Commit aa3acf73 authored by Tomas Krizek

systemd: compatibility drop-in for kresd@.service

Unify the drop-in files for manual activation and systemd compatibility,
since it is not recommended to use manual activation if socket
activation is supported.

Also add --forks=1 to the command, otherwise the service attempts to
start in interactive mode.
parent 75387d4b
......@@ -11,26 +11,13 @@ Usage and Configuration
See kresd.systemd(7) for details.
Manual activation
-----------------
Compatibility with older systemd
--------------------------------
If you wish to use manual activation without sockets, you have to
grant the service the capability to bind to well-known ports, and you
should disable allocation of other sockets from systemd itself. You
can use a drop-in file like so:
# /etc/systemd/system/kresd@.service.d/override.conf
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
Sockets=
If you do this, make sure you've indicated which ports to bind to in
/etc/knot-resolver/kresd.conf , and also do:
systemctl disable --now kresd.socket kresd-tls.socket 'kresd-control@*.socket'
If you're using systemd prior to version 227, use the systemd-compat.conf
drop-in file to use manual activation. In this case, socket files shouldn't
be packaged, because they won't be used.
Notes
-----
* If you're using systemd prior to version 227, use a drop-in file to change
the service type to simple. See drop-in/systemd-compat.conf.
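Review bot: The paragraph under "Compatibility with older systemd" points to systemd-compat.conf but does not mention that, without sockets passed by systemd, the ports to bind must be set in /etc/knot-resolver/kresd.conf, which the manual-activation text in this hunk spelled out. Suggest carrying that sentence over next to the reference to the drop-in, and stating where the drop-in is to be installed. The sentence "socket files shouldn't be packaged" addresses packagers while the rest of the section addresses administrators, so it may be worth saying who each instruction is for.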
# /etc/systemd/system/kresd@.service.d/override.conf
# If socket activation isn't used, the CAP_NET_BIND_SERVICE is necessary
# to be able to bind to a well-known port as an unprivilidged user.
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
Sockets=
# /etc/systemd/system/kresd@.service.d/override.conf
# /usr/lib/systemd/system/kresd@.service.d/override.conf
# If systemd.227+ isn't available (e.g. CentOS 7), change the service type.
# If systemd.227+ isn't available (e.g. CentOS 7), socket activation can't be used
# and the following modifications are required to use the service with
# manual activation.
# CAP_NET_BIND_SERVICE is necessary to be able to bind to a well-known port
# as an unprivilidged user.
# Explicit --forks=1 turns off interactive mode.
[Service]
Type=simple
AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=
ExecStart=/usr/sbin/kresd --config=/etc/knot-resolver/kresd.conf --forks=1
Sockets=
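Review bot: The overriding line "ExecStart=/usr/sbin/kresd --config=/etc/knot-resolver/kresd.conf --forks=1" hard-codes the binary and config paths, so the drop-in will diverge without warning if the command in kresd@.service changes or kresd is installed under a different prefix. Suggest a comment stating that this line must be kept in sync with the unit's own ExecStart, or substituting the paths at build time. The comment on CAP_NET_BIND_SERVICE could also say that the capability is granted only because the service binds the well-known port itself in this mode, so readers on systemd 227+ do not copy it alongside socket activation. Minor: "unprivilidged" in the comment should read "unprivileged".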