[systemd-devel] systemd user instance
Kai Krakow
2013-05-06 21:44:45 UTC
Hey list,

I've built a server with systemd and it really worked out well. Fast booting
(that means shorter maintenance times) and most important: Reliable service
teardown and auto-restarts of crashed services. And yeah, I love the
journal. I'm logging everything there.

But now I want to (and need to) give some users cron-like abilities. I
discovered that systemd supports user instances - perfect!

So I enabled a session service for one user (actually, that's me):

# sudo systemctl enable user@kakra.service

But I cannot start it, and neither can the user. Starting it states in the
journal:

# sudo systemctl start user@kakra.service

May 06 23:35:00 vweb002.jugendinfo.de systemd[1]: Starting User Manager for root...
-- Subject: Unit user@kakra.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit user@kakra.service has begun starting up.
May 06 23:35:00 vweb002.jugendinfo.de systemd[4438]: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
-- Subject: Process /usr/lib/systemd/systemd could not be executed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Documentation: http://www.freedesktop.org/wiki/Software/systemd/catalog/641257651c1b4ec9a8624d7a40a9e1e7
--
-- The process /usr/lib/systemd/systemd could not be executed and failed.
--
-- The error number returned while executing this process is 1.
May 06 23:35:00 vweb002.xxxxxx.de systemd[1]: Started User Manager for root.
-- Subject: Unit user@kakra.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit user@kakra.service has finished starting up.
--
-- The start-up result is done.

Why does it say "Starting user manager for root" (and not my username) and
why does it fail with pam? If I start "systemd --user &", then I can enable
and run the user services defined in .config/systemd.

The server is running Gentoo with systemd-201. Here's the systemd unit:

***@vweb002 ~ $ cat /etc/systemd/system/user\@kakra.service
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

[Unit]
Description=User Manager for %u
After=systemd-user-sessions.service

[Service]
User=%I
PAMName=systemd-shared
# in order to allow MEM_CG features to work, add "memory:/" here
ControlGroup=%R/user/%u/shared cpu:/
ControlGroupModify=yes
Type=notify
ExecStart=-/usr/lib/systemd/systemd --user
Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%U/dbus/user_bus_socket

[Install]
Alias=user@%i.service


# as user:
# systemctl start user@kakra.service
Failed to issue method call: Access denied


***@vweb002 ~ $ cat /etc/pam.d/system-auth
auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so

account required pam_unix.so
account optional pam_permit.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional pam_permit.so

session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so

session optional pam_loginuid.so
session optional pam_systemd.so


Regards,
Kai
Jóhann B. Guðmundsson
2013-05-06 21:50:28 UTC
Post by Kai Krakow
But now I want to (and need to) give some users cron-like abilities. I
discovered that systemd supports user instances - perfect!
Then install cronie...

JBG
Kai Krakow
2013-05-06 22:14:04 UTC
Post by Jóhann B. Guðmundsson
Post by Kai Krakow
But now I want to (and need to) give some users cron-like abilities. I
discovered that systemd supports user instances - perfect!
Then install cronie...
That's the obvious solution but a little bit counter-productive with respect
to my question...

Anyway, one has to take that route if everything else fails.

Regards,
Kai
David Strauss
2013-05-07 02:02:06 UTC
I don't recommend spawning user instances of systemd just for their
timer units to run. Each instance comes with a few MB of overhead, and
you'll have no fun trying to spawn sessions in a way isolated from
(but somehow integrated with) the PAM session initialization process.
Post by Kai Krakow
Post by Jóhann B. Guðmundsson
Post by Kai Krakow
But now I want to (and need to) give some users cron-like abilities. I
discovered that systemd supports user instances - perfect!
Then install cronie...
That's the obvious solution but a little bit counter-productive with respect
to my question...
Anyway, one has to take that route if everything else fails.
Regards,
Kai
--
David Strauss
| ***@davidstrauss.net
| +1 512 577 5827 [mobile]
Kai Krakow
2013-05-07 21:48:01 UTC
Well, actually the timers are a nice benefit only. We want to control
user-initiated background-services for a web application server with this and
cron hasn't been our best friend for this in the past.
Post by David Strauss
I don't recommend spawning user instances of systemd just for their
timer units to run. Each instance comes with a few MB of overhead, and
you'll have no fun trying to spawn sessions in a way isolated from
(but somehow integrated with) the PAM session initialization process.
Post by Kai Krakow
Post by Jóhann B. Guðmundsson
Post by Kai Krakow
But now I want to (and need to) give some users cron-like abilities. I
discovered that systemd supports user instances - perfect!
Then install cronie...
That's the obvious solution but a little bit counter-productive with
respect to my question...
Anyway, one has to take that route if everything else fails.
Regards,
Kai
Jóhann B. Guðmundsson
2013-05-07 05:37:23 UTC
Post by Kai Krakow
Post by Jóhann B. Guðmundsson
Post by Kai Krakow
But now I want to (and need to) give some users cron-like abilities. I
discovered that systemd supports user instances - perfect!
Then install cronie...
That's the obvious solution but a little bit counter-productive with respect
to my question...
Systemd is not ready for users cron like behavior.

Not from a usability perspective ( complexity of time units vs cron's
one liner ) and from the fact that there are cron features which cannot
be supported ( for now ) and of those that will not be supported.

I threw some ideas out there on the table in Brno but how we might try
to solve that ( from an user usability perspective ) but to do so, along
with supporting few other things in the future like container ( startup
) templates and the fact that the drop-in snippets in .d/*.conf does not
scale very well ( due to its own unit directory implementation ) I'm
afraid we will need to rethink and reconstruct /etc/systemd/ directory
structure sooner rather than later since it's slowly becoming too
complex and ill manageable in the process.

Anyway basically just think of systemd timer units cron like
implementation like systemd's (x)inetd replacement which only replaces
it up to 80% - 90%

JBG
Kai Krakow
2013-05-07 21:45:36 UTC
Post by Jóhann B. Guðmundsson
Post by Kai Krakow
Post by Jóhann B. Guðmundsson
Post by Kai Krakow
But now I want to (and need to) give some users cron-like abilities. I
discovered that systemd supports user instances - perfect!
Then install cronie...
That's the obvious solution but a little bit counter-productive with
respect to my question...
Systemd is not ready for users cron like behavior.
Okay... Well, I did not expect a full replacement anyway. But...
Post by Jóhann B. Guðmundsson
Not from a usability perspective ( complexity of time units vs cron's
one liner ) and from the fact that there are cron features which cannot
be supported ( for now ) and of those that will not be supported.
True...
Post by Jóhann B. Guðmundsson
I threw some ideas out there on the table in Brno but how we might try
to solve that ( from an user usability perspective ) but to do so, along
with supporting few other things in the future like container ( startup
) templates and the fact that the drop-in snippets in .d/*.conf does not
scale very well ( due to its own unit directory implementation ) I'm
afraid we will need to rethink and reconstruct /etc/systemd/ directory
structure sooner rather than later since it's slowly becoming too
complex and ill manageable in the process.
Yes, it looks a bit messy there but it is maintainable for me.
Post by Jóhann B. Guðmundsson
Anyway basically just think of systemd timer units cron like
implementation like systemd's (x)inetd replacement which only replaces
it up to 80% - 90%
Sure.

...but: I just want some simple timers and just for a few users (maybe two
or three) and these should be able to tear down the spawned process cleanly
which cron really cannot do so well.

The nice features from systemd as a "simple" (more or less) cron replacement
are:

* clean process teardown and keeping track of "run-away" processes
* very good logging capabilities
* easy to maintain cpu and io policies

Actually it's meant to be used for an application server which has to spawn
and watch background jobs every now and then and keep user-initiated
services running. I don't think that can be done "right" with cron. At least
we had our headaches with that in the past and here systemd seems to come in
just right and handy.

Thanks for an elaborated answer though, I appreciate it.

PS: I know that cron is the better tool for launching simple one-liners...

Regards,
Kai
Kok, Auke-jan H
2013-05-07 03:31:40 UTC
Post by Kai Krakow
Hey list,
I've built a server with systemd and it really worked out well. Fast booting
(that means shorter maintenance times) and most important: Reliable service
teardown and auto-restarts of crashed services. And yeah, I love the
journal. I'm logging everything there.
But now I want to (and need to) give some users cron-like abilities. I
discovered that systemd supports user instances - perfect!
But I cannot start it, and neither can the user. Starting it states in the
May 06 23:35:00 vweb002.jugendinfo.de systemd[1]: Starting User Manager for
root...
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
May 06 23:35:00 vweb002.jugendinfo.de systemd[4438]: Failed at step PAM
spawning /usr/lib/systemd/systemd: Operation not permitted
-- Subject: Process /usr/lib/systemd/systemd could not be executed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
http://www.freedesktop.org/wiki/Software/systemd/catalog/641257651c1b4ec9a8624d7a40a9e1e7
--
-- The process /usr/lib/systemd/systemd could not be executed and failed.
--
-- The error number returned while executing this process is 1.
May 06 23:35:00 vweb002.xxxxxx.de systemd[1]: Started User Manager for root.
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
--
-- The start-up result is done.
Why does it say "Starting user manager for root" (and not my username) and
why does it fail with pam? If I start "systemd --user &", then I can enable
and run the user services defined in .config/systemd.
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
[Unit]
Description=User Manager for %u
After=systemd-user-sessions.service
[Service]
User=%I
PAMName=systemd-shared
^^ this line is the cause of your problems, as the
/etc/pam.d/systemd-shared file does not exist.
Post by Kai Krakow
# in order to allow MEM_CG features to work, add "memory:/" here
ControlGroup=%R/user/%u/shared cpu:/
ControlGroupModify=yes
Type=notify
ExecStart=-/usr/lib/systemd/systemd --user
Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%U/dbus/user_bus_socket
[Install]
Failed to issue method call: Access denied
auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so
account required pam_unix.so
account optional pam_permit.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
session optional pam_loginuid.so
session optional pam_systemd.so
You can copy /etc/pam.d/login to /etc/pam.d/systemd-shared, and then
things should somewhat work. Additionally, you may want to copy the
dbus user session service files from
github.com/sofar/user-session-units to get user based dbus services
working.

Auke
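
The diagnosis in the reply above (a unit's PAMName= naming a PAM service file that does not exist under /etc/pam.d) can be checked mechanically. The following is an added example, not part of the original thread or of systemd; the function names and the temporary sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report systemd units whose PAMName= has no matching
# PAM service file. Names and sample data are constructed.

# check_pam_names UNIT_DIR PAM_DIR
# Prints "unit-file: pam-name" for each missing PAM service file and
# returns 1 if any were missing, 0 otherwise.
check_pam_names() {
    unit_dir=$1 pam_dir=$2 status=0
    for unit in "$unit_dir"/*.service; do
        [ -f "$unit" ] || continue
        # Use the last PAMName= assignment found in the unit file.
        name=$(sed -n 's/^[[:space:]]*PAMName=[[:space:]]*//p' "$unit" | tail -n 1)
        [ -n "$name" ] || continue
        if [ ! -f "$pam_dir/$name" ]; then
            printf '%s: %s\n' "${unit##*/}" "$name"
            status=1
        fi
    done
    return $status
}

# Constructed sample tree mirroring the thread: the user@ unit refers to
# "systemd-shared", but only a "login" PAM service file is present.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/units" "$root/pam.d"
    printf '[Service]\nUser=%%I\nPAMName=systemd-shared\n' \
        > "$root/units/user@kakra.service"
    printf '[Service]\nPAMName=login\n' > "$root/units/other.service"
    : > "$root/pam.d/login"
    echo "$root"
}

sample=$(make_sample)
check_pam_names "$sample/units" "$sample/pam.d" \
    || echo "missing PAM service file(s) found"
rm -rf "$sample"
```

On a real host the call would be `check_pam_names /etc/systemd/system /etc/pam.d`, using the directories shown in the thread.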
Kai Krakow
2013-05-07 21:33:51 UTC
Post by Kok, Auke-jan H
Post by Kai Krakow
[Service]
User=%I
PAMName=systemd-shared
^^ this line is the cause of your problems, as the
/etc/pam.d/systemd-shared file does not exist.
I thought this is virtually provided by pam_systemd.so? But I may try your
suggestion.

Regards,
Kai