It seems I’ve been writing little daemons a lot lately–small things that don’t want to run as root but still need to be launched in the background as services. I’ve been noticing because it’s such a pain to integrate them into the system once they are written (or installed). I have to mess around as root creating \/etc\/init.d shell scripts (probably by copy and pasting–who out there can actually make those from scratch?) or maybe tweaking some upstart or systemd config file.<\/p>\n
And then when I’m done it annoys me that I have to be root to start or stop a daemon that ends up running as my login user anyway.<\/p>\n
So last October (2010) I sat down and wrote daemon-manager. It started from a few core ideas:<\/p>\n
There are programs out there that do parts of that list, but none that do everything:<\/p>\n
[runs_as]\r\ndavid: www-data\r\nmichaelc: www-data\r\namy: www-data\r\njoann: www-data\r\njim:\r\ngreenfelt: greenfelt-daemon\r\n\r\n[manages]\r\ndavid: michaelc,amy,joann,greenfelt\r\nmichaelc: amy, joann\r\nbill: joann\r\njim: greenfelt<\/code><\/pre>\nThe main section is the “runs_as” section. This section tells Daemon Manager which users are allowed to start daemons and which users the daemons can be run as. In the above example, “david”, “michaelc”, “amy”, and “joann” can launch daemons as themselves and also “www-data”. “greenfelt” can launch daemons as itself and the “greenfelt-daemon” user. “jim” is only allowed to launch daemons as himself. No other users on the system are allowed to launch daemons at all because they weren’t explicitly listed.<\/p>\n
The “manages” section is a little experimental at this point, but the idea is that “david” is allowed to manage (start, stop, or restart) the daemons of “michaelc”, “amy”, “joann”, and “greenfelt” in addition to his own daemons. This is so you can have help desk type users who can stop or restart other users’ daemons even though they may not have read or write access to the users’ home directories. As you might expect, “root” is always allowed to start and stop anyone’s daemons.<\/p>\n
Daemon: deluged.conf<\/h3>\ndir=\/home\/david\r\nstart=exec deluged -d<\/code><\/pre>\nThis is a simple Daemon Manager config file that launches the deluge bittorrent daemon. “dir” and “start” are the only required entries in the config file. “dir” is the working directory and “start” is a one line shell script to run. Because it is a shell script it needs<\/em> to “exec”, otherwise Daemon Manager can’t manage it properly.2<\/a><\/sup><\/p>\nDaemon: wordpress.conf<\/h3>\ndir=\/home\/amy\/wordpress\r\nuser=www-data\r\nstart=exec php-cgi -q -b wordpress.socket<\/code><\/pre>\nThis starts a PHP FastCGI daemon in a WordPress directory and starts it running with as the “www-data” user (“amy” was given explicit permission to start daemons as the www-data user in “\/etc\/daemon-manager.conf”).<\/p>\n
Daemon: greenfelt.conf<\/h3>\ndir=\/var\/www\/greenfelt.net\r\nuser=greenfelt-daemon\r\nstart=exec .\/script\/greenfelt_fastcgi.pl -l greenfelt.socket -n 1\r\noutput=log<\/code><\/pre>\nThis is a paraphrase of the config file that runs greenfelt.net<\/a> which is a Catalyst<\/a> app that talks to nginx via FastCGI through the “greenfelt.socket” unix domain socket. It runs as the user “greenfelt-daemon” so it can have less privileges than the main “greenfelt” user. The “output” parameter tells Daemon Manager to collect the stdout and stderr of the daemon and save it to a log file in the “~\/.daemon-manager\/logs\/” directory (the default setting is to throw away stdout and stderr).<\/p>\nControlling Daemon Manager<\/h2>\n
Daemon Manager is controlled using the “dmctl” command. It is relatively simple at this point, allowing you to start, stop and restart daemons. It also lets you scan for new config files and query for daemon statistics. Here’s an example output the “status” command:<\/p>\n
$ dmctl status\r\ndaemon-id state pid respawns cooldown uptime total\r\ndavid\/deluge-web running 2948 0 0s 3w3d 3w3d\r\ndavid\/deluged running 2950 0 0s 3w3d 3w3d\r\ndavid\/greenfelt stopped 0 0 0s 0s 0s\r\ndavid\/minecraft stopped 0 0 0s 0s 0s\r\ndavid\/moviefile running 2951 0 0s 3w3d 3w3d\r\ndavid\/pytivo running 22905 0 0s 4d7h 4d7h\r\ndavid\/streamium running 2958 0 0s 3w3d 3w3d\r\ndavid\/wordpress running 27012 33 0s 12h57m 3w3d<\/pre>\nNotice that the wordpress server (good old php-cgi) has crashed 33 times (and has been automatically respawned by Daemon Manager).<\/p>\n
Download and Use<\/h2>\n
Daemon Manager is licensed under the GPL<\/a> and can be downloaded here<\/a> (the source is also available on github<\/a>). If you use Debian there’s a Debian branch<\/a> available for building a package. The version as of this writing is 0.9 which means that there are some obvious things that need to be fixed3<\/a><\/sup> and that I’m not sure it’s 100% secure or bug free yet, though I have been using it for months now and I absolutely love it–it filled a void I wasn’t even sure was really there when I started.<\/p>\nFor a more detailed version of the history of Daemon Manager, see this blog post<\/a>.<\/p>\n\n<\/div>\n\n- That way, if there is a security hole in your code the attacker doesn’t get access to your main login account. ↩<\/a><\/span><\/li>\n
- I would like to change that but I’m having trouble getting dash (\/bin\/sh on my Debian system) to pass signals onto its child processes. Bash seems to work correctly and so the exec is not needed if \/bin\/sh is bash on your system. ↩<\/a><\/span><\/li>\n
- The dmctl commands and arguments should be reversed so it’s more like system v init scripts or the “service” command: “dmctl wordpress stop” instead of the current “dmctl stop wordpress”. ↩<\/a><\/span><\/li>\n<\/ol>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
It seems I’ve been writing little daemons a lot lately–small things that don’t want to run as root but still need to be launched in the background as services. I’ve been noticing because it’s such a pain to integrate them into the system once they are written (or installed). I have to mess around as … Continue reading Daemon-Manager: Manage your non-privileged daemons<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3,10],"tags":[],"class_list":["post-257","post","type-post","status-publish","format-standard","hentry","category-software","category-sysadmin"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/posts\/257","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/comments?post=257"}],"version-history":[{"count":22,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/posts\/257\/revisions"}],"predecessor-version":[{"id":501,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/posts\/257\/revisions\/501"}],"wp:attachment":[{"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/media?parent=257"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/categories?post=257"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/porkrind.org\/missives\/wp-json\/wp\/v2\/tags?post=257"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}