In light of the recent heartbleed ugliness, I have been asked if we must run our (open source) chef servers as root, or if they can be run as a non-privileged user?
If so, is there documentation for how to do it?
--
Stephen Corbesero, DevOps Engineer
Synchronoss - Mobile Innovation for a Connected World
It wouldn't be a ton of work to update those configuration recipes to run
the services as another user (chef-server, for instance) or even create a
user per-service for segregation. Additionally, the Chef Server API listens
on ports 80 and 443, which both require root privileges to bind to.
Hmm, I see our Chef 10 server processes running as the "chef" user and our
Chef 11 running as the "chef_server" user. I don't see the root user running
any Chef Server processes anywhere.