A Quick Daemontools Brain-Dump

On my server I use D. J. Bernstein’s Daemontools package to run the servers for my web sites (other services are automatically installed into the init or init.d directories).

The logic with Daemontools is that servers should concentrate on what makes them unique. The slightly tricky business of running reliably in the background without being connected to a terminal, and of logging their output, is left to a subsystem that does that and nothing else. It’s all about security through separation of concerns and simplicity.

In practice it means that to set up the Kanbo server, say, I create a shell script in /service/caption/run that does what is necessary to run the server as a foreground process with errors to standard output. An optional second script /service/caption/log/run can be used to log the output of the script.

In the case of the server for http://caption.org/, I had to debug the setup, first by running the run script when logged in as the caption user to check it could work at all, and then with this incantation:

sudo ./run | (cd log;  sudo ./run)

(And before you ask, I would not suggest you run commands like that (with sudo) casually. The great thing about the run scripts is they are simple enough to scrutinise first!)

The first howler was forgetting to run

sudo chmod +x run log/run

The second was using source as a synonym for . in a /bin/sh script. The third was getting setuidgid and envuidgid mixed up. Oops.

For future reference (for myself if no-one else) here is my run script for caption.org at present:

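#!/bin/sh

# Use "." here; "source" is not available in every /bin/sh.
# This line still runs with the privileges the script was started with.
. /home/caption/virtualenvs/bootstrap/bin/activate
cd /home/caption/Sites/caption

# Send stderr to stdout so errors reach the log/run script.
exec 2>&1
# Drop to the caption account and stay in the foreground (daemonize=false).
exec setuidgid caption \
    python manage.py runfcgi \
        method=threaded minspare=2 maxspare=12 \
        host=127.0.0.1 port=9005 \
        pidfile=caption.pid daemonize=false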

The logging script is even simpler:

#!/bin/sh
# Write timestamped (t) log lines to ./main as the caption user.
exec setuidgid caption \
    multilog t ./main

You have to remember to chown the directory log/main to allow the log to be written. The server should in fact not print anything at all except in case of errors—web server logs go to /var/log/nginx.
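The howlers above (missing execute bits, source under /bin/sh, the setuidgid/envuidgid mix-up, an unwritable log/main) can all be caught before supervise ever sees the directory. The following pre-flight check is an added example, not part of the original post or of Daemontools; the function name check_service and its messages are made up for illustration, and it assumes the log script runs as the same account that should own log/main.

```shell
#!/bin/sh
# Added example: pre-flight check for a daemontools service directory.
# Usage: sh check_service.sh /service/caption caption  (file name is hypothetical)
check_service() {
    dir=$1 user=$2 problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    for script in "$dir/run" "$dir/log/run"; do
        if [ ! -f "$script" ]; then
            # log/run is optional; run is not.
            if [ "$script" = "$dir/run" ]; then fail "$script is missing"; fi
            continue
        fi
        # supervise cannot start a script that lacks the execute bit.
        [ -x "$script" ] || fail "$script is not executable (chmod +x)"
        # The script starts privileged (it calls setuidgid), so only its owner may edit it.
        if [ -n "$(find "$script" -prune \( -perm -020 -o -perm -002 \))" ]; then
            fail "$script is writable by group or others"
        fi
        # 'source' is not part of POSIX sh; only '.' is guaranteed.
        if head -n 1 "$script" | grep -q '^#! */bin/sh' &&
           grep -Eq '^[[:space:]]*source[[:space:]]' "$script"; then
            fail "$script uses 'source' under /bin/sh; use '.'"
        fi
        # envuidgid only exports $UID/$GID; setuidgid actually changes user.
        if grep -q envuidgid "$script" && ! grep -q setuidgid "$script"; then
            fail "$script has envuidgid but no setuidgid; confirm it drops root"
        fi
    done

    # Assumption: multilog runs as $user and must be able to write log/main.
    if [ -f "$dir/log/run" ]; then
        main=$dir/log/main
        if [ ! -d "$main" ]; then
            fail "$main does not exist"
        elif [ -z "$(find "$main" -prune -user "$user" 2>/dev/null)" ]; then
            fail "$main is not owned by $user (chown it)"
        fi
    fi
    [ "$problems" -eq 0 ]
}

if [ $# -eq 2 ]; then check_service "$1" "$2"; fi
```

The envuidgid check is a heuristic: a program that reads $UID and $GID and drops privileges itself is fine, so treat that message as a prompt to look rather than a verdict.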

I think that is all I have to say about Daemontools.