-.TH "kresd.systemd" "7" "2019-01-28" "CZ.NIC" "Knot Resolver Systemd Units"
+.TH "kresd.systemd" "7" "@date@" "CZ.NIC" "Knot Resolver @version@ Systemd Units"
.\"
.\" kresd.systemd.7 -- man page for systemd units for kresd
.\"
.\"
.SH "NAME"
kresd.systemd
-\- managing Knot Resolver through systemd.
+\- managing Knot Resolver @version@ through systemd.
.SH "SYNOPSIS"
.nf
.SH "DESCRIPTION"
.P
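Review bot: The NAME line (`\- managing Knot Resolver @version@ through systemd.`) now carries the version, and NAME is the text that whatis/apropos index, so I would keep it unversioned; the version already appears in the .TH line. Separately, `@date@` and `@version@` only work if this file goes through the build's substitution step. Nothing in the visible lines shows that step, so please confirm the page is generated from a template and that the literal placeholders cannot be installed as-is.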
This manual page describes how to manage \fBkresd\fR using \fBsystemd\fR
-units. Depending on your distribution, this can be either be done with
-socket-based activation or without it. The following assumes socket-based activation.
-For differences see \fINOTES\fR below.
+units.
-\fBkresd\fR daemon can be executed in multiple independent processes, which can be
-managed with \fBsystemd\fR via systemd templates (see \fBsystemd.unit\fR(5)).
-Each \fBsystemd\fR service instance of \fBkresd\fR (\fIkresd@.service\fR) represents a
-single, independent kresd process.
+.B Socket activation
-The systemd-managed \fBkresd\fR service set is grouped in the
-\fIsystem-kresd.slice\fR slice. The slice includes one or more
-running daemons (instances of \fIkresd@.service\fR), public listening
-sockets (the same listening sockets are shared by all daemons) and a
-dedicated control socket for each running daemon.
+\fBkresd\fR integration with systemd takes advantage of socket activation,
+which enables the daemon to run without super user priviledges or any
+additional capabilities. The network interface sockets are created by systemd
+and then passed to the daemon.
-Each instance of \fIkresd@.service\fR has three systemd sockets (see
-\fBsystemd.socket(5)\fR) associated with it:
+Network configuration has to take place in \fIsystemd.socket(5)\fR, which can
+be done using drop-in files. Each instance of \fIkresd@.service\fR has three
+systemd sockets associated with it:
.nf
.RS
-\fIkresd.socket\fR - UDP/TCP network socket (default: localhost:53), shared with other instances
-\fIkresd-tls.socket\fR - network socket for DNS-over-TLS (default: localhost:853), shared with other instances
-\fIkresd-control@.socket\fR - UNIX socket with control terminal, dedicated
+\fIkresd.socket\fR - UDP/TCP network socket (default: localhost:53)
+\fIkresd-tls.socket\fR - network socket for DNS-over-TLS (default: localhost:853)
+\fIkresd-control@.socket\fR - UNIX socket with control terminal
.RE
.fi
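Review bot: Spelling in the new Socket activation paragraph: `super user priviledges` should read `superuser privileges`. While touching this block, note that `.B Socket activation` follows `units.` directly in the added lines; if no paragraph break separates them in the file, the heading will run into the preceding sentence when rendered.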
.B Configuring network interfaces
-When using socket-based activation, the daemon requires neither root privileges
-nor any special capabilities, because the sockets are created by \fBsystemd\fR and
-passed to \fBkresd\fR. This means \fBkresd\fR can't bind to ports below 1024 when
-configured in \fI/etc/knot-resolver/kresd.conf\fR.
-
To configure \fBkresd\fR to listen on public interfaces, drop-in files (see
-\fBsystemd.unit\fR(5)) should be used. These can be created with:
+\fIsystemd.unit\fR(5)) should be used. These can be created with:
.nf
.RS 4n
.RE
.fi
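Review bot: The removed paragraph under Configuring network interfaces stated the practical consequence of running unprivileged, namely that kresd "can't bind to ports below 1024 when configured in /etc/knot-resolver/kresd.conf", and the replacement text in Socket activation only says that network configuration "has to take place in systemd.socket(5)". I would keep one sentence with that consequence, since it explains why a listen address set in kresd.conf fails and points the admin at the drop-in instead. Also, the reference here changes to `\fIsystemd.unit\fR(5)` while the Concurrent daemons text added later in this patch uses `\fBsystemd.unit\fR(5)`; pick one style for man page references.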
-To configure \fBkresd\fR to listen on all IPv4 and IPv6 interfaces, you can
-remove the default localhost address by using an empty \fIListenDatagram=\fR,
-\fIListenStream=\fR directive and then bind to the [::] address. If you've
-disabled IPv6 support in kernel, use the 0.0.0.0 address instead.
+To configure \fBkresd\fR to listen on all IPv4 and IPv6 interfaces, use empty
+\fIListenDatagram=\fR and \fIListenStream=\fR directives to remove the default
+localhost address and then bind to the [::] address. If you've disabled IPv6
+support in kernel, use the 0.0.0.0 address instead.
.nf
.RS 4n
.B Concurrent daemons
+\fBkresd\fR daemon can be executed in multiple independent processes, which are
+managed with \fBsystemd\fR via systemd templates (see \fBsystemd.unit\fR(5)).
+Each \fBsystemd\fR service instance of \fBkresd\fR (\fIkresd@.service\fR)
+represents a single, independent kresd process.
+
+The systemd-managed \fBkresd\fR service set is grouped in the
+\fIsystem-kresd.slice\fR slice. The slice includes one or more running daemons
+(instances of \fIkresd@.service\fR), network sockets \fIkresd.socket\fR and
+\fIkresd-tls.socket\fR (shared by all instances) and a dedicated control
+\fIkresd-control@.socket\fR for each running daemon.
+
If you have more than one CPU core available, a single running
\fBkresd\fR daemon will only be able to make use of one core at a
time, leaving the other cores idle. If you want \fBkresd\fR to take
.RE
.fi
-.B Using system-kresd.slice and kresd.target
-
-The following commands may not work with older systemd (e.g. on CentOS 7).
-See notes for more info.
-
-The easiest way to view the status of systemd-supervised \fBkresd\fR
-instances is to use the \fIsystem-kresd.slice\fR:
-
-.nf
-.RS 4n
-.B systemctl status system-kresd.slice
-.RE
-.fi
-
-You can also use the slice to restart all sockets as well as daemons:
-
-.nf
-.RS 4n
-.B systemctl restart system-kresd.slice
-.RE
-.fi
-
-Or you can use it to stop kresd altogether (e.g. during package removal):
-
-.nf
-.RS 4n
-.B systemctl stop system-kresd.slice
-.RE
-.fi
-
-To start all enabled kresd daemons, use the provided \fIkresd.target\fR:
-
-.nf
-.RS 4n
-.B systemctl start kresd.target
-.RE
-.fi
-
.SH "NOTES"
.IP * 2
open. As long as either of the public sockets are listening, at least
\fIkresd@1.service\fR will be automatically activated when a request arrives.
-.IP * 2
-If your distribution doesn't use socket-based activation, you can configure the
-network interfaces for \fBkresd\fR in \fI/etc/knot-resolver/kresd.conf\fR. The
-service can be started or enabled in the same way as in the examples below, but
-it doesn't have any sockets associated with it.
-
-.IP * 2
-Controlling the service with \fIsystem-kresd.slice\fR requires newer systemd.
-It may not work in some distributions, notably CentOS 7. To control multiple
-kresd instances, use \fIkresd@*.service\fR or \fIBrace Expansion\fR mentioned
-below.
-
.SH "EXAMPLES"
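Review bot: The two NOTES entries removed above (distributions without socket-based activation, and `system-kresd.slice` control not working with older systemd, "notably CentOS 7") are dropped without replacement, while the slice commands are re-added under EXAMPLES with no caveat. If those setups are no longer supported, say so in the commit message; otherwise keep a short note, because an admin on such a system will now get commands that silently do not apply to their installation.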
-.B Single instance
-.RS 4n
-
To start the service:
.nf
.RS 4n
.B systemctl mask kresd-tls.socket
.RE
+.B Using system-kresd.slice and kresd.target
+
+The easiest way to view the status of multiple \fBkresd\fR
+instances is to use the \fIsystem-kresd.slice\fR:
+
+.nf
+.RS 4n
+.B systemctl status system-kresd.slice
+.RE
+.fi
+
+You can also use the slice to restart all sockets as well as daemons:
+
+.nf
+.RS 4n
+.B systemctl restart system-kresd.slice
.RE
+.fi
+
+Alternatively, to restart just kresd daemons, you can use \fIBrace Expansion\fR:
-.B Multiple instances
+.nf
.RS 4n
+.B systemctl enable kresd@{1..4}.service
+.RE
+.fi
-Multiple instances can be handled with the use of \fIBrace Expansion\fR (see
-\fBbash\fR(1)).
+Or you can use it to stop kresd altogether (e.g. during package removal):
-To enable multiple concurrent daemons, for example 16:
.nf
-.RS
-.B systemctl enable kresd@{1..16}.service
+.RS 4n
+.B systemctl stop system-kresd.slice
.RE
.fi
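Review bot: The sentence "Alternatively, to restart just kresd daemons, you can use Brace Expansion:" is followed by `systemctl enable kresd@{1..4}.service`, which enables instances rather than restarting them; either the command or the lead-in needs to change so they match. The next sentence, "Or you can use it to stop kresd altogether", now reads as if "it" were brace expansion, although the command shown is `systemctl stop system-kresd.slice`; naming the slice explicitly would fix that. The pointer to \fBbash\fR(1) for brace expansion was also dropped and is worth keeping, since the syntax is a shell feature and not part of systemctl.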
-To start all enabled daemons:
+To start all enabled kresd daemons, use the provided \fIkresd.target\fR:
+
.nf
-.RS
+.RS 4n
.B systemctl start kresd.target
.RE
.fi
\fIkresd(8)\fR,
\fIsystemd.unit(5)\fR,
\fIsystemd.socket(5)\fR,
-\fIhttps://knot-resolver.readthedocs.io\fR
+\fIhttps://knot-resolver.readthedocs.io/en/v@version@/\fR
.SH "AUTHORS"
.B kresd