
www/varnish4: update to 4.1.0
ClosedPublic

Authored by feld on Oct 13 2015, 3:00 PM.

Details

Summary

Varnish update to 4.1.0

Disruptive changes: new "jail" feature. Upstream wants Varnish to run as
its own user. We were previously running as www:www which is probably
not appropriate. I am creating a varnish user/group instead.

Users may have to blow away /usr/local/varnish/hostname before firing
varnishd back up.

TODO: write an UPDATING entry

https://github.com/varnish/Varnish-Cache/blob/varnish-4.1.0/doc/sphinx/whats-new/changes.rst

Diff Detail

Repository
rP FreeBSD ports repository

Event Timeline

feld retitled this revision from to www/varnish4: update to 4.1.0.
feld updated this object.
feld edited the test plan for this revision.

Does it use the group at all? I see no mention of it in the rc file.

In D3878#80519, @mat wrote:

Does it use the group at all? I see no mention of it in the rc file.

I had a chat with phk and he said we should have two users: varnish and vcache, both should be in the varnish group.

Make varnishlog and varnishncsa run as non-root as well

Give varnishncsa and varnishlog their own UIDs. Their membership in
the varnish group allows them to read logs, but will not permit them to
attack the running varnish process if they were somehow compromised.

Reviewed Debian's approach and they share the "varnishlog" user between the
varnishlog and varnishncsa processes.

This revision was automatically updated to reflect the committed changes.
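
A check an administrator could run after the update, added here as an example and not part of the port or of this review: it reads `ps -axo user,comm`-style lines and flags Varnish processes still running as www, log readers running as root, and log readers sharing an account with varnishd. The function name is hypothetical, the account names in the sample are the ones mentioned in the discussion above, and both sample listings are constructed.

```shell
#!/bin/sh
# Added example: audit a process listing against the account separation
# discussed in this review. Input: "USER COMMAND" lines, as printed by
#   ps -axo user,comm
# One finding per line on stdout; exit status 1 if anything was found.

audit_varnish_procs() {
    awk '
        $2 == "varnishd"                          { daemon_user[$1] = 1 }
        $2 == "varnishlog" || $2 == "varnishncsa" { reader[++n] = $1 " " $2 }
        # www:www is the account the port used before this change.
        $2 ~ /^varnish/ && $1 == "www" {
            print "FAIL " $2 " runs as www"; bad = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                split(reader[i], f, " ")
                if (f[1] == "root") {
                    print "FAIL " f[2] " runs as root"; bad = 1
                } else if (f[1] in daemon_user) {
                    # A compromised log reader with the same UID as varnishd
                    # could signal or trace the running daemon.
                    print "FAIL " f[2] " shares account " f[1] " with varnishd"
                    bad = 1
                }
            }
            exit bad
        }
    '
}

# Constructed sample listings (not taken from a real host).
SAMPLE_SEPARATED='USER COMMAND
root sshd
varnish varnishd
vcache varnishd
varnishlog varnishlog
varnishlog varnishncsa'

SAMPLE_SHARED='USER COMMAND
www varnishd
www varnishd
root varnishlog
www varnishncsa'

# Demonstration on the constructed "shared account" listing.
printf '%s\n' "$SAMPLE_SHARED" | audit_varnish_procs || true
```

On a live host the same function takes the real listing: `ps -axo user,comm | audit_varnish_procs`.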