FreeIPA その3 IdMサーバの初期設定~動作確認~ログ管理の調査のつづき
■サービスと起動
FreeIPA その1 IdMサーバのインストールでipa-serverとipa-server-dnsをインストールした際、依存しているパッケージも含めて全部で198個のパッケージがインストールされた。これらのパッケージのうち、systemdユニットファイルを含むパッケージとそのユニットファイル名は下記の通り。
-------- 389-ds-base ---------
/usr/lib/systemd/system/dirsrv@.service
-------- bind ---------
/usr/lib/systemd/system/named-setup-rndc.service
/usr/lib/systemd/system/named.service
-------- bind-pkcs11 ---------
/usr/lib/systemd/system/named-pkcs11.service
-------- hsqldb ---------
/usr/lib/systemd/system/hsqldb.service
-------- httpd ---------
/usr/lib/systemd/system/htcacheclean.service
/usr/lib/systemd/system/httpd.service
-------- ipa-server-common ---------
/usr/lib/systemd/system/ipa-custodia.service
-------- krb5-server ---------
/usr/lib/systemd/system/kadmin.service
/usr/lib/systemd/system/kprop.service
/usr/lib/systemd/system/krb5kdc.service
-------- opencryptoki ---------
/usr/lib/systemd/system/pkcsslotd.service
-------- opendnssec ---------
/usr/lib/systemd/system/ods-enforcerd.service
/usr/lib/systemd/system/ods-signerd.service
-------- pki-server ---------
/usr/lib/systemd/system/pki-tomcatd-nuxwdog@.service
/usr/lib/systemd/system/pki-tomcatd@.service
-------- sssd-dbus ---------
/usr/lib/systemd/system/sssd-ifp.service
-------- tomcat ---------
/usr/lib/systemd/system/tomcat.service
/usr/lib/systemd/system/tomcat@.service
-------- certmonger ---------
/usr/lib/systemd/system/certmonger.service
-------- dbus ---------
/usr/lib/systemd/system/dbus.service
/usr/lib/systemd/system/messagebus.service
/usr/lib/systemd/system/multi-user.target.wants/dbus.service
-------- sssd-common ---------
/usr/lib/systemd/system/sssd-autofs.service
/usr/lib/systemd/system/sssd-nss.service
/usr/lib/systemd/system/sssd-pac.service
/usr/lib/systemd/system/sssd-pam.service
/usr/lib/systemd/system/sssd-secrets.service
/usr/lib/systemd/system/sssd-ssh.service
/usr/lib/systemd/system/sssd-sudo.service
/usr/lib/systemd/system/sssd.service
・ユニットファイルの中身
------- /usr/lib/systemd/system/dirsrv@.service --------
# you usually do not want to edit this file - instead, edit the
# /etc/sysconfig/dirsrv.systemd file instead - otherwise,
# do not edit this file in /lib/systemd/system - instead, do the following:
# cp /lib/systemd/system/dirsrv\@.service /etc/systemd/system/dirsrv\@.service
# mkdir -p /etc/systemd/system/dirsrv.target.wants
# edit /etc/systemd/system/dirsrv\@.service - uncomment the LimitNOFILE=8192 line
# where %i is the name of the instance
# you may already have a symlink in
# /etc/systemd/system/dirsrv.target.wants/dirsrv@%i.service pointing to
# /lib/systemd/system/dirsrv\@.service - you will have to change it to link
# to /etc/systemd/system/dirsrv\@.service instead
# ln -s /etc/systemd/system/dirsrv\@.service /etc/systemd/system/dirsrv.target.wants/dirsrv@%i.service
# systemctl daemon-reload
# systemctl (re)start dirsrv.target
# Template unit for one 389 Directory Server instance: %i is the instance name and
# selects the matching /etc/sysconfig/dirsrv-%i and /etc/dirsrv/slapd-%i paths below.
[Unit]
Description=389 Directory Server %i.
PartOf=dirsrv.target
After=chronyd.service ntpd.service network-online.target syslog.target
Before=radiusd.service
[Service]
Type=notify
# NotifyAccess=all lets any process in the unit's cgroup send sd_notify() messages,
# not only the main ns-slapd process.
NotifyAccess=all
# 0 disables the start-up timeout entirely; stop is still bounded to 600 seconds.
TimeoutStartSec=0
TimeoutStopSec=600
# Neither EnvironmentFile has a leading '-', so both files must exist for the
# instance to start.
EnvironmentFile=/etc/sysconfig/dirsrv
EnvironmentFile=/etc/sysconfig/dirsrv-%i
PIDFile=/var/run/dirsrv/slapd-%i.pid
ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif
# No User=/Group= is set, so systemd launches ns-slapd as root; whether and when the
# daemon drops privileges afterwards is not visible from this unit.
ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid
# Hardening options:
# PrivateDevices=true
# ProtectSystem=true
# ProtectHome=true
# PrivateTmp=true
# NOTE(review): the four sandboxing directives above ship commented out, so none of
# them is in effect as installed. Per the header, the place to enable them is the
# sysconfig file included below, not this vendor copy.
# if you need to set other directives e.g. LimitNOFILE=8192
# set them in this file
# NOTE(review): .include is a legacy directive that newer systemd releases deprecate
# in favour of drop-in directories - confirm against the installed systemd version.
.include /etc/sysconfig/dirsrv.systemd
[Install]
WantedBy=multi-user.target
------- /usr/lib/systemd/system/named-setup-rndc.service --------
# One-shot helper that generates the rndc control key. It has no [Install] section;
# named.service pulls it in via Wants= and orders itself After= it.
[Unit]
Description=Generate rndc key for BIND (DNS)
[Service]
Type=oneshot
# Runs as root (no User=).
ExecStart=/usr/libexec/generate-rndc-key.sh
------- /usr/lib/systemd/system/named.service --------
# BIND as shipped for the IPA DNS role. Ordering: the rndc key is generated first
# (Wants=/After= named-setup-rndc.service) and named is up before nss-lookup.target.
[Unit]
Description=Berkeley Internet Name Domain (DNS)
Wants=nss-lookup.target
Wants=named-setup-rndc.service
Before=nss-lookup.target
After=network.target
After=named-setup-rndc.service
[Service]
Type=forking
Environment=NAMEDCONF=/etc/named.conf
# Leading '-': a missing /etc/sysconfig/named is not an error. That file may set
# DISABLE_ZONE_CHECKING and OPTIONS, both consumed below.
EnvironmentFile=-/etc/sysconfig/named
# Kerberos keytab for the named process itself. NOTE(review): presumably used by the
# IPA DNS back end for authenticated access - confirm against the IPA documentation.
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/run/named/named.pid
# Configuration and zone files are validated before start unless the sysconfig file
# sets DISABLE_ZONE_CHECKING=yes; a failed ExecStartPre aborts the start.
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
# systemd launches named as root; -u named makes the daemon itself switch to the
# unprivileged named user.
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
# Prefer the rndc control channel; fall back to signalling the main PID only if
# rndc fails.
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
# Private /tmp and /var/tmp for the daemon.
PrivateTmp=true
[Install]
WantedBy=multi-user.target
------- /usr/lib/systemd/system/named-pkcs11.service --------
# Same unit as named.service, but runs the named-pkcs11 binary (native PKCS#11
# support). NOTE(review): it shares /run/named/named.pid and /etc/sysconfig/named
# with named.service, so the two are alternatives and are not meant to run together.
[Unit]
Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
Wants=nss-lookup.target
Wants=named-setup-rndc.service
Before=nss-lookup.target
After=network.target
After=named-setup-rndc.service
[Service]
Type=forking
Environment=NAMEDCONF=/etc/named.conf
# Optional sysconfig file (leading '-'); may set DISABLE_ZONE_CHECKING and OPTIONS.
EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/run/named/named.pid
# Zone/config check before start unless DISABLE_ZONE_CHECKING=yes is set.
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
# Started as root; -u named drops the daemon to the named user.
ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=true
[Install]
WantedBy=multi-user.target
------- /usr/lib/systemd/system/hsqldb.service --------
# HyperSQL database engine, started under its own unprivileged account.
[Unit]
Description=HyperSQL Database Engine
After=network.target
[Service]
Type=simple
# Runs as hsqldb:hsqldb rather than root.
User=hsqldb
Group=hsqldb
ExecStart=/usr/lib/hsqldb/hsqldb-wrapper
ExecStartPost=/usr/lib/hsqldb/hsqldb-post
ExecStop=/usr/lib/hsqldb/hsqldb-stop
[Install]
WantedBy=multi-user.target
------- /usr/lib/systemd/system/htcacheclean.service --------
# Apache disk-cache cleaner. No [Install] section, so it is not enabled on its own;
# it is ordered after httpd.service.
[Unit]
Description=Disk Cache Cleaning Daemon for Apache HTTP Server
After=httpd.service
Documentation=man:htcacheclean(8)
[Service]
Type=forking
# Runs as the apache user, not root.
User=apache
PIDFile=/run/httpd/htcacheclean/pid
# No leading '-': a missing /etc/sysconfig/htcacheclean fails the start. It supplies
# INTERVAL, CACHE_ROOT, LIMIT and OPTIONS used below.
EnvironmentFile=/etc/sysconfig/htcacheclean
ExecStart=/usr/sbin/htcacheclean -P /run/httpd/htcacheclean/pid -d $INTERVAL -p $CACHE_ROOT -l $LIMIT $OPTIONS
------- /usr/lib/systemd/system/httpd.service --------
# Apache HTTP Server (front end for the IPA web UI/API).
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Documentation=man:httpd(8)
Documentation=man:apachectl(8)
[Service]
Type=notify
# No leading '-': /etc/sysconfig/httpd must exist; it supplies OPTIONS.
EnvironmentFile=/etc/sysconfig/httpd
# No User= here, so the httpd parent process starts as root. NOTE(review): the
# unprivileged account for worker processes is configured inside httpd's own
# configuration, not in this unit - confirm there.
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
# SIGWINCH asks httpd for a graceful stop (finish in-flight requests first).
ExecStop=/bin/kill -WINCH ${MAINPID}
# We want systemd to give httpd some time to finish gracefully, but still want
# it to kill httpd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
# httpd time to finish.
KillSignal=SIGCONT
# Private /tmp and /var/tmp for the daemon.
PrivateTmp=true
[Install]
WantedBy=multi-user.target
------- /usr/lib/systemd/system/ipa-custodia.service --------
# IPA Custodia, the service IPA uses to hand secrets between servers. Runs as root
# (no User=) with the configuration path given on the command line.
[Unit]
Description=IPA Custodia Service
[Service]
Type=notify
ExecStart=/usr/libexec/ipa/ipa-custodia /etc/ipa/custodia/custodia.conf
# Private /tmp; note this file uses 'yes' where other units use 'true'.
PrivateTmp=yes
# Automatic restart after an unclean exit, with a 60 second back-off.
Restart=on-failure
RestartSec=60s
[Install]
WantedBy=multi-user.target
------- /usr/lib/systemd/system/kadmin.service --------
# Kerberos administration / password-change daemon (kadmind). Runs as root (no User=).
[Unit]
Description=Kerberos 5 Password-changing and Administration
Wants=network-online.target
After=syslog.target network.target network-online.target
[Service]
Type=forking
# NOTE(review): newer systemd releases warn when PIDFile= points below the legacy
# /var/run directory instead of /run.
PIDFile=/var/run/kadmind.pid
# Optional (leading '-'); supplies KADMIND_ARGS.
EnvironmentFile=-/etc/sysconfig/kadmin
ExecStart=/usr/sbin/_kadmind -P /var/run/kadmind.pid $KADMIND_ARGS
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
------- /usr/lib/systemd/system/kprop.service --------
# Kerberos database propagation daemon (kpropd). Runs as root (no User=).
[Unit]
Description=Kerberos 5 Propagation
Wants=network-online.target
After=syslog.target network.target network-online.target
[Service]
# NOTE(review): Type=forking without PIDFile= leaves systemd to guess the main PID;
# the sibling kadmin/krb5kdc units set one explicitly.
Type=forking
# Optional (leading '-'); supplies KPROPD_ARGS.
EnvironmentFile=-/etc/sysconfig/kprop
ExecStart=/usr/sbin/_kpropd $KPROPD_ARGS
[Install]
WantedBy=multi-user.target
------- /usr/lib/systemd/system/krb5kdc.service --------
# Kerberos KDC. Runs as root (no User=).
[Unit]
Description=Kerberos 5 KDC
Wants=network-online.target
After=syslog.target network.target network-online.target
[Service]
Type=forking
# NOTE(review): newer systemd releases warn when PIDFile= points below the legacy
# /var/run directory instead of /run.
PIDFile=/var/run/krb5kdc.pid
# Optional (leading '-'); supplies KRB5KDC_ARGS.
EnvironmentFile=-/etc/sysconfig/krb5kdc
ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
------- /usr/lib/systemd/system/pkcsslotd.service --------
# openCryptoki slot daemon for hardware tokens. Runs as root (no User=), with no
# sandboxing directives.
[Unit]
Description=Daemon which manages cryptographic hardware tokens for the openCryptoki package
After=local-fs.target
[Service]
Type=forking
PIDFile=/var/run/pkcsslotd.pid
ExecStart=/usr/sbin/pkcsslotd
[Install]
WantedBy=multi-user.target
------- /usr/lib/systemd/system/ods-enforcerd.service --------
# OpenDNSSEC enforcer (key and signing policy management). Runs as root (no User=).
[Unit]
Description=OpenDNSSEC Enforcer daemon
After=syslog.target network.target
[Service]
Type=forking
PIDFile=/var/run/opendnssec/enforcerd.pid
# Optional (leading '-'); shared with ods-signerd.service and supplies ODS_ENFORCERD_OPT.
EnvironmentFile=-/etc/sysconfig/ods
ExecStart=/usr/sbin/ods-enforcerd $ODS_ENFORCERD_OPT
[Install]
WantedBy=multi-user.target
------- /usr/lib/systemd/system/ods-signerd.service --------
# OpenDNSSEC signer. Runs as root (no User=).
[Unit]
Description=OpenDNSSEC signer daemon
# NOTE(review): 'ods-enforcerd' lacks the '.service' suffix, so it is not a valid
# unit name and systemd will likely reject this ordering dependency with a warning,
# leaving signer/enforcer start order undefined - check the journal on start.
After=syslog.target network.target ods-enforcerd
[Service]
# Type=simple: systemd tracks the process it spawned directly; -d below keeps the
# signer in the foreground.
Type=simple
PIDFile=/var/run/opendnssec/signerd.pid
# Optional (leading '-'); shared with ods-enforcerd.service and supplies ODS_SIGNERD_OPT.
EnvironmentFile=-/etc/sysconfig/ods
ExecStart=/usr/sbin/ods-signerd -d $ODS_SIGNERD_OPT
[Install]
WantedBy=multi-user.target
------- /usr/lib/systemd/system/pki-tomcatd-nuxwdog@.service --------
# Template unit for a PKI Tomcat instance (%i) supervised by nuxwdog. No [Install]
# section and no User=: everything here, including ExecStartPre, runs as root.
# NOTE(review): presumably pulled in through pki-tomcatd-nuxwdog.target - confirm.
[Unit]
Description=PKI Tomcat Server %i Started by Nuxwdog
PartOf=pki-tomcatd-nuxwdog.target
[Service]
Type=forking
# Mandatory tomcat.conf first, then an optional per-instance override (leading '-').
EnvironmentFile=/etc/tomcat/tomcat.conf
Environment="NAME=%i"
Environment="STARTED_BY_SYSTEMD=1"
EnvironmentFile=-/etc/sysconfig/%i
ExecStartPre=/usr/bin/pkidaemon start %i
ExecStart=/bin/nuxwdog -f /etc/pki/%i/nuxwdog.conf
# 143 = 128 + SIGTERM(15): a termination by SIGTERM counts as a clean exit.
SuccessExitStatus=143
TimeoutStartSec=180
PIDFile=/var/lib/pki/%i/logs/wd-%i.pid
------- /usr/lib/systemd/system/pki-tomcatd@.service --------
# Template unit for a PKI Tomcat instance (%i) run directly by systemd. No [Install]
# section. NOTE(review): presumably pulled in through pki-tomcatd.target - confirm.
[Unit]
Description=PKI Tomcat Server %i
PartOf=pki-tomcatd.target
[Service]
Type=simple
# Mandatory tomcat.conf first, then an optional per-instance override (leading '-').
EnvironmentFile=/etc/tomcat/tomcat.conf
Environment="NAME=%i"
EnvironmentFile=-/etc/sysconfig/%i
# With User= set below and no PermissionsStartOnly=, this ExecStartPre also runs
# as pkiuser, not root.
ExecStartPre=/usr/bin/pkidaemon start %i
ExecStart=/usr/libexec/tomcat/server start
ExecStop=/usr/libexec/tomcat/server stop
# 143 = 128 + SIGTERM(15): a termination by SIGTERM counts as a clean exit.
SuccessExitStatus=143
# Unprivileged account for the CA/KRA Tomcat instance.
User=pkiuser
Group=pkiuser
------- /usr/lib/systemd/system/sssd-ifp.service --------
# SSSD InfoPipe responder, activated over D-Bus. BindsTo= ties its lifetime to
# sssd.service. No [Install] section.
[Unit]
Description=SSSD IFP Service responder
Documentation=man:sssd-ifp(5)
After=sssd.service
BindsTo=sssd.service
[Service]
# Default logger; /etc/sysconfig/sssd (optional, leading '-') may override it.
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-/etc/sysconfig/sssd
Type=dbus
BusName=org.freedesktop.sssd.infopipe
# --uid 0 --gid 0: this responder is explicitly run as root, unlike the
# socket-activated responders that set User=sssd.
ExecStart=/usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --dbus-activated ${DEBUG_LOGGER}
Restart=on-failure
------- /usr/lib/systemd/system/tomcat.service --------
# Systemd unit file for default tomcat
#
# To create clones of this service:
# DO NOTHING, use tomcat@.service instead.
# Default (non-instanced) Tomcat. Unlike tomcat@.service it defines no ExecStop=,
# so a stop relies on systemd's signal handling.
[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target
[Service]
Type=simple
# Mandatory tomcat.conf first, then an optional override (leading '-').
EnvironmentFile=/etc/tomcat/tomcat.conf
# Empty NAME selects the default instance.
Environment="NAME="
EnvironmentFile=-/etc/sysconfig/tomcat
ExecStart=/usr/libexec/tomcat/server start
# 143 = 128 + SIGTERM(15): a termination by SIGTERM counts as a clean exit.
SuccessExitStatus=143
# Unprivileged account.
User=tomcat
[Install]
WantedBy=multi-user.target
------- /usr/lib/systemd/system/tomcat@.service --------
# Systemd unit file for tomcat instances.
#
# To create clones of this service:
# 0. systemctl enable tomcat@name.service
# 1. create catalina.base directory structure in
# /var/lib/tomcats/name
# 2. profit.
# Template unit: %I is the unescaped instance name and selects the per-instance
# sysconfig file below.
[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target
[Service]
Type=simple
# Mandatory tomcat.conf first, then an optional per-instance override (leading '-').
EnvironmentFile=/etc/tomcat/tomcat.conf
Environment="NAME=%I"
EnvironmentFile=-/etc/sysconfig/tomcat@%I
ExecStart=/usr/libexec/tomcat/server start
ExecStop=/usr/libexec/tomcat/server stop
# 143 = 128 + SIGTERM(15): a termination by SIGTERM counts as a clean exit.
SuccessExitStatus=143
# Unprivileged account.
User=tomcat
[Install]
WantedBy=multi-user.target
------- /usr/lib/systemd/system/certmonger.service --------
# certmonger tracks and renews the IPA service certificates. Runs as root (no User=)
# and is activated over D-Bus (Type=dbus with BusName=).
[Unit]
Description=Certificate monitoring and PKI enrollment
After=syslog.target network.target dbus.service
[Service]
Type=dbus
PIDFile=/var/run/certmonger.pid
# Optional (leading '-'); supplies OPTS.
EnvironmentFile=-/etc/sysconfig/certmonger
ExecStart=/usr/sbin/certmonger -S -p /var/run/certmonger.pid -n $OPTS
BusName=org.fedorahosted.certmonger
[Install]
WantedBy=multi-user.target
------- /usr/lib/systemd/system/dbus.service --------
# System D-Bus daemon, socket-activated via dbus.socket. Runs as root at the unit
# level (no User=); no [Install] section.
[Unit]
Description=D-Bus System Message Bus
Documentation=man:dbus-daemon(1)
Requires=dbus.socket
[Service]
# --nofork/--nopidfile because systemd supervises the process directly;
# --systemd-activation hands bus activation requests to systemd.
ExecStart=/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
ExecReload=/usr/bin/dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig
# Strongly disfavours the bus for OOM killing (range is -1000..1000).
OOMScoreAdjust=-900
------- /usr/lib/systemd/system/messagebus.service --------
# Byte-for-byte the same content as dbus.service. NOTE(review): on disk this is
# presumably a compatibility symlink to dbus.service; the listing shows content only.
[Unit]
Description=D-Bus System Message Bus
Documentation=man:dbus-daemon(1)
Requires=dbus.socket
[Service]
ExecStart=/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
ExecReload=/usr/bin/dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig
OOMScoreAdjust=-900
------- /usr/lib/systemd/system/multi-user.target.wants/dbus.service --------
# Same content as dbus.service. NOTE(review): a .wants entry is normally a symlink
# back to the unit it enables; the listing shows content only.
[Unit]
Description=D-Bus System Message Bus
Documentation=man:dbus-daemon(1)
Requires=dbus.socket
[Service]
ExecStart=/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
ExecReload=/usr/bin/dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig
OOMScoreAdjust=-900
------- /usr/lib/systemd/system/sssd-autofs.service --------
# SSSD autofs responder: socket-activated (sssd-autofs.socket), tied to sssd.service
# by BindsTo=, and not startable by hand (RefuseManualStart=true).
[Unit]
Description=SSSD AutoFS Service responder
Documentation=man:sssd.conf(5)
After=sssd.service
BindsTo=sssd.service
RefuseManualStart=true
# Section order is irrelevant to systemd; [Install] before [Service] is fine.
[Install]
Also=sssd-autofs.socket
[Service]
# Default logger; /etc/sysconfig/sssd (optional, leading '-') may override it.
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-/etc/sysconfig/sssd
# Leading '-': a failed chown does not abort the start.
ExecStartPre=-/bin/chown sssd:sssd /var/log/sssd/sssd_autofs.log
ExecStart=/usr/libexec/sssd/sssd_autofs ${DEBUG_LOGGER} --socket-activated
Restart=on-failure
User=sssd
Group=sssd
# User=/Group= apply only to ExecStart, so the chown above still runs as root.
# NOTE(review): PermissionsStartOnly= is deprecated in newer systemd in favour of
# the '+' prefix on individual Exec*= lines.
PermissionsStartOnly=true
------- /usr/lib/systemd/system/sssd-nss.service --------
# SSSD NSS responder: socket-activated (sssd-nss.socket), tied to sssd.service by
# BindsTo=, not startable by hand. No User=/Group= here, unlike the autofs, pac,
# pam, ssh and sudo responders, so sssd_nss runs as root.
[Unit]
Description=SSSD NSS Service responder
Documentation=man:sssd.conf(5)
After=sssd.service
BindsTo=sssd.service
RefuseManualStart=true
[Install]
Also=sssd-nss.socket
[Service]
# Default logger; /etc/sysconfig/sssd (optional, leading '-') may override it.
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-/etc/sysconfig/sssd
ExecStart=/usr/libexec/sssd/sssd_nss ${DEBUG_LOGGER} --socket-activated
Restart=on-failure
------- /usr/lib/systemd/system/sssd-pac.service --------
# SSSD PAC responder: socket-activated (sssd-pac.socket), tied to sssd.service by
# BindsTo=, not startable by hand, running as sssd:sssd.
[Unit]
Description=SSSD PAC Service responder
Documentation=man:sssd.conf(5)
After=sssd.service
BindsTo=sssd.service
RefuseManualStart=true
[Install]
Also=sssd-pac.socket
[Service]
# Default logger; /etc/sysconfig/sssd (optional, leading '-') may override it.
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-/etc/sysconfig/sssd
# Leading '-': a failed chown does not abort the start.
ExecStartPre=-/bin/chown sssd:sssd /var/log/sssd/sssd_pac.log
ExecStart=/usr/libexec/sssd/sssd_pac ${DEBUG_LOGGER} --socket-activated
Restart=on-failure
User=sssd
Group=sssd
# User=/Group= apply only to ExecStart, so the chown above still runs as root.
# NOTE(review): PermissionsStartOnly= is deprecated in newer systemd in favour of
# the '+' prefix on individual Exec*= lines.
PermissionsStartOnly=true
------- /usr/lib/systemd/system/sssd-pam.service --------
# SSSD PAM responder: socket-activated, tied to sssd.service by BindsTo=, not
# startable by hand, running as sssd:sssd. Two sockets are enabled with it: the
# regular one and the privileged one (sssd-pam-priv.socket).
[Unit]
Description=SSSD PAM Service responder
Documentation=man:sssd.conf(5)
After=sssd.service
BindsTo=sssd.service
RefuseManualStart=true
[Install]
Also=sssd-pam.socket sssd-pam-priv.socket
[Service]
# Default logger; /etc/sysconfig/sssd (optional, leading '-') may override it.
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-/etc/sysconfig/sssd
# Leading '-': a failed chown does not abort the start.
ExecStartPre=-/bin/chown sssd:sssd /var/log/sssd/sssd_pam.log
ExecStart=/usr/libexec/sssd/sssd_pam ${DEBUG_LOGGER} --socket-activated
Restart=on-failure
User=sssd
Group=sssd
# User=/Group= apply only to ExecStart, so the chown above still runs as root.
# NOTE(review): PermissionsStartOnly= is deprecated in newer systemd in favour of
# the '+' prefix on individual Exec*= lines.
PermissionsStartOnly=true
------- /usr/lib/systemd/system/sssd-secrets.service --------
# SSSD secrets responder, socket-activated (Requires=/After= sssd-secrets.socket).
# It differs from the other responders: no BindsTo=sssd.service, no sysconfig
# override, no Restart=, and it is run explicitly as root (--uid 0 --gid 0).
[Unit]
Description=SSSD Secrets Service responder
Documentation=man:sssd-secrets(5)
Requires=sssd-secrets.socket
After=sssd-secrets.socket
[Install]
Also=sssd-secrets.socket
[Service]
Environment=DEBUG_LOGGER=--logger=files
ExecStart=/usr/libexec/sssd/sssd_secrets --uid 0 --gid 0 ${DEBUG_LOGGER}
------- /usr/lib/systemd/system/sssd-ssh.service --------
# SSSD SSH responder (host/user key lookups): socket-activated (sssd-ssh.socket),
# tied to sssd.service by BindsTo=, not startable by hand, running as sssd:sssd.
[Unit]
Description=SSSD SSH Service responder
Documentation=man:sssd.conf(5)
After=sssd.service
BindsTo=sssd.service
RefuseManualStart=true
[Install]
Also=sssd-ssh.socket
[Service]
# Default logger; /etc/sysconfig/sssd (optional, leading '-') may override it.
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-/etc/sysconfig/sssd
# Leading '-': a failed chown does not abort the start.
ExecStartPre=-/bin/chown sssd:sssd /var/log/sssd/sssd_ssh.log
ExecStart=/usr/libexec/sssd/sssd_ssh ${DEBUG_LOGGER} --socket-activated
Restart=on-failure
User=sssd
Group=sssd
# User=/Group= apply only to ExecStart, so the chown above still runs as root.
# NOTE(review): PermissionsStartOnly= is deprecated in newer systemd in favour of
# the '+' prefix on individual Exec*= lines.
PermissionsStartOnly=true
------- /usr/lib/systemd/system/sssd-sudo.service --------
# SSSD sudo responder: socket-activated (sssd-sudo.socket), tied to sssd.service by
# BindsTo=, not startable by hand, running as sssd:sssd.
[Unit]
Description=SSSD Sudo Service responder
Documentation=man:sssd.conf(5) man:sssd-sudo(5)
After=sssd.service
BindsTo=sssd.service
RefuseManualStart=true
[Install]
Also=sssd-sudo.socket
[Service]
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-/etc/sysconfig/sssd
# Leading '-': a failed chown does not abort the start.
ExecStartPre=-/bin/chown sssd:sssd /var/log/sssd/sssd_sudo.log
# NOTE(review): unlike the sibling responders, this ExecStart does not pass
# ${DEBUG_LOGGER}, so the DEBUG_LOGGER setting above (and any override from the
# sysconfig file) has no effect on sssd_sudo as shipped.
ExecStart=/usr/libexec/sssd/sssd_sudo --socket-activated
Restart=on-failure
User=sssd
Group=sssd
# User=/Group= apply only to ExecStart, so the chown above still runs as root.
# NOTE(review): PermissionsStartOnly= is deprecated in newer systemd in favour of
# the '+' prefix on individual Exec*= lines.
PermissionsStartOnly=true
------- /usr/lib/systemd/system/sssd.service --------
# SSSD monitor process. The sssd-*.service responders bind their lifetime to this
# unit (BindsTo=sssd.service). Runs as root (no User=).
[Unit]
Description=System Security Services Daemon
# SSSD must be running before we permit user sessions
Before=systemd-user-sessions.service nss-user-lookup.target
Wants=nss-user-lookup.target
[Service]
# Default logger; /etc/sysconfig/sssd (optional, leading '-') may override it.
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-/etc/sysconfig/sssd
# -i keeps sssd in the foreground so systemd can supervise it as the main process.
ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER}
Type=notify
# Only the main process may send sd_notify() readiness messages.
NotifyAccess=main
# NOTE(review): newer systemd releases warn when PIDFile= points below the legacy
# /var/run directory instead of /run.
PIDFile=/var/run/sssd.pid
[Install]
WantedBy=multi-user.target

