mirror of https://git.kore.io/kore.git
3b20cda11c
Starting with the privsep config, this commit changes the following:
- Removes the root, runas, keymgr_root, keymgr_runas, acme_root and
acme_runas configuration options.
Instead these are now configured via a privsep configuration context:
privsep worker {
root /tmp
runas nobody
}
This is also configurable via Python using the new kore.privsep() method:
kore.privsep("worker", root="/tmp", runas="nobody", skip=["chroot"])
Tied into this we also better handle worker startup:
- Per worker process, wait until it signalled it is ready.
- If a worker fails at startup, display its last log lines more clearly.
- Don't start acme process if no domain requires acme.
- Remove each process its individual startup log message in favour
of a generalized one that displays its PID, root and user.
- At startup, log the kore version and built-ins in a nicer way.
- The worker processes now check things they need to start running
before signaling they are ready (such as access to CA certs for
TLS client authentication).
|
||
|---|---|---|
| .. | ||
| acme.h | ||
| curl.h | ||
| hooks.h | ||
| http.h | ||
| jsonrpc.h | ||
| kore.h | ||
| pgsql.h | ||
| python_api.h | ||
| python_methods.h | ||
| seccomp.h | ||
| tasks.h | ||