systemd: add user unit
The user unit omits the "ProtectKernelModules" setting which fails with modular kernels: Failed at step CAPABILITIES spawning /usr/bin/mpd: Operation not permitted It is unfortunate that systemd (version 232) is unable to reduce its own capabilities, because this requires us to split system and user units. https://bugs.musicpd.org/view.php?id=4608
This commit is contained in:
Max Kellermann
@@ -1453,6 +1453,11 @@ systemdsystemunit_DATA = \
|
|||||||
systemd/system/mpd.service
|
systemd/system/mpd.service
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
if HAVE_SYSTEMD_USER
|
||||||
|
systemduserunit_DATA = \
|
||||||
|
systemd/user/mpd.service
|
||||||
|
endif
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Test programs
|
# Test programs
|
||||||
|
|||||||
1
NEWS
1
NEWS
@@ -2,6 +2,7 @@ ver 0.19.20 (not yet released)
|
|||||||
* decoder
|
* decoder
|
||||||
- ffmpeg: fix crash bug
|
- ffmpeg: fix crash bug
|
||||||
* fix unit test failure after recent "setprio" change
|
* fix unit test failure after recent "setprio" change
|
||||||
|
* systemd: add user unit
|
||||||
|
|
||||||
ver 0.19.20 (2016/12/09)
|
ver 0.19.20 (2016/12/09)
|
||||||
* protocol
|
* protocol
|
||||||
|
|||||||
17
configure.ac
17
configure.ac
@@ -52,6 +52,22 @@ if test "x$with_systemdsystemunitdir" != xno; then
|
|||||||
fi
|
fi
|
||||||
AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$with_systemdsystemunitdir" -a "x$with_systemdsystemunitdir" != xno ])
|
AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$with_systemdsystemunitdir" -a "x$with_systemdsystemunitdir" != xno ])
|
||||||
|
|
||||||
|
AC_ARG_WITH([systemduserunitdir],
|
||||||
|
AS_HELP_STRING([--with-systemduserunitdir=DIR], [Directory for systemd service files]),
|
||||||
|
[], [with_systemduserunitdir=no])
|
||||||
|
if test "x$with_systemduserunitdir" = xyes; then
|
||||||
|
AC_MSG_CHECKING(for systemd)
|
||||||
|
with_systemduserunitdir=$($PKG_CONFIG --variable=systemduserunitdir systemd)
|
||||||
|
if test -z "$with_systemduserunitdir"; then
|
||||||
|
AC_MSG_ERROR([Failed to detect systemd])
|
||||||
|
fi
|
||||||
|
AC_MSG_RESULT([$with_systemduserunitdir])
|
||||||
|
fi
|
||||||
|
if test "x$with_systemduserunitdir" != xno; then
|
||||||
|
AC_SUBST([systemduserunitdir], [$with_systemduserunitdir])
|
||||||
|
fi
|
||||||
|
AM_CONDITIONAL(HAVE_SYSTEMD_USER, [test -n "$with_systemduserunitdir" -a "x$with_systemduserunitdir" != xno ])
|
||||||
|
|
||||||
dnl ---------------------------------------------------------------------------
|
dnl ---------------------------------------------------------------------------
|
||||||
dnl Declare Variables
|
dnl Declare Variables
|
||||||
dnl ---------------------------------------------------------------------------
|
dnl ---------------------------------------------------------------------------
|
||||||
@@ -1906,6 +1922,7 @@ dnl ---------------------------------------------------------------------------
|
|||||||
AC_CONFIG_FILES(Makefile)
|
AC_CONFIG_FILES(Makefile)
|
||||||
AC_CONFIG_FILES(doc/doxygen.conf)
|
AC_CONFIG_FILES(doc/doxygen.conf)
|
||||||
AC_CONFIG_FILES(systemd/system/mpd.service)
|
AC_CONFIG_FILES(systemd/system/mpd.service)
|
||||||
|
AC_CONFIG_FILES(systemd/user/mpd.service)
|
||||||
AC_OUTPUT
|
AC_OUTPUT
|
||||||
|
|
||||||
echo 'MPD is ready for compilation, type "make" to begin.'
|
echo 'MPD is ready for compilation, type "make" to begin.'
|
||||||
|
|||||||
27
doc/user.xml
27
doc/user.xml
@@ -167,6 +167,33 @@ systemctl start mpd.socket</programlisting>
|
|||||||
<varname>port</varname> settings.
|
<varname>port</varname> settings.
|
||||||
</para>
|
</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section id="systemd_user">
|
||||||
|
<title><filename>systemd</filename> user unit</title>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
You can launch <application>MPD</application> as a
|
||||||
|
<filename>systemd</filename> user unit. The service file will
|
||||||
|
only be installed when <application>MPD</application> was
|
||||||
|
configured with
|
||||||
|
<parameter>--with-systemduserunitdir=/usr/lib/systemd/user</parameter>
|
||||||
|
or
|
||||||
|
<parameter>--with-systemduserunitdir=$HOME/.local/share/systemd/user</parameter>.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
Once the user unit is installed, you can start and stop
|
||||||
|
<application>MPD</application> like any other service:
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<programlisting>systemctl --user start mpd</programlisting>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
To auto-start <application>MPD</application> upon login, type:
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<programlisting>systemctl --user enable mpd</programlisting>
|
||||||
|
</section>
|
||||||
</chapter>
|
</chapter>
|
||||||
|
|
||||||
<chapter id="config">
|
<chapter id="config">
|
||||||
|
|||||||
29
systemd/user/mpd.service.in
Normal file
29
systemd/user/mpd.service.in
Normal file
@@ -0,0 +1,29 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Music Player Daemon
|
||||||
|
After=network.target sound.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
ExecStart=@prefix@/bin/mpd --no-daemon
|
||||||
|
|
||||||
|
# allow MPD to use real-time priority 50
|
||||||
|
LimitRTPRIO=50
|
||||||
|
LimitRTTIME=infinity
|
||||||
|
|
||||||
|
# disallow writing to /usr, /bin, /sbin, ...
|
||||||
|
ProtectSystem=yes
|
||||||
|
|
||||||
|
# more paranoid security settings
|
||||||
|
NoNewPrivileges=yes
|
||||||
|
ProtectKernelTunables=yes
|
||||||
|
ProtectControlGroups=yes
|
||||||
|
# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
|
||||||
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
|
||||||
|
RestrictNamespaces=yes
|
||||||
|
|
||||||
|
# Note that "ProtectKernelModules=yes" is missing in the user unit
|
||||||
|
# because systemd 232 is unable to reduce its own capabilities
|
||||||
|
# ("Failed at step CAPABILITIES spawning /usr/bin/mpd: Operation not
|
||||||
|
# permitted")
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=default.target
|
||||||
Reference in New Issue
Block a user