On 04/24/2015 11:37 AM, Sage Weil wrote: > -- Logs -- > One other thing in addition to the log directory is the socket directory permissions (/var/run/ceph). The ceph UID will need to write there, right? In newer distros with systemd, /var/run is on tmpfs so we use this tmpfiles.d snippet to be sure the directory is there in /var/tmpfs after every boot: https://github.com/ceph/ceph/blob/master/systemd/ceph.tmpfiles.d The snippet currently creates the directory as root-owned, and I imagine we'd want to change that to the ceph UID instead? > -- systemd -- > > Most of the daemons can just get the User=ceph and Group=cpeh lines in the > unit files. The OSD is tricky, though, since we want the prestart script > to run as root so that it can chown the disk contents if necessary. We > have two options, I think: > > 1) run prestart and ceph-osd as root, and add a ceph daemon arg to drop > privileges and setuid. > > 2) add a sudo rule so that the ceph user can run the chown command from > prestart. (This seems more dangerous.) I agree sudo sounds more dangerous, and it'll also be more complex to implement in the packaging. Would it be possible to use Apache's model, where it does the bare minimum set of things it needs as root (binding to port 80, etc), and then drops privileges thereafter? If the OSD had this ability built-in, then it could run in minimal environments like containers where sudo is not present, etc. - Ken -- To unsubscribe from this list: send the line "unsubscribe ceph-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
