Re: [systemd-devel] Conditionally reload a service from another service

2023-07-31 Thread Ian Pilcher

On 7/31/23 17:18, Nils Kattenbeck wrote:
> Huh, I am actually surprised to discover that httpd does not watch these
> files itself.

To be honest, I never even considered the possibility that it might do
that.  Unfortunately, testing reveals that it doesn't do so.

> Regardless, I think the systemd way to achieve this would be to use path
> units, though I gotta admit that I have not played with them myself yet:
> https://www.freedesktop.org/software/systemd/man/systemd.path.html

I had honestly forgotten that those exist.  Looks very promising.

> Alternatively you could likely write custom polkit policies which would
> allow your script to reload https without elevated privileges. Not sure
> if there is an easier way to do this.

That sounds painful!  A path unit definitely sounds like the way to go
anyway, because I'd prefer not to give that level of permission to an
unprivileged service.

Thanks!

--

Google  Where SkyNet meets Idiocracy




Re: [systemd-devel] Conditionally reload a service from another service

2023-07-31 Thread Peter Hoeg
1. decide on a global path like `/run/http/restart'
2. give your LE script access to write there
3. use a `.path' unit to trigger on the file above being created, triggering
a one-liner that, running as root, restarts apache and deletes the file again

This way your “run as root” is limited to that one, tiny script
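Peter's recipe spelled out as unit files, as an added example that is not part of the thread; the directory `/run/httpd-reload`, the unit names and the unprivileged renewal user `certrenew` are assumptions. The renewal script only needs to `touch /run/httpd-reload/trigger` after it has installed a new certificate.

```ini
# /etc/tmpfiles.d/httpd-reload.conf  (constructed example)
# Creates the trigger directory at boot, owned by the unprivileged renewal
# user, so the renewal service can write there without any extra privilege.
# Type Path               Mode UID       GID  Age Argument
d      /run/httpd-reload  0755 certrenew root -

# /etc/systemd/system/httpd-reload.path
[Unit]
Description=Reload httpd when the certificate renewal script drops a trigger file

[Path]
# PathExists= activates the service whenever the file exists, including if it
# is already present when the path unit starts. The service deletes the file,
# which re-arms the watch for the next renewal.
PathExists=/run/httpd-reload/trigger
Unit=httpd-reload.service

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/httpd-reload.service
[Unit]
Description=Reload httpd after a certificate renewal
After=httpd.service

[Service]
Type=oneshot
# Runs as root (the default), but the only things it can do are remove the
# trigger and reload httpd. The trigger is removed first: if the reload
# failed with the file still present, PathExists= would keep re-activating
# this service in a loop.
ExecStart=/usr/bin/rm -f /run/httpd-reload/trigger
ExecStart=/usr/bin/systemctl reload httpd.service
```

Enable the watch with `systemctl enable --now httpd-reload.path`; the service unit itself is never enabled, only activated by the path unit.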


Re: [systemd-devel] Conditionally reload a service from another service

2023-07-31 Thread Kevin P. Fleming
That's how I do it. Path units are a good solution here as they maintain loose 
coupling between the cert management and consumption.

On Mon, Jul 31, 2023, at 16:56, Max Gautier wrote:
> On Mon, Jul 31, 2023 at 03:23:26PM -0500, Ian Pilcher wrote:
>> I have created service (along with an associated timer) that checks the
>> remaining life of a TLS certificate and retrieves an updated certificate
>> from Let's Encrypt if the remaining life is too short.
>
> Is the updated certificate placed in the same file ? If so, maybe you
> could use a path unit with PathChanged=/path/to/your/cert ?
>
> -- 
> Max Gautier


Re: [systemd-devel] Conditionally reload a service from another service

2023-07-31 Thread Max Gautier
On Mon, Jul 31, 2023 at 03:23:26PM -0500, Ian Pilcher wrote:
> I have created service (along with an associated timer) that checks the
> remaining life of a TLS certificate and retrieves an updated certificate
> from Let's Encrypt if the remaining life is too short.

Is the updated certificate placed in the same file ? If so, maybe you
could use a path unit with PathChanged=/path/to/your/cert ?

-- 
Max Gautier


[systemd-devel] Conditionally reload a service from another service

2023-07-31 Thread Ian Pilcher

What is the recommended way for a service that runs as a non-root user
to *conditionally* restart (or reload) another service?

I have created service (along with an associated timer) that checks the
remaining life of a TLS certificate and retrieves an updated certificate
from Let's Encrypt if the remaining life is too short.

I am trying to figure out the best way to restart Apache (httpd.service)
*if* the certificate is updated.

* My service runs as a non-root user, so (AFAIK), there is no way for it
  to directly restart httpd.  (At least not without all the pain of
  starting as root, dropping privileges, etc.)

* I could add 'ExecStartPost=systemctl reload httpd.service' to my unit
  file, but I don't believe that there's any way to make that
  conditional.

Any ideas?

Thanks!

--

Google  Where SkyNet meets Idiocracy



[systemd-devel] How to limit network bandwidth on a nspawn container

2023-07-31 Thread Paulo Coghi - Coghi IT
After reading both nspawn and machinectl documentation, I couldn't find
instructions on how to limit network bandwidth on a nspawn container
through nspawn itself (or machinectl).

Does nspawn and/or machinectl offer such an option and, if not, is it a
problem to use external tools like "tc" (traffic control) or wondershaper?

If tc or wondershaper aren't a good option, what do you recommend?

Paulo Coghi