I am trying to override the start parameters of the standard slapd (OpenLDAP) daemon with systemd, but as soon as I override ExecStart the daemon fails to start. My question is why it fails and how I can change the daemon's start parameters.
I have overridden the systemd slapd.service file with the following:
root@debian:~ $ systemctl edit slapd
[Service]
ExecStart=
ExecStart=/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
Here is some further output for debugging:
root@debian:~ $ systemctl cat slapd
# /run/systemd/generator.late/slapd.service
# Automatically generated by systemd-sysv-generator
[Unit]
Documentation=man:systemd-sysv-generator(8)
SourcePath=/etc/init.d/slapd
Description=LSB: OpenLDAP standalone server (Lightweight Directory Access Protoc
Before=multi-user.target
Before=multi-user.target
Before=multi-user.target
Before=graphical.target
After=remote-fs.target
After=network-online.target
Wants=network-online.target
[Service]
Type=forking
Restart=no
TimeoutSec=5min
IgnoreSIGPIPE=no
KillMode=process
GuessMainPID=no
RemainAfterExit=yes
SuccessExitStatus=5 6
ExecStart=/etc/init.d/slapd start
ExecStop=/etc/init.d/slapd stop
Running the daemon without the override shows:
root@debian:~ $ systemctl status slapd
● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
Loaded: loaded (/etc/init.d/slapd; generated; vendor preset: enabled)
Active: active (running) since Mon 2018-07-30 11:33:40 CEST; 1h 20min ago
Docs: man:systemd-sysv-generator(8)
Process: 429 ExecStart=/etc/init.d/slapd start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/slapd.service
└─509 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
Running the daemon with the override, after "systemctl daemon-reload" and "systemctl restart slapd", throws the following error:
root@debian:~ $ sudo systemctl status slapd
● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
Loaded: loaded (/etc/init.d/slapd; generated; vendor preset: enabled)
Drop-In: /etc/systemd/system/slapd.service.d
└─override.conf
Active: failed (Result: exit-code) since Mon 2018-07-30 13:50:13 CEST; 37s ago
Docs: man:systemd-sysv-generator(8)
Jul 30 13:50:11 udamc systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Jul 30 13:50:13 udamc slapd[438]: @(#) $OpenLDAP: slapd (Aug 10 2017 19:12:46) $
Debian OpenLDAP Maintainers <[email protected]>
Jul 30 13:50:13 udamc slapd[438]: daemon: bind(9) failed errno=2 (No such file or directory)
Jul 30 13:50:13 udamc slapd[438]: slapd stopped.
Jul 30 13:50:13 udamc slapd[438]: connections_destroy: nothing to destroy.
Jul 30 13:50:13 udamc systemd[1]: slapd.service: Control process exited, code=exited status=1
Jul 30 13:50:13 udamc systemd[1]: Failed to start LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
Jul 30 13:50:13 udamc systemd[1]: slapd.service: Unit entered failed state.
Jul 30 13:50:13 udamc systemd[1]: slapd.service: Failed with result 'exit-code'.
Answer 1
Your Debian system is not actually using a real systemd unit to run slapd. Instead, it uses the old-style init script slapd located in the /etc/init.d directory. The systemd unit is a generated unit that merely tries to call the init script.
If you cannot upgrade to Debian stable, customize the old init script instead.
Answer 2
Did slapd really stop before the restart? I suspect ExecStop is missing.
Since this is Debian, which probably wraps an old SysV init script, I would also recommend using a separate unit file with a different name stored in /etc/systemd/system/, and making sure the service slapd is disabled and stopped. This also lets you use some additional security-related configuration options and ensures that nothing breaks after an upgrade in case the Debian packagers change the unit file.
See below what I use. systemd starts slapd as an unprivileged user. Also note Type=simple and PIDFile=. YMMV, of course.
#-----------------------------------------------------------------------
# initiate: systemctl enable ae-slapd.service
# start: systemctl start ae-slapd.service
# get status: systemctl status ae-slapd.service
#-----------------------------------------------------------------------
[Unit]
Description=AE-DIR OpenLDAP server
Requires=network.target
After=network.target
[Service]
Type=simple
Environment=LDAPNOINIT=1
PIDFile=/opt/ae-dir/run/slapd/slapd.pid
ExecStart=/usr/lib64/slapd -n ae-slapd -l LOCAL4 -s 7 -f /opt/ae-dir/etc/openldap/slapd.conf -h 'ldapi://%%2Fopt%%2Fae-dir%%2Frun%%2Fslapd%%2Fldapi ldap://*:389 ldaps://*:636' -o slp=off
User=ae-dir-slapd
Group=ae-dir-slapd
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
MemoryDenyWriteExecute=yes
# various hardening options
PrivateTmp=yes
ProtectSystem=full
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
NoNewPrivileges=yes
MountFlags=private
SystemCallArchitectures=native
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
PrivateDevices=yes
[Install]
WantedBy=multi-user.target
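Two things on this page are easy to check offline before touching a live system: how a drop-in such as the question's override.conf replaces a list directive like ExecStart= (an empty assignment resets the list, and a non-oneshot service must end up with exactly one ExecStart=), and which of the hardening directives from the AE-DIR unit in answer 2 a given unit leaves unset. The following parser is an added example; it is not code from the page, from systemd or from the AE-DIR project, it models only the subset of unit-file semantics named in its comments (no line continuations, specifiers or quoting rules), and the sample unit texts are constructed, abridged from the question and from the unit above.

```python
import re

# Directives systemd treats as lists: an empty assignment resets the list, which
# is why the override in the question writes "ExecStart=" before the new value.
# (Subset of the real set, enough for this example.)
LIST_DIRECTIVES = {"ExecStart", "ExecStartPre", "ExecStartPost", "ExecStop",
                   "ExecReload", "Before", "After", "Wants", "Requires"}

# Hardening directives used by the AE-DIR unit in answer 2 (names only).
HARDENING = sorted({
    "CapabilityBoundingSet", "MemoryDenyWriteExecute", "NoNewPrivileges",
    "PrivateDevices", "PrivateTmp", "ProtectControlGroups", "ProtectHome",
    "ProtectKernelModules", "ProtectKernelTunables", "ProtectSystem",
    "RestrictAddressFamilies", "SystemCallArchitectures",
})


def parse_unit(text, unit=None):
    """Parse unit text into {section: {key: value-or-list}}; with `unit` given,
    apply the text on top of it, which models a drop-in (override.conf)."""
    unit = {} if unit is None else unit
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            unit.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"directive outside a section: {line!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if key in LIST_DIRECTIVES:
            if value == "":
                unit[section][key] = []          # reset the list
            else:
                unit[section].setdefault(key, []).append(value)
        else:
            unit[section][key] = value           # scalars are replaced
    return unit


def effective_unit(base_text, *dropin_texts):
    """Merge a unit with its drop-ins in order, as `systemctl cat` lists them."""
    unit = parse_unit(base_text)
    for text in dropin_texts:
        parse_unit(text, unit)
    return unit


def exec_start_problems(unit):
    """systemd's rule: unless Type=oneshot, exactly one ExecStart= command."""
    service = unit.get("Service", {})
    commands = service.get("ExecStart", [])
    if service.get("Type", "simple") != "oneshot" and len(commands) != 1:
        return [f"expected exactly one ExecStart=, found {len(commands)}"]
    return []


def missing_hardening(unit):
    """Hardening directives from the AE-DIR unit that this unit does not set."""
    service = unit.get("Service", {})
    return [k for k in HARDENING if k not in service]


# Constructed samples, abridged from the question and from answer 2.
GENERATED = """\
[Service]
Type=forking
ExecStart=/etc/init.d/slapd start
ExecStop=/etc/init.d/slapd stop
"""
OVERRIDE = """\
[Service]
ExecStart=
ExecStart=/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
"""
# The same override without the resetting empty assignment.
OVERRIDE_NO_RESET = OVERRIDE.replace("ExecStart=\n", "", 1)
HARDENED = """\
[Service]
Type=simple
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
MemoryDenyWriteExecute=yes
PrivateTmp=yes
ProtectSystem=full
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
NoNewPrivileges=yes
SystemCallArchitectures=native
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
PrivateDevices=yes
"""
```

Calling effective_unit(GENERATED, OVERRIDE) yields a single ExecStart= (the override's command) with ExecStop= still inherited from the generated unit, while effective_unit(GENERATED, OVERRIDE_NO_RESET) keeps both commands and exec_start_problems reports it, which is the load-time refusal a Type=forking service would hit on the real system; missing_hardening on the override-based unit lists all twelve directives, and on HARDENED lists none. On the real host, systemctl cat shows the merged text this parser approximates, and systemd-analyze verify performs the actual unit validation.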