Initial implementation of systemd service file, with chroot support, single instance only

doc/INSTALLING.md

@@ -96,6 +96,29 @@ Before starting aprsc edit the configuration file, which can be found in
 /opt/aprsc/etc/aprsc.conf.  Please see the [CONFIGURATION](CONFIGURATION.html)
 document for instructions.
 
+If your distribution has systemd (try 'systemctl' to find out if you do),
+proceed with the systemd instructions. If not, proceed with the non-systemd
+instructions.
+
+Startup with systemd
+-----------------------
+
+Enable the service:
+
+    sudo systemctl enable aprsc
+
+To start it up:
+
+    sudo systemctl start aprsc
+
+To shut it down:
+
+    sudo systemctl stop aprsc
+
+
+Startup the old-fashioned way
+--------------------------------
+
 To enable startup, edit /etc/default/aprsc and change STARTAPRSC="no" to
 "yes". There should not be any need to touch the other options at this time.
 

src/Makefile.in

@@ -223,6 +223,7 @@ install: all
 	$(INSTALL_DIR) $(DESTDIR)/opt/aprsc/web
 	$(INSTALL_PROGRAM) aprsc $(DESTDIR)$(SBINDIR)/aprsc
 	$(INSTALL_PROGRAM) aprsc_munin $(DESTDIR)$(SBINDIR)/aprsc_munin
+	$(INSTALL_PROGRAM) aprsc-prepare-chroot.sh $(DESTDIR)$(SBINDIR)/aprsc-prepare-chroot.sh
 	$(INSTALL_DATA) aprsc.8 $(DESTDIR)$(MANDIR)/man8/aprsc.8
 	$(INSTALL_DATA) $(subst src/,,$(WEBFILES)) $(DESTDIR)/opt/aprsc/web
 	if [ ! -f  $(DESTDIR)$(CFGFILE) ] ; then \

src/aprsc-prepare-chroot.sh

@@ -0,0 +1,33 @@
+#! /bin/sh
+
+# copy files required for chrooted operation, use bind mounts to expose
+# libraries
+
+BASEDIR=/opt/aprsc
+DIRNAME=aprsc
+
+prepare_chroot () {
+	# config files
+	/bin/cp -p /etc/resolv.conf /etc/nsswitch.conf /etc/hosts /etc/gai.conf $BASEDIR/etc/
+	# live upgrade requires libraries to be visible within chroot, so
+	# set up a read-only bind mount of /lib
+	grep -q "$DIRNAME/lib " /proc/mounts || \
+		( mount --bind /lib $BASEDIR/lib \
+		&& mount -o remount,ro,bind $BASEDIR/lib )
+	if [ -e /lib64 ]; then
+		grep -q "$DIRNAME/lib64 " /proc/mounts || \
+			( mount --bind /lib64 $BASEDIR/lib64 \
+			&& mount -o remount,ro,bind $BASEDIR/lib64 )
+	fi
+	grep -q "$DIRNAME/usr/lib " /proc/mounts || \
+		( mount --bind /usr/lib $BASEDIR/usr/lib \
+		&& mount -o remount,ro,bind $BASEDIR/usr/lib )
+	if [ -e /usr/lib64 ]; then
+		grep -q "$DIRNAME/usr/lib64 " /proc/mounts || \
+			( mount --bind /usr/lib64 $BASEDIR/usr/lib64 \
+			&& mount -o remount,ro,bind $BASEDIR/usr/lib64 )
+	fi
+}
+
+prepare_chroot
+

src/debian/aprsc.service

@@ -0,0 +1,35 @@
+[Unit]
+Description=APRS-IS server
+After=network.target
+Documentation=http://he.fi/aprsc/, man:aprsc(8)
+
+[Service]
+Type=simple
+ExecStartPre=/opt/aprsc/sbin/aprsc-prepare-chroot.sh
+ExecStart=/opt/aprsc/sbin/aprsc -u aprsc -t /opt/aprsc -e info -o file -r logs -c etc/aprsc.conf
+PIDFile=/opt/aprsc/logs/aprsc.pid
+TimeoutStopSec=5
+Restart=always
+User=root
+Group=root
+LimitNOFILE=65535
+#PrivateDevices=yes
+#ProtectHome=yes
+#ReadOnlyDirectories=/
+#ReadWriteDirectories=-/var/lib/aprsc
+
+#NoNewPrivileges=true
+#CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+MemoryDenyWriteExecute=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+ProtectSystem=true
+#ReadWriteDirectories=-/etc/aprsc
+
+[Install]
+WantedBy=multi-user.target
+Alias=aprsc.service