sniproxy icon indicating copy to clipboard operation
sniproxy copied to clipboard

Published 20 hours ago verified publisher icon dlundquist

Add systemd unit file

Open robinbowes opened this issue 9 years ago • 6 comments

I'm deploying on CentOS 7 - I'd like a systemd unit file. I will craft one and send a PR, and modify the spec file to use it.

robinbowes avatar Mar 12 '15 00:03 robinbowes

@robinbowes You might consider using the package from Fedora: http://pkgs.fedoraproject.org/cgit/sniproxy.git/tree/

dlundquist avatar Mar 12 '15 00:03 dlundquist

Aha, that's useful, thanks.

Any chance you can backport their files into your repo so building from source produces the same result?

R.

robinbowes avatar Mar 12 '15 09:03 robinbowes

I use the following unit file, which is slightly different from the one provided in the fedora package:

/usr/lib/systemd/system/sniproxy.unit

[Unit]
Description=Transparent TLS proxy
Documentation=https://github.com/dlundquist/sniproxy
After=syslog.target
After=network-online.target

[Service]
Type=forking
PIDFile=/var/run/sniproxy.pid
ExecStart=/usr/sbin/sniproxy
Restart=always

[Install]
WantedBy=multi-user.target

Should be disted with an initial configuration that at least contains:

user sniproxy

pidfile /var/run/sniproxy.pid

error_log {
	syslog daemon
	priority notice
}

access_log {
	filename /var/log/sniproxy/access.log
}

Must have a user "sniproxy", must have a directory /var/log/sniproxy (owned by root).

mkdir -p /var/log/sniproxy
adduser -d /var/empty -M -s /sbin/nologin -r sniproxy
  • update 2019, no longer need /var/run/sniproxy directory, write pid directly in /var/run

jornane avatar Feb 09 '16 10:02 jornane

@jornane, never use Type=forking or PIDFile unless you absolutely have to (due to hard-to-change legacy daemons). It just introduces race conditions and a risk that systemd will track the wrong PID.

Use Type=simple and sniproxy -f, and omit the pidfile directive from sniproxy.conf.

adamel avatar Apr 15 '17 15:04 adamel

I had a discussion with someone with better knowledge than me who persuaded me that Type=forking was always the safest choice as it works with badly-behaved daemons.

I seem to recall his reasoning was that systemd uses process groups to correctly identify the daemon process.

I can't find the discussion anywhere, but I was persuaded at the time and don't have a problem with Type=forking any more.

R.

robinbowes avatar Apr 15 '17 20:04 robinbowes

@robinbowes Type=forking allows to better distinguish between still starting and running daemons.

Probably even nicer would be supporting sd_notify: https://www.systutorials.com/docs/linux/man/3-sd_notify/.

That way, systemd could detect hangs and restart the service automatically by using the software/service watchdog functionality: http://0pointer.de/blog/projects/watchdog.html

flokli avatar Jan 02 '20 18:01 flokli