Handling /var/run with systemd

Tuesday, August 6. 2013

Previously I've studied the init.d replacement systemd.
Update 4th Jun 2017: See the new version

To my surprise, my contraption from the previous article didn't survive a reboot. WTF?! It turned out that in Fedora 19 the /var/run/ is a symlink into /run/ which has been turned into tmpfs. Goddamnit! It literally means, that it is pointless to create /var/run/<the daemon name here>/ with correct permissions in RPM spec-file. Everything will be wiped clean on next reboot anyway.

So, I just had to study the systemd some more.

This is my version 2 (the Unit and Install -parts are unchanged):

[Service]
Type=forking
PrivateTmp=yes
User=nobody
Group=nobody
# Run ExecStartPre with root-permissions
PermissionsStartOnly=true
ExecStartPre=-/usr/bin/mkdir /var/run/dhis
ExecStartPre=/usr/bin/chown -R nobody:nobody /var/run/dhis/
# Run ExecStart with User=nobody / Group=nobody
ExecStart=/usr/sbin/dhid -P /var/run/dhis/dhid.pid
PIDFile=/var/run/dhis/dhid.pid

The solution is two-fold. First an ExecStartPre-directive is required. It allows to run stuff before actually executing the deamon. My first thing to do is create a directory, the minus sign before the command says to ignore any possible errors during creation. The target is mainly to ignore any errors from the fact that creation would fail due to the directory already existing. Anyway, all errors are ignored regardless of the reason.

The second command to run is to make sure that permissions are set correctly for my daemon to create a PID-file into the directory created earlier. That must succeed or there will be no attempt to start the daemon. chowning the directory will fail if the directory does not exist, or any other possible reason.

Sounds nice, huh? Initially I couldn't get that working. It was simply due to reason, that the entire Service-part is run as the user pointed by the User=nobody and Group=nobody -directives. That user was intentionally chosen, because it has very limited permission anywhere or anything. Now it cannot create any new directories into/var/run/. Darn!

This where the solution's 2nd part comes in. Somebody designing the systemd thought about this. Using the PermissionsStartOnly-directive does the security context switch at the last moment before starting the daemon. This effectively changes the default behavior to allow running Service-part as root, except for the daemon. Exactly what I was looking for! Now my daemon starts each and every time. Even during boot.

Another thing which I noticed, is that when I edit a systemd service-file, the changes really don't affect before I do a systemctl --system daemon-reload. It was a big surprise to me, after all in traditional init.d everything was effective immediately.

PS.
Why cronie does not create a PID-file? I had an issue in CentOS where I had not one, but two cron-daemons running at the same time. This is yet another reason to go systemd, it simply works better with ill-behaving deamons like cronie.

by Jari Turkia in Linux at 06:12 | Comments (26) | Share in LinkedIn

Comments
Display comments as (Linear | Threaded)

erick j on :

Thanks for the write up, this helped me find the "real" answer to this issue. I looked in my /var/run and saw that avahi and apache were being created with their own users/groups for their lock and pid files. So I looked at their service scripts to see if they did it similar to your method, they didn't... so I kept digging and found this:

http://fedoraproject.org/wiki/Packaging:Tmpfiles.d
man tmpfiles.d

Essentially you can just add an entry to /etc/tmpfiles.d/foo.conf like this:

$ cat /etc/tmpfiles.d/fail2ban.conf
D /var/run/fail2ban 0755 fail2ban fail2ban
Comment (1)

egmont on :

Thanks for this article!

PermissionsStartOnly has the drawback that you can't run e.g. an ExecStartPost with the desired non-root user (unless you do a manual "su").

tmpfiles.d is cumbersome to maintain, it's nicer if the required directory can be specified in the .service file.

Seems that there's a new directive RuntimeDirectory=, designed specifically to create a directory under /run. If you have a recent enough systemd (>= 211), probably that's the simplest way to go.
Comment (1)

Jari Turkia on :

Thanks for the update.

It is obvious, that everybody have been having the same problem. The obvious fix is to add the new directive, just as they did into newer versions.
Comments (8)

Eric on :

tmpfiles.d is the proper solution for this

http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
Comment (1)

Jari Turkia on :

Yes. You're absolutely right.

I already updated my RPM-package with tmpfiles.d. I'll get back to this subject to explain my recent changes.
Comments (8)

Jack on :

Another possible solution to the problem is to use /usr/bin/install to create the directory and set permissions at once:

ExecStartPre=/usr/bin/install -o nobody -g nobody -d /var/run/dhis
Comment (1)

Jari Turkia on :

Using the install-command, excellent idea! Why didn't I think of that. :-)

Anyway, as number of people pointed out, using the systemd-tmpfiles is the kosher way of handling the issue.
Comments (8)

Andy on :

doing "-/usr/bin/mkdir" is not the best idea - mkdir has key "-p" - "no error if existing, make parent directories as needed".
You'd better used it than skipped all errors by - flag.
Comment (1)

Jari Turkia on :

Ok. What if directory creation fails? I most definitelly will emit an error than continue with a guaranteed non-working setup.
Comments (8)

Daniels on :

Hi Jari.

As pointed by Andy, it's better to use 'mkdir -p'. The '-p' only ignore errors if the directory already exists. It will return an error if other problem rises (like permission denied).

This way if you do a "systemctl status" in your service, you will not have a "failure" status in the PreExecStart phase.

Thank you for the post. It was very helpful. Regards.
Comment (1)

Jari Turkia on :

Now that you explained it, I totally agree. Not suppressing the error is not the best approach. Doing the -p as suggested by Andy is a better approach.
Comments (8)

Prashant on :

What I have realised on my CentOS Linux release 7.1.1503 (Core) is that the sequence in which it is given (under [service] section) also mattered.

I had a different sequence earlier and the system wouldn't let me use 'mkdir'

Only after adjusting the sequence as shown in the example, it was successful.
Comment (1)

Charlie on :

Try this. I found that, systemd doesn't create files , dirs.

/usr/lib/tmpfiles.d/
do the create job on boot.
Comment (1)

Jari Turkia on :

Yes. Thanks for the info.

The thing is, I've learned couple of new tricks since August 2013. It's another thing to update this article. :-)
Comments (8)

SegFaulty on :

the correct solution seems:

RuntimeDirectory=dhis


see: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RuntimeDirectory=
Comment (1)

Jari Turkia on :

Thanks for your comment. I'm 100% sure, that no such directive existed at the time of writing my post.

Confirmed!
https://github.com/systemd/systemd/commit/5732a7dbb0efa79cc36c6864a4af2e98685b53d6#diff-f3f577c0bbbeb92b4c86bf42eb2a83be
Is dated 2 Nov 2015.

But thanks for letting me know about that. I've been planning a re-visit post about that subject anyway. Now there are enough reasons to actually do it.
Comments (8)

Jim Ciallella on :

Thanks. I used your info and the RedHat site (link-backs provided) to fix a memcached sockets issue with systemd and CentOS 7.

https://www.orangecoat.com/how-to/run-memcached-as-a-socket-under-systemd-in-centos-or-rhel-7

Thanks again,
Jim
Comment (1)

Attila Kreiner on :

Cool! Just what I was looking for. Thanks!
Comment (1)

Kelran on :

To solve your problem, your systemd file (i. e. /etc/systemd/system/dhid.service) should look like (just a summary of the information here):

[Service]
Type=forking
PrivateTmp=yes
User=nobody
Group=nobody

RuntimeDirectory=dhis
RuntimeDirectoryMode=0750

# Run ExecStart with User=nobody / Group=nobody
# because User and group have been set
ExecStart=/usr/sbin/dhid -P /var/run/dhis/dhid.pid
PIDFile=/var/run/dhis/dhid.pid

Best regards,
Kelran
Comments (2)

Jari Turkia on :

Again, I'm pretty sure your suggested RuntimeDirectory and RuntimeDirectoryMode introduced after I wrote about this. Looks like systemd is still in quite rapid development.
Comments (8)

Kelran on :

@Jari:
No doubt, you're right. RuntimeDirectory and RuntimeDirectoryMode have been introduced with systemd 211 in march 2014.

I posted a valid and full configuration just to help other users with the same problem and a recent version of systemd.

- Kelran
Comments (2)

Ap.Muthu on :

I was able to solve the /run/mysqld folder reverting to root:root permissions on each reboot instead of remaining at mysql:mysql by editing /usr/bin/mysql-systemd-start file as stated in https://github.com/ChurchCRM/CRM/issues/2475#issuecomment-299319905
Comment (1)

löchlein deluxe on :

In addition to all that has been said re tmpfiles.d or RunTimeDirectory, mkdir/chmod/chown is written more concisely as "/usr/bin/install -d -m 0700 -o nobody -g nobody /run/dhis"
Comment (1)

F on :

Thanks. I'm using haproxy to load balance database connections using UNIX-socket to remote hosts using TCP. This helped me create the required directories in /var/run php-mysql expects when connecting to localhost.

- F
Comment (1)

M on :

Thanks a lot for the writeup, you made a humble user very happy today.
I completely missed out on the PermissionsStartOnly option.
Comment (1)

Brandon Leroux on :

Thanks a lot. In my case, it solved a problem to create a new systemd service, using a script shell.
Comment (1)

Add Comment
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

Submitted comments will be subject to moderation before being displayed.

Calendar

Mon Tue Wed Thu Fri Sat Sun
Back November '24 Forward
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30  

Quicksearch

Archives

Categories

RSS feeds of this Blog

Blog Administration

Open login screen

Powered by

Parts of this serendipity template are by Abdussamad Abdurrazzaq and Jari Turkia. License