Bug#738548: systemd support
Andreas Henriksson writes:
> I'm happy to help if you can provide the testing and review (as I don't
> personally use amavisd-new myself). I'm quite sure we can also get
> additional help from pkg-systemd-maintainers if they're asked to
> comment.
I hardly use it myself.
How does the following (attached) look?
I am wondering if I should just drop amavis-mc. It looks like it is just
a supervisor for amavisd-new, which systemd provides anyway. Also it
looks like a required dependency may not be in buster (libzeromq-perl
AFAIK).
Actually, I accidentally included the security hardening settings you
said I should not include. So wonder if I should drop these.
--
Brian May
commit 2d8c8fec1ed103caafb9925658788e308420cbcf
Author: Brian May
Date: Tue Feb 4 08:04:01 2020 +1100
Add systemd service files.
Closes: #738548.
diff --git a/debian/amavisd-new.amavis-mc.service b/debian/amavisd-new.amavis-mc.service
new file mode 100644
index 000..91da47c
--- /dev/null
+++ b/debian/amavisd-new.amavis-mc.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Amavisd Master Supervisor
+Documentation=http://www.ijs.si/software/amavisd/#doc
+After=network.target
+
+[Service]
+User=amavis
+Group=amavis
+ExecStart=/usr/sbin/amavis-mc -f
+ExecStartPre=-/usr/bin/find /var/lib/amavis -maxdepth 1 -name 'amavis-*' -type d -exec rm -rf "{}" \;
+ExecStartPre=-/usr/bin/find /var/lib/amavis/tmp -maxdepth 1 -name 'amavis-*' -type d -exec rm -rf "{}" \;
+Restart=on-failure
+PrivateTmp=true
+CapabilityBoundingSet=
+ProtectSystem=full
+ProtectHome=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/debian/amavisd-new.amavis.service b/debian/amavisd-new.amavis.service
new file mode 100644
index 000..8ec7ef3
--- /dev/null
+++ b/debian/amavisd-new.amavis.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Interface between MTA and virus scanner/content filters
+Documentation=http://www.ijs.si/software/amavisd/#doc
+After=network.target
+
+[Service]
+User=amavis
+Group=amavis
+ExecStart=/usr/sbin/amavisd-new foreground
+ExecReload=/usr/sbin/amavisd-new reload
+ExecStartPre=-/usr/bin/find /var/lib/amavis -maxdepth 1 -name 'amavis-*' -type d -exec rm -rf "{}" \;
+ExecStartPre=-/usr/bin/find /var/lib/amavis/tmp -maxdepth 1 -name 'amavis-*' -type d -exec rm -rf "{}" \;
+Restart=on-failure
+PrivateTmp=true
+CapabilityBoundingSet=
+ProtectSystem=full
+ProtectHome=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/debian/amavisd-new.amavisd-snmp-subagent.service b/debian/amavisd-new.amavisd-snmp-subagent.service
new file mode 100644
index 000..6c32537
--- /dev/null
+++ b/debian/amavisd-new.amavisd-snmp-subagent.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Exports amavis SNMP data
+Documentation=http://www.ijs.si/software/amavisd/#doc
+After=network.target amavis.service
+
+[Service]
+User=amavis
+Group=amavis
+ExecStart=/usr/sbin/amavisd-snmp-subagent -f
+Restart=on-failure
+PrivateTmp=true
+CapabilityBoundingSet=
+ProtectSystem=full
+ProtectHome=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/debian/changelog b/debian/changelog
index ec28175..2ec262f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+amavisd-new (1:2.11.0-7) unstable; urgency=medium
+
+ * Add systemd service file. Closes: #738548.
+
+ -- Brian May Tue, 04 Feb 2020 07:58:33 +1100
+
amavisd-new (1:2.11.0-6.1) unstable; urgency=medium
* Non-maintainer upload.
diff --git a/debian/rules b/debian/rules
index 1919a8d..9ad9568 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,9 +7,13 @@
dh $@
override_dh_installinit:
+ dh_systemd_enable -pamavisd-new --name amavis
+ dh_systemd_enable -pamavisd-new --name amavis-mc --no-enable
+ dh_systemd_enable -pamavisd-new --name amavisd-snmp-subagent --no-enable
dh_installinit --name=amavis
dh_installinit --name=amavisd-snmp-subagent --no-enable
dh_installinit --name=amavis-mc --no-enable
+ dh_systemd_start -pamavisd-new --name amavis
override_dh_installchangelogs:
dh_installchangelogs -k RELEASE_NOTES
Bug#738548: systemd support
Andreas Henriksson writes: > The best would be if upstream could provide a set of recommended > service files (including security hardening settings). For the record, this has been raised before: https://groups.google.com/forum/#!msg/mailing.unix.amavis-user/gX_e87BOJfk/UxueACiuCQAJ -- Brian May
Bug#738548: systemd support
Hello Brian May, Thanks for your quick followup on this. On Tue, Feb 04, 2020 at 08:16:54AM +1100, Brian May wrote: > I have no objection to this other then technical issues. Plus the lack > of time on my behalf. I'm happy to help if you can provide the testing and review (as I don't personally use amavisd-new myself). I'm quite sure we can also get additional help from pkg-systemd-maintainers if they're asked to comment. > > I tried making this change, and found it appears to be incomplete, > lintian complains with the following errors: Yes I also noticed that the patch (as described, although not super obviously) only provides a service masking the amavis init script. This is however better than nothing. I hope we can make progress by not letting perfect be the enemy of good. > > E: amavisd-new: omitted-systemd-service-for-init.d-script amavis-mc > E: amavisd-new: omitted-systemd-service-for-init.d-script > amavisd-snmp-subagent > > Maybe we need some sort of disabled by default systemd file for these > services too? Preferably yes. I found that fedora packaging already contains a couple of service files that likely needs some minor tweaking (e.g. make the service file name match the debian init script name) to be proper substitutes for the debian init scripts, see: https://src.fedoraproject.org/rpms/amavis/tree/master (The debian amavisd-snmp-subagent init script also does something funky launching different daemon binaries depending on a variable setting which isn't replicated and I'm not sure how to accomplish or if it's even desired. A drop-in snippet overriding the ExecStart line is probably better if/when someone wants to change the command being used to start the daemon.) There's still one needed for amavis-mc, but it should follow the same style as the two others there. The security hardening settings (after the Restart=... line) need careful review so I'd suggest just dropping those for now until someone with intimate knowledge about the service can add them. The best would be if upstream could provide a set of recommended service files (including security hardening settings). Regards, Andreas Henriksson
Bug#738548: systemd support
Andreas Henriksson writes: > I'd like to ask if there are anything that requires attention before > https://bugs.debian.org/738548 can move forward? Help is available if > actionable problems are described. > > I'd like to remind you that policy now explicitly states that providing > native systemd units is recommended and we have a GR stating that > declarative solutions are preferred. I don't think we can get much > further into a decision-has-been-made territory. > > Seeing that this bug was opened over half a decade ago with patch > provided makes me quite sad about how broken the Debian development > model is and how pointless it apparently is to try to contribute > improvements. I have no objection to this other then technical issues. Plus the lack of time on my behalf. I tried making this change, and found it appears to be incomplete, lintian complains with the following errors: E: amavisd-new: omitted-systemd-service-for-init.d-script amavis-mc E: amavisd-new: omitted-systemd-service-for-init.d-script amavisd-snmp-subagent Maybe we need some sort of disabled by default systemd file for these services too? -- Brian May
Bug#738548: systemd support
Hello, I'd like to ask if there are anything that requires attention before https://bugs.debian.org/738548 can move forward? Help is available if actionable problems are described. I'd like to remind you that policy now explicitly states that providing native systemd units is recommended and we have a GR stating that declarative solutions are preferred. I don't think we can get much further into a decision-has-been-made territory. Seeing that this bug was opened over half a decade ago with patch provided makes me quite sad about how broken the Debian development model is and how pointless it apparently is to try to contribute improvements. Regards, Andreas Henriksson
Bug#738548: systemd support
On 11 February 2014 01:36, Alexander Wirt formo...@debian.org wrote: the attached patch adds a systemd service file for the main amavisd-new daemon. There are some slight changes in comparison to the init script: * the daemon will start, if there are *.disabled files around for configuration files (this was seemingly introduced in 2006, because of a configuration change, so I guess this is probably not needed anymore) * the tmp files will be deleted before the start of amavis The patch was tested against the current git version. This will only get applied until we have a decision about the initsystem. I think a decision has been made, so we can continue with this patch (or similar). It is worth perhaps noting that I don't see any downsides to applying this patch even if some future GR does reverse the TC decision, it will still work with sysvinit exactly as it does now, and regardless systemd isn't going to go away any time soon. -- Brian May br...@microcomaustralia.com.au
Bug#738548: systemd support
On Sun, 16 Feb 2014, Brian May wrote: On 11 February 2014 01:36, Alexander Wirt formo...@debian.org wrote: the attached patch adds a systemd service file for the main amavisd-new daemon. There are some slight changes in comparison to the init script: * the daemon will start, if there are *.disabled files around for configuration files (this was seemingly introduced in 2006, because of a configuration change, so I guess this is probably not needed anymore) * the tmp files will be deleted before the start of amavis The patch was tested against the current git version. This will only get applied until we have a decision about the initsystem. I think a decision has been made, so we can continue with this patch (or similar). It is worth perhaps noting that I don't see any downsides to applying this patch even if some future GR does reverse the TC decision, it will still work with sysvinit exactly as it does now, and regardless systemd isn't going to go away any time soon. Thats only half true. If the file is added, it has to be supported, debugged and so on. I wouldn't add this burden for any third party init system. But yes, the decision has been made. Alex -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#738548: systemd support
Package: amavisd-new
Version: 1:2.7.1-2
Severity: wishlist
Tags: patch
User: pkg-systemd-maintain...@lists.alioth.debian.org
Usertags: systemd-units
X-Debbugs-CC: pkg-systemd-maintain...@lists.alioth.debian.org
Hi,
the attached patch adds a systemd service file for the main amavisd-new
daemon. There are some slight changes in comparison to the init script:
* the daemon will start, if there are *.disabled files around for
configuration files (this was seemingly introduced in 2006, because of a
configuration change, so I guess this is probably not needed anymore)
* the tmp files will be deleted before the start of amavis
The patch was tested against the current git version.
diff -Nru amavisd-new-2.8.0/debian/amavisd-new.amavis.service amavisd-new-2.8.0/debian/amavisd-new.amavis.service
--- amavisd-new-2.8.0/debian/amavisd-new.amavis.service 1970-01-01 01:00:00.0 +0100
+++ amavisd-new-2.8.0/debian/amavisd-new.amavis.service 2014-02-08 17:40:16.0 +0100
@@ -0,0 +1,13 @@
+[Unit]
+Description=Interface between MTA and virus scanner/content filters
+After=network.target
+
+[Service]
+PIDFile=/run/amavis/amavisd.pid
+ExecStart=/usr/sbin/amavisd-new foreground
+ExecReload=/usr/sbin/amavisd-new reload
+ExecStartPre=-/usr/bin/find /var/lib/amavis -maxdepth 1 -name 'amavis-*' -type d -exec rm -rf {} \;
+ExecStartPre=-/usr/bin/find /var/lib/amavis/tmp -maxdepth 1 -name 'amavis-*' -type d -exec rm -rf {} \;
+
+[Install]
+WantedBy=multi-user.target
diff -Nru amavisd-new-2.8.0/debian/amavisd-new.amavis.tmpfile amavisd-new-2.8.0/debian/amavisd-new.amavis.tmpfile
--- amavisd-new-2.8.0/debian/amavisd-new.amavis.tmpfile 1970-01-01 01:00:00.0 +0100
+++ amavisd-new-2.8.0/debian/amavisd-new.amavis.tmpfile 2014-02-08 16:48:30.0 +0100
@@ -0,0 +1 @@
+d /run/amavis 0755 amavis amavis
diff -Nru amavisd-new-2.8.0/debian/control amavisd-new-2.8.0/debian/control
--- amavisd-new-2.8.0/debian/control 2014-02-08 01:10:52.0 +0100
+++ amavisd-new-2.8.0/debian/control 2014-02-07 18:37:17.0 +0100
@@ -4,7 +4,7 @@
Maintainer: Brian May b...@debian.org
Uploaders: Henrique de Moraes Holschuh h...@debian.org,
Alexander Wirt formo...@debian.org
-Build-Depends: debhelper (= 9), po-debconf, dh-exec
+Build-Depends: debhelper (= 9), po-debconf, dh-exec, dh-systemd
Standards-Version: 3.9.4
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=amavisd-new/pkg-amavisd-new.git;a=summary
Vcs-Git: git://anonscm.debian.org/amavisd-new/pkg-amavisd-new.git
diff -Nru amavisd-new-2.8.0/debian/rules amavisd-new-2.8.0/debian/rules
--- amavisd-new-2.8.0/debian/rules 2014-02-08 01:10:52.0 +0100
+++ amavisd-new-2.8.0/debian/rules 2014-02-07 22:15:51.0 +0100
@@ -7,8 +7,10 @@
dh $@
override_dh_installinit:
+ dh_systemd_enable
dh_installinit --name=amavis
dh_installinit --name=amavisd-snmp-subagent
+ dh_systemd_start
override_dh_installchangelogs:
dh_installchangelogs -k RELEASE_NOTES
Bug#738548: systemd support
On Mon, 10 Feb 2014, Christian Dröge wrote: Package: amavisd-new Version: 1:2.7.1-2 Severity: wishlist Tags: patch User: pkg-systemd-maintain...@lists.alioth.debian.org Usertags: systemd-units X-Debbugs-CC: pkg-systemd-maintain...@lists.alioth.debian.org Hi, the attached patch adds a systemd service file for the main amavisd-new daemon. There are some slight changes in comparison to the init script: * the daemon will start, if there are *.disabled files around for configuration files (this was seemingly introduced in 2006, because of a configuration change, so I guess this is probably not needed anymore) * the tmp files will be deleted before the start of amavis The patch was tested against the current git version. This will only get applied until we have a decision about the initsystem. thanks Alex -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#738548: [Pkg-systemd-maintainers] Bug#738548: systemd support
Hi, Am 10.02.2014 15:29, schrieb Christian Dröge: Package: amavisd-new Version: 1:2.7.1-2 Severity: wishlist Tags: patch User: pkg-systemd-maintain...@lists.alioth.debian.org Usertags: systemd-units X-Debbugs-CC: pkg-systemd-maintain...@lists.alioth.debian.org Hi, the attached patch adds a systemd service file for the main amavisd-new daemon. There are some slight changes in comparison to the init script: * the daemon will start, if there are *.disabled files around for configuration files (this was seemingly introduced in 2006, because of a configuration change, so I guess this is probably not needed anymore) * the tmp files will be deleted before the start of amavis The patch was tested against the current git version. @@ -7,8 +7,10 @@ dh $@ override_dh_installinit: + dh_systemd_enable dh_installinit --name=amavis dh_installinit --name=amavisd-snmp-subagent + dh_systemd_start My suggestion would be to use the dh addon like this. dh $@ --with systemd this will automatically insert dh_systemd_enable and dh_systemd_start at the right places. Michael -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? signature.asc Description: OpenPGP digital signature
