Supervisord is a nifty daemon for running and monitoring processes, that in the words of our sys admin Randol, “is everything Upstart isn’t.”
Supervisord differs from Upstart in that it uses a main background daemon that does the work of starting processes and monitoring their status, along with a UNIX socket file used by the supervisorctl command-line tool to talk to the main controller process. Let’s dive right in by installing and configuring supervisor (on Ubuntu!).
apt-get install supervisor
/etc/supervisor/supervisor.conf
[inet_http_server] port=9001
supervisorctl reload
Those trying to run commands along with the article might find that the call to supervisorctl fails with a “Permission denied” error such as
error: <class 'socket.error'>, [Errno 13] Permission denied: file: /usr/lib/python2.7/socket.py line: 224
Lets create a group, add ourselves to it by doing the following
groupadd supervisor usermod -a -G supervisor <myusername>
[unix_http_server] file=/var/run/supervisor.sock ; (the path to the socket file) chmod=0770 ; socket file mode (default 0700) chown=root:supervisor
Supervisord uses “program” as a naming convention for services it is setup to handle. Supervisor allows us to configure programs that run as background services, and will restart them upon failures. We can also create one-shot programs that do not need to run in the background as services. Let’s start with the configuration file ( /etc/supervisor/conf.d/uwsgi_app.conf) of a uwsgi application running in emperor mode
[program:uwsgi_app] command=/path/to/uwsgi --emperor /path/to/app/uwsgi.ini redirect_stderr=true stdout_logfile=/path/to/log stderr_logfile=/path/to/error_log user=<myusername> autostart=false autorestart=true stopsignal=QUIT
supervisorctl [start|stop] uwsgi_app
Applications that spawn a background process and then exit immediately pose a bit of a difficulty when managed by supervisor, who expects processes to start and stay alive rather than forking off and returning. Many of these applications leave a pidfile in /var/run, and we can couple these files with pidproxy, for services such as mysqld ( /etc/supervisor/conf.d/mysql.conf )
[program:mysql] command=/usr/bin/pidproxy /var/run/mysqld/mysqld.pid /usr/sbin/supervised_mysql redirect_stderr=true stdout_logfile=/var/log/mysql/supervisor.log stderr_logfile=/var/log/mysql/supervisor.error_log autostart=false autorestart=false environment=HOME="/etc/mysql" umask=007
#!/bin/sh if [ ! -d /var/run/mysqld ]; then install -m 755 -o mysql -g root -d /var/run/mysqld fi /lib/init/apparmor-profile-load usr.sbin.mysqld /usr/sbin/mysqld
The supervisor is designed to manage processes that run in the background, but it can handle one-shot programs as well. This capability is useful where you have commands that require root, yet you want to enable users without sudo permissions to run those commands. Let’s examine a script to stop and start an upstart service, such as nginx ( /etc/supervisor/conf.d/nginx.conf )
[program:nginx_start] command=service nginx start startsecs=0 autostart=false autorestart=false [program:nginx_stop] command=service nginx stop startsecs=0 autostart=false autorestart=false
Changing the permissions of supervisord’s UNIX socket allows us to expose programs to a group, but the problem is that this only really works with one group. Luckily, both supervisord and supervisorctl can be invoked with a -c command line parameter to specify the location of the configuration file to use. This means that separate configuration files for each group could be configured, with matching supervisors. For example, we could create a config file named /etc/supervisor/supervisor2.conf containing the following
. . . [unix_http_server] file=/var/run/supervisor2.sock ; (the path to the socket file) chmod=0770 ; socket file mode (default 0700) chown=root:othergroup . . . [include] files = /etc/supervisor/conf2.d/*.conf
[program:supervisor2] command=/usr/bin/supervisord -n -c /etc/supervisor/supervisor2.conf autostart=false autorestart=false
supervisorctl -c /etc/supervisor/supervisor2.conf [start|stop] <programname>
This article makes no claims about security, since the aim is to provide a quick introduction to supervisord. It is important to remember that the default Ubuntu install of supervisord runs as root, and all commands will be executed by root, unless otherwise noted in the program’s configuration. This may have far-reaching security implications. Be careful, and wear a helmet when experimenting. Enjoy!