[systemd-devel] GuessMainPID=no required to make daemon reload work

Colin Guthrie gmane at colin.guthr.ie
Wed May 7 01:07:22 PDT 2014


'Twas brillig, and Lennart Poettering at 05/05/14 16:27 did gyre and gimble:
>> > ExecStart=/usr/sbin/icinga2 -c ${ICINGA2_CONFIG_FILE} -d -e ${ICINGA2_ERROR_LOG} -u ${ICINGA2_USER} -g ${ICINGA2_GROUP}
> I'd recommend teaching the daemon to find its own config file when none
> is specified and read the rest of the parameters from there...

Apologies if I've missed a small detail, but I don't think you talk
about needing raised privileges much in this thread...

I see you have -u and -g arguments to icinga2.

This means systemd will start it as root and it's up to icinga2 to drop
privs.

Unless you need to keep this priv for the lifetime of the process (i.e.
the main daemon runs as root and only child processes are actually run
under the less privileged user), then you may be better using User= and
Group= directives in the systemd unit. This way you allow systemd to
totally isolate your daemon to only that user.

You can use e.g. tmpfiles to set up needed directories in /run (and
in fact newer systemds can do some directory permission/creating
internally just from the unit contents too).

If this doesn't apply feel free to ignore :)

Col



-- 

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
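
Added example, not part of the original message and not Icinga's shipped unit: the ExecStart= line quoted above next to the User=/Group= form the reply suggests, with the /run directory handled from the unit or from tmpfiles. The account name "icinga", the directory name "icinga2", the tmpfiles.d file name, and the assumption that icinga2 runs without -u/-g when it is already unprivileged are all illustrative.

```ini
# --- Before: systemd starts the daemon as root; icinga2 drops privileges itself ---
[Service]
ExecStart=/usr/sbin/icinga2 -c ${ICINGA2_CONFIG_FILE} -d -e ${ICINGA2_ERROR_LOG} -u ${ICINGA2_USER} -g ${ICINGA2_GROUP}

# --- After: systemd switches user before exec, so the daemon never runs as root ---
[Service]
# User=/Group= take literal names; ${VAR} expansion only applies to Exec lines,
# so ${ICINGA2_USER} cannot be reused here. "icinga" is an assumed account name.
User=icinga
Group=icinga
# Creates /run/icinga2 owned by User=/Group= at start and removes it at stop.
# "icinga2" is an assumed directory name.
RuntimeDirectory=icinga2
RuntimeDirectoryMode=0750
# -u/-g dropped, assuming the daemon needs no switch when already unprivileged.
ExecStart=/usr/sbin/icinga2 -c ${ICINGA2_CONFIG_FILE} -d -e ${ICINGA2_ERROR_LOG}

# --- tmpfiles.d alternative to RuntimeDirectory= (assumed file: /etc/tmpfiles.d/icinga2.conf) ---
# d /run/icinga2 0750 icinga icinga -
```

With the second form, the config file and the error log path must already be accessible to that account, since nothing in the service runs as root to fix them up.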

