[systemd-devel] restart vs. stop/start

Christian Boltz systemd-devel at cboltz.de
Sun May 22 14:18:53 UTC 2016


Hello,

Am Samstag, 21. Mai 2016, 10:31:22 CEST schrieb Andrei Borzenkov:
> 21.05.2016 05:59, Reindl Harald пишет:
> > Am 20.05.2016 um 21:50 schrieb Christian Boltz:
> >>     systemctl restart foo
> >> 
> >> is internally mapped to a sequence of
> >> 
> >>     systemctl stop foo; systemctl start foo
> > 
> > what else?

It's a good default, but like every default, there are cases where you 
need something different ;-)

> >> Unfortunately, this behaviour causes quite some trouble for me.
> > 
> > why?
> 
> If you bothered to read URL OP mentioned, you would see one possible
> reason.

I can add my use case as another reason ;-)

I'm talking about AppArmor, where "stop" means unloading the profiles 
from the kernel. The result is that all AppArmor confinement is removed 
from all running processes.

"start" means loading the profiles and applying the confinement to _newly 
started_ profiles.

This also means that _already running_ processes won't be (re)confined [1], 
which translates a small typo done by the admin ("systemctl restart 
apparmor" instead of "systemctl reload apparmor") to leaving lots of 
processes unconfined and turns that accidental use of "restart" into a 
security risk.

This is why I need to override the "restart" behaviour so that it 
reloads the profiles while keeping running processes confined.

The easiest solution would be an ExecRestart= directive in the service 
file, but unfortunately this isn't available.

Actually, searching for "systemd ExecRestart" brings up that I'm not 
the first one asking for it, see for example
https://lists.freedesktop.org/archives/systemd-devel/2012-November/007595.html
and https://techdetails.agwego.com/2013/06/07/227/

A possible alternative would be to use
    ExecStop=echo "broken by systemd. If you really want to stop AppArmor, please use $newly_invented_command"
I'd really like to avoid this ;-) but it's probably better than silently 
making the system insecure by an accidentally typed "restart".

> >> I need a way to know if "restart "or "stop" was used because the
> >> mapping to stop / start gives my service a completely different
> >> behaviour than expected on restart.
> >> 
> >> Is there a way to find out if "stop" or "restart" was used?
> > 
> > if you need to differ here your service is broken by design - why do

s/broken by design/different/ - or s/your service/systemd/  (choose yourself!)

Please don't judge on something that hard just because it doesn't work 
the way you expect ;-)

> > you need to know what triggered stop and what else do you imagine
> > for "restart" than stop-start?

See above.

> I am curious how you implement "systemctl daemon-restart" using only
> plain "stop systemd" followed by "start systemd".

Yeah, good question. I'm also interested in the answer  ;-)


Regards,

Christian Boltz

[1] According to the AppArmor developers, changing this behaviour in 
    the kernel so that already running applications get (re)confined is 
    close to impossible due to various reasons.
    Details on request, but I know them (and AppArmor) well enough to
    believe in this statement.

-- 
* cboltz wonders if jjohansen already regrets
  calling me "a devs walking nightmare"
<jjohansen> cboltz: no it still fits :P
[from #apparmor]
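The ExecStop= workaround sketched in the message above, written out as a systemd drop-in; this is an added example, not code from the thread or from the AppArmor project. It assumes the distribution's apparmor.service is Type=oneshot with RemainAfterExit=yes, loads profiles in ExecStart with `apparmor_parser --replace` (so a second start re-applies them instead of failing) and unloads them in ExecStop; the drop-in path and the logger invocation are assumptions.

```ini
# /etc/systemd/system/apparmor.service.d/no-unload-on-stop.conf
# Added example (not part of the original thread). Assumed unit layout:
#   ExecStart  = load profiles with "apparmor_parser --replace"
#   ExecReload = same, i.e. what "systemctl reload apparmor" should run
#   ExecStop   = unload profiles ("apparmor_parser --remove"), which is the
#                step that leaves every running process unconfined.
[Service]
# An empty assignment clears the unit's own ExecStop= list; without it the
# line below would be appended after the original unload command.
ExecStop=
# Replace the unload with a logged no-op. Profiles stay in the kernel, so an
# accidental "systemctl restart apparmor" degrades to stop (no-op) followed
# by start (re-load with --replace) and existing processes keep their
# confinement. Exit status 0 is deliberate: a failing ExecStop would leave
# the unit in "failed" state without protecting anything further.
ExecStop=/usr/bin/logger -p daemon.warning -t apparmor \
    "stop/restart requested via systemd: profiles left loaded on purpose; \
    run 'apparmor_parser --remove' on the profile directory to unload them"
# Caveat: after "systemctl stop apparmor" the unit shows as inactive while
# the profiles are still loaded; the journal entry above is the only hint.
```

Activate with `systemctl daemon-reload`, then confirm the override took effect with `systemctl cat apparmor.service` and `systemctl show -p ExecStop apparmor.service`; note that logger output lands in the journal, not on the admin's terminal.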
