> exec'd as 'root', no startup issues so far. But the daemons do not drop
> perms, and persist running as root.

If you specify so in conf.xml the daemons *will* drop permissions.

> IIUC, there's no reason -- and is likely unwise (?) -- to exec as 'root'; I'm
> attempting to run as my ods2 user, "opendnssec".

Indeed. It might be useful to start ods-signerd (and then drop) as root in
case you want it to serve XFRs on low ports.

> Using (just for the moment) systemd's "PermissionsStartOnly=" for perms mgmt
> (eventually, I'll switch to tmpfiles ...), editing
>
> (btw, shouldn't ods2 sources include systemd instrumentation ?)
>
> edit /etc/systemd/system/ods-signer.service
> [Unit]
> Description=ods2 signer
> After=syslog.target network.target
>
> [Service]
> Type=forking

NOTE: you can start the signerd and enforcerd with the -d flag. Then it
won't fork from the console. This might improve the systemd experience.

> + PermissionsStartOnly=true
> + User=opendnssec
> + Group=opendnssec
> PIDFile=/var/run/opendnssec/signerd.pid
> EnvironmentFile=-/etc/sysconfig/ods
> + ExecStartPre=/bin/chown -R opendnssec:opendnssec /usr/local/etc/opendnssec /var/run/opendnssec /var/opendnssec
> ExecStart=/usr/local/opendnssec/sbin/ods-signerd $ODS_SIGNERD_OPT
>
> [Install]
> WantedBy=multi-user.target
>
> , my logs get hammered with dozens of
>
> Dec 21 07:57:10 core ods-enforcerd: ObjectFile.cpp(122): The attribute
> does not exist: 0x00000002
>
> What's the attribute problem here?

This is a permission problem again. You probably initialized the SoftHSM
slots as root. Fix the permissions so /var/lib/softhsm is RW for the
opendnssec user.

> Is there more to execing as !root that needs to be addressed?

ODS should run fine as a normal user. But beware that binding port numbers
< 1024 might not work if you don't use the permission dropping
functionality. This is only relevant for the signer and when using DNS
adapters.

//Yuri
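A pre-start check in the spirit of the ExecStartPre line quoted above, added here as an example (not code from the thread or from OpenDNSSEC): rather than running chown -R on every start, it verifies that the directories named in the unit file, plus the SoftHSM token directory the reply points at, are owned by the service user with owner rwx, and reports the offending path so a root-initialized SoftHSM store shows up in the journal. The install path /usr/local/sbin/ods-precheck.sh, the SERVICE_USER variable and GNU stat are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or OpenDNSSEC. Hypothetical use:
#   ExecStartPre=/bin/sh /usr/local/sbin/ods-precheck.sh --check
# Assumes GNU stat (-c).

SERVICE_USER="${SERVICE_USER:-opendnssec}"
# Paths from the quoted unit file plus the SoftHSM token directory.
ODS_DIRS="/usr/local/etc/opendnssec /var/run/opendnssec /var/opendnssec /var/lib/softhsm"

# dir_rw_for_user DIR USER
# Returns 0 when DIR exists, is owned by USER and the owner bits grant
# rwx (rws with setuid is accepted); prints the reason and returns 1 otherwise.
dir_rw_for_user() {
    _dir=$1
    _user=$2
    if [ ! -d "$_dir" ]; then
        echo "missing directory: $_dir"
        return 1
    fi
    _info=$(stat -c '%U %A' "$_dir") || return 1
    _owner=${_info%% *}
    _perm=${_info#* }
    if [ "$_owner" != "$_user" ]; then
        echo "wrong owner on $_dir: $_owner (expected $_user)"
        return 1
    fi
    case "$_perm" in
        ?rw[xs]*) return 0 ;;
        *) echo "owner lacks rwx on $_dir: $_perm"; return 1 ;;
    esac
}

# check_all USER DIR...  ->  0 only if every directory passes; checks all
# of them so the journal shows every problem at once, not just the first.
check_all() {
    _u=$1; shift
    _rc=0
    for _d in "$@"; do
        dir_rw_for_user "$_d" "$_u" || _rc=1
    done
    return $_rc
}

# Only touch the real system paths when invoked with --check, so the
# functions can also be sourced and exercised on test directories.
if [ "${1:-}" = "--check" ]; then
    check_all "$SERVICE_USER" $ODS_DIRS
    exit $?
fi
```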
