When I saw that a new release of OpenRC was made that finally took the step of migrating our setup to the “new standard”
/run directory I was honestly thrilled: for once, the setup I used on my router is no longer a special case but it looks a lot more like the rule:
/var/run directories need to be recreated, as the default
/run is in a tmpfs filesystem.
The fact that this version of OpenRC has been removed without a replacement it did bother me a bit, especially in the regards of LXC because I had to make changes to the cgroups handling — since this version of OpenRC also uses cgroups when using the new init script style (it doesn’t do it if you call
start-stop-daemon yourself though), I had to stop mounting
/cgroups myself, otherwise it wouldn’t be able to start any guest container, as OpenRC mounts its own copy of said filesystem, trying (and, as far as I can tell, failing) to behave more like systemd.
At any rate I did the migration on most of my systems for the sake of testing it before doing so in production. As far as I can tell none of my init scripts misbehaved, which is positive. On the other hand, there seem to be some trouble with what concerns other scripts, in particular munin cron scripts … d’oh!
For the sake of using the lowest possible privilege to do any given job, the munin cron script, the one that generates the actual HTML content that is served by Apache is running as a mostly unprivileged user — on the other hand, the node daemon is usually running as root and dropping to nobody’s privileges when executing most of the plugins; some require super user privileges, on either standard systems (for instance
smartd based plugins) or at least on hardened (the original
if_ plugin, that accessed
/proc; the current version, both upstream and in Gentoo, was modified by me to use
/sys which is available to non-privileged users as well, even on hardened).
At any rate this seems to show that there still isn’t something properly set up with the way OpenRC prepares
/run: the privileges to
/run/lock should probably be
root:uucp 0775 and that is not the case right now, not on all systems at least.. and Munin should use that directory to store the lock file.
Oh well, time to find a better workaround locally, I guess.