More issue description.
My initial problem was connected with hammer radosgw on el7. I couldn't run radosgw under a non-privileged user without a shell (/sbin/nologin), because you can't ask su, sudo or runuser to start a process as a user without a shell - these binaries do need a shell. But daemon() from /etc/init.d/functions or start_daemon() from /lib/lsb/init-functions don't need it and are written for this special usage.
I decided to write 2 patches: for init-ceph and for init-radosgw to keep start of these daemons with initscripts in the same style.
The problem:
~]# getent passwd radosgw
radosgw:x:1003:1003::/var/lib/ceph/radosgw/:/sbin/nologin
~]# /bin/su radosgw -c '/bin/radosgw -n client.radosgw.i-c5ef3fa1'
This account is currently not available.
~]# ps aux | grep rados
root 11402 0.0 0.0 112648 968 pts/0 S+ 11:32 0:00 grep --color=auto rados
Right way (if we don't use systemd-units on el7 hammer):
~]# . /etc/init.d/functions
~]# daemon --user="radosgw" "/bin/radosgw -n client.radosgw.i-c5ef3fa1"
~]# [ OK ]
~]# ps aux | grep rados
radosgw 11757 1.0 0.2 2151224 9468 ? Ssl 11:34 0:00 /bin/radosgw -n client.radosgw.i-c5ef3fa1
root 11893 0.0 0.0 112648 968 pts/0 S+ 11:34 0:00 grep --color=auto rados
Anyway, even if you don't use systemd-run, you can work through systemctl:
~]# systemctl status ceph-radosgw
● ceph-radosgw.service - LSB: radosgw RESTful rados gateway
Loaded: loaded (/etc/rc.d/init.d/ceph-radosgw)
Active: active (running) since Fri 2016-06-24 11:44:04 MSK; 3s ago
Docs: man:systemd-sysv-generator(8)
Process: 8023 ExecStop=/etc/rc.d/init.d/ceph-radosgw stop (code=exited, status=0/SUCCESS)
Process: 20117 ExecReload=/etc/rc.d/init.d/ceph-radosgw reload (code=exited, status=0/SUCCESS)
Process: 13781 ExecStart=/etc/rc.d/init.d/ceph-radosgw start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/ceph-radosgw.service
└─13805 /bin/radosgw -n client.radosgw.i-c5ef3fa1
Jun 24 11:44:04 i-c5ef3fa1 systemd[1]: Starting LSB: radosgw RESTful rados gateway...
Jun 24 11:44:04 i-c5ef3fa1 ceph-radosgw[13781]: Starting client.radosgw.i-c5ef3fa1...
Jun 24 11:44:04 i-c5ef3fa1 runuser[13801]: pam_unix(runuser:session): session opened for user radosgw by (uid=0)
Jun 24 11:44:04 i-c5ef3fa1 systemd[1]: Started LSB: radosgw RESTful rados gateway.
Jun 24 11:44:04 i-c5ef3fa1 ceph-radosgw[13781]: [ OK ]
About backports:
It's very much needed in EL7 hammer. There is no ability to start a daemon under a non-privileged user, since el7 hammer doesn't provide packaged systemd units, and changing packaging is not a good idea in a minor release, because it can break the automation and other aspects for users.
I think these changes should be in all supported branches (hammer, jewel) to keep these scripts in unified style - but this is already not a technical issue.
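The check described above, as an added example that is not part of the original post or of the Ceph init scripts: it reads the login-shell field of a passwd entry and reports whether the su form or the daemon --user form from the post would apply, so the service account can keep /sbin/nologin. The function names and the second sample account are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration: choose a launch form for a service account
# based on the 7th (login shell) field of its passwd(5) entry.

# login_shell_of LINE: print the login shell field of a passwd line.
login_shell_of() {
    printf '%s\n' "$1" | awk -F: '{ print $7 }'
}

# su_usable LINE: succeed if `su USER -c CMD` can run for this entry.
# Accounts whose shell is nologin or false are refused by su.
su_usable() {
    case "$(login_shell_of "$1")" in
        */nologin|*/false) return 1 ;;
        *) return 0 ;;   # an empty field means the default shell
    esac
}

# launch_plan LINE CMD: print the command line an init script would use.
launch_plan() {
    user=${1%%:*}
    if su_usable "$1"; then
        printf "su %s -c '%s'\n" "$user" "$2"
    else
        # Form shown in the post; needs /etc/init.d/functions sourced.
        printf 'daemon --user="%s" "%s"\n' "$user" "$2"
    fi
}

# Constructed sample entries: the first is the one shown in the post,
# the second is a hypothetical account with a real shell.
SAMPLE_NOLOGIN='radosgw:x:1003:1003::/var/lib/ceph/radosgw/:/sbin/nologin'
SAMPLE_SHELL='svcdemo:x:1004:1004::/home/svcdemo:/bin/bash'

launch_plan "$SAMPLE_NOLOGIN" '/bin/radosgw -n client.radosgw.i-c5ef3fa1'
launch_plan "$SAMPLE_SHELL" '/usr/bin/true'
```

On a live host the same functions can be fed `getent passwd radosgw` output instead of the constructed lines.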