Supervisor for Non-Privileged Users

January 15, 2024

Introduction

Supervisor is a useful tool that allows its users to control a number of processes on UNIX-like operating systems. There are many use cases, and I’ll focus on using supervisor as a non-privileged user.

Configurations by root

Suppose the tool is installed and enabled in systemd. We can display the unit's configuration with systemctl cat supervisor.

Below is an example:

# /lib/systemd/system/supervisor.service
[Unit]
Description=Supervisor process control system for UNIX
Documentation=http://supervisord.org
After=network.target

[Service]
# non-privileged username (systemd only accepts comments on their own line)
User=svc_username
# the group name of the non-privileged user
Group=svc_groupname
ExecStart=/usr/bin/supervisord -n -c /etc/supervisor/supervisord.conf
ExecStop=/usr/bin/supervisorctl $OPTIONS shutdown
ExecReload=/usr/bin/supervisorctl -c /etc/supervisor/supervisord.conf $OPTIONS reload
KillMode=process
Restart=on-failure
RestartSec=50s

[Install]
WantedBy=multi-user.target

The configuration is defined in /etc/supervisor/supervisord.conf. We can have the config file somewhere else. For simplicity, we just use the system default conf file and make some modifications to it.

Here we suppose that we want to use the service account svc_username to manage some programs, and that the application's home and related files all live under /app_path (feel free to change /app_path to another location, as long as svc_username owns it).

# /etc/supervisor/supervisord.conf
[unix_http_server]
file=/app_path/run/supervisor.sock   ; (the path to the socket file)
chmod=0700                       ; socket file mode (default 0700)
[supervisord]
logfile=/app_path/log/supervisor/supervisord.log ; (main log file;default $CWD/supervisord.log)
pidfile=/app_path/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
childlogdir=/app_path/log/supervisor            ; ('AUTO' child log dir, default $TEMP)
[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
[supervisorctl]
serverurl=unix:///app_path/run/supervisor.sock ; use a unix:// URL  for a unix socket
[include]
files = /app_path/supervisor/conf.d/*.conf

/etc/supervisor/supervisord.conf should be owned by root. Once /lib/systemd/system/supervisor.service and /etc/supervisor/supervisord.conf have been configured, root can reload/restart the supervisor service.

systemctl daemon-reload
systemctl restart supervisor
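
Because supervisord now runs as svc_username, every directory named in the config has to exist and be owned by that account, while the config file itself stays with root. The script below is an added example, not part of the original post, that root can run to check this; the function names are hypothetical and it assumes the layout shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# owner_of PATH: print the owner column of `ls -ld` (name, or uid if unnamed).
owner_of() {
    ls -ld -- "$1" 2>/dev/null | awk '{ print $3 }'
}

# conf_dirs CONF: print each directory supervisord writes to or reads includes
# from, taken from file=, logfile=, pidfile=, childlogdir= and [include] files=.
conf_dirs() {
    awk '
        { sub(/[ \t]+;.*$/, "") }                  # drop inline " ; comment"
        /^(file|files|logfile|pidfile|childlogdir)[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key != "childlogdir") sub("/[^/]*$", "", val)  # keep parent dir
            print val
        }' "$1" | sort -u
}

# check_supervisor_paths CONF SVC_USER [CONF_OWNER]
# Prints one line per problem; returns 0 only when nothing was printed.
check_supervisor_paths() {
    conf=$1 svc_user=$2 conf_owner=${3:-root}
    ! {
        [ "$(owner_of "$conf")" = "$conf_owner" ] ||
            echo "config not owned by $conf_owner: $conf"
        conf_dirs "$conf" | while IFS= read -r dir; do
            if [ ! -d "$dir" ]; then
                echo "missing directory: $dir"
            elif [ "$(owner_of "$dir")" != "$svc_user" ]; then
                echo "not owned by $svc_user: $dir"
            fi
        done
    } | grep .
}

# Run as: sh check.sh /etc/supervisor/supervisord.conf svc_username
if [ "$#" -ge 2 ]; then
    check_supervisor_paths "$@"
fi
```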

Configurations by non-privileged user svc_username

Once the supervisor service is running, we can put app configurations under /app_path/supervisor/conf.d/ as *.conf files.

[program:foo]
command=/app_path/path_to_executable some arguments here
directory=/app_path/foo
autostart=true
autorestart=true
startretries=1
stderr_logfile=/app_path/foo.err.log
stdout_logfile=/app_path/foo.out.log
user=svc_username

More details about the configuration can be found on supervisord’s configuration page.