Create systemd file so the app can run as a Linux system daemon. #2737 #2754

Closed
49 changes: 49 additions & 0 deletions examples/linux/systemd/systemd-talawa-api.service
@@ -0,0 +1,49 @@

# READ ALL STEPS BEFORE PROCEEDING
#
# 0) Change the daemon_directory setting in your configuration file to
# /var/run/talawa-api
# 1) Copy this file to one of these directories depending on your Linux version
# i. RedHat variants: /usr/lib/systemd/system/
# ii. Debian/Ubuntu variants: /lib/systemd/system/
# 2) Edit the CODEROOT path to be the full path of the Talawa API's root directory
# 3) Edit the TALAWA_API_CONFIGDIR path to be the full path of the Talawa API's configuration directory
# This defaults to /etc/ directory of the Talawa API codebase
# 4) Edit the User and Group to match the POSIX user you want the daemon
# to run as.
# 5) Run the command "sudo systemctl daemon-reload". This needs to be run only once
# 6) Run the command "sudo systemctl start talawa-api.service" to start
# 7) Run the command "sudo systemctl stop talawa-api.service" to stop
# 8) Run the command "sudo systemctl restart talawa-api.service" to restart
# 9) Run the command "sudo systemctl enable talawa-api.service" to make
# talawa-api start automatically on boot
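Review bot: step 0 and the unit body disagree on the runtime directory, and steps 1 and 5 give installation advice that will cause trouble on the next edit. Step 0 tells the operator to set daemon_directory to /var/run/talawa-api, but RuntimeDirectory=talawa further down makes systemd create, own and clean up /run/talawa; pick one name and point daemon_directory at the directory systemd manages, so PID and socket files land in a directory with the right owner and are removed on stop. In step 1, /usr/lib/systemd/system and /lib/systemd/system are reserved for units shipped by distribution packages; a hand-copied unit belongs in /etc/systemd/system/ on both families, where package upgrades will not overwrite it. In step 5, "needs to be run only once" is misleading: systemctl daemon-reload must be re-run after every edit to the unit file, otherwise systemd keeps using the old definition. Finally, the commands in steps 6 to 9 refer to talawa-api.service while the file in this PR is named systemd-talawa-api.service; step 1 should say to install it under the name the commands use.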


🛠️ Refactor suggestion

Add security context to setup instructions

The setup instructions should include additional security considerations:

  1. File permissions for configuration directory
  2. SELinux/AppArmor context if applicable
  3. Secure ownership of the runtime directory

Add these lines after step 4:

 # 4) Edit the User and Group to match the POSIX user you want the daemon
 #    to run as.
+# 4a) Set appropriate permissions:
+#     sudo chown -R talawa:talawa /etc/talawa
+#     sudo chmod 750 /etc/talawa
+# 4b) If using SELinux, set the correct context:
+#     sudo semanage fcontext -a -t bin_t "/home/talawa/talawa-api/main.py"
+#     sudo restorecon -v /home/talawa/talawa-api/main.py


[Unit]
Description=Talawa API Service
After=network.target
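Review bot: After=network.target only orders this unit after the network management service has started, not after an address is configured or a route exists. If main.py binds a specific address or opens its database connection at startup, add Wants=network-online.target together with After=network-online.target so the unit waits until the network is actually up; without this the first start after boot can fail intermittently, and because no Restart= policy is set yet, it stays failed.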


🛠️ Refactor suggestion

Add essential service dependencies

The Unit section should include additional dependencies and documentation:

 [Unit]
 Description=Talawa API Service
+Documentation=https://github.com/talawa-api/
 After=network.target
+After=postgresql.service redis.service
+Requires=postgresql.service
+Wants=redis.service

This ensures proper service startup order and documents the service's dependencies.


[Service]
User=talawa
Group=talawa
Environment=CODEROOT=/home/talawa/talawa-api
Environment=TALAWA_API_CONFIGDIR=/etc/talawa
Environment=VIRTUAL_ENV=$CODEROOT/venv/bin
Environment=PATH=$VIRTUAL_ENV:$PATH
Environment=START=--start "STOP=--stop --force" "RESTART=--restart --force"
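Review bot: the VIRTUAL_ENV and PATH lines do not do what they look like. systemd performs no variable expansion inside Environment= values ("$" is not special there), so VIRTUAL_ENV is stored as the literal string $CODEROOT/venv/bin and PATH as the literal $VIRTUAL_ENV:$PATH; the daemon and every process it spawns therefore run with a PATH that contains no real directories. The ExecStart/ExecStop/ExecReload lines below only work because they go through bash -c, which expands the literal $CODEROOT a second time; removing the bash wrapper, as proposed elsewhere in this review, would make the interpreter path fail to resolve. Write the absolute paths out instead (for example Environment=VIRTUAL_ENV=/home/talawa/talawa-api/venv/bin) and drop the PATH line or give it an explicit full value. Two related points: the code lives under /home/talawa, so ProtectHome=yes as suggested further down would hide the code tree entirely and ProtectHome=read-only is the most that can be applied unless the checkout moves out of /home; and the service user owning its own code and venv means a compromised daemon can rewrite what it runs next start, so consider a separate owner with read-only access for the talawa user.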


🛠️ Refactor suggestion

Use EnvironmentFile for better security and maintainability

Instead of hardcoding environment variables, use an EnvironmentFile:

 [Service]
 User=talawa
 Group=talawa
-Environment=CODEROOT=/home/talawa/talawa-api
-Environment=TALAWA_API_CONFIGDIR=/etc/talawa
-Environment=VIRTUAL_ENV=$CODEROOT/venv/bin
-Environment=PATH=$VIRTUAL_ENV:$PATH
-Environment=START=--start "STOP=--stop --force" "RESTART=--restart --force"
+EnvironmentFile=/etc/talawa/talawa-api.env

Create /etc/talawa/talawa-api.env with:

CODEROOT=/home/talawa/talawa-api
TALAWA_API_CONFIGDIR=/etc/talawa
VIRTUAL_ENV=${CODEROOT}/venv/bin
PATH=${VIRTUAL_ENV}:${PATH}
START=--start
STOP=--stop --force
RESTART=--restart --force


# Command to start Talawa API
ExecStart=/bin/bash -c '${VIRTUAL_ENV}/python3 ${CODEROOT}/main.py $START'

# Command to stop Talawa API
ExecStop=/bin/bash -c '${VIRTUAL_ENV}/python3 ${CODEROOT}/main.py $STOP'

# Command to restart Talawa API
ExecReload=/bin/bash -c '${VIRTUAL_ENV}/python3 ${CODEROOT}/main.py $RESTART'
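Review bot: ExecReload= is meant for a reload that keeps the same main process (typically ExecReload=/bin/kill -HUP $MAINPID); running main.py --restart --force here replaces the process behind systemd's back, so the main PID systemd tracks (already a guess under Type=forking) goes stale and "systemctl reload" and "systemctl restart" end up with different behaviour. Either drop ExecReload= and let systemctl restart do the work, or have main.py implement an in-place reload. Separately, if the bash -c wrapper is removed as proposed in the comments, keep $STOP and $RESTART unbraced: systemd expands "${VAR}" into exactly one argument whatever whitespace it contains, while "$VAR" is split on whitespace, so ${STOP} would hand main.py the single argument "--stop --force" instead of two flags.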


⚠️ Potential issue

Improve service execution security and reliability

The current ExecStart/Stop/Reload commands use shell expansion which could be unsafe. Also, missing important security and reliability settings.

  1. Simplify execution commands:
-ExecStart=/bin/bash -c '${VIRTUAL_ENV}/python3 ${CODEROOT}/main.py $START'
-ExecStop=/bin/bash -c '${VIRTUAL_ENV}/python3 ${CODEROOT}/main.py $STOP'
-ExecReload=/bin/bash -c '${VIRTUAL_ENV}/python3 ${CODEROOT}/main.py $RESTART'
+ExecStart=${VIRTUAL_ENV}/python3 ${CODEROOT}/main.py ${START}
+ExecStop=${VIRTUAL_ENV}/python3 ${CODEROOT}/main.py ${STOP}
+ExecReload=${VIRTUAL_ENV}/python3 ${CODEROOT}/main.py ${RESTART}
  2. Add security and reliability directives:
 Type=forking
 RuntimeDirectory=talawa
+# Restart policy
+Restart=always
+RestartSec=3
+
+# Security settings
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectSystem=full
+ProtectHome=read-only
+
+# Resource limits
+LimitNOFILE=65535
+LimitNPROC=4096

RemainAfterExit=yes
GuessMainPID=yes
Type=forking
RuntimeDirectory=talawa
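Review bot: RemainAfterExit=yes combined with Type=forking defeats crash detection. With RemainAfterExit=yes systemd keeps the unit "active (exited)" after the guessed main process is gone, so a daemon that dies is still reported as running, "systemctl start" becomes a no-op, and any Restart= policy added later never fires. Drop RemainAfterExit=yes; if main.py really does daemonize, add PIDFile= pointing at the PID file it writes under the runtime directory so systemd does not have to guess the main PID (GuessMainPID=yes is the default and can go), and preferably run it in the foreground with Type=exec as suggested above. RuntimeDirectory=talawa also creates /run/talawa, not the /var/run/talawa-api named in step 0 of the header, so the two need to agree.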


🛠️ Refactor suggestion

Reconsider service type setting

The Type=forking setting suggests the application daemonizes itself, which is not recommended for systemd services. Modern systemd services should use Type=exec or Type=simple and let systemd handle the daemonization.

 RemainAfterExit=yes
 GuessMainPID=yes
-Type=forking
+Type=simple
 RuntimeDirectory=talawa

[Install]
WantedBy=multi-user.target

💡 Codebase verification

Add recommended systemd service hardening directives

The service file is missing several important systemd directives that would improve service reliability and security:

  • Add Restart=on-failure to automatically restart the service on failures
  • Add ProtectSystem=full to make the /usr and /boot directories read-only
  • Add NoNewPrivileges=yes to prevent privilege escalation
  • Consider adding other hardening options like:
    • ProtectHome=yes
    • RestartSec=5
    • PrivateTmp=yes
🔗 Analysis chain

Verify systemd service file syntax

Let's verify the service file syntax and check for common configuration patterns.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify systemd service file syntax and common patterns

# Check syntax
systemd-analyze verify examples/linux/systemd/systemd-talawa-api.service 2>&1 || true

# Check for common systemd service patterns
rg -l "WantedBy=multi-user.target" | while read -r file; do
  echo "Analyzing $file for common systemd patterns..."
  rg "Restart=" "$file" || echo "Missing Restart directive in $file"
  rg "ProtectSystem=" "$file" || echo "Missing ProtectSystem directive in $file"
  rg "NoNewPrivileges=" "$file" || echo "Missing NoNewPrivileges directive in $file"
done
