* Lars Bruun-Hansen <lars.bruun-hansen at mail.dk> [2007-09-24 20:23]:
> I've worked a lot with trying to delegate the admin and management of
> Solaris' build-in Apache2.
>
> Some comments:
>
> The Apache2 method script, /lib/svc/method/http-apache2, adds - imho -
> absolutely no value. We might as well call apachectl directly. Let's take a
> closer look at it:
>
> * It checks if the conf file exist and exits with error if not. Why not let
> apachectl (which will delegate this job to the httpd binary) report this ?
>
> * It checks the value of a manifest property ('ssl') and let this govern if
> apachectl is called with the "start" or the "startssl". Only problem is that
> my apachectl (and yours, I hope) does not support the "startssl" argument so
> if you try to use it it will fail.
>
> * It removes the Pid file when the argument is "start". Why is this required?
> Surely if this was required the guys at apache.org would have put such
> functionality into apachectl.
>
> * It tries to create a Pid File directory if it does not already exist. I
> would rather have it fail cleanly in such a case. We should not try to
> silently fix configuration errors.
>
> Here is what I think:
>
> The manifest should simply call apachectl but with the user being able to
> customize it by using SMF property value. I'm not 100% sure how this is done
> but man page smf_method says it is possible to use the value of a property in
> a method.
>
> Let's assume that httpd_options is a property from the manifest, defaulting
> to an empty string. Then the start method would simply be
>
> "/usr/apache2/bin/apachectl ${httpd_options} -k start"
>
> An administrator could then set the httpd_options property in the manifest to
> say "-f /apps/apache2/conf/httpd.conf" to allow the web server to start with
> configuration from a non-default location.
>
> As I mentioned in the beginning I'm working with delegating Apache2 service
> to a non-root user to allow him to start and stop it using his own
> configuration. The above would make it a lot simpler to do delegation.
>
> Another requirement for out-of-the-box-supported-delegation is that the
> manifest includes action_authorization and value_authorization tags in the
> appropriate parts of the manifest. Also these tags must be included by
> default in the /etc/security/auth_attrr file to make it simple for the sysadm.
>
> In summary for a service to support out-of-the-box-delegation it should:
>
> 1. allow location of config files, pid files, log files etc to be customized
> without having to write a new manifest or indeed without having to change
> anything but property values in the manifest that comes with the OS.
> 2. have authorization tags in all relevant places in the manifest
> 3. tags mentioned in requirement #2 should exist in auth_attrr
>
> Any support for such ideas?
> I'm on a quest to make sure all the nice SFW stuff that comes with Solaris
> can be delegated easily. Delegation is one area where Solaris really has an
> edge but we have to make it easier. Next: postgress, mysql, samba. :-)
Lars,
I don't have much of an opinion on this, but I know some guys who
might: the webstack project is trying to bring the Apache install
(and other bundled components) up to date. Practices like these might
already be in their plans--or up for further discussion.
Cheers
Stephen
--
sch at sun.com http://blogs.sun.com/sch/
