These are chat archives for sbt/sbt-native-packager

8th
Mar 2016
Roberto Leibman
@rleibman
Mar 08 2016 20:47
So... I'm creating an akka-http server, and I want it to listen to port 80. The deb package that sbt-native-packager creates works great, as long as the port it binds to is not privileged (e.g. 8080). I need a way to let it bind to 80. There are various ways to accomplish this: use a redirect rule in the firewall from port 80 to port 8080 (yuck!), use a web front end, such as apache or nginx (why add the complexity), use setcap (but we have to setcap on the actual java binary, have to remember to do so every time we upgrade java AND leaves java exposed so that anybody running java can bind on any port). The ideal solution is to run it as root and drop privileges, which requires some really ugly jni code, or better yet, use something like authbind that wraps this process. My question: how do I tie authbind into the scripts/config files created by sbt-native-packager?
Or did I miss some other obvious way of doing this?
Nepomuk Seiler
@muuki88
Mar 08 2016 22:22
You have a few options. You can set the daemonUser and daemonGroup to root (which I wouldn't recommend). Another would be to override the start script, which could be cumbersome. The last option would be to provide a start script to start the start script...
Roberto Leibman
@rleibman
Mar 08 2016 22:24
I tried putting authbind in the /etc/init/myservice.conf file, but it didn't work. I think authbind needs to be lower down (like in the actual call to java)
Nepomuk Seiler
@muuki88
Mar 08 2016 22:24
From my experience I would recommend using nginx/apache/ha-proxy and redirect
Roberto Leibman
@rleibman
Mar 08 2016 22:25
I have used nginx, but I really wanted to avoid it, partly because I shouldn't need it! and partly to see how it should be done.
(reading authbind man) maybe authbind --deep would do it.
nafg
@nafg
Mar 08 2016 22:34
@rleibman in my experience the easiest way to run on port 80 is via docker
Especially with sbt-native-packager
Roberto Leibman
@rleibman
Mar 08 2016 22:35
I haven't used docker (yet)... mhh, interesting.
nafg
@nafg
Mar 08 2016 22:35
Though it does sort of require having a docker registry (account)
you basically tell sbt to create the image,
then you docker push,
Roberto Leibman
@rleibman
Mar 08 2016 22:35
But doesn't that add a lot of overhead?
nafg
@nafg
Mar 08 2016 22:35
then on the server you say docker run --restart=always -p 80:9000 myimagename
and you're done
It also saves you from worrying about upstart/systemd/v whatever
@rleibman what overhead?
Roberto Leibman
@rleibman
Mar 08 2016 22:36
I'd be afraid that docker would be even slower than nginx.
nafg
@nafg
Mar 08 2016 22:36
@rleibman slower? why?
Roberto Leibman
@rleibman
Mar 08 2016 22:36
(not that nginx is slow, just it's slower than just plain going to the server)
nafg
@nafg
Mar 08 2016 22:37
docker is just as fast as anything
it's just a fancy UI for linux cgroups ;)
Roberto Leibman
@rleibman
Mar 08 2016 22:37
docker is a container, right? so your bits are still going through something else they weren't before.
nafg
@nafg
Mar 08 2016 22:37
(okay that was WAY too simplistic)
@rleibman not in the VM sense
it's not slower
it's being executed straight on your server's kernel just like anything else
Roberto Leibman
@rleibman
Mar 08 2016 22:38
So, you're saying that speed(docker + akka-http) == speed(akka-http)
nafg
@nafg
Mar 08 2016 22:38
yes
the only caveat might be the port forwarding it does?
$ ps -ef | grep docker-proxy
core      2096  2088  0 22:39 pts/0    00:00:00 grep --colour=auto docker-proxy
root     27158   650  0 Feb23 ?        00:00:26 docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip 172.17.0.5 -container-port 8080
don't know how it works under the hood
But I never heard of docker slowing anything down
Roberto Leibman
@rleibman
Mar 08 2016 22:40
ok, I'll take your word for it. I do need to do some research on docker for some other purposes so maybe this will be an excuse.
nafg
@nafg
Mar 08 2016 22:41
If you can pay for a private repository on docker hub,
it's super simple
Roberto Leibman
@rleibman
Mar 08 2016 22:41
Why do I need a docker account at all?
I can't host my own docker "image" (whatever that is) by myself?
ok... forget it... it's off topic for this forum, and I have no idea what I'm talking about when it comes to docker.
I'm going with setcap... my service will run in a vm that will ONLY do this, so I don't care if java can bind to other ports.