This Time Self-Hosted
dark mode light mode Search

The infamous /run migration

When I saw that a new release of OpenRC was made that finally took the step of migrating our setup to the “new standard” /run directory I was honestly thrilled: for once, the setup I used on my router is no longer a special case but it looks a lot more like the rule: /var/run directories need to be recreated, as the default /run is in a tmpfs filesystem.

The fact that this version of OpenRC has been removed without a replacement it did bother me a bit, especially in the regards of LXC because I had to make changes to the cgroups handling — since this version of OpenRC also uses cgroups when using the new init script style (it doesn’t do it if you call start-stop-daemon yourself though), I had to stop mounting /cgroups myself, otherwise it wouldn’t be able to start any guest container, as OpenRC mounts its own copy of said filesystem, trying (and, as far as I can tell, failing) to behave more like systemd.

At any rate I did the migration on most of my systems for the sake of testing it before doing so in production. As far as I can tell none of my init scripts misbehaved, which is positive. On the other hand, there seem to be some trouble with what concerns other scripts, in particular munin cron scripts … d’oh!

For the sake of using the lowest possible privilege to do any given job, the munin cron script, the one that generates the actual HTML content that is served by Apache is running as a mostly unprivileged user — on the other hand, the node daemon is usually running as root and dropping to nobody’s privileges when executing most of the plugins; some require super user privileges, on either standard systems (for instance smartd based plugins) or at least on hardened (the original if_ plugin, that accessed /proc; the current version, both upstream and in Gentoo, was modified by me to use /sys which is available to non-privileged users as well, even on hardened).

At any rate this seems to show that there still isn’t something properly set up with the way OpenRC prepares /run: the privileges to /run/lock should probably be root:uucp 0775 and that is not the case right now, not on all systems at least.. and Munin should use that directory to store the lock file.

Oh well, time to find a better workaround locally, I guess.

Comments 4
  1. Until now, my services created /var/run/xxx with ownership of unprivileged user. This was persistent.Now I understand that start_pre() should be implemented in order to create these and chown, right?

  2. Correct; the @runscript@ helper has a @checkpath@ helper designed to take care of that; you can find some examples in either @man runscript@ and in the init scripts I already ported, starting with @pcscd@ (which I guess you have installed somewhere).

  3. Thanks!I use openct not pcsc-lite… :)Anyway, I think someone forgot naming convention… I would have prefixed all runscript variables with rc_ or similar perfix.Anyway, I don’t like this method… A utility of common start sequence could have been handy… But I get it now.

  4. Just to let you know, this also breaks @screen@ as @/var/run/screen@ is gone — Maybe symlinking @/run@ wasn’t that good of an idea to migrate this!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.