Discussion:
[gentoo-user] Systemd query ...
Wols Lists
2023-05-15 10:00:01 UTC
Nothing to do with, but sparked by, the Apache problem ...

One of the emails mentioned that the "ExecStop" section didn't appear to
be working ... That's caused me considerable grief in a systemd config
file I've written ...

Basically, somebody else added an ExecStop section - and all hell broke
loose. It seemed to be firing on boot :-( And the service in question -
ScarletDME - seemed to be killing processes at random, like DoveCot ...

Okay, accidentally killing processes it shouldn't is probably down to the
fork/exec code in ScarletDME, I haven't dug into it to know, but systemd
should not be triggering the stop in the first place. Has anybody else
encountered anything like this?

Sorry I'm not likely to respond quickly to say "solved", as I need to
get "in the mood" to get back to debugging, but if anybody has any hints
and tips, they'd be appreciated, and it might shed some light on that
Apache problem :-)

Cheers,
Wol
Jacques Montier
2023-05-16 18:10:01 UTC
Post by Wols Lists
Nothing to do with, but sparked by, the Apache problem ...
One of the emails mentioned that the "ExecStop" section didn't appear to
be working ... That's caused me considerable grief in a systemd config
file I've written ...
Basically, somebody else added an ExecStop section - and all hell broke
loose. It seemed to be firing on boot :-( And the service in question -
ScarletDME - seemed to be killing processes at random, like DoveCot ...
Okay, accidentally killing processes it shouldn't is probably down to the
fork/exec code in ScarletDME, I haven't dug into it to know, but systemd
should not be triggering the stop in the first place. Has anybody else
encountered anything like this?
Sorry I'm not likely to respond quickly to say "solved", as I need to
get "in the mood" to get back to debugging, but if anybody has any hints
and tips, they'd be appreciated, and it might shed some light on that
Apache problem :-)
Cheers,
Wol
Hi Wol,

It was very difficult to get Apache working with systemd on Gentoo.
No apache2.service was found with the Apache installation,
so I looked at the Linux Mint OS to copy its apache2.service.
These commands

ExecStart=/usr/sbin/apachectl start
ExecStop=/usr/sbin/apachectl graceful-stop
ExecReload=/usr/sbin/apachectl graceful

did not work at all...
BUT,
by manually launching /usr/bin/apache2ctl, it worked.

So I wrote a simple little bash script, /usr/bin/op_apache:

#!/bin/bash
# start/stop/restart wrapper called from the hand-written apache2.service

case "${1:-}" in
    start)
        apache2ctl
        ;;
    stop)
        killall apache2
        ;;
    restart)
        killall apache2
        sleep 1
        apache2ctl
        ;;
    *)
        echo "usage: $0 {start|stop|restart}" >&2
        exit 1
        ;;
esac

And in apache2.service, I put:

ExecStart=/usr/bin/op_apache start
ExecStop=/usr/bin/op_apache stop
ExecReload=/usr/bin/op_apache restart

Now it works fine, but what a headache !

Cheers,

--
Jacques
Neil Bothwick
2023-05-16 19:00:01 UTC
Post by Jacques Montier
It was very difficult to get Apache working with systemd on Gentoo.
No apache2.service was found with the Apache installation.
Really?

% qfile apache2.service
www-servers/apache: /lib/systemd/system/apache2.service
Post by Jacques Montier
So I looked at the Linux Mint OS to copy its apache2.service.
These commands
ExecStart=/usr/sbin/apachectl start
ExecStop=/usr/sbin/apachectl graceful-stop
ExecReload=/usr/sbin/apachectl graceful
did not work at all...
% systemctl cat apache2.service
# /lib/systemd/system/apache2.service
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target

[Service]
EnvironmentFile=/etc/conf.d/apache2
ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND
ExecReload=/usr/sbin/apache2 $APACHE2_OPTS -k graceful
ExecStop=/usr/sbin/apache2 $APACHE2_OPTS -k graceful-stop
# We want systemd to give httpd some time to finish gracefully, but still want
# it to kill httpd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
# httpd time to finish.
KillSignal=SIGCONT
PrivateTmp=true
#Hardening
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK
SecureBits=noroot-locked
ProtectSystem=full
PrivateDevices=true
MemoryDenyWriteExecute=true

[Install]
WantedBy=multi-user.target
--
Neil Bothwick

K: (n., adj.) a binary thousand, which isn't a decimal thousand or even
really a binary thousand (which is eight), but is the binary number
closest to a decimal thousand. This has proven so completely confusing
that it has become a standard.
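The comment in that unit is the caveat worth keeping in mind: "apache2 -k graceful-stop" only signals the parent httpd and returns at once, and as soon as ExecStop= returns systemd sends KillSignal= to whatever is left in the cgroup, which is why Gentoo's unit switches KillSignal= to SIGCONT. The helper below is an added example (not from the thread, and not Gentoo's or Apache's own code) of the other way to handle it: an ExecStop= command that signals a PID and then waits until the process is really gone, so the unit never returns early. The pidfile path in the usage note is an assumption; the real one is whatever PidFile in httpd.conf says.

```shell
#!/bin/sh
# Added example, not from the thread: a stop helper that signals a daemon and
# then waits until the process is really gone, so that a unit's ExecStop= does
# not return while the service is still shutting down.  Once ExecStop= returns,
# systemd sends KillSignal= (SIGTERM unless overridden) to everything left in
# the cgroup; "apache2 -k graceful-stop" returns as soon as it has signalled
# the parent, which is why the Gentoo unit sets KillSignal=SIGCONT instead.

# is_alive PID: true while PID exists and is not a zombie.  A zombie still
# answers "kill -0", so on Linux the state letter in /proc/PID/stat is checked
# as well (the letter follows the parenthesised command name).
is_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    if [ -r "/proc/$1/stat" ]; then
        state=$(sed 's/^.*) //; s/ .*//' "/proc/$1/stat" 2>/dev/null)
        [ "$state" != "Z" ]
    fi
}

# stop_and_wait PID SIGNAL TIMEOUT_SECONDS
# Sends SIGNAL to PID and polls until the process has exited.
# Returns 0 if it exited within the timeout (or was already gone),
# 1 if it is still running after the timeout, 2 if it could not be signalled.
stop_and_wait() {
    pid=$1 sig=$2 timeout=$3
    is_alive "$pid" || return 0
    if ! kill -s "$sig" "$pid" 2>/dev/null; then
        is_alive "$pid" || return 0     # raced with its own exit
        return 2                        # e.g. EPERM
    fi
    ticks=$((timeout * 10))             # poll every 0.1 s
    while [ "$ticks" -gt 0 ]; do
        is_alive "$pid" || return 0
        sleep 0.1
        ticks=$((ticks - 1))
    done
    return 1
}

# stop_from_pidfile PIDFILE SIGNAL TIMEOUT_SECONDS: the shape an ExecStop=
# helper takes.  A missing pidfile means nothing is running, which is not an
# error for a stop.  (Which pidfile a real unit reads is whatever PidFile in
# httpd.conf says; the path in the usage note is an assumption.)
stop_from_pidfile() {
    [ -r "$1" ] || return 0
    read -r pid < "$1"
    stop_and_wait "$pid" "$2" "$3"
}

# Demo when run as "./stop-and-wait.sh --demo": stop a throwaway background
# process and report the outcome.
if [ "${1-}" = "--demo" ]; then
    sleep 60 &
    demo_pid=$!
    if stop_and_wait "$demo_pid" TERM 5; then
        echo "pid $demo_pid exited"
    else
        echo "pid $demo_pid did not exit in time"
    fi
fi
```

In a unit this would be something like ExecStop=/usr/local/sbin/stop-and-wait.sh with a call such as "stop_from_pidfile /run/apache2.pid WINCH 30" at the bottom of the script (SIGWINCH is what "httpd -k graceful-stop" sends to the parent; SIGTERM is the hard stop), and TimeoutStopSec= should be longer than the helper's timeout so that systemd's own SIGKILL only fires after the helper has given up.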
Jacques Montier
2023-05-16 19:40:01 UTC
Post by Neil Bothwick
Post by Jacques Montier
It was very difficult to get Apache working with systemd on Gentoo.
No apache2.service was found with the Apache installation.
Really?
% qfile apache2.service
www-servers/apache: /lib/systemd/system/apache2.service
Yes.
After install, apache2.service not found...
Post by Neil Bothwick
Post by Jacques Montier
So I looked at the Linux Mint OS to copy its apache2.service.
These commands
ExecStart=/usr/sbin/apachectl start
ExecStop=/usr/sbin/apachectl graceful-stop
ExecReload=/usr/sbin/apachectl graceful
did not work at all...
% systemctl cat apache2.service
# /lib/systemd/system/apache2.service
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
[Service]
EnvironmentFile=/etc/conf.d/apache2
ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND
ExecReload=/usr/sbin/apache2 $APACHE2_OPTS -k graceful
ExecStop=/usr/sbin/apache2 $APACHE2_OPTS -k graceful-stop
# We want systemd to give httpd some time to finish gracefully, but still want
# it to kill httpd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
# httpd time to finish.
KillSignal=SIGCONT
PrivateTmp=true
#Hardening
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK
SecureBits=noroot-locked
ProtectSystem=full
PrivateDevices=true
MemoryDenyWriteExecute=true
[Install]
WantedBy=multi-user.target
--
Neil Bothwick
K: (n., adj.) a binary thousand, which isn't a decimal thousand or even
really a binary thousand (which is eight), but is the binary number
closest to a decimal thousand. This has proven so completely confusing
that it has become a standard.
Thanks Neil, I'll have a try.

--
Jacques
Rich Freeman
2023-05-16 19:50:01 UTC
Post by Jacques Montier
After install, apache2.service not found...
Have you done something to mask service file installs/etc?

The unit file is in the gentoo repo:
www-servers/apache/files/apache2.4-hardened.service
--
Rich
Jacques Montier
2023-05-17 08:50:01 UTC
Hi all,

Thanks to Neil and Rich.

I did indeed find the file
www-servers/apache/files/apache2.4-hardened.service.
I renamed it as apache2.service in /lib/systemd/system.
Now it works!!! 👍

BUT,

As I didn't mask anything, I don't understand why this file was not
installed as it was declared in the apache ebuild...

# Note: wait for mod_systemd to be included in some forthcoming release,
# Then apache2.4.service can be used and systemd support controlled
# through --enable-systemd
systemd_newunit "${FILESDIR}/apache2.4-hardened.service" "apache2.service"
dotmpfiles "${FILESDIR}/apache.conf"
#insinto /etc/apache2/modules.d
#doins "${FILESDIR}/00_systemd.conf"

My USE flags and modules:

Installed versions: 2.4.55-r1(2)(11:11:07 12/05/2023)(gdbm ssl suexec-caps
systemd -debug -doc -ldap -selinux -split-usr -static -suexec
-suexec-syslog -threads APACHE2_MODULES="actions alias auth_basic
authn_anon authn_core authn_dbm authn_file authz_core authz_dbm
authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid
dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter
headers http2 include info log_config logio mime mime_magic negotiation
rewrite setenvif socache_shmcb speling status unique_id unixd userdir
usertrack vhost_alias -access_compat -asis -auth_digest -auth_form
-authn_dbd -authn_socache -authz_dbd -brotli -cache_disk -cache_socache
-cern_meta -charset_lite -dbd -dumpio -ident -imagemap -lbmethod_bybusyness
-lbmethod_byrequests -lbmethod_bytraffic -lbmethod_heartbeat -log_forensic
-lua -macro -md -proxy -proxy_ajp -proxy_balancer -proxy_connect
-proxy_fcgi -proxy_ftp -proxy_hcheck -proxy_html -proxy_http -proxy_http2
-proxy_scgi -proxy_uwsgi -proxy_wstunnel -ratelimit -remoteip -reqtimeout
-session -session_cookie -session_crypto -session_dbd -slotmem_shm
-socache_memcache -substitute -version -watchdog -xml2enc"
APACHE2_MPMS="-event -prefork -worker" LUA_SINGLE_TARGET="lua5-1 -lua5-3
-lua5-4")


However, it works fine and thanks again to all of you !

Cheers,

--
Jacques
Post by Rich Freeman
Post by Jacques Montier
After install, apache2.service not found...
Have you done something to mask service file installs/etc?
www-servers/apache/files/apache2.4-hardened.service
--
Rich
Rich Freeman
2023-05-17 09:40:01 UTC
Post by Jacques Montier
As I didn't mask anything, I don't understand why this file was not installed as it was declared in the apache ebuild...
You don't have anything set in INSTALL_MASK? Check "emerge --info
www-servers/apache"

You might want to check the build log for anything. I don't think
there is anything conditional about systemd_newunit, and it is
supposed to generate a fatal error if it fails.
--
Rich
Jacques Montier
2023-05-17 10:20:02 UTC
Post by Rich Freeman
Post by Jacques Montier
As I didn't mask anything, I don't understand why this file was not
installed as it was declared in the apache ebuild...
You don't have anything set in INSTALL_MASK? Check "emerge --info
www-servers/apache"
You might want to check the build log for anything. I don't think
there is anything conditional about systemd_newunit, and it is
supposed to generate a fatal error if it fails.
--
Rich
Well, well, Rich, you are completely right, you've found the key! 👍
I have that line in make.conf
INSTALL_MASK="/lib/systemd/system /usr/lib/systemd/system"
I now see where it comes from.
On the same machine, I have another OpenRC Gentoo with systemd masked.
I just copied the make.conf without uncommenting that line... How silly I
am!!!
So I deleted that bl...y line!

Thanks a lot,

Cheers

--
Jacques
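Rich's hint ("emerge --info www-servers/apache", then look at INSTALL_MASK) is the check; the script below is an added example, not from the thread and not Portage's own code, that turns it into a dry run: given an INSTALL_MASK value and a list of paths, it reports which files would be silently dropped at merge time. The matching rules are a simplified model of Portage's (an assumption, stated in the comments), enough for the plain prefix entries and wildcard entries people actually write.

```shell
#!/bin/sh
# Added example, not from the thread and not Portage's own code: a dry run of
# what an INSTALL_MASK value would drop at merge time.  The matching rules are a
# simplified model of Portage's (an assumption): entries are space-separated, an
# entry without wildcards masks that path and everything below it, an entry
# containing * ? or [ is a shell glob matched against the whole path, a leading
# "-" un-masks, and the last matching entry wins.
# The live value is in:  emerge --info www-servers/apache | grep INSTALL_MASK

# install_masked PATH "MASK": exit status 0 if PATH would be dropped, 1 if kept.
install_masked() {
    (
        # subshell so "set -f" (do not expand the mask entries as globs
        # against the current directory) cannot leak into the caller
        set -f
        path=$1
        masked=1
        for entry in $2; do
            invert=0
            case $entry in
                -*) invert=1; entry=${entry#-} ;;
            esac
            entry=${entry%/}          # "/lib/systemd/system/" == "/lib/systemd/system"
            hit=0
            case $entry in
                *[*?[]*)              # wildcard entry: glob against the whole path
                    case $path in
                        $entry) hit=1 ;;
                    esac ;;
                *)                    # literal entry: the path itself or anything under it
                    case $path in
                        "$entry"|"$entry"/*) hit=1 ;;
                    esac ;;
            esac
            # last match wins: a plain entry masks (0), a "-" entry re-allows (1)
            if [ "$hit" -eq 1 ]; then
                masked=$invert
            fi
        done
        exit "$masked"
    )
}

# masked_files "MASK": read one path per line on stdin (for example the file
# list of a package's build image) and print those INSTALL_MASK would drop.
masked_files() {
    while IFS= read -r f; do
        if install_masked "$f" "$1"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Demo: the mask from the thread against a few constructed paths.
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' /lib/systemd/system/apache2.service \
                  /etc/apache2/httpd.conf \
                  /usr/lib/tmpfiles.d/apache.conf |
        masked_files "/lib/systemd/system /usr/lib/systemd/system"
fi
```

Run with --demo and the only line printed is /lib/systemd/system/apache2.service, exactly the file that went missing here; feeding it the file list of a build image (or of a binary package) before merging shows every unit, preset or tmpfiles fragment a leftover mask is about to discard.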
Rich Freeman
2023-05-17 10:40:01 UTC
Post by Jacques Montier
Well, well, Rich, you are completely right, you've found the key! 👍
I have that line in make.conf
INSTALL_MASK="/lib/systemd/system /usr/lib/systemd/system"
I now see where it comes from.
On the same machine, I have another OpenRC Gentoo with systemd masked.
I just copied the make.conf without uncommenting that line... How silly I am!!!
So I deleted that bl...y line!
So, I realize this will be controversial, but this is why I don't make
super-minimalistic builds. If I were trying to make a Gentoo build to
run on a C64 or something and every last inode counted, then sure.
However, things like text files simply don't do anything if nothing
reads them. These days I also tend to be generous with building
kernel modules - it slows down kernel builds, but it has no impact on
running kernels if they aren't actually loaded. I also use -mtune
these days and not -march. Sure, you lose a little performance, but
if I lose a motherboard then I can just build a new PC, stick my hard
drive in it, and it will just work.

Now, if you're building disposable workers in some cluster that
processes lots of jobs, then sure that extra few percent performance
might be worth it, but then the individual hosts are all disposable
anyway. Otherwise, I've found it is much better to optimize things
for MY time than CPU time.
--
Rich
David M. Fellows
2023-05-17 00:50:01 UTC
Post by Jacques Montier
Post by Wols Lists
Nothing to do with, but sparked by, the Apache problem ...
One of the emails mentioned that the "ExecStop" section didn't appear to
be working ... That's caused me considerable grief in a systemd config
file I've written ...
Basically, somebody else added an ExecStop section - and all hell broke
loose. It seemed to be firing on boot :-( And the service in question -
ScarletDME - seemed to be killing processes at random, like DoveCot ...
Okay, accidentally killing processes it shouldn't is probably down to the
fork/exec code in ScarletDME, I haven't dug into it to know, but systemd
should not be triggering the stop in the first place. Has anybody else
encountered anything like this?
Sorry I'm not likely to respond quickly to say "solved", as I need to
get "in the mood" to get back to debugging, but if anybody has any hints
and tips, they'd be appreciated, and it might shed some light on that
Apache problem :-)
Cheers,
Wol
Hi Wol,
It was very difficult to get Apache working with systemd on Gentoo.
No apache2.service was found with the Apache installation,
so I looked at the Linux Mint OS to copy its apache2.service.
These commands
ExecStart=/usr/sbin/apachectl start
ExecStop=/usr/sbin/apachectl graceful-stop
ExecReload=/usr/sbin/apachectl graceful
did not work at all...
BUT,
by manually launching /usr/bin/apache2ctl, it worked.
On my Gentoo system Apache is installed in
/usr/sbin as apache2 and apache2ctl.
It also installs /lib/systemd/system/apache2.service which references the
above files in a "gentoo-ish" way.

The Linux Mint service file you list above refers to apache without the "2".

Perhaps this sheds some light on your problem.

DaveF
Post by Jacques Montier
So i wrote a little simple bash script /usr/bin/op_apache
#!/bin/bash
case ${1} in
"start")
apache2ctl
;;
"stop")
killall apache2
;;
"restart")
killall apache2
sleep 1
apache2ctl
;;
esac
ExecStart=/usr/bin/op_apache start
ExecStop=/usr/bin/op_apache stop
ExecReload=/usr/sbin/op_apache restart
Now it works fine, but what a headache !
Cheers,
--
Jacques