Create systemd file so the app can run as a Linux system daemon. #2737 #2754
@@ -0,0 +1,49 @@ | ||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
# READ ALL STEPS BEFORE PROCEEDING | ||||||||||||||||||||||||||||||||||
# | ||||||||||||||||||||||||||||||||||
# 0) Change the daemon_directory setting in your configuration file to | ||||||||||||||||||||||||||||||||||
# /var/run/talawa-api | ||||||||||||||||||||||||||||||||||
# 1) Copy this file to one of these directories depending on your Linux version | ||||||||||||||||||||||||||||||||||
# i. RedHat variants: /usr/lib/systemd/system/ | ||||||||||||||||||||||||||||||||||
# ii. Debian/Ubuntu variants: /lib/systemd/system/ | ||||||||||||||||||||||||||||||||||
# 2) Edit the CODEROOT path to be the full path of the Talawa API's root directory | ||||||||||||||||||||||||||||||||||
# 3) Edit the TALAWA_API_CONFIGDIR path to be the full path of the Talawa API's configuration directory | ||||||||||||||||||||||||||||||||||
# This defaults to /etc/ directory of the Talawa API codebase | ||||||||||||||||||||||||||||||||||
# 4) Edit the User and Group to match the POSIX user you want the daemon | ||||||||||||||||||||||||||||||||||
# to run as. | ||||||||||||||||||||||||||||||||||
# 5) Run the command "sudo systemctl daemon-reload". This needs to be run only once | ||||||||||||||||||||||||||||||||||
# 6) Run the command "sudo systemctl start talawa-api.service" to start | ||||||||||||||||||||||||||||||||||
# 7) Run the command "sudo systemctl stop talawa-api.service" to stop | ||||||||||||||||||||||||||||||||||
# 8) Run the command "sudo systemctl restart talawa-api.service" to restart | ||||||||||||||||||||||||||||||||||
# 9) Run the command "sudo systemctl enable talawa-api.service" to make | ||||||||||||||||||||||||||||||||||
# talawa-api start automatically on boot | ||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
[Unit] | ||||||||||||||||||||||||||||||||||
Description=Talawa API Service | ||||||||||||||||||||||||||||||||||
After=network.target | ||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
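Review bot: Step 1 of the header comment installs the unit into /usr/lib/systemd/system/ or /lib/systemd/system/, which are the directories owned by distribution packages, so a package operation can overwrite or remove a hand-copied file. Point administrators at /etc/systemd/system/ instead, which is the location for locally installed units and takes precedence over the vendor directories. Step 4 would also be clearer if it said the User and Group should be a dedicated unprivileged account rather than leaving the choice open.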
Comment on lines +27 to +30
🛠️ Refactor suggestion
Add essential service dependencies
The Unit section should include additional dependencies and documentation:
[Unit]
Description=Talawa API Service
+Documentation=https://github.com/talawa-api/
After=network.target
+After=postgresql.service redis.service
+Requires=postgresql.service
+Wants=redis.service
This ensures proper service startup order and documents the service's dependencies.
|
||||||||||||||||||||||||||||||||||
[Service] | ||||||||||||||||||||||||||||||||||
User=talawa | ||||||||||||||||||||||||||||||||||
Group=talawa | ||||||||||||||||||||||||||||||||||
Environment=CODEROOT=/home/talawa/talawa-api | ||||||||||||||||||||||||||||||||||
Environment=TALAWA_API_CONFIGDIR=/etc/talawa | ||||||||||||||||||||||||||||||||||
Environment=VIRTUAL_ENV=$CODEROOT/venv/bin | ||||||||||||||||||||||||||||||||||
Environment=PATH=$VIRTUAL_ENV:$PATH | ||||||||||||||||||||||||||||||||||
Environment=START=--start "STOP=--stop --force" "RESTART=--restart --force" | ||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
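Review bot: In the [Service] block, Environment=VIRTUAL_ENV=$CODEROOT/venv/bin and Environment=PATH=$VIRTUAL_ENV:$PATH rely on variable expansion that systemd does not perform inside Environment= values, so both variables are set to those literal strings and PATH ends up naming no real directory. Write the paths out in full, for example Environment=VIRTUAL_ENV=/home/talawa/talawa-api/venv/bin, and give PATH an explicit list of directories. The unit only appears to work because the later bash -c wrappers expand the leftover $CODEROOT, which is one more reason to fix it here rather than depend on the shell.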
🛠️ Refactor suggestion
Use EnvironmentFile for better security and maintainability
Instead of hardcoding environment variables, use an EnvironmentFile:
[Service]
User=talawa
Group=talawa
-Environment=CODEROOT=/home/talawa/talawa-api
-Environment=TALAWA_API_CONFIGDIR=/etc/talawa
-Environment=VIRTUAL_ENV=$CODEROOT/venv/bin
-Environment=PATH=$VIRTUAL_ENV:$PATH
-Environment=START=--start "STOP=--stop --force" "RESTART=--restart --force"
+EnvironmentFile=/etc/talawa/talawa-api.env
Create
|
||||||||||||||||||||||||||||||||||
# Command to start Talawa API | ||||||||||||||||||||||||||||||||||
ExecStart=/bin/bash -c '${VIRTUAL_ENV}/python3 ${CODEROOT}/main.py $START' | ||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
# Command to stop Talawa API | ||||||||||||||||||||||||||||||||||
ExecStop=/bin/bash -c '${VIRTUAL_ENV}/python3 ${CODEROOT}/main.py $STOP' | ||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
# Command to restart Talawa API | ||||||||||||||||||||||||||||||||||
ExecReload=/bin/bash -c '${VIRTUAL_ENV}/python3 ${CODEROOT}/main.py $RESTART' | ||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
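Review bot: ExecStart, ExecStop and ExecReload each wrap the command in /bin/bash -c, so the substituted values of ${VIRTUAL_ENV} and ${CODEROOT} become part of a string that bash parses as shell code, and anyone who can edit those variables controls what the shell runs as the service user. Call the interpreter directly with a literal absolute path, e.g. ExecStart=/home/talawa/talawa-api/venv/bin/python3 /home/talawa/talawa-api/main.py --start, and if the option variables stay, keep them unbraced ($STOP, $RESTART) so systemd splits "--stop --force" into two arguments. ExecReload is wired to --restart --force, which turns "systemctl reload" into a full restart; drop it unless main.py has a real reload path, since step 8 already covers restarting.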
Improve service execution security and reliability
The current ExecStart/Stop/Reload commands use shell expansion which could be unsafe. Also, missing important security and reliability settings.
-ExecStart=/bin/bash -c '${VIRTUAL_ENV}/python3 ${CODEROOT}/main.py $START'
-ExecStop=/bin/bash -c '${VIRTUAL_ENV}/python3 ${CODEROOT}/main.py $STOP'
-ExecReload=/bin/bash -c '${VIRTUAL_ENV}/python3 ${CODEROOT}/main.py $RESTART'
+ExecStart=${VIRTUAL_ENV}/python3 ${CODEROOT}/main.py ${START}
+ExecStop=${VIRTUAL_ENV}/python3 ${CODEROOT}/main.py ${STOP}
+ExecReload=${VIRTUAL_ENV}/python3 ${CODEROOT}/main.py ${RESTART}
Type=forking
RuntimeDirectory=talawa
+# Restart policy
+Restart=always
+RestartSec=3
+
+# Security settings
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectSystem=full
+ProtectHome=read-only
+
+# Resource limits
+LimitNOFILE=65535
+LimitNPROC=4096
|
||||||||||||||||||||||||||||||||||
RemainAfterExit=yes | ||||||||||||||||||||||||||||||||||
GuessMainPID=yes | ||||||||||||||||||||||||||||||||||
Type=forking | ||||||||||||||||||||||||||||||||||
RuntimeDirectory=talawa | ||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
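Review bot: RemainAfterExit=yes combined with Type=forking tells systemd to keep the unit active after all of its processes have exited, which can hide a daemon that has stopped. Remove RemainAfterExit, and if the daemon writes a PID file, declare it with PIDFile= under the runtime directory instead of relying on GuessMainPID=yes. RuntimeDirectory=talawa also makes systemd create /run/talawa, while step 0 of the header tells the reader to set daemon_directory to /var/run/talawa-api; the two names need to match so the unprivileged user has a writable directory.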
🛠️ Refactor suggestion
Reconsider service type setting
The
RemainAfterExit=yes
GuessMainPID=yes
-Type=forking
+Type=simple
RuntimeDirectory=talawa
|
||||||||||||||||||||||||||||||||||
[Install] | ||||||||||||||||||||||||||||||||||
WantedBy=multi-user.target | ||||||||||||||||||||||||||||||||||
💡 Codebase verification
Add recommended systemd service hardening directives
The service file is missing several important systemd directives that would improve service reliability and security:
🔗 Analysis chain
Verify systemd service file syntax
Let's verify the service file syntax and check for common configuration patterns.
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Description: Verify systemd service file syntax and common patterns
# Check syntax
systemd-analyze verify examples/linux/systemd/systemd-talawa-api.service 2>&1 || true
# Check for common systemd service patterns
rg -l "WantedBy=multi-user.target" | while read -r file; do
    echo "Analyzing $file for common systemd patterns..."
    rg "Restart=" "$file" || echo "Missing Restart directive in $file"
    rg "ProtectSystem=" "$file" || echo "Missing ProtectSystem directive in $file"
    rg "NoNewPrivileges=" "$file" || echo "Missing NoNewPrivileges directive in $file"
done
Length of output: 1178
🛠️ Refactor suggestion
Add security context to setup instructions
The setup instructions should include additional security considerations:
Add these lines after step 4: