The idea for Daemon Manager came about when I was converting a web site from Apache to Nginx. Nginx doesn’t launch FastCGI programs itself\u2014it only connects to FastCGI sockets and so it requires that you manage the FastCGI server yourself.<\/p>\n
For a simple web site it might be OK to manually create an \/etc\/init.d script, but even for our relatively simple solitaire site<\/a> we ended having about 5 separate FastCGI servers (between the blog, the forum, and our test servers). At home I host virtual servers for various members of my family and so there’s a ton of accounts and blogs and forums and other random stuff. I just can’t abide copy and pasting 20 \/etc\/init.d scripts and then managing them all as they slowly fork away from each other over time. Not to mention that ordinary users can’t manage \/etc\/init.d scripts themselves (without compromising system security) and if the script does any sort of setuid() calls then they can’t even restart their FastCGI servers without there being some sort of arcane sudo<\/em> configuration.<\/p>\n I also ran into a problem with PHP. I wanted to run WordPress on Nginx which meant I had to run the “php-cgi” FastCGI server. The problem is that “php-cgi” seems to just die randomly which means I needed some sort of watchdog that starts it back up when it fails.<\/p>\n What I really wanted is a program that lets non-privileged users launch and respawn their own daemons securely and very simply.<\/p>\n Daemon Manager is the result.<\/p>\n The main principles of Daemon Manager’s design were:<\/p>\n There are programs out there that do parts of that list, but none that do everything:<\/p>\n From those ideas Daemon Manager was born. I prototyped it in Perl in about 8 hours. The idea seemed sound but I was unhappy with the memory requirements of Perl. I wanted it to be something really small and lean, without any external dependencies. So I rewrote it in C++. It now takes up hardly any RAM which makes it suitable for smaller or embedded environments. The main loop just poll()s on the control sockets and calls wait() when necessary, occasionally restarting a crashed daemon.<\/p>\n I tried to think about security because if it’s insecure then nobody is going to want to use it seriously. Daemon Manager will refuse to read config files that don’t have the right permissions. It uses Unix domain sockets to communicate with users (1 socket for each user in ~\/.daemon-manager\/command.sock) and makes sure that each socket has the correct permissions when it starts\u2014this way user authentication is handled by the operating system’s filesystem permissions layer. By default users of the system are not allowed to run anything\u2014root must authorize each user and specify which users their daemons can be run as.<\/p>\n The main section is the “runs_as” section. This section tells Daemon Manager which users are allowed to start daemons and which users the daemons can be run as. In the above example, “david”, “michaelc”, “amy”, “joann”, and “greenfelt” can launch daemons as themselves and also “www-data”. “jim” is only allowed to launch daemons as himself. No other users on the system are allowed to launch daemons at all because they weren’t listed.<\/p>\n The “manages” section is a little experimental at this point, but the idea is that “david” is allowed to manage (start, stop, or restart) the daemons of “michaelc”, “amy”, “joann”, and “greenfelt” in addition to his own daemons. This is so you can have help desk type users who can stop or restart other users’ daemons even though they may not have read or write access to the users’ home directories.<\/p>\n This is a simple Daemon Manager config file that launches the deluge bittorrent client daemon. “dir” and “start” are the only required entries in the file. “dir” is the working directory and “start” is a one line shell script to run. Because it is a shell script it needs<\/em> to “exec”, otherwise Daemon Manager can’t manage it properly.2<\/a><\/sup><\/p>\n This starts a PHP FastCGI daemon in a WordPress directory and starts it running with as the “www-data” user.<\/p>\n This is a paraphrase of the config file that runs greenfelt.net<\/a> which is a Catalyst<\/a> app. The “output” parameter tells Daemon Manager to collect the stdout and stderr of the daemon and save it to a log file in the “~\/.daemon-manager\/logs\/” directory.<\/p>\n Daemon Manager is controlled using the “dmctl” command. It is relatively simple at this point, allowing you to start, stop and restart daemons. It also lets you scan for new conf files and query for daemon statistics. Here’s an example output the “status” command:<\/p>\n Notice that the wordpress server (good old php-cgi) has crashed 33 times (and has been automatically respawned by Daemon Manager). Also notice that despite FastCGI being the impetus for creating Daemon Manager, most of my running daemons are not actually FastCGI servers.<\/p>\n Daemon Manager is licensed under the GPL<\/a> and can be downloaded here<\/a> (the source is also available on github<\/a>). If you use Debian there’s a Debian branch<\/a> available for building a package. The version as of this writing is 0.9 which means that there are some obvious things that need to be fixed3<\/a><\/sup> and that I’m not sure it’s 100% secure or bug free yet, though I have boldly started using it on a couple sites and so far it’s been working great.<\/p>\n The idea for Daemon Manager came about when I was converting a web site from Apache to Nginx. Nginx doesn’t launch FastCGI programs itself\u2014it only connects to FastCGI sockets and so it requires that you manage the FastCGI server yourself. For a simple web site it might be OK to manually create an \/etc\/init.d script, … Continue reading Introducing Daemon Manager<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3,10],"tags":[],"class_list":["post-193","post","type-post","status-publish","format-standard","hentry","category-software","category-sysadmin"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/posts\/193","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/comments?post=193"}],"version-history":[{"count":57,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/posts\/193\/revisions"}],"predecessor-version":[{"id":502,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/posts\/193\/revisions\/502"}],"wp:attachment":[{"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/media?parent=193"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/categories?post=193"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/tags?post=193"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Design<\/h2>\n
\n
\n
Implementation<\/h2>\n
A Quick Tutorial Through Examples<\/h2>\n
Master config: \/etc\/daemon-manager.conf<\/h3>\n
[runs_as]\r\ndavid: www-data\r\nmichaelc: www-data\r\namy: www-data\r\njoann: www-data\r\njim:\r\ngreenfelt: www-data\r\n\r\n[manages]\r\ndavid: michaelc,amy,joann,greenfelt\r\nmichaelc: amy, joann\r\nbill: joann\r\njim: greenfelt<\/code><\/pre>\nDaemon: deluged.conf<\/h3>\n
dir=\/home\/david\r\nstart=exec deluged -d<\/code><\/pre>\nDaemon: wordpress.conf<\/h3>\n
dir=\/home\/user\/wordpress\r\nuser=www-data\r\nstart=exec php-cgi -q -b wordpress.socket<\/code><\/pre>\nDaemon: greenfelt.conf<\/h3>\n
dir=\/var\/www\/greenfelt.net\r\nuser=www-data\r\nstart=exec .\/script\/greenfelt_fastcgi.pl -l greenfelt.socket -n 1\r\noutput=log<\/code><\/pre>\nControlling Daemon Manager<\/h2>\n
$ dmctl status\r\ndaemon-id\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 state\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pid respawns cooldown\u00a0\u00a0 uptime\u00a0\u00a0\u00a0 total\r\ndavid\/deluge-web\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 running\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2948\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0s\u00a0\u00a0\u00a0\u00a0 3w3d\u00a0\u00a0\u00a0\u00a0 3w3d\r\ndavid\/deluged\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 running\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2950\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0s\u00a0\u00a0\u00a0\u00a0 3w3d\u00a0\u00a0\u00a0\u00a0 3w3d\r\ndavid\/greenfelt\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 stopped\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0s\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0s\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0s\r\ndavid\/minecraft\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 stopped\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0s\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0s\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0s\r\ndavid\/moviefile\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 running\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2951\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0s\u00a0\u00a0\u00a0\u00a0 3w3d\u00a0\u00a0\u00a0\u00a0 3w3d\r\ndavid\/pytivo\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 running\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 22905\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0s\u00a0\u00a0\u00a0\u00a0 4d7h\u00a0\u00a0\u00a0\u00a0 4d7h\r\ndavid\/streamium\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 running\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2958\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0s\u00a0\u00a0\u00a0\u00a0 3w3d\u00a0\u00a0\u00a0\u00a0 3w3d\r\ndavid\/wordpress\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 running\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 27012\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 33\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0s\u00a0\u00a0 12h57m\u00a0\u00a0\u00a0\u00a0 3w3d<\/code><\/pre>\nDownload and Use<\/h2>\n
\n