[Pkg-openldap-devel] Bug#254999: slapd: postinst conflicts with daemontools (should also conflict with runit)
Toni Mueller
support at oeko.net
Sun Jun 3 09:33:44 UTC 2007
Hi Russ,
On Sat, 02.06.2007 at 21:54:27 -0700, Russ Allbery <rra at debian.org> wrote:
> Toni Mueller <support at oeko.net> writes:
> > I'm almost entirely running things like slapd through runit these days,
> > so a sane runit starting environment would imho be good (chrooted + hdb
> > by default).
>
> You mean specifically a run script? Or something else? I'm not sure what
> you mean by a "sane runit starting environment." (I personally am not a
> fan of running services inside chroots; I think it's excessive hassle for
> the amount of real security that it buys. But of course if someone
> contributed example scripts that didn't pose a maintenance burden, I
> wouldn't be averse to including them in the package.)
imho, recent versions of the slapd package are easy enough to run
inside a chroot, but doing so conflicts with the Debian policy of
having all configuration files in /etc *only*.
> > If you have a suggestion for a good place, I'll probably be able to
> > contribute such a thing, but this doesn't interact too well with
> > logcheck (different formats etc.).
>
> And here you've lost me completely, I'm afraid, since I don't understand
> what logcheck has to do with using runit. :)
I mean that such a service would probably have to run under
/srv/openldap (other suggested locations?), and that the logging in
runit, which one imnsho really wants to have, needs custom logcheck
(and logrotate) scripts to integrate.
> is to add both options; they don't take up much space or add much
> complexity, and they have somewhat different "feels." (Sentinel files are
> more useful for temporarily disabling things quickly, similar to
> /etc/nologin.)
...or /srv/openldap/down, in the case of runit.
Best,
--Toni++