Best practice on setting permissions of Varnish secret file

I'm using the following script to restart instances on a Plone site:

#!/bin/bash
# restart the four Plone instances one at a time behind Varnish
for i in {1..4}
do
  # take the backend out of rotation before restarting it
  varnishadm backend.set_health instance$i sick
  /opt/plone/site/bin/supervisorctl restart app:instance$i
  # warm the instance with one request before putting it back
  curl -s http://localhost:808$i/Plone > /dev/null
  # hand health back to the probe
  varnishadm backend.set_health instance$i auto
done

The script marks backends as sick on Varnish before restarting an instance, to avoid having errors and bloating instances with requests while the process finishes, but you need to give permission to the plone user to run varnishadm in order to avoid the following error:

Cannot open "/etc/varnish/secret": Permission denied

On Varnish 3 I added a group to manage Varnish and changed the permissions on the secret file like this:

# cd /etc/varnish/
# ls -l secret
-rw------- 1 root root 37 Oct 13  2015 secret
# groupadd varnishcli
# usermod -a -G varnishcli root
# usermod -a -G varnishcli plone
# chgrp varnishcli secret
# chmod 640 secret
# ls -l secret
-rw-r----- 1 root varnishcli 37 Oct 13  2015 secret

but in Varnish 4.1 I'm getting the following error:

Cannot open /var/lib/varnish/site/_.vsm: Permission denied

When I look at the _.vsm file this is what I get:

$ sudo ls -l /var/lib/varnish/site/
total 82948
drwxr-xr-x 2 vcache varnish     4096 Feb 18 22:05 vcl_boot
-rw-r----- 1 root   varnish 84934656 Feb 20 11:33 _.vsm

so I'm not sure what's the best way to achieve that now.

How do you handle this on your deployments?

According to the Varnish documentation (https://github.com/varnishcache/varnish-cache/blob/master/doc/sphinx/whats-new/changes-4.1.rst#proactive-security-features):

varnishlog, varnishncsa and other Varnish shared log utilities now must be run in a context with varnish group membership.

So you should fix group membership by adding the user varnishlog to the group varnish before attempting to start the varnishlog and varnishncsa daemons.

I think the plone user should be listed in the varnish group, or all Varnish utilities and the installation context should be handled like the varnishcli group:

usermod -a -G varnish plone

Also, I would make:

chmod 0600 secret

File permissions are 600 by default, and that was causing the error mentioned above:

# ls -la /etc/varnish
total 12
drwxr-xr-x   2 root root 4096 Jan 16 14:58 .
drwxr-xr-x 103 root root 4096 Feb 23 13:40 ..
lrwxrwxrwx   1 root root   47 Jan 16 14:58 default.vcl -> /opt/plone/example/etc/varnish/default.vcl
-rw-------   1 root root   37 Jan 11 23:06 secret

I changed them to 644 and now it's working; thanks!

Summing up, these 2 commands make the difference:

usermod -a -G varnish plone
chmod 644 /etc/varnish/secret

Cool :wink:
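A note from the editor on the outcome above, with an added example that is not part of the thread. On Varnish 4.1 varnishadm (when run without -T/-S) first opens the _.vsm segment to discover the management address and the secret path, then reads the secret itself; that is why both files produced "Permission denied" and why membership in the varnish group is needed for the first one. Finishing with chmod 644 on the secret, though, means every local account can read it, and whoever holds the secret and can reach the management port can run any CLI command, including loading new VCL. The Varnish 3 layout from the question (secret mode 640, group-readable) carries over unchanged if the group is varnish. The script below models the checks a practitioner would make before and after such a change: it takes ls -l lines like the ones quoted in the thread and decides whether a given account can read both files, and it flags a world-readable secret. The function names are mine, and the sample lines are constructed from the thread's listings, not live output.

```shell
#!/bin/sh
# Added example, not from the thread: decide from "ls -l" output whether an
# account can read the two files varnishadm opens on Varnish 4.1 (the CLI
# secret and the _.vsm segment it uses to find the management address), and
# flag a secret that is readable by every local user.
# Function names are mine; the sample lines below are constructed from the
# listings quoted in the thread, not live output.

# can_read MODE OWNER GROUP USER "GROUP1 GROUP2 ..."
#   MODE is the 10-character ls -l mode string, e.g. "-rw-r-----".
#   Mirrors the kernel's order: root always wins, then the owner bits apply if
#   USER owns the file, then the group bits if USER is in the file's group,
#   otherwise the "other" bits.
can_read() {
    local mode=$1 owner=$2 group=$3 user=$4 groups=$5 g
    [ "$user" = root ] && return 0
    if [ "$user" = "$owner" ]; then
        case $mode in ?r*) return 0 ;; *) return 1 ;; esac
    fi
    for g in $groups; do
        if [ "$g" = "$group" ]; then
            case $mode in ????r*) return 0 ;; *) return 1 ;; esac
        fi
    done
    case $mode in ???????r*) return 0 ;; *) return 1 ;; esac
}

# file_readable_by USER "GROUPS" "LS_LINE"
#   Parses one "ls -l" line (mode links owner group size ...) and applies can_read.
file_readable_by() {
    local user=$1 groups=$2
    set -- $3
    can_read "$1" "$3" "$4" "$user" "$groups"
}

# varnishadm_ready USER "GROUPS" SECRET_LINE VSM_LINE
#   0 only when USER can read both files; each "Permission denied" in the
#   thread is one of these two reads failing.
varnishadm_ready() {
    file_readable_by "$1" "$2" "$3" && file_readable_by "$1" "$2" "$4"
}

# world_readable LS_LINE -> 0 when the "other" read bit is set; for the CLI
# secret that means any local account can authenticate to the management port.
world_readable() {
    set -- $1
    case $1 in ???????r*) return 0 ;; *) return 1 ;; esac
}

# Constructed samples, shaped like the listings in the thread.
SAMPLE_SECRET_600='-rw------- 1 root root 37 Jan 11 23:06 secret'
SAMPLE_SECRET_640='-rw-r----- 1 root varnish 37 Jan 11 23:06 secret'
SAMPLE_SECRET_644='-rw-r--r-- 1 root root 37 Jan 11 23:06 secret'
SAMPLE_VSM='-rw-r----- 1 root varnish 84934656 Feb 20 11:33 _.vsm'

# verdict LABEL USER "GROUPS" SECRET_LINE VSM_LINE -> prints one line, returns 0
verdict() {
    local v
    if varnishadm_ready "$2" "$3" "$4" "$5"; then v="varnishadm works"; else v="Permission denied"; fi
    if world_readable "$4"; then v="$v; secret is world-readable"; fi
    printf '%-46s %s\n' "$1" "$v"
}

verdict "600 secret, plone not in varnish"            plone "plone"         "$SAMPLE_SECRET_600" "$SAMPLE_VSM"
verdict "600 secret, plone in varnish"                plone "plone varnish" "$SAMPLE_SECRET_600" "$SAMPLE_VSM"
verdict "644 secret, plone in varnish (the thread)"   plone "plone varnish" "$SAMPLE_SECRET_644" "$SAMPLE_VSM"
verdict "640 secret, group varnish, plone in varnish" plone "plone varnish" "$SAMPLE_SECRET_640" "$SAMPLE_VSM"
```

The last two lines of output show the trade-off: both layouts make varnishadm work for the plone user, but only the 640/varnish one keeps the secret away from unrelated local accounts. To run it against a live host, feed the functions real `ls -l /etc/varnish/secret` and `ls -l /var/lib/varnish/$(hostname)/_.vsm` lines and the output of `id -Gn plone`. If you would rather not give the plone user access to the shared-memory segment at all, varnishadm also accepts the management address and secret path explicitly (`varnishadm -T 127.0.0.1:6082 -S /etc/varnish/secret ...`, port as configured in your -T parameter), in which case only the secret's permissions matter.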

If you use anything like Munin or other reporting tools that call varnishlog/varnishstat, make sure they also run under the varnish group. Took me a few hours to figure out why my Munin statistics for Varnish were all gone.