Solaris SMF manifest for update_daemon2.php

[zubb13]

While I'm running Tiny Tiny RSS in a read only root zone I also wanted to limit the updater script to only have very basic RBAC privileges.

I'm posting version one of the manifest in the event someone finds it useful and will update with any changes I make. Note I run the updater as user/group webservd in folder /var/apache2/2.2/htdocs/tt/

To use, copy the following into a filename of your choosing in /lib/svc/manifest/site and svcadm restart manifest-import

Code: Select all

<?xml version="1.0" ?>
<!DOCTYPE service_bundle
  SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
    Runs update_daemon2.php as the user/group webservd
-->
<service_bundle type="manifest" name="application/ttrss-updater">
    <service version="1" type="service" name="application/ttrss-updater">
        <dependency restart_on="none" type="service"
            name="multi_user_dependency" grouping="require_all">
            <service_fmri value="svc:/milestone/multi-user"/>
            <service_fmri value="svc:/application/database/mysql"/>
            <service_fmri value="svc:/network/http"/>
        </dependency>
        <exec_method timeout_seconds="60" type="method" name="start"
            exec="/usr/bin/php /var/apache2/2.2/htdocs/tt/update_daemon2.php">
            <method_context>
               <method_credential user="webservd" group="webservd" privileges="basic" />
            </method_context>
        </exec_method>
        <exec_method timeout_seconds="60" type="method" name="stop"
            exec=":kill">
            <method_context>
               <method_credential user="webservd" group="webservd" privileges="basic" />
            </method_context>
        </exec_method>
        <exec_method timeout_seconds="60" type="method" name="refresh"
            exec=":true">
            <method_context>
               <method_credential user="webservd" group="webservd" privileges="basic" />
            </method_context>
        </exec_method>
        <property_group type="framework" name="startd">
            <propval type="astring" name="duration" value="child"/>
        </property_group>
        <instance enabled="true" name="default"/>
        <template>
            <common_name>
                <loctext xml:lang="C">
                   Tiny Tiny RSS Feed Updater
                </loctext>
            </common_name>
            <description>
                <loctext xml:lang="C">
                   See http://tt-rss.org/redmine/projects/tt-rss/wiki/UpdatingFeeds
                </loctext>
            </description>
        </template>
    </service>
</service_bundle>


It'll be enabled by default

Code: Select all

webservd@web:~$ svcs ttrss-updater
STATE          STIME    FMRI
online         19:11:58 svc:/application/ttrss-updater:default


and ppriv will show it's limited to

Code: Select all

file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info