[asterisk-dev] [Code Review] 3062: a systemd service

Tzafrir Cohen reviewboard at asterisk.org
Thu Jan 2 04:17:02 CST 2014



> On Jan. 1, 2014, 1:41 a.m., Matt Jordan wrote:
> > /trunk/contrib/asterisk.service, line 12
> > <https://reviewboard.asterisk.org/r/3062/diff/2/?file=49947#file49947line12>
> >
> >     Looking at how safe_asterisk spawns Asterisk, I'm not sure specifying an explicit run user is appropriate here. There's no guarantee that there's a user named "Asterisk" on the system.
> 
> Tzafrir Cohen wrote:
>     Two answers here:
>     
>     1. I guess that the stock systemd answer would be: "run asterisk as the user asterisk. That way, the username and/or group name could be overridden in /etc/systemd/system/asterisk.service".
>     
>     I remember we have some good reasons to let Asterisk drop privileges on its own. But let's try to reconsider them?
>     
>     2. So, maybe we should have asterisk_wrapper (any better name?) that will
>     
>     * Test for the requirements (perhaps as a subcommand for a Pre script?)
>     * Set up system-dependent settings
>     * Start asterisk a single time.
>     * Handle failures.
>     
>     I also considered this previously because safe_asterisk makes it very simple to override the asterisk binary to a local live_ast copy by dropping a single file in /etc/asterisk/startup.d (with a single line that may, or may not, be remmed-out).
> 
> Tzafrir Cohen wrote:
>     I looked into running Asterisk as non-root. But I can't find a way to get systemd to generate /var/run/asterisk as a writable directory to the service. It can be done by a Pre script. But the Pre script has to be configured with the username. So I think that a single wrapper script is the best option.

As others pointed out, this can be handled by tmpfiles.

BTW: safe_asterisk still creates the AST_RUN_DIR, which is, by now, pointless.

So, what other things does Asterisk need root for?

* Setting a high scheduling priority
* prctl(PR_SET_KEEPCAPS, 1


- Tzafrir


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/3062/#review10499
-----------------------------------------------------------


On Dec. 24, 2013, 4:49 p.m., Tzafrir Cohen wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/3062/
> -----------------------------------------------------------
> 
> (Updated Dec. 24, 2013, 4:49 p.m.)
> 
> 
> Review request for Asterisk Developers.
> 
> 
> Repository: Asterisk
> 
> 
> Description
> -------
> 
> Installs a systemd service file for Asterisk.
> 
> Systemd is the new "one daemon to rule them all" for Linux: http://www.freedesktop.org/wiki/Software/systemd/
> On systems without systemd this should be just a harmless (though maybe annoying) text file.
> 
> This is aimed at replacing safe_asterisk with a more reliable main loop. It almost does that. It still fails to handle failures, as it seems that systemd's ExecPostStop command does not get the exit status of the stopped command.
> 
> 
> Diffs
> -----
> 
>   /trunk/contrib/asterisk.service PRE-CREATION 
>   /trunk/Makefile 404563 
> 
> Diff: https://reviewboard.asterisk.org/r/3062/diff/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Tzafrir Cohen
> 
>
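
Added example, not part of the original thread or of the patch under review: one way the non-root setup discussed above could look, with the run directory created by tmpfiles and the scheduling priority applied by systemd instead of by Asterisk. The user name and /var/run/asterisk come from the thread; the binary path, the tmpfiles.d file name, the priority value and the hardening directives are assumptions.

```ini
# Assumed companion file /etc/tmpfiles.d/asterisk.conf (file name is an
# assumption). One line creates the run directory at boot, owned by the
# service user:
#   d /var/run/asterisk 0755 asterisk asterisk -

[Unit]
Description=Asterisk PBX
After=network.target

[Service]
Type=simple
# systemd switches to this account before exec, so Asterisk starts
# unprivileged. A local copy in /etc/systemd/system/asterisk.service can
# change both names.
User=asterisk
Group=asterisk
# -f keeps Asterisk in the foreground so systemd supervises the real process.
# /usr/sbin/asterisk is an assumed install path.
ExecStart=/usr/sbin/asterisk -f
# systemd applies the scheduling policy itself, before dropping to User=,
# which covers the "high scheduling priority" item without root in the
# service. rr/10 is an illustrative value.
CPUSchedulingPolicy=rr
CPUSchedulingPriority=10
# Restart on abnormal exit only.
Restart=on-failure
RestartSec=5
# Empty bounding set plus NoNewPrivileges: the process and its children
# cannot acquire capabilities later (for example through a setuid helper).
CapabilityBoundingSet=
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```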
