On 10/12 09:33, vtamara wrote:
> In general I think these are good plans. I use to develop applications on
> Ruby on Rails, and I try to keep always with the latest version of the gems
> (since I use bundler I don't use the gems packed for OpenBSD) So these are
> good plans for me.
>
> Besides that, and thanking your hard work maintaining recent Ruby on
> OpenBSD, I would like to ask you:
> - How to use chroot with unicorn ?
>
> I have not been able to find documentation about it, except notes in
> changelogs.

It is mentioned in the unicorn documentation for the Unicorn::Worker#user
method.

I run my unicorn processes using unicorn's fork+exec support, chrooting,
priv dropping, then pledging. I use nginx as the main webserver, and
have it send requests to unicorn using a unix socket. In my unicorn
config files, I have code similar to:
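
  require 'pledge'

  # nginx sends requests to unicorn over this unix socket
  listen '/var/www/sockets/app.sock'

  # use unicorn's fork+exec support for workers
  worker_exec true

  after_worker_ready do |server, worker|
    server.logger.info("worker=#{worker.nr} ready")
    # third argument true: chroot, then drop privileges to _app:_app
    worker.user('_app', '_app', true)
    # pledge last, once chroot and priv dropping are done
    Pledge.pledge('rpath prot_exec unix')
  end
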
One of the issues you will run into is you need to make sure that all
libraries necessary are loaded before chroot. This can be tricky if
you are using libraries that use autoload, which you are because rack
uses autoload.

Thanks,
Jeremy
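
The autoload issue raised in the reply above, as an added example that is not part of the original thread and is not code from unicorn, rack or the pledge gem: a helper that resolves every pending autoload under a namespace, so nothing has to be read from disk after chroot. The name force_autoloads and the DemoApp namespace are hypothetical; the assumption is that it would be called (for example as force_autoloads(Rack)) in after_worker_ready before worker.user.

```ruby
require 'tmpdir'

# Hypothetical helper (not part of unicorn, rack or pledge): resolve every
# pending autoload under +root+ so no file has to be read after chroot.
# Returns the names of the constants it loaded.
def force_autoloads(mod, root = mod, seen = {})
  return [] if seen[mod]
  seen[mod] = true
  loaded = []
  mod.constants(false).each do |name|
    pending = mod.autoload?(name)        # path while unloaded, nil afterwards
    begin
      value = mod.const_get(name, false) # triggers the require when pending
    rescue LoadError, NameError => e
      # An optional dependency may be missing; report it and carry on.
      warn "autoload #{mod}::#{name} failed: #{e.class}: #{e.message}"
      next
    end
    loaded << "#{mod}::#{name}" if pending
    # Recurse only into modules that live inside the namespace being warmed.
    if value.is_a?(Module) && value.name.to_s.start_with?("#{root.name}::")
      loaded.concat(force_autoloads(value, root, seen))
    end
  end
  loaded
end

# Constructed demo: a namespace with one autoload entry pointing at a file
# that is deleted afterwards, standing in for a path outside the chroot.
module DemoApp; end

def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'demo_late.rb')
    File.write(path, "module DemoApp; class Late; end; end\n")
    DemoApp.autoload(:Late, path)
    force_autoloads(DemoApp)
  end
end

p demo
```

Anything the helper reports as failed on stderr is a constant that would also fail if first referenced inside the chroot, so the list is worth reviewing before deployment.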