cron cli: check if posix_getuid exists. Update documentation

35183510 · Patrick Radtke · 530acfb2 · 35183510 · 35183510
Commit 35183510 authored 7 years ago by Patrick Radtke
--- a/modules/cron/bin/cron.php
+++ b/modules/cron/bin/cron.php
@@ -21,7 +21,7 @@ if (!SimpleSAML\Module::isModuleEnabled('cron')) {
 }

 $options = getopt("t:");
-if (posix_getuid() === 0) {
+if (function_exists('posix_getuid') && posix_getuid() === 0) {
    echo "Running as root is discouraged. Some cron jobs will generate files that would have the wrong ownership.\n";
    echo 'Suggested invocation: su -s "/bin/sh" -c "php /var/simplesamlphp/modules/cron/bin/cron.php -t hourly" apache';
    exit(3);

--- a/modules/cron/docs/cron.md
+++ b/modules/cron/docs/cron.md
@@ -47,9 +47,17 @@ here is a random key available to no one but you. Additionally, make
 sure that you include here the appropriate tags - for example any tags
 that you previously told metarefresh to use in the `cron` directive.

-Triggering Cron via HTTP
+Triggering Cron
 ---------------------------

+You can trigger the cron hooks through HTTP or CLI.  The HTTP method
+is the original technique, and it is recommended if you don't need to
+trigger CPU or memory intensive cron hooks.  The CLI option is
+recommended if you need more control over memory, CPU limits and
+process priority.
+
+### With HTTP
+
 `cron` functionality can be invoked by making an HTTP request to the
 cron module.  Use your web browser to go to
 `https://YOUR_SERVER/simplesaml/module.php/cron/croninfo.php`. Make
@@ -80,3 +88,35 @@ follow the appropriate links to execute the cron jobs you want. The
 page will take a while loading, and eventually show a blank page.


+### With CLI
+
+You can invoke cron functionality by running
+`/var/simplesamlphp/modules/cron/bin/cron.php` and providing a tag
+with the `-t ` argument.
+
+It is strongly recommended that you run the cron cli script as the
+same user as the web server.  Several cron hooks created files and
+those files may have the wrong permissions if you run the job as root.
+
+**note:** Logging behavior in SSP when running from CLI varies by
+version. The latest version logs to PHP's error log and ignores any
+logging configuration from `config.php`
+
+Below is an example of invoking the script. It will:
+
+* Run a command as the `apache` user
+   * `-s` specifies `apache` user's shell, since the default is non-interactive
+* Override INI entries to increase memory and execution time.
+    * This allows for processing large metadata files in metarefresh
+* Run the `cron.php` script with the `hourly` tag
+* Use `nice` to lower the priority below that of web server processes
+
+```bash
+su -s "/bin/sh" \
+   -c "nice -n 10 \
+       php -d max_execution_time=120 -d memory_limit=600M \
+       /var/simplesamlphp/modules/cron/bin/cron.php -t hourly" \
+    apache
+    
+```
+