From ArchWiki

Should the section "writing a custom .service" be expanded?

I think so. As far as I understood, this is necessary to run self-made scripts during the boot process, but this is not clear and the structure of the files is not well presented.

Moreover, when explaining how to transition from the initscripts, some pointers on how to move the old custom hooks in /etc/rc.d/functions.d so that they are executed by systemd should be given.
-- DarioP (talk) 12:42, 18 November 2012 (UTC)

I think it needs to be expanded indeed. As a newbie, it is easy to grasp the concept of "put your code in rc.local", and it's not clear how to transition. Specific questions, as also mentioned by DarioP: In what directory should I place my service definition? On the examples page, there are some files named with an at-sign (@), what difference does that make? It would be very helpful to have a complete example for running a single command at boot (my example: echo noop > /sys/block/sdb/queue/scheduler).
-- Fa2k (talk) 3 February 2013
I third this motion, I had no idea what I was doing the whole time I was translating a service file. I happened to run across this stackoverflow post that helped a lot: - but I'm going to also add some edits to the section to help save other people time. (talk) 00:42, 7 July 2014 (UTC)
There's actually no template in the Wiki for a basic .service file. --Dettalk 12:54, 23 July 2015 (UTC)
What is a "basic" service file anyway? Since systemd.service(5) contains an entire section with examples, I think that we can leave it that way. -- Lahwaacz (talk) 15:35, 23 July 2015 (UTC)
The Example 1. Simple service in there (Description/ExecStart/WantedBy, where each would be explained). If we're just going to leave that to a manpage or copying a "finished" .service, the link should at least be moved to the top of the section from under #Service types. I'd still be in favor of directly linking to the examples section. --Dettalk 06:37, 24 July 2015 (UTC)
Good idea. That manpage itself is so huge, it sure is helpful to point to the example section explicitly. Added an earlier-on link to it with [1]. --Indigo (talk) 22:21, 24 July 2015 (UTC)
Very nice. What about that second mention under #Service types? It starts sounding kind of "duh". --Dettalk 22:30, 24 July 2015 (UTC)
I've added a link also to the second section, or have you had something more radical in mind? -- Lahwaacz (talk) 09:36, 25 July 2015 (UTC)
No, I meant why need a man mention there at all? Isn't it obvious from the link in the intro that all the sub-section details are also located there? --Dettalk 21:12, 26 July 2015 (UTC)
Ok, yes. Could do without. Though the last man reference is way up in another section and ending a section with a bullet always looks incomplete for my reading habit. Then ending a topic with a man reference also implies "That's all we got here and the next section is another topic". So it's a bit of a phrase, but has a good didactic purpose in my view. --Indigo (talk) 09:16, 27 July 2015 (UTC)
I agree on systemic references to the manuals. Where possible, wiki pages should introduce to the upstream documentation. -- Alad (talk) 13:48, 27 July 2015 (UTC)
Oh, it links to #Type. Shouldn't it at least talk about the type section like the one in the intro? --Dettalk 00:38, 28 July 2015 (UTC)

The Service Types section is certainly a good comprehensive overview of the options available when writing a unit file but it may help those newer to systemd if we highlighted a little more why 'simple' is the default and that they will likely only need that option, 'oneshot' or possibly 'forking' at least to get started. Perhaps expanding on 'forking' that it is specifically for launching services that background themselves (i.e. where the parent launches a child process and terminates) might be helpful too. Table 8.10 under this section of the RedHat portal could also be a useful addition. Kal (talk) 22:01, 9 December 2015 (UTC)

Systemd defaults / to rshared, gotcha

Still reading up on this, so I'm not 100% solid but I discovered during the systemd transition that it defaults the / mount to rshared (see Shared subtree for definitions). Excerpted from core/mount-setup.c in systemd github:
/* Mark the root directory as shared in regards to mount
 * propagation. The kernel defaults to "private", but we think
 * it makes more sense to have a default of "shared" so that
 * nspawn and the container tools work out of the box. If
 * specific setups need other settings they can reset the
 * propagation mode to private if needed. */
if (detect_container(NULL) <= 0)
        if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0)
                log_warning("Failed to set up the root directory for shared mount propagation: %m");

This means that all bind mounts made through fstab will default to shared behavior, not private. For those users who depend on non-recursive bind mounts, this can be a very big gotcha (as the mount propagation effectively nullifies the non-recursion). I think it should be at least noted under Filesystem Mounts, since fstab bind entries definitely may not preserve behavior across the systemd transition and there are definitely some systems that would fail to start up/operate properly due to this, perhaps even silently.

As a side note, for nested bind mounts this also results in multiplicative bloat of the mount table, depending on what kind of nesting structure is used (it's actually relatively easy to construct a nesting sequence that makes 2^n mounts out of n mount calls).

Still looking into good (and easy) configuration solutions.

Compgamer89 (talk) 07:16, 4 December 2012 (UTC)
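As an added example (not from the wiki, the commenter, or systemd), here is a small POSIX shell checker that reads /proc/self/mountinfo lines and reports each mount's propagation type, so bind mounts that silently inherited "shared" from the rshared root can be spotted before relying on non-recursive bind semantics. The sample mountinfo lines are constructed; on a real system feed it /proc/self/mountinfo.

```shell
#!/bin/sh
# Added example: report the propagation type of every mount in
# /proc/self/mountinfo format. Field 5 is the mount point; the optional
# fields between field 7 and the "-" separator carry shared:N, master:N,
# propagate_from:N or unbindable (see proc(5)).

list_propagation() {
    # stdin: mountinfo lines; stdout: "<mountpoint> <propagation>" per line
    awk '{
        prop = "private"
        for (i = 7; i <= NF && $i != "-"; i++) {
            if ($i ~ /^shared:/)         prop = (prop == "slave") ? "shared-slave" : "shared"
            else if ($i ~ /^master:/)    prop = (prop == "shared") ? "shared-slave" : "slave"
            else if ($i == "unbindable") prop = "unbindable"
        }
        print $5, prop
    }'
}

# Count mounts whose propagation is plain "shared" (the gotcha case):
# anything mounted below them is replicated into every peer of the group.
count_shared() {
    list_propagation | awk '$2 == "shared" { n++ } END { print n + 0 }'
}

# Constructed sample: a root marked shared:1 (the systemd default), one bind
# mount that inherited shared propagation, one that was made private, and one
# slave mount that only receives propagation events from peer group 1.
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 8:1 /srv/data /mnt/data rw,relatime shared:1 - ext4 /dev/sda1 rw
41 22 8:1 /srv/priv /mnt/priv rw,relatime - ext4 /dev/sda1 rw
42 22 8:2 / /mnt/slave rw,relatime master:1 - ext4 /dev/sda2 rw'

# Live usage: list_propagation < /proc/self/mountinfo
# A bind mount that should not propagate can be reset with:
#   mount --make-rprivate <mountpoint>
printf '%s\n' "$SAMPLE_MOUNTINFO" | list_propagation
```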

You may find this commit useful. --David Strauss (talk) 22:58, 13 December 2012 (UTC)

Make section "Targets" more clearly

In general, the introductory paragraph does not explain the concept enough (it seems like one sentence is missing explaining what a target is).

Then there are some occurrences of words (first in the article) which might confuse inexperienced users:

  • "runlevel" - Link to Wikipedia?
  • In subsection "Create custom target" Fedora is mentioned: "The runlevels that are assigned a specific purpose on vanilla Fedora installs"; This adds confusion to the first point.

Xry (talk) 16:06, 9 September 2015 (UTC)

Section "Writing unit files" does not distinguish between overrides and new files

If you want to override a unit, create /etc/systemd/<unit>.service.d/override.conf. (.d directories are for overriding a unit.) A new service created as an override will *not* be found by systemctl daemon-reload! (Not knowing this cost me some hours of frustration.) Instead, if you want to add a new service, it needs to go straight into /etc/systemd/system. After systemctl daemon-reload you can do systemctl enable <service> or systemctl start <service>.

—This unsigned comment is by Bwe (talk) 17:48, 30 November 2015. Please sign your posts with ~~~~!

And which part of Systemd#Writing_unit_files is inaccurate? Systemd#Editing_provided_unit_files says (emphasis mine):
There are two ways to edit a unit file provided by a package: replace the entire unit file with a new one or create drop-in snippets which are applied on top of the existing unit file.
-- Lahwaacz (talk) 19:08, 30 November 2015 (UTC)
Nowhere in that section does it claim that a new service will be created for the override. I've tweaked the language a little bit to emphasize that both methods edit the original unit, even when you create a new file. Silverhammermba (talk) 16:45, 1 December 2015 (UTC)

Subsection "dependent services are not started when starting a service manually"

As far as I know the systemd behaviour for dependent services is a design ... decision (I'd call it a design error, but that's just me). Thus I documented the nonintuitive behaviour in the wiki instead of reporting it as a bug.

Maybe the unit file for libvirtd is not correct and needs additional Wants/Requires lines. If that solves the problem, I'll update the entry and place it as a clarification for writing one's own systemd unit files. Until then I'd suggest keeping the entry as it is.

—This unsigned comment is by Vtanger (talk) 09:01, 19 May 2016. Please sign your posts with ~~~~!

As per Libvirt#Daemon, for a manual start of libvirtd you should also start virtlogd.service. It may be non-intuitive, but there is a reason upstream split it like that. Personally, I think upstream should package an alternative libvirtd.socket unit which starts all requires. See also redhat bug. I find it non-intuitive if a .service automatically starts a socket by itself. I'd rather control such myself.
In any case it seems the wrong example for the systemd article because of the existing Libvirt#Daemon instructions in my view. You still disagree? --Indigo (talk) 10:17, 19 May 2016 (UTC)

Journald in conjunction with syslog

The socket described for syslog forwarding does not exist, is not created and I have no idea how to change this. --Bachsau (talk) 04:30, 9 December 2016 (UTC)

As described, the ForwardToSyslog option in journald.conf is responsible for this. -- Lahwaacz (talk) 08:31, 9 December 2016 (UTC)
Which I set to yes, then restarted journald, even rebooted the system, but there's still no socket file. --Bachsau (talk) 09:11, 9 December 2016 (UTC)
Fixed it: --Bachsau (talk) 06:25, 10 December 2016 (UTC)

Removal consideration: Sandboxing application environments

There has been systemd upstream talk: LWN: CVE-2016-8655 and LWN: Re: CVE-2016-8655. Poettering discusses the same here. I was considering dropping this section into Security but deferred to the tips and tricks section here. If the concern is that the content is not officially enabled upstream, the counterargument is that 1. the directives used in the sandbox are provided by official systemd upstream documentation 2. the unbound.service file is an Arch-specific creation. The new OpenVPN unit files are using environment directives, but those are provided by OpenVPN upstream. I see the section as a tip which attempts to improve upon defaults that could be of benefit to others (particularly those with long-running, network-bound services). But I am not opposed to it being moved to Security or under a more appropriate sub here (preferred). Thoughts? -- Adamlau (talk) 06:41, 18 January 2017 (UTC)

File a bug against the unbound package then? An updated service can then be linked to from here as illustration of the various directives. -- Alad (talk) 07:23, 18 January 2017 (UTC)
Updated service would be neat, yes. Yet, it would miss the verbose explanation. How about moving it to Capabilities and crosslinking back? That article only has utterly simple examples so far. --Indigo (talk) 20:20, 19 January 2017 (UTC)
I was thinking on keeping the explanations, but not the code block, because more users would benefit from an updated service (at least downstream in Arch) than a diff copied in this article. I'm not sure if the scope fits within Capabilities, but I leave that up to you guys. -- Alad (talk) 20:30, 19 January 2017 (UTC)
Relocating to Capabilities will work so long as the example provides additional focus with respect to the capability directive. systemd unit files are able to provide breadth of isolation mechanisms including namespaces, overlays and seccomp. Though Unbound is but one example, I plan to add a few more including hardened unit files for dhcpcd and nftables. Figuring out where unit file sandboxing discussion should go is up to you two. I figure that its proper location within the Wiki will become clearer as the topic is expanded upon. Move it to where you will and I will follow :) -- Adamlau (talk) 03:50, 20 January 2017 (UTC)
You noting you want to add further examples, made me come up with an even different approach:
  1. I moved the example to Unbound#Sandboxing. Note I left the remove template for the unit itself in, please consider adding a FS# for it.[2]
  2. I initialized a bullet list in Systemd#Sandboxing application environments [3]. This could be gradually expanded, be it for restricting capabilities or other related systemd features, or pinpoint also individual options (e.g. ProtectSystem=strict).
What's going amiss is expanding capabilities itself a little. For CapabilityBoundingSet= it seems more useful to have it here really, on second thought. Yet, we don't want to duplicate elaborations on capabilities themselves like you do in explaining the unbound example. Perhaps shorten it and reference capabilities(7)?
What do you two think about this approach? --Indigo (talk) 19:07, 20 January 2017 (UTC)
Sounds good to me. I'll rework an example for capabilities and expand it accordingly. -- Adamlau (talk) 04:35, 23 January 2017 (UTC)