We log to /var/log/pveproxy/access.log. A separate directory is needed because we run
as www-data, which has no permission to write into /var/log/pve/.
.PHONY: install
install: country.dat vznet.conf vzdump.conf vzdump-hook-script.pl
+ install -d -m 0700 -o www-data -g www-data ${DESTDIR}/var/log/pveproxy
+ install -D -m 0644 debian/pve.logrotate ${DESTDIR}/etc/logrotate.d/pve
install -d ${DESTDIR}/usr/share/${PACKAGE}
install -d ${DESTDIR}/usr/share/man/man1
install -d ${DOCDIR}/examples
sleep (1);
} elsif ($pid) { #parent
$workers->{$pid} = 1;
- $0 = "$0 worker";
syslog('info', "worker $pid started");
$need--;
} else {
+ $0 = "$0 worker";
+
$SIG{TERM} = $SIG{QUIT} = sub {
$child_terminate = 1;
};
DAEMON=/usr/bin/pveproxy
NAME=pveproxy
DESC="PVE API Proxy Server"
-PIDFILE=/var/run/pveproxy.pid
+RUNDIR=/var/run/pveproxy
+PIDFILE=${RUNDIR}/pveproxy.pid
test -f $DAEMON || exit 0
# avoid warnings about uninstalled locales when pveproxy executes commands
export LC_ALL="C"
+mkdir -p ${RUNDIR} || true
+chmod 0700 ${RUNDIR} || true
+chown www-data:www-data ${RUNDIR} || true
+
case "$1" in
start)
log_daemon_msg "Starting $DESC" "$NAME"
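Review bot: With `PIDFILE` moved into `${RUNDIR}` and that directory handed to www-data by the added `chown`, the root-run init script now takes a pid from a location the unprivileged daemon account can rewrite. The `case` branches that use the pid file continue outside this hunk, so this may already be covered, but whatever signals that pid should also match on the process owner, for example by adding `--user www-data` to the start-stop-daemon calls. Separately, the three `|| true` fallbacks hide a failed `chmod` or `chown` until the daemon cannot write its pid file; `install -d -m 0700 -o www-data -g www-data ${RUNDIR}` sets mode and owner in one step and its exit status can be reported.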
lockfile => $lockfile,
keep_alive => 100,
max_conn => 500,
- max_requests => 1000,
- logfile => '/var/log/pve/pvedaemon.log', # fixme?
- );
+ max_requests => 1000);
};
my $err = $@;
use lib '..'; # fixme
use strict;
+use English;
use Getopt::Long;
use POSIX ":sys_wait_h";
use Socket;
use Data::Dumper;
-my $pidfile = "/var/run/pveproxy.pid";
+my $pidfile = "/var/run/pveproxy/pveproxy.pid";
my $lockfile = "/var/lock/pveproxy.lck";
my $opt_debug;
$0 = "pveproxy";
+# run as www-data
+my $gid = getgrnam('www-data') || die "getgrnam failed - $!\n";
+POSIX::setgid($gid) || die "setgid $gid failed - $!\n";
+$EGID = "$gid $gid"; # this calls setgroups
+my $uid = getpwnam('www-data') || die "getpwnam failed - $!\n";
+POSIX::setuid($uid) || die "setuid $uid failed - $!\n";
+
+# just to be sure
+die "detected strange uid/gid\n" if !($UID == $uid && $EUID == $uid && $GID eq "$gid $gid" && $EGID eq "$gid $gid");
+
PVE::APIDaemon::enable_debug() if $opt_debug;
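Review bot: The "just to be sure" check after the privilege drop compares the current uid/gid values but does not confirm that the drop is permanent. I would extend it with `die "can still regain root\n" if POSIX::setuid(0);` so that a later change which leaves a saved uid of 0 is caught at start-up. The ordering is also worth a comment above the `setgid` call, such as `# gid and supplementary groups must be changed while still root; uid goes last`. Finally, `use English;` without `-no_match_vars` also imports the match variables, which older perls penalise on every regex; `use English qw(-no_match_vars);` still provides `$UID`, `$EUID`, `$GID` and `$EGID`.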
sub add_dirs {
max_conn => 500,
max_requests => 1000,
trusted_env => 0, # not trusted, anyone can connect
- logfile => '/var/log/pve/access.log',
+ logfile => '/var/log/pveproxy/access.log',
lockfile => $lockfile,
ssl => {
key_file => '/etc/pve/local/pve-ssl.key',
exit (-1);
}
+
if ($opt_debug || !($cpid = fork ())) {
$SIG{PIPE} = 'IGNORE';
/etc/cron.daily/pve
/etc/vz/vznet.conf
/etc/vzdump.conf
+/etc/logrotate.d/pve
Section: admin
Priority: optional
Architecture: amd64
-Depends: perl5, libtimedate-perl, libauthen-pam-perl, libintl-perl, rsync, libjson-perl, liblockfile-simple-perl, vncterm, qemu-server (>= 1.1-1), libwww-perl (>= 6.04-1), libnet-http-perl (>= 6.06-1), libhttp-daemon-perl, wget, libnet-dns-perl, vlan, ifenslave-2.6 (>= 1.1.0-10), liblinux-inotify2-perl, debconf (>= 0.5) | debconf-2.0, netcat-traditional, pve-cluster (>= 1.0-29), libpve-common-perl, libpve-storage-perl, libterm-readline-gnu-perl, libpve-access-control, libio-socket-ssl-perl, libfilesys-df-perl, libfile-readbackwards-perl, libfile-sync-perl, redhat-cluster-pve, resource-agents-pve, fence-agents-pve, cstream, postfix | mail-transport-agent, libxml-parser-perl, lzop, dtach, libanyevent-perl, libio-compress-perl, liburi-perl
+Depends: perl5, libtimedate-perl, libauthen-pam-perl, libintl-perl, rsync, libjson-perl, liblockfile-simple-perl, vncterm, qemu-server (>= 1.1-1), libwww-perl (>= 6.04-1), libnet-http-perl (>= 6.06-1), libhttp-daemon-perl, wget, libnet-dns-perl, vlan, ifenslave-2.6 (>= 1.1.0-10), liblinux-inotify2-perl, debconf (>= 0.5) | debconf-2.0, netcat-traditional, pve-cluster (>= 1.0-29), libpve-common-perl, libpve-storage-perl, libterm-readline-gnu-perl, libpve-access-control, libio-socket-ssl-perl, libfilesys-df-perl, libfile-readbackwards-perl, libfile-sync-perl, redhat-cluster-pve, resource-agents-pve, fence-agents-pve, cstream, postfix | mail-transport-agent, libxml-parser-perl, lzop, dtach, libanyevent-perl, libio-compress-perl, liburi-perl, logrotate
Conflicts: netcat-openbsd, vzdump
Replaces: vzdump
Provides: vzdump
--- /dev/null
+/var/log/pveproxy/access.log {
+ rotate 7
+ daily
+ missingok
+ compress
+ delaycompress
+ notifempty
+ create 640 www-data www-data
+ sharedscripts
+ postrotate
+ /etc/init.d/pveproxy reload > /dev/null
+ endscript
+}
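Review bot: This stanza has logrotate, running as root, rename and create files inside /var/log/pveproxy, which the Makefile hunk of this commit creates owned by www-data, so root operates in a directory an unprivileged account controls. Where the packaged logrotate supports it, adding `su www-data www-data` inside the braces makes the rotation run with that account's privileges instead; newer logrotate releases refuse to rotate in such a directory without it. The `create 640 www-data www-data` line can stay as it is.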