System Integrity Scripts - permissions problems?


(Tbaatar) #1

We are in the process of running system maintenance and website optimization and I’ve been playing around with the System Integrity Scripts on my dev server.

The scripts need to be run as root user, and in my case www-data (Debian 9 / Apache). Some of the scripts run fine, e.g. system_integrity_check_indexes.php, however system_integrity_clean_cache_dir.php throws up a permission warning. Here is the code and warning I get:

sudo -u www-data php system_integrity_clean_cache_dir.php /var/www/squiz_matrix
 
Warning: Please make sure you have the correct permission to remove cache files.
SQ_CACHE_PATH is '/var/www/squiz_matrix/cache'

I have checked the /cache directory and the sess_xxxxxx files are all 775 permissions.

What could I be doing wrong? And is this something that can be offloaded to run from Matrix or Crontab instead?

Many thanks.


(Tyson Adams) #2

Hi tbaatar,

I think you are using the right user and have the correct permissions there.

That warning will display on the screen regardless of your permissions in /cache, it runs just after making sure you are in CLI and have provided the system root path.

You should get a line under that saying:

Summary: n/n cache file(s) removed.

Do you get that line? That script will only remove expired cache files as well, so it may not delete anything at that time, but should then show 0/0 cache files removed.

If there is a permission failure on any files it will print a line with the failed filename and ‘FAILED’.

From what I can tell, you can set up your Crontab to run any script on your system, but I don’t believe there is any way to offload running that to Matrix directly.

Hope that helps.


(Tbaatar) #3

Hi Tyson,

Yes it does print the cache summary at the end.
I get 0/0, however I can see around 108 files in the cache folder. This could be because the system is quite a new dev build and the session caches haven’t expired yet. So I need to look into the session files to make sure.

Edit:
I noticed it creates a log file/email file under mail. Not sure if this is something to be concerned about or if this is normal behaviour.

From root@cdh.localdomain  Wed Feb 27 17:01:17 2019
Return-Path: <root@cdh.localdomain>
X-Original-To: root
Delivered-To: root@cdh.localdomain
Received: by cdh.localdomain (Postfix, from userid 0)
	id 1607F22808; Wed, 27 Feb 2019 17:01:17 +0000 (UTC)
To: root@cdh.localdomain
From: root@cdh.localdomain
Auto-Submitted: auto-generated
Subject: *** SECURITY information for api ***
Message-Id: <20190227170117.1607F22808@cdh.localdomain>
Date: Wed, 27 Feb 2019 17:01:17 +0000 (UTC)

api : Feb 27 17:01:17 : root : problem with defaults entries ; TTY=pts/0 ; PWD=/var/www/squiz_matrix/scripts ; USER=www-data ; 

It would be useful to run these commands from a cron job. Are there any hints and tips around this?

Thanks.


(Tyson Adams) #4

Hi tbaatar,

I think those logs are related to using sudo and it looking for directives in an incorrect place, so it isn’t specific to Matrix from what I can see. See https://superuser.com/questions/1086152/sudo-sending-annoying-alerts-issue-with-defaults-entries. Likely isn’t much of an issue in regards to your Matrix install and running those system scripts.

There shouldn’t be anything special you need to do to run any Matrix scripts from Crontab, just make sure it’s in the correct format, and you might want to export the script output message into some log file for debugging and record keeping purposes. This isn’t too bad of a resource: https://www.adminschoice.com/crontab-quick-reference.

Cheers
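
The cron setup discussed in posts #2 and #4, as an added example that is not part of the original thread and not Squiz code: a wrapper that runs the cache clean-up as www-data (from that user's own crontab, so no sudo or root is involved), appends the output to a log, and exits non-zero when a file could not be removed. The wrapper path, the log path and the assumption that a failure line contains the word FAILED are hypothetical; the script path and the Summary line format are taken from the thread.

```shell
#!/bin/sh
# Added example. Assumed: wrapper path, log path, and that a failure line contains "FAILED".
# Install in www-data's own crontab (crontab -u www-data -e), e.g.:
#   15 3 * * * /usr/local/bin/matrix_clean_cache.sh --run
MATRIX_ROOT="${MATRIX_ROOT:-/var/www/squiz_matrix}"
LOG_FILE="${LOG_FILE:-/var/log/matrix/clean_cache.log}"   # assumed; must be writable by www-data

# Reads the script's output on stdin.
# Returns 0 = clean, 1 = FAILED line or removed != total, 2 = no Summary line.
# The "Warning: Please make sure..." line is printed on every run, so it is ignored.
check_clean_output() {
    awk '
        /FAILED/ { failed++ }
        /^Summary: [0-9]+\/[0-9]+ cache file\(s\) removed/ {
            split($2, n, "/"); removed = n[1]; total = n[2]; seen = 1
        }
        END {
            if (!seen) exit 2
            if (failed > 0 || removed != total) exit 1
            exit 0
        }'
}

run_clean_cache() {
    out=$(php "$MATRIX_ROOT/scripts/system_integrity_clean_cache_dir.php" "$MATRIX_ROOT" 2>&1)
    { date '+%Y-%m-%d %H:%M:%S'; printf '%s\n' "$out"; } >> "$LOG_FILE"
    printf '%s\n' "$out" | check_clean_output
}

if [ "${1:-}" = "--run" ]; then
    rc=0
    run_clean_cache || rc=$?
    # Anything printed here is mailed by cron, so stay silent on success.
    [ "$rc" -eq 0 ] || echo "clean_cache_dir: exit $rc, see $LOG_FILE" >&2
    exit "$rc"
fi
```

Exit code 2 covers the case where the script stops before printing its Summary line, for example when the system root path argument is wrong.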


(David Schoen) #5

Both Matrix cache and (by default) session files are stored under the cache directory - I think the issue is you’re looking at the session files and expecting this script to clear them out because they happen to be under the cache directory on your instance.

https://matrix.squiz.net/manuals/server-administrator/chapters/session_cleanup.sh may be what you’re looking for, or you could consider putting sessions in Memcached as that’s what we always do these days.


(Tbaatar) #6

Hi David,

Thanks for the explanation, it makes sense now.
If I understand correctly Memcached is different from Memcache, so presumably the session handling is not possible from within Matrix? Or is it possible with this Memcache configuration to clear the session/cache?

'cache_manager'        => Array('mc1' => 1),
'session_handling'     => Array('mc1' => 1),
'locking'              => Array('mc1' => 1),
'deja_vu'              => Array('mc1' => 1),

Many thanks.


(David Schoen) #7

Matrix uses the memcache PECL to talk to Memcached (the daemon).

> or is it possible with this Memcache configuration to clear the session/cache?

You can just rely on memcached to expire keys.

It’s not great to configure all 4 services to use a single DB though as LRU (Least Recently Used) will often start purging sessions or locking if your cache or deja vu are too active and there’s not enough memory allocated.


(Tbaatar) #8

Hi David,

Thanks for the feedback.

Do I need to configure anything for Memcached?

Many thanks.
Tuguldur


(David Schoen) #9

The only thing we normally configure for each memcached DB is the memory limit - how you do that is distro and version dependent though so looking at something like https://serverfault.com/a/202032/452730 would be a better start.