Handle systemd PrivateTmp #1475

Closed
FooBarWidget opened this issue Apr 15, 2015 · 2 comments

Comments

FooBarWidget (Member) commented Apr 15, 2015

On systemd-based distributions such as Red Hat 7, Apache likely runs with PrivateTmp. Because of this, passenger-status cannot access the instance registry directory without explicit configuration.

There is no other obvious default directory we can use. /var/run is not world-writable. /var/tmp is not cleared on reboot, though this may not matter if passenger-status cleans up stale directories.

So the next best thing to do, is to autodetect PrivateTmp, and if it is used, ask the user to configure an explicit instance registry directory outside /tmp.

PrivateTmp works by creating a directory /tmp/systemd-private-XXXX, and spawning the process with /tmp private mounted to that directory. This directory is accessible by the target user only.

I have considered making passenger-status and related tools look inside PrivateTmp directories too, but that requires root privileges, which conflicts with the desire to allow 'passenger-config restart-app' to work without root privileges (see #1392).

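The PrivateTmp autodetection sketched in the comment above, as an added example in Ruby that is not Passenger's own code. A component that runs inside the Apache-spawned process can read its own /proc/self/mountinfo and check whether /tmp is a bind mount backed by a /tmp/systemd-private-* directory. The mountinfo field layout (field 4 is the mounted root, field 5 the mount point) is the documented proc(5) format; that the PrivateTmp backing directory shows up as a root of the form /tmp/systemd-private-<id>-<unit>-<random>/tmp is an assumption stated in the code, and the sample mountinfo lines are constructed, not captured from a host.

```ruby
#!/usr/bin/env ruby
# Added example (not Passenger's own code): detect whether this process runs
# under systemd PrivateTmp by inspecting /proc/self/mountinfo.
#
# Assumption: with PrivateTmp=yes, systemd bind-mounts a directory of the form
# /tmp/systemd-private-<id>-<unit>-<random>/tmp onto /tmp inside the unit's
# mount namespace. In mountinfo that appears as a line whose mount point is
# /tmp and whose "root" field (path within the filesystem) starts with
# /tmp/systemd-private-.

PRIVATE_TMP_PREFIX = '/tmp/systemd-private-'.freeze

# mountinfo escapes whitespace and a few other characters in paths as
# three-digit octal sequences such as \040; undo that before comparing.
def unescape_mountinfo_path(path)
  path.gsub(/\\([0-7]{3})/) { $1.to_i(8).chr }
end

# Returns the backing directory when /tmp is a PrivateTmp mount, else nil.
# Fields: id parent maj:min root mount_point opts [optional...] - fstype source superopts
def private_tmp_source(mountinfo_text)
  mountinfo_text.each_line do |line|
    fields = line.split(' ')
    next if fields.size < 6
    root        = unescape_mountinfo_path(fields[3])
    mount_point = unescape_mountinfo_path(fields[4])
    next unless mount_point == '/tmp'
    return root if root.start_with?(PRIVATE_TMP_PREFIX)
  end
  nil
end

# Convenience wrapper; defaults to the calling process's own mount table.
def private_tmp?(mountinfo_text = File.read('/proc/self/mountinfo'))
  !private_tmp_source(mountinfo_text).nil?
end

# Constructed sample mountinfo contents (not captured from a real host).
SAMPLE_PRIVATE = <<~MOUNTINFO
  22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,data=ordered
  87 22 8:1 /tmp/systemd-private-3f9e1c-httpd.service-Ab12Cd/tmp /tmp rw,relatime - ext4 /dev/sda1 rw,data=ordered
  88 22 8:1 /var/tmp/systemd-private-3f9e1c-httpd.service-Ab12Cd/tmp /var/tmp rw,relatime - ext4 /dev/sda1 rw,data=ordered
MOUNTINFO

SAMPLE_PLAIN = <<~MOUNTINFO
  22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,data=ordered
  35 22 0:24 / /tmp rw,nosuid,nodev shared:17 - tmpfs tmpfs rw
MOUNTINFO

if __FILE__ == $PROGRAM_NAME
  if (src = private_tmp_source(SAMPLE_PRIVATE))
    warn "PrivateTmp detected: /tmp is backed by #{src}"
    warn 'Set PassengerInstanceRegistryDir to a directory outside /tmp so ' \
         'passenger-status and passenger-config can find this instance.'
  end
  warn "plain /tmp sample is PrivateTmp: #{private_tmp?(SAMPLE_PLAIN)}"
end
```

The check only works from inside the service's mount namespace: an administrator's shell sees the host /tmp and its own mountinfo reports nothing special, which is exactly why the tools run from that shell cannot find the registry. The warning therefore belongs in the server-side component at startup, not in passenger-status.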
FooBarWidget added this to the 5.0.8 milestone Apr 15, 2015
FooBarWidget removed this from the 5.0.9 milestone Apr 28, 2015
FooBarWidget added this to the 5.0.7 milestone Apr 28, 2015
FooBarWidget removed this from the 5.0.7 milestone Apr 28, 2015
FooBarWidget added this to the 5.0.8 milestone Apr 28, 2015
FooBarWidget assigned FooBarWidget and unassigned OnixGH Apr 28, 2015
FooBarWidget (Member, Author) commented Apr 28, 2015

@OnixGH I'll do this as part of the packaging work in 5.0.8. Can you look at the crash issues instead?

FooBarWidget (Member, Author) commented Apr 30, 2015

The RPM packages can configure a default PassengerInstanceRegistryDir, but then we still have to tell command line tools where that instance registry dir is.

Maybe we can modify the command line tools to look in multiple directories by default for the instance registry dir, so that the command line tools need no configuration. We can set PassengerInstanceRegistryDir to /var/passenger-instances, and have the command line tools look in /tmp and /var/passenger-instances at the same time.

/var/passenger-instances must only be writable by root. This breaks PassengerDefaultUser, so the documentation for that option must be updated to tell the user to adjust PassengerInstanceRegistryDir when using the RPMs.

The advantage of this approach is that Apache doesn't need to have read/write access to the user_tmp_t label.

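The multi-directory lookup proposed in the comment above, as an added example in Ruby that is not Passenger's own code. It searches an explicit override first, then a packaged default, then /tmp (or $TMPDIR), and skips candidates it cannot read rather than failing, which is what lets an unprivileged 'passenger-config restart-app' coexist with a root-only packaged directory. The directory names (/var/run/passenger-instreg from the referenced commit, /tmp and TMPDIR), the environment variable name PASSENGER_INSTANCE_REGISTRY_DIR, and the instance layout (passenger.* directories each holding an instance.pid file) are assumptions for illustration; stale entries are detected by probing the recorded PID rather than deleted.

```ruby
#!/usr/bin/env ruby
# Added example (not Passenger's own code): let the command line tools search
# several instance registry directories so that a packaged
# PassengerInstanceRegistryDir needs no extra configuration on the command line.
#
# Assumptions (illustration only): the packaged default is
# /var/run/passenger-instreg, an explicit override may arrive in an env var
# named PASSENGER_INSTANCE_REGISTRY_DIR, and each instance is a passenger.*
# directory containing an instance.pid file.
require 'tmpdir'
require 'fileutils'

DEFAULT_REGISTRY_DIRS = ['/var/run/passenger-instreg'].freeze
ENV_OVERRIDE = 'PASSENGER_INSTANCE_REGISTRY_DIR'.freeze

# Ordered, de-duplicated search path: explicit option, env override, the
# packaged default, then the historical $TMPDIR / /tmp locations.
def registry_search_path(explicit: nil, env: ENV, defaults: DEFAULT_REGISTRY_DIRS,
                         tmp_fallbacks: [env['TMPDIR'], '/tmp'])
  [explicit, env[ENV_OVERRIDE], *defaults, *tmp_fallbacks]
    .compact.map { |d| d.length > 1 ? d.chomp('/') : d }.uniq
end

# A registry entry is live when the PID it recorded still exists. Signal 0
# probes without delivering anything; EPERM means "exists, but another user's",
# which still counts as live. A missing or malformed pid file counts as stale.
def instance_alive?(instance_dir)
  pid = Integer(File.read(File.join(instance_dir, 'instance.pid')).strip)
  return false unless pid > 0   # 0 / negative would signal a process group
  Process.kill(0, pid)
  true
rescue Errno::ESRCH, Errno::ENOENT, ArgumentError
  false
rescue Errno::EPERM
  true
end

# Live instance directories across every readable candidate. A candidate that
# is missing or unreadable (e.g. a root-only /var/run/passenger-instreg when
# run as an unprivileged user, or a PrivateTmp-backed /tmp seen from outside)
# is skipped instead of aborting the whole search.
def find_instances(dirs)
  dirs.flat_map do |dir|
    next [] unless File.directory?(dir) && File.readable?(dir)
    Dir.glob(File.join(dir, 'passenger.*')).select { |d| File.directory?(d) }
  end.select { |d| instance_alive?(d) }
end

if __FILE__ == $PROGRAM_NAME
  path = registry_search_path(explicit: ARGV[0])
  puts "searching: #{path.join(', ')}"
  find_instances(path).each { |d| puts "live instance: #{d}" }
end
```

Because the search path is ordered, an explicit --instance-registry-dir style option or the environment override always wins over the packaged default, and the packaged default wins over /tmp, so a stale directory left behind in /tmp cannot shadow a running instance registered in the packaged location.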
FooBarWidget added a commit that referenced this issue May 10, 2015
…on to /tmp or TMPDIR

The RPM packages configure Apache and Nginx to use /var/run/passenger-instreg
as the instance registry dir. See #1475
FooBarWidget added a commit to phusion/passenger_rpm_automation that referenced this issue May 10, 2015
@FooBarWidget FooBarWidget changed the title Ask user to configure an explicit instance registry directory when systemd PrivateTmp is used Handle systemd PrivateTmp May 10, 2015