From f56840a68271c52fa17a51f7de2601e55da14018 Mon Sep 17 00:00:00 2001
From: Holger Weiss
Date: Wed, 19 Oct 2016 23:11:26 +0200
Subject: [PATCH 1/7] Don't let systemd hide /home and /tmp

Admins might expect ejabberd to be able to access data below /home or /tmp. For example, they might use those locations to dump/restore Mnesia backups, or as a document root for mod_http_fileserver or mod_http_upload. Fixes #1297.
---
 ejabberd.service.template | 2 --
 1 file changed, 2 deletions(-)

diff --git a/ejabberd.service.template b/ejabberd.service.template
index 49ba14737..fdb8fd0b7 100644
--- a/ejabberd.service.template
+++ b/ejabberd.service.template
@@ -14,9 +14,7 @@ Type=oneshot
 RemainAfterExit=yes
 # The CAP_DAC_OVERRIDE capability is required for pam authentication to work
 CapabilityBoundingSet=CAP_DAC_OVERRIDE
-PrivateTmp=true
 PrivateDevices=true
-ProtectHome=true
 ProtectSystem=full
 NoNewPrivileges=true
 

From c3b62d2f75d70a6a6069f4e6a49c374e2fd52809 Mon Sep 17 00:00:00 2001
From: Holger Weiss
Date: Wed, 19 Oct 2016 23:29:46 +0200
Subject: [PATCH 2/7] Don't set "NoNewPrivileges" in systemd unit

The "NoNewPrivileges" setting breaks some PAM and extauth setups. Fixes #1281.
---
 ejabberd.service.template | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/ejabberd.service.template b/ejabberd.service.template
index fdb8fd0b7..4a2635776 100644
--- a/ejabberd.service.template
+++ b/ejabberd.service.template
@@ -12,11 +12,8 @@ ExecStop=@ctlscriptpath@/ejabberdctl stop
 ExecReload=@ctlscriptpath@/ejabberdctl reload_config
 Type=oneshot
 RemainAfterExit=yes
-# The CAP_DAC_OVERRIDE capability is required for pam authentication to work
-CapabilityBoundingSet=CAP_DAC_OVERRIDE
 PrivateDevices=true
 ProtectSystem=full
-NoNewPrivileges=true
 
 [Install]
 WantedBy=multi-user.target

From 686305bb2174c0c8b8cc9c1b4a5635567a90b519 Mon Sep 17 00:00:00 2001
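Review bot: Dropping `ProtectHome=true` and `PrivateTmp=true` for every installation widens the service's filesystem view on behalf of the subset of admins who keep Mnesia dumps or mod_http_fileserver/mod_http_upload roots under /home or /tmp; the narrower fix is to keep both directives in the shipped unit and document the override, since an admin can lift them per host with a drop-in (`systemctl edit ejabberd`, then `[Service]` / `ProtectHome=false` / `PrivateTmp=false`). If the defaults are relaxed anyway, a comment in the unit such as `# ProtectHome/PrivateTmp are deliberately unset so that Mnesia backups and HTTP document roots under /home or /tmp stay reachable; re-enable them in a drop-in if you do not need that` keeps the reasoning next to the setting instead of only in the commit message. Note also that without PrivateTmp anything ejabberd writes to /tmp lands in the shared, world-writable /tmp, so backups dumped there should not be assumed private.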
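Review bot: The hunk removes `CapabilityBoundingSet=CAP_DAC_OVERRIDE` together with `NoNewPrivileges=true`, but the commit message attributes the PAM/extauth breakage only to NoNewPrivileges; once NoNewPrivileges is gone, the bounding set is the one thing that still limits a setuid PAM helper executed by ejabberd, so removing it lets such a helper obtain the full root capability set instead of only CAP_DAC_OVERRIDE. I would keep `CapabilityBoundingSet=CAP_DAC_OVERRIDE` and its comment line and delete only `NoNewPrivileges=true`, unless the bounding set was also shown to break those setups. Worth verifying as well: on systemd versions where `PrivateDevices=true` implies NoNewPrivileges for services not running as root, dropping the explicit line may not actually re-enable setuid helpers, so the fix should be confirmed against the whole unit (`User=ejabberd` is set above this hunk).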
From: Holger Weiss
Date: Wed, 19 Oct 2016 23:32:07 +0200
Subject: [PATCH 3/7] Use "Type=forking" in systemd unit

ejabberd is not a "oneshot" process.
---
 ejabberd.service.template | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ejabberd.service.template b/ejabberd.service.template
index 4a2635776..7322e07c3 100644
--- a/ejabberd.service.template
+++ b/ejabberd.service.template
@@ -3,6 +3,7 @@ Description=XMPP Server
 After=network.target
 
 [Service]
+Type=forking
 User=ejabberd
 Group=ejabberd
 LimitNOFILE=16000
@@ -10,8 +11,6 @@ RestartSec=5
 ExecStart=@ctlscriptpath@/ejabberdctl start
 ExecStop=@ctlscriptpath@/ejabberdctl stop
 ExecReload=@ctlscriptpath@/ejabberdctl reload_config
-Type=oneshot
-RemainAfterExit=yes
 PrivateDevices=true
 ProtectSystem=full
 

From 76215648396144ea7b8268e040de67b96b75dd83 Mon Sep 17 00:00:00 2001
From: Holger Weiss
Date: Wed, 19 Oct 2016 23:35:22 +0200
Subject: [PATCH 4/7] Let systemd restart ejabberd on failure

The "RestartSec=5" setting has no effect if "Restart" is not also specified.
---
 ejabberd.service.template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ejabberd.service.template b/ejabberd.service.template
index 7322e07c3..ff159f85c 100644
--- a/ejabberd.service.template
+++ b/ejabberd.service.template
@@ -7,6 +7,7 @@ Type=forking
 User=ejabberd
 Group=ejabberd
 LimitNOFILE=16000
+Restart=on-failure
 RestartSec=5
 ExecStart=@ctlscriptpath@/ejabberdctl start
 ExecStop=@ctlscriptpath@/ejabberdctl stop

From 0a3fcc9adea3db4c92bbb2a6d9d2b8ff5b8c8675 Mon Sep 17 00:00:00 2001
From: Holger Weiss
Date: Wed, 19 Oct 2016 23:37:26 +0200
Subject: [PATCH 5/7] Don't specify "ExecReload" command in systemd unit

The "reload_config" command doesn't work the way admins would typically expect, so it shouldn't be exposed via systemd. Those who understand the behavior can execute the command using ejabberdctl.
---
 ejabberd.service.template | 1 -
 1 file changed, 1 deletion(-)
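Review bot: `Type=forking` is added without a `PIDFile=`, so systemd has to guess the main PID from whatever processes remain in the cgroup after `ejabberdctl start` returns, and a wrong guess affects `ExecStop`, failure detection for `Restart=` and what `systemctl status` reports (ejabberdctl start presumably detaches the Erlang node; its implementation is not visible here). If ejabberdctl can be made to write a pid file, add `PIDFile=<path to ejabberd pid file>` directly under `Type=forking`; otherwise a comment such as `# No PIDFile=: systemd guesses the main PID of the detached node` would at least document the limitation. The `[Service]` section continues past the end of this hunk.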
diff --git a/ejabberd.service.template b/ejabberd.service.template
index ff159f85c..80f023889 100644
--- a/ejabberd.service.template
+++ b/ejabberd.service.template
@@ -11,7 +11,6 @@ Restart=on-failure
 RestartSec=5
 ExecStart=@ctlscriptpath@/ejabberdctl start
 ExecStop=@ctlscriptpath@/ejabberdctl stop
-ExecReload=@ctlscriptpath@/ejabberdctl reload_config
 PrivateDevices=true
 ProtectSystem=full
 

From a5e737157c2e2b17f745334441a0aa59df08c0a6 Mon Sep 17 00:00:00 2001
From: Holger Weiss
Date: Thu, 20 Oct 2016 00:12:02 +0200
Subject: [PATCH 6/7] Increase file descriptor limit in systemd unit

16,000 file descriptors will only suffice for small setups.
---
 ejabberd.service.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ejabberd.service.template b/ejabberd.service.template
index 80f023889..560a93265 100644
--- a/ejabberd.service.template
+++ b/ejabberd.service.template
@@ -6,7 +6,7 @@ After=network.target
 Type=forking
 User=ejabberd
 Group=ejabberd
-LimitNOFILE=16000
+LimitNOFILE=65536
 Restart=on-failure
 RestartSec=5
 ExecStart=@ctlscriptpath@/ejabberdctl start

From 1bdbe54442098ed4c54219de834f22109a4e9868 Mon Sep 17 00:00:00 2001
From: Holger Weiss
Date: Thu, 20 Oct 2016 00:27:50 +0200
Subject: [PATCH 7/7] Let systemd stop ejabberd gracefully

Make sure the "ExecStop" command line blocks until ejabberd is actually stopped. This prevents systemd from killing the ejabberd process(es) immediately. Also, let the "ExecStart" command line block until ejabberd's startup is completed. This makes sure that services which depend on ejabberd aren't started up too early.
---
 ejabberd.service.template | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ejabberd.service.template b/ejabberd.service.template
index 560a93265..a70d2254d 100644
--- a/ejabberd.service.template
+++ b/ejabberd.service.template
@@ -9,8 +9,8 @@ Group=ejabberd
 LimitNOFILE=65536
 Restart=on-failure
 RestartSec=5
-ExecStart=@ctlscriptpath@/ejabberdctl start
-ExecStop=@ctlscriptpath@/ejabberdctl stop
+ExecStart=/bin/sh -c '@ctlscriptpath@/ejabberdctl start && @ctlscriptpath@/ejabberdctl started'
+ExecStop=/bin/sh -c '@ctlscriptpath@/ejabberdctl stop && @ctlscriptpath@/ejabberdctl stopped'
 PrivateDevices=true
 ProtectSystem=full
 
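Review bot: The new `ExecStart` now blocks until `ejabberdctl started` returns, but nothing in the visible part of the unit sets `TimeoutStartSec=`, so a start that legitimately takes longer than systemd's default start timeout (a large Mnesia database, for instance) gets the waiting shell killed and the whole cgroup terminated, which is exactly the abrupt kill the commit wants to avoid; the same holds for the new `ExecStop` and `TimeoutStopSec=`. I'd add `TimeoutStartSec=` and `TimeoutStopSec=` values at least as long as `ejabberdctl started`/`stopped` are themselves willing to wait (those wait times are not visible here). As a matter of style, the `/bin/sh -c` wrapper could be dropped in favour of `ExecStart=@ctlscriptpath@/ejabberdctl start` with `ExecStartPost=@ctlscriptpath@/ejabberdctl started`, and `ExecStop=@ctlscriptpath@/ejabberdctl stop` with `ExecStopPost=@ctlscriptpath@/ejabberdctl stopped`, which gates the active/inactive transitions the same way without a shell and without embedding `@ctlscriptpath@` inside a single-quoted string; note that ExecStopPost also runs when ExecStop fails, so that swap is not fully equivalent.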