[Pki-devel] Progress on systemd on f-16

Ade Lee alee at redhat.com
Thu Sep 1 02:33:59 UTC 2011


Hey guys, 

So - with Rich's help - I've made a lot of progress getting dogtag to
come up under systemd.  I've pretty much got it working - and now just
need to confirm with knoxy that this is the way we want to do it - and
then package it up.

Here is the basic setup:

/lib/systemd/system/pki-cad.target
-- is the native systemd init file for pki-cad used to manage all
   instances
-- will not change
-- to be delivered by pki-ca
-- file attached

/lib/systemd/system/pki-cad@.service
-- is a template file for each individual instance
-- systemd will substitute the relevant instance name for each %i when
invoked
-- will not change
-- delivered by pki-ca
-- file attached

/etc/systemd/system/pki-cad.target.wants
-- directory created by pki-ca rpm install
-- contains symlinks that will be created for each instance that is
created by pkicreate.

For example, if pkicreate is used to create an instance pki-ca, then the
following symbolic link needs to be created by pkicreate under
the /etc/systemd/system/pki-cad.target.wants directory -- 

ln -s /lib/systemd/system/pki-cad@.service pki-cad@pki-ca.service

That's it!

With the above setup, we can do the following:

 systemctl start pki-cad@pki-ca.service  (or stop, restart, status)
 -- for an individual instance

 systemctl start pki-cad.target (or stop, restart, status)
 -- for all instances in a single command

******************************************************
The new files are attached and the devil is in the details.  

Basically, I modified the tomcat systemd files proposed by the systemd
guys in https://bugzilla.redhat.com/show_bug.cgi?id=719283  and
substituted my own config file to read environment variables.
(/etc/sysconfig/pki/ca/pki-ca.systemd).  

This file - which cannot be a bash-script-style environment file,
because systemd does not use bash to parse it, as noted here --
http://patrakov.blogspot.com/2011/01/writing-systemd-service-files.html
-- also will need to be created by pkicreate when the instance is created.

Right now, the file contains all the parameters that were set in the
registry before -- some may no longer be necessary - plus some
parameters that would have been set in the System V tomcat6 init script.

This is the part that needs co-ordination with knoxy - as I am unsure
how he plans to change his scripts to do the systemd stuff.

The other part that has not even been addressed here at all yet is
SELinux.  Right now all this is working in permissive mode - and the
resulting java process is unconfined_java_t.  I suspect I may need to
add an intermediate script to runcon to the correct context.

And we may need to consider how to get back all that useful information
we used to report in service pki-cad status.  My guess is this can go in
that intermediate script.

********************************************

Anyways, I'll be out for a couple days - so I'll pick this up when I get
back.

Ade





-------------- next part (attachment: /etc/sysconfig/pki/ca/pki-ca.systemd) --------------
JAVA_HOME=/usr/lib/jvm/jre
CATALINA_HOME=/usr/share/tomcat6
JASPER_HOME=/usr/share/tomcat6
CATALINA_TMPDIR=/var/cache/tomcat6/temp
SECURITY_MANAGER=false
SHUTDOWN_WAIT=30
SHUTDOWN_VERBOSE=false
CATALINA_PID=/var/run/tomcat6.pid
PKI_FLAVOR=pki
PKI_SUBSYSTEM_TYPE=ca
PKI_USER=pkiuser
PKI_GROUP=pkiuser
PKI_INSTANCE_ID=pki-ca
PKI_INSTANCE_PATH=/var/lib/pki-ca
PKI_INSTANCE_INITSCRIPT=/var/lib/pki-ca/pki-ca
PKI_SERVER_XML_CONF=/etc/pki-ca/server.xml
CATALINA_BASE=/var/lib/pki-ca
TOMCAT_PROG=pki-ca
TOMCAT_USER=pkiuser
TOMCAT_GROUP=pkiuser
PKI_LOCKDIR=/var/lock/pki/ca
PKI_LOCKFILE=/var/lock/pki/ca/pki-ca
PKI_PIDDIR=/var/run/pki/ca
PKI_PIDFILE=/var/run/pki/ca/pki-ca.pid
TOMCAT_LOCKFILE=/var/lock/subsys/pki-ca
TOMCAT_PIDFILE=/var/run/pki-ca.pid
pki_instance_configuration_file=/var/lib/pki-ca/conf/CS.cfg
RESTART_SERVER=/var/lib/pki-ca/conf/restart_server_after_configuration
-------------- next part (attachment: /lib/systemd/system/pki-cad.target) --------------
[Unit]
Description=Dogtag PKI Certificate Authority Server
After=syslog.target network.target

[Install]
WantedBy=multi-user.target


-------------- next part (attachment: /lib/systemd/system/pki-cad@.service) --------------
[Unit]
Description=Dogtag PKI Certificate Authority Server %i
After=pki-cad.target
BindTo=pki-cad.target

[Service]
Type=forking
EnvironmentFile=/etc/sysconfig/pki/ca/%i.systemd
ExecStart=/usr/sbin/tomcat6 start
ExecStop=/usr/sbin/tomcat6 stop

[Install]
WantedBy=multi-user.target
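The two per-instance steps the mail says pkicreate must perform (write the environment file that the template's EnvironmentFile= line points at, and add the pki-cad@<instance>.service symlink under pki-cad.target.wants), together with a lint that catches bash-isms systemd will not expand in that file, as an added example that is not code from the mail or from pkicreate. ROOT is an assumed prefix so the functions can be exercised in a scratch directory; the environment file written here is a constructed subset of the attached pki-ca.systemd.

```shell
#!/bin/sh
# Added example, not code from the mail or from pkicreate: the two
# per-instance steps described above, plus a lint for the environment
# file. ROOT is a constructed prefix (default "/") so the functions can be
# exercised in a scratch directory without touching the real /etc.
ROOT="${ROOT:-/}"

# systemd reads EnvironmentFile= itself, not through bash, so "export",
# $VAR references and $(command) are not expanded. Flag any line that is
# not a bare KEY=VALUE pair free of shell expansion characters.
check_systemd_envfile() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;           # blank lines and comments are fine
        esac
        if ! printf '%s\n' "$line" | grep -Eq '^[[:alpha:]_][[:alnum:]_]*=[^$`]*$'; then
            echo "not a plain systemd KEY=VALUE line: $line" >&2
            status=1
        fi
    done < "$1"
    return "$status"
}

# Register one instance: write /etc/sysconfig/pki/ca/<inst>.systemd and
# add the pki-cad@<inst>.service symlink to pki-cad.target.wants.
register_instance() {
    inst="$1"                                        # e.g. pki-ca
    envfile="$ROOT/etc/sysconfig/pki/ca/$inst.systemd"
    wants="$ROOT/etc/systemd/system/pki-cad.target.wants"
    mkdir -p "$(dirname "$envfile")" "$wants"
    # Constructed subset of the attached pki-ca.systemd; the real file
    # carries the full list of tomcat6 and PKI_* settings.
    cat > "$envfile" <<EOF
JAVA_HOME=/usr/lib/jvm/jre
CATALINA_HOME=/usr/share/tomcat6
PKI_SUBSYSTEM_TYPE=ca
PKI_INSTANCE_ID=$inst
PKI_INSTANCE_PATH=/var/lib/$inst
CATALINA_BASE=/var/lib/$inst
EOF
    check_systemd_envfile "$envfile" || return 1
    # The same link the mail gives for pkicreate to create.
    ln -sfn /lib/systemd/system/pki-cad@.service "$wants/pki-cad@$inst.service"
}
```

Running `ROOT=/tmp/pki-scratch register_instance pki-ca` after sourcing the file produces the symlink and environment file under the scratch prefix; `check_systemd_envfile` can also be pointed at an existing file to lint it.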