[Dnsmasq-discuss] systemd service improvements

Simon Kelley simon at thekelleys.org.uk
Thu Jul 7 20:14:04 BST 2016


Replying to original post, but I've also read the rest of the thread.

I agree with most of the other replies: a systemd unit file is
equivalent to an init script, not something to be installed by the
dnsmasq source distribution. You'll find that

make install

doesn't add any files apart from the dnsmasq binary and man page.

The dnsmasq source distro _does_ have a systemd unit file to act as a
template for distros/installations to use; it's in contrib/systemd.

I'm happy to add your code there, either as an alternative to or a
replacement for the existing unit file.

Cheers,

Simon.


On 30/06/16 15:58, Craig Andrews wrote:
> I'd like to propose a couple of changes in terms of systemd in dnsmasq.
> First, dnsmasq should always install a systemd unit so all
> distributions/users can use it (if a user/distro doesn't use systemd,
> the unit will simply be ignored - no harm done). Currently, the unit
> is only part of the Debian packaging. Dnsmasq may want to include an
> alternate unit in the Debian packaging and a generic, for-all-distros
> version in the default installation.
> Second, the systemd unit should be improved a bit to feature hardening
> and not running as root. Here's my proposed dnsmasq.service:
> ---
> [Unit]
> Description=A lightweight DHCP and caching DNS server
> After=network.target
> 
> [Service]
> User=dnsmasq
> Group=dnsmasq
> Type=simple
> PIDFile=/run/dnsmasq/dnsmasq.pid
> ExecStartPre=/usr/sbin/dnsmasq --test
> ExecStart=/usr/sbin/dnsmasq -k -x /run/dnsmasq/dnsmasq.pid
> ExecReload=/bin/kill -HUP $MAINPID
> RuntimeDirectory=dnsmasq
> CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
> AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
> PrivateTmp=yes
> PrivateDevices=yes
> ProtectSystem=full
> ProtectHome=yes
> NoNewPrivileges=yes
> 
> [Install]
> WantedBy=multi-user.target
> ---
> 
> Compared to
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=debian/systemd.service;h=40b8d27cba21400d8b56ecc4a85266879988911d;hb=HEAD
> I think this is a nice improvement.
> 
> The only issue is that the Debian version uses /etc/init.d/dnsmasq and
> depends on Debian's resolvconf which other distros won't have, hence
> dnsmasq will probably want to keep a special unit for Debian.
> 
> Thanks,
> ~Craig
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
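As an added example (not code from the thread, from dnsmasq's contrib/systemd, or from any distro package), the following Python script is a small static lint for the hardening directives the proposed unit relies on: it parses a .service file, reports whether the service still runs as root, whether the capability bounding set is restricted and actually reachable through AmbientCapabilities= for a non-root User=, and whether the namespace sandboxing directives are on. The "hardened" sample is the unit posted above; the "unhardened" sample is a constructed minimal unit, not the Debian unit linked in the post. One caveat a deployer should test rather than assume: dnsmasq's own root-dropping code (see the --user entry in the dnsmasq man page) keeps CAP_NET_RAW in addition to CAP_NET_BIND_SERVICE and CAP_NET_ADMIN, because the DHCP server answers over a raw socket, so the checker takes a needs_dhcp flag and flags a bounding set that omits CAP_NET_RAW when DHCP is in use. The function and sample names are this example's own.

```python
"""Static hardening lint for a systemd .service unit (added example)."""
import configparser

# Unit posted in the thread above (the proposal), used as the hardened sample.
HARDENED_UNIT = """\
[Unit]
Description=A lightweight DHCP and caching DNS server
After=network.target

[Service]
User=dnsmasq
Group=dnsmasq
Type=simple
PIDFile=/run/dnsmasq/dnsmasq.pid
ExecStartPre=/usr/sbin/dnsmasq --test
ExecStart=/usr/sbin/dnsmasq -k -x /run/dnsmasq/dnsmasq.pid
ExecReload=/bin/kill -HUP $MAINPID
RuntimeDirectory=dnsmasq
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
"""

# Constructed sample: a minimal unit that leaves privilege handling to
# dnsmasq itself (root, full capability set, no sandboxing). This is NOT
# the Debian unit mentioned in the thread, just a stand-in for comparison.
ROOT_UNIT = """\
[Unit]
Description=dnsmasq (constructed unhardened sample)

[Service]
Type=simple
ExecStart=/usr/sbin/dnsmasq -k

[Install]
WantedBy=multi-user.target
"""

# Sandboxing directives a hardened unit should carry, with the values
# that actually switch the protection on.
_ON = {"yes", "true", "1", "on"}
SANDBOX = {
    "NoNewPrivileges": _ON,
    "PrivateTmp": _ON,
    "PrivateDevices": _ON,
    "ProtectHome": _ON | {"read-only"},
    "ProtectSystem": _ON | {"full", "strict"},
}


def parse_unit(text):
    """Parse unit text into {section: {Directive: value}}.

    Unit files are INI-like but directive names are case-sensitive and may
    repeat; strict=False keeps the last occurrence instead of raising, and
    interpolation is off so "$MAINPID" is left alone.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def caps(service, directive):
    """Capability names listed by a directive such as CapabilityBoundingSet."""
    return set(service.get(directive, "").split())


def audit_service(text, needs_dhcp=False):
    """Return a list of hardening findings; an empty list means none seen."""
    service = parse_unit(text).get("Service", {})
    findings = []

    user = service.get("User", "root")
    if user == "root":
        findings.append("runs as root: no User= (or User=root)")

    bounding = caps(service, "CapabilityBoundingSet")
    ambient = caps(service, "AmbientCapabilities")
    if not bounding:
        findings.append("no CapabilityBoundingSet=: full capability set available")
    elif user != "root" and not ambient:
        # A non-root process gains no capabilities on exec unless systemd
        # raises them as ambient caps, so a bounded set alone is unreachable.
        findings.append("non-root User= without AmbientCapabilities=: bounded caps unreachable")
    elif ambient - bounding:
        findings.append("AmbientCapabilities not within CapabilityBoundingSet: "
                        + " ".join(sorted(ambient - bounding)))
    if needs_dhcp and bounding and "CAP_NET_RAW" not in bounding:
        findings.append("DHCP enabled but CAP_NET_RAW missing from CapabilityBoundingSet")

    for directive, enabled in SANDBOX.items():
        if service.get(directive, "").lower() not in enabled:
            findings.append(f"{directive}= missing or off")
    return findings


if __name__ == "__main__":
    for name, unit in (("constructed root unit", ROOT_UNIT), ("posted unit", HARDENED_UNIT)):
        print(name, "(DHCP in use):")
        for line in audit_service(unit, needs_dhcp=True) or ["no findings"]:
            print("  -", line)
```

This is a static lint only: it reads one file and does not see drop-in overrides under /etc/systemd/system/<unit>.d/, nor systemd's `CapabilityBoundingSet=~` negation syntax. On a host with a current systemd, `systemd-analyze security dnsmasq.service` reports on the unit as the manager actually loaded it, which is the check to run before trusting a hand-written unit.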