Hmmm...not sure what the right answer for this is. The parent supervisord process, which must run as root for this use case, manages the FCGI socket so that it can be shared by a pool of child processes which may come and go as needed. I see three alternatives.
1) Keep the current behavior (not what people expect) - this means for unix domain sockets, users must set their umasks and directory permissions appropriately so that root can create sockets that non-root processes can access.

2) Have the root supervisord process do chmod/chown on the fcgi sockets in the same way it does for the chmod/chown options in the unix_http_server section of the config (http://supervisord.org/manual/current/configuration.html#unix_http_server). The only question about this approach is whether it's possible to chown/chmod the socket so that the root supervisord process can no longer clean up the socket when it needs to.

3) Do something like Apache mod_fastcgi does with a FastCgiWrapper (http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html#FastCgiWrapper) which I think means that each FCGI process group would need to fork a "wrapper" process that runs as the non-root user and manages the FCGI socket. This seems like a lot of work and potentially messy integration with the main supervisord event loop for dealing with SIGCHILD, etc.

#2 seems the most promising. Anyone see any issues with it? I already tried setting chmod=0000 and chown=<non_root_user> in the unix_http_server section of supervisord.conf and the domain socket file was successfully deleted after supervisord exited.

On Mon, Oct 19, 2009 at 7:39 AM, Phillip Oldham <[email protected]> wrote:
> Chris McDonough wrote:
> > What you described in your previous email should have worked. I'm not
> > sure if this is a bug, or what.
>
> Tried again with a fresh install, new server:
>
> # cat /etc/supervisord.conf
> [unix_http_server]
> file=/tmp/supervisor.sock ; (the path to the socket file)
> [supervisord]
> logfile=/var/log/supervisord/supervisord.log ; (main log file;default $CWD/supervisord.log)
> logfile_maxbytes=50MB ; (max main logfile bytes b4 rotation;default 50MB)
> logfile_backups=10 ; (num of main logfile rotation backups;default 10)
> loglevel=info ; (log level;default info; others: debug,warn,trace)
> pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
> nodaemon=false ; (start in foreground if true;default false)
> minfds=1024 ; (min. avail startup file descriptors;default 1024)
> minprocs=200 ; (min. avail process descriptors;default 200)
> user=root ; (default is current user, required if root)
> [fcgi-program:php]
> user=nginx
> command=/usr/bin/php-cgi
> socket=unix:///tmp/php.sock
>
> # ls -alh /tmp/|grep php.so
> srwxr-xr-x 1 root root 0 Oct 19 15:26 php.sock
>
> However, the user which is running the PHP executable *is* nginx:
> # ps aux|grep php
> nginx 14005 0.0 0.2 142212 4748 ? S 15:26 0:00 /usr/bin/php-cgi
>
> I've tried using the `chown` parameter (as defined in the
> unix_http_server section of the config file) in hopes that it would work
> in a similar way, but no joy.
>
> I need supervisord to run as root, but nginx/php daemons & sockets to
> run as/be owned by nginx. For the moment I'll try running it on a port.
>
> Also noticed that stopping PHP via supervisorctl doesn't remove the
> php.sock file.
>
> Running under CentOS5.2 + Python2.6
>
>
> > Phillip Oldham wrote:
> >> Chris McDonough wrote:
> >>> There is a separate "user" parameter that is set in the
> >>> [supervisord] section that may help you work around the issue.
> >>> The entire supervisord process (and any children, and any socket
> >>> files) will be run/written using that userid.
> >>>
> >>> [supervisord]
> >>> user = nginx
> >>>
> >>> Please read
> >>> http://supervisord.org/manual/current/configuration.html#supervisord
> >>>
> >> Thanks. I'll see if I can get that to work.
> >>
> >> However, is there a way to have supervisord run as root, yet have the
> >> socket created by another user? eg:
> >>
> >> [supervisord]
> >> user = root
> >> ...
> >> [fcgi-program:php]
> >> user = nginx
> >> socket = unix:///tmp/php.sock
> >> ...
> _______________________________________________
> Supervisor-users mailing list
> [email protected]
> http://lists.supervisord.org/mailman/listinfo/supervisor-users
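Added example (not part of the original thread and not supervisor's own code): a Python sketch of alternative #2, showing why a socket set to chmod=0000 can still be cleaned up, since unlink() is governed by the parent directory rather than the socket file's mode. The function names and the scratch directory are assumptions made for illustration.

```python
import os
import pwd
import socket
import stat
import tempfile


def create_fcgi_socket(path, mode, owner=None):
    """Bind a listening Unix socket, then apply mode/owner as the parent would."""
    old_umask = os.umask(0o177)  # no group/other access between bind() and chmod()
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, mode)
    if owner is not None and os.geteuid() == 0:  # chown to another user needs root
        pw = pwd.getpwnam(owner)
        os.chown(path, pw.pw_uid, pw.pw_gid)
    sock.listen(5)
    return sock


def cleanup_socket(sock, path):
    """Close and unlink; unlink needs write+search on the directory, not the file."""
    sock.close()
    os.unlink(path)
    return not os.path.exists(path)


def demo():
    workdir = tempfile.mkdtemp(prefix="fcgi-demo-")  # constructed scratch directory
    path = os.path.join(workdir, "php.sock")
    sock = create_fcgi_socket(path, 0o000)  # same mode the post tried: chmod=0000
    mode_after = stat.S_IMODE(os.stat(path).st_mode)
    removed = cleanup_socket(sock, path)
    os.rmdir(workdir)
    return mode_after, removed


if __name__ == "__main__":
    print(demo())
```

In a sticky directory such as /tmp, a non-root process would also need to own the file or the directory to unlink it; a root parent is not subject to that restriction.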
