Verified Commit 0398a985 authored by Daniel Kahn Gillmor, committed by Tomas Krizek

More systemd service management cleanup

Please see discussion at:
https://github.com/systemd/systemd/issues/8096

The new approach is:

 * non-templated kresd.socket and kresd-tls.socket, for the
   public-facing listening ports.  They know to invoke kresd@1.service
   if they're socket-activated.

 * kresd@.service *is* templated, to allow the admin to add more
   concurrent runners with:

      systemctl enable kresd@2.service

 * kresd-control@.socket is still templated, since each daemon has a
   separately-addressable different control port.

 * non-templated kresd.service is a dummy meta-service.  It is in the
   same slice as kresd@.service, and all the kresd@.service instances
   are PartOf= it, so you should be able to stop and restart all
   services together.  On systems like Debian that ship
   /etc/init.d/kres, this also avoids having systemd-sysv-generator
   create a kresd.service based on the initscript.

 * no templated instances are explicitly instantiated during initial
   ship, but kresd@1.service should be socket-activated cleanly.

Gbp-Pq: Name 0010-More-systemd-service-management-cleanup.patch
parent b3e435e8
......@@ -14,9 +14,11 @@ kresd.systemd
.SH "SYNOPSIS"
.nf
kresd@.service
kresd@.socket
kresd-tls@.socket
kresd.socket
kresd-tls.socket
kresd-control@.socket
system-kresd.slice
kresd.service
.fi
.SH "DESCRIPTION"
......@@ -31,21 +33,29 @@ managed with \fBsystemd\fR via systemd templates (see \fBsystemd.unit\fR(5)).
Each \fBsystemd\fR service instance of \fBkresd\fR (\fIkresd@.service\fR) represents a
single, independent kresd process.
The systemd-managed \fBkresd\fR service set is grouped in the
\fIsystem-kresd.slice\fR slice. The slice includes one or more
running daemons (instances of \fIkresd@.service\fR), public listening
sockets (the same listening sockets are shared by all daemons), a
dedicated control socket for each running daemon, and one meta-service
(\fIkresd.service\fR) which can be used to stop or restart all the
daemons.
Each instance of \fIkresd@.service\fR has three systemd sockets (see
\fBsystemd.socket(5)\fR) associated with it:
.nf
.RS
\fIkresd@.socket\fR - UDP/TCP network socket (default: localhost:53)
\fIkresd-tls@.socket\fR - network socket for DNS-over-TLS (default: localhost:853)
\fIkresd-control@.socket\fR - UNIX socket with control terminal
\fIkresd.socket\fR - UDP/TCP network socket (default: localhost:53), shared with other instances
\fIkresd-tls.socket\fR - network socket for DNS-over-TLS (default: localhost:853), shared with other instances
\fIkresd-control@.socket\fR - UNIX socket with control terminal, dedicated
.RE
.fi
.B Configuring network interfaces
When using socket-based activation, the daemon doesn't require root privileges
nor any capabilities, because the sockets are created by \fBsystemd\fR and
When using socket-based activation, the daemon requires neither root privileges
nor any special capabilities, because the sockets are created by \fBsystemd\fR and
passed to \fBkresd\fR. This means \fBkresd\fR can't bind to ports below 1024 when
configured in \fI/etc/knot-resolver/kresd.conf\fR.
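Review bot: The lead-in "Each instance of kresd@.service has three systemd sockets associated with it" no longer matches the list under it, which marks kresd.socket and kresd-tls.socket as "shared with other instances" and only kresd-control@.socket as dedicated; suggest "Each instance is served by two public sockets shared with the other instances and one dedicated control socket". The reworded "requires neither root privileges nor any special capabilities" is the security argument for socket activation and, together with the following sentence about ports below 1024, is the right way to explain why listening addresses must be changed in the socket units rather than in kresd.conf.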
......@@ -54,8 +64,8 @@ To configure \fBkresd\fR to listen on public interfaces, drop-in files (see
.nf
.RS 4n
.B systemctl edit kresd@.socket
.B systemctl edit kresd-tls@.socket
.B systemctl edit kresd.socket
.B systemctl edit kresd-tls.socket
.RE
.fi
......@@ -64,22 +74,79 @@ For example, to configure \fBkresd\fR to listen on 192.0.2.115 on ports 53 and
.nf
.RS 4n
# /etc/systemd/system/kresd@.socket.d/override.conf
# /etc/systemd/system/kresd.socket.d/override.conf
[Socket]
ListenDatagram=192.0.2.115:53
ListenStream=192.0.2.115:53
# /etc/systemd/system/kresd-tls@.socket.d/override.conf
# /etc/systemd/system/kresd-tls.socket.d/override.conf
[Socket]
ListenStream=192.0.2.115:853
.RE
.fi
.B Concurrent daemons
If you have more than one CPU core available, a single running
\fBkresd\fR daemon will only be able to make use of one core at a
time, leaving the other cores idle. If you want \fBkresd\fR to take
advantage of all available cores, while sharing both cache and public
listening ports, you should enable and start as many instances of the
\fBkresd@.service\fR as you have cores. Typically, each instance is
just named \fIkresd@\fBN\fI.service\fR, where \fIN\fR is a decimal
number. To enable 3 concurrent daemons:
.nf
.RS 4n
.B systemctl enable --now kresd@1.service kresd@2.service kresd@3.service
.RE
.fi
.B Using system-kresd.slice
The easiest way to view the status of systemd-supervised \fBkresd\fR
instances is to use the \fIsystem-kresd.slice\fR:
.nf
.RS 4n
.B systemctl status system-kresd.slice
.RE
.fi
You can also use the slice to restart all sockets as well as daemons:
.nf
.RS 4n
.B systemctl restart system-kresd.slice
.RE
.fi
Or you can use it to stop kresd altogether (e.g. during package removal):
.nf
.RS 4n
.B systemctl stop system-kresd.slice
.RE
.fi
Note that \fBsystemctl start system-kresd.slice\fR does not
automatically start the sockets or the daemons, though. To ensure
that all enabled daemons are started and running, do:
.nf
.RS 4n
.B systemctl start 'kresd@*.service'
.RE
.fi
.SH "NOTES"
.IP * 2
When \fIkresd@.service\fR is started, stopped or restarted, its associated
sockets are also automatically started, stopped or restarted.
When an instance of \fIkresd@.service\fR is started, stopped or
restarted, its associated control socket is also automatically
started, stopped or restarted, but the public listening sockets remain
open. As long as either of the public sockets are listening, at least
\fIkresd@1.service\fR will be automatically activated when a request arrives.
.IP * 2
If your distribution doesn't use socket-based activation, you can configure the
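Review bot: The override example under "to configure kresd to listen on 192.0.2.115" adds addresses rather than replacing them: in a drop-in, ListenDatagram= and ListenStream= accumulate with the loopback entries already present in kresd.socket and kresd-tls.socket, so the result listens on both. If the intent is to listen only on 192.0.2.115, each [Socket] section in the example should begin with an empty `ListenDatagram=` / `ListenStream=` line to reset the list; otherwise the text should say the loopback listeners remain. Two smaller points in the same hunk: "As long as either of the public sockets are listening" should read "is listening", and it would help to state next to `systemctl stop system-kresd.slice` that this is the documented way to close the public sockets as well, since the NOTES paragraph explains that a plain stop of kresd@1.service leaves them open and the next query re-activates it.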
......@@ -110,15 +177,15 @@ To delay the service startup until some traffic arrives, start (or enable) just
the sockets:
.nf
.RS 4n
.B systemctl start kresd@1.socket
.B systemctl start kresd-tls@1.socket
.B systemctl start kresd.socket
.B systemctl start kresd-tls.socket
.RE
.fi
To disable the TLS socket, you can mask it:
.RS 4n
.B systemctl mask kresd-tls@1.socket
.B systemctl mask kresd-tls.socket
.RE
.RE
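Review bot: `systemctl mask kresd-tls.socket` only prevents future starts; a socket that is already listening stays open until `systemctl stop kresd-tls.socket` or `systemctl mask --now kresd-tls.socket`, so the example should use `--now` or mention the stop. The scope also changed from the old `kresd-tls@1.socket`: masking the shared socket now disables DNS-over-TLS for every instance, which is probably what admins want but deserves a sentence. Since kresd@.service still lists `Sockets=kresd-tls.socket`, it is worth confirming in the text that instances still start normally when that socket is masked.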
......@@ -129,10 +196,17 @@ To disable the TLS socket, you can mask it:
Multiple instances can be handled with the use of \fIBrace Expansion\fR (see
\fBbash\fR(1)).
To start multiple instances, for example 16:
To enable multiple concurrent daemons, for example 16:
.nf
.RS
.B systemctl enable kresd@{1..16}.service
.RE
.fi
To start all enabled daemons:
.nf
.RS
.B systemctl start kresd@{1..16}.service
.B systemctl start 'kresd@*.service'
.RE
.fi
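Review bot: `systemctl start 'kresd@*.service'` relies on glob matching, and systemctl(1) matches patterns only against units currently in memory; an instance that was enabled but never loaded can be missed, so this is less reliable than the removed `systemctl start kresd@{1..16}.service` or the `enable --now` form used in the "Concurrent daemons" section. Suggest keeping the explicit brace-expanded form here and adding the in-memory caveat wherever the glob is shown.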
......@@ -145,4 +219,5 @@ To start multiple instances, for example 16:
\fIhttps://knot-resolver.readthedocs.io\fR
.SH "AUTHORS"
.B kresd developers are mentioned in the AUTHORS file in the distribution.
.B kresd
developers are mentioned in the AUTHORS file in the distribution.
# /etc/systemd/system/kresd-tls@.socket.d/override.conf
# /etc/systemd/system/kresd-tls.socket.d/override.conf
# Configure which interfaces should kresd listen on.
# ListenStream can be added multiple times.
......
# /etc/systemd/system/kresd@.socket.d/override.conf
# /etc/systemd/system/kresd.socket.d/override.conf
# Configure which interfaces should kresd listen on.
# ListenDatagram and ListenStream can be added multiple times.
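Review bot: "Configure which interfaces should kresd listen on" reads better as "Configure which interfaces kresd should listen on"; the kresd-tls.socket override above uses the same wording. Since the drop-in directory moves from kresd@.socket.d to kresd.socket.d, a packaging note that existing admin overrides under the old path are silently ignored after upgrade would avoid a resolver that quietly falls back to listening on loopback only.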
......
......@@ -9,6 +9,7 @@ Service=kresd@%i.service
ListenStream=/run/knot-resolver/control@%i
FileDescriptorName=control
SocketMode=0660
Slice=system-kresd.slice
[Install]
WantedBy=sockets.target
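Review bot: Adding Slice=system-kresd.slice here is what lets `systemctl stop system-kresd.slice` take the control sockets down together with the daemons, matching the man page text. The visible context shows SocketMode=0660 with no SocketUser=/SocketGroup=, so unless they are set elsewhere in the unit the control socket is root-owned and only root reaches the control terminal; a short comment that the restrictive mode is intentional would discourage admins from widening it in a drop-in.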
......@@ -2,15 +2,15 @@
Description=Knot DNS Resolver TLS network listener
Documentation=man:kresd(8)
Before=sockets.target
PartOf=kresd@%i.service
[Socket]
Service=kresd@%i.service
ReusePort=true
FreeBind=true
FileDescriptorName=tls
ListenStream=[::1]:853
ListenStream=127.0.0.1:853
Service=kresd@1.service
Slice=system-kresd.slice
[Install]
WantedBy=sockets.target
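Review bot: Service=kresd@1.service hard-codes the activated instance, and with PartOf=kresd@%i.service removed, stopping kresd@1.service no longer closes this listener, which is the re-activation behaviour the man page hunk documents. Two follow-ups: if an admin masks or disables kresd@1 while running only kresd@2 and up, incoming TLS connections will try to activate a masked unit and the socket will fail to activate, so the docs should state that instance 1 must always exist; and a one-line comment explaining why Service= points at instance 1 while the fd is also handed to the other instances via Sockets= would save the next reader a trip to the systemd issue.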
[Unit]
Description=Knot DNS Resolver daemon (meta-service, see "systemctl status 'kresd@*.service'")
Documentation=man:kresd(8)
Documentation=man:kresd.systemd(7)
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true
Slice=system-kresd.slice
[Install]
WantedBy=multi-user.target
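Review bot: The meta-service only reaches the instances through their PartOf=kresd.service, and PartOf= propagates stop and restart but not start, so `systemctl start kresd.service` brings up nothing; the Description already points at `systemctl status 'kresd@*.service'`, and a note that start is a no-op here belongs next to it. Also, stopping kresd.service stops the daemons but not kresd.socket / kresd-tls.socket, so the next query re-activates kresd@1.service; the commit message's "stop and restart all services together" holds for `systemctl stop system-kresd.slice`, which the man page correctly documents as the way to stop kresd altogether, and that distinction should be spelled out here as well.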
......@@ -2,7 +2,6 @@
Description=Knot DNS Resolver network listeners
Documentation=man:kresd(8)
Before=sockets.target
PartOf=kresd@%i.service
[Socket]
ReusePort=true
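Review bot: ReusePort=true stays as context here and in kresd-tls.socket; with SO_REUSEPORT another process running as the same effective user as the binder (root, since systemd creates the socket) can bind port 53 alongside it and receive a share of the queries. If the option is there for a reason, for instance so that a listener configured in kresd.conf can coexist with the unit, a comment saying so would help; if not, dropping it removes that possibility.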
......@@ -11,6 +10,8 @@ ListenDatagram=[::1]:53
ListenStream=[::1]:53
ListenDatagram=127.0.0.1:53
ListenStream=127.0.0.1:53
Service=kresd@1.service
Slice=system-kresd.slice
[Install]
WantedBy=sockets.target
[Unit]
Description=Knot DNS Resolver daemon
Documentation=man:kresd(8)
Wants=kresd@%i.socket
Wants=kresd-control@%i.socket
Wants=kresd-tls@%i.socket
PartOf=kresd.service
[Service]
Type=notify
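Review bot: Dropping the three Wants= lines and adding PartOf=kresd.service changes the lifecycle in two ways worth a comment in the unit: the control socket is now pulled in only through Sockets= (see the next hunk), and PartOf= gives stop/restart propagation from the meta-service without start propagation, so enabling kresd.service alone never starts an instance. The man page's "Concurrent daemons" section covers this, but the unit file is what admins read first.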
......@@ -12,3 +10,9 @@ EnvironmentFile=-/etc/default/kresd
ExecStart=/usr/sbin/kresd $KRESD_ARGS
User=knot-resolver
Restart=on-failure
Sockets=kresd.socket
Sockets=kresd-tls.socket
Sockets=kresd-control@%i.socket
[Install]
WantedBy=multi-user.target
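Review bot: Sockets=kresd.socket / kresd-tls.socket / kresd-control@%i.socket is what hands every instance the shared public fds plus its own control fd; as far as I recall systemd also adds Wants=/After= on units listed in Sockets=, which is why the removed Wants= lines were redundant and why the man page can say the control socket follows the instance. That reliance is not obvious from the file, so a one-line comment would help. Since the instance runs as User=knot-resolver while the sockets are created by systemd, these lines are also what keep the daemon unprivileged: any listener added in kresd.conf would have to bind from the unprivileged user, which the man page hunk already warns about.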