fb_systemd: properly manage all systemd daemons

Summary: ensure we manage state and config for all the systemd daemons

Reviewed By: bwann

Differential Revision: D3330184

fbshipit-source-id: dee9871908e2baaeb199265e98cc1a25a3e109a5

cookbooks/fb_systemd/README.md

@@ -8,16 +8,29 @@ Attributes
 ----------
 * node['fb_systemd']['default_target']
 * node['fb_systemd']['modules']
-* node['fb_systemd']['journald'][$OPTION]
+* node['fb_systemd']['system']
+* node['fb_systemd']['user']
+* node['fb_systemd']['udevd']['config']
+* node['fb_systemd']['udevd']['hwdb']
+* node['fb_systemd']['udevd']['rules']
+* node['fb_systemd']['journald']['config']
 * node['fb_systemd']['logind']['enable']
-* node['fb_systemd']['tmpfiles'][$FILE]
-* node['fb_systemd']['preset'][$SERVICE]
+* node['fb_systemd']['logind']['config']
+* node['fb_systemd']['networkd']['enable']
+* node['fb_systemd']['resolved']['enable']
+* node['fb_systemd']['resolved']['config']
+* node['fb_systemd']['timesyncd']['enable']
+* node['fb_systemd']['timesyncd']['config']
+* node['fb_systemd']['coredump']
+* node['fb_systemd']['tmpfiles']
+* node['fb_systemd']['preset']
 * node['fb_systemd']['manage_systemd_packages']
 
 Usage
 -----
-This cookbooks manages systemd. It is only supported on CentOS 7 or later. Just
-include `fb_systemd` in your runlist to use it.
+This cookbooks manages systemd. It is only supported on systemd-enabled 
+distributions (e.g. CentOS 7 or Debian 8). Just include `fb_systemd` in your 
+runlist to use it.
 
 ### Providers
 
@@ -44,39 +57,103 @@ The default systemd target can be configured with
 `node['fb_systemd']['default_target']`. It defaults to
 `/lib/systemd/system/multi-user.target`.
 
-### system configuration
-You can tune system-level defaults for systemd by using the attribute 
-`node['fb_systemd']['system']`. This is useful e.g. to set system-level limits
-for services (as systemd doesn't enforce PAM limits set via `fb_limits` for 
-system services), such as:
+### System and session configuration
+You can tune system-level or session-level defaults for systemd by using the 
+attributes `node['fb_systemd']['system']` and `node['fb_systemd']['user']`.
+This is useful e.g. to set system-level limits for services (as systemd doesn't
+enforce PAM limits set via `fb_limits` for system services), such as:
 
   node.default['fb_systemd']['system']['DefaultLimitNOFILE'] = 65535 
 
-Refer to the systemd documentation 
-(https://www.freedesktop.org/software/systemd/man/systemd-system.conf.html) for
-more details on what settings are available.
+Refer to the 
+[systemd documentation](https://www.freedesktop.org/software/systemd/man/systemd-system.conf.html) 
+for more details on what settings are available.
 
-### Journal configuration
-By default we configure the journal to 'auto' storage (disk if directory exists,
-or ram otherwise, default for most distros). You can change these settings and
-more through the attribute `node['fb_systemd']['journald']`.
+### udevd configuration
+Udevd is a critical system daemon and cannot be disabled. General udev settings
+can be configured via `node['fb_systemd']['journald']['config']`, as described 
+in the 
+[udev documentation](https://www.freedesktop.org/software/systemd/man/udev.conf.html).
 
-Refer to the systemd documentation
-(https://www.freedesktop.org/software/systemd/man/journald.conf.html) for more
-details on possible configurations.
+Additional entries to the hardware database can be entered using the
+`node['fb_systemd']['udevd']['hwdb']` attribute, as described in the
+[hwdb documentation](https://www.freedesktop.org/software/systemd/man/hwdb.html).
+Example:
+
+  node.default['fb_systemd']['udevd']['hwdb']['evdev:input:b0003v05AFp8277*'] = {
+    'KEYBOARD_KEY_70039' => 'leftalt',
+    'KEYBOARD_KEY_700e2' => 'leftctrl',
+  }
+
+Additional udev rules can be defined using the 
+`node['fb_systemd']['udevd']['rules']` attribute, as described in the
+[udev documentation](https://www.freedesktop.org/software/systemd/man/udev.html).
+Example:
+
+  node.default['fb_systemd']['udevd']['rules'] += [
+    'KERNEL=="fd[0-9]*", OWNER="john"',
+  ]
+
+### journald configuration
+Journald is a critical system daemon and cannot be disabled. By default we 
+configure journald to use the 'auto' storage (disk if the log directory exists,
+or ram otherwise, which is the default for most distros). You can change these 
+settings and more through `node['fb_systemd']['journald']['config']`.
+
+Refer to the 
+[journald documentation](https://www.freedesktop.org/software/systemd/man/journald.conf.html)
+for more details on possible configurations.
 
 ### logind configuration
 You can choose whether or not to enable `systemd-logind` with the
 `node['fb_systemd']['logind']['enable']` attribute. Note that for user sessions
-to work, this is required, and it defaults to true.
-
-### Modules
+to work, this is required, and it defaults to true. Logind can be configured
+using the `node['fb_systemd']['logind']['config']` attribute, according to the
+[logind documentation](https://www.freedesktop.org/software/systemd/man/logind.conf.html).
+
+### networkd configuration
+You can choose whether or not to enable `systemd-networkd` with the
+`node['fb_systemd']['networkd']['enable']` attribute, which defaults to `false`.
+
+Note that this cookbook does not manage network configuration profiles. If you 
+drop `netdev`, `link`, `network` definitions under `/etc/systemd/network` from
+another cookbook you'll want to request a restart of the `systemd-networkd`
+service.
+
+### resolved configuration
+You can choose whether or not to enable `systemd-resolved` with the
+`node['fb_systemd']['resolved']['enable']` attribute, which defaults to `false`.
+Resolved can be configured using the `node['fb_systemd']['resolved']['config']`
+attribute, as described in the
+[resolved documentation](https://www.freedesktop.org/software/systemd/man/resolved.conf.html).
+
+Note that this cookbook does not manage `/etc/resolv.conf`. If you're using 
+resolved, you probably want to make that a symlink to 
+`/run/systemd/resolve/resolv.conf`. Also, this cookbook does not manage 
+`/etc/nsswitch.conf`. If you want to enable the resolved caching DNS stub
+resolved, you'll need to add `resolve` to the `hosts` entry there.
+
+### timesyncd configuration
+You can choose whether or not to enable `systemd-timesyncd` with the
+`node['fb_systemd']['timesyncd']['enable']` attribute, which defaults to `true`.
+You'll want to disable this if you're running another NTP daemon such as ntpd.
+Timesyncd can be configured with the `node['fb_systemd']['timesyncd']['config']`
+attribute, as described in the
+[timesyncd documentation](https://www.freedesktop.org/software/systemd/man/timesyncd.conf.html).
+
+### Coredump configuration
+systemd provides a facility for collecting and analyzing coredumps of system
+services. This can be configured using the `node['fb_systemd']['coredump']`
+attribute, as described in the
+[coredump documentation](https://www.freedesktop.org/software/systemd/man/coredump.conf.html).
+
+### Kernel modules
 Use `node['fb_systemd']['modules']` to tell systemd to load a list of
 kernel modules on startup. Note that in most cases you probably want to use
 `node['fb_modprobe']['modules_to_load_on_boot']` instead as that'll work
 transparently on non-systemd hosts as well.
 
-### tmpfile configuration
+### tmpfiles configuration
 Use `node['fb_systemd']['tmpfiles']` to control the creation, deletion
 and cleaning of volatile and temporary files. For example:
 
@@ -91,23 +168,23 @@ and cleaning of volatile and temporary files. For example:
 
 If `type` is omitted, it defaults to `f` (create a regular file); if `path` is
 omitted, it defaults to the configuration key (i.e. `/run/user` in the example).
-If any other argument is omitted, it defaults to `-`. Refer to the systemd
-documentation (http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html)
+If any other argument is omitted, it defaults to `-`. Refer to the
+[tmpfiles documentation](http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html)
 for more details on how to use tmpfiles and the meaning of the various options.
 
-### preset
-You can add preset settings to `node['fb_systemd']['preset']`. As an exmaple to
-disable a preset:
+### Presets
+You can add preset settings to `node['fb_systemd']['preset']`. As an example to
+disable a unit:
 
     node.default['fb_systemd']['preset']['tmp.mount'] = 'disable'
 
 Possible values can be found at
 https://www.freedesktop.org/software/systemd/man/systemd.preset.html
 
-They are installed in /etc/systemd/system-preset/00-fb_systemd.preset which will
-take precedence over other preset files.
+They are installed in `/etc/systemd/system-preset/00-fb_systemd.preset` which 
+will take precedence over other preset files.
 
-### packages
+### Packages
 By default this cookbook keeps the systemd packages up-to-date, but if you
 want to manage them locally, simply set
 `node['fb_systemd']['manage_systemd_packages']` to false.

cookbooks/fb_systemd/attributes/default.rb

@@ -1,4 +1,5 @@
 # vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2
+#
 # Copyright (c) 2016-present, Facebook, Inc.
 # All rights reserved.
 #
@@ -11,12 +12,35 @@
   'default_target' => '/lib/systemd/system/multi-user.target',
   'modules' => [],
   'system' => {},
+  'user' => {},
+  'udevd' => {
+    # no enable here as systemd-udevd cannot be disabled
+    'config' => {},
+    'hwdb' => {},
+    'rules' => [],
+  },
   'journald' => {
-    'Storage' => 'auto',
+    # no enable here as systemd-journald cannot be disabled
+    'config' => {
+      'Storage' => 'auto',
+    },
   },
   'logind' => {
     'enable' => true,
+    'config' => {},
+  },
+  'networkd' => {
+    'enable' => false,
+  },
+  'resolved' => {
+    'enable' => false,
+    'config' => {},
+  },
+  'timesyncd' => {
+    'enable' => true,
+    'config' => {},
   },
+  'coredump' => {},
   'tmpfiles' => {
     '/dev/log' => {
       'type' => 'L+',

cookbooks/fb_systemd/recipes/default.rb

@@ -56,19 +56,36 @@
   notifies :run, 'fb_systemd_reload[system instance]', :immediately
 end
 
-include_recipe 'fb_systemd::journal'
-
-# this has to be running for user sessions to work properly
-service 'systemd-logind' do
-  only_if { node['fb_systemd']['logind']['enable'] }
-  action [:enable, :start]
+template '/etc/systemd/user.conf' do
+  source 'systemd.conf.erb'
+  owner 'root'
+  group 'root'
+  mode '0644'
+  variables(
+    :config => 'user',
+    :section => 'Manager',
+  )
+  notifies :run, 'fb_systemd_reload[all user instances]', :immediately
 end
 
-service 'disable systemd-logind' do
-  not_if { node['fb_systemd']['logind']['enable'] }
-  action [:enable, :start]
+template '/etc/systemd/coredump.conf' do
+  source 'systemd.conf.erb'
+  owner 'root'
+  group 'root'
+  mode '0644'
+  variables(
+    :config => 'coredump',
+    :section => 'Coredump',
+  )
 end
 
+include_recipe 'fb_systemd::udevd'
+include_recipe 'fb_systemd::journald'
+include_recipe 'fb_systemd::logind'
+include_recipe 'fb_systemd::networkd'
+include_recipe 'fb_systemd::resolved'
+include_recipe 'fb_systemd::timesyncd'
+
 execute 'process tmpfiles' do
   command "#{systemd_prefix}/bin/systemd-tmpfiles --create"
   action :nothing

cookbooks/fb_systemd/recipes/journal.rb → cookbooks/fb_systemd/recipes/journald.rb

@@ -1,6 +1,6 @@
 #
 # Cookbook Name:: fb_systemd
-# Recipe:: journal
+# Recipe:: journald
 #
 # vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2
 #
@@ -21,6 +21,7 @@
     :config => 'journald',
     :section => 'Journal',
   )
+  # we use :immediately here because this is a critical service
   notifies :restart, 'service[systemd-journald]', :immediately
 end
 

cookbooks/fb_systemd/recipes/logind.rb

@@ -0,0 +1,38 @@
+#
+# Cookbook Name:: fb_systemd
+# Recipe:: logind
+#
+# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2
+#
+# Copyright (c) 2016-present, Facebook, Inc.
+# All rights reserved.
+#
+# This source code is licensed under the BSD-style license found in the
+# LICENSE file in the root directory of this source tree. An additional grant
+# of patent rights can be found in the PATENTS file in the same directory.
+#
+
+template '/etc/systemd/logind.conf' do
+  source 'systemd.conf.erb'
+  owner 'root'
+  group 'root'
+  mode '0644'
+  variables(
+    :config => 'logind',
+    :section => 'Login',
+  )
+  # we use :immediately here because this is a critical service for user
+  # sessions to work
+  notifies :restart, 'service[systemd-logind]', :immediately
+end
+
+service 'systemd-logind' do
+  only_if { node['fb_systemd']['logind']['enable'] }
+  action [:enable, :start]
+end
+
+service 'disable systemd-logind' do
+  service_name 'systemd-logind'
+  not_if { node['fb_systemd']['logind']['enable'] }
+  action [:stop, :disable]
+end

cookbooks/fb_systemd/recipes/networkd.rb

@@ -0,0 +1,24 @@
+#
+# Cookbook Name:: fb_systemd
+# Recipe:: networkd
+#
+# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2
+#
+# Copyright (c) 2016-present, Facebook, Inc.
+# All rights reserved.
+#
+# This source code is licensed under the BSD-style license found in the
+# LICENSE file in the root directory of this source tree. An additional grant
+# of patent rights can be found in the PATENTS file in the same directory.
+#
+
+service 'systemd-networkd' do
+  only_if { node['fb_systemd']['networkd']['enable'] }
+  action [:enable, :start]
+end
+
+service 'disable systemd-networkd' do
+  not_if { node['fb_systemd']['networkd']['enable'] }
+  service_name 'systemd-networkd'
+  action [:stop, :disable]
+end

cookbooks/fb_systemd/recipes/resolved.rb

@@ -0,0 +1,36 @@
+#
+# Cookbook Name:: fb_systemd
+# Recipe:: resolved
+#
+# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2
+#
+# Copyright (c) 2016-present, Facebook, Inc.
+# All rights reserved.
+#
+# This source code is licensed under the BSD-style license found in the
+# LICENSE file in the root directory of this source tree. An additional grant
+# of patent rights can be found in the PATENTS file in the same directory.
+#
+
+template '/etc/systemd/resolved.conf' do
+  source 'systemd.conf.erb'
+  owner 'root'
+  group 'root'
+  mode '0644'
+  variables(
+    :config => 'resolved',
+    :section => 'Resolve',
+  )
+  notifies :restart, 'service[systemd-resolved]'
+end
+
+service 'systemd-resolved' do
+  only_if { node['fb_systemd']['resolved']['enable'] }
+  action [:enable, :start]
+end
+
+service 'disable systemd-resolved' do
+  not_if { node['fb_systemd']['resolved']['enable'] }
+  service_name 'systemd-resolved'
+  action [:stop, :disable]
+end