Feature #29144
Run Puma using systemd socket activation
Description
From https://github.com/puma/puma/blob/master/docs/systemd.md#socket-activation
systemd and puma also support socket activation, where systemd opens the listening socket(s) in advance and provides them to the puma master process on startup. Among other advantages, this keeps listening sockets open across puma restarts and achieves graceful restarts, including when puma is upgraded, and is compatible with both clustered mode and application preload.
When using unix sockets, it should also increase security since only the webserver can connect to it.
Associated revisions
Refs #29144 - Use systemd socket activation
This gives reliable service restarts since systemd keeps the socket
open.
Replacement of ExecStart is no longer needed since foreman core now
calls /usr/share/foreman/bin/rails which is already modified to use
/usr/bin/tfm-ruby.
It also corrects the macros to only execute on the subpackage. The
incorrect systemd_postun_with_restart (systemctl try-restart) is changed
to the appropriate systemd_post (systemctl preset).
The unused foreman.sysconfig is also dropped. This file was unused since
fb02554d5059e4817052de13d392320a6f4eb8ac.
Refs #29144 - Use systemd socket activation
This gives reliable service restarts since systemd keeps the socket
open. bundle exec needs to be called with --keep-file-descriptors since
systemd passes these in. The replacement is changed since the service
now uses /usr/share/foreman/bin/rails which doesn't need replacing.
It also makes sure the service enable is called on the foreman-service
subpackage rather than the main package.
Refs #29144 - Use systemd socket activation
When using systemd socket activation, it's important that the
ListenSocket matches what Puma binds on. Otherwise it may fail. This
happens when systemd is configured on [::]:3000 (dual stack) and Puma on
0.0.0.0:3000. Puma will then attempt to bind and fail because the port
is already in use.
The service bind is now made explicit because systemd's
ListenSocket=3000 binds on :: where Puma by default binds on
0.0.0.0:3000. This is IPv4-only, but is what was done prior to this as
well. Apache is configured dual stack and the recommended deployment.
Refs #29144 - Correct socket override
281f1966587ffd3d283cd8ea76371aed02f568b4 introduced the systemd socket
override, but used Service instead of Socket. This causes the service to
bind incorrectly.
Refs #29144 - Use the correct ListenStream
281f1966587ffd3d283cd8ea76371aed02f568b4 introduced the override with
the incorrect section. e642db1c690cdbc01bfc193b643bece1a5b0e91a
corrected the section, but not the headers.
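The shape the socket override ended up needing, as an added example that is not one of the Foreman packaging files or the Puma docs: the drop-in path, user and group names are assumptions, the directives are the [Socket] section and ListenStream that the last two commits corrected, the address is spelled out so it equals Puma's bind, and a unix-socket variant shows the access restriction the description mentions.

```ini
# Assumed drop-in path: /etc/systemd/system/foreman.socket.d/bind.conf
#
# Wrong (the first override): a socket unit has no [Service] section and no
# ListenSocket= key, so systemd logs "Unknown section"/"Unknown key name" and
# ignores them; no socket is passed and Puma binds on its own as before.
#   [Service]
#   ListenSocket=3000
#
# Correct: the directive belongs in the socket unit's [Socket] section and the
# TCP directive is ListenStream=.
[Socket]
# A bare port (ListenStream=3000) binds dual-stack [::]:3000, while Puma's
# default is 0.0.0.0:3000. The addresses then differ, Puma finds no inherited
# descriptor matching its bind, tries to bind the port itself and fails with
# "address already in use". Use the same address here and in config/puma.rb
# (bind 'tcp://0.0.0.0:3000'); this is IPv4-only, as the commit above notes.
ListenStream=0.0.0.0:3000
NoDelay=true

# Unix-socket variant (use instead of the TCP block, not in addition to it):
# the listener is owned by the service user and mode 0660 lets only the
# webserver's group connect, so the application port is never reachable
# over the network. config/puma.rb then needs
#   bind 'unix:///run/foreman/puma.sock'
# (service user "foreman" and webserver group "apache" are assumed names).
#[Socket]
#ListenStream=/run/foreman/puma.sock
#SocketUser=foreman
#SocketGroup=apache
#SocketMode=0660
```

After editing the drop-in, run systemctl daemon-reload and restart the socket unit, not only the service, because the socket unit is what holds the listening descriptor.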
History
#1
Updated by Lukas Zapletal 11 months ago
Nice idea, when this is implemented in Core, let's open the very same ticket for Smart Proxy (once Puma is merged there).
#2
Updated by The Foreman Bot 10 months ago
- Assignee set to Ewoud Kohl van Wijngaarden
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/7536 added
#3
Updated by The Foreman Bot 10 months ago
- Pull request https://github.com/theforeman/foreman-packaging/pull/4894 added
#4
Updated by The Foreman Bot 10 months ago
- Pull request https://github.com/theforeman/foreman-packaging/pull/4895 added
#5
Updated by The Foreman Bot 10 months ago
- Pull request https://github.com/theforeman/puppet-foreman/pull/814 added
#6
Updated by The Foreman Bot 10 months ago
- Fixed in Releases 2.1.0 added
#7
Updated by Ewoud Kohl van Wijngaarden 10 months ago
- Status changed from Ready For Testing to Closed
Applied in changeset 3e38815694272ef06d11efd63ffa29e9c1834c62.
#8
Updated by The Foreman Bot 10 months ago
- Pull request https://github.com/theforeman/foreman-packaging/pull/4901 added
#9
Updated by The Foreman Bot 10 months ago
- Pull request https://github.com/theforeman/puppet-foreman/pull/816 added
#10
Updated by The Foreman Bot 10 months ago
- Pull request https://github.com/theforeman/puppet-foreman/pull/817 added
Fixes #29144 - Use systemd socket activation
From https://github.com/puma/puma/blob/master/docs/systemd.md#socket-activation
When using unix sockets, it should also increase security since only the
webserver can connect to it. This is not configured by default since the
webserver is not assumed to be present. However, it can be deployed via
overrides.
This also needs a packaging change for ExecStart. Currently RPM and Deb
packaging change this, but the wrappers break the passing on the socket.