
hogarth-sv
Contributor

This is defaulted to off in the Makefile.

If make USESYSTEMD=1 is provided then the following systemd feature is added:

If a socket file is created then on-demand execution of sslh is possible. In this mode the addr_listen is ignored and the file descriptors passed by systemd are used.

Usage:
Create socket file:
cat > /etc/systemd/system/sslh.socket <<EOF
[Socket]
ListenStream=10.81.60.232:443
ListenStream=10.81.60.232:444
ListenStream=10.81.60.232:445
ListenStream=10.81.60.232:446
ListenStream=10.81.60.232:447
FreeBind=true

[Install]
WantedBy=sockets.target
EOF

Create service file:
cat > /etc/systemd/system/sslh.service <<EOF
[Service]
ExecStart=/usr/local/sbin/sslh-fork -v -f --ssh 127.0.0.1:22
KillMode=process
EOF

Reload unit files:
systemctl daemon-reload

Start the socket:
systemctl start sslh.socket

Connect to one of the ports listed in the socket file and watch the sslh.service systemd unit start automatically, making use of the file descriptors from the socket file.

The benefit of this is being able to listen on privileged ports without having to start as root and drop to a user afterwards; instead the service starts as a basic service user at the outset.

This is the first of a series of patches adding systemd functionality to improve the usage of the sslh daemon.
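The mechanism the description relies on (the daemon ignoring its configured listen addresses and using the file descriptors systemd hands it) is shown here as an added example. It is not sslh's code and not part of this pull request; it follows the protocol documented in sd_listen_fds(3) (LISTEN_PID must match the process, LISTEN_FDS gives the count, the passed descriptors start at fd 3), checks that each inherited fd really is a listening socket before using it, and falls back to binding its own socket when no socket unit is in play. The function names, the MAX_LISTEN_FDS bound and the fallback address 127.0.0.1:8443 are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example (not sslh's code): how a daemon takes over sockets passed by
 * systemd socket activation, per sd_listen_fds(3): LISTEN_PID must equal our
 * pid, LISTEN_FDS is the count, and the passed fds start at 3. Falls back to
 * bind() when no socket unit is in use. Function names and the fallback
 * address 127.0.0.1:8443 are this example's own choices. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define SD_LISTEN_FDS_START 3   /* first passed fd, per sd_listen_fds(3) */
#define MAX_LISTEN_FDS 16       /* sanity bound chosen for this example */

/* Parse the activation environment. Returns the number of passed fds, or 0
 * when not socket-activated or the variables are malformed. The LISTEN_PID
 * check matters: a child that inherits the environment must not mistake its
 * own fds 3..N for listening sockets. */
int systemd_listen_fds(const char *listen_pid, const char *listen_fds, pid_t self)
{
    char *end;
    long pid, n;

    if (!listen_pid || !listen_fds)
        return 0;
    pid = strtol(listen_pid, &end, 10);
    if (*end != '\0' || pid <= 0 || (pid_t)pid != self)
        return 0;
    n = strtol(listen_fds, &end, 10);
    if (*end != '\0' || n <= 0 || n > MAX_LISTEN_FDS)
        return 0;
    return (int)n;
}

/* Refuse to accept() on an fd that is not actually a listening socket
 * (what sd_is_socket(3) with listening=1 checks). */
int is_listening_socket(int fd)
{
    int accepting = 0;
    socklen_t len = sizeof accepting;

    if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &accepting, &len) < 0)
        return 0;
    return accepting != 0;
}

/* Fallback: bind and listen ourselves. Only this path needs root or
 * CAP_NET_BIND_SERVICE for ports below 1024; under socket activation it is
 * never taken, so the service can start as an unprivileged user. */
int bind_listener(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int fds[MAX_LISTEN_FDS], nfds = 0, i;
    int n = systemd_listen_fds(getenv("LISTEN_PID"), getenv("LISTEN_FDS"), getpid());

    if (n > 0) {
        /* Socket-activated: configured listen addresses are ignored. */
        for (i = 0; i < n; i++) {
            if (!is_listening_socket(SD_LISTEN_FDS_START + i)) {
                fprintf(stderr, "fd %d is not a listening socket\n", SD_LISTEN_FDS_START + i);
                return 1;
            }
            fds[nfds++] = SD_LISTEN_FDS_START + i;
        }
        unsetenv("LISTEN_PID");   /* do not leak activation state to children */
        unsetenv("LISTEN_FDS");
    } else {
        fds[0] = bind_listener("127.0.0.1", 8443);   /* hypothetical address */
        if (fds[0] < 0) {
            perror("bind_listener");
            return 1;
        }
        nfds = 1;
    }
    fprintf(stderr, "%s: %d listening socket(s)\n", n > 0 ? "socket-activated" : "self-bound", nfds);
    for (i = 0; i < nfds; i++)
        close(fds[i]);
    return 0;
}
```

Run it directly and it takes the self-bound path; run it under `systemd-socket-activate -l 127.0.0.1:8443 ./a.out` (the test tool shipped with systemd) and it reports the socket-activated path instead, with no bind() call and therefore no need for CAP_NET_BIND_SERVICE in the service itself. The SO_ACCEPTCONN check is the part most hand-rolled implementations skip: it is what stops a misconfigured unit (or a stray inherited fd) from being accept()ed on as if it were a listener.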

[Service]
ExecStart=/usr/sbin/sslh -v -f --ssh 127.0.0.1:22 --ssl 127.0.0.1:443
KillMode=process
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_SETGID CAP_SETUID
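Review bot: the example service unit grants CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_SETGID and CAP_SETUID via CapabilityBoundingSet= but sets no User=, so as written the service still starts as root and the bounding set only trims what root keeps; with the listening sockets inherited from sslh.socket none of these are needed to bind, so either add a `User=` line with a reduced bounding set for the socket-activated case, or state in the README that the capabilities are only required when the service is run without the socket unit.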

The capabilities could be dropped in this case, no?

Contributor Author

Indeed no capabilities are needed as the socket is all set up in this
scenario...

However the sockets are optional. In the event the administrator has decided
not to use systemd sockets, caps are then needed.

The idea is to provide flexibility... I'm unsure yet how I'll go with the
Fedora and EPEL7 default behaviour...

I'm also in the process of writing a systemd generator to parse the
sslh.cfg and generate socket files from that.
On 19 Aug 2015 23:06, "Thomas Weißschuh" notifications@github.com wrote:

In README.md
#56 (comment):

+    ListenStream=5.6.7.8:444
+    ListenStream=9.10.11.12:445
+    FreeBind=true
+    [Install]
+    WantedBy=sockets.target

+Example service unit:
+

+    [Unit]
+    PartOf=sslh.socket
+    [Service]
+    ExecStart=/usr/sbin/sslh -v -f --ssh 127.0.0.1:22 --ssl 127.0.0.1:443
+    KillMode=process
+    CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_SETGID CAP_SETUID

The capabilities could be dropped in this case, no?


Reply to this email directly or view it on GitHub
https://github.com/yrutschle/sslh/pull/56/files#r37474816.

@hogarth-sv
Contributor Author

Life got busy which drew me away from this a bit.

Have you had a chance to review the patches Yves?

I'd love to get some basic systemd socket capabilities in place before 1.18 gets tagged as this would be a significant gain to my Fedora and EPEL7 packages.

@@ -101,6 +123,9 @@ int start_listen_sockets(int *sockfd[], struct addrinfo *addr_list)
}

return num_addr;
#ifdef SYSTEMD
}
#endif
}
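Review bot: the `#ifdef SYSTEMD` around a lone closing brace after `return num_addr;` makes the brace structure of start_listen_sockets depend on the build flag, so the function only balances in each configuration by pairing with an earlier `#ifdef` that is not visible in this hunk; move the systemd descriptor path into its own function whose whole body sits under `#ifdef SYSTEMD` (returning nothing to do when the symbol is undefined) and call it unconditionally from start_listen_sockets, as sslh-main.c already does for LIBCAP and LIBCONFIG.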
Owner

Ok, this is the only issue I have with the patch: mixing compilation directives within the code. It's ugly and makes the code really hard to read!
Please move the conditional code (lines 74-89) to another function whose entire content will be conditional, and make start_listen_sockets call that unconditionally. There are lots of examples of that in sslh-main.c with the LIBCAP and LIBCONFIG symbols.

Contributor Author

Thanks for the feedback Yves

I'll amend this weekend.

@hogarth-sv hogarth-sv reopened this Jan 29, 2016
@hogarth-sv
Contributor Author

I've built and tested this on F23.

I've included the generator but not building it automatically yet... will probably move to it in F24.

The conditional code has now been moved to its own function that gets called unconditionally as requested, and in the event of USESYSTEMD being disabled is a noop in behaviour.

I've tested using it with the socket file and without... and with the generator and the socket and without the generator.

@yrutschle
Owner

Looks good, thank you for your submission!

yrutschle added a commit that referenced this pull request Feb 5, 2016
Initial addition of systemd socket based activation
@yrutschle yrutschle merged commit 8f39c10 into yrutschle:master Feb 5, 2016