David Bustos wrote:
> Quoth Tom Hintz on Fri, Oct 20, 2006 at 01:54:23PM -0500:
>> inetd_start/project            astring  workproj1
>>
>> No change.  File descriptors are still limited to 256.
> 
> Multiple properties are required for the method context to be considered
> complete.  Instead of using svccfg, add a method_context element to the
> start method in the service's manifest, and import it.

Heh, all that fire & brimstone I threatend SMF users should they vi 
their manifests ...

I played with this today and find it rather confusing.  To start with, I 
was working through Glenn's example of privilege reduction for apache2, 
and found that I needed this (using editprop)

setprop start/user = astring: "webservd"
setprop start/group = astring: "webservd"
setprop start/privileges = astring: 
"basic,!proc_session,!proc_info,!file_link_any,net_privaddr"

I don't know why I need the below, they look like setting default values 
to me, if they are defaults, why must I set them?

setprop start/limit_privileges = astring: ":default"
setprop start/use_profile = boolean: "false"
setprop start/supp_groups = astring: ":default"
setprop start/working_directory = astring: ":default"
setprop start/project = astring: ":default"
setprop start/resource_pool = astring: ":default"

On top of that, they seem arbitrary, why don't I need *all* of the 
listed method context, for example here I didn't set corefile_pattern or 
environment.  What's more, in the man page, supp_groups is described as 
"an optional string".

I tinkered with permutations of these, and in the end, unless I have all 
of them set, SMF will throw my service into maintenance and there is 
nothing anywhere that tells me where I have gone wrong.

What about stop/* ?  If I set a method context for start/blah, must a 
corresponding one be set for stop/blah?  I guess not, but I can't tell.

Here's what I did for project:

setprop start/project = astring: "xmen"

# projects -l
xmen
         projid : 100
         comment: ""
         users  : webservd
         groups : webservd
         attribs: process.max-file-descriptor=(privileged,1024,deny)
                  process.max-core-size=(privileged,64000000,deny)

This will limit my fd per httpd process to 1024, but if I try 
process.max-file-descriptor=(basic,1024,deny), my httpd process shows an 
unlimited number of fd.  I don't get this, what's the point of "basic" then?

I have apache2 started by webservd, so I need to define project users 
and groups, if I leave them blank, my service goes into maintenance.

This is probably not my favorite thing about SMF, there are too many 
knobs and the interaction of knobs and requirements for sets of knobs to 
be manipulated is a mystery.

Trying to figure out the manifest is not intuitive either.  If I 
couldn't dump the manifest using svccfg export, I would have no idea how 
to write it.  This seems to work:

                 <exec_method
                         type='method'
                         name='start'
                         exec='/lib/svc/method/http-apache2 start'
                         timeout_seconds='60' >
                         <method_context>
                         <method_credential
                                 user='webservd'
                                 group='webservd' 
privileges='basic,!proc_session,!proc_info,!file_link_any,net_privaddr'/>
                         </method_context>
                 </exec_method>

                <exec_method
                         type='method'
                         name='stop'
                         exec='/lib/svc/method/http-apache2 stop'
                         timeout_seconds='60' >
                         <method_context>
                         <method_credential
                                 user='webservd'
                                 group='webservd'
                         privileges='basic,!file_link_any,!proc_info'/>
                         </method_context>
                 </exec_method>

The thing is, after all that pain SMF gave you of not setting things 
like start/working_directory with svccfg, it's no-where in the XML 
export!  After doing this I can see why Dave said, just throw it in the 
manifest, but we've been telling folks not to do this.  I think this can 
be better.

CT







Reply via email to