|
 |
906948 |
|
|
|
906948 |
|
|
|
906948 |
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
|
|
906948 |
|
|
|
906948 |
]>
|
|
|
906948 |
|
|
|
906948 |
Copyright 2018 Red Hat, Inc.
|
|
|
906948 |
|
|
|
906948 |
Licensed to the Apache Software Foundation (ASF) under one or more
|
|
|
906948 |
contributor license agreements. See the NOTICE file distributed with
|
|
|
906948 |
this work for additional information regarding copyright ownership.
|
|
|
906948 |
The ASF licenses this file to You under the Apache License, Version 2.0
|
|
|
906948 |
(the "License"); you may not use this file except in compliance with
|
|
|
906948 |
the License. You may obtain a copy of the License at
|
|
|
906948 |
|
|
|
906948 |
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
906948 |
|
|
|
906948 |
Unless required by applicable law or agreed to in writing, software
|
|
|
906948 |
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
906948 |
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
906948 |
See the License for the specific language governing permissions and
|
|
|
906948 |
limitations under the License.
|
|
|
906948 |
-->
|
|
|
906948 |
|
|
|
906948 |
<refentry>
|
|
|
906948 |
<refentryinfo>
|
|
|
906948 |
<title>httpd systemd units</title>
|
|
|
906948 |
<productname>httpd</productname>
|
|
|
906948 |
<author><contrib>Author</contrib><surname>Orton</surname><firstname>Joe</firstname><email>jorton@redhat.com</email></author>
|
|
|
906948 |
</refentryinfo>
|
|
|
906948 |
|
|
|
906948 |
<refmeta>
|
|
|
906948 |
<refentrytitle>httpd.service</refentrytitle>
|
|
|
906948 |
<manvolnum>8</manvolnum>
|
|
|
906948 |
</refmeta>
|
|
|
906948 |
|
|
|
906948 |
<refnamediv>
|
|
|
906948 |
<refname>httpd.service</refname>
|
|
|
906948 |
<refname>httpd@.service</refname>
|
|
|
906948 |
<refname>httpd.socket</refname>
|
|
|
906948 |
<refname>httpd-init.service</refname>
|
|
|
906948 |
<refpurpose>httpd unit files for systemd</refpurpose>
|
|
|
906948 |
</refnamediv>
|
|
|
906948 |
|
|
|
906948 |
<refsynopsisdiv>
|
|
|
906948 |
<para>
|
|
|
906948 |
<filename>/usr/lib/systemd/system/httpd.service</filename>,
|
|
|
906948 |
<filename>/usr/lib/systemd/system/httpd@.service</filename>,
|
|
|
906948 |
<filename>/usr/lib/systemd/system/httpd-init.service</filename>,
|
|
|
906948 |
<filename>/usr/lib/systemd/system/httpd.socket</filename>
|
|
|
906948 |
</para>
|
|
|
906948 |
</refsynopsisdiv>
|
|
|
906948 |
|
|
|
906948 |
<refsect1>
|
|
|
906948 |
<title>Description</title>
|
|
|
906948 |
|
|
|
906948 |
<para>This manual page describes the <command>systemd</command>
|
|
|
906948 |
unit files used to integrate the <command>httpd</command> daemon
|
|
|
906948 |
with <command>systemd</command>. Two main unit files are
|
|
|
906948 |
available: <command>httpd.service</command> allows the
|
|
|
906948 |
<command>httpd</command> daemon to be run as a system service, and
|
|
|
906948 |
<command>httpd.socket</command> allows httpd to be started via
|
|
|
906948 |
socket-based activation. Most systems will use
|
|
|
906948 |
<command>httpd.service</command>.</para>
|
|
|
906948 |
|
|
|
906948 |
<para>The <command>apachectl</command> command has been modified
|
|
|
906948 |
to invoke <command>systemctl</command> for most uses, so for
|
|
|
906948 |
example, running <command>apachectl start</command> is equivalent
|
|
|
906948 |
to running <command>systemctl start httpd.service</command>. This
|
|
|
906948 |
ensures that the running httpd daemon is tracked and managed by
|
|
|
906948 |
<command>systemd</command>. In contrast, running
|
|
|
906948 |
<command>httpd</command> directly from a root shell will start the
|
|
|
906948 |
service outside of <command>systemd</command>; in this case,
|
|
|
906948 |
default security restrictions described below (including, but not
|
|
|
906948 |
limited to, SELinux) will not be enforced.</para>
|
|
|
906948 |
|
|
|
906948 |
<refsect2>
|
|
|
906948 |
<title>Changing default behaviour</title>
|
|
|
906948 |
|
|
|
906948 |
<para>To change the default behaviour of the httpd service, an
|
|
|
906948 |
<emphasis>over-ride</emphasis> file should be created, rather
|
|
|
906948 |
than changing
|
|
|
906948 |
<filename>/usr/lib/systemd/system/httpd.service</filename>
|
|
|
906948 |
directly, since such changes would be lost over package
|
|
|
906948 |
upgrades. Running <command>systemctl edit
|
|
|
906948 |
httpd.service</command> or <command>systemctl edit
|
|
|
906948 |
httpd.socket</command> as root will create a drop-in file (in
|
|
|
906948 |
the former case, in
|
|
|
906948 |
<filename>/etc/systemd/system/httpd.service.d</filename>) which
|
|
|
906948 |
over-rides the system defaults.</para>
|
|
|
906948 |
|
|
|
906948 |
<para>For example, to set the <option>LD_LIBRARY_PATH</option>
|
|
|
906948 |
environment variable for the daemon, run <command>systemctl edit
|
|
|
906948 |
httpd.service</command> and enter:
|
|
|
906948 |
|
|
|
906948 |
<programlisting>[Service]
|
|
|
906948 |
Environment=LD_LIBRARY_PATH=/opt/vendor/lib</programlisting></para>
|
|
|
906948 |
</refsect2>
|
|
|
906948 |
|
|
|
906948 |
<refsect2>
|
|
|
906948 |
<title>Starting the service at boot time</title>
|
|
|
906948 |
|
|
|
906948 |
<para>The httpd.service and httpd.socket units are
|
|
|
906948 |
<emphasis>disabled</emphasis> by default. To start the httpd
|
|
|
906948 |
service at boot time, run: <command>systemctl enable
|
|
|
906948 |
httpd.service</command>. In the default configuration, the
|
|
|
906948 |
httpd daemon will accept connections on port 80 (and, if mod_ssl
|
|
|
906948 |
is installed, TLS connections on port 443) for any configured
|
|
|
906948 |
IPv4 or IPv6 address.</para>
|
|
|
906948 |
|
|
|
906948 |
<para>If httpd is configured to depend on any specific IP
|
|
|
906948 |
address (for example, with a "Listen" directive) which may only
|
|
|
906948 |
become available during start-up, or if httpd depends on other
|
|
|
906948 |
services (such as a database daemon), the service
|
|
|
906948 |
<emphasis>must</emphasis> be configured to ensure correct
|
|
|
906948 |
start-up ordering.</para>
|
|
|
906948 |
|
|
|
906948 |
<para>For example, to ensure httpd is only running after all
|
|
|
906948 |
configured network interfaces are configured, create a drop-in
|
|
|
906948 |
file (as described above) with the following section:
|
|
|
906948 |
|
|
|
906948 |
<programlisting>[Unit]
|
|
|
906948 |
After=network-online.target
|
|
|
906948 |
Wants=network-online.target</programlisting>
|
|
|
906948 |
|
|
|
906948 |
See
|
|
|
906948 |
url="https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/"/>
|
|
|
906948 |
for more information on start-up ordering with systemd.</para>
|
|
|
906948 |
|
|
|
906948 |
</refsect2>
|
|
|
906948 |
|
|
|
906948 |
<refsect2>
|
|
|
906948 |
<title>SSL/TLS certificate generation</title>
|
|
|
906948 |
|
|
|
906948 |
<para>The <command>httpd-init.service</command> unit is provided
|
|
|
906948 |
with the mod_ssl package. This oneshot unit automatically
|
|
|
906948 |
creates a TLS server certificate and key (using a generated
|
|
|
906948 |
self-signed CA certificate and key) for testing purposes before
|
|
|
906948 |
httpd is started. To inhibit certificate generation, use
|
|
|
906948 |
<command>systemctl mask httpd-init.service</command> after
|
|
|
906948 |
installing mod_ssl, and adjust the mod_ssl configuration to use
|
|
|
906948 |
an appropriate certificate and key.</para>
|
|
|
906948 |
|
|
|
906948 |
</refsect2>
|
|
|
906948 |
|
|
|
906948 |
<refsect2>
|
|
|
906948 |
<title>Reloading and stopping the service</title>
|
|
|
906948 |
|
|
|
906948 |
<para>When running <command>systemctl reload
|
|
|
906948 |
httpd.service</command>, a <emphasis>graceful</emphasis>
|
|
|
906948 |
restart is used, which sends a signal to the httpd parent
|
|
|
906948 |
process to reload the configuration and re-open log files. Any
|
|
|
906948 |
children with open connections at the time of reload will
|
|
|
906948 |
terminate only once they have completed serving requests. This
|
|
|
906948 |
prevents users of the server seeing errors (or potentially
|
|
|
906948 |
losing data) due to the reload, but means some there is some
|
|
|
906948 |
delay before any configuration changes take effect for all
|
|
|
906948 |
users.</para>
|
|
|
906948 |
|
|
|
906948 |
<para>Similarly, a <emphasis>graceful stop</emphasis> is used
|
|
|
906948 |
when <command>systemctl stop httpd.service</command> is run,
|
|
|
906948 |
which terminates the server only once active connections have
|
|
|
906948 |
been processed.</para>
|
|
|
906948 |
|
|
|
906948 |
<para>To "ungracefully" stop the server without waiting for
|
|
|
906948 |
requests to complete, use <command>systemctl kill
|
|
|
906948 |
--kill-who=main httpd</command>; similarly to "ungracefully"
|
|
|
906948 |
reload the configuration, use <command>systemctl kill
|
|
|
906948 |
--kill-who=main --signal=HUP httpd</command>.</para>
|
|
|
906948 |
</refsect2>
|
|
|
906948 |
|
|
|
906948 |
<refsect2>
|
|
|
906948 |
<title>Automated service restarts</title>
|
|
|
906948 |
|
|
|
906948 |
<para>System packages (including the httpd package itself) may
|
|
|
906948 |
restart the httpd service automatically after packages are
|
|
|
906948 |
upgraded, installed, or removed. This is done using the
|
|
|
906948 |
<command>systemctl try-restart httpd.service</command>, which
|
|
|
906948 |
stops then starts the service if it is running.</para>
|
|
|
906948 |
|
|
|
906948 |
<para>To disable automatic restarts, create the file
|
|
|
906948 |
<filename>/etc/sysconfig/httpd-disable-posttrans</filename>.
|
|
|
906948 |
When <command>httpd</command> interfaces are added in an update,
|
|
|
906948 |
it may not be safe to <emphasis>reload</emphasis> a running
|
|
|
906948 |
service after upgrading, if updated modules require interfaces
|
|
|
906948 |
only available in the updated httpd. It is recommended to allow
|
|
|
906948 |
automatic restarts for this reason.</para>
|
|
|
906948 |
</refsect2>
|
|
|
906948 |
|
|
|
906948 |
<refsect2>
|
|
|
906948 |
<title>Changing the default MPM (Multi-Processing Module)</title>
|
|
|
906948 |
|
|
|
906948 |
<para>httpd offers a choice of multi-processing modules (MPMs),
|
|
|
906948 |
which can be configured in
|
|
|
906948 |
<filename>/etc/httpd/conf.modules.d/00-mpm.conf</filename>.
|
|
|
906948 |
See
|
|
|
906948 |
<citerefentry><refentrytitle>httpd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
|
906948 |
for more information on changing the MPM.</para>
|
|
|
906948 |
</refsect2>
|
|
|
906948 |
|
|
|
906948 |
<refsect2>
|
|
|
906948 |
<title>systemd integration and mod_systemd</title>
|
|
|
906948 |
|
|
|
906948 |
<para>The httpd service uses the <option>notify</option> systemd
|
|
|
906948 |
service type. The <literal>mod_systemd</literal> module must be
|
|
|
906948 |
loaded (as in the default configuration) for this to work
|
|
|
906948 |
correctly - the service will fail if this module is not
|
|
|
906948 |
loaded. <literal>mod_systemd</literal> also makes worker and
|
|
|
906948 |
request statistics available when running <command>systemctl status
|
|
|
906948 |
httpd</command>. See
|
|
|
906948 |
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
|
906948 |
for more information on systemd service types.</para>
|
|
|
906948 |
</refsect2>
|
|
|
906948 |
|
|
|
906948 |
<refsect2>
|
|
|
906948 |
<title>Security and SELinux</title>
|
|
|
906948 |
|
|
|
906948 |
<para>The default SELinux policy restricts the httpd service in
|
|
|
906948 |
various ways. For example, the default policy limits the ports
|
|
|
906948 |
to which httpd can bind (using the <literal>Listen</literal>
|
|
|
906948 |
directive), which parts of the filesystem can be accessed, and
|
|
|
906948 |
whether outgoing TCP connections are possible. Many of these
|
|
|
906948 |
restrictions can be relaxed or adjusted by using
|
|
|
906948 |
<command>semanage</command> to change booleans or other
|
|
|
906948 |
types. See
|
|
|
906948 |
<citerefentry><refentrytitle>httpd_selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
|
906948 |
for more information.</para>
|
|
|
906948 |
</refsect2>
|
|
|
906948 |
|
|
|
906948 |
<refsect2>
|
|
|
906948 |
<title>Process policies and restrictions</title>
|
|
|
906948 |
|
|
|
906948 |
<para>The httpd service uses the following options:
|
|
|
906948 |
|
|
|
906948 |
<itemizedlist>
|
|
|
906948 |
<listitem><para><emphasis>PrivateTmp</emphasis> is enabled by
|
|
|
906948 |
default. The <filename>/tmp</filename> and
|
|
|
906948 |
<filename>/var/tmp</filename> directories available within the
|
|
|
906948 |
httpd process (and CGI scripts, etc) are not shared by other
|
|
|
906948 |
processes.</para></listitem>
|
|
|
906948 |
|
|
|
906948 |
<listitem><para><emphasis>OOMPolicy</emphasis> is set to
|
|
|
906948 |
<emphasis>continue</emphasis> by default. Under the default
|
|
|
906948 |
Out-of-Memory policy, the entire service will be terminated if
|
|
|
906948 |
any process is killed by the kernel OOM killer. By setting
|
|
|
906948 |
the policy to <emphasis>continue</emphasis>, httpd will
|
|
|
906948 |
continue to run (and recover) if a single child is terminated
|
|
|
906948 |
because of excess memory consumption.</para></listitem>
|
|
|
906948 |
</itemizedlist>
|
|
|
906948 |
|
|
|
906948 |
See
|
|
|
906948 |
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
|
906948 |
and
|
|
|
906948 |
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
|
906948 |
for more information.</para>
|
|
|
906948 |
</refsect2>
|
|
|
906948 |
|
|
|
906948 |
<refsect2>
|
|
|
906948 |
<title>Logging and log file rotation</title>
|
|
|
906948 |
|
|
|
906948 |
<para>The <command>httpd</command> daemon is configured to log
|
|
|
906948 |
to the <filename>/var/log/httpd</filename> directory by default,
|
|
|
906948 |
and a drop-in for <command>logrotate</command> is provided at
|
|
|
906948 |
<filename>/etc/logrotate.d/httpd</filename> to enable log file
|
|
|
906948 |
rotation. The <command>httpd.service</command> systemd unit is
|
|
|
906948 |
reloaded after a <command>logrotate</command> run.</para>
|
|
|
906948 |
|
|
|
906948 |
<para>Log file compression is not enabled by default; since
|
|
|
906948 |
<command>httpd</command> can continue writing to open log files
|
|
|
906948 |
for some time after a reload (graceful restart), if compression
|
|
|
906948 |
is enabled the <literal>delaycompress</literal> option must be
|
|
|
906948 |
present (as in the default) to delay compression of log files to
|
|
|
906948 |
a later rotation run.</para>
|
|
|
906948 |
</refsect2>
|
|
|
906948 |
|
|
|
906948 |
<refsect2>
|
|
|
906948 |
<title>Socket activation</title>
|
|
|
906948 |
|
|
|
906948 |
<para>Socket activation (see
|
|
|
906948 |
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
|
906948 |
for more information) can be used with <command>httpd</command>
|
|
|
906948 |
by enabling the <command>httpd.socket</command> unit. The
|
|
|
906948 |
<command>httpd</command> listener configuration must exactly
|
|
|
906948 |
match the <literal>ListenStream</literal> options configured for
|
|
|
906948 |
the <command>httpd.socket</command> unit. The default
|
|
|
906948 |
<command>httpd.socket</command> has a
|
|
|
906948 |
<literal>ListenStream=80</literal> and, if mod_ssl is installed,
|
|
|
906948 |
<literal>ListenStream=443</literal> by a drop-in file. If
|
|
|
906948 |
additional <literal>Listen</literal> directives are added to the
|
|
|
906948 |
httpd configuration, corresponding
|
|
|
906948 |
<literal>ListenStream</literal> options should be added via
|
|
|
906948 |
drop-in files, for example via <command>systemctl edit
|
|
|
906948 |
httpd.socket</command>.</para>
|
|
|
906948 |
|
|
|
906948 |
<para>If using socket activation with httpd, only one listener
|
|
|
906948 |
on any given TCP port is supported; a configuration with both
|
|
|
906948 |
"<literal>Listen 127.0.0.1:80</literal>" and "<literal>Listen
|
|
|
906948 |
192.168.1.2:80</literal>" will not work.</para>
|
|
|
906948 |
</refsect2>
|
|
|
906948 |
|
|
|
906948 |
<refsect2>
|
|
|
906948 |
<title>Instantiated services</title>
|
|
|
906948 |
|
|
|
906948 |
<para>The <command>httpd@.service</command> unit is a template
|
|
|
906948 |
for creating instantiated services. An instance of this unit
|
|
|
906948 |
will be started using the configuration file
|
|
|
906948 |
<filename>/etc/httpd/conf/INSTANCE.conf</filename>, where
|
|
|
906948 |
<emphasis>INSTANCE</emphasis> is replaced with the instance
|
|
|
906948 |
name. For example, <command>systemctl start
|
|
|
906948 |
httpd@foobar.service</command> will start httpd using the
|
|
|
906948 |
configuration file
|
|
|
906948 |
<filename>/etc/httpd/conf/foobar.conf</filename>. The
|
|
|
906948 |
<option>HTTPD_INSTANCE</option> environment variable is set to
|
|
|
906948 |
the instance name by the unit and is available for use within
|
|
|
906948 |
the configuration file.</para>
|
|
|
906948 |
|
|
|
906948 |
<para>To allow multiple instances of httpd to run
|
|
|
906948 |
simultaneously, a number of configuration directives must be
|
|
|
906948 |
changed, such as <command>PidFile</command> and
|
|
|
906948 |
<command>DefaultRuntimeDir</command> to pick non-conflicting
|
|
|
906948 |
paths, and <command>Listen</command> to choose different ports.
|
|
|
906948 |
The example configuration file
|
|
|
906948 |
<filename>/usr/share/doc/httpd/instance.conf</filename>
|
|
|
906948 |
demonstrates how to make such changes using the
|
|
|
906948 |
<option>HTTPD_INSTANCE</option> variable.</para>
|
|
|
906948 |
|
|
|
906948 |
<para>It can be useful to configure instances of
|
|
|
906948 |
<command>httpd@.service</command> to reload when
|
|
|
906948 |
<command>httpd.service</command> is reloaded; for example,
|
|
|
906948 |
<command>logrotate</command> will reload only
|
|
|
906948 |
<command>httpd.service</command> when logs are rotated. If this
|
|
|
906948 |
behaviour is required, create a drop-in file for the instance as
|
|
|
906948 |
follows:
|
|
|
906948 |
|
|
|
906948 |
<programlisting>[Unit]
|
|
|
906948 |
ReloadPropagatedFrom=httpd.service</programlisting>
|
|
|
906948 |
|
|
|
906948 |
As with normal units, drop-in files for instances can be created
|
|
|
906948 |
using <command>systemctl edit</command>, e.g. <command>systemctl edit
|
|
|
906948 |
httpd@foobar.service</command>.</para>
|
|
|
906948 |
</refsect2>
|
|
|
906948 |
|
|
|
906948 |
</refsect1>
|
|
|
906948 |
|
|
|
906948 |
<refsect1>
|
|
|
906948 |
<title>Files</title>
|
|
|
906948 |
|
|
|
906948 |
<para><filename>/usr/lib/systemd/system/httpd.service</filename>,
|
|
|
906948 |
<filename>/usr/lib/systemd/system/httpd.socket</filename>,
|
|
|
906948 |
<filename>/usr/lib/systemd/system/httpd@.service</filename>,
|
|
|
906948 |
<filename>/etc/systemd/systemd/httpd.service.d</filename></para>
|
|
|
906948 |
</refsect1>
|
|
|
906948 |
|
|
|
906948 |
<refsect1>
|
|
|
906948 |
<title>See also</title>
|
|
|
906948 |
|
|
|
906948 |
<para>
|
|
|
906948 |
<citerefentry><refentrytitle>httpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
|
|
|
906948 |
<citerefentry><refentrytitle>httpd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
|
906948 |
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
|
906948 |
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
|
906948 |
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
|
906948 |
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
|
906948 |
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
|
906948 |
<citerefentry><refentrytitle>httpd_selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
|
|
|
906948 |
<citerefentry><refentrytitle>semanage</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
|
|
|
906948 |
<citerefentry><refentrytitle>logrotate</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
|
906948 |
</para>
|
|
|
906948 |
</refsect1>
|
|
|
906948 |
|
|
|
906948 |
</refentry>
|
|
|
906948 |
|
|
|
906948 |
|
|
|
906948 |
-->
|