Run services as non root user

3 years ago · 0d495c24f8
parent 4a173c2ebc
commit 0d495c24f8
5 changed files with 27 additions and 22 deletions
--- a/el/rtpengine-recording.service
+++ b/el/rtpengine-recording.service
@ -5,13 +5,18 @@ After=network-online.target

 [Service]
 Type=forking
+LimitNOFILE=100000
 Environment=CFG_FILE=/etc/rtpengine/rtpengine-recording.conf
 EnvironmentFile=/etc/sysconfig/rtpengine-recording
-PIDFile=/run/rtpengine-recording.pid
+User=ngcp-rtpengine
+Group=ngcp-rtpengine
+AmbientCapabilities=CAP_NET_ADMIN
+RuntimeDirectory=rtpengine-recording
+PIDFile=/run/rtpengine-recording/rtpengine-recording.pid
 ExecStart=/usr/sbin/rtpengine-recording --config-file=${CFG_FILE} --pidfile=${PID_FILE}
 TimeoutSec=15s
 Restart=on-failure

 [Install]
 WantedBy=multi-user.target
-Alias=ngcp-rtpengine-recording.service
+Alias=ngcp-rtpengine-recording.service
--- a/el/rtpengine-recording.sysconfig
+++ b/el/rtpengine-recording.sysconfig
@ -2,4 +2,4 @@
 # http://github.com/sipwise/rtpengine
 #
 CONFIG_FILE=/etc/rtpengine/rtpengine-recording.conf
-PID_FILE=/run/rtpengine-recording.pid
+PID_FILE=/run/rtpengine-recording/rtpengine-recording.pid
--- a/el/rtpengine.service
+++ b/el/rtpengine.service
@ -6,14 +6,19 @@ After=network-online.target
 Type=forking
 Environment=CFG_FILE=/etc/rtpengine/rtpengine.conf
 EnvironmentFile=/etc/sysconfig/rtpengine
-PIDFile=/run/rtpengine.pid
-ExecStartPre=/usr/sbin/ngcp-rtpengine-iptables-setup start
+User=ngcp-rtpengine
+Group=ngcp-rtpengine
+AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_NICE
+LimitNOFILE=150000
+RuntimeDirectory=rtpengine
+PIDFile=/run/rtpengine/rtpengine.pid
+ExecStartPre=+/usr/sbin/ngcp-rtpengine-iptables-setup start
 ExecStart=/usr/sbin/rtpengine --config-file=${CFG_FILE} --pidfile=${PID_FILE}
-ExecStopPost=/usr/sbin/ngcp-rtpengine-iptables-setup stop
+ExecStopPost=+/usr/sbin/ngcp-rtpengine-iptables-setup stop
 RestartSec=3s
 TimeoutSec=15s
 Restart=on-failure

 [Install]
 WantedBy=multi-user.target
-Alias=ngcp-rtpengine.service
+Alias=ngcp-rtpengine.service
--- a/el/rtpengine.spec
+++ b/el/rtpengine.spec
@ -27,6 +27,7 @@ BuildRequires:  ffmpeg-devel
 Requires(pre):	ffmpeg-libs
 %endif

+Requires:	perl-Config-Tiny
 Requires:	nc
 # Remain compat with other installations
 Provides:	ngcp-rtpengine = %{version}-%{release}
@ -148,6 +149,7 @@ install -D -p -m644 el/%{binname}-recording.sysconfig \
 	%{buildroot}%{_sysconfdir}/sysconfig/%{binname}-recording
 %endif
 mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
+mkdir -p %{buildroot}%{_var}/lib/%{binname}-recording
 mkdir -p %{buildroot}%{_var}/spool/%{binname}

 # Install config files
@ -175,12 +177,6 @@ install -D -p -m644 kernel-module/rtpengine_config.h \
 install -D -p -m644 debian/dkms.conf.in %{buildroot}%{_usrsrc}/%{name}-%{version}-%{release}/dkms.conf
 sed -i -e "s/__VERSION__/%{version}-%{release}/g" %{buildroot}%{_usrsrc}/%{name}-%{version}-%{release}/dkms.conf

-# For RHEL 7, load the compiled kernel module on boot.
-%if 0%{?rhel} == 7
-  install -D -p -m644 kernel-module/xt_RTPENGINE.modules.load.d \
-           %{buildroot}%{_sysconfdir}/modules-load.d/xt_RTPENGINE.conf
-%endif
-
 %pre
 getent group %{name} >/dev/null || /usr/sbin/groupadd -r %{name}
 getent passwd %{name} >/dev/null || /usr/sbin/useradd -r -g %{name} \
@ -249,22 +245,19 @@ true
 %{_initrddir}/%{name}
 %endif
 %config(noreplace) %{_sysconfdir}/sysconfig/%{binname}
-%attr(0750,%{name},%{name}) %dir %{_sharedstatedir}/%{name}
 # default config
 %config(noreplace) %{_sysconfdir}/%{binname}/%{binname}.conf
+# spool directory
+%attr(0750,%{name},%{name}) %dir %{_var}/spool/%{binname}
 # Documentation
 %doc LICENSE README.md debian/changelog debian/copyright

-
 %files kernel
 /%{_lib}/xtables/libxt_RTPENGINE.so


 %files dkms
 %{_usrsrc}/%{name}-%{version}-%{release}/
-%if 0%{?rhel} == 7
-  %{_sysconfdir}/modules-load.d/xt_RTPENGINE.conf
-%endif


 %if 0%{?with_transcoding} > 0
@ -281,8 +274,8 @@ true
 %config(noreplace) %{_sysconfdir}/sysconfig/%{binname}-recording
 # Default config
 %config(noreplace) %{_sysconfdir}/%{binname}/%{binname}-recording.conf
-# spool directory
-%attr(0750,%{name},%{name}) %dir %{_var}/spool/%{binname}
+# recording directory
+%attr(0750,%{name},%{name}) %dir %{_sharedstatedir}/%{binname}-recording
 %endif

 %changelog
@ -308,4 +301,3 @@ true
  - Builds and installs userspace daemon (but no init.d scripts etc yet)
  - Builds and installs the iptables plugin
  - DKMS package for the kernel module
-
--- a/el/rtpengine.sysconfig
+++ b/el/rtpengine.sysconfig
@ -3,4 +3,7 @@
 # main config file
 CONFIG_FILE=/etc/rtpengine/rtpengine.conf
 # pid
-PID_FILE=/run/rtpengine.pid
+PID_FILE=/run/rtpengine/rtpengine.pid
+# user and group for /proc interface
+SET_USER=ngcp-rtpengine
+SET_GROUP=ngcp-rtpengine