
I have an HTTP service (let's call it Foo) with systemd socket activation. I would like to support this setup:

  1. monitoring service tells Foo to stop (e.g. POST /stop)
  2. Foo finishes its (potentially long) work then exits.
  3. monitoring service polls an HTTP endpoint on Foo (e.g. GET /are-you-up) waiting for it to exit.

At step 3 when the monitoring service hits /are-you-up, systemd's socket activation restarts the HTTP service!

I'd still like systemd to manage the socket (so that my service doesn't have to run/start as root). I'd also still like systemd to restart my service if it crashes (non-0 exit code).

Is either of these possible?

  • systemd manages the socket but doesn't do socket activation?
  • OR Foo service on shutdown tells systemd to close the socket / stop responding to it. I tried having the service run 'systemctl stop foo.socket' but it runs as an unprivileged user.

The big picture is that the service is being replaced. After it shuts down the (cloud) server will be deleted.

Graham King
  • Why must your service start as root if you don't use socket activation? Why doesn't your monitoring service ask systemd when the service has stopped? – Michael Hampton Feb 01 '19 at 03:33
  • root (or capabilities) because it listens on port 443. How would the remote monitoring system talk to systemd? – Graham King Feb 01 '19 at 17:17
  • This is not a good use case for socket activation. You should instead configure your web server to drop privileges, like every other web server does. You could also run it on an unprivileged port with a standard web server in front of it, which is possibly a better idea. – Michael Hampton Feb 01 '19 at 17:56

1 Answer

For anyone else stuck with this, what I ended up doing is shutting down the HTTP listener but keeping the process running. In pseudo code the Foo service does:

```
close(httpSocket)
print("Stopped")
sleep(forever)
```

This means the monitoring service's GET /are-you-up will know the service is done, systemd won't restart it, and I still get all the other systemd goodness. In practice it has been working well for several months now.

If there is a cleaner option please add your answer. Thanks!

Graham King
  • Answered here: https://superuser.com/a/1470329 – seriousdev Oct 17 '20 at 20:23
  • Thanks. That answer says `systemctl mask foo`, but the service is unprivileged. I don't think it can mask itself. Same problem as `systemctl stop foo`, see the second bullet point in question. – Graham King Oct 21 '20 at 18:51
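
What the workaround in the answer looks like from the monitor's side, as an added example that is not part of the original posts: a Python simulation in which `manager` stands in for the copy of the listening socket that systemd keeps and `dup()` stands in for the descriptor Foo inherits (both are assumptions of this sketch, as are the function names). Once Foo closes only its copy, the kernel still completes new connections into the backlog and nothing answers them, so the poll has to treat a timeout, not a refused connection, as "stopped".

```python
import socket
import threading

def probe(port, timeout=0.5):
    """Monitor-side poll: 'up', 'hung' (connected, no reply) or 'refused'."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
            c.sendall(b"GET /are-you-up HTTP/1.0\r\n\r\n")
            return "up" if c.recv(64) else "hung"
    except socket.timeout:
        return "hung"
    except ConnectionRefusedError:
        return "refused"

def serve_until_stopped(sock, stop):
    """Foo: answer requests until told to stop, then close only its own copy."""
    sock.settimeout(0.1)
    while not stop.is_set():
        try:
            conn, _ = sock.accept()
        except socket.timeout:
            continue
        with conn:
            conn.recv(1024)
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nyes")
    sock.close()  # the answer's close(httpSocket); the real Foo then sleeps forever

def demo():
    # Constructed stand-in for the socket unit: the manager owns the listener.
    manager = socket.socket()
    manager.bind(("127.0.0.1", 0))
    manager.listen(8)
    port = manager.getsockname()[1]

    stop = threading.Event()
    foo = threading.Thread(target=serve_until_stopped, args=(manager.dup(), stop))
    foo.start()
    before = probe(port)       # Foo is serving
    stop.set()
    foo.join()
    after_close = probe(port)  # Foo closed its copy, the manager still holds its own
    manager.close()
    after_unit_stop = probe(port)  # last descriptor gone: nothing listens any more
    return before, after_close, after_unit_stop

if __name__ == "__main__":
    print(demo())
```
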