Adrián Bíro

SystemD Notes

Service management

List the unit states --state= accepts systemctl list-units --state=help

List the queued jobs systemctl list-jobs

systemctl list-units --type service --state=active

List failed units systemctl list-units --failed

List services enabled on boot systemctl list-unit-files --state=enabled

Prevent a service from starting, even manually or as a dependency (links the unit to /dev/null; undo with unmask) systemctl mask <name>

Monitor a config file for changes with systemd.path

cat > /etc/systemd/system/<name>.service << EOF
[Unit]
Description=<Name>
# After= only orders; Wants= makes sure network-online.target is actually pulled in
Wants=network-online.target
After=network-online.target

[Service]
Environment="PORT=9879"
Environment="HOST=::"
ExecStart=/usr/bin/<pwsh> /opt/<name> -start
Restart=always

[Install]
WantedBy=multi-user.target
EOF

Rebuild service (Type=oneshot, runs to completion each time it is activated)

cat > /etc/systemd/system/<name>-rebuild.service << EOF
[Unit]
Description=Rebuild on Config Changes

[Service]
Type=oneshot
ExecStart=/usr/bin/<pwsh> --cwd=/opt/<name> -build
EOF

Create a systemd.path unit that activates the rebuild service when the config file changes. A .path unit with no Unit= in [Path] activates the service of the same name, so <name>-rebuild.path starts <name>-rebuild.service. PathChanged= fires when the watched file is closed after being written; use PathModified= to fire on every write.

cat > /etc/systemd/system/<name>-rebuild.path << EOF
[Unit]
Description=Monitor Config for Changes

[Path]
PathChanged=/opt/<name>/conf.xml

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now <name>
systemctl enable --now <name>-rebuild.path
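The notes rely on the implicit mapping from <name>-rebuild.path to <name>-rebuild.service. The script below is an added example (not from these notes) that reads a .path unit, prints what it watches and which service it will activate using systemd's rule (Unit= in [Path], else the same basename with .service), and checks that the activated service exists beside it and that the unit has an [Install] section. The sample units it writes to a temp directory are constructed stand-ins for /etc/systemd/system; the app-rebuild and broken unit names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the notes): resolve what a systemd .path unit watches
# and which service it activates, using systemd's own rule:
# Unit= in [Path] if set, otherwise <same name>.service.
set -eu

# unit_value FILE KEY -> last value of KEY= in FILE (empty if unset)
unit_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# path_unit_target FILE.path -> service activated when a watch triggers
path_unit_target() {
    local target
    target=$(unit_value "$1" Unit)
    [ -n "$target" ] || target="$(basename "$1" .path).service"
    printf '%s\n' "$target"
}

# path_unit_watches FILE.path -> one "DIRECTIVE PATH" line per watch
path_unit_watches() {
    awk '/^[ \t]*(PathExists|PathExistsGlob|PathChanged|PathModified|DirectoryNotEmpty)=/ {
        key = $0; sub(/=.*/, "", key); sub(/^[ \t]*/, "", key)
        val = $0; sub(/^[^=]*=/, "", val)
        print key, val
    }' "$1"
}

# check_path_unit FILE.path -> 0 if the activated service exists next to it and
# the unit has an [Install] section (without one, `systemctl enable` fails)
check_path_unit() {
    local dir target rc=0
    dir=$(dirname "$1")
    target=$(path_unit_target "$1")
    if [ ! -f "$dir/$target" ]; then
        echo "$1: activates $target, but $dir/$target does not exist" >&2
        rc=1
    fi
    if ! grep -q '^\[Install\]' "$1"; then
        echo "$1: no [Install] section, cannot be enabled at boot" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample units (a stand-in for /etc/systemd/system) for the demo.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/app-rebuild.service" <<'EOF'
[Unit]
Description=Rebuild on Config Changes
[Service]
Type=oneshot
ExecStart=/usr/bin/true
EOF
cat > "$demo_dir/app-rebuild.path" <<'EOF'
[Unit]
Description=Monitor Config for Changes
[Path]
PathChanged=/opt/app/conf.xml
[Install]
WantedBy=multi-user.target
EOF
# Explicit Unit= pointing at a service that is not installed, and no [Install].
cat > "$demo_dir/broken.path" <<'EOF'
[Path]
PathModified=/opt/app/conf.xml
Unit=missing.service
EOF

for unit in "$demo_dir"/*.path; do
    echo "$unit -> $(path_unit_target "$unit")"
    path_unit_watches "$unit"
    if check_path_unit "$unit"; then echo "$unit: OK"; fi
done
```

Run it against a real unit directory by pointing the loop at /etc/systemd/system/*.path; the check catches the two things that silently break this setup: a .path whose name (or Unit=) does not match an installed service, and a .path with no [Install] section that therefore never comes up after a reboot.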

Minimal service unit

exec service unit (/etc/systemd/system/monitor.service)

[Unit]
Description=Monitor
# After= only orders; Wants= makes sure network-online.target is actually pulled in
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/perl /opt/monitor/main.pl -n <n>
Restart=always

[Install]
WantedBy=multi-user.target

Keep unit files root-owned and not group- or world-writable; whoever can edit a unit in /etc/systemd/system runs code as root the next time it starts.

chmod 644 /etc/systemd/system/monitor.service

Boot target

systemctl get-default
systemctl set-default graphical.target
systemctl isolate multi-user.target

Rescue mode

systemctl rescue

systemd-analyze

Reports the boot time broken down into how long the kernel (and initrd, if any) took before entering userspace and how long the userspace units took to reach the default target.

systemd-analyze

List units ordered by how long each one took to start

systemd-analyze blame

optimizing systemd

Hardening

systemd-analyze security <service_name> (exposure score per sandboxing setting; 0 is tightest, 10 is most exposed)

See systemd.exec(5) for the sandboxing options used below.

See systemd.resource-control(5) for CPU, memory and I/O limits.

...
[Service]
ExecStart=/usr/sbin/<progname> -n
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=2
# Hardening
# No User= here, so the process still runs as root (uid 0); add User= or DynamicUser=yes wherever the program allows it
CapabilityBoundingSet=
LockPersonality=yes
# Forbids writable+executable memory; breaks JIT runtimes (.NET/pwsh, Java, V8)
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Creates /var/lib/<progname> and keeps it writable under ProtectSystem=strict, so a broad ReadWritePaths=/var/lib is not needed
StateDirectory=<progname>
...
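systemd-analyze security needs a running systemd and an installed unit. The script below is an added example (not from these notes) of a lightweight offline audit you can run on unit files before deploying them: it flags a unit file that is group- or world-writable (the chmod point above) and lists which of the hardening directives from the snippet above are missing. It also flags a service with neither User= nor DynamicUser=, which the snippet above does not set. The directive list and the two sample units it writes to a temp directory are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the notes): offline audit of unit files for
# (1) group/world-writable permissions and (2) missing sandboxing directives.
# The directive list is an assumption; adjust it to your own policy.
set -eu

# Directives a hardened [Service] is expected to carry (from the snippet above).
HARDENING_KEYS="NoNewPrivileges ProtectSystem ProtectHome PrivateTmp PrivateDevices
CapabilityBoundingSet ProtectKernelTunables ProtectKernelModules ProtectKernelLogs
ProtectControlGroups RestrictSUIDSGID RestrictNamespaces RestrictRealtime LockPersonality"

# has_directive FILE KEY -> 0 if KEY= appears in FILE (an empty value counts)
has_directive() {
    grep -q "^[[:space:]]*$2=" "$1"
}

# unit_missing_hardening FILE -> prints one missing directive per line
unit_missing_hardening() {
    local key
    # Running as root is the biggest gap: require User= or DynamicUser=.
    if ! has_directive "$1" User && ! has_directive "$1" DynamicUser; then
        echo "User"
    fi
    for key in $HARDENING_KEYS; do
        has_directive "$1" "$key" || echo "$key"
    done
}

# unit_file_perms_ok FILE -> 0 unless the file is group- or world-writable
# (anyone who can edit a unit in /etc/systemd/system can run code as root)
unit_file_perms_ok() {
    local mode
    mode=$(ls -ld "$1" | cut -c1-10)     # e.g. -rw-r--r--
    case "$mode" in
        ?????w*|????????w?) return 1 ;;
    esac
    return 0
}

# audit_unit FILE -> prints findings, returns 1 if there are any
audit_unit() {
    local rc=0 missing
    if ! unit_file_perms_ok "$1"; then
        echo "$1: unit file is group/world-writable (use chmod 644)"
        rc=1
    fi
    missing=$(unit_missing_hardening "$1")
    if [ -n "$missing" ]; then
        echo "$1: missing $(printf '%s' "$missing" | tr '\n' ' ')"
        rc=1
    fi
    return $rc
}

# Constructed sample units for the demo (not real services).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/hardened.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/progname -n
User=progname
CapabilityBoundingSet=
LockPersonality=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
StateDirectory=progname
EOF
cat > "$demo_dir/weak.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/progname -n
EOF
chmod 664 "$demo_dir/weak.service"

for unit in "$demo_dir"/*.service; do
    if audit_unit "$unit"; then echo "$unit: OK"; fi
done
```

Point the loop at /etc/systemd/system/*.service to audit a host. A missing directive is a finding, not necessarily a bug: MemoryDenyWriteExecute= is left out of the list on purpose because it breaks JIT runtimes, and a service that genuinely needs a capability should set CapabilityBoundingSet= to that capability rather than leaving it unset.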

Files

/etc/systemd/system (local units and overrides; highest precedence) /run/systemd/system (runtime units) /usr/lib/systemd/system (package-installed units). A unit in /etc shadows one of the same name in /run or /usr/lib.

managing system services with systemctl