[systemd-devel] Porting init script using unshare, overlayfs to systemd

Daniel Farina daniel at fdr.io
Tue Dec 3 19:27:49 UTC 2019 

Hello everyone,

I'm porting a patch to an init script to systemd, and I have a few
questions.

More specifically, I'm porting a relatively small patch to the existing
PostgreSQL Development Group (PGDG yum) Redhat init scripts to systemd.

The patch looks something like this:

  echo -n "$PSQL_START"
- $SU -l postgres -c "$PGENGINE/postmaster -D '$PGDATA' ${PGOPTS}
>>\"$PGLOG\" 2>&1 &"
+ ulimit -S -c unlimited
+ hugepage-set excessive
+ unshare --mount -- sh -c "mount -t overlay overlay -o
lowerdir=/some/overlayfs/etc:/etc /etc && exec $SU -l postgres -c
"\""$PGENGINE/postmaster -D '$PGDATA' ${PGOPTS} >>\"\""$PGLOG\"\"" 2>&1
&"\"""
  sleep 2
+ hugepage-set trim
  pid=`head -n 1 "$PGDATA/postmaster.pid" 2>/dev/null`
  if [ "x$pid" != x ]
  then

Of note is messing around with hugepages (which requires root) and the use
of unshare (which requires root and manipulation of a mount namespace
before switching users and execing Postgres).

The reason overlayfs is used is to provide a dynamic, atomically updated
/etc/hosts that is only used by the Postgres process hierarchy. To do that,
another program will perform an atomic rename, then uses nsenter and
remount to invalidate the directory cache held in overlayfs. Bind mounts,
unfortunately, complicate atomicity here.

By comparison, the entire modern PGDG systemd service file looks like this:

# It's not recommended to modify this file in-place, because it will be
# overwritten during package upgrades.  If you want to customize, the
# best way is to create a file "/etc/systemd/system/postgresql-11.service",
# containing
# .include /usr/lib/systemd/system/postgresql-11.service
# ...make your changes here...
# For more info about custom unit files, see
#
http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F

# Note: changing PGDATA will typically require adjusting SELinux
# configuration as well.

# Note: do not use a PGDATA pathname containing spaces, or you will
# break postgresql-setup.
[Unit]
Description=PostgreSQL 11 database server
Documentation=https://www.postgresql.org/docs/11/static/
After=syslog.target
After=network.target

[Service]
Type=notify

User=postgres
Group=postgres

# Note: avoid inserting whitespace in these Environment= lines, or you may
# break postgresql-setup.

# Location of database directory
Environment=PGDATA=/var/lib/pgsql/11/data/

# Where to send early-startup messages from the server (before the logging
# options of postgresql.conf take effect)
# This is normally controlled by the global default set by systemd
# StandardOutput=syslog

# Disable OOM kill on the postmaster
OOMScoreAdjust=-1000
Environment=PG_OOM_ADJUST_FILE=/proc/self/oom_score_adj
Environment=PG_OOM_ADJUST_VALUE=0

ExecStartPre=/usr/pgsql-11/bin/postgresql-11-check-db-dir ${PGDATA}
ExecStart=/usr/pgsql-11/bin/postmaster -D ${PGDATA}
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
KillSignal=SIGINT


# Do not set any timeout value, so that systemd will not kill postmaster
# during crash recovery.
TimeoutSec=0

[Install]
WantedBy=multi-user.target

Fairly neat and tidy, but of some trouble is the fact that I need a few
root manipulations, and "User=postgres" becomes a liability for that. I
could change that to root and then pepper "su" everywhere to get the deed
done, but I felt inclined to write into the list to ask if that is in the
grain of systemd's design.

Thanks for your considerations,
Daniel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20191203/9b439848/attachment.html>

More information about the systemd-devel mailing list