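To avoid possible mistakes, I would like to define and use variables within the systemd unit file itself, i.e. not for the commands being executed.
Consider, for example, this (invalid) unit: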
[Unit]
CONFIG=/etc/some_dir/%i.conf
AssertPathExists=$CONFIG
#...
[Service]
EnvironmentFile=$CONFIG
# ...
So I would like to define the variable CONFIG and use it in multiple unit directives. Is this possible?
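I have a Raspberry Pi 5 8gb running Raspberry Pi OS, and the problem I have is that qbittorrent-nox, which I installed using apt, keeps crashing after about 1 minute 30 seconds.
Since I have a service that starts qbittorrent-nox automatically, it restarts within 3 seconds, but the restarts are annoying and obviously bad for seeding and leeching, and I would like to know why this happens.
I did some experimenting; something in the logs suggests that the systemd service is timing out, and sure enough, when I run qbittorrent-nox as the user qbit it seems to run fine, without restarting.
The logs and the systemd service file are included; I used boilerplate code without much tweaking and do not understand a lot of it.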
Service:
[Unit]
Description=qBittorrent Command Line Client
After=network.target
[Service]
#Do not change to "simple"
Type=forking
User=qbit
Group=qbit
ExecStart=/usr/bin/qbittorrent-nox
ExecStop=/usr/bin/killall -w qbittorrent-nox
Restart=on-failure
[Install]
WantedBy=multi-user.target
Service log:
MAGPi@raspberrypi:~ $ journalctl -xeu qbit.service
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit qbit.service has finished with a failure.
░░
░░ The job identifier is 152795 and the job result is failed.
Dec 18 00:05:26 raspberrypi systemd[1]: qbit.service: Consumed 1.685s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit qbit.service completed and consumed the indicated resources.
Dec 18 00:05:26 raspberrypi systemd[1]: qbit.service: Scheduled restart job, restart counter is at 1784.
░░ Subject: Automatic restarting of a unit has been scheduled
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ Automatic restarting of the unit qbit.service has been scheduled, as the result for
░░ the configured Restart= setting for the unit.
Dec 18 00:05:26 raspberrypi systemd[1]: Stopped qbit.service - qBittorrent Command Line Client.
░░ Subject: A stop job for unit qbit.service has finished
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A stop job for unit qbit.service has finished.
░░
░░ The job identifier is 152877 and the job result is done.
Dec 18 00:05:26 raspberrypi systemd[1]: qbit.service: Consumed 1.685s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit qbit.service completed and consumed the indicated resources.
Dec 18 00:05:26 raspberrypi systemd[1]: Starting qbit.service - qBittorrent Command Line Client...
░░ Subject: A start job for unit qbit.service has begun execution
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit qbit.service has begun execution.
░░
░░ The job identifier is 152877.
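The roughly 90-second cycle in the log matches how systemd treats Type=forking: the start job completes only when the launched process forks and its parent exits, and otherwise fails at the start timeout (90 s by default), after which Restart=on-failure schedules another start. The unit below is an added example, not part of the original post, that runs the same binary in the foreground with Type=simple. The hardening directives at the end are optional and assume qBittorrent does not need to write to /usr, /boot or /etc.

```ini
# /etc/systemd/system/qbit.service (added example; binary path and user as in the post)
[Unit]
Description=qBittorrent Command Line Client
After=network.target

[Service]
# Foreground process: systemd considers the service started as soon as
# ExecStart is running, so no start timeout is hit.
# Alternative: keep Type=forking and start qbittorrent-nox with its
# -d (--daemon) option so that it really forks.
Type=simple
User=qbit
Group=qbit
ExecStart=/usr/bin/qbittorrent-nox
# No ExecStop=killall: on stop, systemd signals the processes in this
# unit's own cgroup, so nothing outside the service is touched.
Restart=on-failure

# Optional hardening (assumption: no writes needed to /usr, /boot, /etc).
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full

[Install]
WantedBy=multi-user.target
```

After editing, `systemctl daemon-reload` followed by `systemctl restart qbit.service` applies the change.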
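Since I last updated my computer earlier this week, it has started to take about 11 minutes to shut down. At first glance, NetworkManager.service and wpa_supplicant.service are causing the problem (their 90-second timeout gets extended 6 times, 10.5 minutes in total).
Workaround: set DefaultTimeoutStopSec=5s and DefaultTimeoutAbortSec=5s in /etc/systemd/system.conf
Trying to change any network setting crashes NetworkManager (for example, simply disconnecting the current connection). This happens with both the GUI and the CLI (nmcli con down 'WiFi-2.4-xxxx').
Result:
sudo freezes (sudo cannot be used) (no idea why)
nmcli con up 'PiVPN' or nmcli con down 'PiVPN' (openvpn) does not crash NetworkManager and the connection works fine.
root@mylinuxpc:~# dpkg-reconfigure network-manager network-manager-gnome network-manager-openvpn network-manager-openvpn-gnome wpasupplicant
but without success.
root@mylinuxpc:~# neofetch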
root@mylinuxpc
--------------
OS: Debian GNU/Linux 12 (bookworm) x86_64
Host: 82XG IdeaPad Slim 5 16ABR8
Kernel: 6.1.0-15-amd64
Uptime: 11 mins
Packages: 3173 (dpkg), 39 (flatpak)
Shell: bash 5.2.15
Resolution: 2560x1600
DE: GNOME 43.9
WM: Mutter
WM Theme: Adwaita
Theme: Adwaita [GTK2/3]
Icons: Adwaita [GTK2/3]
Terminal: gnome-terminal
CPU: AMD Ryzen 7 7730U with Radeon Graphics (16) @
GPU: AMD ATI 04:00.0 Barcelo
Memory: 1787MiB / 13825MiB
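My goal is to delay the unlocking of that USB until after the system has booted with ssh.service active, and to never time out before the password is typed. However, the timeout still happens and boot proceeds to getty. Once the password prompt appears, you cannot type the password (no TTY attached).
I have been replicating the auto result in via. I have also been looking at whether it is possible to attach to the console TTY.
/etc/crypttab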
systemd-cryptsetup-generator
systemctl list-dependencies
sysinit.target
systemd-ask-password-console.path
/etc/crypttab
crypt /dev/disk/by-label/crypt none nofail,noauto,timeout=0,x-systemd.device-timeout=0
/etc/systemd/system/finish.target
[Unit]
Description=Mount crypt USB
Requires=multi-user.target
[email protected] systemd-ask-password-console.path
After=ssh.target
[email protected]
[Install]
WantedBy=multi-user.target
If I use Wants=mnt-crypt.mount or Wants=dev-mapper-crypt.device, it actually respects the timeout, but still does not accept password input.
ls -la /etc/systemd/system/multi-user.target.wants/finish.target
lrwxrwxrwx. 1 root root 33 Jun 6 00:04 /etc/systemd/system/multi-user.target.wants/finish.target -> /etc/systemd/system/finish.target
systemctl list-dependencies
● ├─finish.target
● │ ├─systemd-ask-password-console.path
● │ ├─[email protected]
│ └─...
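If I run systemctl restart systemd-ask-password-console.service, I can actually start typing the password, and it works as expected both in the terminal where I ran it and on the on-screen console (/dev/tty1).
There seems to be some relationship that prevents systemd-ask-password-console from starting after the initial boot, because it happily starts systemd-ask-password-wall later.
Likewise, if I copy it and edit it into a new service, it also starts the systemd-ask password --watch --console process.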
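Using filebeat-8.7.1, I have configured it to push multiple sources to a remote Elasticsearch. I cannot get it to write its own logs to a local file in /var/log/filebeat/filebeat.log, and I cannot stop it from dumping its logs into /var/log/syslog (which will also be shipped to Elasticsearch).
The relevant configuration from /etc/filebeat/filebeat.yml: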
filebeat.inputs:
- type: filestream
  id: rsc-server
  enabled: true
  paths:
    - /var/log/rstudio/rstudio-connect/rstudio*.log
  fields:
    log_type: rsc_server
- type: filestream
  enabled: true
  ignore_older: 5m
  id: rsc-jobs
  paths:
    - /srv/R/RSC/jobs/[0-9]*/*/*
  fields:
    log_type: rsc
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
  host: "http://my.elasti.host:30002"
output.elasticsearch:
  hosts: ["http://my.elasti.host:30003"]
  allow_older_versions: true
  username: "myuser"
  password: "mypass"
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
logging:
  - level: warning
  - to_syslog: false
  - to_stderr: false
  - json: true
  - files:
    - path: /var/log/filebeat
    - name: filebeat
    - keepfile: 3
    - permissions: 0644
From the /etc/filebeat/modules.d/ directory, the resulting enabled configuration is:
# Module: nginx
# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-nginx.html
- module: nginx
  # Access logs
  access:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  # Error logs
  error:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  # Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs
  ingress_controller:
    enabled: false
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
# Module: redis
# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-redis.html
- module: redis
  # Main logs
  log:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths: ["/var/log/redis/redis-server.log*"]
  # Slow logs, retrieved via the Redis API (SLOWLOG)
  slowlog:
    enabled: false
    # The Redis hosts to connect to.
    #var.hosts: ["localhost:6379"]
    # Optional, the password to use when connecting to Redis.
    #var.password:
# Module: system
# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-system.html
- module: system
  # Syslog
  syslog:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  # Authorization logs
  auth:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
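I believe the system module's use of syslog is pulling from /var/log/syslog, not pushing into it. (The behavior does not change when I disable that module.)
How do I fix the logging.* section so that logs are sent to /var/log/filebeat/, and how do I prevent it from sending to syslog and /var/log/syslog?
(This is on an ubuntu-22.04 VM.)
Edit: /lib/systemd/system/filebeat.service has an empty BEAT_LOG_OPTS parameter (this is the default file, not edited by me):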
[Unit]
Description=Filebeat sends log files to Logstash or directly to Elasticsearch.
Documentation=https://www.elastic.co/beats/filebeat
Wants=network-online.target
After=network-online.target
[Service]
UMask=0027
Environment="GODEBUG='madvdontneed=1'"
Environment="BEAT_LOG_OPTS="
Environment="BEAT_CONFIG_OPTS=-c /etc/filebeat/filebeat.yml"
Environment="BEAT_PATH_OPTS=--path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat"
ExecStart=/usr/share/filebeat/bin/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS
Restart=always
[Install]
WantedBy=multi-user.target
Reloaded (with no change in performance):
# systemctl daemon-reload
# systemctl restart filebeat.service
# systemctl status filebeat.service
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/lib/systemd/system/filebeat.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-05-04 14:49:12 UTC; 20s ago
Docs: https://www.elastic.co/beats/filebeat
Main PID: 2080223 (filebeat)
Tasks: 25 (limit: 76964)
Memory: 114.4M
CPU: 5.315s
CGroup: /system.slice/filebeat.service
└─2080223 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat
The process runs as root, and the /var/log/filebeat directory is owned by root with normal permissions:
# ps faxu | grep [/]filebeat
root 2080223 9.4 0.1 2635592 169112 ? Ssl 14:49 0:36 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat
# ll -d /var/log/filebeat
drwxr-xr-x 2 root root 4096 May 4 12:54 /var/log/filebeat/
# ll /var/log/filebeat
total 8
drwxr-xr-x 2 root root 4096 May 4 12:54 ./
drwxr-xr-x 18 root syslog 4096 May 4 12:54 ../
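I see that --environment systemd, per the filebeat command-line options, means
If systemd or container is specified, Filebeat will log to stdout and stderr by default.
This suggests that the logging to /var/log/syslog happens because of the way systemd handles stdout/stderr from the process. That seems like progress, but we still have no logging to /var/log/filebeat/, which is ultimately where stdout/stderr should go (and which would solve the problem of logging to /var/log/syslog).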
On my Ubuntu 23.04 system, systemd tries to start sshd before systemd-networkd has brought up the network bridge.
First it reports: Cannot assign requested address
Then: br0: netdev ready
systemd[1]: Listening on dbus.socket - D-Bus System Message Bus Socket.
systemd[730]: ssh.socket: Failed to create listening socket (10.1.0.1:22): s
systemd[1]: ssh.socket: Failed to receive listening socket (10.1.0.1:22): Input/output error
systemd[1]: ssh.socket: Failed to listen on sockets: Input/output error
systemd[1]: ssh.socket: Failed with result 'resources'.
systemd[1]: Failed to listen on ssh.socket - OpenBSD Secure Shell server socket.
systemd[1]: Dependency failed for ssh.service - OpenBSD Secure Shell server.
systemd[1]: ssh.service: Job ssh.service/start failed with result 'dependency'.
systemd[1]: Listening on uuidd.socket - UUID daemon activation socket.
systemd[1]: Reached target sockets.target - Socket Units.
systemd[1]: systemd-pcrphase-sysinit.service - TPM2 PCR Barrier (Initialization) was skipped because of an unmet condition check (Condition>
systemd[1]: Reached target basic.target - Basic System.
systemd[1]: Started acpid.service - ACPI event daemon.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=acpid comm="systemd" exe="/usr/lib/systemd/sys>
systemd[1]: alsa-state.service - Manage Sound Card State (restore and store) was skipped because of an unmet condition check (ConditionPath>
systemd[1]: Starting alsa-restore.service - Save/Restore Sound Card State...
systemd[1]: Started anacron.service - Run anacron jobs.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=anacron comm="systemd" exe="/usr/lib/systemd/s>
systemd[1]: Starting atopacct.service - Atop process accounting daemon...
anacron[733]: Anacron 2.3 started on 2023-04-21
systemd[1]: Starting avahi-daemon.service - Avahi mDNS/DNS-SD Stack...
anacron[733]: Normal exit (0 jobs run)
systemd[1]: Starting dbus.service - D-Bus System Message Bus...
kernel: bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
systemd[1]: Started dmesg.service - Save initial kernel messages after boot.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=dmesg comm="systemd" exe="/usr/lib/systemd/sys>
avahi-daemon[735]: Found user 'avahi' (UID 115) and group 'avahi' (GID 121).
systemd-networkd[619]: br0: netdev ready
Why doesn't systemd wait until the bridge is up before starting the sshd service?
My network devices:
$ networkctl
IDX LINK TYPE OPERATIONAL SETUP
1 lo loopback carrier unmanaged
2 enp101s0 ether enslaved configured
3 eno1 ether enslaved configured
4 eno2 ether routable configured
5 br0 bridge routable configured
My network is configured with this netplan:
# Bridge config
network:
  version: 2
  renderer: networkd
  ethernets:
    # WAN port to cable modem.
    eno2:
      dhcp4: yes
      dhcp6: no
    # Currently not used.
    enx00242788156c:
      dhcp4: no
      dhcp6: no
    # LAN port to WAP
    eno1:
      dhcp4: no
      dhcp6: no
    # LAN port to switch.
    enp101s0:
      dhcp4: no
      dhcp6: no
  bridges:
    br0:
      interfaces:
        #- enx00242788156c
        - eno1
        - enp101s0
      addresses:
        - 10.1.0.1/16
Note: restarting the sshd service works as expected, because the bridge is available by then.
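The log shows ssh.socket trying to bind 10.1.0.1:22 before systemd-networkd has configured br0. One way to let the bind succeed early while still keeping the listener off the WAN interface is FreeBind=, shown here as an added drop-in that is not part of the original post; the drop-in path is an assumption.

```ini
# /etc/systemd/system/ssh.socket.d/override.conf
# (added example; this is the file `systemctl edit ssh.socket` creates)
[Socket]
# An empty assignment clears the ListenStream= list inherited from the
# packaged unit, so port 22 is not also opened on the wildcard address.
ListenStream=
ListenStream=10.1.0.1:22
# Sets IP_FREEBIND on the socket: it may be bound to 10.1.0.1 before that
# address exists on br0, so socket activation no longer races networkd.
FreeBind=yes
```

`systemctl daemon-reload` followed by `systemctl restart ssh.socket` applies it, and `ss -ltn` should then show port 22 only on 10.1.0.1.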
A Spring Boot application looks for a local resources folder to load its configuration. So its startup shell script needs to be run from within this folder:
x.jar
resources
|- application.yml
|- more.yml
startup.sh
I am writing app.service, and I am stuck here:
[Unit]
Description=service for app
After=syslog.target network.target
[Service]
Type=forking
ExecStart=cd /data/flume; ./control.sh start
ExecReload=cd /data/flume; ./control.sh restart
ExecStop=cd /data/flume; ./control.sh stop
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
Executable path is not absolute, ignoring: cd /data/flume; /bin/bash startup.sh
Is there something like Chdir in systemd? Or is there a decent way to achieve this?
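systemd has a WorkingDirectory= directive in [Service] that makes the manager change into the given directory before running each Exec* command; Exec* lines are executed directly rather than by a shell, so `cd` (a shell builtin) is not available there. The corrected unit below is an added example, not from the original post. The User= account is hypothetical, and control.sh is assumed to be executable and to start with a shebang line.

```ini
# /etc/systemd/system/app.service (added example)
[Unit]
Description=service for app
After=network.target

[Service]
Type=forking
# systemd changes into this directory before running every Exec* command,
# so the application finds ./resources without any `cd`.
WorkingDirectory=/data/flume
# Exec* lines are not interpreted by a shell: give the absolute path of
# the script itself.
ExecStart=/data/flume/control.sh start
ExecReload=/data/flume/control.sh restart
ExecStop=/data/flume/control.sh stop
# Assumption: a dedicated unprivileged account owns /data/flume, so the
# application does not run as root.
User=appuser
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
```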
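I wrote a systemd unit that starts an executable script, using PassEnvironment to pass a set of environment variables to the script. One of the variables is a certificate read from a file, with newlines, and it is not passed to the script at all: printing it gives me nothing. If I remove the newlines, the variable is passed correctly.
I can't think of another way to pass the variable to the script: everything runs in a docker container, which I start by defining the value of the environment variable containing the certificate; that value is passed to systemd, which is the container process, and which in turn passes it to the script. I can't mount the certificate file as a docker secret, because everything will run in Gitlab CI, so I can only use env variables to pass secrets. And for security reasons I can't put the certificate in the image either.
So how do I get systemd to pass an env variable with newlines straight through to the script? I am using systemd 219 in a CentOS container.
It seems that whenever I try to disable a systemd service, the service finds some way to re-enable itself. The most recent example is PackageKit, which I discovered to be at the root of the problem I asked about in this question. If I run this: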
systemctl disable packagekit
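then my disk stays stable for a few days, but a few days later PackageKit has re-enabled itself, run, and filled up /var/cache/yum again, pinning my disk at 100%.
I am not asking specifically about PackageKit. Really, I want to understand how systemd service deactivation is supposed to work.
Is there any general way to say "disable this service, and disable any way of automatically re-enabling it"? Or is my only option to completely remove the packages I don't want to run?
Update: Part of my question was misguided: it is not systemctl disable's job to ensure that a service never runs no matter what; all that systemctl disable does is say that the service should not be run automatically at boot.
Following the suggestion in user1686's answer, I tried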
busctl --activatable | grep -i packagekit
and got
org.freedesktop.PackageKit - - - (activatable) - -
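so this most likely indicates what was starting things (if not at boot). But I did not think to try busctl tree before moving on to the next step.
Again following user1686's suggestion, I tried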
systemctl mask packagekit
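and this seems to have done the trick: whatever was starting it before is no longer starting it. I don't know whether this would be considered an ugly, brute-force or dangerous solution; I don't know whether it will work forever, but it seems to be working for now.
systemctl has a --host option for executing the named systemctl command on the named host. The man page suggests that this uses ssh under the hood, so in my case it is all the more confusing to me that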
systemctl --host root@pc2 is-active docker
does not work (no output, exit code: 1), but
ssh root@pc2 systemctl is-active docker
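does (output: active, exit code: 0).
I can't seem to find a way to debug it. Setting -o verbose on the systemctl command does not give any more output.
Any idea what might be wrong or how to debug it?
Update
Using journalctl -f | grep ssh on pc2, I have been able to see that when systemctl --host root@pc2 is-active docker runs, the ssh connection seems to succeed (Accepted publickey for root from IP-of-PC1...).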