Oh, and one more thing, to make this concrete. This is how I use it in production with runit. The only difference is that my nginx runs under the user "http".
/service/nginx/run:
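#!/bin/sh
# Create the runtime directory for the pid file and hand it to the unprivileged user
mkdir -p /run/nginx
chown http:http /run/nginx
# Start nginx as "http" through the capability wrapper; stderr is merged into stdout
exec /usr/local/bin/cap_net_bind_service http /usr/sbin/nginx 2>&1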
/usr/local/bin/cap_net_bind_service:
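#!/bin/sh
# Usage: cap_net_bind_service USER COMMAND
if [ -z "$1" ] || [ -z "$2" ]; then
    echo "$0 USER COMMAND"
    exit 1
fi
# Switch to USER while keeping only cap_net_bind_service (inheritable and ambient),
# then run COMMAND via the shell that capsh starts
exec /usr/sbin/capsh --keep=1 --user="$1" \
    --inh=cap_net_bind_service \
    --addamb=cap_net_bind_service \
    --caps=cap_net_bind_service+eip \
    -- -c "$2"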
and in the nginx.conf configuration these are the important things:
daemon off;
user http;
pid /run/nginx/nginx.pid;
output of ps faux | grep nginx:
root 1555 0.0 0.0 2200 1084 ? Ss Jun01 0:00 \_ runsv nginx
root 1668 0.0 0.0 2356 680 ? S Jun01 0:00 | \_ logger -p daemon info -t nginx
http 26481 0.6 0.4 167556 71960 ? S 15:06 0:00 | \_ nginx: master process /usr/sbin/nginx
http 26497 1.3 0.1 242252 18272 ? Sl 15:06 0:00 | \_ nginx: worker process
http 26499 0.0 0.1 241540 17712 ? Sl 15:06 0:00 | \_ nginx: worker process
http 26501 0.0 0.0 241292 14736 ? Sl 15:06 0:00 | \_ nginx: worker process
http 26502 0.0 0.0 241292 14764 ? Sl 15:06 0:00 | \_ nginx: worker process
http 26503 0.0 0.0 241292 14764 ? Sl 15:06 0:00 | \_ nginx: worker process
http 26504 0.0 0.0 241292 14764 ? Sl 15:06 0:00 | \_ nginx: worker process
http 26505 0.0 0.0 241292 14764 ? Sl 15:06 0:00 | \_ nginx: worker process
http 26506 0.0 0.0 241292 14764 ? Sl 15:06 0:00 | \_ nginx: worker process
http 26507 0.0 0.0 241292 15216 ? Sl 15:06 0:00 | \_ nginx: cache manager process
http 26508 0.0 0.0 241292 14764 ? Sl 15:06 0:00 | \_ nginx: cache loader process
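
Added example, not part of the original post: the ps output shows the user but not the capabilities, so this sketch audits a /proc/PID/status file and passes only if the process is non-root and holds nothing beyond cap_net_bind_service. The function names, the sample UID and the sample status text are constructed for illustration; the expected layout (all four sets equal to just that one capability) is an assumption about what the wrapper above produces.

```shell
#!/bin/sh
# Added example: audit capability sets of a process started via the capsh wrapper.
CAP_NET_BIND_SERVICE_MASK=$((1 << 10))   # CAP_NET_BIND_SERVICE is capability number 10

# status_field FILE NAME -> prints the first value on the "NAME:" line
status_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# check_caps FILE -> 0 if non-root and only cap_net_bind_service is held, else 1
check_caps() {
    status_file=$1
    rc=0
    if [ "$(status_field "$status_file" Uid)" = "0" ]; then
        echo "FAIL: process runs as root"
        rc=1
    fi
    for name in CapInh CapPrm CapEff CapAmb; do
        hex=$(status_field "$status_file" "$name")
        if [ -z "$hex" ]; then
            echo "FAIL: $name missing from status file"
            rc=1
            continue
        fi
        # Any bit other than bit 10 is privilege the service does not need
        extra=$(( 0x$hex & ~CAP_NET_BIND_SERVICE_MASK ))
        if [ "$extra" -ne 0 ]; then
            printf 'FAIL: %s has extra capability bits 0x%x\n' "$name" "$extra"
            rc=1
        fi
        # The effective set is what the kernel checks when binding ports below 1024
        if [ "$name" = CapEff ] && [ $(( 0x$hex & CAP_NET_BIND_SERVICE_MASK )) -eq 0 ]; then
            echo "FAIL: cap_net_bind_service not in effective set"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample (not from the page): a non-root process holding only bit 10
sample=$(mktemp)
printf 'Name:\tnginx\nUid:\t33\t33\t33\t33\nCapInh:\t0000000000000400\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000400\n' > "$sample"
check_caps "$sample" && echo "OK: only cap_net_bind_service held"
rm -f "$sample"
```

On a live system the function can be pointed at the master process, for example check_caps "/proc/$(cat /run/nginx/nginx.pid)/status", using the pid path from the nginx.conf above.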