
Re: [alpine-devel] [PATCH] Add more default options, Add user varnish.

From: Natanael Copa <ncopa_at_alpinelinux.org>
Date: Tue, 7 May 2013 15:59:56 +0200

sorry for late reply

On Tue, 16 Apr 2013 13:40:20 +0000
"V.Krishn" <vkrishn4_at_gmail.com> wrote:

> From: "V.Krishn" <vkrishn4_at_gmail.com>
>
> Users should read manual pages before running varnish in production.
> ---
> main/varnish/APKBUILD | 17 ++++++++++++-----
> main/varnish/varnish.pre-install | 5 +++++
> main/varnish/varnishd.confd | 34 ++++++++++++++++++++++++++++++++--
> main/varnish/varnishd.initd | 12 ++++++------
> 4 files changed, 55 insertions(+), 13 deletions(-)
> create mode 100644 main/varnish/varnish.pre-install
>
> diff --git a/main/varnish/APKBUILD b/main/varnish/APKBUILD
> index 6fafe20..e98d95d 100644
> --- a/main/varnish/APKBUILD
> +++ b/main/varnish/APKBUILD
> _at_@ -1,17 +1,20 @@
> # Contributor: Leonardo Arena <rnalrd_at_alpinelinux.org>
> +# Contributor: V.Krishn <vkrishn4_at_gmail.com>
> # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
> pkgname=varnish
> pkgver=3.0.3
> -pkgrel=1
> +pkgrel=2
> pkgdesc="High-performance HTTP accelerator"
> url="http://www.varnish-cache.org/"
> arch="all"
> license="BSD"
> -depends="gcc libc-dev"
> +depends="gcc uclibc-dev"

I cannot apply this patch due to this change. we did a meta libc-dev package to pull in the correct libc (it can be either uclibc-dev or eglibc-dev depending on the environment)

> depends_dev=
> makedepends="$depends_dev pcre-dev ncurses-dev"
> install=""
> subpackages="$pkgname-dev $pkgname-doc $pkgname-libs"
> +pkgusers="varnish"
> +pkggroups="varnish"
> source="http://repo.varnish-cache.org/source/varnish-$pkgver.tar.gz
> varnishd.initd
> varnishd.confd
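Review bot: `install=""` stays unchanged as a context line in this hunk, so the varnish.pre-install script that this patch creates is never registered with the package. As far as I can tell, `pkgusers`/`pkggroups` only make the account available while building, so on a fresh install the varnish user and group would be missing while varnishd.confd passes `-u varnish`. Set `install="$pkgname.pre-install"` next to the new `pkgusers`/`pkggroups` lines.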
> _at_@ -50,7 +53,11 @@ package() {
> || return 1
> install -Dm644 "$srcdir"/varnishd.logrotate \
> "$pkgdir"/etc/logrotate.d/varnishd || return 1
> - mkdir -p "$pkgdir"/var/log/varnish
> + install -d -o varnish -g varnish \
> + "$pkgdir"/var/cache/varnish \
> + "$pkgdir"/var/log/varnish \

Those are good.

> + "$pkgdir"/var/run/varnish \

/var/run is a tmpfs mounted at boot. we should have a checkpath --directory from init.d script instead of creating the dir in .apk.


> + || return 1
> find "$pkgdir" -name *.la -print | xargs rm
> }
>
> _at_@ -61,7 +68,7 @@ libs() {
> }
>
> md5sums="714310c83fdbd2061d897dacd3f63d8b varnish-3.0.3.tar.gz
> -4f78964bf3eb6f1fd0fd2d533575982e varnishd.initd
> -6dd289ba81464eacc238109143126d6a varnishd.confd
> +d734dd74ab449200fefd954e72845ca7 varnishd.initd
> +daac2a8dade3abebb9e36cd1786360b0 varnishd.confd
> a6cb8a43c9465699cf956dc992998225 varnishd.logrotate
> 8c5532869bea7f668e2ce5d4585359f8 varnish-3.0.3-pthread-uclibc.patch"
> diff --git a/main/varnish/varnish.pre-install b/main/varnish/varnish.pre-install
> new file mode 100644
> index 0000000..7aa01c1
> --- /dev/null
> +++ b/main/varnish/varnish.pre-install
> _at_@ -0,0 +1,5 @@
> +#!/bin/sh
> +
> +addgroup varnish 2>/dev/null
> +adduser -S -H -h /var/lib/varnish -s /bin/false -D -G varnish varnish 2>/dev/null
> +exit 0
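Review bot: `addgroup varnish` is called without `-S`, so the group is created as a regular group while the user on the next line is a system account; `addgroup -S varnish 2>/dev/null` keeps the two consistent. The home given with `-h /var/lib/varnish` is not a directory this package creates (the APKBUILD installs /var/cache/varnish, /var/log/varnish and /var/run/varnish), so `-h /var/cache/varnish` would match what is actually shipped. Since stderr is discarded and the script always exits 0, any failure other than "already exists" is silent; a short comment such as `# errors ignored: account may already exist` would record that this is deliberate.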

i think we should use /sbin/nologin instead of /bin/false (we should change all our .pre-install scripts to that)


> diff --git a/main/varnish/varnishd.confd b/main/varnish/varnishd.confd
> index 1b46706..e24e5f1 100644
> --- a/main/varnish/varnishd.confd
> +++ b/main/varnish/varnishd.confd
> _at_@ -1,12 +1,42 @@
> # /etc/conf.d/varnishd
>
> +# Varnish user.
> +VARNISH_USER="varnish"
> +
> +# Varnish group.
> +VARNISH_GROUP="varnish"

Is there any situation where we want users to be able to run varnish as a user other than "varnish"? if not, i think we could remove this, and simply not give them the option to set the user/group.

> +
> +# Varnish configuration file.
> +VARNISH_CONF="/etc/varnish/default.vcl"
> +
> +VARNISH_SECRET_FILE="/etc/varnish/secret"
> +
> +# Varnish address.
> +VARNISH_LISTEN_ADDRESS=
> +VARNISH_PORT=8080
> +
> +# Varnish work files.
> +VARNISH_WORKING_DIR="/var/cache/$VARNISH_USER"
> +VARNISH_STORAGE_FILE="/var/cache/$VARNISH_USER/varnish_storage.bin"
> +VARNISH_STORAGE_SIZE=50M
> +VARNISH_STORAGE="file,${VARNISH_STORAGE_FILE},${VARNISH_STORAGE_SIZE}"
> +
> +# PID files
> +VARNISHD_PID_FILE=/var/run/varnish/varnishd.pid
> +VARNISHNCSA_PID_FILE=/var/run/varnish/varnishncsa.pid
> +
> +# Varnish admin.
> ADMINHOSTPORT="127.0.0.1:65080"
> -CFG_FILE="/etc/varnish/default.vcl"
>
> # options passed to varnish on startup
> # please see the varnishd man page for more options
> -VARNISHD_OPTS="-a 127.0.0.1:8080 -T $ADMINHOSTPORT -f $CFG_FILE"
> +VARNISHD_OPTS="-a ${VARNISH_LISTEN_ADDRESS}:${VARNISH_PORT} -f ${VARNISH_CONF} -s ${VARNISH_STORAGE} -P $VARNISHD_PID_FILE -n $VARNISH_WORKING_DIR -T $ADMINHOSTPORT"
> +
> +if [ `id|sed -e s/uid=//g -e s/\(.*//g` -eq 0 ]; then
> + VARNISHD_OPTS="-u varnish $VARNISHD_OPTS"
> +fi

i dont like running sed lines in a config file...

> # arguments passed to varnishncsa
> # please see the varnishncsa man page for more options
> VARNISHNCSA_ARGS="-c -a -w /var/log/varnish/access.log"
> +
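Review bot: With `VARNISH_LISTEN_ADDRESS=` left empty, `-a ${VARNISH_LISTEN_ADDRESS}:${VARNISH_PORT}` expands to `-a :8080`, which listens on every interface where the removed default was `-a 127.0.0.1:8080`; shipping `VARNISH_LISTEN_ADDRESS=127.0.0.1` keeps the old exposure and lets the admin widen it on purpose. `VARNISH_SECRET_FILE` is defined but never reaches `VARNISHD_OPTS`, so the management port on `$ADMINHOSTPORT` starts without secret-file authentication; adding `-S ${VARNISH_SECRET_FILE}` would close that, provided the file is installed with restrictive permissions and the `varnishadm` calls in the init script are given the same `-S`. `-P $VARNISHD_PID_FILE` is also passed a second time by start() in varnishd.initd, so it should be dropped from one of the two places.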
> diff --git a/main/varnish/varnishd.initd b/main/varnish/varnishd.initd
> index b8c5653..8ccb220 100755
> --- a/main/varnish/varnishd.initd
> +++ b/main/varnish/varnishd.initd
> _at_@ -13,24 +13,24 @@ start() {
> ebegin "Starting varnish"
> #allow varnishd to lock logfile to memory
> ulimit -l 82000
> - start-stop-daemon --quiet --start --pidfile /var/run/varnishd.pid --exec /usr/sbin/varnishd -- -P /var/run/varnishd.pid ${VARNISHD_OPTS} &> /dev/null
> + start-stop-daemon --quiet --start --pidfile ${VARNISHD_PID_FILE} --exec /usr/sbin/varnishd -- -P ${VARNISHD_PID_FILE} ${VARNISHD_OPTS} &> /dev/null
> eend $?
>
> if [ "${VARNISHNCSA_ARGS}" != "" ]; then
> ebegin "Starting varnish logging"
> - start-stop-daemon --quiet --start --pidfile /var/run/varnishncsa.pid --exec /usr/bin/varnishncsa -- -D -P /var/run/varnishncsa.pid ${VARNISHNCSA_ARGS}
> + start-stop-daemon --quiet --start --pidfile ${VARNISHNCSA_PID_FILE} --exec /usr/bin/varnishncsa -- -D -P ${VARNISHNCSA_PID_FILE} ${VARNISHNCSA_ARGS}
> eend $?
> fi
> }
>
> stop() {
> ebegin "Stopping varnish"
> - start-stop-daemon --quiet --stop --pidfile /var/run/varnishd.pid
> + start-stop-daemon --quiet --stop --pidfile ${VARNISHD_PID_FILE}
> eend $?
>
> - if [ -e /var/run/varnishncsa.pid ]; then
> + if [ -e ${VARNISHNCSA_PID_FILE} ]; then
> ebegin "Stopping varnish logging"
> - start-stop-daemon --quiet --stop --pidfile /var/run/varnishncsa.pid
> + start-stop-daemon --quiet --stop --pidfile ${VARNISHNCSA_PID_FILE}
> eend $?
> fi
> }
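Review bot: The pid-file variables in start() and stop() are expanded unquoted and have no default, so when /etc/conf.d/varnishd does not define them `--pidfile` takes the following option (`--exec`) as its argument, and `[ -e ${VARNISHNCSA_PID_FILE} ]` collapses to `[ -e ]`, which is always true. Set defaults before first use, e.g. `: "${VARNISHD_PID_FILE:=/var/run/varnish/varnishd.pid}"` and `: "${VARNISHNCSA_PID_FILE:=/var/run/varnish/varnishncsa.pid}"`, and quote each expansion as in `--pidfile "${VARNISHD_PID_FILE}"`. The opening line of start() is outside the hunk.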
> _at_@ -47,7 +47,7 @@ reload() {
>
> # reload new one
> NOW=$(date +%Y%m%d-%H%M%S-%s)
> - /usr/bin/varnishadm -T $ADMINHOSTPORT vcl.load reload-$NOW $CFG_FILE > /dev/null
> + /usr/bin/varnishadm -T $ADMINHOSTPORT vcl.load reload-$NOW $VARNISH_CONF > /dev/null

I think this will break things for people who upgrade. we should probably fall back to CFG_FILE if VARNISH_CONF is unset, eg ${VARNISH_CONF:-${CFG_FILE}} (or exit with error if it's not)

> /usr/bin/varnishadm -T $ADMINHOSTPORT vcl.use reload-$NOW > /dev/null
>
> eend $?


