On Mar 4, 2008, at 3:06 PM, g.sharpe wrote:
Should I be running varnish as root? I'm not finding much by way of documentation on the varnish website. I noticed in the CacheFu deploy scripts, a "varnish_user" is given appropriate privileges to the vcl, etc. However, I don't see where this "varnish_user" is created or defined (no reference in makeconfig.cfg). Gary Sharpe
In the makeconfig.cfg, the "varnish_user" is called just "user". Now that you brought this up, it occurs to me that the makeconfig script probably shouldn't change the name during processing as it may be a bit confusing if you're trying to figure out what's happening in the templates.
In the Squid configs, we do something similar. The makeconfig.cfg allows you to set a value for "user" but processing renames this to "squid_user".
With regard to what value should be used for "user", this depends on what port you need Varnish to bind to. In order to bind to ports lower than 1024, Unix systems require the process to run as "root" (this is not the case for Windows systems -- which results in some serious security implications). So if you wish your Varnish to respond to requests on the standard HTTP port 80, you need to start it up as root. However, again for security reasons, Varnish will attempt to drop privileges as soon as the port has been bound. That's what the "user" field is for -- after binding to port 80, the Varnish child process will then continue on running with the permissions of this other, hopefully less-privileged, user.
If instead Varnish is bound to a less-privileged port like port 8000, which might be the case for a Zope-Varnish-Apache setup, then this is less important. But makeconfig still needs to know the "user" that will launch Varnish to make sure that Varnish has the proper read/write privileges for the configs and cache storage.
The Squid install works the same way. And so does Zope, where this is governed by the "effective-user" directive in zope.conf.
Ric
_______________________________________________
Setup mailing list
[email protected]
http://lists.plone.org/mailman/listinfo/setup
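The bind-then-drop sequence Ric describes, written out as a small C program. This is an added example for the thread, not code from Varnish, Squid or the CacheFu deploy scripts; the listen address, the port and the "varnish" user name it looks up are assumptions for illustration. The point it makes beyond the prose: the order of calls matters (supplementary groups and the gid must be changed while still root, because after setuid() the process can no longer change them), and a drop that only partly succeeded must be treated as a fatal error rather than continued from.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Bind and listen on a TCP port.  Ports below 1024 require root (or
 * CAP_NET_BIND_SERVICE on Linux), so this must run BEFORE privileges are
 * dropped.  Returns the listening socket, or -1 on failure. */
int bind_listener(const char *addr, int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently switch to uid/gid.  Order: supplementary groups, then gid,
 * then uid.  Returns 0 on success; -1 if any step failed or the resulting
 * ids are not what was asked for (the caller must then exit, not carry on). */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0) {
        /* Only root can change the supplementary list; clear it so no
         * root-only group membership leaks into the unprivileged process. */
        if (setgroups(1, &gid) != 0) return -1;
    }
    if (setgid(gid) != 0) return -1;   /* must happen while still root */
    if (setuid(uid) != 0) return -1;   /* setuid() as root also resets the saved uid */
    /* Verify the drop actually took effect on real and effective ids. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* Returns 1 if the process can still become root (drop was not permanent),
 * 0 otherwise.  After a correct drop, setuid(0) fails with EPERM. */
int can_regain_root(void) {
    return setuid(0) == 0 ? 1 : 0;
}

int main(void) {
    const char *user = "varnish";       /* assumed unprivileged service account */
    int fd = bind_listener("0.0.0.0", 80);  /* assumed listen address and port */
    if (fd < 0) { perror("bind"); return 1; }

    struct passwd *pw = getpwnam(user);
    if (pw == NULL) { fprintf(stderr, "no such user: %s\n", user); return 1; }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0 || can_regain_root()) {
        fprintf(stderr, "privilege drop failed; refusing to serve as root\n");
        return 1;
    }
    printf("listening on port 80 as uid %d, gid %d\n", (int)getuid(), (int)getgid());
    close(fd);
    return 0;
}
```

Run as root, the program binds port 80 first and only then changes identity; run as an unprivileged user it fails at bind(), which is the behaviour Ric's explanation predicts. The can_regain_root() check after the drop is the part worth copying into any daemon that does this by hand: a process that can still setuid(0) has not actually given anything up.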
