[systemd-devel] socket activated services and correct dependency mapping

James Hogarth james.hogarth at gmail.com
Fri Jul 24 03:06:06 PDT 2015


On 24 July 2015 at 10:38, James Hogarth <james.hogarth at gmail.com> wrote:
> Hi,
>
> I'm in the process of adding systemd native sockets to a service
> (rather than using inetd compatibility) and am trying to get my head
> around the proper way to configure the unit files so that the socket
> is optional rather than required but allowing restarting of the socket
> unit.
>
> https://github.com/yrutschle/sslh/pull/56
>
> [root at hoglaptop ~]# systemctl cat sslh.socket
> # /etc/systemd/system/sslh.socket
> [Socket]
> ListenStream=10.81.60.229:443
> ListenStream=10.81.60.229:444
> ListenStream=10.81.60.229:445
> ListenStream=10.81.60.229:446
> ListenStream=10.81.60.229:447
> FreeBind=true
>
> [Install]
> WantedBy=sockets.target
>
> [root at hoglaptop ~]# systemctl cat sslh.service
> # /etc/systemd/system/sslh.service
> [Service]
> ExecStart=/home/hogarthj/workspace/github-sslh/sslh-fork -v -f --ssh 127.0.0.1:22
> KillMode=process
>
> I want a user to be able to systemctl start sslh and use listening
> addresses in /etc/sslh.cfg as always (so I'm reluctant to put a
> straight Sockets= in the service unit file) but as it stands the lazy
> activation of sslh works a treat however once the service is activated
> it is listening on the sockets so it's not possible to systemctl
> restart sslh.socket to change an IP or add a port without stopping
> sslh.service first ...
>
> Is what I'm trying to do flat out a bad idea and impossible or is
> there a way of ordering this in such a way that a restart of
> sslh.socket stops sslh.service in the process ... or something to
> attain the goal of a restartable socket unit and an associated service that
> has no explicit need of the socket?
>
> Regards,
>
> James

And for the sake of Google searches and the archives: within 5 minutes
of sending the email I worked out my answer ...

Adding Before=sslh.service to the socket and PartOf=sslh.socket to the
service gets me the behavior I was searching for.


[root at hoglaptop ~]# systemctl cat sslh.service
# /etc/systemd/system/sslh.service
[Unit]
PartOf=sslh.socket

[Service]
ExecStart=/usr/sbin/sslh -v -f --ssh 127.0.0.1:22
KillMode=process
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_SETGID CAP_SETUID
PrivateTmp=true
PrivateDevices=true
ProtectSystem=full
ProtectHome=true

[root at hoglaptop ~]# systemctl cat sslh.socket
# /etc/systemd/system/sslh.socket
[Unit]
Before=sslh.service

[Socket]
ListenStream=10.81.60.229:443
ListenStream=10.81.60.229:444
ListenStream=10.81.60.229:445
ListenStream=10.81.60.229:446
ListenStream=10.81.60.229:447
FreeBind=true

[Install]
WantedBy=sockets.target

Which is great! Now I can start as a non-root user and not have to
drop user after binding low ports.
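An added example (not code from the thread or from the systemd project) that encodes the wiring above as a check: it parses a socket/service pair of unit files and reports when the socket lacks Before=<service>, when the service lacks PartOf=<socket>, or when the service hard-requires the socket (Requires=, BindsTo=, Requisite=, or a Sockets= line, which the thread avoids so that plain `systemctl start sslh` still works from /etc/sslh.cfg). The unit contents are constructed, the 192.0.2.x addresses are documentation placeholders, and the ordering rationale in the docstring follows the systemd semantics that ordering is reversed on stop and PartOf= propagates stop/restart. Running it prints the findings for the final pair (none) and for the first, unwired service unit from the thread.

```python
"""Lint a systemd socket/service pair for the socket-restart wiring in the thread."""
from __future__ import annotations

# --- constructed sample units (addresses are placeholders) -------------------
SSLH_SOCKET = """\
[Unit]
Before=sslh.service

[Socket]
ListenStream=192.0.2.10:443
ListenStream=192.0.2.10:444
FreeBind=true

[Install]
WantedBy=sockets.target
"""

SSLH_SERVICE = """\
[Unit]
PartOf=sslh.socket

[Service]
ExecStart=/usr/sbin/sslh -v -f --ssh 127.0.0.1:22
KillMode=process
ProtectSystem=full
ProtectHome=true
"""

# Shape of the first service unit in the thread: no [Unit] section, so a
# restart of the socket leaves the running daemon holding the listening fds.
SSLH_SERVICE_UNWIRED = """\
[Service]
ExecStart=/usr/sbin/sslh -v -f --ssh 127.0.0.1:22
KillMode=process
"""


def parse_unit(text: str) -> dict[str, dict[str, list[str]]]:
    """Parse unit-file text into {section: {key: [value, ...]}}.

    Keys may repeat (ListenStream= does), so every key maps to a list.
    '#'/';' comment lines are skipped, a trailing backslash continues the
    line onto the next one, and an empty assignment resets the list.
    """
    units: dict[str, dict[str, list[str]]] = {}
    section: str | None = None
    carry = ""
    for raw in text.splitlines():
        line = (carry + " " + raw.strip()).strip() if carry else raw.strip()
        carry = ""
        if line.endswith("\\"):
            carry = line[:-1].rstrip()
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            units.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed unit line: {line!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "":
            units[section][key] = []          # empty assignment resets the list
        else:
            units[section].setdefault(key, []).append(value)
    return units


def _names(unit: dict, section: str, key: str) -> list[str]:
    """Flatten a space-separated dependency list such as Before=a.service b.service."""
    return [n for v in unit.get(section, {}).get(key, []) for n in v.split()]


def check_pair(socket_text: str, service_text: str,
               socket_name: str = "sslh.socket",
               service_name: str = "sslh.service") -> list[str]:
    """Return findings; an empty list means the pair is wired as in the thread.

    Before= on the socket orders socket start before service start and, since
    systemd reverses ordering on stop, service stop before socket stop.  PartOf=
    on the service propagates stop/restart of the socket to the service, so
    `systemctl restart sslh.socket` stops the daemon first and the addresses
    are free to be rebound.
    """
    sock, svc = parse_unit(socket_text), parse_unit(service_text)
    findings: list[str] = []
    if service_name not in _names(sock, "Unit", "Before"):
        findings.append(f"{socket_name}: add Before={service_name} so the service stops before the socket")
    if socket_name not in _names(svc, "Unit", "PartOf"):
        findings.append(f"{service_name}: add PartOf={socket_name} so a socket restart propagates")
    # The service must stay startable on its own (listening addresses from
    # /etc/sslh.cfg), so it must not hard-require the socket unit.
    for key in ("Requires", "BindsTo", "Requisite"):
        if socket_name in _names(svc, "Unit", key):
            findings.append(f"{service_name}: {key}={socket_name} makes the socket mandatory")
    if _names(svc, "Service", "Sockets"):
        findings.append(f"{service_name}: Sockets= present; the thread avoids it")
    if not any(k.startswith("Listen") and v for k, v in sock.get("Socket", {}).items()):
        findings.append(f"{socket_name}: no Listen* directive")
    return findings


if __name__ == "__main__":
    for label, svc in (("wired", SSLH_SERVICE), ("unwired", SSLH_SERVICE_UNWIRED)):
        print(label, check_pair(SSLH_SOCKET, svc) or ["ok"])
```

The parser keeps repeated keys as lists on purpose: a checker that collapses ListenStream= to a single value would silently miss all but one port, and the empty-assignment reset matters when a drop-in clears an inherited list.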

