No edit summary |
(note for dwalsh question) |
||
Line 55: | Line 55: | ||
=== Have the daemon create the directory when it starts up === | === Have the daemon create the directory when it starts up === | ||
Many times, daemons run as an unprivileged user who would not be allowed to create new directories directly into <code>/var/run</code> or <code>/var/lock</code>. | Many times, daemons run as an unprivileged user who would not be allowed to create new directories directly into <code>/var/run</code> or <code>/var/lock</code>. | ||
{{admon/question|Get dwalsh input| mzcalero suggests stating something like "If your daemon must run with root privleges anyway, then the daemon can create the directories when it starts. Be aware that if the daemon needs to use multiple SELinux labels on the created files then the code will need to explicitly tell selinux how to correctly label the directories" but there's some confusion of whether this is accurate: [11:37:12] <mezcalero> abadger1999: but well, the full rule is actually even more complex, i.e. i thinkt the file type matters, but the name definitely doesn't or so. and often it even is fine if two files created in /var/run are labelled the same. dwalsh needs to weigh in.}} | |||
=== Have the init script create the directory when it starts up the daemon === | === Have the init script create the directory when it starts up the daemon === |
Revision as of 19:47, 5 January 2011
tmpfiles.d is a service provided by both systemd and upstart for managing temporary files and directories. In this guideline we mainly oncentrate on how it is used to populate /var/run
and /var/lock
. In Fedora 15 and above, /var/run
and /var/lock
are tmpfs filesystems. As such, they are created empty on every reboot. For files intended to be placed into those directories, this should normally not pose any problems. For directories, however, we often need to create the directories ahead of time. This is best done using the tmpfiles.d mechanism that both upstart and systemd share.
tmpfiles.d configuration
Configuring tmpfiles.d just involves dropping a file into %{_sysconfdir}/tmpfiles.d/
that tells the init system what directories need to be created.
For example, the httpd package needs a few directories to be created in /var/run
in order for apache to run. The packager needs to create a file named apache.conf
that is installed as %{_sysconfdir}/tmpfiles.d/apache.conf
. The file has the following lines:
D /var/run/httpd 0710 root apache -
The format of the line is as follows:
D
specifies that a directory is to be created if it doesn't exist; empties it if it does exist./var/run/httpd
is the filesystem path to create0710
are the permissions to apply to the directory when it is createdroot
is the owner of the directoryapache
is the group that owns the directory-
the last field is for age (if used should be a time specification such as1min
) which specifies to delete some files in the directory automatically in regular intervals. This is mostly useful for directories such as /tmp and is seldom used by packages.
Information on other options is available on the tmpfiles.d man page should you need to do something more advanced.
Example spec file
In the spec file, the packager needs to install the tmpfiles.d conf file and also make sure the directory is included in the rpm.
# tmpfiles.d configuration for apache's /var/run directory Source1: httpd.conf Requires: initscripts [...] %install mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d install -m 0644 %{source1} %{buildroot}%{_sysconfdir}/tmpfiles.d/ # The next two lines may not be needed if the upstream's install script creates them mkdir -p %{buildroot}%{_localstatedir}/run/ install -d -m 0710 %{buildroot}%{_localstatedir}/run/httpd/ [...] %files %defattr(0644, root, root, 0755) %dir %{_localstatedir}/run/httpd/ %config(noreplace) %{_sysconfdir}/tmpfiles.d/httpd.conf
Files that the program places directly into /var/run
or /var/lock
or into subdirectories of those may be listed in the %files section as %ghost
but this is not required as the files will be cleaned up on every reboot.
Why not create the directories with XXXXXX instead?
There are multiple ways to try creating the directories but most suffer some disadvantage that tmpfiles.d addresses:
Have the daemon create the directory when it starts up
Many times, daemons run as an unprivileged user who would not be allowed to create new directories directly into /var/run
or /var/lock
.
Have the init script create the directory when it starts up the daemon
Since the init script is run by root, before the daemon drops privileges, why not create the directories there?
- This code would need to be implemented in every init script packaged. Since both upstart and systemd support tmpfiles.d, we can cut down on the number of places we have to put code like this.
- Having to add the mkdir to the systemd unit files when tmpfiles.d is already in place introduces the need to run shell code for that init script. Systemd is no longer able to handle starting the daemon by itself which slows things down. The shell code also introduces imperative constructs into the otherwise declarative structure which is nice to avoid.
- Properly labelling the created directories is done automatically by the tmpfiles.d mechanism but would have to be manually done by the init script.