4 files changed, 59 insertions, 27 deletions

diff --git a/configserver/src/main/sh/start-configserver b/configserver/src/main/sh/start-configserver
index f223c0a8fb9..8e7a9d7839a 100755
--- a/configserver/src/main/sh/start-configserver
+++ b/configserver/src/main/sh/start-configserver
@@ -78,7 +78,7 @@ cd ${VESPA_HOME} || { echo "Cannot cd to ${VESPA_HOME}" 1>&2; exit 1; }
 
 fixfile () {
     if [ -f $1 ]; then
-        if [ "${VESPA_USER}" ] && [ "${VESPA_UNPRIVILEGED}" != yes ]; then
+        if [ "${VESPA_USER}" ] && [ "$(id -u)" -eq 0 ]; then
             chown ${VESPA_USER} $1
         fi
         chmod 644 $1
@@ -90,8 +90,8 @@ fixddir () {
        echo "Creating data directory $1"
        mkdir -p $1 || exit 1
     fi
-    if [ "${VESPA_USER}" ] && [ "${VESPA_UNPRIVILEGED}" != yes ]; then
-       chown ${VESPA_USER} $1
+    if [ "${VESPA_USER}" ] && [ "$(id -u)" -eq 0 ]; then
+        chown ${VESPA_USER} $1
     fi
     chmod 755 $1
 }
diff --git a/metrics-proxy/src/main/sh/start-telegraf.sh b/metrics-proxy/src/main/sh/start-telegraf.sh
index ca6549de5f8..0cdfd784367 100644
--- a/metrics-proxy/src/main/sh/start-telegraf.sh
+++ b/metrics-proxy/src/main/sh/start-telegraf.sh
@@ -79,7 +79,7 @@ fixddir () {
        echo "Creating data directory $1"
        mkdir -p $1 || exit 1
     fi
-    if [ "${VESPA_USER}" ] && [ "${VESPA_UNPRIVILEGED}" != yes ]; then
+    if [ "${VESPA_USER}" ] && [ "$(id -u)" -eq 0 ]; then
        chown ${VESPA_USER} $1
     fi
     chmod 755 $1
diff --git a/vespabase/src/common-env.sh b/vespabase/src/common-env.sh
index 628ebe6b074..00bc6652699 100755
--- a/vespabase/src/common-env.sh
+++ b/vespabase/src/common-env.sh
@@ -207,26 +207,45 @@ consider_fallback VESPA_USE_NO_VESPAMALLOC  "vespa-rpc-invoke vespa-get-config v
 
 
 fixlimits () {
-    # Cannot bump limits when not root (for testing)
-    if [ "${VESPA_UNPRIVILEGED}" = yes ]; then
-	return 0
-    fi
-    # number of open files:
-    if varhasvalue file_descriptor_limit; then
-       ulimit -n ${file_descriptor_limit} || exit 1
-    elif [ `ulimit -n` -lt 262144 ]; then
-        ulimit -n 262144 || exit 1
+    max_processes_limit=409600
+    if ! varhasvalue file_descriptor_limit; then
+        file_descriptor_limit=262144
     fi
 
-    # core file size
-    if [ `ulimit -c` != "unlimited" ]; then
-        ulimit -c unlimited
-    fi
+    max_processes=$(ulimit -u)
+    core_size=$(ulimit -c)
+    file_descriptor=$(ulimit -n)
+    # Warn if we Cannot bump limits when not root
+    if [ "$(id -u)" -ne 0 ]; then
+        # number of open files:
+        if [ $file_descriptor -lt $file_descriptor_limit ]; then
+            echo "Expected file descriptor limit to be at least $file_descriptor_limit, was $file_descriptor"
+        fi
+
+        # core file size
+        if [ "$core_size" != "unlimited" ]; then
+            echo "Expected core file size to be unlimited, was $core_size"
+        fi
+
+        # number of processes/threads
+        if [ "$max_processes" != "unlimited" ] && [ "$max_processes" -lt "$max_processes_limit" ]; then
+            echo "Expected max processes to be at least $max_processes_limit, was $max_processes"
+        fi
+    else
+        # number of open files:
+        if [ $file_descriptor -lt $file_descriptor_limit ]; then
+            ulimit -n "$file_descriptor_limit" || exit 1
+        fi
 
-    # number of processes/threads
-    max_processes=`ulimit -u`
-    if [ "$max_processes" != "unlimited" ] && [ "$max_processes" -lt 409600 ]; then
-        ulimit -u 409600
+        # core file size
+        if [ "$core_size" != "unlimited" ]; then
+            ulimit -c unlimited
+        fi
+
+        # number of processes/threads
+        if [ "$max_processes" != "unlimited" ] && [ "$max_processes" -lt "$max_processes_limit" ]; then
+            ulimit -u "$max_processes_limit"
+        fi
     fi
 }
 
diff --git a/vespabase/src/rhel-prestart.sh b/vespabase/src/rhel-prestart.sh
index 79a8e61848c..0aedfb4622d 100755
--- a/vespabase/src/rhel-prestart.sh
+++ b/vespabase/src/rhel-prestart.sh
@@ -85,6 +85,7 @@ fi
 if [ "$VESPA_GROUP" = "" ]; then
     VESPA_GROUP=$(id -rgn)
 fi
+IS_ROOT=$([ "$(id -ru)" == "0" ] && echo true || echo false)
 
 cd $VESPA_HOME || { echo "Cannot cd to $VESPA_HOME" 1>&2; exit 1; }
 
@@ -94,9 +95,21 @@ fixdir () {
         exit 1
     fi
     mkdir -p "$4"
-    if [ "${VESPA_UNPRIVILEGED}" != yes ]; then
-      chown $1 "$4"
-      chgrp $2 "$4"
+    if ! $IS_ROOT; then
+        local stat="$(stat -c "%U %G" $4)"
+        local user=${stat% *}
+        local group=${stat#* }
+        if [ "$1" != "$user" ]; then
+            echo "Wrong owner for $VESPA_HOME/$4, expected $1, was $user"
+            exit 1
+        fi
+        if [ "$2" != "$group" ]; then
+            echo "Wrong group for $VESPA_HOME/$4, expected $2, was $group"
+            exit 1
+        fi
+    else
+        chown $1 "$4"
+        chgrp $2 "$4"
     fi
     chmod $3 "$4"
 }
@@ -130,9 +143,9 @@ fixdir ${VESPA_USER} ${VESPA_GROUP}   755  var/vespa/bundlecache
 fixdir ${VESPA_USER} ${VESPA_GROUP}   755  var/vespa/bundlecache/configserver
 fixdir ${VESPA_USER} ${VESPA_GROUP}   755  var/vespa/cache/config
 
-if [ "${VESPA_UNPRIVILEGED}" != yes ]; then
-  chown -hR ${VESPA_USER} logs/vespa
-  chown -hR ${VESPA_USER} var/db/vespa
+if [ "$(id -u)" -eq 0 ]; then
+    chown -hR ${VESPA_USER} logs/vespa
+    chown -hR ${VESPA_USER} var/db/vespa
 fi
 
 # END directory fixups