acme-dns needs directory permissions in systemd (documentation) #88

Open
jvanasco opened this issue May 31, 2018 · 6 comments

@jvanasco
Contributor

jvanasco commented May 31, 2018

I updated my install to control acme-dns via systemd, with an acme-dns user.

I changed the ownership of items in /etc/acme-dns to acme-dns.

If the /etc/acme-dns directory is owned by root, there are errors in accessing the existing database /etc/acme-dns/acme-dns.db. If the directory is owned by acme-dns, the db is read fine.

Stated differently,

```
# this results in db errors
chown acme-dns:acme-dns /etc/acme-dns/*

# this works
chown -R acme-dns:acme-dns /etc/acme-dns
```

I'm not sure how/why this is happening, but I think it is due to sqlite not being able to make lock files.

@joohoi
Owner

joohoi commented May 31, 2018

Thanks for bringing this up! I'll investigate a bit, but it looks like we should make slight modifications to the documentation. Pinging @gabe565 as they contributed the systemd service file and docs.

@gabe565
Contributor

gabe565 commented May 31, 2018

I honestly forgot that this is configurable. In my setup, I have the /etc/acme-dns directory as owned by root, then have the database in /var/lib/acme-dns and have it owned by acme-dns with 600 permissions. I will PR another step with that setup.

@jvanasco
Contributor Author

jvanasco commented May 31, 2018

after some testing & checking the sqlite docs regarding locks, the issue is definitely due to the acme-dns user needing write permissions for the directory which the database file is in.

@gabe565
Contributor

gabe565 commented Jun 1, 2018

Yes that's what it looks like, which is why I would rather keep the database in /var/lib/acme-dns since the acme-dns user is guaranteed to own that directory (It's the acme-dns home directory), then a directory in /etc does not have to be writable. Does that seem right?

@jvanasco
Contributor Author

jvanasco commented Jun 1, 2018

yeah that seems like the right approach.

if you wanted to overcomplicate things, have you considered placing the config file in there? then a user could just be added to the acme-dns group for edit privileges.

@Ajedi32
Contributor

Ajedi32 commented Jun 1, 2018

Yeah, you don't want to put databases in /etc anyway. /etc on Linux is for config files. /var is more appropriate for databases. See http://www.pathname.com/fhs/pub/fhs-2.3.html
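
The layouts discussed in this thread, checked as an added example (not part of the thread and not acme-dns project code): a small audit that flags a SQLite file whose parent directory the service user cannot write to, a database readable beyond its owner, and a database kept under /etc. The function names and the uid/gid 995 for acme-dns are assumptions, and the stat records are constructed.

```python
import os
import stat
from types import SimpleNamespace

def can_create_in(dir_st, uid, gids):
    """True if uid may create files in the directory (mode bits only; ignores ACLs and root)."""
    if dir_st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (dir_st.st_mode & need) == need

def audit(db_path, dir_st, db_st, uid, gids):
    """Findings for a SQLite file used by a service running as uid/gids."""
    findings = []
    if not can_create_in(dir_st, uid, gids):
        # SQLite creates its journal/lock files beside the database file.
        findings.append("dir-not-writable")
    if db_st.st_uid != uid:
        findings.append("db-not-owned")
    if stat.S_IMODE(db_st.st_mode) & 0o077:
        findings.append("db-group-or-world-accessible")
    if db_path.startswith("/etc/"):
        findings.append("db-under-etc")
    return findings

def audit_path(db_path, uid, gids):
    """Run the same checks against the live filesystem."""
    db_path = os.path.abspath(db_path)
    return audit(db_path, os.stat(os.path.dirname(db_path)), os.stat(db_path), uid, gids)

SVC = 995  # assumed uid/gid of the acme-dns account (constructed value)

def st(uid, gid, mode):
    """Build a constructed stat record for the demo."""
    return SimpleNamespace(st_uid=uid, st_gid=gid, st_mode=mode)

def demo():
    # chown of the files only: directory stays root-owned, mode 755.
    files_only = audit("/etc/acme-dns/acme-dns.db", st(0, 0, stat.S_IFDIR | 0o755),
                       st(SVC, SVC, stat.S_IFREG | 0o600), SVC, [SVC])
    # Database in the service user's home directory, file mode 600.
    var_lib = audit("/var/lib/acme-dns/acme-dns.db", st(SVC, SVC, stat.S_IFDIR | 0o700),
                    st(SVC, SVC, stat.S_IFREG | 0o600), SVC, [SVC])
    return files_only, var_lib

if __name__ == "__main__":
    print(demo())
```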
