Systemd

Rootless Services

systemctl edit --force --full --user server.service: Create a server service file for user
users have their own systemd at /lib/systemd/systemd: get using ps -ef | grep $user

[Service]
ExecStart=/usr/local/bin/server $parameter
Restart=always

systemctl cat server --user: View service config
systemctl start|stop|status server --user: Start/Stop service or get status

Lingering

When user log off, the user service will be inactive -> need lingering to enable the user service to continue to run when user log out
ps -ef | grep systemd
loginctl show-user $user: get linger status of user
loginctl enable-linger $user: enable linger for user (can only enable by root)

Target

when server reboot, service will not be started -> set target by add [Install] section

[Service]
ExecStart=/usr/local/bin/server $parameter
Restart=always

[Install]
WantedBy=default.target

Then enable the service: systemctl enable server.service --user
- view service dependency: tree .config/systemd/
systemctl list-units --type=target [--user]: list target in the system
systemctl list-dependencies getty.target: list dependencies of getty.target
systemctl get-default [--user]: get default target that the system tries to reach
systemd-analyze critical-chain: get the time to reach a target
systemd-analyze plot > boot.svg: get analyze of the whole system

Secure Network Services

Feature depends on systemd version, check using: systemctl --version
man systemd.resource-control to get more information about which version support which features

IP Accounting

Add IP Accounting to Service section to get amount of IP Packets in and out by a service

[Unit]
Description=iperf3
Requires=network.target

[Service]
ExecStart=/usr/bin/iperf3 -s
IPAccounting=true
Restart=on-failure

[Install]
WantedBy=multi-user.target

systemctl daemon-reload: reload daemons
systemctl restart iperf3
systemctl show iperf3 | grep IP: get accounting information about packets in and out by iperf3 service

Address Allow and Deny

journalctl -fu $service: Viewing log of services
Add IPAddressAllow and IPAddressDeny to Service section to allow or deny connection from and to kkspecific ip

[Service]
ExecStart=/usr/bin/ncat -4lk -p 1234
IPAddressAllow=localhost 192.168.1.0/24
IPAddressDeny=any

With this feature, the system apply an eBPF filtering to the process

Systemd Drop-ins:

Customizing Service configuration without modifyin original file by not add --full option in systemd edit command: systemctl edit --force server.service

Socket Bind Controls

Using SocketBindAllow and SocketBindDeny

[Service]
ExecStart=/usr/bin/ncat -4lk -p 1234
IPAddressAllow=localhost 192.168.1.0/24
IPAddressDeny=any
SocketBindAllow=ipv4:tcp:1234
SocketBindDeny=any

Systemd Timer

Run Service Periodically like Cron

# /etc/systemd/system/backupconfig.service
[Unit]
Description=Run ConfigBackup.py

[Service]
Type=oneshot
User=UserA
Group=GroupA
WorkingDirectory=/path/to/folder
ExecStart=/path/to/folder/configbackup.py -option
StandardOutput=journal
StandardError=journal

# /etc/systemd/system/backupconfig.timer
[Unit]
Description=Run ConfigBackup.py Daily at 7am and 7pm

[Timer]
OnCalendar=07,19:00
Persistent=true

[Install]
WantedBy=timers.target

Verification Command

systemctl list-timers [--all] $ServiceName
systemd-analyze calendar

Reference

PreviousNGINX NextTraefik

Last updated 14 days ago