systemd [2019/04/19 14:41] – Knot DNS with systemd and OpenVZ wwcovh
====== Systemd ======
This page describes steps to verify systemd functionality and possible fixes for troublesome parts.

To check if everything works correctly use <

===== Required overrides =====

Some systems require systemd override files to disable security hardening not supported by our OpenVZ kernel; this includes the seccomp filter and memory deny write execute.

These can be disabled for a specific service with the following override file:

<code>
[Service]
SystemCallFilter=
MemoryDenyWriteExecute=no
</code>

File needs to be placed in <

To create it manually for e.g. systemd-journald.service use
<code>
systemctl edit systemd-journald
# paste override code from above
systemctl daemon-reload
systemctl start systemd-journald
</code>

===== Knot DNS =====

With systemd and OpenVZ, [[https://
<code>
... systemd[22357]:
-- Subject: Process /
-- Defined-By: systemd
-- Support: https://
--
-- The process /
--
-- The error number returned by this process is 22.
... systemd[1]: knot.service:
... systemd[1]: Failed to start Knot DNS server.
</code>

The reason is that the Knot DNS systemd unit specifies a few required capabilities which vpsFree does not support under OpenVZ, namely:

<code>
# cat /

[...]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETPCAP
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETPCAP
[...]
</code>

For an explanation of what these capabilities mean visit [[http://

The first step is either commenting these out or, even better, [[https://

<code>
systemctl edit knot.service

[Service]
CapabilityBoundingSet=~
AmbientCapabilities=
</code>
(note the ''

and reload with ''

Now Knot DNS starts but fails to bind to port ''

So first we override once more and add ''

<code>
systemctl edit knot.service

[Service]
User=
Group=
CapabilityBoundingSet=~
AmbientCapabilities=
</code>

Then we edit the Knot DNS configuration itself and specify user and group ''

<code>
nano /

server:
[...]
user: knot:knot

[...]
</code>

Reload once again with ''
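The two overrides above (the generic seccomp/MemoryDenyWriteExecute one and the capability reset for knot.service) can be generated and audited with a small script. The following is an added example, not part of this wiki page or of the Knot DNS project: it lists which restrictive hardening directives remain in effect for a unit once its drop-ins are read, and writes the override file in the same location ''systemctl edit'' uses. It assumes a root directory argument so it can be exercised on a constructed unit file offline; on a real system the root would be ''/'' and ''systemctl daemon-reload'' would follow. Precedence is modelled as last-assignment-wins, which covers the reset idioms the page relies on (an empty ''SystemCallFilter='' clears the filter, and a bare ''~'' in ''CapabilityBoundingSet='' resets the bounding set to the full set) but not the additive merging of several non-empty ''SystemCallFilter='' lines.

```shell
#!/bin/sh
# Added example (not from the vpsFree wiki page): audit a systemd unit for the
# hardening directives the page says the OpenVZ kernel cannot honour and
# generate the drop-in override that neutralises them. Paths are relative to a
# root directory so the script runs offline against a constructed unit file.

DIRECTIVES='SystemCallFilter|MemoryDenyWriteExecute|CapabilityBoundingSet|AmbientCapabilities'

# Print the restrictive directives still in effect after reading the unit file
# followed by any drop-ins passed as further arguments (one KEY=VALUE per line).
# Last assignment wins, so the reset forms are recognised:
#   SystemCallFilter=            empty value: seccomp filter reset
#   MemoryDenyWriteExecute=no    the default, i.e. no restriction
#   CapabilityBoundingSet=~      bare "~": bounding set reset to the full set
#   AmbientCapabilities=         empty value: no ambient capabilities
effective_restrictions() {
    cat "$@" | awk -F= -v keys="$DIRECTIVES" '
        $0 ~ "^(" keys ")=" {
            key = $1
            val = substr($0, index($0, "=") + 1)
            last[key] = val
        }
        END {
            for (key in last) {
                val = last[key]
                if (val == "") continue
                if (key == "MemoryDenyWriteExecute" && val != "yes") continue
                if (key == "CapabilityBoundingSet" && val == "~") continue
                print key "=" val
            }
        }'
}

# Write the override drop-in for a unit under $root, mirroring the file that
# `systemctl edit <unit>` creates: $root/etc/systemd/system/<unit>.d/override.conf
# It always clears the seccomp filter and MemoryDenyWriteExecute; with a third
# argument of "caps" it also resets the capability directives, as the page does
# for knot.service. Prints the path of the file written.
write_override() {
    root=$1; unit=$2; caps=${3:-}
    dir="$root/etc/systemd/system/$unit.d"
    mkdir -p "$dir"
    {
        printf '[Service]\n'
        printf 'SystemCallFilter=\n'
        printf 'MemoryDenyWriteExecute=no\n'
        if [ "$caps" = caps ]; then
            printf 'CapabilityBoundingSet=~\n'
            printf 'AmbientCapabilities=\n'
        fi
    } > "$dir/override.conf"
    printf '%s\n' "$dir/override.conf"
}

# Demo on a constructed unit (not Knot's real unit file): run as `sh script.sh demo`.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    cat > "$tmp/knot.service" <<'EOF'
[Service]
SystemCallFilter=@system-service
MemoryDenyWriteExecute=yes
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETPCAP
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETPCAP
EOF
    echo "before override:"; effective_restrictions "$tmp/knot.service"
    ov=$(write_override "$tmp" knot.service caps)
    echo "after override ($ov):"; effective_restrictions "$tmp/knot.service" "$ov"
    rm -rf "$tmp"
fi
```

Running the demo shows all four restrictions for the constructed unit before the override and none afterwards; the generic override alone (without ''caps'') leaves the two capability lines in force, which is exactly the state in which Knot DNS still failed to start on the page.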