On Systemd-based distributions such as Red Hat 7, Apache likely runs with PrivateTmp. Because of this, passenger-status cannot access the instance registry directory without explicit configuration.
There is no other obvious default directory we can use. /var/run is not world-writable. /var/tmp is not cleared on reboot, though this may not matter if passenger-status cleans up stale directories.
So the next best thing to do is to autodetect PrivateTmp and, if it is used, ask the user to configure an explicit instance registry directory outside /tmp.
PrivateTmp works by creating a directory /tmp/systemd-private-XXXX, and spawning the process with /tmp private mounted to that directory. This directory is accessible by the target user only.
I have considered making passenger-status and related tools look inside PrivateTmp directories too, but that requires root privileges, which conflicts with the desire to allow 'passenger-config restart-app' to work without root privileges (see #1392).
The RPM packages can configure a default PassengerInstanceRegistryDir, but then we still have to tell command line tools where that instance registry dir is.
Maybe we can modify the command line tools to look in multiple directories by default for the instance registry dir, so that the command line tools need no configuration. We can set PassengerInstanceRegistryDir to /var/passenger-instances, and have the command line tools look in /tmp and /var/passenger-instances at the same time.
/var/passenger-instances must only be writable by root. This breaks PassengerDefaultUser, so the documentation for that option must be updated to tell the user to adjust PassengerInstanceRegistryDir when using the RPMs.
The advantage of this approach is that Apache doesn't need to have read/write access to the user_tmp_t label.
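As an added illustration of the "look in several directories by default" idea from the comment above (my example, not Passenger's own code): a small resolver that tries a list of candidate registry directories, lists the instance directories it can see, refuses a root-only registry directory that is not actually root-owned and non-writable by others, and, when it finds nothing but sees `systemd-private-*` entries under /tmp, tells the user that PrivateTmp is probably in play. The candidate paths, the `passenger.` instance-directory prefix and the message text are assumptions for this example.

```python
import os
import stat

# Assumed defaults mirroring the proposal in the thread: try /tmp (the current
# default) and a root-owned /var/passenger-instances. Illustrative only, not
# Passenger's actual configuration.
DEFAULT_CANDIDATES = ("/tmp", "/var/passenger-instances")
# Assumption for this example: instance directories are named "passenger.*".
INSTANCE_PREFIX = "passenger."
PRIVATE_TMP_PREFIX = "systemd-private-"


def private_tmp_dirs(tmp="/tmp"):
    """Names of PrivateTmp backing directories visible under tmp.

    systemd creates /tmp/systemd-private-XXXX and mounts it as the service's
    /tmp; from outside we can see the name but, as non-root, not its contents.
    A non-empty result is the hint that some service's /tmp is not ours.
    """
    try:
        return sorted(e for e in os.listdir(tmp) if e.startswith(PRIVATE_TMP_PREFIX))
    except OSError:
        return []


def check_root_only_dir(path, expected_uid=0):
    """Return None if path is a directory owned by expected_uid and writable by
    nobody else, otherwise a short reason. lstat is used on purpose so that a
    symlink planted by a local user is rejected instead of followed."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if st.st_uid != expected_uid:
        return "owner is uid %d, expected %d" % (st.st_uid, expected_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"
    return None


def find_instances(candidates=DEFAULT_CANDIDATES):
    """Map each readable candidate registry dir to the instance dirs inside it.

    Candidates that do not exist or cannot be listed are skipped, so a tool can
    try several locations without any configuration.
    """
    found = {}
    for cand in candidates:
        try:
            entries = os.listdir(cand)
        except OSError:
            continue
        found[cand] = sorted(
            os.path.join(cand, e)
            for e in entries
            if e.startswith(INSTANCE_PREFIX) and os.path.isdir(os.path.join(cand, e))
        )
    return found


def diagnose(candidates=DEFAULT_CANDIDATES, tmp="/tmp"):
    """Flat list of instance dirs across all candidates, plus an advisory string
    when nothing was found but PrivateTmp directories are present."""
    found = find_instances(candidates)
    instances = [p for paths in found.values() for p in paths]
    hint = None
    if not instances and private_tmp_dirs(tmp):
        hint = ("no instances found, but %s contains PrivateTmp directories; the web "
                "server's /tmp is probably private. Set PassengerInstanceRegistryDir "
                "to a directory outside /tmp." % tmp)
    return instances, hint


if __name__ == "__main__":
    inst, hint = diagnose()
    print("instances:", inst)
    if hint:
        print("hint:", hint)
```

The permission check matters because a registry directory that any local user can write to (or replace with a symlink) lets that user plant a fake instance directory for the tools to pick up; /tmp gets away with this only because of the sticky bit and per-instance ownership, which is why the root-only candidate is held to a stricter rule.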
FooBarWidget changed the title from "Ask user to configure an explicit instance registry directory when systemd PrivateTmp is used" to "Handle systemd PrivateTmp" on May 10, 2015