[systemd-devel] [PATCH weston] doc/systemd: system service example

Pekka Paalanen ppaalanen at gmail.com
Thu Nov 30 10:09:15 UTC 2017


On Wed, 29 Nov 2017 19:05:07 +0100
Lennart Poettering <lennart at poettering.net> wrote:

> On Di, 28.11.17 12:14, Pekka Paalanen (ppaalanen at gmail.com) wrote:
> 
> > +
> > +[Unit]
> > +Description=Weston, a Wayland compositor, as a system service
> > +Documentation=man:weston(1) man:weston.ini(5)
> > +Documentation=http://wayland.freedesktop.org/
> > +
> > +# Make sure we are started after logins are permitted.
> > +After=systemd-user-sessions.service
> > +
> > +# If Plymouth is used, we want to start when it is on its way out.
> > +After=plymouth-quit-wait.service
> > +
> > +# D-Bus is necessary for contacting logind. Logind is required.
> > +Wants=dbus.socket
> > +After=dbus.socket
> > +
> > +# This scope is created by pam_systemd when logging in as the user.
> > +# This directive is a workaround to a systemd bug, where the setup of the
> > +# user session by PAM has some race condition, possibly leading to a failure.
> > +# See README for more details.
> > +After=session-c1.scope  
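
Review bot: The comment above Wants=dbus.socket says "Logind is required", but Wants= is only a weak dependency and the unit is ordered after the D-Bus socket alone, not after logind. If the compositor cannot work without logind, the dependency should be Requires=dbus.socket, and the comment should say how logind itself is expected to be running by the time Weston contacts it.
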
> 
> Hmm, what is this about?
> 
> This is racy, as the session ID is not really reliably predictable,
> and is synthesized in different contexts in different ways, for
> example depending on whether audit is enabled in the kernel it might be
> session-1.scope rather than session-c1.scope.

Hi Lennart,

this is the bit Martyn talked to you about in person some time ago, maybe Martyn
could refresh your memory?

Yes, I am definitely not happy about this directive, but it serves as
the reminder of the issue Martyn was debugging a long time ago, and
this was the workaround chosen for the particular project at that time.
I guessed it's not portable.

I have it here so it would trigger the discussion, in the hopes that
someone could recall the details of the fundamental problem. I heard it
was deemed to be a hard-to-reproduce systemd bug, but I have no other
details.

If we could determine the bug doesn't exist anymore, that would be
awesome and I could just drop this.

> > +# Set up a full user session for the user, required by Weston.
> > +PAMName=login  
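
Review bot: The comment on PAMName=login says a full user session is "required by Weston" but does not say which part of the session setup Weston depends on. The earlier comment in this file names pam_systemd as what creates the session scope, so this comment should state that the logind session registration is the requirement; that would make it clear what a narrower PAM service than login has to keep.
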
> 
> Piggy-backing on "login" is a bad idea. "login" is a text tool, and
> thus the PAM rules for it usually pull in some TTY specific PAM
> modules. You should really use your own PAM fragment here, and
> configure only the bits you need.

Ok. Is there any guide or example I could point people to, so that they
can write their own stuff correctly? Any example I could put into
Weston docs?

Personally I have no understanding of what PAM does. I just copied
weston-launch (setuid-root helper for non-systemd systems) that also
uses "login" for PAM name if it was asked to create a new session(?).


Thanks,
pq
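
An added example, not part of this thread or of the Weston patch: a dedicated PAM service file of the kind the quoted reply asks for, in place of reusing "login". The service name `weston-autologin`, its path, and the choice of modules are assumptions for illustration; what a given system needs depends on the distribution.

```conf
# /etc/pam.d/weston-autologin
# Hypothetical service name. The unit would reference it with
#   PAMName=weston-autologin
# instead of PAMName=login.
#
# Nothing TTY-oriented (securetty, lastlog, motd, mail) is listed here:
# this stack is for a graphical session started by the service manager,
# not for a text login.

# auth: no interactive prompt is expected for this service (assumption);
# these entries exist so credential setup has something to run.
auth      required  pam_nologin.so
auth      required  pam_unix.so

# account: refuse to start when the account is expired or when
# /etc/nologin is present.
account   required  pam_nologin.so
account   required  pam_unix.so

# session: pam_systemd registers the session with logind, which is the
# part the unit's own comments say Weston depends on.
session   required  pam_unix.so
session   optional  pam_loginuid.so
session   required  pam_systemd.so class=user type=wayland
```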