On Thu, Dec 11, 2014 at 2:07 AM, Tim Serong <tserong@xxxxxxxx> wrote: > Calamari consists of a few pieces - the web-accessible bit runs as the > apache user, then there's the cthulhu daemon, as well as carbon-cache > for the graphite stuff. These latter two I believe run as root (at > least, they do with my SUSE packages which have systemd units for each > of these services, and I assume they run as root on other distros where > they're run under supervisord). Now that I think of it though, I wonder > if it makes sense to just run the whole lot as the apache user...? It probably doesn't make sense to move all the services under apache: the in-apache parts (i.e. the REST request handlers) are relatively unprivileged things that just know how to make calls to other (local) services, whereas the other services are reaching out over the network to the Ceph servers. It might make sense to use a ceph-calamari user for cthulhu et al, and leave the REST bits running as apache. As for carbon-cache, that should cease to be a calamari-specific question when using proper distro packages instead of an embedded instance (iirc we were still running our own built-in carbon last time I touched calamari) Cheers, John -- To unsubscribe from this list: send the line "unsubscribe ceph-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
