Mailing List Archive

Systemd query ...
Nothing to do with but sparked by the Apache problem ...

One of the emails mentioned that the "ExecStop" section didn't appear to
be working ... That's caused me considerable grief in a systemd config
file I've written ...

Basically, somebody else added an ExecStop section - and all hell broke
loose. It seemed to be firing on boot :-( And the service in question -
ScarletDME - seemed to be killing processes at random, like DoveCot ...

Okay, accidentally killing processes it shouldn't is probably down to the
fork/exec code in ScarletDME, I haven't dug into it to know, but systemd
should not be triggering the stop in the first place. Has anybody else
encountered anything like this?

Sorry I'm not likely to respond quickly to say "solved", as I need to
get "in the mood" to get back to debugging, but if anybody has any hints
and tips, they'd be appreciated, and it might shed some light on that
Apache problem :-)

Cheers,
Wol
Re: Systemd query ...
On Mon, 15 May 2023 at 11:58, Wols Lists <antlists@youngman.org.uk> wrote:

> Nothing to do with but sparked by the Apache problem ...
>
> One of the emails mentioned that the "ExecStop" section didn't appear to
> be working ... That's caused me considerable grief in a systemd config
> file I've written ...
>
> Basically, somebody else added an ExecStop section - and all hell broke
> loose. It seemed to be firing on boot :-( And the service in question -
> ScarletDME - seemed to be killing processes at random, like DoveCot ...
>
> Okay, accidentally killing processes it shouldn't is probably down the
> fork/exec code in ScarletDME, I haven't dug into it to know, but systemd
> should not be triggering the stop in the first place. Has anybody else
> encountered anything like this?
>
> Sorry I'm not likely to respond quickly to say "solved", as I need to
> get "in the mood" to get back to debugging, but if anybody has any hints
> and tips, they'd be appreciated, and it might shed some light on that
> Apache problem :-)
>
> Cheers,
> Wol
>
>
Hi Wol,

It was very difficult to get Apache working with systemd Gentoo.
No apache2.service found with apache installation.
So I looked at the Linux Mint OS to copy the apache2.service.
These commands

ExecStart=/usr/sbin/apachectl start
ExecStop=/usr/sbin/apachectl graceful-stop
ExecReload=/usr/sbin/apachectl graceful

did not work at all...
BUT,
By manually launching /usr/bin/apache2ctl, it worked.

So I wrote a little simple bash script /usr/bin/op_apache

#!/bin/bash

case ${1} in
    "start")
        apache2ctl
        ;;
    "stop")
        killall apache2
        ;;
    "restart")
        killall apache2
        sleep 1
        apache2ctl
        ;;
esac

And in apache2.service, I put:

ExecStart=/usr/bin/op_apache start
ExecStop=/usr/bin/op_apache stop
ExecReload=/usr/sbin/op_apache restart

Now it works fine, but what a headache !

Cheers,

--
Jacques
Re: Systemd query ...
On Tue, 16 May 2023 20:03:36 +0200, Jacques Montier wrote:

> It was very difficult to get Apache working with systemd Gentoo.
> No apache2.service found with apache installation.

Really?

% qfile apache2.service
www-servers/apache: /lib/systemd/system/apache2.service

> so i looked at the Linux Mint OS to copy the apache2.service.
> These commands
>
> ExecStart=/usr/sbin/apachectl start
> ExecStop=/usr/sbin/apachectl graceful-stop
> ExecReload=/usr/sbin/apachectl graceful
>
> did not work at all...

% systemctl cat apache2.service
# /lib/systemd/system/apache2.service
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target

[Service]
EnvironmentFile=/etc/conf.d/apache2
ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND
ExecReload=/usr/sbin/apache2 $APACHE2_OPTS -k graceful
ExecStop=/usr/sbin/apache2 $APACHE2_OPTS -k graceful-stop
# We want systemd to give httpd some time to finish gracefully, but still want
# it to kill httpd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
# httpd time to finish.
KillSignal=SIGCONT
PrivateTmp=true
#Hardening
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK
SecureBits=noroot-locked
ProtectSystem=full
PrivateDevices=true
MemoryDenyWriteExecute=true

[Install]
WantedBy=multi-user.target


--
Neil Bothwick

K: (n., adj.) a binary thousand, which isn't a decimal thousand or even
really a binary thousand (which is eight), but is the binary number
closest to a decimal thousand. This has proven so completely confusing
that it has become a standard.
Re: Systemd query ...
On Tue, 16 May 2023, 20:58, Neil Bothwick <neil@digimed.co.uk> wrote:

> On Tue, 16 May 2023 20:03:36 +0200, Jacques Montier wrote:
>
> > It was very difficult to get Apache working with systemd Gentoo.
> > No apache2.service found with apache installation.
>
> Really?
>
> % qfile apache2.service
> www-servers/apache: /lib/systemd/system/apache2.service
>
> Yes.
>
After install, apache2.service not found...

>
>
> > so i looked at the Linux Mint OS to copy the apache2.service.
> > These commands
> >
> > ExecStart=/usr/sbin/apachectl start
> > ExecStop=/usr/sbin/apachectl graceful-stop
> > ExecReload=/usr/sbin/apachectl graceful
> >
> > did not work at all...
>
> % systemctl cat apache2.service
> # /lib/systemd/system/apache2.service
> [Unit]
> Description=The Apache HTTP Server
> After=network.target remote-fs.target nss-lookup.target
>
> [Service]
> EnvironmentFile=/etc/conf.d/apache2
> ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND
> ExecReload=/usr/sbin/apache2 $APACHE2_OPTS -k graceful
> ExecStop=/usr/sbin/apache2 $APACHE2_OPTS -k graceful-stop
> # We want systemd to give httpd some time to finish gracefully, but still want
> # it to kill httpd after TimeoutStopSec if something went wrong during the
> # graceful stop. Normally, Systemd sends SIGTERM signal right after the
> # ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
> # httpd time to finish.
> KillSignal=SIGCONT
> PrivateTmp=true
> #Hardening
> CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK
> SecureBits=noroot-locked
> ProtectSystem=full
> PrivateDevices=true
> MemoryDenyWriteExecute=true
>
> [Install]
> WantedBy=multi-user.target
>
>
> --
> Neil Bothwick
>
> K: (n., adj.) a binary thousand, which isn't a decimal thousand or even
> really a binary thousand (which is eight), but is the binary number
> closest to a decimal thousand. This has proven so completely confusing
> that it has become a standard.
>


Thanks Neil, i'll have a try.

--
Jacques

Re: Systemd query ...
On Tue, May 16, 2023 at 3:32 PM Jacques Montier <jmontier@gmail.com> wrote:
>
> After install, apache2.service not found...

Have you done something to mask service file installs/etc?

The unit file is in the gentoo repo:
www-servers/apache/files/apache2.4-hardened.service

--
Rich
Re: Systemd query ...
>On Mon, 15 May 2023 at 11:58, Wols Lists <antlists@youngman.org.uk> wrote:
>
>> Nothing to do with but sparked by the Apache problem ...
>>
>> One of the emails mentioned that the "ExecStop" section didn't appear to
>> be working ... That's caused me considerable grief in a systemd config
>> file I've written ...
>>
>> Basically, somebody else added an ExecStop section - and all hell broke
>> loose. It seemed to be firing on boot :-( And the service in question -
>> ScarletDME - seemed to be killing processes at random, like DoveCot ...
>>
>> Okay, accidentally killing processes it shouldn't is probably down the
>> fork/exec code in ScarletDME, I haven't dug into it to know, but systemd
>> should not be triggering the stop in the first place. Has anybody else
>> encountered anything like this?
>>
>> Sorry I'm not likely to respond quickly to say "solved", as I need to
>> get "in the mood" to get back to debugging, but if anybody has any hints
>> and tips, they'd be appreciated, and it might shed some light on that
>> Apache problem :-)
>>
>> Cheers,
>> Wol
>>
>>
>Hi Wol,
>
>It was very difficult to get Apache working with systemd Gentoo.
>No apache2.service found with apache installation.
>so i looked at the Linux Mint OS to copy the apache2.service.
>These commands
>
>ExecStart=/usr/sbin/apachectl start
>ExecStop=/usr/sbin/apachectl graceful-stop
>ExecReload=/usr/sbin/apachectl graceful
>
>did not work at all...
>BUT,
>By manually launching /usr/bin/apache2ctl, it worked.
>

On my gentoo system apache is installed in
/usr/sbin as apache2 and apache2ctl
^
It also installs /lib/systemd/system/apache2.service which references the
above files in a "gentoo-ish" way.

The Linux Mint service file you list above refers to apache without the "2".

Perhaps this sheds some light on your problem.

DaveF

>So i wrote a little simple bash script /usr/bin/op_apache
>
>#!/bin/bash
>
>case ${1} in
>"start")
>apache2ctl
>;;
>"stop")
>killall apache2
>;;
>"restart")
>killall apache2
>sleep 1
>apache2ctl
>;;
>esac
>
>And in apache2.service, i put :
>
>ExecStart=/usr/bin/op_apache start
>ExecStop=/usr/bin/op_apache stop
>ExecReload=/usr/sbin/op_apache restart
>
>Now it works fine, but what a headache !
>
>Cheers,
>
>--
>Jacques
>
Re: Systemd query ...
Hi all,

Thanks to Neil and Rich.

I effectively found the file
www-servers/apache/files/apache2.4-hardened.service.
I renamed it as apache2.service in /lib/systemd/system.
Now it works !!!

BUT,

As I didn't mask anything, I don't understand why this file was not
installed as it was declared in the apache ebuild...

# Note: wait for mod_systemd to be included in some forthcoming release,
# Then apache2.4.service can be used and systemd support controlled
# through --enable-systemd
systemd_newunit "${FILESDIR}/apache2.4-hardened.service" "apache2.service"
dotmpfiles "${FILESDIR}/apache.conf"
#insinto /etc/apache2/modules.d
#doins "${FILESDIR}/00_systemd.conf"

My use flags and modules :

Installed versions: 2.4.55-r1(2)(11:11:07 12/05/2023)(gdbm ssl suexec-caps
systemd -debug -doc -ldap -selinux -split-usr -static -suexec
-suexec-syslog -threads APACHE2_MODULES="actions alias auth_basic
authn_anon authn_core authn_dbm authn_file authz_core authz_dbm
authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid
dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter
headers http2 include info log_config logio mime mime_magic negotiation
rewrite setenvif socache_shmcb speling status unique_id unixd userdir
usertrack vhost_alias -access_compat -asis -auth_digest -auth_form
-authn_dbd -authn_socache -authz_dbd -brotli -cache_disk -cache_socache
-cern_meta -charset_lite -dbd -dumpio -ident -imagemap -lbmethod_bybusyness
-lbmethod_byrequests -lbmethod_bytraffic -lbmethod_heartbeat -log_forensic
-lua -macro -md -proxy -proxy_ajp -proxy_balancer -proxy_connect
-proxy_fcgi -proxy_ftp -proxy_hcheck -proxy_html -proxy_http -proxy_http2
-proxy_scgi -proxy_uwsgi -proxy_wstunnel -ratelimit -remoteip -reqtimeout
-session -session_cookie -session_crypto -session_dbd -slotmem_shm
-socache_memcache -substitute -version -watchdog -xml2enc"
APACHE2_MPMS="-event -prefork -worker" LUA_SINGLE_TARGET="lua5-1 -lua5-3
-lua5-4")


However, it works fine and thanks again to all of you !

Cheers,

--
Jacques




On Tue, 16 May 2023 at 21:43, Rich Freeman <rich0@gentoo.org> wrote:

> On Tue, May 16, 2023 at 3:32 PM Jacques Montier <jmontier@gmail.com> wrote:
> >
> > After install, apache2.service not found...
>
> Have you done something to mask service file installs/etc?
>
> The unit file is in the gentoo repo:
> www-servers/apache/files/apache2.4-hardened.service
>
> --
> Rich
>
>
Re: Systemd query ...
On Wed, May 17, 2023 at 4:43 AM Jacques Montier <jmontier@gmail.com> wrote:
>
> As I didn't mask anything, I don't understand why this file was not installed as it was declared in the apache ebuild...

You don't have anything set in INSTALL_MASK? Check "emerge --info
www-servers/apache"

You might want to check the build log for anything. I don't think
there is anything conditional about systemd_newunit, and it is
supposed to generate a fatal error if it fails.

--
Rich
Re: Systemd query ...
On Wed, 17 May 2023 at 11:30, Rich Freeman <rich0@gentoo.org> wrote:

> On Wed, May 17, 2023 at 4:43 AM Jacques Montier <jmontier@gmail.com> wrote:
> >
> > As I didn't mask anything, I don't understand why this file was not installed as it was declared in the apache ebuild...
>
> You don't have anything set in INSTALL_MASK? Check "emerge --info
> www-servers/apache"
>
> You might want to check the build log for anything. I don't think
> there is anything conditional about systemd_newunit, and it is
> supposed to generate a fatal error if it fails.
>
> --
> Rich
>
>
Well, well, Rich, you are completely right, you've found the key !
I have that line in make.conf
INSTALL_MASK="/lib/systemd/system /usr/lib/systemd/system"
I now see where it comes from.
On the same machine, I have another OpenRC Gentoo with systemd masked.
I just copied the make.conf without uncommenting that line... How silly I
am !!!
So I delete that bl...y line !

Thanks a lot,

Cheers

--
Jacques
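
As an added example (not part of the thread and not Portage code): a shell check for the situation just described, reading INSTALL_MASK from a make.conf-style file and reporting whether a given install path falls under a masked directory. The helper name `install_mask_hit` and the sample file are constructed here, and entries are assumed to be plain directory prefixes like the ones quoted above.

```shell
# Added example: does INSTALL_MASK in a make.conf-style file cover a path?
# Assumption: entries are plain directory prefixes, as in the line quoted
# in the thread; Portage's pattern matching and "-entry" negation are not
# modelled here.

# install_mask_hit CONF PATH (hypothetical helper name)
# Prints the matching entry and returns 0 if PATH is masked, else returns 1.
# The body runs in a subshell so "set -f" and the variables stay local.
install_mask_hit() (
    conf=$1
    target=$2
    set -f   # do not glob-expand mask entries while word-splitting them
    # Use the last uncommented INSTALL_MASK="..." assignment in the file.
    mask=$(sed -n 's/^[[:space:]]*INSTALL_MASK="\(.*\)"[[:space:]]*$/\1/p' \
        "$conf" | tail -n 1)
    for entry in $mask; do
        entry=${entry%/}   # "/lib/systemd/system/" and ".../system" are equal
        case $target in
            "$entry" | "$entry"/*)
                printf '%s\n' "$entry"
                return 0
                ;;
        esac
    done
    return 1
)

# Constructed sample input: the make.conf line from the thread, preceded by
# a commented-out assignment that must be ignored.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
#INSTALL_MASK="/usr/share/doc"
INSTALL_MASK="/lib/systemd/system /usr/lib/systemd/system"
EOF

unit=/lib/systemd/system/apache2.service
if hit=$(install_mask_hit "$sample_conf" "$unit"); then
    echo "$unit is dropped at install time (INSTALL_MASK entry: $hit)"
else
    echo "$unit is not covered by INSTALL_MASK"
fi
rm -f "$sample_conf"
```

On a live system the effective value is the one reported by `emerge --info www-servers/apache`, as suggested earlier in the thread; this parse only covers a single file.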
Re: Systemd query ...
On Wed, May 17, 2023 at 6:18 AM Jacques Montier <jmontier@gmail.com> wrote:
>
> Well, well, Rich, you are completely right, you've found the key !
> I have that line in make.conf
> INSTALL_MASK="/lib/systemd/system /usr/lib/systemd/system"
> I now see where it comes from.
> On the same machine, I have another OpenRC Gentoo with systemd masked.
> I just copied the make.conf without uncommenting that line... How silly I am !!!
> So I delete that bl...y line !
>

So, I realize this will be controversial, but this is why I don't make
super-minimalistic builds. If I were trying to make a Gentoo build to
run on a C64 or something and every last inode counted, then sure.
However, things like text files simply don't do anything if nothing
reads them. These days I also tend to be generous with building
kernel modules - it slows down kernel builds, but it has no impact on
running kernels if they aren't actually loaded. I also use -mtune
these days and not -march. Sure, you lose a little performance, but
if I lose a motherboard then I can just build a new PC, stick my hard
drive in it, and it will just work.

Now, if you're building disposable workers in some cluster that
processes lots of jobs, then sure that extra few percent performance
might be worth it, but then the individual hosts are all disposable
anyway. Otherwise, I've found it is much better to optimize things
for MY time than CPU time.

--
Rich