Running varnish as unprivileged user

Since I haven’t found any documentation on the topic of running varnish as non-root, I proudly present: how to run varnish as non-root. A warning ahead: this will require fiddling with init scripts, so make sure to keep backups. Also, scripts will be overwritten with each package update.

Changes to /etc/init.d/varnish

Ulimit calls are not allowed when running as non-root, so we’ll have to comment them:

#ulimit -n ${NFILES:-131072}

#ulimit -l ${MEMLOCK:-82000}

You might have to substitute that with generally increased ulimits for all users/the specific user.

Also, since the script will be run as root during system startup, we need to add a check at the beginning that re-runs the script as a different user:

SCRIPT_NAME=`basename "$0"`
NEWUSER=
U=`id -nu`
if [ $U != $NEWUSER ]; the
if [ $U = "root" ]; then
echo Re-running as $NEWUSER
exec su -l $NEWUSER -c "$0 $@" || echo oops
echo done re-running as $NEWUSER
fi
echo "Script must be run from $NEWUSER or root. You are '$U'
rc_exit 1
fi

Changes to /etc/default/varnish

Varnish won’t be able to write to some default system locations now, so we have to change some things in DEAMON_OPTS:

Add:

-n /tmp/varnish

and make /etc/varnish/secret readable by the new user, i.e. via a chown:

chown -h newuser:newuser /etc/varnish/secret

Changes to /etc/init.d/varnishlog

Add this to DEAMON_OPTS:

-n /tmp/varnish

Changes to /etc/init.d/varnishncsa

Add this to DEAMON_OPTS:

-n /tmp/varnish

Permissions to logging files

Make sure “newuser” can write to log files in /var/log/varnish 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s