Ever wondered how to modify/override a systemd script in Debian?
Let’s take the BIND9 systemd script as example. There’s a best practices draft at ISC which states that by design, and for security purposes, the most common mode of failure for BIND is intentional process termination when it encounters an inconsistent state. An automated minder process capable of restarting BIND intelligently is recommended [..].
Following that recommendation, one wants to make sure that BIND is restarted automatically in case of a failure (which is not the case by default). To make systemd restart a service automatically you'll need to add `Restart=` to the service file. There's a helpful table in the systemd.service man page:
Restart settings/Exit causes | no | always | on-success | on-failure | on-abnormal | on-abort | on-watchdog
---|---|---|---|---|---|---|---
Clean exit code or signal | | X | X | | | |
Unclean exit code | | X | | X | | |
Unclean signal | | X | | X | X | X |
Timeout | | X | | X | X | |
Watchdog | | X | | X | X | | X
Because DNS is pretty important, I'd just pick `Restart=always`, which will make sure that it is restarted even if it exited successfully. Mind that it won't automatically restart if you issue `service bind9 stop` / `systemctl stop bind9`.
To add `Restart=` to the service file issue:

```
systemctl edit bind9.service
```

and add:

```
[Service]
Restart=always
```

Save and exit the file. Take a look at `systemctl status bind9`:
```
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/bind9.service.d
           └─override.conf
   Active: active (running) since Mon 2017-06-05 11:41:42 CEST; 37s ago
     Docs: man:named(8)
  Process: 7728 ExecStop=/usr/sbin/rndc stop (code=exited, status=1/FAILURE)
 Main PID: 7733 (named)
    Tasks: 5 (limit: 4915)
   CGroup: /system.slice/bind9.service
           └─7733 /usr/sbin/named -f -u bind
```
You'll notice `Drop-In` shows the override.conf. Let's pick the `Main PID: 7733` and kill it:
```
kill -9 7733
```
And re-check `systemctl status`:
```
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/bind9.service.d
           └─override.conf
   Active: active (running) since Mon 2017-06-05 11:43:06 CEST; 1min 25s ago
     Docs: man:named(8)
  Process: 7744 ExecStop=/usr/sbin/rndc stop (code=exited, status=1/FAILURE)
 Main PID: 7749 (named)
    Tasks: 5 (limit: 4915)
   CGroup: /system.slice/bind9.service
           └─7749 /usr/sbin/named -f -u bind
```
It does have a new PID now. `journalctl -xe` shows even more:
```
Jun 05 11:43:05 dns1 systemd[1]: bind9.service: Main process exited, code=killed, status=9/KILL
Jun 05 11:43:05 dns1 rndc[7744]: rndc: connect failed: 127.0.0.1#953: connection refused
Jun 05 11:43:05 dns1 systemd[1]: bind9.service: Control process exited, code=exited status=1
Jun 05 11:43:05 dns1 systemd[1]: bind9.service: Unit entered failed state.
Jun 05 11:43:05 dns1 systemd[1]: bind9.service: Failed with result 'signal'.
Jun 05 11:43:06 dns1 systemd[1]: bind9.service: Service hold-off time over, scheduling restart.
Jun 05 11:43:06 dns1 systemd[1]: Stopped BIND Domain Name Server.
-- Subject: Unit bind9.service has finished shutting down
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit bind9.service has finished shutting down.
Jun 05 11:43:06 dns1 systemd[1]: Started BIND Domain Name Server.
-- Subject: Unit bind9.service has finished start-up
```
Note how systemd noticed that BIND has been killed and restarted it 🙂
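The same change done non-interactively, as an added example that is not from the original post: it writes the drop-in that `systemctl edit bind9.service` would create, reloads systemd, checks the effective setting and repeats the kill test above. The `ROOT` and `UNIT` variables and the `RestartSec=5` value are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: the drop-in that
# `systemctl edit bind9.service` creates, written non-interactively so the
# change is reproducible (e.g. from configuration management), plus the
# checks from the post. ROOT, UNIT and the RestartSec value are assumptions
# of this example; with ROOT empty the paths are the real ones under /etc.
set -eu

ROOT="${ROOT:-}"               # assumed: empty on a real host, a scratch dir in tests
UNIT="${UNIT:-bind9.service}"

# Where systemctl edit places the drop-in: /etc/systemd/system/<unit>.d/override.conf
dropin_dir()  { printf '%s/etc/systemd/system/%s.d\n' "$ROOT" "$UNIT"; }
dropin_file() { printf '%s/override.conf\n' "$(dropin_dir)"; }

# Write the override. Restart=always restarts named after any exit, including
# a clean one. RestartSec=5 (assumed value) delays each restart so a named that
# dies immediately on start does not trip systemd's default start rate limit
# (5 starts within 10 s) and get left in the failed state.
write_override() {
    mkdir -p "$(dropin_dir)"
    cat > "$(dropin_file)" <<'EOF'
[Service]
Restart=always
RestartSec=5
EOF
}

# Effective value of a key in the drop-in (last assignment wins, as in systemd).
override_value() {
    sed -n "s/^$1=//p" "$(dropin_file)" | tail -n 1
}

# Verdict on the value `systemctl show -p Restart --value <unit>` prints after
# a daemon-reload; takes the string as an argument so it is testable offline.
restart_is_always() {
    [ "$1" = "always" ]
}

# Apply on a live host: write the drop-in and reload, as systemctl edit does.
apply_override() {
    write_override
    systemctl daemon-reload
    restart_is_always "$(systemctl show -p Restart --value "$UNIT")" \
        && echo "$UNIT: Restart=always is active"
}

# Repeat the post's test: kill the main process and confirm a new PID appears.
crash_test() {
    old=$(systemctl show -p MainPID --value "$UNIT")
    kill -9 "$old"
    sleep 7                                    # longer than RestartSec
    new=$(systemctl show -p MainPID --value "$UNIT")
    [ "$new" != "0" ] && [ "$new" != "$old" ] \
        && echo "$UNIT restarted: PID $old -> $new"
}

case "${1:-}" in
    apply) apply_override ;;
    test)  crash_test ;;
esac
```

Run it with `apply` on the host, then with `test` to repeat the kill. The "Service hold-off time over" line in the journal above is exactly that `RestartSec` delay (100 ms by default); raising it matters once `Restart=always` is set, because a named that dies right after starting would otherwise exhaust systemd's start rate limit within seconds and stay down instead of being restarted.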