walkero
/
nghttp2
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

nghttpx: add systemd support 

Add systemd's Type=notify support by sending information about
 master process PID around forks.
  Add some hardening option to service unit.
This commit is contained in:
Tomasz Torcz 2017-02-08 19:15:25 +01:00
parent a231874e1e
commit fdb75ba5fe
4 changed files with 59 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
configure.ac
View File

@ -395,6 +395,18 @@ else
AC_MSG_NOTICE($JANSSON_PKG_ERRORS) AC_MSG_NOTICE($JANSSON_PKG_ERRORS)
fi fi
# libsystemd
PKG_CHECK_MODULES([SYSTEMD], [libsystemd >= 209], [have_libsystemd=yes],
[have_libsystemd=no])
if test "x${have_libsystemd}" = "xyes"; then
AC_DEFINE([HAVE_LIBSYSTEMD], [1],
[Define to 1 if you have `libsystemd` library.])
else
AC_MSG_NOTICE($SYSTEMD_PKG_ERRORS)
fi
# libxml2 (for src/nghttp) # libxml2 (for src/nghttp)
PKG_CHECK_MODULES([LIBXML2], [libxml-2.0 >= 2.7.7], PKG_CHECK_MODULES([LIBXML2], [libxml-2.0 >= 2.7.7],
[have_libxml2=yes], [have_libxml2=no]) [have_libxml2=yes], [have_libxml2=no])
@ -914,6 +926,7 @@ AC_MSG_NOTICE([summary of build options:
Jansson: ${have_jansson} (CFLAGS='${JANSSON_CFLAGS}' LIBS='${JANSSON_LIBS}') Jansson: ${have_jansson} (CFLAGS='${JANSSON_CFLAGS}' LIBS='${JANSSON_LIBS}')
Jemalloc: ${have_jemalloc} (LIBS='${JEMALLOC_LIBS}') Jemalloc: ${have_jemalloc} (LIBS='${JEMALLOC_LIBS}')
Zlib: ${have_zlib} (CFLAGS='${ZLIB_CFLAGS}' LIBS='${ZLIB_LIBS}') Zlib: ${have_zlib} (CFLAGS='${ZLIB_CFLAGS}' LIBS='${ZLIB_LIBS}')
systemd: ${have_libsystemd} (LIBS='${SYSTEMD_LIBS}')
Boost CPPFLAGS: ${BOOST_CPPFLAGS} Boost CPPFLAGS: ${BOOST_CPPFLAGS}
Boost LDFLAGS: ${BOOST_LDFLAGS} Boost LDFLAGS: ${BOOST_LDFLAGS}
Boost::ASIO: ${BOOST_ASIO_LIB} Boost::ASIO: ${BOOST_ASIO_LIB}

11
contrib/nghttpx.service.in
View File

@ -1,10 +1,17 @@
[Unit] [Unit]
Description=HTTP/2 proxy Description=HTTP/2 proxy
Documentation=man:nghttpx
After=network.target After=network.target
[Service] [Service]
Type=forking Type=notify
ExecStart=@bindir@/nghttpx --conf=/etc/nghttpx/nghttpx.conf --pid-file=/run/nghttpx.pid --daemon ExecStart=@bindir@/nghttpx --conf=/etc/nghttpx/nghttpx.conf
ExecReload=/bin/kill --signal HUP $MAINPID
KillSignal=SIGQUIT
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
Restart=always
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

1
src/Makefile.am
View File

@ -57,6 +57,7 @@ LDADD = $(top_builddir)/lib/libnghttp2.la \
@LIBEV_LIBS@ \ @LIBEV_LIBS@ \
@OPENSSL_LIBS@ \ @OPENSSL_LIBS@ \
@LIBCARES_LIBS@ \ @LIBCARES_LIBS@ \
@SYSTEMD_LIBS@ \
@JANSSON_LIBS@ \ @JANSSON_LIBS@ \
@ZLIB_LIBS@ \ @ZLIB_LIBS@ \
@APPLDFLAGS@ @APPLDFLAGS@

36
src/shrpx.cc
View File

@ -56,6 +56,9 @@
#include <sys/time.h> #include <sys/time.h>
#endif // HAVE_SYS_TIME_H #endif // HAVE_SYS_TIME_H
#include <sys/resource.h> #include <sys/resource.h>
#ifdef HAVE_LIBSYSTEMD
#include <systemd/sd-daemon.h>
#endif // HAVE_LIBSYSTEMD
#include <cinttypes> #include <cinttypes>
#include <limits> #include <limits>
@ -363,6 +366,18 @@ int save_pid() {
} }
} // namespace } // namespace
namespace {
void shrpx_sd_notifyf(int unset_environment, const char *format, ...) {
#ifdef HAVE_LIBSYSTEMD
va_list args;
va_start(args, format);
sd_notifyf(unset_environment, format, va_arg(args, char *));
va_end(args);
#endif // HAVE_LIBSYSTEMD
}
} // namespace
namespace { namespace {
void exec_binary() { void exec_binary() {
int rv; int rv;
@ -371,6 +386,8 @@ void exec_binary() {
LOG(NOTICE) << "Executing new binary"; LOG(NOTICE) << "Executing new binary";
shrpx_sd_notifyf(0, "RELOADING=1");
rv = shrpx_signal_block_all(&oldset); rv = shrpx_signal_block_all(&oldset);
if (rv != 0) { if (rv != 0) {
auto error = errno; auto error = errno;
@ -386,6 +403,9 @@ void exec_binary() {
if (pid == -1) { if (pid == -1) {
auto error = errno; auto error = errno;
LOG(ERROR) << "fork() failed errno=" << error; LOG(ERROR) << "fork() failed errno=" << error;
} else {
// update PID tracking information in systemd
shrpx_sd_notifyf(0, "MAINPID=%d\n", pid);
} }
rv = shrpx_signal_set(&oldset); rv = shrpx_signal_set(&oldset);
@ -489,6 +509,9 @@ void exec_binary() {
// restores original stderr // restores original stderr
restore_original_fds(); restore_original_fds();
// reloading finished
shrpx_sd_notifyf(0, "READY=1");
if (execve(argv[0], argv.get(), envp.get()) == -1) { if (execve(argv[0], argv.get(), envp.get()) == -1) {
auto error = errno; auto error = errno;
LOG(ERROR) << "execve failed: errno=" << error; LOG(ERROR) << "execve failed: errno=" << error;
@ -1088,6 +1111,13 @@ int call_daemon() {
#ifdef __sgi #ifdef __sgi
return _daemonize(0, 0, 0, 0); return _daemonize(0, 0, 0, 0);
#else // !__sgi #else // !__sgi
#ifdef HAVE_LIBSYSTEMD
if (sd_booted() && (getenv("NOTIFY_SOCKET") != NULL)) {
LOG(NOTICE) << "Daemonising disabled under systemd";
chdir("/");
return 0;
}
#endif // HAVE_LIBSYSTEMD
return daemon(0, 0); return daemon(0, 0);
#endif // !__sgi #endif // !__sgi
} }
@ -1245,6 +1275,9 @@ int event_loop() {
redirect_stderr_to_errorlog(); redirect_stderr_to_errorlog();
} }
// update systemd PID tracking
shrpx_sd_notifyf(0, "MAINPID=%d\n", config->pid);
{ {
auto iaddrs = get_inherited_addr_from_env(config); auto iaddrs = get_inherited_addr_from_env(config);
@ -1275,6 +1308,9 @@ int event_loop() {
save_pid(); save_pid();
} }
// ready to serve requests
shrpx_sd_notifyf(0, "READY=1");
ev_run(loop, 0); ev_run(loop, 0);
return 0; return 0;