[Bug 1115999] New: Please convert SysV init scripts by cyrus-imapd into native systemd services
http://bugzilla.suse.com/show_bug.cgi?id=1115999
Bug ID: 1115999 Summary: Please convert SysV init scripts by cyrus-imapd into native systemd services Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: bnc-team-screening@forge.provo.novell.com Reporter: fbui@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: ---
It would be great if the SysV init scrips shipped by this package could be converted into systemd native services.
Indeed most packages shipped by openSUSE Factory switched to native systemd unit files years ago and we plan to drop the obsolete/limited SysV compat support in the future.
If this appears to be a big task, one quick way to solve it is to copy and ship (as is) the .service unit wrappers generated automatically by systemd-sysv-generator at boot. Indeed such wrappers are generated by systemd in order to support SysV init scripts similarly to native units.
You can see the content of a wrapper unit with:
$ systemctl cat <sysvinit-script>.service
As you could see the wrapper unit simply calls the SysV script, which should be moved out of /etc/init.d, probably in a directory owned by your package.
In all cases we would be glad to provide any help if needed in this task.
Thanks in advance.
http://bugzilla.suse.com/show_bug.cgi?id=1115999
Franck Bui fbui@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Assignee|bnc-team-screening@forge.pr |varkoly@suse.com |ovo.novell.com |
http://bugzilla.suse.com/show_bug.cgi?id=1115999
Franck Bui fbui@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |aj@ajaissle.de
http://bugzilla.suse.com/show_bug.cgi?id=1115999 http://bugzilla.suse.com/show_bug.cgi?id=1115999#c1
Matthias Fehring buschmann23@opensuse.org changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |buschmann23@opensuse.org
--- Comment #1 from Matthias Fehring buschmann23@opensuse.org --- The current revision of the package from OBS project server:mail is not usable with the native systemd service. There are two problems with the service file:
1. User cyrus is not allowed to place the master PID file into /run. I created a fix for this by creating /run/cyrus-imapd through systemd-tmpfiles and place the PID file into that directory. The OBS SR can be found here: https://build.opensuse.org/request/show/653205
2. User cyrus is not allowed to bind to privileged ports below port 1024. I tried to solve this on my server running Leap 42.3 by adding Capabilities=CAP_NET_BIND_SERVICE to the service file, but systemd ignores it with the following error: "Failed to parse capabilities, ignoring: CAP_NET_BIND_SERVICE". It works if I set the capability via setcap command: setcap 'CAP_NET_BIND_SERVICE=+ep' /usr/lib/cyrus/bin/master . systemd version 228 on Leap 42.3 offers the Capabilities= service file entry, while newer versions have AmbientCapabilities= . Not sure how to solve this.
http://bugzilla.suse.com/show_bug.cgi?id=1115999 http://bugzilla.suse.com/show_bug.cgi?id=1115999#c2
--- Comment #2 from Franck Bui fbui@suse.com --- (In reply to Matthias Fehring from comment #1)
The current revision of the package from OBS project server:mail is not usable with the native systemd service. There are two problems with the service file:
- User cyrus is not allowed to place the master PID file into /run. I
created a fix for this by creating /run/cyrus-imapd through systemd-tmpfiles and place the PID file into that directory. The OBS SR can be found here: https://build.opensuse.org/request/show/653205
I think you could use "RuntimeDirectory=cyrus-imapd" instead.
- User cyrus is not allowed to bind to privileged ports below port 1024. I
tried to solve this on my server running Leap 42.3 by adding Capabilities=CAP_NET_BIND_SERVICE to the service file, but systemd ignores it with the following error: "Failed to parse capabilities, ignoring: CAP_NET_BIND_SERVICE".
You should use "Capabilities=cap_net_bind_service=+ep" or something like that instead.
But that said according to the man page Capabilities= is probably not the option to use.
It works if I set the capability via setcap command: setcap 'CAP_NET_BIND_SERVICE=+ep' /usr/lib/cyrus/bin/master . systemd version 228 on Leap 42.3 offers the Capabilities= service file entry, while newer versions have AmbientCapabilities= . Not sure how to solve this.
I'm not sure how well caps work with unprivileged services for v228 (Leap 42.3) and this bug has been opened against Factory so I'm not sure why you would want to fix Leap 42.3...
With systemd shipped by Factory, I believe that AmbientCapabilities= is supported and is the option to use to deal with your case.
http://bugzilla.suse.com/show_bug.cgi?id=1115999 http://bugzilla.suse.com/show_bug.cgi?id=1115999#c3
--- Comment #3 from Matthias Fehring buschmann23@opensuse.org --- (In reply to Franck Bui from comment #2)
(In reply to Matthias Fehring from comment #1)
The current revision of the package from OBS project server:mail is not usable with the native systemd service. There are two problems with the service file:
- User cyrus is not allowed to place the master PID file into /run. I
created a fix for this by creating /run/cyrus-imapd through systemd-tmpfiles and place the PID file into that directory. The OBS SR can be found here: https://build.opensuse.org/request/show/653205
I think you could use "RuntimeDirectory=cyrus-imapd" instead.
Oh, nice, I did not know that directive.
- User cyrus is not allowed to bind to privileged ports below port 1024. I
tried to solve this on my server running Leap 42.3 by adding Capabilities=CAP_NET_BIND_SERVICE to the service file, but systemd ignores it with the following error: "Failed to parse capabilities, ignoring: CAP_NET_BIND_SERVICE".
You should use "Capabilities=cap_net_bind_service=+ep" or something like that instead.
I already tried that. It leads to the same parsing error.
But that said according to the man page Capabilities= is probably not the option to use.
It works if I set the capability via setcap command: setcap 'CAP_NET_BIND_SERVICE=+ep' /usr/lib/cyrus/bin/master . systemd version 228 on Leap 42.3 offers the Capabilities= service file entry, while newer versions have AmbientCapabilities= . Not sure how to solve this.
I'm not sure how well caps work with unprivileged services for v228 (Leap 42.3) and this bug has been opened against Factory so I'm not sure why you would want to fix Leap 42.3...
As written, setting the caps manually works as expected.
I want simply fix it for Leap 42.3 because the changes in the devel project made Cyrus unusable for users of older Leap releases. Either build there should be disabled for older releases or the changes should also work for older releases. The issue was also recognized in other OBS projects relying on that package from server:mail like server:Kolab:Extras.
I added all this stuff to this bug because it was the bug mentioned in the package changelog that leads to the issues with openSUSE Leap 42.3. Also the issue with missing priviliges for writing to /run will be the same on Tumbleweed.
http://bugzilla.suse.com/show_bug.cgi?id=1115999 http://bugzilla.suse.com/show_bug.cgi?id=1115999#c4
--- Comment #4 from Franck Bui fbui@suse.com --- How was the cap granted to the sysv init script BTW ? or is this an improvement you introduced along with the systemd unit files ?
Maybe you could try to make cyrus-imapd socket activable (if it's not already done) and in this case systemd would open and bind the socket for you ?
That would make CAP_NET_BIND_SERVICE undeeded.
Otherwise ship a different unit file depending on the distro you're running on:
- on Factory ship the unit file with "User=xxx" and "AmbientCapabilities=cap_net_bind_service"
- on Leap 42.3, run the service as root. It was probably already the case with the sysv init script.
In both cases you can also rely on different security hardening (if it's not already the case).
http://bugzilla.suse.com/show_bug.cgi?id=1115999 http://bugzilla.suse.com/show_bug.cgi?id=1115999#c8
--- Comment #8 from Swamp Workflow Management swamp@suse.de --- This is an autogenerated message for OBS integration: This bug (1115999) was mentioned in https://build.opensuse.org/request/show/666435 Factory / cyrus-imapd
http://bugzilla.suse.com/show_bug.cgi?id=1115999 http://bugzilla.suse.com/show_bug.cgi?id=1115999#c9
--- Comment #9 from Franck Bui fbui@suse.com --- Hi,
I think this bug can be closed, right ?
If so could you do so ?
Thanks.
http://bugzilla.suse.com/show_bug.cgi?id=1115999 http://bugzilla.suse.com/show_bug.cgi?id=1115999#c10
Josef Möllers josef.moellers@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED CC| |josef.moellers@suse.com Resolution|--- |FIXED
--- Comment #10 from Josef Möllers josef.moellers@suse.com --- Closing as per comment #9.
-
bugzilla_noreply@novell.com