From: Daniel Kahn Gillmor
Date: Mon, 5 Feb 2018 19:04:55 +0000 (-0500)
Subject: systemd: clarify dropping Sockets= for non-socket-activated services
X-Git-Tag: v2.1.0~1^2~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=26918db914cb4998e6903ae2b530c206ffd4333f;p=thirdparty%2Fknot-resolver.git

systemd: clarify dropping Sockets= for non-socket-activated services

If the administrator of a non-socket-activated kresd installation doesn't clear Sockets=, then they will also inherit sockets from the process manager, which doesn't make sense. Help them avoid that situation.
---
diff --git a/systemd/README.md b/systemd/README.md index 1c79bad33..a194c5d5b 100644 --- a/systemd/README.md +++ b/systemd/README.md @@ -14,13 +14,20 @@ See kresd.systemd(7) for details. Manual activation ----------------- -If you wish to use manual activation without sockets, you have to grant -the service the capability to bind to well-known ports. You can use a drop-in -file. +If you wish to use manual activation without sockets, you have to +grant the service the capability to bind to well-known ports, and you +should disable allocation of other sockets from systemd itself. You +can use a drop-in file like so: # /etc/systemd/system/kresd@.service.d/override.conf [Service] AmbientCapabilities=CAP_NET_BIND_SERVICE + Sockets= + +If you do this, make sure you've indicated which ports to bind to in +/etc/knot-resolver/kresd.conf , and also do: + + systemctl disable --now kresd.socket kresd-tls.socket 'kresd-control@*.socket' Notes ----- diff --git a/systemd/drop-in/manual-activation.conf b/systemd/drop-in/manual-activation.conf index af7e0d33c..dbf6055b4 100644 --- a/systemd/drop-in/manual-activation.conf +++ b/systemd/drop-in/manual-activation.conf @@ -5,3 +5,4 @@ [Service] AmbientCapabilities=CAP_NET_BIND_SERVICE +Sockets=
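Review bot: In the systemd/README.md hunk, the new manual-activation steps omit the `systemctl daemon-reload` that is needed before a freshly written drop-in under /etc/systemd/system/kresd@.service.d/ takes effect, and a restart of any running kresd@ instance so it actually drops the inherited sockets; consider adding both to the "and also do:" list next to `systemctl disable --now kresd.socket kresd-tls.socket 'kresd-control@*.socket'`. Two smaller points in the same hunk: the stray space in "/etc/knot-resolver/kresd.conf , and also do:" should go, and since the repository ships systemd/drop-in/manual-activation.conf with the same two settings, the README could point administrators at that file instead of having them hand-write override.conf.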
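Review bot: In the systemd/drop-in/manual-activation.conf hunk, the bare `Sockets=` line deserves a one-line comment above it, because an empty assignment resets the unit's Sockets= list rather than being a no-op, and an administrator reading the drop-in later is likely to mistake it for a leftover; something like "# Reset Sockets= so kresd does not inherit sockets from systemd" would match the intent stated in the commit message.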