On 09/28/2011 06:03 AM, Alan Wright wrote:
> Thanks Mattias
>
> I thought that the idea was that resin started as root in order to
> permit binding to the protected ports<1024
> and subsequently switched to run as a different user.
>
> Our current setup with resin2 and a single server seems to do that.
>
> Thank you for taking the time to respond.
>
> Can anyone from caucho clarify this?

In Resin 4, the watchdog remains as root and the Resin instance starts 
as the specified user. There is never any switching of users in a single 
process; the switching happens during the Resin-instance spawning.

If you have multiple Resin servers managed by the same watchdog and some 
of them need to bind to port 80, the watchdog needs to be started as root.

You can use multiple watchdogs if you like, by using a <server-default> 
with a <watchdog-port> (or simply <watchdog-port> in the <server>.)

<resin ...>
<cluster id="app-tier">
<server-default>
<watchdog-port>6601</watchdog-port>
</server-default>
     ...
</cluster>

<cluster id="web-tier">
<server-default>
<watchdog-port>6600</watchdog-port>
</server-default>
     ...
</cluster>

-- Scott


>
> Regards
>
>
> Alan
>
>
>
>
> On 28/09/2011 13:35, Mattias Jiderhamn wrote:
>> To answer one part of your question:
>>
>>
>>> Additionally the application is started as root and for the app tier we
>>> use<user>   and<group>   to change the user. When we try to do the same
>>> thing in the web-loadbalancer tier the application fails to start. Is
>>> this normal/to be expected? Is it safe for the web-tier to be running as
>>> root?
>>>
>> In a *nix environment, it is likely that non-root users are not allowed
>> to bind ports<   1024. That is, Resin cannot answer on HTTP (80) or HTTPS
>> (443) request unless running as root. I'd recommend using port
>> forwarding from 80/443 to some port>   1024 and then run Resin as non-root.
>>
>> </Mattias>
>>
>>
>>
>> _______________________________________________
>> resin-interest mailing list
>> resin-interest@caucho.com
>> http://maillist.caucho.com/mailman/listinfo/resin-interest
>>
>>
>>
>



_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest

Reply via email to