Feature #29144

Run Puma using systemd socket activation

Added by Ewoud Kohl van Wijngaarden 8 months ago. Updated 7 months ago.


Description

From https://github.com/puma/puma/blob/master/docs/systemd.md#socket-activation

systemd and puma also support socket activation, where systemd opens the listening socket(s) in advance and provides them to the puma master process on startup. Among other advantages, this keeps listening sockets open across puma restarts and achieves graceful restarts, including when upgraded puma, and is compatible with both clustered mode and application preload.

When using unix sockets, it should also increase security since only the webserver can connect to it.

Associated revisions

Revision 3e388156 (diff)
Added by Ewoud Kohl van Wijngaarden 7 months ago

Fixes #29144 - Use systemd socket activation

From https://github.com/puma/puma/blob/master/docs/systemd.md#socket-activation

systemd and puma also support socket activation, where systemd opens the
listening socket(s) in advance and provides them to the puma master
process on startup. Among other advantages, this keeps listening sockets
open across puma restarts and achieves graceful restarts, including when
upgraded puma, and is compatible with both clustered mode and
application preload.

When using unix sockets, it should also increase security since only the
webserver can connect to it. This is not configured by default since the
webserver is not assumed to be present. However, it can be deployed via
overrides.

This also needs a packaging change for ExecStart. Currently RPM and Deb
packaging change this, but the wrappers break the passing on the socket.

Revision 5a8db7a8 (diff)
Added by Ewoud Kohl van Wijngaarden 7 months ago

Refs #29144 - Use systemd socket activation

This gives reliable service restarts since systemd keeps the socket
open.

Replacement of ExecStart is no longer needed since foreman core now
calls /usr/share/foreman/bin/rails which is already modified to use
/usr/bin/tfm-ruby.

It also corrects the macros to only execute on the subpackage. The
incorrect systemd_postun_with_restart (systemctl try-restart) is changed
to the appropriate systemd_post (systemctl preset).

The unused foreman.sysconfig is also dropped. This file was unused since
fb02554d5059e4817052de13d392320a6f4eb8ac.

Revision cd0965ff (diff)
Added by Ewoud Kohl van Wijngaarden 7 months ago

Refs #29144 - Use systemd socket activation

This gives reliable service restarts since systemd keeps the socket
open. bundle exec needs to be called with --keep-file-descriptors since
systemd passes these in. The replacement is changed since the service
now uses /usr/share/foreman/bin/rails which doesn't need replacing.

It also makes sure the service enable is called on the foreman-service
subpackage rather than the main package.

Revision 281f1966 (diff)
Added by Ewoud Kohl van Wijngaarden 7 months ago

Refs #29144 - Use systemd socket activation

When using systemd socket activation, it's important that the
ListenSocket matches what Puma binds on. Otherwise it may fail. This
happens when is configured on [::]:3000 (dual stack) and Puma on
0.0.0.0:3000. Puma will then attempt to bind and fail because the port
is already in use.

The service bind is now made explicit because systemd's
ListenSocket=3000 binds on :: where Puma by default binds on
0.0.0.0:3000. This is IPv4-only, but is what was done prior to this as
well. Apache is configured dual stack and the recommended deployment.

Revision e642db1c (diff)
Added by Ewoud Kohl van Wijngaarden 7 months ago

Refs #29144 - Correct socket override

281f1966587ffd3d283cd8ea76371aed02f568b4 introduced the systemd socket
override, but used Service instead of Socket. This causes the service to
bind incorrectly.

Revision 1e10f6c4 (diff)
Added by Ewoud Kohl van Wijngaarden 7 months ago

Refs #29144 - Use the correct ListenStream

281f1966587ffd3d283cd8ea76371aed02f568b4 introduced the override with
the incorrect section. e642db1c690cdbc01bfc193b643bece1a5b0e91a
corrected the section, but not the headers.
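
The last three revisions above describe failures that can be checked before deployment: a listener placed under the wrong section, and a systemd listen address that differs from what Puma binds on. The Ruby check below is an added example, not Foreman or puppet-foreman code. Its function names and the sample drop-in are constructed for illustration; it also flags `ListenSocket=`, the name used in the 281f1966 message, since the systemd.socket directive is `ListenStream=`.

```ruby
# Added example (not project code): lint a systemd socket drop-in against Puma's bind.

# Parse unit-file text into { "Section" => [[key, value], ...] }.
def parse_unit(text)
  sections = Hash.new { |h, k| h[k] = [] }
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1]
    elsif current && (m = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      sections[current] << [m[1], m[2]]
    end
  end
  sections
end

# Return the problems that would keep Puma from reusing the socket systemd opened.
# puma_bind is Puma's bind URI, e.g. "tcp://0.0.0.0:3000" or "unix:///run/app.sock".
def lint_socket_dropin(text, puma_bind)
  unit = parse_unit(text)
  want = puma_bind.sub(%r{\A(tcp|unix)://}, '')
  problems = []
  unit.each do |section, pairs|
    pairs.each do |key, _value|
      next unless key.start_with?('Listen')
      problems << "#{key}= is under [#{section}], not [Socket]" unless section == 'Socket'
      problems << 'ListenSocket= is not a systemd.socket directive; use ListenStream=' if key == 'ListenSocket'
    end
  end
  streams = []
  unit.fetch('Socket', []).each do |key, value|
    next unless key == 'ListenStream'
    # An empty assignment resets the list of listeners collected so far.
    value.empty? ? streams.clear : (streams << value)
  end
  problems << 'no ListenStream= in [Socket]' if streams.empty?
  streams.each do |s|
    # A bare port is read by systemd as an IPv6 listener on [::].
    effective = s.match?(/\A\d+\z/) ? "[::]:#{s}" : s
    problems << "ListenStream=#{s} listens on #{effective}, Puma binds #{want}" unless effective == want
  end
  problems
end

# Constructed drop-in repeating the [Service]-instead-of-[Socket] mistake.
BAD_DROPIN = "[Service]\nListenStream=0.0.0.0:3000\n"
puts lint_socket_dropin(BAD_DROPIN, 'tcp://0.0.0.0:3000')
```

An empty result means the drop-in declares exactly the address Puma is configured to bind, so Puma can take over the inherited socket instead of attempting its own bind.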

History

#1 Updated by Lukas Zapletal 8 months ago

Nice idea, when this is implemented in Core, let's open the very same ticket for Smart Proxy (once Puma is merged there).

#2 Updated by The Foreman Bot 7 months ago

  • Assignee set to Ewoud Kohl van Wijngaarden
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/7536 added

#3 Updated by The Foreman Bot 7 months ago

  • Pull request https://github.com/theforeman/foreman-packaging/pull/4894 added

#4 Updated by The Foreman Bot 7 months ago

  • Pull request https://github.com/theforeman/foreman-packaging/pull/4895 added

#5 Updated by The Foreman Bot 7 months ago

  • Pull request https://github.com/theforeman/puppet-foreman/pull/814 added

#6 Updated by The Foreman Bot 7 months ago

  • Fixed in Releases 2.1.0 added

#7 Updated by Ewoud Kohl van Wijngaarden 7 months ago

  • Status changed from Ready For Testing to Closed

#8 Updated by The Foreman Bot 7 months ago

  • Pull request https://github.com/theforeman/foreman-packaging/pull/4901 added

#9 Updated by The Foreman Bot 7 months ago

  • Pull request https://github.com/theforeman/puppet-foreman/pull/816 added

#10 Updated by The Foreman Bot 7 months ago

  • Pull request https://github.com/theforeman/puppet-foreman/pull/817 added
