Re: apache2 run script

[Alex Efros <powerman@powerman.asdfGroup.com>]

Hi!

On Fri, Oct 06, 2006 at 10:30:12AM -0400, Charlie Brady wrote:
> >exec env -i PATH=$PATH apache2 -DNO_DETACH -k start -DSSL
> 
> As a matter of interest, why do you do "env -i PATH=$PATH"? One of the 
> things that runit gives you is a guaranteed consistent environment, 
> inherited from runsvdir.
> 
> Do you have "env -i ..." in all your run scripts?

:-) Because I've shown here only part of my real 'exec' line to not
overcomplicate example. My ./run really is:

---cut---
#!/bin/sh
exec &>/var/log/all/.log
[[ -e .wait4dep ]] && exit
exec env -i PATH=$PATH LD_PRELOAD=libREV.so \
    apache2 -DNO_DETACH -k start -DDOC -DSSL -DFASTCGI # -DPHP4
---cut---

1) /var/log/all/.log is cumulative log (FIFO) designed to be only log file
   always opened for reading (tail -F) by admin and to be really readable:
   usually there few lines with important information added in few hours.
   It contains:
   a) All 'unusual' output from all services: runsvdir's STDOUT/STDERR
      for example. Here you see apache's STDOUT/STDERR redirected there
      because in normal execution flow apache will not output anything
      into STDOUT/STDERR, it will use own logs instead.
   b) All lines from all service's logs except filtered by admin
      non-interested lines. I'm using 'e' and 'E' in ./config files of
      svlogd to select these lines and my ./log/run usually looks this way:
	#!/bin/sh
	exec &>/var/log/all/.log
	exec svlogd -tt /var/log/acpid/*/
   Also I've notification service which is also reading this one log file
   and do some actions: modify firewall, notify me, etc. It's based on idea
   from http://smarden.org/socklog/notify.html .

2) .wait4dep is my home-made service dependency system. It's fairly simple
   (realization is 519 bytes of bash script) and designed mostly to make
   system startup faster by avoiding starting all services at once (not to
   provide 'reliable dependencies', because this is impossible).

3) libREV.so is our trick for web development. This library able to
   intercept all syscalls for opening files and redirect them to different
   files if needed. Looks like rootkit. ;-) This is for working with
   different 'revisions' of same CGI/html file at same time.

So... because of LD_PRELOAD and libREV's nature I prefer to not export
LD_PRELOAD to processes which doesn't need it. Most safe way - provide
this variable only for apache2 process using `env` or `envdir` or `chpst -e`.


P.S. No, I don't have `env` in all my ./run scripts. ;-) I've it only in
apache's ./run script.

-- 
			WBR, Alex.