systemd: add user unit
The user unit omits the "ProtectKernelModules" setting which fails with modular kernels: Failed at step CAPABILITIES spawning /usr/bin/mpd: Operation not permitted It is unfortunate that systemd (version 232) is unable to reduce its own capabilities, because this requires us to split system and user units. https://bugs.musicpd.org/view.php?id=4608
This commit is contained in:
parent
53e22b81ef
commit
ab332d7b2e
@ -1453,6 +1453,11 @@ systemdsystemunit_DATA = \
|
||||
systemd/system/mpd.service
|
||||
endif
|
||||
|
||||
if HAVE_SYSTEMD_USER
|
||||
systemduserunit_DATA = \
|
||||
systemd/user/mpd.service
|
||||
endif
|
||||
|
||||
|
||||
#
|
||||
# Test programs
|
||||
|
1
NEWS
1
NEWS
@ -2,6 +2,7 @@ ver 0.19.20 (not yet released)
|
||||
* decoder
|
||||
- ffmpeg: fix crash bug
|
||||
* fix unit test failure after recent "setprio" change
|
||||
* systemd: add user unit
|
||||
|
||||
ver 0.19.20 (2016/12/09)
|
||||
* protocol
|
||||
|
17
configure.ac
17
configure.ac
@ -52,6 +52,22 @@ if test "x$with_systemdsystemunitdir" != xno; then
|
||||
fi
|
||||
AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$with_systemdsystemunitdir" -a "x$with_systemdsystemunitdir" != xno ])
|
||||
|
||||
AC_ARG_WITH([systemduserunitdir],
|
||||
AS_HELP_STRING([--with-systemduserunitdir=DIR], [Directory for systemd service files]),
|
||||
[], [with_systemduserunitdir=no])
|
||||
if test "x$with_systemduserunitdir" = xyes; then
|
||||
AC_MSG_CHECKING(for systemd)
|
||||
with_systemduserunitdir=$($PKG_CONFIG --variable=systemduserunitdir systemd)
|
||||
if test -z "$with_systemduserunitdir"; then
|
||||
AC_MSG_ERROR([Failed to detect systemd])
|
||||
fi
|
||||
AC_MSG_RESULT([$with_systemduserunitdir])
|
||||
fi
|
||||
if test "x$with_systemduserunitdir" != xno; then
|
||||
AC_SUBST([systemduserunitdir], [$with_systemduserunitdir])
|
||||
fi
|
||||
AM_CONDITIONAL(HAVE_SYSTEMD_USER, [test -n "$with_systemduserunitdir" -a "x$with_systemduserunitdir" != xno ])
|
||||
|
||||
dnl ---------------------------------------------------------------------------
|
||||
dnl Declare Variables
|
||||
dnl ---------------------------------------------------------------------------
|
||||
@ -1906,6 +1922,7 @@ dnl ---------------------------------------------------------------------------
|
||||
AC_CONFIG_FILES(Makefile)
|
||||
AC_CONFIG_FILES(doc/doxygen.conf)
|
||||
AC_CONFIG_FILES(systemd/system/mpd.service)
|
||||
AC_CONFIG_FILES(systemd/user/mpd.service)
|
||||
AC_OUTPUT
|
||||
|
||||
echo 'MPD is ready for compilation, type "make" to begin.'
|
||||
|
27
doc/user.xml
27
doc/user.xml
@ -167,6 +167,33 @@ systemctl start mpd.socket</programlisting>
|
||||
<varname>port</varname> settings.
|
||||
</para>
|
||||
</section>
|
||||
|
||||
<section id="systemd_user">
|
||||
<title><filename>systemd</filename> user unit</title>
|
||||
|
||||
<para>
|
||||
You can launch <application>MPD</application> as a
|
||||
<filename>systemd</filename> user unit. The service file will
|
||||
only be installed when <application>MPD</application> was
|
||||
configured with
|
||||
<parameter>--with-systemduserunitdir=/usr/lib/systemd/user</parameter>
|
||||
or
|
||||
<parameter>--with-systemduserunitdir=$HOME/.local/share/systemd/user</parameter>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Once the user unit is installed, you can start and stop
|
||||
<application>MPD</application> like any other service:
|
||||
</para>
|
||||
|
||||
<programlisting>systemctl --user start mpd</programlisting>
|
||||
|
||||
<para>
|
||||
To auto-start <application>MPD</application> upon login, type:
|
||||
</para>
|
||||
|
||||
<programlisting>systemctl --user enable mpd</programlisting>
|
||||
</section>
|
||||
</chapter>
|
||||
|
||||
<chapter id="config">
|
||||
|
29
systemd/user/mpd.service.in
Normal file
29
systemd/user/mpd.service.in
Normal file
@ -0,0 +1,29 @@
|
||||
[Unit]
|
||||
Description=Music Player Daemon
|
||||
After=network.target sound.target
|
||||
|
||||
[Service]
|
||||
ExecStart=@prefix@/bin/mpd --no-daemon
|
||||
|
||||
# allow MPD to use real-time priority 50
|
||||
LimitRTPRIO=50
|
||||
LimitRTTIME=infinity
|
||||
|
||||
# disallow writing to /usr, /bin, /sbin, ...
|
||||
ProtectSystem=yes
|
||||
|
||||
# more paranoid security settings
|
||||
NoNewPrivileges=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectControlGroups=yes
|
||||
# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
|
||||
RestrictNamespaces=yes
|
||||
|
||||
# Note that "ProtectKernelModules=yes" is missing in the user unit
|
||||
# because systemd 232 is unable to reduce its own capabilities
|
||||
# ("Failed at step CAPABILITIES spawning /usr/bin/mpd: Operation not
|
||||
# permitted")
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
|
Loading…
Reference in New Issue
Block a user