[sslh] systemd activation of services

James Hogarth james.hogarth at gmail.com
Fri Jul 24 17:39:48 CEST 2015


With Debian switching over and the introduction of sslh to Fedora it
seemed a good time to look at this.

For an in depth dive on how systemd carries out activation this blog
is a good start:

http://0pointer.de/blog/projects/socket-activation.html

It's relatively simple to add and requires little code change. The pull request is here:

https://github.com/yrutschle/sslh/pull/56

It's defaulted to off in the Makefile for obvious reasons but when
enabled compiling requires systemd (or possibly libsystemd0 in debian
world ... but I sit mostly in the Red Hat world).

The behaviour is that if systemd has already bound sockets then sslh
won't use the ones on a command line or in config.

This is thus an 'opt-in' behaviour for sslh users in a systemd world.

The pull request includes example systemd units to make use of this.
The key benefit of doing this is that sslh does not need to run as
root to bind low ports thus minimising the potential attack area.

If there are no sockets for systemd to pass over to sslh
(sd_listen_fds == 0) then the usual bind and listen code gets
executed.

With the example units in the README.md diff these sockets survive a
`systemctl restart sslh` correctly, and restarting the socket unit to
pick up any binding changes restarts the service correctly.

Kind regards,

James
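The opt-in behaviour described in the post, as an added illustration that is not sslh's own code or the pull request: `parse_listen_fds` implements the `LISTEN_PID`/`LISTEN_FDS` protocol that `sd_listen_fds()` speaks (without linking libsystemd), `take_systemd_sockets` adopts the inherited fds, and `fallback_listen` is the usual bind+listen path taken when the count is 0. Function names, the loopback address and the port are assumptions for the example.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define SD_LISTEN_FDS_START 3  /* first inherited fd, per the systemd protocol */

/* Pure parse of LISTEN_PID / LISTEN_FDS. Returns the number of inherited fds,
 * or 0 when the variables are absent, malformed, or addressed to another
 * process: the "sd_listen_fds == 0" case that falls back to bind/listen. */
int parse_listen_fds(const char *listen_pid, const char *listen_fds, pid_t self) {
    char *end;
    if (!listen_pid || !listen_fds) return 0;
    errno = 0;
    long pid = strtol(listen_pid, &end, 10);
    if (errno || *end != '\0' || pid != (long)self) return 0;
    long n = strtol(listen_fds, &end, 10);
    if (errno || *end != '\0' || n < 0 || n > INT_MAX - SD_LISTEN_FDS_START) return 0;
    return (int)n;
}

/* Adopt the sockets systemd already bound (possibly on low ports) so the
 * unprivileged service never needs CAP_NET_BIND_SERVICE. FD_CLOEXEC keeps the
 * listening sockets from leaking into any helper the service later execs. */
int take_systemd_sockets(int *fds, int max) {
    int n = parse_listen_fds(getenv("LISTEN_PID"), getenv("LISTEN_FDS"), getpid());
    if (n > max) n = max;
    for (int i = 0; i < n; i++) {
        fds[i] = SD_LISTEN_FDS_START + i;
        fcntl(fds[i], F_SETFD, FD_CLOEXEC);
    }
    unsetenv("LISTEN_PID"); unsetenv("LISTEN_FDS");  /* don't hand them to children */
    return n;
}

/* Fallback when nothing was passed: ordinary bind+listen. A port below 1024
 * here requires root or CAP_NET_BIND_SERVICE, which socket activation avoids. */
int fallback_listen(const char *addr, uint16_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd); return -1;
    }
    return fd;  /* caller decides: inherited fds if n > 0, else this socket */
}
```

A service would call `take_systemd_sockets` first and only call `fallback_listen` for the addresses from its config when it returns 0, which matches the behaviour the post describes.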
