主页 / unix / 问题

问题[systemd](unix)

Martin Hope
metablaster
Asked: 2025-03-15 20:16:56 +0800 CST
  • 5

列出缺失的服务

systemctl --state=not-found --all

输出:

      UNIT                           LOAD      ACTIVE   SUB  DESCRIPTION                   
● boot.automount                 not-found inactive dead boot.automount                
● home.mount                     not-found inactive dead home.mount
● tmp.mount                      not-found inactive dead tmp.mount                     
● connman.service                not-found inactive dead connman.service
● console-screen.service         not-found inactive dead console-screen.service
● dpdk.service                   not-found inactive dead dpdk.service
● fcoe.service                   not-found inactive dead fcoe.service
● firewalld.service              not-found inactive dead firewalld.service
● haveged.service                not-found inactive dead haveged.service
● ip6tables.service              not-found inactive dead ip6tables.service
● iptables.service               not-found inactive dead iptables.service
● iscsi-shutdown.service         not-found inactive dead iscsi-shutdown.service
● iscsi.service                  not-found inactive dead iscsi.service
● iscsid.service                 not-found inactive dead iscsid.service
● kbd.service                    not-found inactive dead kbd.service
● rbdmap.service                 not-found inactive dead rbdmap.service
● systemd-hwdb-update.service    not-found inactive dead systemd-hwdb-update.service
● systemd-oomd.service           not-found inactive dead systemd-oomd.service
● systemd-update-done.service    not-found inactive dead systemd-update-done.service
● systemd-vconsole-setup.service not-found inactive dead systemd-vconsole-setup.service
● xencommons.service             not-found inactive dead xencommons.service
● xendomains.service             not-found inactive dead xendomains.service            
● virtlxcd.socket                not-found inactive dead virtlxcd.socket
● virtqemud.socket               not-found inactive dead virtqemud.socket
● virtvboxd.socket               not-found inactive dead virtvboxd.socket
● virtvzd.socket                 not-found inactive dead virtvzd.socket
● virtxend.socket                not-found inactive dead virtxend.socket

查找引用缺失服务的单元

grep -rR "<service_name>" /usr/lib/systemd
grep -rR "<service_name>" /etc/systemd

# See tables in man page for more directories to search with grep and to learn their purpose
man systemd.unit

样品tmp.mount

grep -rR "tmp.mount" /usr/lib/systemd
grep -rR "tmp.mount" /etc/systemd

输出:

/usr/lib/systemd/system/basic.target:After=sysinit.target sockets.target paths.target slices.target tmp.mount
/usr/lib/systemd/system/basic.target:Wants=tmp.mount

清理引用

sudo nano /usr/lib/systemd/system/basic.target

内容:

[Unit]
Description=Basic System
Documentation=man:systemd.special(7)
Requires=sysinit.target
Wants=sockets.target timers.target paths.target slices.target
After=sysinit.target sockets.target paths.target slices.target tmp.mount

RequiresMountsFor=/var /var/tmp
Wants=tmp.mount

在这里我们发现tmp.mountAfter=Wants=

我想删除这些条目以便systemctl --state=not-found --all不再列出它,对于每个缺失的单元也是如此。

问题

删除系统上每个缺失单元的此类条目是否安全?

systemd
Martin Hope
Stewart
Asked: 2025-03-04 19:20:35 +0800 CST
  • 6

我的一项服务最近因 而停止运行oom-kill

$ systemctl status my-server.service
● my-server.service - "General purposes load-independent HTTP server"
     Loaded: loaded (/lib/systemd/system/my-server.service; enabled; vendor preset: enabled)
     Active: failed (Result: oom-kill) since Thu 2025-02-27 12:47:44 CST; 17h ago
    Process: 636 ExecStart=/usr/bin/my-server --listen-http :13668 --threads 10 (code=exited, status=0/SUCCESS)
   Main PID: 636 (code=exited, status=0/SUCCESS)
        CPU: 52min 57.893s

Feb 27 12:47:44 ios systemd[1]: my-server.service: A process of this unit has been killed by the OOM killer.
Feb 27 12:47:44 ios my-server[636]: Received signal to stop (15). Stopping...
Feb 27 12:47:44 ios systemd[1]: my-server.service: Failed with result 'oom-kill'.
Feb 27 12:47:44 ios systemd[1]: my-server.service: Consumed 52min 57.893s CPU time.

man systemd.exec当“服务进程被内存不足(OOM)终止程序终止”时,表示$SERVICE_RESULT设置为“服务进程被内存不足(OOM)终止程序终止”。oom-kill

这是 的长期运行子进程中发生的内存泄漏/usr/bin/my-server。发生这种情况时,我希望Restart=服务能够正常运行。

问题:

是否$SERVICE_RESULT=oom-kill触发不干净的退出代码,或者不干净的信号?

我想Restart=尽可能地限制自己。因此,我想oom-kill从以下列表中选择符合条件的第一个条件:

  • Restart=on-abort如果它是一个不干净的信号,则可以使用它。
  • Restart=on-abormal可以用于上述情况,或者如果它触发超时原因,或看门狗原因(可能不适用)。
  • Restart=on-failure适用于上述所有情况,外加不干净的退出代码。
  • Restart=always理论上涵盖一切

man systemd.service

Table 2. Exit causes and the effect of the Restart= settings
┌──────────────────────┬────┬────────┬────────────┬────────────┬─────────────┬──────────┬─────────────┐
│Restart settings/Exit │ no │ always │ on-success │ on-failure │ on-abnormal │ on-abort │ on-watchdog │
│causes                │    │        │            │            │             │          │             │
├──────────────────────┼────┼────────┼────────────┼────────────┼─────────────┼──────────┼─────────────┤
│Clean exit code or    │    │ X      │ X          │            │             │          │             │
│signal                │    │        │            │            │             │          │             │
├──────────────────────┼────┼────────┼────────────┼────────────┼─────────────┼──────────┼─────────────┤
│Unclean exit code     │    │ X      │            │ X          │             │          │             │
├──────────────────────┼────┼────────┼────────────┼────────────┼─────────────┼──────────┼─────────────┤
│Unclean signal        │    │ X      │            │ X          │ X           │ X        │             │
├──────────────────────┼────┼────────┼────────────┼────────────┼─────────────┼──────────┼─────────────┤
│Timeout               │    │ X      │            │ X          │ X           │          │             │
├──────────────────────┼────┼────────┼────────────┼────────────┼─────────────┼──────────┼─────────────┤
│Watchdog              │    │ X      │            │ X          │ X           │          │ X           │
└──────────────────────┴────┴────────┴────────────┴────────────┴─────────────┴──────────┴─────────────┘
systemd
Martin Hope
Ali Sarbanha
Asked: 2025-02-15 03:23:16 +0800 CST
  • 5

我正在尝试在我的邮件服务器 (Rocky Linux 9.5) 上设置 SpamAssassin。只是一个基本设置!

这是选项变量/etc/sysconfig/spamassassin

SPAMDOPTIONS="-d -c -m5 -H --create-prefs --max-children 2 -u spamd -g spamd --socketpath=/var/lib/spamassassin/spamd.sock --socketowner=spamd --socketgroup=spamd --socketmode=0666 -s /var/log/spamd.log --debug"

--debug临时添加

当我使用启动SpamAssassin时systemctl,它会因随机错误而退出,并且systemd会再次重新启动它,我将截断的日志放在下面:

.
.
Fri Feb 14 19:59:03 2025 [2133] info: spamd: server successfully spawned child process, pid 2135
Fri Feb 14 19:59:03 2025 [2133] dbg: prefork: child 2135: entering state 0
Fri Feb 14 19:59:03 2025 [2133] dbg: prefork: new lowest idle kid: none
Fri Feb 14 19:59:03 2025 [2135] dbg: spamd: Privilege de-escalation from user 0 and groups 0
Fri Feb 14 19:59:03 2025 [2135] dbg: spamd: setgid ERRNO is 
Fri Feb 14 19:59:03 2025 [2135] dbg: util: get_user_groups: uid is 98
Fri Feb 14 19:59:03 2025 [2133] info: spamd: server successfully spawned child process, pid 2136
Fri Feb 14 19:59:03 2025 [2133] dbg: prefork: child 2136: entering state 0
Fri Feb 14 19:59:03 2025 [2133] dbg: prefork: new lowest idle kid: none
Fri Feb 14 19:59:03 2025 [2136] dbg: spamd: Privilege de-escalation from user 0 and groups 0
Fri Feb 14 19:59:03 2025 [2136] dbg: spamd: setgid ERRNO is 
Fri Feb 14 19:59:03 2025 [2136] dbg: util: get_user_groups: uid is 98
Fri Feb 14 19:59:03 2025 [2133] info: spamd: server killed by SIGTERM, shutting down
Fri Feb 14 19:59:04 2025 [2137] dbg: logger: successfully added file method
.
.

我决定使用以下命令并spamdcli前台和守护进程运行,它完美地运行!

sudo -u spamd -- spamd -c -m5 -H --create-prefs --max-children 2 -u spamd -g spamd --socketpath=/var/lib/spamassassin/spamd.sock --socketowner=spamd --socketgroup=spamd --socketmode=0666 -s /var/log/spamd.log --debug

sudo即使没有!它也能正常工作。

有人遇到过与 SpamAssassin 或任何其他服务类似的问题吗?

systemd
Martin Hope
Thomas P
Asked: 2025-02-12 23:54:48 +0800 CST
  • 5

我们获得了三项服务PrivateTmp=yestomcatclamdsoffice)。 clamdsofficeJoinsNamespaceOf=tomcat.service设置。

clamd应该能够读取tomcat写入它的所有内容/tmp,对吗?

有没有可能(例如重新启动服务)导致此连接在运行时中断(例如clamd失去读取能力tomcat's /tmp)?

我如何在运行时验证该连接是否存在(是否仍然有效)?

我尝试使用lsnslsns NS来查看任何关系,但无法识别任何东西。

systemd
Martin Hope
Pompey Magnus
Asked: 2025-01-04 23:44:45 +0800 CST
  • 5

我有这个可以工作的脚本:

#! /usr/bin/bash

export SEQVAL=$(date +%s) &&  sed -i "s/^SEQ1=.*$/SEQ1=${SEQVAL}/" /etc/environment
systemctl restart ccs-srvapp-telemetry.service

就我而言,我无法使上述内容在单元文件中正常工作。

我拥有的最新版本如下,但曾尝试过几次,各种设置都因变量未设置或 sed 命令中某些内容未正确转义而失败。

[Unit]
Description=restarts fluent bit with a new SEQ1 to force a logrotate
After=network.target


[Service]
Type=oneshot
EnvironmentFile=/etc/environment
ExecStart=/usr/bin/sh -c 'export SEQVAL=$(date +%s) && sed -i "s/^SEQ1=.*$/SEQ1=${SEQVAL}/" /etc/environment'
ExecStartPost=/bin/systemctl restart ccs-srvapp-telemety.service


[Install]
WantedBy=multi-user.target
systemd
Martin Hope
Ketho
Asked: 2024-12-25 00:27:16 +0800 CST
  • 9

我想通过遵循xzbot漏洞演示并设置环境来了解 XZ Utils 后门。我知道xz-utils 5.6.1版本应该有后门,但我无法安装这个被感染的软件包。

从干净的 Kali Linux 2024.4 环境开始,它具有 liblzma 5.6.3,并且sshd似乎不依赖于 libsystemd 和 liblzma。显然,无论是原装还是便携式 OpenSSH 都没有提供 systemd 支持。我对所有指南都期望sshd已经链接到 liblzma 感到困惑,但它不适合我。

└─$ dpkg -l | grep liblzma5
ii  liblzma5:amd64                                 5.6.3-1+b1                               amd64        XZ-format compression library

└─$ ldconfig -p | grep liblzma
        liblzma.so.5 (libc6,x86-64) => /lib/x86_64-linux-gnu/liblzma.so.5

└─$ sshd -V
OpenSSH_9.9p1 Debian-3, OpenSSL 3.3.2 3 Sep 2024

└─$ ldd $(which sshd)
        linux-vdso.so.1 (0x00007fc3de0b8000)
        libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007fc3ddfde000)
        libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007fc3dda00000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc3dd80a000)
        libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007fc3dd768000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fc3de0ba000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fc3ddfbe000)
        libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007fc3dd6a7000)

当降级到 liblzma 5.6.1 包并ldd再次检查时,似乎没有任何变化。

└─$ wget https://snapshot.debian.org/archive/debian/20240328T025657Z/pool/main/x/xz-utils/liblzma5_5.6.1-1_amd64.deb             
2024-12-24 00:45:29 (4.72 MB/s) - ‘liblzma5_5.6.1-1_amd64.deb’ saved [252188/252188]

└─$ sudo dpkg -i ./liblzma5_5.6.1-1_amd64.deb
dpkg: warning: downgrading liblzma5:amd64 from 5.6.3-1+b1 to 5.6.1-1
(Reading database ... 425071 files and directories currently installed.)
Preparing to unpack ./liblzma5_5.6.1-1_amd64.deb ...
Unpacking liblzma5:amd64 (5.6.1-1) over (5.6.3-1+b1) ...
Setting up liblzma5:amd64 (5.6.1-1) ...
Processing triggers for libc-bin (2.40-3) ...

└─$ dpkg -l | grep liblzma5
ii  liblzma5:amd64                                 5.6.1-1                                  amd64        XZ-format compression library
                                                                                          
└─$ sudo systemctl restart ssh

└─$ ldd $(which sshd)                                                                                               
        linux-vdso.so.1 (0x00007f705e59b000)
        libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f705e4c1000)
        libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f705de00000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f705dc0a000)
        libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f705e41f000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f705e59d000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f705e3ff000)
        libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007f705db49000)

然后我尝试构建 OpenSSH 9.7p1,因为那是在后门公开之前,如果这也许有帮助的话。这需要重新启动才能sshd -V显示 9.7p1

wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.7p1.tar.gz
tar -xvf openssh-9.7p1.tar.gz
cd openssh-9.7p1
sudo apt install libssl-dev
./configure
make
sudo make install

但是 libsystemd 和 liblzma 仍然没有链接到 sshd。

到目前为止,我甚至不知道如何安装或构建易受攻击的 xz-utils 包。当我在 Ubuntu 24.04 上尝试同样的步骤时,也遇到了类似的问题

systemd
Martin Hope
John Siu
Asked: 2024-12-05 23:24:16 +0800 CST
  • 5

环境

这是 vps Ubuntu 服务器 22.04.5。Wireguard 使用 tuntap 而不是内核模块。

脚本

/etc/wireguard/gw0.sh如果从命令行运行,可以正确启动 wireguard:

# cleanup
echo "$(date) - cleanup"
/usr/sbin/ip link del gw0 2>&1
/usr/sbin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o venet0 -j MASQUERADE 2>&1

# setup
echo "$(date) - setup"
#/usr/sbin/ip tuntap add dev gw0 mode tun
/usr/bin/wireguard gw0 2>&1
/usr/sbin/ip a add 10.0.0.1/24 dev gw0
/usr/bin/wg set gw0 listen-port 12345
/usr/bin/wg set gw0 private-key /etc/wireguard/gw0.key
# wg0
/usr/bin/wg set gw0 peer <wg0 key> allowed-ips 10.0.0.2/32
# wg1
/usr/bin/wg set gw0 peer <wg1 key> allowed-ips 10.0.0.3/32

# start
echo "$(date) - start"
/usr/sbin/ip link set gw0 up 2>&1
/usr/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o venet0 -j MASQUERADE 2>&1

# end
echo "$(date) - end"

exit 0

输出:

# /etc/wireguard/gw0.sh
Thu Dec  5 10:03:32 EST 2024 - cleanup
Cannot find device "gw0"
Thu Dec  5 10:03:32 EST 2024 - setup
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
Thu Dec  5 10:03:32 EST 2024 - start
Thu Dec  5 10:03:33 EST 2024 - end

系统服务

/etc/systemd/system/gw0.service

[Unit]
Description = Start Wireguard gw0
After = network-online.target
Wants = network-online.target
[Service]
Type = oneshot
ExecStart = /usr/bin/bash -c "/etc/wireguard/gw0.sh >> /tmp/gw0.log"

[Install]
WantedBy=multi-user.target

启动服务总是会出现超时错误,并且没有wireguard进程:

# systemctl start gw0.service
Job for gw0.service failed because a timeout was exceeded.
See "systemctl status gw0.service" and "journalctl -xeu gw0.service" for details.

# systemctl status gw0.service
× gw0.service - Start Wireguard gw0
     Loaded: loaded (/etc/systemd/system/gw0.service; disabled; vendor preset: enabled)
     Active: failed (Result: timeout) since Thu 2024-12-05 10:12:07 EST; 34s ago
    Process: 95515 ExecStart=/usr/bin/bash -c /etc/wireguard/gw0.sh >> /tmp/gw0.log (code=exited, status=0/SUCCESS)
   Main PID: 95515 (code=exited, status=0/SUCCESS)

Dec 05 10:10:37 mybox systemd[1]: Starting Start Wireguard gw0...
Dec 05 10:12:07 mybox systemd[1]: gw0.service: State 'stop-sigterm' timed out. Killing.
Dec 05 10:12:07 mybox systemd[1]: gw0.service: Failed with result 'timeout'.
Dec 05 10:12:07 mybox systemd[1]: Failed to start Start Wireguard gw0.

# journalctl -xeu gw0.service
Dec 05 10:10:37 mybox systemd[1]: Starting Start Wireguard gw0...
░░ Subject: A start job for unit gw0.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit gw0.service has begun execution.
░░
░░ The job identifier is 2611.
Dec 05 10:12:07 mybox systemd[1]: gw0.service: State 'stop-sigterm' timed out. Killing.
Dec 05 10:12:07 mybox systemd[1]: gw0.service: Failed with result 'timeout'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit gw0.service has entered the 'failed' state with result 'timeout'.
Dec 05 10:12:07 mybox systemd[1]: Failed to start Start Wireguard gw0.
░░ Subject: A start job for unit gw0.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit gw0.service has finished with a failure.
░░
░░ The job identifier is 2611 and the job result is failed.

但是,/tmp/gw0.log显示脚本已完成:

Thu Dec  5 10:10:37 EST 2024 - cleanup
Thu Dec  5 10:10:37 EST 2024 - setup
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
Thu Dec  5 10:10:37 EST 2024 - start
Thu Dec  5 10:10:37 EST 2024 - end

问题

有人知道该如何gw0.service工作吗?

systemd