On Wed, Aug 17, 2016 at 10:23:51AM +0200, Lukas Slebodnik wrote:
> On (15/08/16 16:05), Jakub Hrozek wrote:
> >From 86a24747f45bdb3caeb8c36d63c74a08aed90421 Mon Sep 17 00:00:00 2001
> >From: Jakub Hrozek <jhro...@redhat.com>
> >Date: Mon, 15 Aug 2016 14:10:23 +0200
> >Subject: [PATCH 3/3] BUILD: Ship systemd service file for sssd-secrets
> >
> >Adds two new files: sssd-secrets.socket and sssd-secrets.service. These
> >can be used to socket-acticate the secrets responder even without
> >explicitly starting it in the sssd config file.
> >
> >The specfile activates the socket after installation which means that
> >the admin would just be able to use the secrets socket and the
> >sssd_secrets responder would be started automatically by systemd.
> >
> >The sssd-secrets responder is started as root, mostly because I didn't
> >think of an easy way to pass the uid/gid to the responders without
> >asking about the sssd user identity in the first place. But nonetheless,
> >the sssd-secrets responder wasn't tested as non-root and at least the
> >initialization should be performed as root for the time being.
> >---
> > Makefile.am | 21 +++++++++++++++++++--
> > contrib/sssd.spec.in | 5 +++++
> > src/sysv/systemd/sssd-secrets.service.in | 2 ++
> > src/sysv/systemd/sssd-secrets.socket.in | 5 +++++
> > 4 files changed, 31 insertions(+), 2 deletions(-)
> > create mode 100644 src/sysv/systemd/sssd-secrets.service.in
> > create mode 100644 src/sysv/systemd/sssd-secrets.socket.in
> >
> >diff --git a/Makefile.am b/Makefile.am
> >index
> >7c15bd7cdb336bc38f2055382121d73a3583b1e7..5d38fc96462356471f1f1506403b2d76961d485d
> > 100644
> >--- a/Makefile.am
> >+++ b/Makefile.am
> >@@ -3848,7 +3848,10 @@ systemdunit_DATA =
> > systemdconf_DATA =
> > if HAVE_SYSTEMD_UNIT
> > systemdunit_DATA += \
> >- src/sysv/systemd/sssd.service
> >+ src/sysv/systemd/sssd.service \
> >+ src/sysv/systemd/sssd-secrets.socket \
> >+ src/sysv/systemd/sssd-secrets.service \
> >+ $(NULL)
> > if WITH_JOURNALD
> > systemdconf_DATA += \
> > src/sysv/systemd/journal.conf
> >@@ -3886,6 +3889,7 @@ edit_cmd = $(SED) \
> > -e 's|@sbindir[@]|$(sbindir)|g' \
> > -e 's|@environment_file[@]|$(environment_file)|g' \
> > -e 's|@localstatedir[@]|$(localstatedir)|g' \
> >+ -e 's|@libexecdir[@]|$(libexecdir)|g' \
> > -e 's|@prefix[@]|$(prefix)|g'
> >
> > replace_script = \
> >@@ -3897,7 +3901,10 @@ replace_script = \
> >
> > EXTRA_DIST += \
> > src/sysv/systemd/sssd.service.in \
> >- src/sysv/systemd/journal.conf.in
> >+ src/sysv/systemd/journal.conf.in \
> >+ src/sysv/systemd/sssd-secrets.socket.in \
> >+ src/sysv/systemd/sssd-secrets.service.in \
> >+ $(NULL)
> >
> > src/sysv/systemd/sssd.service: src/sysv/systemd/sssd.service.in Makefile
> > @$(MKDIR_P) src/sysv/systemd/
> >@@ -3907,6 +3914,14 @@ src/sysv/systemd/journal.conf:
> >src/sysv/systemd/journal.conf.in Makefile
> > @$(MKDIR_P) src/sysv/systemd/
> > $(replace_script)
> >
> >+src/sysv/systemd/sssd-secrets.socket:
> >src/sysv/systemd/sssd-secrets.socket.in Makefile
> >+ @$(MKDIR_P) src/sysv/systemd/
> >+ $(replace_script)
> >+
> >+src/sysv/systemd/sssd-secrets.service:
> >src/sysv/systemd/sssd-secrets.service.in Makefile
> >+ @$(MKDIR_P) src/sysv/systemd/
> >+ $(replace_script)
> >+
> > SSSD_USER_DIRS = \
> > $(DESTDIR)$(dbpath) \
> > $(DESTDIR)$(keytabdir) \
> >@@ -4122,6 +4137,8 @@ endif
> > done;
> > rm -Rf ldb_mod_test_dir
> > rm -f $(builddir)/src/sysv/systemd/sssd.service
> >+ rm -f $(builddir)/src/sysv/systemd/sssd-secrets.socket
> >+ rm -f $(builddir)/src/sysv/systemd/sssd-secrets.service
> > rm -f $(builddir)/src/sysv/systemd/journal.conf
> >
> > CLEANFILES += *.X */*.X */*/*.X
> >diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
> >index
> >a9a43560e61acf1cb4b2388d50303587252c2c19..b58eebba54a82a041f72507b430ceca708a34632
> > 100644
> >--- a/contrib/sssd.spec.in
> >+++ b/contrib/sssd.spec.in
> >@@ -746,6 +746,8 @@ done
> > %{_sbindir}/sssd
> > %if (0%{?use_systemd} == 1)
> > %{_unitdir}/sssd.service
> >+%{_unitdir}/sssd-secrets.socket
> >+%{_unitdir}/sssd-secrets.service
> > %else
> > %{_initrddir}/%{name}
> > %endif
> >@@ -1077,12 +1079,15 @@ getent passwd sssd >/dev/null || useradd -r -g sssd
> >-d / -s /sbin/nologin -c "Us
> > # systemd
> > %post common
> > %systemd_post sssd.service
> >+%systemd_post sssd-secrets.socket
> >
> > %preun common
> > %systemd_preun sssd.service
> >+%systemd_preun sssd-secrets.socket
> >
> > %postun common
> > %systemd_postun_with_restart sssd.service
> >+%systemd_postun_with_restart sssd-secrets.socket
> >
> systemd_post and systemd_preun should be used just with *.socket
> Because you do not want to directly enable/disable socket activated service
>
> systemd_postun_with_restart is an alias for "systemctl try-restart"
> for package upgrade. So we shoudl try to restart sssd-secrets.service
I agree about not starting, but are you sure about not *enabling*? I can
test that, but I thought that if the service wasn't enabled, then
systemd wouldn't start it.
>
> > %else
> > # sysv
> >diff --git a/src/sysv/systemd/sssd-secrets.service.in
> >b/src/sysv/systemd/sssd-secrets.service.in
> >new file mode 100644
> >index
> >0000000000000000000000000000000000000000..4236cc2eb85c83c574da8a96ca9d760922aacbd9
> >--- /dev/null
> >+++ b/src/sysv/systemd/sssd-secrets.service.in
> >@@ -0,0 +1,2 @@
> >+[Service]
> >+ExecStart=@libexecdir@/sssd/sssd_secrets --uid 0 --gid 0 --debug-to-files
>
> I checked another socket activated service (cups, pcscd)
> and they have "Also=$name.socket" in Install section for service
> But on the other hand other socket activated services(cockpit, dbus,
> systemd-journald) does not have it. So I'm not sure whether we need it.
Hmm, Also= seems to imply that if the service is enabled, the socket
should be enabled as well, which IMO makes sense. So I will add it.
>
>
> Anyway, It would be good to add "[Unit]" section to both files + Description
> and later also Documentation=man:$name($number)
Do we need Unit? I thought that if it's not set, then systemd would use
the same name as the socket for the service. But I /can/ add it if you
prefer.
I'm still working on the manpage..
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
