Do not run orchestrator as root

[sjmudd]

The provided init scripts make orchestrator start and run as the root user. That's really not necessary, so it would be good to provide sample init scripts that start orchestrator as a (dedicated?) non-root user.

I would suggest

• detecting if running as root and issuing a warning that it's better not to
• making the init scripts try to start orchestrator as the orchestrator user or some specific non-root user
• add comments that any routines called by orchestrator may need to run via sudo to gain enhanced privileges if moving from the current setup.
• binding to port 80 (or low ports) may be troublesome, perhaps requiring orchestrator to drop privileges (not sure if that's an issue in go or somehow configuring the user to have such privileges. That's likely to depend on the OS being used, but as not everyone will be binding to low ports this may not be such an issue.
• ensure that log writing can write to the appropriate file(s).
• this is really not a new issue and it has been resolved by many other applications and it seems to make sense for orchestrator too.

[sjmudd]

I do notice that dropping privileges seems hard in go so maybe this can't be done yet or easily? See: golang/go#1435

[shlomi-noach]

Perhaps just run via start-stop-daemon? It's a pretty nice wrapper.

Usage: start-stop-daemon [<option> ...] <command>

Commands:
  -S|--start -- <argument> ...  start a program and pass <arguments> to it
  -K|--stop                     stop a program
  -T|--status                   get the program status
  -H|--help                     print help information
  -V|--version                  print version

Matching options (at least one is required):
     --pid <pid>                pid to check
     --ppid <ppid>              parent pid to check
  -p|--pidfile <pid-file>       pid file to check
  -x|--exec <executable>        program to start/check if it is running
  -n|--name <process-name>      process name to check
  -u|--user <username|uid>      process owner to check

Options:
  -g|--group <group|gid>        run process as this group
  -c|--chuid <name|uid[:group|gid]>
                                change to this user/group before starting
                                  process
  -s|--signal <signal>          signal to send (default TERM)
  -a|--startas <pathname>       program to start (default is <executable>)
  -r|--chroot <directory>       chroot to <directory> before starting
  -d|--chdir <directory>        change to <directory> (default is /)
  -N|--nicelevel <incr>         add incr to the process' nice level
  -P|--procsched <policy[:prio]>
                                use <policy> with <prio> for the kernel
                                  process scheduler (default prio is 0)
  -I|--iosched <class[:prio]>   use <class> with <prio> to set the IO
                                  scheduler (default prio is 4)
  -k|--umask <mask>             change the umask to <mask> before starting
  -b|--background               force the process to detach
  -C|--no-close                 do not close any file descriptor
  -m|--make-pidfile             create the pidfile before starting
    |--remove-pidfile           delete the pidfile after stopping
  -R|--retry <schedule>         check whether processes die, and retry
  -t|--test                     test mode, don't do anything
  -o|--oknodo                   exit status 0 (not 1) if nothing done
  -q|--quiet                    be more quiet
  -v|--verbose                  be more verbose

Retry <schedule> is <item>|/<item>/... where <item> is one of
 -<signal-num>|[-]<signal-name>  send that signal
 <timeout>                       wait that many seconds
 forever                         repeat remainder forever
or <schedule> may be just <timeout>, meaning <signal>/<timeout>/KILL/<timeout>
...

[shlomi-noach]

(I don't know that it solves opening port 80). If you're behind reverse proxy you don't relaly need to run orchestrator on port 80 anyhow