From 5b36c591ef0e79ee1fd4a0db4644d9d0e8d183ca Mon Sep 17 00:00:00 2001
From: Matus Honek <mhonek@redhat.com>
Date: Mon, 27 May 2019 10:59:03 +0000
Subject: [PATCH] Issue 49875 - Move SystemD service config to a drop-in file

Bug Description:
Runtime configuration options are mixed into the service specification
which should seldom be changed by users.

Fix Description:
Move the runtime configuration options into a drop-in file. These options
are then automatically pulled in by SystemD.

Additional Info:
Erasing the default values of the mentioned options to implicitly pull in
system defaults which are more sane nowadays.

The .service file is now common for xsan and non-xsan builds, the former
differring only by an additional drop-in file.

Related https://pagure.io/389-ds-base/issue/49875

Author: Matus Honek <mhonek@redhat.com>

Review by: firstyear, mreynolds, vashirov (thanks!)
---
 Makefile.am                                   | 23 ++++--
 configure.ac                                  |  2 +
 .../systemd.template.service.custom.conf.in   | 52 +++++++++++++
 wrappers/systemd.template.service.in          | 57 +-------------
 .../systemd.template.service.xsan.conf.in     | 11 +++
 wrappers/systemd.template.xsan.service.in     | 77 -------------------
 6 files changed, 85 insertions(+), 137 deletions(-)
 create mode 100644 wrappers/systemd.template.service.custom.conf.in
 create mode 100644 wrappers/systemd.template.service.xsan.conf.in
 delete mode 100644 wrappers/systemd.template.xsan.service.in

diff --git a/Makefile.am b/Makefile.am
index 01ac3a04d..de9e0c460 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -300,6 +300,7 @@ serverdir = $(libdir)/@serverdir@
 serverplugindir = $(libdir)@serverplugindir@
 taskdir = $(datadir)@scripttemplatedir@
 systemdsystemunitdir = @with_systemdsystemunitdir@
+systemdsystemunitdropindir = @with_systemdsystemunitdir@/$(PACKAGE_NAME)@.service.d
 systemdsystemconfdir = @with_systemdsystemconfdir@
 systemdgroupname = @with_systemdgroupname@
 initdir = @initdir@
@@ -880,6 +881,11 @@ if SYSTEMD
 systemdsystemunit_DATA = wrappers/$(PACKAGE_NAME)@.service \
 	wrappers/$(systemdgroupname) \
 	wrappers/$(PACKAGE_NAME)-snmp.service
+
+systemdsystemunitdropin_DATA = wrappers/$(PACKAGE_NAME)@.service.d/custom.conf
+if with_sanitizer
+systemdsystemunitdropin_DATA += wrappers/$(PACKAGE_NAME)@.service.d/xsan.conf
+endif
 else
 if INITDDIR
 init_SCRIPTS = wrappers/$(PACKAGE_NAME) \
@@ -2314,12 +2320,17 @@ endif
 # yes, that is an @ in the filename . . .
 %/$(PACKAGE_NAME)@.service: %/systemd.template.service.in
 	if [ ! -d $(dir $@) ] ; then mkdir -p $(dir $@) ; fi
-	if [ ! -z ${SANITIZER} ] ; then \
-		service_template=$(shell echo $^ | sed 's/template/template.xsan/g'); \
-		else \
-		service_template=$^; \
-	fi; \
-	$(fixupcmd) $$service_template > $@
+	$(fixupcmd) $^ > $@
+
+%/$(PACKAGE_NAME)@.service.d/custom.conf: %/systemd.template.service.custom.conf.in
+	if [ ! -d $(dir $@) ] ; then mkdir -p $(dir $@) ; fi
+	$(fixupcmd) $^ > $@
+
+if with_sanitizer
+%/$(PACKAGE_NAME)@.service.d/xsan.conf: %/systemd.template.service.xsan.conf.in
+	if [ ! -d $(dir $@) ] ; then mkdir -p $(dir $@) ; fi
+	$(fixupcmd) $^ > $@
+endif
 
 %/$(systemdgroupname): %/systemd.group.in
 	if [ ! -d $(dir $@) ] ; then mkdir -p $(dir $@) ; fi
diff --git a/configure.ac b/configure.ac
index 3660e6816..d329e84a9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -196,6 +196,8 @@ AC_SUBST([ubsan_cflags])
 AC_SUBST([ubsan_rust_defs])
 AM_CONDITIONAL(enable_ubsan,test "$enable_ubsan" = "yes")
 
+AM_CONDITIONAL(with_sanitizer,test "$enable_asan" = "yes" -o "$enable_msan" = "yes" -o "$enable_tsan" = "yes" -o "$enable_ubsan" = "yes")
+
 # Enable CLANG
 AC_MSG_CHECKING(for --enable-clang)
 AC_ARG_ENABLE(clang, AS_HELP_STRING([--enable-clang], [Enable clang (default: no)]),
diff --git a/wrappers/systemd.template.service.custom.conf.in b/wrappers/systemd.template.service.custom.conf.in
new file mode 100644
index 000000000..0dce62826
--- /dev/null
+++ b/wrappers/systemd.template.service.custom.conf.in
@@ -0,0 +1,52 @@
+# To change any of the below values, please use a drop-in file in which
+# you can declare overrides according to systemd.unit(5), either of:
+# - applying to all instances:
+#   /etc/systemd/system/dirsrv@.service.d/custom.conf
+# - applying to a single instance (overriding the above):
+#   /etc/systemd/system/dirsrv@<instance>.service.d/custom.conf
+#
+# Some of the most interesting coniguration options are mentioned below.
+# See systemd.service(5) and systemd.exec(5) for the respective documentation.
+#
+# After updating the service configuration, do not forget to apply the changes:
+# - reload systemd configuration: systemctl daemon-reload
+# - restart the service: systemctl restart @package_name@@<instance>.service
+
+[Service]
+TimeoutStartSec=0
+TimeoutStopSec=600
+
+# These are from man systemd.exec and man systemd.resource-control
+
+# This controls the resources to the direct child of systemd, in
+# this case ns-slapd. Because we are type notify we recieve these
+# limits correctly.
+
+# This controls the number of file handles avaliable. File handles
+# correlate to sockets for the process, and our access to logs and
+# databases.  Note, the configuration setting in Directory Server,
+# "nsslapd-maxdescriptors", can override this limit.
+#LimitNOFILE=
+
+# You can limit the memory in the cgroup with these, and ns-slapd
+# will account for them in it's autotuning.
+# Memory account may be controlled by DefaultMemoryAccounting= in systemd-system.conf
+#MemoryAccounting=yes
+#MemoryLimit=<bytes>
+
+# Limits on the size of coredump that may be produced by the process. It's not
+# specified how this interacts with coredumpd.
+# 0 means not to produce cores.
+#LimitCORE=<bytes>
+
+# Limit number of processes (threads) we may spawn. We don't advise you change
+# this as DS will autodetect your threads / cpus and adjust as needed.
+#LimitNPROC=
+
+# Possible hardening options:
+#PrivateDevices=yes
+#ProtectSystem=yes
+#ProtectHome=yes
+#PrivateTmp=yes
+
+
diff --git a/wrappers/systemd.template.service.in b/wrappers/systemd.template.service.in
index 7142c3492..2ac6f978f 100644
--- a/wrappers/systemd.template.service.in
+++ b/wrappers/systemd.template.service.in
@@ -1,17 +1,6 @@
-# you usually do not want to edit this file - instead, edit the
-# @initconfigdir@/@package_name@.systemd file instead - otherwise,
-# do not edit this file in /lib/systemd/system - instead, do the following:
-# cp /lib/systemd/system/dirsrv\@.service /etc/systemd/system/dirsrv\@.service
-# mkdir -p /etc/systemd/system/@systemdgroupname@.wants
-# edit /etc/systemd/system/dirsrv\@.service - uncomment the LimitNOFILE=8192 line
-# where %i is the name of the instance
-# you may already have a symlink in
-# /etc/systemd/system/@systemdgroupname@.wants/dirsrv@%i.service pointing to
-# /lib/systemd/system/dirsrv\@.service - you will have to change it to link
-# to /etc/systemd/system/dirsrv\@.service instead
-# ln -s /etc/systemd/system/dirsrv\@.service /etc/systemd/system/@systemdgroupname@.wants/dirsrv@%i.service
-# systemctl daemon-reload 
-# systemctl (re)start @systemdgroupname@
+# You should not need to edit this file. Instead, use a drop-in file as described in:
+#   /usr/lib/systemd/system/@package_name@@.service.d/custom.conf
+
 [Unit]
 Description=@capbrand@ Directory Server %i.
 PartOf=@systemdgroupname@
@@ -21,51 +10,11 @@ Before=radiusd.service
 [Service]
 Type=notify
 NotifyAccess=all
-TimeoutStartSec=0
-TimeoutStopSec=600
 EnvironmentFile=-@initconfigdir@/@package_name@
 EnvironmentFile=-@initconfigdir@/@package_name@-%i
 PIDFile=@localstatedir@/run/@package_name@/slapd-%i.pid
 ExecStartPre=@libexecdir@/ds_systemd_ask_password_acl @instconfigdir@/slapd-%i/dse.ldif
 ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/@package_name@/slapd-%i.pid
 
-#### To change any of these values or directives, you should use a drop in file
-# such as: /etc/systemd/system/dirsrv@<instance>.d/custom.conf
-
-# These are from man systemd.exec and man systemd.resource-control
-
-# This controls the resources to the direct child of systemd, in
-# this case ns-slapd. Because we are type notify we recieve these
-# limits correctly.
-
-# This controls the number of file handles avaliable. File handles
-# correlate to sockets for the process, and our access to logs and
-# databases.  Note, the configuration setting in Directory Server,
-# "nsslapd-maxdescriptors", can override this limit.
-LimitNOFILE=16384
-
-# You can limit the memory in the cgroup with these, and ns-slapd
-# will account for them in it's autotuning.
-# Memory account may be controlled by DefaultMemoryAccounting= in systemd-system.conf
-# MemoryAccounting=true
-# MemoryLimit=bytes
-
-# Limits on the size of coredump that may be produced by the process. It's not
-# specified how this interacts with coredumpd.
-# 0 means not to produce cores.
-# This value is 64G
-LimitCORE=68719476736
-
-# Limit number of processes (threads) we may spawn. We don't advise you change
-# this as DS will autodetect your threads / cpus and adjust as needed.
-# LimitNPROC=
-
-# Hardening options:
-# PrivateDevices=true
-# ProtectSystem=true
-# ProtectHome=true
-# PrivateTmp=true
-
 [Install]
 WantedBy=multi-user.target
-
diff --git a/wrappers/systemd.template.service.xsan.conf.in b/wrappers/systemd.template.service.xsan.conf.in
new file mode 100644
index 000000000..f4bf809b9
--- /dev/null
+++ b/wrappers/systemd.template.service.xsan.conf.in
@@ -0,0 +1,11 @@
+# This file is present because the server has been built with a sanitizer.
+# It is not meant for a production usage.
+[Unit]
+Description=@capbrand@ Directory Server with @SANITIZER@ %i.
+
+[Service]
+# We can't symbolize here, as llvm symbolize crashes when it goes near systemd.
+Environment=ASAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.asan:print_stacktrace=1
+Environment=TSAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.tsan:print_stacktrace=1:second_deadlock_stack=1:history_size=7
+Environment=MSAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.msan:print_stacktrace=1
+Environment=UBSAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.ubsan:print_stacktrace=1
diff --git a/wrappers/systemd.template.xsan.service.in b/wrappers/systemd.template.xsan.service.in
deleted file mode 100644
index 541392ff8..000000000
--- a/wrappers/systemd.template.xsan.service.in
+++ /dev/null
@@ -1,77 +0,0 @@
-# you usually do not want to edit this file - instead, edit the
-# @initconfigdir@/@package_name@.systemd file instead - otherwise,
-# do not edit this file in /lib/systemd/system - instead, do the following:
-# cp /lib/systemd/system/dirsrv\@.service /etc/systemd/system/dirsrv\@.service
-# mkdir -p /etc/systemd/system/@systemdgroupname@.wants
-# edit /etc/systemd/system/dirsrv\@.service - uncomment the LimitNOFILE=8192 line
-# where %i is the name of the instance
-# you may already have a symlink in
-# /etc/systemd/system/@systemdgroupname@.wants/dirsrv@%i.service pointing to
-# /lib/systemd/system/dirsrv\@.service - you will have to change it to link
-# to /etc/systemd/system/dirsrv\@.service instead
-# ln -s /etc/systemd/system/dirsrv\@.service /etc/systemd/system/@systemdgroupname@.wants/dirsrv@%i.service
-# systemctl daemon-reload 
-# systemctl (re)start @systemdgroupname@
-[Unit]
-Description=@capbrand@ Directory Server with @SANITIZER@ %i.
-PartOf=@systemdgroupname@
-After=chronyd.service ntpd.service network-online.target syslog.target
-Before=radiusd.service
-
-[Service]
-Type=notify
-NotifyAccess=all
-TimeoutStartSec=0
-TimeoutStopSec=600
-EnvironmentFile=@initconfigdir@/@package_name@
-EnvironmentFile=@initconfigdir@/@package_name@-%i
-PIDFile=@localstatedir@/run/@package_name@/slapd-%i.pid
-# We can't symbolize here, as llvm symbolize crashes when it goes near systemd.
-Environment=ASAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.asan:print_stacktrace=1
-Environment=TSAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.tsan:print_stacktrace=1:second_deadlock_stack=1:history_size=7
-Environment=MSAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.msan:print_stacktrace=1
-Environment=UBSAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.ubsan:print_stacktrace=1
-LimitCORE=infinity
-ExecStartPre=@libexecdir@/ds_systemd_ask_password_acl @instconfigdir@/slapd-%i/dse.ldif
-ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/@package_name@/slapd-%i.pid
-
-#### To change any of these values or directives, you should use a drop in file
-# such as: /etc/systemd/system/dirsrv@<instance>.d/custom.conf
-
-# These are from man systemd.exec and man systemd.resource-control
-
-# This controls the resources to the direct child of systemd, in
-# this case ns-slapd. Because we are type notify we recieve these
-# limits correctly.
-
-# This controls the number of file handles avaliable. File handles
-# correlate to sockets for the process, and our access to logs and
-# databases.
-LimitNOFILE=16384
-
-# You can limit the memory in the cgroup with these, and ns-slapd
-# will account for them in it's autotuning.
-# Memory account may be controlled by DefaultMemoryAccounting= in systemd-system.conf
-# MemoryAccounting=true
-# MemoryLimit=bytes
-
-# Limits on the size of coredump that may be produced by the process. It's not
-# specified how this interacts with coredumpd.
-# 0 means not to produce cores.
-# This value is 64G
-LimitCORE=68719476736
-
-# Limit number of processes (threads) we may spawn. We don't advise you change
-# this as DS will autodetect your threads / cpus and adjust as needed.
-# LimitNPROC=
-
-# Hardening options:
-# PrivateDevices=true
-# ProtectSystem=true
-# ProtectHome=true
-# PrivateTmp=true
-
-
-[Install]
-WantedBy=multi-user.target
-
-- 
2.21.0