[master] 3d0030d document jails
Nils Goroll
nils.goroll at uplex.de
Fri Mar 13 15:37:47 CET 2015
commit 3d0030db04e179549cfa845524d98a9e92906925
Author: Nils Goroll <nils.goroll at uplex.de>
Date: Fri Mar 13 15:37:20 2015 +0100
document jails
diff --git a/bin/varnishd/mgt/mgt_main.c b/bin/varnishd/mgt/mgt_main.c
index 9493fe2..4ebc6b3 100644
--- a/bin/varnishd/mgt/mgt_main.c
+++ b/bin/varnishd/mgt/mgt_main.c
@@ -154,6 +154,10 @@ usage(void)
fprintf(stderr, FMT, "", " -h classic,<buckets>");
fprintf(stderr, FMT, "-i identity", "Identity of varnish instance");
fprintf(stderr, FMT, "-j jail[,jailoptions]", "Jail specification");
+#ifdef HAVE_SETPPRIV
+ fprintf(stderr, FMT, "", " -j solaris");
+#endif
+ fprintf(stderr, FMT, "", " -j unix[,user=<user>][,ccgroup=<group>]");
fprintf(stderr, FMT, "", " -j none");
fprintf(stderr, FMT, "-l shl,free,fill", "Size of shared memory file");
fprintf(stderr, FMT, "", " shl: space for SHL records [80m]");
diff --git a/doc/sphinx/reference/varnishd.rst b/doc/sphinx/reference/varnishd.rst
index 1856bcb..c75d32e 100644
--- a/doc/sphinx/reference/varnishd.rst
+++ b/doc/sphinx/reference/varnishd.rst
@@ -70,6 +70,44 @@ OPTIONS
Specify the identity of the Varnish server. This can be accessed using server.identity
from VCL
+-j jail[,jailoptions]
+ Specify the jailing technology to use.
+
+ Jails generalize over various options to reduce the
+ privileges of varnish sub-processes. They may have
+ specific options and may be platform specific. Available
+ jails are:
+
+ * -j solaris
+
+ Reduce privileges(5) for varnishd and sub-process to the
+ minimally required set. Only available on platforms
+ which have the setppriv(2) call.
+
+ * -j unix[,user=<user>][,ccgroup=<group>]
+
+ Default on all other platforms if `varnishd` is either
+ started with an effective uid of 0 (e.g. as root) or as
+ user ``varnish``.
+
+ With the ``unix`` jail technology activated, varnish
+ will switch to an alternative user for subprocesses and
+ change the effective uid of the master process whenever
+ possible.
+
+ The optional `user` argument specifies which alternative
+ user to use. It defauls to ``varnish``
+
+ The optional `ccgroup` argument specifies a group to add
+ to varnish subprocesses requiring access to a
+ c-compiler. There is no default.
+
+ * -j none
+
+ last resort jail choice: With jail technology ``none``,
+ varnish will run all processes with the privileges it
+ was started with.
+
-l shl[,free[,fill]]
Specifies size of shmlog file. shl is the store for the
shared memory log records [80M], free is the store for other
@@ -293,7 +331,7 @@ The varnishd daemon was developed by Poul-Henning Kamp in cooperation
with Verdens Gang AS and Varnish Software.
This manual page was written by Dag-Erling Smørgrav with updates by
-Stig Sandbeck Mathisen <ssm at debian.org>.
+Stig Sandbeck Mathisen <ssm at debian.org> and others.
COPYRIGHT
More information about the varnish-commit
mailing list