Commit Graph

17 Commits

Author SHA1 Message Date
Badlop 5f3c8dcca4 Use the configured user in systemd's ejabberd.service 2021-10-21 16:12:38 +02:00
Holger Weiss 7844d86ea3 Allow for listening on privileged ports
Let systemd give ejabberd the capability to bind to ports below 1024.
2021-01-06 18:56:08 +01:00
Holger Weiss 6f026ca26d Integrate nicely with systemd
Support systemd's watchdog feature and enable it by default in the unit
file, so that ejabberd is auto-restarted if the VM becomes unresponsive.
Also, set the systemd startup type to 'notify', so that startup of
followup units is delayed until ejabberd signals readiness.  While at
it, also notify systemd of configuration reload and shutdown states.

Note: "NotifyAccess=all" is required as long as "ejabberdctl foreground"
runs the VM as a new child process, rather than "exec"ing it.  This way,
systemd views the ejabberdctl process itself as the main service
process, and would discard notifications from other processes by
default.
2021-01-06 00:20:12 +01:00
Andreas Oberritter 5c6ffaafd6 Let systemd start ejabberd in foreground
Daemons started by systemd shouldn't fork into the background if
possible, because if multiple forked processes exist, systemd has
a hard time determining the main process ID.

In a memory constrained environment, the OOM killer may cause
ejabberd to exit without any trace. Because epmd keeps running,
systemd wouldn't notice the error condition, and as a result it
won't restart the server.

With ejabberd running in foreground, systemd is able to obtain the
correct exit code (137 in this case, instead of 0) and schedules a
restart. The administrator can then see what happend by looking at
systemctl status ejabberd.
2020-11-19 20:43:51 +01:00
Holger Weiss 00534d4566 Increase start-up/stop timeout in systemd unit
On slow systems, it can take quite a while for "ejabberdctl started"
and/or "ejabberdctl stopped" to return.
2018-06-07 17:40:05 +02:00
Holger Weiss ed792274e3 Omit "ProtectSystem" option from systemd unit
With "ProtectSystem", /usr is mounted read-only, so things will fail
when e.g. /usr/local is used as the installation prefix.  Whether such
options make sense depends on the environment, so they should rather be
set by package maintainers and/or admins.
2017-10-28 21:31:04 +02:00
Holger Weiss 519f3db6b6 Specify "ExecReload" command in systemd unit
Now that "ejabberdctl reload_config" works the way most admins would
expect, expose the command via systemd.
2017-02-23 18:16:56 +01:00
Holger Weiss 1bdbe54442 Let systemd stop ejabberd gracefully
Make sure the "ExecStop" command line blocks until ejabberd is actually
stopped.  This prevents systemd from killing the ejabberd process(es)
immediately.

Also, let the "ExecStart" command line block until ejabberd's startup is
completed.  This makes sure that services which depend on ejabberd
aren't started up too early.
2016-10-20 00:27:50 +02:00
Holger Weiss a5e737157c Increase file descriptor limit in systemd unit
16,000 file descriptors will only suffice for small setups.
2016-10-20 00:12:02 +02:00
Holger Weiss 0a3fcc9ade Don't specify "ExecReload" command in systemd unit
The "reload_config" command doesn't work the way admins would typically
expect, so it shouldn't be exposed via systemd.  Those who understand
the behavior can execute the command using ejabberdctl.
2016-10-19 23:37:26 +02:00
Holger Weiss 7621564839 Let systemd restart ejabberd on failure
The "RestartSec=5" setting has no effect if "Restart" is not also
specified.
2016-10-19 23:35:22 +02:00
Holger Weiss 686305bb21 Use "Type=forking" in systemd unit
ejabberd is not a "oneshot" process.
2016-10-19 23:32:07 +02:00
Holger Weiss c3b62d2f75 Don't set "NoNewPrivileges" in systemd unit
The "NoNewPrivileges" setting breaks some PAM and extauth setups.

Fixes #1281.
2016-10-19 23:29:46 +02:00
Holger Weiss f56840a682 Don't let systemd hide /home and /tmp
Admins might expect ejabberd to be able to access data below /home or
/tmp.  For example, they might use those locations to dump/restore
Mnesia backups, or as a document root for mod_http_fileserver or
mod_http_upload.

Fixes #1297.
2016-10-19 23:11:26 +02:00
Craig Andrews 2e28d06744 Harden the systemd unit
Restrict capabilities, have a private tmp directory, private /dev, and don't accessing file system locations that really shouldn't be accessed.
2016-06-28 17:02:41 -04:00
Christophe Romain 914578a85e Fix start via systemd (#978) 2016-03-24 11:06:42 +01:00
Christophe Romain e0ffcbe45d Add script for systemd (Guthub #434) 2015-02-23 15:52:18 +01:00