Odd problem with starting Caddy at system startup...

Hi all ..

So I'm making progress with getting more familiar with FreeBSD (13.2-RELEASE), jails and so forth. Today I installed Caddy to be used as a reverse proxy for my homelab stuff. But on system reboot it's having a little problem I wasn't expecting and I'm not sure what the proper fix is ...

Below is what I see on the console at the end of the booting process:

Code:
Starting sshd.
Configuring vt: blanktime.
Starting caddy...
We trust you have received the usual lecture from the local System Administrator.  It usually boils down to these three things :

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility

For security reasons, the password you type will not be visible.

Then if I log in via ssh and look for caddy processes I see the following:

Code:
root@homelab:~ # ps aux | grep caddy
root  61417   0.0  0.0  13656  3116 v0  I+   20:54   0:00.01 /usr/bin/su -m www -c /usr/local/bin/caddy start --config /usr/local/etc/caddy/Caddyfile --adapter caddyfile          --pidfile /var/run/cad
www   61607   0.0  0.0  13936  3160 v0  I    20:54   0:00.01 _su -m -c /usr/local/bin/caddy start --config /usr/local/etc/caddy/Caddyfile --adapter caddyfile          --pidfile /var/run/caddy/caddy.pid
www   62077   0.0  0.1 781708 40308 v0  I    20:54   0:00.14 /usr/local/bin/caddy start --config /usr/local/etc/caddy/Caddyfile --adapter caddyfile --pidfile /var/run/caddy/caddy.pid
www   62165   0.0  0.1 786060 46372 v0  S    20:54   0:00.22 /usr/local/bin/caddy run --pingback 127.0.0.1:37176 --config /usr/local/etc/caddy/Caddyfile --adapter caddyfile --pidfile /var/run/caddy/cad

I know that it's caused by the fact that the startup script wants privs for what it needs to do and it's using "su" to gain the privs. Anyone have any suggestions on how to proceed? Maybe I should put this thing in a jail...??

Thanks in advance!
 
The system in its current state is not completing the booting process.. Jails are not started among other things, because the system is waiting for someone (me) to put in the root password to start caddy. If I manually kill the above mentioned pid 61417, in the snippet above, then the booting process completes. I understand what it's trying to do here -- using the portacl package to run it as a non-priv user. How do I get it to not be asking me during boot for my root password? Maybe I'm missing something..

I'll look at this in the morning when I'm not so tired.. and will likely move caddy into a jail and see where that goes.. thx
 
Did you follow these instructions?
Code:
# Note while Caddy currently defaults to running as root:wheel, it is strongly
# recommended to run the server as an unprivileged user, such as www:www.
#
# - Use security/portacl-rc to enable privileged port binding:
#
#   # pkg install security/portacl-rc
#   # sysrc portacl_users+=www
#   # sysrc portacl_user_www_tcp="http https"
#   # sysrc portacl_user_www_udp="https"
#   # service portacl enable
#   # service portacl start
#
# - Configure caddy to run as www:www
#
#   # sysrc caddy_user=www caddy_group=www
#
# - Note if Caddy has been started as root previously, files in
#   /var/log/caddy, /var/db/caddy, and /var/run/caddy may require their ownership
#   changing manually.

Code:
We trust you have received the usual lecture from the local System Administrator.  It usually boils down to these three things :

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility

For security reasons, the password you type will not be visible.
This is output from sudo(8), not su(1). So it's probably caused by something that's started after Caddy has been started. The process list you posted shows Caddy running, and getting started via a su(1). So Caddy is probably not the source of your problem.
 
hmmm... interesting.. you're correct.. I hadn't completely thought about it, but the above sudo message is not present when using su(1) which is just being used to switch who the caddy startup script is being executed as.

I just did a reboot after disabling portacl from being part of the caddy startup and the problem disappeared.. Not sure what's going on, but I guess in my particular case I'll just leave portacl out of things and install caddy in a jail and move on.. still learning here..

For completeness, below is my /etc/rc.conf file for reference:

Code:
clear_tmp_enable="YES"
hostname="homelab"

# set a fixed IP..
#ifconfig_igb0="DHCP"
ifconfig_igb0="inet 192.168.1.210 netmask 255.255.255.0"
defaultrouter="192.168.1.1"

sshd_enable="YES"

ntpd_enable="YES"
ntp_sync_on_start="YES"
ntpdate_enable="YES"

# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
jail_enable="YES"
jail_parallel_start="YES"
jail_list="mysql jellyfin"

#portacl_enable="YES"
#portacl_users="www"
#portacl_user_www_tcp="http https"
#portacl_user_www_udp="https"

caddy_enable="YES"
#caddy_user="www"
#caddy_group="www"

ddclient_enable="YES"
 
I just did a reboot after disabling portacl from being part of the caddy startup and the problem disappeared..
That's odd. As far as I can tell that script doesn't use sudo(8). I see no reason why it would present the message and the password prompt during boot.

But I see you're also starting some jails. Could the message have come from there?
 
That's odd. As far as I can tell that script doesn't use sudo(8). I see no reason why it would present the message and the password prompt during boot.

But I see you're also starting some jails. Could the message have come from there?
When I enable the portacl stuff and reboot, the jails are not yet started according to what I see on the console. I'll try disabling the jail startup and re-enabling the portacl and see what happens and report back.
 
the jails are not yet started according to what I see on the console.
Right. Little trick to figure out in what order things are started: rcorder /etc/rc.d/* /usr/local/etc/rc.d/*
Take a look at things it tries to start after /usr/local/etc/rc.d/caddy.
 
Right. Little trick to figure out in what order things are started: rcorder /etc/rc.d/* /usr/local/etc/rc.d/*
Take a look at things it tries to start after /usr/local/etc/rc.d/caddy.
Thanks for that suggestion. So I'm able to dig into this a bit more now that I'm home and can see the console.

Right now I've done the following and these are the results:

  • jails disabled, portacl enabled, caddy disabled, ddclient disabled = no sudo
  • jails disabled, portacl enabled, caddy enabled, ddclient disabled = no sudo
  • jails enabled, portacl enabled, caddy enabled, ddclient disabled = no sudo
  • everything enabled = no sudo
Ok.. now I'm totally stumped.. I'm not seeing the sudo now. ugh! As far as I know I changed nothing.. Yikes! I guess I'll have to keep an eye on things. I'm clueless on this one. Sorry!
 