git.ipfire.org Git - thirdparty/knot-resolver.git/commitdiff
systemd: clarify dropping Sockets= for non-socket-activated services
author Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Mon, 5 Feb 2018 19:04:55 +0000 (14:04 -0500)
committer Tomas Krizek <tomas.krizek@nic.cz>
Fri, 16 Feb 2018 09:40:42 +0000 (10:40 +0100)
If the administrator of a non-socket-activated kresd installation
doesn't clear Sockets=, then they will also inherit sockets from the
process manager, which doesn't make sense.  Help them avoid that
situation.

systemd/README.md
systemd/drop-in/manual-activation.conf

index 1c79bad337734f495e915394aed2509bc687f0b7..a194c5d5ba4673ed0672fce7c9a85c6b96c8d19b 100644 (file)
@@ -14,13 +14,20 @@ See kresd.systemd(7) for details.
 Manual activation
 -----------------
 
-If you wish to use manual activation without sockets, you have to grant
-the service the capability to bind to well-known ports. You can use a drop-in
-file.
+If you wish to use manual activation without sockets, you have to
+grant the service the capability to bind to well-known ports, and you
+should disable allocation of other sockets from systemd itself. You
+can use a drop-in file like so:
 
     # /etc/systemd/system/kresd@.service.d/override.conf
     [Service]
     AmbientCapabilities=CAP_NET_BIND_SERVICE
+    Sockets=
+
+If you do this, make sure you've indicated which ports to bind to in
+/etc/knot-resolver/kresd.conf , and also do:
+
+    systemctl disable --now kresd.socket kresd-tls.socket 'kresd-control@*.socket'
 
 Notes
 -----
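Review bot: the new step list is missing a `systemctl daemon-reload` between writing the drop-in and the `systemctl disable --now ...` line; a file added under /etc/systemd/system/kresd@.service.d/ is not applied to an already-loaded kresd@.service until the manager reloads its unit files, so an administrator following these steps verbatim can still start an instance that inherits the sockets. Minor: drop the stray space in "/etc/knot-resolver/kresd.conf ,". It would also help to state in one clause why the empty `Sockets=` line is needed (an empty assignment resets the list inherited from kresd.socket, kresd-tls.socket and kresd-control@*.socket, so the instance no longer receives file descriptors it is not configured to serve), since the paragraph currently only says to "disable allocation of other sockets".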
index af7e0d33ce829f59edd61e2b5e3705e064c761fe..dbf6055b40e84f6f9b69610ee3088615817d92b8 100644 (file)
@@ -5,3 +5,4 @@
 
 [Service]
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+Sockets=
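Review bot: the bare `Sockets=` added to the shipped drop-in carries no explanation, and this file is the one administrators will copy; a comment line above it noting that the empty assignment resets the socket list so a manually started instance does not inherit the kresd.socket / kresd-tls.socket / kresd-control@ file descriptors would keep the drop-in self-documenting and consistent with what the README hunk now says. Keeping it paired with AmbientCapabilities=CAP_NET_BIND_SERVICE, as here, is right: without the capability a non-socket-activated instance cannot bind the well-known ports on its own, and without the reset it would bind them and still hold the inherited ones.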