Sean Murphy
2012-Sep-05 15:13 UTC
[Puppet Users] Starting service as non root user with puppet
Hi,

I have an ubuntu system with some of our own services on it. I prefer to run these services as a non-root user.

I can control the services using upstart as a non root user and can start and stop the service using initctl without any problems. I'm trying to use puppet to start and stop these services; however, it's not obvious if it is possible.

A suboptimal approach appears to be one in which I create a service.conf file in /etc/init - this service.conf file can su to the user and run the service. I think this is suboptimal, as it's not working with the user level control mechanisms that have already been designed into upstart.

So I'm wondering if there is any way to instruct puppet to automatically become a specific user before starting a specific service (presumably using initctl in the case of ubuntu).

Thoughts/pointers appreciated.

BR,
Seán.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
jcbollinger
2012-Sep-05 22:00 UTC
[Puppet Users] Re: Starting service as non root user with puppet
On Wednesday, September 5, 2012 10:37:40 AM UTC-5, Sean Murphy wrote:
>
> Hi,
>
> I have an ubuntu system with some of our own services on it. I prefer to run these services as a non-root user.
>
> I can control the services using upstart as a non root user and can start and stop the service using initctl without any problems. I'm trying to use puppet to start and stop these services; however, it's not obvious if it is possible.
>
> A suboptimal approach appears to be one in which I create a service.conf file in /etc/init - this service.conf file can su to the user and run the service. I think this is suboptimal, as it's not working with the user level control mechanisms that have already been designed into upstart.
>
> So I'm wondering if there is any way to instruct puppet to automatically become a specific user before starting a specific service (presumably using initctl in the case of ubuntu).
>

If you use Puppet's standard Service resource to manage your service then no, you cannot cause Puppet to assume a different user ID to execute the service management commands. But that should not be necessary.

Which user a service runs as should be a matter of that service's configuration, not of the UID of the process that starts it. Indeed, it is typically necessary for a privileged process to handle service startup in order to *enable* services to assume the correct user identity.

If your home-built services don't know how to set their own UIDs then they are deficient. Whoever is responsible for maintaining them should be introduced to the setuid() family of functions. In the mean time, you may have no alternative to using a wrapper of some kind (an upstart script, for instance).

Note, too, that this is not fundamentally a Puppet problem. You will have the same issue if you want to configure your services to start automatically (as the desired user) at system startup, for instance.

John

--
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/PbPLeJeRRqoJ.
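
The privilege drop that the reply above refers to with "the setuid() family of functions", as an added example that is not part of the thread or of any poster's code: a service started by root switches permanently to an unprivileged account and refuses to run if the switch did not take. The function names and the account name `svcuser` are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for initgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the process now runs as uid/gid and cannot regain root. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    /* If setuid(0) still succeeds, a saved root ID survived the drop. */
    return setuid(0) == -1;
}

/* Permanently switch to the named account. Returns 0 on success, -1 on error.
 * Order matters: supplementary groups and GID must change while still root. */
int drop_privileges_to(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0) return -1;  /* unknown user, or root */

    if (geteuid() == 0) {
        if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
        if (setgid(pw->pw_gid) != 0) return -1;
        if (setuid(pw->pw_uid) != 0) return -1;    /* never ignore this result */
    }
    return privileges_dropped(pw->pw_uid, pw->pw_gid) ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* "svcuser" is a hypothetical account name; pass the real one as argv[1]. */
    const char *user = argc > 1 ? argv[1] : "svcuser";

    /* Privileged setup (binding low ports, opening logs) would go here. */
    if (drop_privileges_to(user) != 0) {
        fprintf(stderr, "refusing to run: could not drop to %s\n", user);
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    /* ... service main loop ... */
    return 0;
}
```

Started by root (for example from a system upstart job), the process ends up as the target user; started by any other account, it runs only if it is already that user.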