From: Tomas Krizek Date: Fri, 16 Feb 2018 09:20:32 +0000 (+0100) Subject: systemd: compatibility drop-in for kresd@.service X-Git-Tag: v2.1.0~1^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa3acf736f48e7068777ea3cdea78de44603aedc;p=thirdparty%2Fknot-resolver.git systemd: compatibility drop-in for kresd@.service Unify the drop-in files for manual activation and systemd compatibility, since it is not recommended to use manual activation if socket activation is supported. Also add --forks=1 to the command, otherwise the service attempts to start in interactive mode. --- diff --git a/systemd/README.md b/systemd/README.md index a194c5d5b..aa7046d01 100644 --- a/systemd/README.md +++ b/systemd/README.md @@ -11,26 +11,13 @@ Usage and Configuration See kresd.systemd(7) for details. -Manual activation ------------------ +Compatibility with older systemd +-------------------------------- -If you wish to use manual activation without sockets, you have to -grant the service the capability to bind to well-known ports, and you -should disable allocation of other sockets from systemd itself. You -can use a drop-in file like so: - - # /etc/systemd/system/kresd@.service.d/override.conf - [Service] - AmbientCapabilities=CAP_NET_BIND_SERVICE - Sockets= - -If you do this, make sure you've indicated which ports to bind to in -/etc/knot-resolver/kresd.conf , and also do: - - systemctl disable --now kresd.socket kresd-tls.socket 'kresd-control@*.socket' +If you're using systemd prior to version 227, use the systemd-compat.conf +drop-in file to use manual activation. In this case, socket files shouldn't +be packaged, because they won't be used. Notes ----- -* If you're using systemd prior to version 227, use a drop-in file to change - the service type to simple. See drop-in/systemd-compat.conf. diff --git a/systemd/drop-in/manual-activation.conf b/systemd/drop-in/manual-activation.conf deleted file mode 100644 index dbf6055b4..000000000 
--- a/systemd/drop-in/manual-activation.conf +++ /dev/null @@ -1,8 +0,0 @@ -# /etc/systemd/system/kresd@.service.d/override.conf - -# If socket activation isn't used, the CAP_NET_BIND_SERVICE is necessary -# to be able to bind to a well-known port as an unprivilidged user. - -[Service] -AmbientCapabilities=CAP_NET_BIND_SERVICE -Sockets= diff --git a/systemd/drop-in/systemd-compat.conf b/systemd/drop-in/systemd-compat.conf index b33671a3e..d251c4152 100644 --- a/systemd/drop-in/systemd-compat.conf +++ b/systemd/drop-in/systemd-compat.conf @@ -1,6 +1,17 @@ -# /etc/systemd/system/kresd@.service.d/override.conf +# /usr/lib/systemd/system/kresd@.service.d/override.conf -# If systemd.227+ isn't available (e.g. CentOS 7), change the service type. +# If systemd.227+ isn't available (e.g. CentOS 7), socket activation can't be used +# and the following modifications are required to use the service with +# manual activation. + +# CAP_NET_BIND_SERVICE is necessary to be able to bind to a well-known port +# as an unprivilidged user. + +# Explicit --forks=1 turns off interactive mode. [Service] Type=simple +AmbientCapabilities=CAP_NET_BIND_SERVICE +ExecStart= +ExecStart=/usr/sbin/kresd --config=/etc/knot-resolver/kresd.conf --forks=1 +Sockets=
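Review bot: The rewritten "Compatibility with older systemd" section in systemd/README.md drops the instruction that the ports to bind to must be set in /etc/knot-resolver/kresd.conf, and it names systemd-compat.conf without saying where the file lives or where to install it. The removed text covered the first point ("make sure you've indicated which ports to bind to in /etc/knot-resolver/kresd.conf") and the removed note gave the location (drop-in/systemd-compat.conf). Because the drop-in now sets an empty Sockets=, a resolver started this way listens only where kresd.conf says. Suggest keeping one sentence on that and stating the install path, consistent with the /usr/lib/systemd/system/kresd@.service.d/override.conf path in the drop-in's header comment.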
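Review bot: The added AmbientCapabilities=CAP_NET_BIND_SERVICE line in systemd/drop-in/systemd-compat.conf targets systemd older than 227, but that directive was only introduced in systemd 229, so on the hosts this file is written for it is likely to be ignored and the unprivileged kresd would fail to bind a well-known port. Please verify on the CentOS 7 case named in the comment and, if the setting is not honoured there, document how the capability is granted instead. Two smaller points in the same hunk: the new comment carries over the "unprivilidged" typo from the deleted manual-activation.conf, and the ExecStart= reset followed by a full command line replaces the unit's command wholesale with hardcoded /usr/sbin/kresd and --config paths, so a comment noting that it must be updated together with kresd@.service would help.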