Modifying systemd unit files

Discussion in 'all things UNIX' started by summerheat, Jun 25, 2015.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    720
    Since most big distros are using systemd now it might be interesting for some of you how to modify the unit files provided by the respective packages.

    Those unit files are located in the

    /usr/lib/systemd/system/

    directory. You could edit them directly - but those changes would be overwritten by the next update of those packages. As a much better alternative you can create drop-in snippets as described in the Arch Linux wiki.

    It's easy. I've done it for dnsmasq. The default unit file in Arch is this one:

    Code:
    [Unit]
    Description=A lightweight DHCP and caching DNS server
    After=network.target
    Documentation=man:dnsmasq(8)
    
    [Service]
    Type=dbus
    BusName=uk.org.thekelleys.dnsmasq
    ExecStartPre=/usr/bin/dnsmasq --test
    ExecStart=/usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file
    ExecReload=/bin/kill -HUP $MAINPID
    
    [Install]
    WantedBy=multi-user.target
    I wanted to add logging to dnsmasq. In order to do this just execute

    Code:
    sudo systemctl edit dnsmasq
    which opens your default editor with an empty file. I added the following lines:

    Code:
    [Service]
    ExecStart=
    ExecStart=/usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file --log-queries --log-facility=/home/heat/dnsmasq/dnsmasq.log
    saved that file and exited the editor. (Note that the empty ExecStart= entry is necessary in order to clear the original ExecStart entry, as explained on that wiki page.) This automatically creates the directory

    /etc/systemd/system/dnsmasq.service.d

    and the file

    override.conf

    therein with the lines above. dnsmasq should be restarted automatically. sudo systemctl status dnsmasq now reports the following:

    I find this method very useful in order to tailor unit files to your needs.
     
    Last edited: Jun 25, 2015
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    720
    Just another example: dnscrypt-proxy. The default unit file in Arch is this:

    Code:
    [Unit]
    Description=A tool for securing communications between a client and a DNS resolver.
    After=network.target
    # Only needed if you use pdnsd, other caching DNS servers can go here. Could be ignored too.
    #Before=pdnsd.service
    
    [Service]
    EnvironmentFile=/etc/conf.d/dnscrypt-proxy
    ExecStart=/usr/bin/dnscrypt-proxy \
        --local-address=${DNSCRYPT_LOCALIP}:${DNSCRYPT_LOCALPORT} \
        --resolver-address=${DNSCRYPT_RESOLVERIP}:${DNSCRYPT_RESOLVERPORT} \
        --provider-name=${DNSCRYPT_PROVIDER_NAME} \
        --provider-key=${DNSCRYPT_PROVIDER_KEY} \
        --user=${DNSCRYPT_USER}
    Restart=on-abort
    
    [Install]
    WantedBy=multi-user.target
    
    I had noticed on http://dnscrypt.org/ that the new versions support an --ephemeral-keys switch and a --resolver-name switch which refers to the /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv list, which makes it much easier to select a DNSCrypt resolver. Both switches are not reflected in the default unit file. So by executing sudo systemctl edit dnscrypt-proxy I automatically created the following override.conf file in /etc/systemd/system/dnscrypt-proxy.service.d:

    Code:
    [Service]
    ExecStart=
    ExecStart=/usr/bin/dnscrypt-proxy --ephemeral-keys --resolver-name=dnscrypt.eu-nl \
        --local-address=${DNSCRYPT_LOCALIP}:${DNSCRYPT_LOCALPORT} \
        --user=${DNSCRYPT_USER}
    In this case dnscrypt-proxy wasn't restarted automatically (contrary to what the Arch wiki page says), so I executed sudo systemctl restart dnscrypt-proxy. sudo systemctl status dnscrypt-proxy now reports:

     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    720
    FWIW, I modified the override.conf for dnsmasq again. Since dnsmasq is a network-related service and was affected by some vulnerabilities in the past I decided to sandbox it with Firejail:

    Code:
    [Service]
    ExecStart=
    #ExecStart=/usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file --log-queries --log-facility=/home/heat/dnsmasq/dnsmasq.log
    ExecStart=/usr/bin/firejail --profile=/home/heat/.config/firejail/dnsmasq.profile /usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file --log-queries --log-facility=/home/heat/dnsmasq/dnsmasq.log
    
    In dnsmasq.profile I had to remove "include /etc/firejail/disable-mgmt.inc" since blacklisting /sbin and /usr/sbin broke caching in dnsmasq:

    Code:
    # system management
    blacklist ${PATH}/umount
    blacklist ${PATH}/mount
    blacklist ${PATH}/fusermount
    blacklist ${PATH}/su
    blacklist ${PATH}/sudo
    blacklist ${PATH}/xinput
    blacklist ${PATH}/strace
    include /etc/firejail/disable-secret.inc
    blacklist ${HOME}/.adobe
    blacklist ${HOME}/.macromedia
    blacklist ${HOME}/.mozilla
    blacklist ${HOME}/.icedove
    blacklist ${HOME}/.thunderbird
    blacklist ${HOME}/.mozilla
    blacklist ${HOME}/.local
    blacklist ${HOME}/.config
    caps
    seccomp
    Works well.
     
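An added example, not taken from summerheat's posts or from the Arch packages: a small POSIX shell helper that writes the kind of drop-in shown in the three override.conf files above (plain dnsmasq, dnscrypt-proxy, and the Firejail-wrapped dnsmasq) and lints it for the ExecStart reset that the first post describes. The file layout /etc/systemd/system/<unit>.service.d/override.conf is what systemctl edit produces; the ROOT variable, the function names and the sample ExecStart values are my own assumptions, added so the script can be dry-run as a normal user on a machine without systemd.

```shell
#!/bin/sh
# Added example: generate and lint a systemd drop-in override.
# ROOT is an assumed prefix for dry runs; leave it unset to write to the
# real /etc/systemd/system. Never edits /usr/lib/systemd/system, so the
# override survives package updates, as the first post explains.

# write_exec_override UNIT NEW_EXECSTART
# Writes $ROOT/etc/systemd/system/UNIT.service.d/override.conf with the
# empty "ExecStart=" reset line first. For every Type other than oneshot
# (both units above are Type=dbus / default simple) systemd accepts only
# one ExecStart, so the packaged one must be cleared before a new one is set.
write_exec_override() {
    unit=$1
    exec_start=$2
    dir="${ROOT}/etc/systemd/system/${unit}.service.d"
    mkdir -p "$dir" || return 1
    printf '[Service]\nExecStart=\nExecStart=%s\n' "$exec_start" \
        > "$dir/override.conf"
}

# lint_exec_override FILE
# Returns 0 when the override is well formed for a non-oneshot service:
#   - every non-empty ExecStart= is preceded by an empty reset line, and
#   - at most one non-empty ExecStart= follows the reset.
# Returns 1 otherwise (the override would be rejected at daemon-reload).
lint_exec_override() {
    awk '
        /^ExecStart=$/ { reset = 1; n = 0 }
        /^ExecStart=./ { if (!reset) bad = 1; if (++n > 1) bad = 1 }
        END            { exit bad }
    ' "$1"
}

# On a live system (ROOT unset) follow up with, as the second post had to:
#   sudo systemctl daemon-reload && sudo systemctl restart "$unit"
#   systemctl cat "$unit"   # shows the packaged unit plus the drop-in
```

The lint reads the drop-in only, so it cannot see a Type=oneshot declared in the packaged unit, where several ExecStart lines are legal; for the two services discussed here that is not an issue. The Firejail variant from the third post is just a different second argument: the wrapper becomes the start of the ExecStart command line.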