From bd69e5c18799ab5696e9e19415249af3d41fbe08 Mon Sep 17 00:00:00 2001
From: Paul Menzel
Date: Sun, 1 Nov 2020 12:49:10 +0100
Subject: [PATCH 1/7] systemd: Add service unit for eturnal.service
Taken [from upstream][1]. With `LogsDirectory=eturnal`, eturnal currently logs to `/var/log/eturnal/eturnal.log`.
[1]: https://github.com/processone/eturnal/blob/master/config/eturnal.service
---
install.sh | 1 +
misc_systemd_units/eturnal.service | 26 ++++++++++++++++++++++++++
2 files changed, 27 insertions(+)
create mode 100644 misc_systemd_units/eturnal.service
diff --git a/install.sh b/install.sh
index b74629b..32f0461 100755
--- a/install.sh
+++ b/install.sh
@@ -161,6 +161,7 @@ install_data misc_systemd_units/named.service "$DESTDIR$systemdunitdi
 install_data misc_systemd_units/tonerlow-cupsd.service "$DESTDIR$systemdunitdir/tonerlow-cupsd.service"
 install_data misc_systemd_units/baucamhttpd.service "$DESTDIR$systemdunitdir/baucamhttpd.service"
 install_data misc_systemd_units/getcams.service "$DESTDIR$systemdunitdir/getcams.service"
+install_data misc_systemd_units/eturnal.service "$DESTDIR$systemdunitdir/eturnal.service"
 install_exec blink/blinkd.py "$DESTDUR$udev_helperdir/blinkd.py"
 install_data blink/blinkd.service "$DESTDIR$systemdunitdir/blinkd.service"
 install_data blink/51-blink.rules "$DESTDIR$udev_rulesdir/51-blink.rules"
diff --git a/misc_systemd_units/eturnal.service b/misc_systemd_units/eturnal.service
new file mode 100644
index 0000000..ede0c61
--- /dev/null
+++ b/misc_systemd_units/eturnal.service
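Review bot: The context line two below the added one, `install_exec blink/blinkd.py "$DESTDUR$udev_helperdir/blinkd.py"`, uses `$DESTDUR`, which looks like a typo for `$DESTDIR`; unless `DESTDUR` is deliberately set somewhere, that helper is installed outside the staging prefix (or, under `set -u`, the script aborts there). The added `install_data` line itself matches its neighbours. The typo is pre-existing rather than introduced here, but it sits in the same run of install calls and is worth a follow-up: `install_exec blink/blinkd.py "$DESTDIR$udev_helperdir/blinkd.py"`. The run of install calls continues outside the hunk.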
@@ -0,0 +1,26 @@
+[Unit]
+Description=eturnal STUN/TURN server
+Wants=epmd.service
+After=epmd.service network.target
+Documentation=https://eturnal.net/documentation/
+Documentation=https://github.com/processone/eturnal/blob/1.4.1/README.md
+Documentation=https://github.com/processone/eturnal/blob/1.4.1/CHANGELOG.md
+
+[Service]
+Type=notify
+User=eturnprj
+ExecStart=/project/eturnal/eturnal-current/bin/eturnalctl foreground
+ExecReload=/project/eturnal/eturnal-current/bin/eturnalctl reload
+ExecStop=/project/eturnal/eturnal-current/bin/eturnalctl stop
+Restart=on-failure
+RestartSec=3
+WatchdogSec=30
+LimitNOFILE=50000
+RuntimeDirectory=eturnal
+LogsDirectory=eturnal
+ProtectSystem=full
+NoNewPrivileges=true
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
From 4d2ce76e753c808c588ddefc5bb746451efb5a24 Mon Sep 17 00:00:00 2001
From: Paul Menzel
Date: Sun, 1 Nov 2020 13:13:12 +0100
Subject: [PATCH 2/7] eturnal: Set env variable `ETURNAL_ETC_PREFIX` for configuration file
With `ETURNAL_ETC_PREFIX=/project/eturnal` eturnal uses `/project/eturnal/etc/eturnal.yml`.
---
misc_systemd_units/eturnal.service | 1 +
1 file changed, 1 insertion(+)
diff --git a/misc_systemd_units/eturnal.service b/misc_systemd_units/eturnal.service
index ede0c61..c23873c 100644
--- a/misc_systemd_units/eturnal.service
+++ b/misc_systemd_units/eturnal.service
@@ -9,6 +9,7 @@ Documentation=https://github.com/processone/eturnal/blob/1.4.1/CHANGELOG.md
 [Service]
 Type=notify
 User=eturnprj
+Environment=ETURNAL_ETC_PREFIX=/project/eturnal
 ExecStart=/project/eturnal/eturnal-current/bin/eturnalctl foreground
 ExecReload=/project/eturnal/eturnal-current/bin/eturnalctl reload
 ExecStop=/project/eturnal/eturnal-current/bin/eturnalctl stop
From f95afb4e029e209d04bb8f12303a4072c197d5c5 Mon Sep 17 00:00:00 2001
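Review bot: The `[Service]` section grants `AmbientCapabilities=CAP_NET_BIND_SERVICE` but leaves the capability bounding set unrestricted; `NoNewPrivileges=true` already blocks gains via setuid or file capabilities, but `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` is the conventional companion line so the unit both documents and enforces the single capability the server needs. Since the unit already takes the hardening route with `ProtectSystem=` and `NoNewPrivileges=`, `ProtectHome=true`, `PrivateTmp=true` and `PrivateDevices=true` are the usual further steps for a network daemon and should be harmless for a STUN/TURN server, though they need a test start on this deployment. The `Documentation=` URLs are pinned to 1.4.1 while `ExecStart=` follows the `eturnal-current` symlink, so they will drift silently on upgrades.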
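Review bot: `Environment=ETURNAL_ETC_PREFIX=/project/eturnal` points the service at `/project/eturnal/etc/eturnal.yml`, which lies outside the directories systemd manages for this unit, so nothing here sets or checks its ownership and mode. That file presumably carries the TURN shared secret or user credentials, so it should be readable by `eturnprj` and not world-readable; recording the expectation above the `Environment=` line, e.g. `# eturnal.yml holds credentials: keep it readable by eturnprj only, not world-readable`, makes the requirement visible to whoever deploys the prefix.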
From: Paul Menzel
Date: Sun, 1 Nov 2020 13:29:58 +0100
Subject: [PATCH 3/7] systemd/eturnal: Let epmd only listen on localhost
From [issues #9 (*Document ERL_EPMD_ADDRESS and ERL_EPMD_PORT*)][1]:
> === ERL_EPMD_ADDRESS ===
>
> On eturnal startup, an Erlang Port Mapper Daemon (epmd) service is spawned (if
> not running already). This service listens on all available interfaces by
> default. Setting the `ERL_EPMD_ADDRESS' environment variable tells epmd to
> listen on the specified comma-seperated list of IP addresses instead. Note that
> the IPv4 and IPv6 loopback addresses are implicitly added to this list if not
> specified. It's usually recommended to set `ERL_EPMD_ADDRESS' to `127.0.0.1'
> (e.g., by calling `systemctl edit eturnal' and adding an
> `Environment="ERL_EPMD_ADDRESS=127.0.0.1"' line to the `[Service]' section).
[1]: https://github.com/processone/eturnal/issues/9
---
misc_systemd_units/eturnal.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/misc_systemd_units/eturnal.service b/misc_systemd_units/eturnal.service
index c23873c..3a13a48 100644
--- a/misc_systemd_units/eturnal.service
+++ b/misc_systemd_units/eturnal.service
@@ -9,7 +9,7 @@ Documentation=https://github.com/processone/eturnal/blob/1.4.1/CHANGELOG.md
 [Service]
 Type=notify
 User=eturnprj
-Environment=ETURNAL_ETC_PREFIX=/project/eturnal
+Environment=ETURNAL_ETC_PREFIX=/project/eturnal ERL_EPMD_ADDRESS=127.0.0.1
 ExecStart=/project/eturnal/eturnal-current/bin/eturnalctl foreground
 ExecReload=/project/eturnal/eturnal-current/bin/eturnalctl reload
 ExecStop=/project/eturnal/eturnal-current/bin/eturnalctl stop
From dd75a7bf0f0587e28b19bbe839c3400c99bbc1d2 Mon Sep 17 00:00:00 2001
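Review bot: `ERL_EPMD_ADDRESS=127.0.0.1` in this unit's environment only reaches an epmd that eturnal spawns itself; the `[Unit]` section (outside this hunk) has `Wants=epmd.service` and `After=epmd.service`, so when that separate unit starts epmd first, the already-running daemon keeps listening on all interfaces regardless of this line, and the same variable would have to be set in `epmd.service`. Which of the two actually brings epmd up on this host is worth verifying before relying on the loopback restriction. The next patch in the series reverts this line, so the question stays relevant for whatever replaces it.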
From: Paul Menzel
Date: Sun, 1 Nov 2020 13:35:07 +0100
Subject: [PATCH 4/7] systemd/eturnal: Listen on all hosts
This reverts commit f95afb4e029e209d04bb8f12303a4072c197d5c5.
Despite `net.ipv6.conf.all.disable_ipv6 = 1`, epmd tries to bind to the IPv6 loopback device, [which fails][1].
eturnalctl[91982]: Protocol 'inet_tcp': register/listen error: econnrefused
So, remove `ERL_EPMD_ADDRESS=127.0.0.1`, which is no problem, as our firewall blocks access to epmd from the internet.
[1]: https://github.com/processone/eturnal/issues/11
---
misc_systemd_units/eturnal.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/misc_systemd_units/eturnal.service b/misc_systemd_units/eturnal.service
index 3a13a48..c23873c 100644
--- a/misc_systemd_units/eturnal.service
+++ b/misc_systemd_units/eturnal.service
@@ -9,7 +9,7 @@ Documentation=https://github.com/processone/eturnal/blob/1.4.1/CHANGELOG.md
 [Service]
 Type=notify
 User=eturnprj
-Environment=ETURNAL_ETC_PREFIX=/project/eturnal ERL_EPMD_ADDRESS=127.0.0.1
+Environment=ETURNAL_ETC_PREFIX=/project/eturnal
 ExecStart=/project/eturnal/eturnal-current/bin/eturnalctl foreground
 ExecReload=/project/eturnal/eturnal-current/bin/eturnalctl reload
 ExecStop=/project/eturnal/eturnal-current/bin/eturnalctl stop
From c0c84351b9e431d7d7772bea09f4ca87e25cf30f Mon Sep 17 00:00:00 2001
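Review bot: With `ERL_EPMD_ADDRESS` dropped, the only thing keeping epmd (and the Erlang distribution listener it advertises) off the network is the host firewall named in the commit message, and that dependency is invisible to anyone reading the unit. Record it next to the `Environment=` line, e.g. `# epmd listens on all interfaces (see eturnal issue #11); external access relies on the host firewall`, so that a later firewall change is recognised as a security-relevant change to this service. If the failure is specific to the IPv6 loopback bind, the upstream issue may eventually allow restoring the IPv4-only setting; the comment is the place to note that too.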
From: Paul Menzel
Date: Sun, 1 Nov 2020 13:49:38 +0100
Subject: [PATCH 5/7] systemd/eturnal: Log to directory `log` in installation prefix
`LogsDirectory=` does not support absolute paths:
Nov 03 13:23:09 pitti.molgen.mpg.de systemd[1]: /etc/systemd/system/eturnal.service:20: LogsDirectory= path is absolute, ignoring: /project/eturnal/log
Therefore, [do not set it all][1]:
> If this environment variable is unset as well, a `log' directory is
> created within the installation prefix.
The directory `log` is a symbolic link to `/project/eturnal/log`
[1]: https://github.com/processone/eturnal/blob/f9168eb70d2a1b8f7f110f4022985adb65175e55/doc/overview.edoc#L178-L188
---
misc_systemd_units/eturnal.service | 1 -
1 file changed, 1 deletion(-)
diff --git a/misc_systemd_units/eturnal.service b/misc_systemd_units/eturnal.service
index c23873c..2d26da6 100644
--- a/misc_systemd_units/eturnal.service
+++ b/misc_systemd_units/eturnal.service
@@ -18,7 +18,6 @@ RestartSec=3
 WatchdogSec=30
 LimitNOFILE=50000
 RuntimeDirectory=eturnal
-LogsDirectory=eturnal
 ProtectSystem=full
 NoNewPrivileges=true
 AmbientCapabilities=CAP_NET_BIND_SERVICE
From beb061729310306d2596b0eac34bcd6b2b37bd75 Mon Sep 17 00:00:00 2001
From: Paul Menzel
Date: Tue, 18 May 2021 07:23:23 +0200
Subject: [PATCH 6/7] systemd/eturnal: Remove install section to prevent accidental installation
We use mxstartupctl to start the service.
---
misc_systemd_units/eturnal.service | 3 ---
1 file changed, 3 deletions(-)
diff --git a/misc_systemd_units/eturnal.service b/misc_systemd_units/eturnal.service
index 2d26da6..047c452 100644
--- a/misc_systemd_units/eturnal.service
+++ b/misc_systemd_units/eturnal.service
@@ -21,6 +21,3 @@ RuntimeDirectory=eturnal
 ProtectSystem=full
 NoNewPrivileges=true
 AmbientCapabilities=CAP_NET_BIND_SERVICE
-
-[Install]
-WantedBy=multi-user.target
From c9686d479111523b13f3b53c35617da53bb9e244 Mon Sep 17 00:00:00 2001
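Review bot: Removing `LogsDirectory=eturnal` also removes the directory systemd created and chowned for the service, so `/project/eturnal/log` (the target of the `log` symlink) must now exist and be writable by `eturnprj` by other means, and nothing in the unit says so; a comment next to `RuntimeDirectory=eturnal`, e.g. `# logs go to <prefix>/log -> /project/eturnal/log, which must be writable by eturnprj`, would record that. If eturnal exposes an environment variable for the log directory (the quoted documentation refers to one), keeping `LogsDirectory=eturnal` and pointing eturnal at `/var/log/eturnal` through it would keep the permissions systemd-managed. Either way, a later `ProtectSystem=strict` leaves this path read-only unless it is listed in `ReadWritePaths=`.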
From: Paul Menzel
Date: Tue, 18 May 2021 11:57:02 +0200
Subject: [PATCH 7/7] systemd/eturnal: Use ProtectSystem=strict
[`ProtectSystem=strict` mounts more directories as read-only.][1] [The upstream service unit only sets it to `full` to support older systemd releases.][2] systemd 242, currently shipped by MarIuX, support `strict`, so use it.
[1]: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=
[2]: https://github.com/processone/eturnal/issues/14#issuecomment-843021648
---
misc_systemd_units/eturnal.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/misc_systemd_units/eturnal.service b/misc_systemd_units/eturnal.service
index 047c452..5b17d7f 100644
--- a/misc_systemd_units/eturnal.service
+++ b/misc_systemd_units/eturnal.service
@@ -18,6 +18,6 @@ RestartSec=3
 WatchdogSec=30
 LimitNOFILE=50000
 RuntimeDirectory=eturnal
-ProtectSystem=full
+ProtectSystem=strict
 NoNewPrivileges=true
 AmbientCapabilities=CAP_NET_BIND_SERVICE
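Review bot: `ProtectSystem=strict` mounts the whole file system hierarchy read-only except `/dev`, `/proc`, `/sys` and the `RuntimeDirectory=` systemd manages, so eturnal can no longer write its log directory at `/project/eturnal/log` (the series dropped `LogsDirectory=` earlier) and will presumably fail to start or to log; add `ReadWritePaths=/project/eturnal/log` directly after the `ProtectSystem=strict` line. Any other location the release writes to under `/project/eturnal` would need listing as well, which a test start should reveal. The configuration under `/project/eturnal/etc` only needs reading and can stay read-only, which is the point of the change.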