From aa3acf736f48e7068777ea3cdea78de44603aedc Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Fri, 16 Feb 2018 10:20:32 +0100
Subject: [PATCH] systemd: compatibility drop-in for kresd@.service

Unify the drop-in files for manual activation and systemd compatibility, since it is not recommended to use manual activation if socket activation is supported.

Also add --forks=1 to the command, otherwise the service attempts to start in interactive mode.
---
 systemd/README.md | 23 +++++------------------
 systemd/drop-in/manual-activation.conf | 8 --------
 systemd/drop-in/systemd-compat.conf | 15 +++++++++++++--
 3 files changed, 18 insertions(+), 28 deletions(-)
 delete mode 100644 systemd/drop-in/manual-activation.conf

diff --git a/systemd/README.md b/systemd/README.md
index a194c5d5b..aa7046d01 100644
--- a/systemd/README.md
+++ b/systemd/README.md
@@ -11,26 +11,13 @@ Usage and Configuration
 
 See kresd.systemd(7) for details.
 
-Manual activation
------------------
+Compatibility with older systemd
+--------------------------------
 
-If you wish to use manual activation without sockets, you have to
-grant the service the capability to bind to well-known ports, and you
-should disable allocation of other sockets from systemd itself. You
-can use a drop-in file like so:
-
-    # /etc/systemd/system/kresd@.service.d/override.conf
-    [Service]
-    AmbientCapabilities=CAP_NET_BIND_SERVICE
-    Sockets=
-
-If you do this, make sure you've indicated which ports to bind to in
-/etc/knot-resolver/kresd.conf , and also do:
-
-    systemctl disable --now kresd.socket kresd-tls.socket 'kresd-control@*.socket'
+If you're using systemd prior to version 227, use the systemd-compat.conf
+drop-in file to use manual activation. In this case, socket files shouldn't
+be packaged, because they won't be used.
 
 Notes
 -----
-* If you're using systemd prior to version 227, use a drop-in file to change
-  the service type to simple. See drop-in/systemd-compat.conf.
 
diff --git a/systemd/drop-in/manual-activation.conf b/systemd/drop-in/manual-activation.conf
deleted file mode 100644
index dbf6055b4..000000000
--- a/systemd/drop-in/manual-activation.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# /etc/systemd/system/kresd@.service.d/override.conf
-
-# If socket activation isn't used, the CAP_NET_BIND_SERVICE is necessary
-# to be able to bind to a well-known port as an unprivilidged user.
-
-[Service]
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-Sockets=
diff --git a/systemd/drop-in/systemd-compat.conf b/systemd/drop-in/systemd-compat.conf
index b33671a3e..d251c4152 100644
--- a/systemd/drop-in/systemd-compat.conf
+++ b/systemd/drop-in/systemd-compat.conf
@@ -1,6 +1,17 @@
-# /etc/systemd/system/kresd@.service.d/override.conf
+# /usr/lib/systemd/system/kresd@.service.d/override.conf
 
-# If systemd.227+ isn't available (e.g. CentOS 7), change the service type.
+# If systemd.227+ isn't available (e.g. CentOS 7), socket activation can't be used
+# and the following modifications are required to use the service with
+# manual activation.
+
+# CAP_NET_BIND_SERVICE is necessary to be able to bind to a well-known port
+# as an unprivilidged user.
+
+# Explicit --forks=1 turns off interactive mode.
 
 [Service]
 Type=simple
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+ExecStart=
+ExecStart=/usr/sbin/kresd --config=/etc/knot-resolver/kresd.conf --forks=1
+Sockets=
-- 
2.47.2
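Review bot: The added `AmbientCapabilities=CAP_NET_BIND_SERVICE` in the [Service] section of systemd-compat.conf is unlikely to take effect on the systemd versions this drop-in is written for: to my knowledge that directive was only introduced in systemd 229, so a pre-227 systemd (the CentOS 7 named in the comment ships 219) logs an unknown-lvalue warning and ignores it, and since the comments say kresd binds as an unprivileged user, the bind to the well-known port would then fail on exactly the hosts that use this file. The same directive in the deleted manual-activation.conf was not tied to an old systemd, so the unification moves it into a context where it is silently dropped. Either verify on a systemd-219 host that the capability actually reaches the process, or record the limitation next to the directive, e.g. `# NOTE: AmbientCapabilities= requires systemd 229+; on older systemd the port must be granted by other means (see base unit)`. Minor: the new comment misspells "unprivileged" as "unprivilidged".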