• Question about writing systemd unit for old package

    From Khoa Tran Minh@21:1/5 to All on Mon May 17 15:00:02 2021
    Hi everyone,

    I'm trying to write a new systemd unit for mini-httpd package, which is
    using lsb-base to init. Can I replace the old init script straight up, or
    do I have to maintain both the systemd unit and the old init script ?

    A related question: The binary itself can drop privilege and run as
    non-root, then should I use that native feature or use systemd User= when
    writing a default config/unit ?

    Regards,
    Khoa

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul Wise@21:1/5 to All on Tue May 18 02:20:01 2021
    On Mon, May 17, 2021 at 12:51 PM Khoa Tran Minh wrote:

    > I'm trying to write a new systemd unit for mini-httpd package, which is
    > using lsb-base to init. Can I replace the old init script straight up, or
    > do I have to maintain both the systemd unit and the old init script ?

    Please make sure you send the systemd unit upstream too.

    Users of init systems other than systemd would probably appreciate it
    if you didn't remove the old init script.

    If the old init script is crufty, you could rebase it onto the
    init-d-script tool, but I am not sure how portable that is to
    non-Debian distros.

    https://manpages.debian.org/init-d-script

    > A related question: The binary itself can drop privilege and run as
    > non-root, then should I use that native feature or use systemd User= when
    > writing a default config/unit ?

    I would suggest to use systemd features for this.

    --
    bye,
    pabs

    https://wiki.debian.org/PaulWise

  • From Richard Hector@21:1/5 to Paul Wise on Wed May 19 11:00:01 2021
    On 18/05/21 11:58 am, Paul Wise wrote:
    > On Mon, May 17, 2021 at 12:51 PM Khoa Tran Minh wrote:
    >
    >> A related question: The binary itself can drop privilege and run as
    >> non-root, then should I use that native feature or use systemd User= when
    >> writing a default config/unit ?
    >
    > I would suggest to use systemd features for this.

    Does that not depend on whether it does anything before dropping
    privileges? For example, a webserver can bind to low ports before
    dropping privilege. I imagine if the systemd service unit specified
    running as (eg) www-data, that wouldn't work.

    Cheers,
    Richard

  • From Paul Wise@21:1/5 to All on Thu May 20 04:00:01 2021
    On Wed, May 19, 2021 at 8:51 AM Richard Hector wrote:

    > Does that not depend on whether it does anything before dropping
    > privileges? For example, a webserver can bind to low ports before
    > dropping privilege. I imagine if the systemd service unit specified
    > running as (eg) www-data, that wouldn't work.

    I don't know the details, but I think systemd can open the ports and
    transparently pass them to the unprivileged process when it is spawned
    without any data loss, in a similar way to the inetd stuff used to
    work.

    http://0pointer.de/blog/projects/inetd.html

    --
    bye,
    pabs

    https://wiki.debian.org/PaulWise

  • From Alec Leamas@21:1/5 to Paul Wise on Thu May 20 04:20:01 2021
    Hi,

    On 20/05/2021 03:35, Paul Wise wrote:
    > On Wed, May 19, 2021 at 8:51 AM Richard Hector wrote:
    >
    >> Does that not depend on whether it does anything before dropping
    >> privileges? For example, a webserver can bind to low ports before
    >> dropping privilege. I imagine if the systemd service unit specified
    >> running as (eg) www-data, that wouldn't work.
    >
    > I don't know the details, but I think systemd can open the ports and
    > transparently pass them to the unprivileged process when it is spawned
    > without any data loss, in a similar way to the inetd stuff used to
    > work.


    http://0pointer.de/blog/projects/socket-activation.html



    Cheers!
    --alec

  • From Richard Hector@21:1/5 to Alec Leamas on Sat May 22 08:30:01 2021
    On 20/05/21 1:59 pm, Alec Leamas wrote:
    > Hi,
    >
    > On 20/05/2021 03:35, Paul Wise wrote:
    >> On Wed, May 19, 2021 at 8:51 AM Richard Hector wrote:
    >>
    >>> Does that not depend on whether it does anything before dropping
    >>> privileges? For example, a webserver can bind to low ports before
    >>> dropping privilege. I imagine if the systemd service unit specified
    >>> running as (eg) www-data, that wouldn't work.
    >>
    >> I don't know the details, but I think systemd can open the ports and
    >> transparently pass them to the unprivileged process when it is spawned
    >> without any data loss, in a similar way to the inetd stuff used to
    >> work.
    >
    > http://0pointer.de/blog/projects/socket-activation.html

    I confess I haven't read all that, and don't know the details of socket
    activation. But I think the service in question needs to be aware of it,
    doesn't it? It doesn't apply to wrapping a systemd service unit around
    an existing server. The nginx unit, for example, doesn't set a user, but
    a user is set in the nginx config file so it can drop privs.

    I'm happy to be corrected :-)

    Richard

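What "aware of socket activation" means on the daemon side, as an added example that is not part of the thread and is not mini-httpd or nginx code: systemd hands over already-bound sockets starting at fd 3 and announces them through the `LISTEN_PID` and `LISTEN_FDS` environment variables described in sd_listen_fds(3). The helper name `count_passed_fds` and the upper bound of 1024 are assumptions made for this sketch.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define LISTEN_FDS_START 3 /* first inherited fd, same value as SD_LISTEN_FDS_START */

/* Hypothetical helper: returns how many sockets were passed in, or 0 when the
 * variables are absent, malformed, or addressed to a different process. */
int count_passed_fds(const char *listen_pid, const char *listen_fds, pid_t self)
{
    char *end;
    long v;

    if (!listen_pid || !listen_fds)
        return 0;
    errno = 0;
    v = strtol(listen_pid, &end, 10);
    if (errno || end == listen_pid || *end != '\0' || v != (long)self)
        return 0; /* environment was inherited from some other process */
    errno = 0;
    v = strtol(listen_fds, &end, 10);
    /* 1024 is an arbitrary sanity bound chosen for this example */
    if (errno || end == listen_fds || *end != '\0' || v < 0 || v > 1024)
        return 0;
    return (int)v;
}

int main(void)
{
    int n = count_passed_fds(getenv("LISTEN_PID"), getenv("LISTEN_FDS"), getpid());

    if (n > 0) {
        /* Started from a .socket unit: the port is already bound, so the
         * service unit can set User= and this process never runs as root. */
        printf("serving on inherited fd %d (%d passed)\n", LISTEN_FDS_START, n);
    } else {
        /* Classic path: bind() here, which needs root or CAP_NET_BIND_SERVICE
         * for ports below 1024, then drop privileges in the daemon itself. */
        printf("no sockets passed; daemon must bind the port itself\n");
    }
    return 0;
}
```

A daemon without a check like this ignores the inherited socket and tries to bind the port itself, which is the case Richard Hector describes for a unit that sets `User=` on an unmodified server.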