[Twisted-Python] Log file ownership

Hi, I am running an app as root on Linux using a .tac file and twistd. The application object is initialized with a certain gid and uid. Logging is configured to rotate daily by way of DailyLogFile. However, the log file it creates is owned by root with 600 file permission and log rotation is failing. I have read about acl to configure default file permissions but is there a way to solve this only in Twisted? --Enrique

On 06/06/2012 08:46 PM, Enrique Samson Jr, wrote:
Perhaps someone else can comment on what might be a bug, but one thing to do is to run your program directly as the uid and gid you want (rather than root). Since presumably the goal is to bind to a port <1024, you can do that instead using authbind (http://manpages.ubuntu.com/manpages/hardy/man1/authbind.1.html).

Just some comments ..

== For binding ports <1024, there is at least one more option:

Since Linux kernel 2.6.24, the kernel supports associating capability sets with an executable file using setcap(8).

    setcap 'cap_net_bind_service=+ep' <path to actual Python binary .. not a symlink!>

http://linux.die.net/man/8/setcap
http://linux.die.net/man/7/capabilities

== For maximum open FDs, if you run your stuff under a dedicated user, you can also modify /etc/security/limits.conf

You will likely need to tune more options however .. like system wide max open FDs etc

http://urbanairship.com/blog/2010/09/29/linux-kernel-tuning-for-c500k/

On 7 Jun, 12:46 am, enriquejr@gmail.com wrote:
Log rotation - ie, renaming a file - isn't affected by the permissions of the log file. The permissions of the *directory containing the log file* control whether it can be renamed (and a new one created) or not. So it doesn't matter what permissions the log file has. It only matters what permissions you set on the directory holding the log file. That's outside of the control of twistd. Jean-Paul

<exarkun <at> twistedmatrix.com> writes:
http://twistedmatrix.com/trac/browser/tags/releases/twisted-12.0.0/twisted/python/logfile.py#L286

    def rotate(self):
        if not (os.access(self.directory, os.W_OK) and os.access(self.path, os.W_OK)):
            return

it seems to also need write access to log file.

bye, flavio
Jean-Paul
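
The precondition quoted from rotate() above, modelled as an added example (not part of any poster's message and not Twisted's own code). It evaluates classic Unix mode bits for a given uid and group set, ignoring ACLs and capabilities; `Meta`, uid/gid 1000 and the sample ownerships are constructed for illustration.

```python
import os
import stat
from collections import namedtuple

# Minimal stand-in for os.stat_result so the sample data is self-contained.
Meta = namedtuple("Meta", "st_mode st_uid st_gid")


def writable_by(meta, uid, gids):
    """Classic mode-bit write check (no ACLs, no capabilities)."""
    if uid == 0:
        return True  # root bypasses mode bits
    if meta.st_uid == uid:
        return bool(meta.st_mode & stat.S_IWUSR)
    if meta.st_gid in gids:
        return bool(meta.st_mode & stat.S_IWGRP)
    return bool(meta.st_mode & stat.S_IWOTH)


def rotation_blockers(dir_meta, file_meta, uid, gids):
    """Mirror the quoted check: rotation is silently skipped unless both
    the log directory and the log file are writable."""
    blockers = []
    if not writable_by(dir_meta, uid, gids):
        blockers.append("directory not writable")
    if not writable_by(file_meta, uid, gids):
        blockers.append("log file not writable")
    return blockers


def check_path(log_path, uid, gids):
    """Run the same check against a real log file on disk."""
    directory = os.path.dirname(os.path.abspath(log_path))
    return rotation_blockers(os.stat(directory), os.stat(log_path), uid, gids)


# Constructed sample: directory owned by the service account (uid/gid 1000),
# log file owned by root with mode 0600, as described in the original question.
APP_UID, APP_GIDS = 1000, {1000}
LOG_DIR = Meta(stat.S_IFDIR | 0o755, 1000, 1000)
ROOT_OWNED_LOG = Meta(stat.S_IFREG | 0o600, 0, 0)
APP_OWNED_LOG = Meta(stat.S_IFREG | 0o640, 1000, 1000)

if __name__ == "__main__":
    print(rotation_blockers(LOG_DIR, ROOT_OWNED_LOG, APP_UID, APP_GIDS))
    print(rotation_blockers(LOG_DIR, APP_OWNED_LOG, APP_UID, APP_GIDS))
```

`check_path("/path/to/app.log", uid, gids)` applies the same logic to a file on disk for the account the service drops to.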

You can also bind to privileged ports now using listeners like systemd (and, presumably xinetd). -- David Strauss | david@davidstrauss.net

On Jun 26, 2012, at 6:49 PM, David Strauss <david@davidstrauss.net> wrote:
You can also bind to privileged ports now using listeners like systemd (and, presumably xinetd).
xinetd has some mechanism to pass the listening socket, but I don't think Twisted supports it yet. I believe the string endpoint description for systemd is somewhat specific to systemd's idiom for communicating about the socket involved; when we add launchd support, launchd is kinda specific too; see <http://tm.tl/5576>. Any xinetd users want to do one for that daemon? -glyph

participants (7): David Strauss, Enrique Samson Jr, exarkun@twistedmatrix.com, Flavio Grossi, Glyph, Itamar Turner-Trauring, Tobias Oberstein