Overriding BIND systemd script in Debian

Ever wondered how to modify or override a systemd unit file in Debian without touching the copy the package installed?

Let’s take the BIND9 systemd script as example. There’s a best practices draft at ISC which states that by design, and for security purposes, the most common mode of failure for BIND is intentional process termination when it encounters an inconsistent state. An automated minder process capable of restarting BIND intelligently is recommended [..].

Following that recommendation, you want to make sure BIND is restarted automatically after a failure, which Debian's bind9.service does not do by default. To make systemd restart a service automatically you need to add Restart= to the service file. There's a helpful table in the systemd.service(5) man page showing which exit causes each setting covers.

Restart settings/Exit causes | no | always | on-success | on-failure | on-abnormal | on-abort | on-watchdog
Clean exit code or signal    |    |   X    |     X      |            |             |          |
Unclean exit code            |    |   X    |            |     X      |             |          |
Unclean signal               |    |   X    |            |     X      |      X      |    X     |
Timeout                      |    |   X    |            |     X      |      X      |          |
Watchdog                     |    |   X    |            |     X      |      X      |          |      X

Because DNS is pretty important, I'd just pick Restart=always, which makes sure named is restarted even if it exited successfully. Mind that it won't automatically restart if you stop it yourself with service bind9 stop / systemctl stop bind9. One caveat: if named dies right after every start (a broken zone file or config, or an inconsistent state that keeps being triggered), Restart=always will relaunch it until systemd's start rate limit kicks in (by default 5 starts within 10 seconds), after which the unit is left in the failed state. Set RestartSec= to pace the restarts, and watch the journal rather than assuming the restart has hidden the problem.

To add Restart= to the service file issue:

systemctl edit bind9.service

and add:

[Service]
Restart=always

Save and exit the editor (systemctl edit reloads the unit configuration for you). Take a look at systemctl status bind9:

● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/bind9.service.d
           └─override.conf
   Active: active (running) since Mon 2017-06-05 11:41:42 CEST; 37s ago
     Docs: man:named(8)
  Process: 7728 ExecStop=/usr/sbin/rndc stop (code=exited, status=1/FAILURE)
 Main PID: 7733 (named)
    Tasks: 5 (limit: 4915)
   CGroup: /system.slice/bind9.service
           └─7733 /usr/sbin/named -f -u bind

You’ll notice Drop-In shows the override.conf. Let’s pick the Main PID: 7733 and kill it:

kill -9 7733

And re-check systemctl status:

● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/bind9.service.d
           └─override.conf
   Active: active (running) since Mon 2017-06-05 11:43:06 CEST; 1min 25s ago
     Docs: man:named(8)
  Process: 7744 ExecStop=/usr/sbin/rndc stop (code=exited, status=1/FAILURE)
 Main PID: 7749 (named)
    Tasks: 5 (limit: 4915)
   CGroup: /system.slice/bind9.service
           └─7749 /usr/sbin/named -f -u bind

It does have a new PID now. journalctl -xe shows even more:

Jun 05 11:43:05 dns1 systemd[1]: bind9.service: Main process exited, code=killed, status=9/KILL
Jun 05 11:43:05 dns1 rndc[7744]: rndc: connect failed: 127.0.0.1#953: connection refused
Jun 05 11:43:05 dns1 systemd[1]: bind9.service: Control process exited, code=exited status=1
Jun 05 11:43:05 dns1 systemd[1]: bind9.service: Unit entered failed state.
Jun 05 11:43:05 dns1 systemd[1]: bind9.service: Failed with result 'signal'.
Jun 05 11:43:06 dns1 systemd[1]: bind9.service: Service hold-off time over, scheduling restart.
Jun 05 11:43:06 dns1 systemd[1]: Stopped BIND Domain Name Server.
-- Subject: Unit bind9.service has finished shutting down
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit bind9.service has finished shutting down.
Jun 05 11:43:06 dns1 systemd[1]: Started BIND Domain Name Server.
-- Subject: Unit bind9.service has finished start-up

Note how systemd noticed that BIND had been killed and restarted it 🙂 The rndc: connect failed line is expected: the ExecStop=/usr/sbin/rndc stop command runs when the unit goes down, and since named was already dead there was nothing listening on 127.0.0.1#953, which is why the control process reports status=1.
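The same change done non-interactively, as you would from a provisioning script, is shown below. This is an added example and not part of the original post: it writes the same drop-in file that systemctl edit creates, adds a restart pace and a start limit (the values 2s, 60s and 5 starts are assumptions, pick your own), and checks the effective policy from the output of systemctl show. The apply argument is this script's own convention.

```shell
#!/bin/sh
# Added example (not from the original post): write the bind9 drop-in
# non-interactively and verify the effective Restart= policy.
set -eu

UNIT=bind9.service

# write_override ROOT: write ROOT/etc/systemd/system/bind9.service.d/override.conf
# and print its path. ROOT is "" on a real host; a temporary directory lets you
# dry-run the function without touching /etc.
write_override() {
    dir="$1/etc/systemd/system/$UNIT.d"
    mkdir -p "$dir"
    # Restart=always as in the post. RestartSec= paces restarts so a crash loop
    # does not spin; the [Unit] start limit (systemd >= 230; older versions take
    # StartLimitInterval=/StartLimitBurst= in [Service]) gives up after 5 starts
    # within 60 seconds instead of the default 5 within 10. Values are assumed.
    cat > "$dir/override.conf" <<'EOF'
[Unit]
StartLimitIntervalSec=60
StartLimitBurst=5

[Service]
Restart=always
RestartSec=2s
EOF
    printf '%s\n' "$dir/override.conf"
}

# restart_policy SHOW_OUTPUT: given the text printed by
# `systemctl show -p Restart -p RestartUSec bind9.service`, print the Restart= value.
restart_policy() {
    printf '%s\n' "$1" | sed -n 's/^Restart=//p'
}

# policy_ok SHOW_OUTPUT: succeed only when the effective policy is "always".
policy_ok() {
    [ "$(restart_policy "$1")" = always ]
}

# On a real host: `sh thisscript.sh apply` writes the drop-in, reloads systemd,
# restarts named and verifies that the new policy is in effect.
if [ "${1:-}" = apply ]; then
    write_override ""
    systemctl daemon-reload
    systemctl restart "$UNIT"
    if policy_ok "$(systemctl show -p Restart -p RestartUSec "$UNIT")"; then
        echo "$UNIT: Restart=always in effect"
    else
        echo "$UNIT: Restart= not applied" >&2
        exit 1
    fi
fi
```

After applying, the same kill -9 test as above should show a new Main PID roughly two seconds later (the RestartSec= pace) instead of within the default 100 ms hold-off.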
