I'm using the following script to restart instances on a Plone site:
for i in {1..4}
do
    varnishadm backend.set_health instance$i sick
    /opt/plone/site/bin/supervisorctl restart app:instance$i
    curl http://localhost:808$i/Plone > /dev/null
    varnishadm backend.set_health instance$i auto
done
The script marks backends as sick on Varnish before restarting an instance, to avoid having errors and bloating instances with requests while the process finishes, but you need to give permission to the plone user to run varnishadm in order to avoid the following error:
Cannot open "/etc/varnish/secret": Permission denied
On Varnish 3 I was adding a group to manage Varnish and changed permissions on the secret file like this:
# cd /etc/varnish/
# ls -l secret
-rw------- 1 root root 37 Oct 13 2015 secret
# groupadd varnishcli
# usermod -a -G varnishcli root
# usermod -a -G varnishcli plone
# chgrp varnishcli secret
# chmod 640 secret
# ls -l secret
-rw-r----- 1 root varnishcli 37 Oct 13 2015 secret
But in Varnish 4.1 I'm getting the following error:
Cannot open /var/lib/varnish/site/_.vsm: Permission denied
When I look at the _.vsm file this is what I get:
$ sudo ls -l /var/lib/varnish/site/
total 82948
drwxr-xr-x 2 vcache varnish 4096 Feb 18 22:05 vcl_boot
-rw-r----- 1 root varnish 84934656 Feb 20 11:33 _.vsm
So I'm not sure what's the best way to achieve that now.
varnishlog, varnishncsa and other Varnish shared log utilities now must be run in a context with varnish group membership.
So, you should fix group membership by adding the user varnishlog to the group varnish, before attempting to start the varnishlog and varnishncsa daemons.
I think that the plone user should be listed in the Varnish group, or all Varnish utilities and context installation should be like the varnishcli group:
If you use anything like Munin or other reporting tools that call varnishlog/varnishstat, make sure they also run under the varnish group. Took me a few hours to figure out why my Munin statistics for Varnish were all gone.
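The group requirement discussed above can be checked before running the restart loop. The following is an added example, not part of the original posts: `read_class` and `check_file` are hypothetical helper names, the owner, group and mode values come from the `ls -l` listings in the question, and `check_file` assumes GNU `stat` and `id`.

```shell
#!/bin/sh
# Added example: which permission class lets a user read a Varnish file?

# read_class OWNER GROUP MODE USER "USER_GROUPS"
# Prints owner, group or other (the class that grants read), root, or none.
# The kernel picks exactly one class, the first that matches the user, and
# only that class's read bit counts. Directory search permission on the
# parent directories is not checked here.
read_class() {
    owner=$1; group=$2; user=$4; member_of=$5
    m=$((0$3))                      # stat's octal mode, e.g. 640
    if [ "$user" = root ]; then     # superuser bypasses the mode bits
        echo root
        return
    fi
    if [ "$user" = "$owner" ]; then
        [ $(( (m >> 6) & 4 )) -ne 0 ] && echo owner || echo none
        return
    fi
    for g in $member_of; do
        if [ "$g" = "$group" ]; then
            [ $(( (m >> 3) & 4 )) -ne 0 ] && echo group || echo none
            return
        fi
    done
    [ $(( m & 4 )) -ne 0 ] && echo other || echo none
}

# check_file FILE USER: the same check against the live system.
# Needs enough privilege to stat FILE (run it as root for /var/lib/varnish).
check_file() {
    meta=$(stat -c '%U %G %a' "$1") || return 1
    set -- $meta "$2"
    read_class "$1" "$2" "$3" "$4" "$(id -Gn "$4")"
}

# Usage: sh check.sh /var/lib/varnish/site/_.vsm plone
if [ $# -eq 2 ]; then
    check_file "$1" "$2"
fi
```

With the listings from the question, the secret file (root:varnishcli, 640) is readable by plone through the varnishcli group, while `_.vsm` (root:varnish, 640) reports `none` until plone is also a member of varnish.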