Hi Russ,

On Sat, 02.06.2007 at 21:54:27 -0700, Russ Allbery <[EMAIL PROTECTED]> wrote:
> Toni Mueller <[EMAIL PROTECTED]> writes:
> > I'm almost entirely running things like slapd through runit these days,
> > so a sane runit starting environment would imho be good (chrooted + hdb
> > by default).
>
> You mean specifically a run script? Or something else? I'm not sure what
> you mean by a "sane runit starting environment." (I personally am not a
> fan of running services inside chroots; I think it's excessive hassle for
> the amount of real security that it buys. But of course if someone
> contributed example scripts that didn't pose a maintenance burden, I
> wouldn't be adverse to including them in the package.)

imho, recent versions of the slapd package are easy enough to run inside a chroot, but doing so conflicts with the Debian policy of having all configuration files in /etc *only*.

> > If you have a suggestion for a good place, I'll be probably able to
> > contribute such a thing, but this doesn't interact too well with
> > logcheck (different formats etc.).
>
> And here you've lost me completely, I'm afraid, since I don't understand
> what logcheck has to do with using runit. :)

I mean that such a service would probably have to run under /srv/openldap (other suggested locations?), and that the logging in runit, which one imnsho really wants to have, needs custom logcheck (and logrotate) scripts to integrate.

> is to add both options; they don't take up much space or add much
> complexity, and they have somewhat different "feels." (Sentinel files are
> more useful for temporarily disabling things quickly, similar to
> /etc/nologin.)

...or /srv/openldap/down, in the case of runit.

Best,
--Toni++