我正在尝试让 Kibana 监听端口 80。由于 1024 以下的端口只有 root(或拥有 CAP_NET_BIND_SERVICE 权能的进程)才能绑定,我认为它需要以 root 身份运行。我该怎么做?初始化脚本(由 pleaserun 生成)如下:
#!/bin/sh
# Init script for kibana
# Maintained by
# Generated by pleaserun.
# Implemented based on LSB Core 3.1:
# * Sections: 20.2, 20.3
#
### BEGIN INIT INFO
# Provides: kibana
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description:
# Description: no description given
### END INIT INFO
# Pin PATH so the service is started with known system binaries only.
export PATH=/sbin:/usr/sbin:/bin:/usr/bin

# Service identity and defaults. Note that user, group, chroot and chdir are
# NOT defined here; start() expects them from the override files sourced below.
name=kibana
program=/opt/kibana/bin/kibana
args=''
pidfile="/var/run/$name.pid"

# Per-host overrides: Debian-style /etc/default first, then /etc/sysconfig.
# Both are executed as shell code by root, so they must be root-owned and
# not writable by anyone else.
[ -r /etc/default/$name ] && . /etc/default/$name
[ -r /etc/sysconfig/$name ] && . /etc/sysconfig/$name
trace() {
  # Send the message to syslog, tagged with this script's path, and nothing
  # to the terminal. Exit status is whatever logger returns.
  logger -t "/etc/init.d/kibana" "$@"
}
emit() {
  # Log the message via trace() and then echo the same text to stdout so the
  # operator running the init script sees it too.
  trace "$@"; echo "$@"
}
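start() {
  # Launch $program as $user:$group inside $chroot, detached, with stdout and
  # stderr appended under /var/log/kibana/, and record the child's PID.
  # Globals read: name program args user group chroot chdir pidfile
  #   (user, group, chroot and chdir are not defined in this file; they are
  #   expected from /etc/default/$name or /etc/sysconfig/$name).
  # Returns: 0 once the child has been forked, 1 if the account or chroot
  #   settings are missing.

  # Refuse to start with an empty $user. With an empty userspec, chroot may
  # leave the process running as root instead of failing, so a forgotten
  # setting must not silently become "run as root".
  if [ -z "$user" ]; then
    emit "$name not started: 'user' is not set (see /etc/default/$name or /etc/sysconfig/$name)"
    return 1
  fi
  if [ -z "$chroot" ]; then
    emit "$name not started: 'chroot' is not set (use / for no chroot)"
    return 1
  fi
  # Running as root (e.g. to bind port 80) hands a network-facing Node.js
  # process full privileges; a port redirect or CAP_NET_BIND_SERVICE is the
  # safer way to reach a privileged port. Warn, but honour the configuration.
  case "$user" in
    root|0) emit "WARNING: $name is configured to run as root" ;;
  esac

  # Ensure the log directory exists and is owned by the service account so the
  # unprivileged child can append to its log files.
  [ ! -d "/var/log/kibana/" ] && mkdir "/var/log/kibana/"
  chown "$user":"$group" "/var/log/kibana/"
  chmod 755 "/var/log/kibana/"

  # $chdir, $program and $args are spliced into a shell command string; $args
  # is intentionally unquoted so it can carry several arguments. All three come
  # from root-owned configuration, which is why this is acceptable here.
  chroot --userspec "$user":"$group" "$chroot" sh -c "
cd \"$chdir\"
exec \"$program\" $args
" >> /var/log/kibana/kibana.stdout 2>> /var/log/kibana/kibana.stderr &

  # Write the pidfile from the parent: the child exec's in place, so $! is the
  # service PID, and writing it here avoids a race with an early 'status'.
  echo $! > "$pidfile"
  emit "$name started"
  return 0
}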
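stop() {
  # Send SIGTERM to the PID recorded in $pidfile and wait up to ~5 seconds.
  # Globals read: name pidfile; sets: pid (also assigned inside status()).
  # Returns: 0 if the service exited or was not running, 1 if it is still
  #   running after the grace period. (Previously this always returned 0, so
  #   'restart' reported success while the old process was still alive.)
  status || return 0
  pid=$(cat "$pidfile")
  trace "Killing $name (pid $pid) with SIGTERM"
  kill -TERM "$pid"
  # Poll for exit. status() only checks the pidfile, so a recycled PID can
  # make it report "still running" for an unrelated process.
  for i in 1 2 3 4 5 ; do
    trace "Waiting $name (pid $pid) to die..."
    status || break
    sleep 1
  done
  if status ; then
    emit "$name stop failed; still running."
    return 1
  fi
  emit "$name stopped."
  return 0
}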
status() {
  # Report whether the PID in $pidfile is alive.
  # Globals read: pidfile; sets: pid
  # Returns: 0 running, 2 pidfile present but process gone, 3 no pidfile.
  # Only the PID is checked, not what it belongs to; after a reboot or PID
  # reuse this can be fooled (flock would need fork-based locking to fix it).
  [ -f "$pidfile" ] || return 3
  pid=$(cat "$pidfile")
  if ps -p "$pid" > /dev/null 2>&1 ; then
    return 0
  fi
  return 2
}
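force_stop() {
  # Orderly stop first, then SIGKILL whatever PID is still in $pidfile.
  # Returns: 0 when the service is gone (or was not running), otherwise the
  #   exit status of kill. (The previous `status && kill ...` form returned
  #   status()'s non-zero code on *success*, so force-stop exited 2/3 even
  #   when the process had died.)
  status || return 0
  stop
  if status ; then
    kill -KILL "$(cat "$pidfile")"
  fi
  return 0
}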
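# Command dispatch. Log every state-changing action (not 'status') first.
case "$1" in
  force-start|start|stop|force-stop|restart)
    trace "Attempting '$1' on kibana"
    ;;
esac

case "$1" in
  force-start)
    # NOTE(review): PRESTART is assigned but not exported, so the re-exec'd
    # script never sees it; kept as-is because its consumer is not in this file.
    PRESTART=no
    exec "$0" start
    ;;
  start)
    status
    code=$?
    if [ $code -eq 0 ]; then
      emit "$name is already running"
      exit $code
    else
      start
      exit $?
    fi
    ;;
  stop) stop ;;
  force-stop) force_stop ;;
  status)
    status
    code=$?
    if [ $code -eq 0 ] ; then
      emit "$name is running"
    else
      emit "$name is not running"
    fi
    exit $code
    ;;
  restart)
    # A failed stop short-circuits the start so two instances are never launched.
    stop && start
    ;;
  *)
    # $SCRIPTNAME is not defined anywhere in this script; fall back to $0 so
    # the usage line is not printed with an empty name. 'force-start' was
    # previously listed twice.
    echo "Usage: ${SCRIPTNAME:-$0} {start|force-start|stop|force-stop|status|restart}" >&2
    exit 3
    ;;
esac
exit $?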
答案1
编辑 /etc/sysconfig/kibana(在 Debian/Ubuntu 上是 /etc/default/kibana;上面的脚本会依次读取这两个文件)并在末尾添加一行:
user=root
注意:这样做会让脚本中 `chroot --userspec` 的降权完全失效 — 整个 Kibana(一个直接面向网络的 Node.js 进程)都将以 root 运行,Kibana 或其依赖中的任何远程代码执行漏洞都会直接变成 root 权限。除非别无选择,否则请采用下面答案 2 的做法。
答案2
不要以 root 身份运行服务。一个简单但明智的选择如下:
- 以非特权用户身份运行该服务并将其绑定到端口 8080。
- 使用 iptables 将发往端口 80 的请求重定向到端口 8080,例如:`iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080`。注意 PREROUTING 只影响来自其他主机的流量;本机访问 localhost:80 还需要在 OUTPUT 链上加一条对应的规则。
其他替代方案(例如用 `setcap cap_net_bind_service=+ep` 给 node 可执行文件授权 — 但这会影响该二进制启动的所有进程 — 或者在 Kibana 前面放一个 nginx 之类的反向代理)在这里有讨论:有没有办法让非 root 进程绑定到特权端口?