This page shows the differences between two revisions.
admin_grundlagen:systemd_service_unit_files [2016/11/24 10:04] stefan_miethke created |
admin_grundlagen:systemd_service_unit_files [2025/09/02 13:23] (current) ingo_wichmann |
Line 1: | Line 1: | ||
- | ====== Beispiel für eine Service unit-file ====== | + | ====== Beispiel für ein Service Unit ====== |
+ | |||
+ | Unit File anlegen: | ||
+ | systemctl edit --full --force nc.service | ||
<file txt /etc/systemd/system/nc.service> | <file txt /etc/systemd/system/nc.service> | ||
- | [Unit] | ||
- | Description=my netcat service | ||
- | |||
[Service] | [Service] | ||
ExecStart=/usr/bin/nc -l -p 5000 | ExecStart=/usr/bin/nc -l -p 5000 | ||
- | |||
- | [Install] | ||
- | WantedBy=multi-user.target | ||
</file> | </file> | ||
- | Systemd Konfiguration neu laden | + | (( |
+ | Lennart Poettering [[https://mastodon.social/@pid_eins/115128485057447501|schreibt]] auf die Frage, warum alle Netzwerkdienste Socket Activation nutzen sollten: | ||
+ | "robustness (because your service can go away, and then get restarted without clients noticing much), security (because priv code in pid1 binds the socket, and service can be entirely unpriv), resource use (because you can bind thousands of sockets, without having to pay upfront for starting the services behind), flexibility (because admins can configure .socket units in a *lot* of detail, and schedule binding of sockets precisely, for example bind certain IP sockets only after some network interface showed up and has been configured), simplicity (because as mentioned you don't need to configure deps anymore), compatibility with soft-reboot, … and the list goes on and on and on and on…" | ||
+ | |||
+ | )) | ||
+ | |||
+ | Syntax des Unit Files prüfen: | ||
+ | systemd-analyze verify nc.service | ||
+ | (( | ||
+ | Fehlermeldung "Attempted to remove disk file system, and we can't allow that." in systemd Versionen vor v239 kann ignoriert werden: https://github.com/systemd/systemd/issues/8592 | ||
+ | )) | ||
+ | |||
+ | Systemd Konfiguration neu laden (( nicht nötig, wenn das Unit File mit ''systemctl edit'' angelegt oder bearbeitet wurde )) | ||
systemctl daemon-reload | systemctl daemon-reload | ||
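Review bot: the socket-activation footnote inserted right after the unit file argues that every network service should use socket activation, but the unit it annotates does the opposite: `ExecStart=/usr/bin/nc -l -p 5000` binds port 5000 from inside the service, there is no `User=`, and no `nc.socket` with a `[Socket]` section appears anywhere in the change, so the "priv code in pid1 binds the socket, and service can be entirely unpriv" benefit the quote lists does not apply to this example. Either say explicitly that the footnote describes an alternative the minimal unit deliberately does not use, or add an `nc.socket` (`[Socket]` / `ListenStream=5000`) and change `ExecStart=` accordingly, because `nc -l -p 5000` will not pick up a listening socket handed to it by systemd. As the hunk stands, a reader will read the footnote as a description of the unit above it.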
Line 19: | Line 28: | ||
Start überprüfen | Start überprüfen | ||
+ | systemctl status nc | ||
+ | |||
+ | Beschreibung hinzufügen: | ||
+ | systemctl edit --full nc.service | ||
+ | |||
+ | <file txt /etc/systemd/system/nc.service> | ||
+ | [Unit] | ||
+ | Description=my netcat service | ||
+ | |||
+ | … | ||
+ | </file> | ||
+ | |||
+ | Beschreibung überprüfen | ||
systemctl status nc | systemctl status nc | ||
Beim Booten starten | Beim Booten starten | ||
+ | systemctl edit --full nc.service | ||
+ | |||
+ | <file txt /etc/systemd/system/nc.service> | ||
+ | … | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </file> | ||
+ | |||
systemctl enable nc | systemctl enable nc | ||
+ | |||
+ | Nach beendeter Verbindung neustarten: | ||
+ | |||
+ | <file txt /etc/systemd/system/nc.service> | ||
+ | … | ||
+ | |||
+ | [Service] | ||
+ | … | ||
+ | Restart=always | ||
+ | </file> | ||
+ | |||
+ | ====== Beispiel für ein User Service Unit ====== | ||
+ | Sinnloses Skript anlegen: | ||
+ | mkdir ~/bin | ||
+ | vim ~/bin/fillfs.sh | ||
+ | |||
+ | <code bash ~/bin/fillfs.sh> | ||
+ | #!/bin/bash | ||
+ | dd if=/dev/zero of=/tmp/zero oflag=append conv=notrunc bs=1M | ||
+ | </code> | ||
+ | |||
+ | Als Benutzer Unit File anlegen: | ||
+ | systemctl --user edit --force --full fillfs.service | ||
+ | |||
+ | <file txt ~/.config/systemd/user/fillfs.service> | ||
+ | [Service] | ||
+ | ExecStart=/home/nutzer45/bin/fill-fs.sh | ||
+ | </file> | ||
+ | |||
+ | Syntax des Unit Files überprüfen: | ||
+ | systemd-analyze --user verify fillfs.service | ||
+ | |||
+ | "Dienst" starten: | ||
+ | systemctl --user start fillfs | ||
+ | |||
+ | Sehen was passiert: | ||
+ | systemctl --user status fillfs | ||
+ | journalctl --user -fu fillfs | ||
+ | watch -d df -h | ||
+ | |||
+ | |||
===== vmstat daemon service unit ===== | ===== vmstat daemon service unit ===== | ||
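Review bot: the user unit in this hunk cannot start as written, because the script and the unit disagree on the file name: the script is created as `~/bin/fillfs.sh` (`vim ~/bin/fillfs.sh` and `<code bash ~/bin/fillfs.sh>`), while the unit points at `ExecStart=/home/nutzer45/bin/fill-fs.sh`, so `systemctl --user start fillfs` fails with status 203/EXEC before `watch -d df -h` ever shows anything. Use one spelling in both places, and prefer `ExecStart=%h/bin/fillfs.sh` so the unit does not hard-code the home directory of `nutzer45`. The step list also never makes the script executable; a `chmod +x ~/bin/fillfs.sh` belongs between the `vim` line and the `systemctl --user edit --force --full fillfs.service` line, since `ExecStart=` does not pass the file through a shell. Minor: the `Restart=always` step for nc.service is the only step in this hunk that shows no `systemctl edit --full nc.service` (or `systemctl daemon-reload`) call; add it so the edited file is actually picked up, matching the pattern of the "Beschreibung hinzufügen" and "Beim Booten starten" steps.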
Line 44: | Line 116: | ||
VMDELAY="5" | VMDELAY="5" | ||
VMLOGFILE="/tmp/vmstat.log" | VMLOGFILE="/tmp/vmstat.log" | ||
+ | </file> | ||
+ | |||
+ | ====== Dienste absichern ====== | ||
+ | ((Lennart Poettering schreibt: //There's quite some stuff now we | ||
+ | should enable wherever we can. Specifically ProtectSystem=, | ||
+ | ProtectHome=, ProtectKernelTunables=, ProtectKernelModules=, | ||
+ | ProtectedControlGroups=, PrivateUsers=, PrivateTmp=, PrivateDevices=, | ||
+ | PrivateNetwork=, SystemCallFilter=, RestrictAddressFamilies=, | ||
+ | RestrictNamespaces=, MemoryDenyWriteExecute=, RestrictRealtime=// https://lwn.net/Articles/709764/)) | ||
+ | |||
+ | TODO: noch nicht getestet | ||
+ | |||
+ | <file txt> | ||
+ | ProtectSystem=full | ||
+ | </file> | ||
+ | oder | ||
+ | <file txt> | ||
+ | ProtectSystem=strict | ||
+ | ReadWritePaths=/var/lib/… | ||
+ | ReadOnlyPaths=/var/lib/… | ||
+ | CapabilityBoundingSet=~CAP_SYS_ADMIN | ||
+ | SystemCallFilter=~@mount,~@swap,~@setuid,~@resources,~@reboot,~@privileged,~@obsolete,~@module | ||
+ | </file> | ||
+ | |||
+ | <file txt> | ||
+ | ProtectHome=true | ||
+ | ProtectKernelTunables=true | ||
+ | ProtectKernelModules=true | ||
+ | ProtectedControlGroups=true | ||
+ | PrivateTmp=true | ||
+ | PrivateDevices=true | ||
+ | SystemCallFilter=~@mount,~@swap,~@setuid,~@resources,~@reboot,~@privileged,~@obsolete,~@module,~@keyring,~@cpu-emulation,~@clock,~@chown | ||
+ | RestrictAddressFamilies=AF_UNIX,AF_INET,AF_INET6 | ||
+ | RestrictNamespaces=true | ||
+ | RestrictRealtime=true | ||
+ | #PrivateUsers= | ||
+ | #MemoryDenyWriteExecute= | ||
+ | #IPAddressAllow= | ||
+ | #IPAddressDeny= | ||
+ | #AmbientCapabilitySet= | ||
+ | </file> | ||
+ | |||
+ | Für lokale Dienste (systlog ohne netzwerk, cron (falls keine Jobs auf das Netzwerk zugreifen sollen), ...) zusätzlich: | ||
+ | <file txt> | ||
+ | PrivateNetwork=true | ||
+ | RestrictAddressFamilies=AF_UNIX | ||
+ | </file> | ||
+ | |||
+ | TODO: Für Dienste, die keine Daten dauerhaft speichern (ntpd? unbound?): | ||
+ | <file txt> | ||
+ | DynamicUser=yes | ||
+ | User=unbound | ||
+ | Group=unbound | ||
</file> | </file> |
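Review bot: two of the hardening directives in the "Dienste absichern" section will silently do nothing as written, which matters more than the `TODO: noch nicht getestet` marker suggests. `ProtectedControlGroups=true` is not a systemd setting (the directive is `ProtectControlGroups=`); systemd logs an unknown-key warning and ignores the line, so the cgroup hierarchy stays writable, and the same spelling in the quoted Poettering footnote should not be copied into the unit. `SystemCallFilter=~@mount,~@swap,~@setuid,...` (in both variants) combines comma separators with a `~` on every item, but the value is a space-separated list and a single leading `~` inverts the whole list, so the comma-joined string is parsed as one unknown group and dropped; write `SystemCallFilter=~@mount @swap @setuid @resources @reboot @privileged @obsolete @module` (and the longer set in the same way), or start from the positive `@system-service` allow-list. Both problems are reported at unit load time, so the `systemd-analyze verify` step introduced earlier on the page should be repeated here. On the last block: with `DynamicUser=yes`, the `User=unbound` / `Group=unbound` lines name the dynamically allocated account rather than a pre-existing system user, and `DynamicUser=` implies `ProtectSystem=strict`, so any path the service must keep across restarts needs a `StateDirectory=` line; that constraint belongs next to the TODO before anyone applies the snippet to a real service.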