From: Jeremy Evans <code@jeremyevans.net>
To: unicorn-public@bogomips.org
Subject: Patch: Add after_worker_ready configuration option V2
Date: Thu, 23 Feb 2017 10:49:37 -0800 [thread overview]
Message-ID: <20170223184937.GC67612@jeremyevans.local> (raw)
Here's V2 of the after_worker_ready patch. This adds some more
documentation, and tries to give a better description of the
advantages in the commit message.
From cbc6fe845ade8946b7db2ecd2b86a0bd8e18bbb8 Mon Sep 17 00:00:00 2001
From: Jeremy Evans <code@jeremyevans.net>
Date: Tue, 21 Feb 2017 16:33:09 -0800
Subject: [PATCH] Add after_worker_ready configuration option
This adds a hook that is called after the application has
been loaded by the worker process, directly before it starts
accepting requests. This hook is necessary if your application
needs to gain access to resources during initialization,
and then drop privileges before serving requests.
This is especially useful in conjunction with chroot support
so the app can load all the normal ruby libraries it needs
to function, and then chroot before accepting requests.
If you are preloading the app, it's possible to drop privileges
or chroot in after_fork, but if you are not preloading the app,
the only way to currently do this is to override the private
HttpServer#init_worker_process method, and overriding private
methods is a recipe for future breakage if the internals are
modified. This hook allows for such functionality to be
supported and not break in future versions of Unicorn.
---
lib/unicorn/configurator.rb | 22 ++++++++++++++++++++++
lib/unicorn/http_server.rb | 4 ++--
2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/lib/unicorn/configurator.rb b/lib/unicorn/configurator.rb
index 1e2b6e4..7ed5ffa 100644
--- a/lib/unicorn/configurator.rb
+++ b/lib/unicorn/configurator.rb
@@ -49,6 +49,9 @@ class Unicorn::Configurator
server.logger.error(m)
end
},
+ :after_worker_ready => lambda { |server, worker|
+ server.logger.info("worker=#{worker.nr} ready")
+ },
:pid => nil,
:preload_app => false,
:check_client_connection => false,
@@ -172,6 +175,21 @@ def after_worker_exit(*args, &block)
set_hook(:after_worker_exit, block_given? ? block : args[0], 3)
end
+ # sets after_worker_ready hook to a given block. This block will be called
+ # by a worker process after it has been fully loaded, directly before it
+ # starts responding to requests:
+ #
+ # after_worker_ready do |server,worker|
+ # server.logger.info("worker #{worker.nr} ready, dropping privileges")
+ # worker.user('username', 'groupname')
+ # end
+ #
+ # Do not use Configurator#user if you rely on changing users in the
+ # after_worker_ready hook.
+ def after_worker_ready(*args, &block)
+ set_hook(:after_worker_ready, block_given? ? block : args[0])
+ end
+
# sets before_fork got be a given Proc object. This Proc
# object will be called by the master process before forking
# each worker.
@@ -569,6 +587,10 @@ def working_directory(path)
# This switch will occur after calling the after_fork hook, and only
# if the Worker#user method is not called in the after_fork hook
# +group+ is optional and will not change if unspecified.
+ #
+ # Do not use Configurator#user if you rely on changing users in the
+ # after_worker_ready hook. Instead, you need to call Worker#user
+ # directly in after_worker_ready.
def user(user, group = nil)
# raises ArgumentError on invalid user/group
Etc.getpwnam(user)
diff --git a/lib/unicorn/http_server.rb b/lib/unicorn/http_server.rb
index c2086cb..ef897ad 100644
--- a/lib/unicorn/http_server.rb
+++ b/lib/unicorn/http_server.rb
@@ -15,7 +15,7 @@ class Unicorn::HttpServer
:before_fork, :after_fork, :before_exec,
:listener_opts, :preload_app,
:orig_app, :config, :ready_pipe, :user
- attr_writer :after_worker_exit
+ attr_writer :after_worker_exit, :after_worker_ready
attr_reader :pid, :logger
include Unicorn::SocketHelper
@@ -644,7 +644,7 @@ def worker_loop(worker)
trap(:USR1) { nr = -65536 }
ready = readers.dup
- @logger.info "worker=#{worker.nr} ready"
+ @after_worker_ready.call(self, worker)
begin
nr < 0 and reopen_worker_logs(worker.nr)
--
2.11.0
next reply other threads:[~2017-02-23 18:49 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-23 18:49 Jeremy Evans [this message]
2017-02-23 20:29 ` Patch: Add after_worker_ready configuration option V2 Eric Wong
2017-03-08 7:29 ` Eric Wong
2017-03-08 7:44 ` [PATCH] doc: add version annotations for new features Eric Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://yhbt.net/unicorn/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170223184937.GC67612@jeremyevans.local \
--to=code@jeremyevans.net \
--cc=unicorn-public@bogomips.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://yhbt.net/unicorn.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).