I only want two processes: confd and my application (apache or php-fpm or node . or uwsgi ...)

The role of confd is to watch etcd/consul and update config when needed. I guess systemd is overkill for such a simple thing (I don't want ttys, crons, dbus, journald....)

Apache is well-established and it has a way to drop privileges, but this is not the case with "node ."

I'm not sure about k8s no new priv.

Ex. I want confd as root and node as app. I guess apache does not have an nnp option.

On Tue, Sep 6, 2016, 9:05 PM Daniel J Walsh <dwa...@redhat.com> wrote:

> A couple of things. 1 you could use real systemd rather than using some
> other init system.
>
> Secondly and perhaps conflicting, is why not run apache as non root to
> start rather than dropping privs. Apache will run perfectly fine without
> requiring root privs. Also you could set the NO_NEW_PRIVS right in
> docker/k8s.
>
> On 09/06/2016 01:46 PM, Muayyad AlSadi wrote:
> > Hi,
> >
> > Typical fictional unicorn containers should have one process
> >
> > In practice it's actually processes of one concern ex. Apache
> >
> > One issue is that your entry point /start.sh should exec to replace
> > the shell (so that application process would receive signals)
> >
> > Since start.sh is pid 1 it has the responsibility to handle zombies.
> > For this we can use yelp's dumb-init (which is almost to be pushed to
> > official repo and already in copr)
> >
> > https://github.com/Yelp/dumb-init
> >
> > Typically our start.sh starts confd in background using nohup
> >
> > Then I exec my application but I would like to drop privileges, first
> > I used exec sudo or exec su but it won't replace the process.
> >
> > I wrote a simple application that drops groups, supplementary groups
> > and user
> >
> > Not only that but also it can optionally set
> > PR_SET_NO_NEW_PRIVS with prctl
> > So that it will never get more privileges even with sudo/su.
> >
> > What do you think?
> >
> > https://github.com/muayyad-alsadi/oneway/blob/master/README.md
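
The sequence described in the original message above (clear supplementary groups, set the group, set the user, optionally set PR_SET_NO_NEW_PRIVS, then exec so the application replaces the launcher), as an added example that is not part of the thread and is not the oneway project's code. The program name `dropexec` and its argument order are assumptions made for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for setgroups() */
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop root for good: supplementary groups, then gid, then uid.
 * The order matters: after setuid() the process may no longer change groups. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0)        return -1;
    if (setuid(uid) != 0)        return -1;
    /* Verify: regaining root must fail (skipped when the target is root). */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Set no_new_privs: execve() stops honouring setuid/setgid bits and file
 * capabilities, so sudo/su cannot raise privileges. Inherited by children. */
int lock_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 0 : -1;
}

/* Hypothetical usage: ./dropexec UID GID command [args...] */
int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s UID GID command [args...]\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (drop_privileges(uid, gid) != 0) { perror("drop_privileges"); return 1; }
    if (lock_no_new_privs() != 0)       { perror("no_new_privs");    return 1; }
    execvp(argv[3], &argv[3]);   /* replaces this process; signals reach the app */
    perror("execvp");
    return 127;
}
```
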