From 0398a9859855a6a4c6ec0c577e1368dc7230ae40 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Mon, 5 Feb 2018 02:37:44 -0500
Subject: [PATCH] More systemd service management cleanup
Please see discussion at:
https://github.com/systemd/systemd/issues/8096
The new approach is:
* non-templated kresd.socket and kresd-tls.socket, for the public-facing listening ports. They know to invoke kresd@1.service if they're socket-activated.
* kresd@.service *is* templated, to allow the admin to add more concurrent runners with: systemctl enable kresd@2.service
* kresd-control@.socket is still templated, since each daemon has a separately-addressable different control port.
* non-templated kresd.service is a dummy meta-service. it is in the same slice as kresd@.service, and all the kresd@.service instances are PartOf= it, so you should be able to stop and restart all services together. On systems like debian that ship /etc/init.d/kres, this also avoids having systemd-sysv-generator create a kresd.service based on the initscript.
* no templated instances are explicitly instantiated during initial ship, but kresd@1.service should be socket-activated cleanly
Gbp-Pq: Name 0010-More-systemd-service-management-cleanup.patch
---
 doc/kresd.systemd.7 | 113 +++++++++++++++---
 systemd/drop-in/listen-tls.conf | 2 +-
 systemd/drop-in/listen-udp-tcp.conf | 2 +-
 systemd/kresd-control@.socket | 1 +
 .../{kresd-tls@.socket => kresd-tls.socket} | 4 +-
 systemd/kresd.service | 14 +++
 systemd/{kresd@.socket => kresd.socket} | 3 +-
 systemd/kresd@.service | 10 +-
 8 files changed, 122 insertions(+), 27 deletions(-)
 rename systemd/{kresd-tls@.socket => kresd-tls.socket} (83%)
 create mode 100644 systemd/kresd.service
 rename systemd/{kresd@.socket => kresd.socket} (85%)
diff --git a/doc/kresd.systemd.7 b/doc/kresd.systemd.7
index f046710d7..d231c32ca 100644
--- a/doc/kresd.systemd.7
+++ b/doc/kresd.systemd.7
@@ -14,9 +14,11 @@ kresd.systemd
 .SH "SYNOPSIS"
 .nf
 kresd@.service
-kresd@.socket
-kresd-tls@.socket
+kresd.socket
+kresd-tls.socket
 kresd-control@.socket
+system-kresd.slice
+kresd.service
 .fi
 .SH "DESCRIPTION"
@@ -31,21 +33,29 @@ managed with \fBsystemd\fR via systemd templates (see \fBsystemd.unit\fR(5)).
 Each \fBsystemd\fR service instance of \fBkresd\fR (\fIkresd@.service\fR) represents a single, independent kresd process.
+The systemd-managed \fBkresd\fR service set is grouped in the
+\fIsystem-kresd.slice\fR slice. The slice includes one or more
+running daemons (instances of \fIkresd@.service\fR), public listening
+sockets (the same listening sockets are shared by all daemons), a
+dedicated control socket for each running daemon, and one meta-service
+(\fIkresd.service\fR) which can be used to stop or restart all the
+daemons.
+
 Each instance of \fIkresd@.service\fR has three systemd sockets (see \fBsystemd.socket(5)\fR) associated with it:
 .nf
 .RS
-\fIkresd@.socket\fR - UDP/TCP network socket (default: localhost:53)
-\fIkresd-tls@.socket\fR - network socket for DNS-over-TLS (default: localhost:853)
-\fIkresd-control@.socket\fR - UNIX socket with control terminal
+\fIkresd.socket\fR - UDP/TCP network socket (default: localhost:53), shared with other instances
+\fIkresd-tls.socket\fR - network socket for DNS-over-TLS (default: localhost:853), shared with other instances
+\fIkresd-control@.socket\fR - UNIX socket with control terminal, dedicated
 .RE
 .fi
 .B Configuring network interfaces
-When using socket-based activation, the daemon doesn't require root privileges
-nor any capabilities, because the sockets are created by \fBsystemd\fR and
+When using socket-based activation, the daemon requires neither root privileges
+nor any special capabilities, because the sockets are created by \fBsystemd\fR and
 passed to \fBkresd\fR. This means \fBkresd\fR can't bind to ports below 1024 when configured in \fI/etc/knot-resolver/kresd.conf\fR.
@@ -54,8 +64,8 @@ To configure \fBkresd\fR to listen on public interfaces, drop-in files (see
 .nf
 .RS 4n
-.B systemctl edit kresd@.socket
-.B systemctl edit kresd-tls@.socket
+.B systemctl edit kresd.socket
+.B systemctl edit kresd-tls.socket
 .RE
 .fi
@@ -64,22 +74,79 @@ For example, to configure \fBkresd\fR to listen on 192.0.2.115 on ports 53 and
 .nf
 .RS 4n
-# /etc/systemd/system/kresd@.socket.d/override.conf
+# /etc/systemd/system/kresd.socket.d/override.conf
 [Socket]
 ListenDatagram=192.0.2.115:53
 ListenStream=192.0.2.115:53
-# /etc/systemd/system/kresd-tls@.socket.d/override.conf
+# /etc/systemd/system/kresd-tls.socket.d/override.conf
 [Socket]
 ListenStream=192.0.2.115:853
 .RE
 .fi
+.B Concurrent daemons
+
+If you have more than one CPU core available, a single running
+\fBkresd\fR daemon will only be able to make use of one core at a
+time, leaving the other cores idle. If you want \fBkresd\fR to take
+advantage of all available cores, while sharing both cache and public
+listening ports, you should enable and start as many instances of the
+\fBkresd@.service\fR as you have cores. Typically, each instance is
+just named \fIkresd@\fBN\fI.service\fR, where \fIN\fR is a decimal
+number. To enable 3 concurrent daemons:
+
+.nf
+.RS 4n
+.B systemctl enable --now kresd@1.service kresd@2.service kresd@3.service
+.RE
+.fi
+
+.B Using system-kresd.slice
+
+The easiest way to view the status of systemd-supervised \fBkresd\fR
+instances is to use the \fIsystem-kresd.slice\fR:
+
+.nf
+.RS 4n
+.B systemctl status system-kresd.slice
+.RE
+.fi
+
+You can also use the slice to restart all sockets as well as daemons:
+
+.nf
+.RS 4n
+.B systemctl restart system-kresd.slice
+.RE
+.fi
+
+Or you can use it to stop kresd altogether (e.g. during package removal):
+
+.nf
+.RS 4n
+.B systemctl stop system-kresd.slice
+.RE
+.fi
+
+Note that \fBsystemctl start system-kresd.slice\fR does not
+automatically start the sockets or the daemons, though. To ensure
+that all enabled daemons are started and running, do:
+
+.nf
+.RS 4n
+.B systemctl start 'kresd@*.service'
+.RE
+.fi
+
 .SH "NOTES"
 .IP * 2
-When \fIkresd@.service\fR is started, stopped or restarted, its associated
-sockets are also automatically started, stopped or restarted.
+When an instance of \fIkresd@.service\fR is started, stopped or
+restarted, its associated control socket is also automatically
+started, stopped or restarted, but the public listening sockets remain
+open. As long as either of the public sockets are listening, at least
+\fIkresd@1.service\fR will be automatically activated when a request arrives.
 .IP * 2
 If your distribution doesn't use socket-based activation, you can configure the
@@ -110,15 +177,15 @@ To delay the service startup until some traffic arrives, start (or enable) just the sockets:
 .nf
 .RS 4n
-.B systemctl start kresd@1.socket
-.B systemctl start kresd-tls@1.socket
+.B systemctl start kresd.socket
+.B systemctl start kresd-tls.socket
 .RE
 .fi
 To disable the TLS socket, you can mask it:
 .RS 4n
-.B systemctl mask kresd-tls@1.socket
+.B systemctl mask kresd-tls.socket
 .RE
 .RE
@@ -129,10 +196,17 @@ To disable the TLS socket, you can mask it:
 Multiple instances can be handled with the use of \fIBrace Expansion\fR (see \fBbash\fR(1)).
-To start multiple instances, for example 16:
+To enable multiple concurrent daemons, for example 16:
+.nf
+.RS
+.B systemctl enable kresd@{1..16}.service
+.RE
+.fi
+
+To start all enabled daemons:
 .nf
 .RS
-.B systemctl start kresd@{1..16}.service
+.B systemctl start 'kresd@*.service'
 .RE
 .fi
@@ -145,4 +219,5 @@ To start multiple instances, for example 16:
 \fIhttps://knot-resolver.readthedocs.io\fR
 .SH "AUTHORS"
-.B kresd developers are mentioned in the AUTHORS file in the distribution.
+.B kresd
+developers are mentioned in the AUTHORS file in the distribution.
diff --git a/systemd/drop-in/listen-tls.conf b/systemd/drop-in/listen-tls.conf
index b03c42526..6c798f0c9 100644
--- a/systemd/drop-in/listen-tls.conf
+++ b/systemd/drop-in/listen-tls.conf
@@ -1,4 +1,4 @@
-# /etc/systemd/system/kresd-tls@.socket.d/override.conf
+# /etc/systemd/system/kresd-tls.socket.d/override.conf
 # Configure which interfaces should kresd listen on.
 # ListenStream can be added multiple times.
diff --git a/systemd/drop-in/listen-udp-tcp.conf b/systemd/drop-in/listen-udp-tcp.conf
index c45e1ce58..480767abb 100644
--- a/systemd/drop-in/listen-udp-tcp.conf
+++ b/systemd/drop-in/listen-udp-tcp.conf
@@ -1,4 +1,4 @@
-# /etc/systemd/system/kresd@.socket.d/override.conf
+# /etc/systemd/system/kresd.socket.d/override.conf
 # Configure which interfaces should kresd listen on.
 # ListenDatagram and ListenStream can be added multiple times.
diff --git a/systemd/kresd-control@.socket b/systemd/kresd-control@.socket
index 902c9d74a..9133a5ded 100644
--- a/systemd/kresd-control@.socket
+++ b/systemd/kresd-control@.socket
@@ -9,6 +9,7 @@ Service=kresd@%i.service
 ListenStream=/run/knot-resolver/control@%i
 FileDescriptorName=control
 SocketMode=0660
+Slice=system-kresd.slice
 [Install]
 WantedBy=sockets.target
diff --git a/systemd/kresd-tls@.socket b/systemd/kresd-tls.socket
similarity index 83%
rename from systemd/kresd-tls@.socket
rename to systemd/kresd-tls.socket
index 533e07ba3..b30c2f2a5 100644
--- a/systemd/kresd-tls@.socket
+++ b/systemd/kresd-tls.socket
@@ -2,15 +2,15 @@
 Description=Knot DNS Resolver TLS network listener
 Documentation=man:kresd(8)
 Before=sockets.target
-PartOf=kresd@%i.service
 [Socket]
-Service=kresd@%i.service
 ReusePort=true
 FreeBind=true
 FileDescriptorName=tls
 ListenStream=[::1]:853
 ListenStream=127.0.0.1:853
+Service=kresd@1.service
+Slice=system-kresd.slice
 [Install]
 WantedBy=sockets.target
diff --git a/systemd/kresd.service b/systemd/kresd.service
new file mode 100644
index 000000000..75cf4dfdb
--- /dev/null
+++ b/systemd/kresd.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Knot DNS Resolver daemon (meta-service, see "systemctl status 'kresd@*.service'")
+Documentation=man:kresd(8)
+Documentation=man:kresd.systemd(7)
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/true
+ExecReload=/bin/true
+Slice=system-kresd.slice
+
+[Install]
+WantedBy=multi-user.target
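Review bot: `ExecReload=/bin/true` in the new kresd.service lets `systemctl reload kresd.service` return success while no kresd@ instance is reloaded, because `PartOf=` (which the instances set on this unit) only propagates stop and restart, never reload. An operator who applies a configuration change that way gets a false positive with nothing changed. Drop the `ExecReload=` line so systemd reports reload as unsupported, or steer people to `systemctl restart kresd.service` in the Description. Separately, since the meta-service pulls in no socket and no instance, `systemctl enable --now kresd.service` yields an active unit with nothing listening; if that is intended, a comment such as `# Meta-unit only: enable kresd.socket / kresd-tls.socket or kresd@N.service to actually run a resolver` would prevent that surprise.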
diff --git a/systemd/kresd@.socket b/systemd/kresd.socket
similarity index 85%
rename from systemd/kresd@.socket
rename to systemd/kresd.socket
index fac7759e9..4b8f648ca 100644
--- a/systemd/kresd@.socket
+++ b/systemd/kresd.socket
@@ -2,7 +2,6 @@
 Description=Knot DNS Resolver network listeners
 Documentation=man:kresd(8)
 Before=sockets.target
-PartOf=kresd@%i.service
 [Socket]
 ReusePort=true
@@ -11,6 +10,8 @@ ListenDatagram=[::1]:53
 ListenStream=[::1]:53
 ListenDatagram=127.0.0.1:53
 ListenStream=127.0.0.1:53
+Service=kresd@1.service
+Slice=system-kresd.slice
 [Install]
 WantedBy=sockets.target
diff --git a/systemd/kresd@.service b/systemd/kresd@.service
index 864ebe773..3995490a4 100644
--- a/systemd/kresd@.service
+++ b/systemd/kresd@.service
@@ -1,9 +1,7 @@
 [Unit]
 Description=Knot DNS Resolver daemon
 Documentation=man:kresd(8)
-Wants=kresd@%i.socket
-Wants=kresd-control@%i.socket
-Wants=kresd-tls@%i.socket
+PartOf=kresd.service
 [Service]
 Type=notify
@@ -12,3 +10,9 @@ EnvironmentFile=-/etc/default/kresd
 ExecStart=/usr/sbin/kresd $KRESD_ARGS
 User=knot-resolver
 Restart=on-failure
+Sockets=kresd.socket
+Sockets=kresd-tls.socket
+Sockets=kresd-control@%i.socket
+
+[Install]
+WantedBy=multi-user.target
-- 
2.47.2
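Review bot: `Service=kresd@1.service` hard-wires activation of the shared public listener to instance 1, while every other instance only receives this socket through `Sockets=` in kresd@.service and nothing stops an admin from masking or disabling kresd@1.service and running kresd@2 upwards. If a query then arrives while no instance is running, systemd cannot start the activating service and, as far as I can tell, takes the socket unit down, so the resolver stops answering without any instance ever having failed. Put the constraint next to the line, e.g. `# Activation always targets instance 1; further instances share this fd via Sockets=. Do not mask kresd@1.service.`, and mirror the caveat in kresd.systemd(7), whose new NOTES text only says instance 1 "will be" activated.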
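Review bot: The instance unit still relies on `User=knot-resolver` alone, although the kresd.systemd(7) text in this same patch promises that a socket-activated kresd needs neither root nor any special capability; nothing in this hunk enforces that promise, so a compromised resolver keeps every privilege a setuid binary or an inherited capability can hand it. Encode the claim with `NoNewPrivileges=yes` and `CapabilityBoundingSet=` (empty), which costs nothing since the listening sockets already come from systemd via `Sockets=`; `ProtectSystem=strict` with a `ReadWritePaths=` entry for the cache directory is the natural next step but needs the cache path, which is not visible here. If these directives already exist in the part of kresd@.service outside the hunk or in a vendor drop-in, disregard this. The `[Service]` section begins before this hunk.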