[nsd-users] systemd integration test

Paul Wouters paul at nohats.ca
Tue Jul 10 15:44:10 UTC 2018


On Fri, 6 Jul 2018, Wouter Wijngaards wrote:

> Recently I have written systemd integration code for NSD, based on the
> code that was contributed to Unbound previously.  This code can pick up
> sockets (systemds socket activation) for a port without having
> widespread port permissions, and can signal systemd that the server is
> ready (sd_notify).

The unbound systemd code caused crashes even when it was disabled in
fedora/rhel.  So we decided to not compile the support anymore.

But additionally, socket activation is useful for services that exist
on their own port, which only get used when rarely needed. That is,
as an inetd replacement it is great.

It is not great for a port where several programs might try to grab the
port. On linux systems with qemu/kvm/libvirt we have dnsmasq that needs
to share this space with unbound. Some have unbound + nsd running and
they need to ensure they each grab only some IP addresses port 53.
Making these decisions based on random incoming packets leads to
problems.

For other applications, (like libreswan IKE daemon) I also rejected
socket activation because it simply makes no sense for daemons that are
guaranteed to get started anyway pretty quickly after boot.

Socket activation with systemd is a boot speed up fetish. It makes the
boot appear faster. In most cases other then the rarely used service use
case of inetd started, there is no valid reason for socket activation.

I think adding/enabling socket activation with DNS software is a mistake.

That said, sd_notify is a useful software watchdog device. It would be
nice to be able to support that compile time without making it a package
deal with socket activation. (case in point: libreswan supports sd_notify,
but not socket activation)

> But before I could mark the feature as available for general use, I need
> to know if it works.

Earlier attempst to compile in support but leave it disabled for unbound
(for the above stated reasons) caused crashes and we ended up disabling
it at compile time. If this code is that similar to unbound, I would
also not enable it for nsd at compile time. It would be sad if that
means missing out on the software watchdog sd_notify.

Paul



More information about the nsd-users mailing list