|
 |
710b63c |
|
|
|
710b63c |
|
|
|
710b63c |
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
|
|
710b63c |
|
|
|
710b63c |
]>
|
|
|
ae962f3 |
|
|
|
ae962f3 |
Copyright 2017 Red Hat, Inc.
|
|
|
ae962f3 |
|
|
|
ae962f3 |
Licensed to the Apache Software Foundation (ASF) under one or more
|
|
|
ae962f3 |
contributor license agreements. See the NOTICE file distributed with
|
|
|
ae962f3 |
this work for additional information regarding copyright ownership.
|
|
|
ae962f3 |
The ASF licenses this file to You under the Apache License, Version 2.0
|
|
|
ae962f3 |
(the "License"); you may not use this file except in compliance with
|
|
|
ae962f3 |
the License. You may obtain a copy of the License at
|
|
|
ae962f3 |
|
|
|
ae962f3 |
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
ae962f3 |
|
|
|
ae962f3 |
Unless required by applicable law or agreed to in writing, software
|
|
|
ae962f3 |
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
ae962f3 |
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
ae962f3 |
See the License for the specific language governing permissions and
|
|
|
ae962f3 |
limitations under the License.
|
|
|
ae962f3 |
-->
|
|
|
710b63c |
|
|
|
710b63c |
<refentry>
|
|
|
710b63c |
<refentryinfo>
|
|
|
710b63c |
<title>httpd systemd units</title>
|
|
|
710b63c |
<productname>httpd</productname>
|
|
|
710b63c |
<author><contrib>Author</contrib><surname>Orton</surname><firstname>Joe</firstname><email>jorton@redhat.com</email></author>
|
|
|
710b63c |
</refentryinfo>
|
|
|
710b63c |
|
|
|
710b63c |
<refmeta>
|
|
|
710b63c |
<refentrytitle>httpd.service</refentrytitle>
|
|
|
fce414a |
<manvolnum>8</manvolnum>
|
|
|
710b63c |
</refmeta>
|
|
|
710b63c |
|
|
|
710b63c |
<refnamediv>
|
|
|
710b63c |
<refname>httpd.service</refname>
|
|
|
710b63c |
<refname>httpd.socket</refname>
|
|
|
710b63c |
<refpurpose>httpd unit files for systemd</refpurpose>
|
|
|
710b63c |
</refnamediv>
|
|
|
710b63c |
|
|
|
710b63c |
<refsynopsisdiv>
|
|
|
710b63c |
<para>
|
|
|
710b63c |
<filename>/usr/lib/systemd/system/httpd.service</filename>,
|
|
|
710b63c |
<filename>/usr/lib/systemd/system/httpd.socket</filename>
|
|
|
710b63c |
</para>
|
|
|
710b63c |
</refsynopsisdiv>
|
|
|
710b63c |
|
|
|
710b63c |
<refsect1>
|
|
|
710b63c |
<title>Description</title>
|
|
|
710b63c |
|
|
|
710b63c |
<para>This manual page describes the <command>systemd</command>
|
|
|
710b63c |
unit files used to integrate the <command>httpd</command> daemon
|
|
|
710b63c |
with <command>systemd</command>. Two unit files are available:
|
|
|
710b63c |
<command>httpd.service</command> allows the
|
|
|
710b63c |
<command>httpd</command> daemon to be run as a system service, and
|
|
|
710b63c |
<command>httpd.socket</command> allows httpd to be started via
|
|
|
710b63c |
socket-based activation. Most systems will use
|
|
|
710b63c |
<command>httpd.service</command>.</para>
|
|
|
710b63c |
|
|
|
6fd8793 |
<para>The <command>apachectl</command> command has been modified
|
|
|
6fd8793 |
to invoke <command>systemctl</command> for most uses, so for
|
|
|
6fd8793 |
example, running <command>apachectl start</command> is equivalent
|
|
|
6fd8793 |
to running <command>systemctl start httpd.service</command>. This
|
|
|
6fd8793 |
ensures that the running httpd daemon is tracked and managed by
|
|
|
6fd8793 |
<command>systemd</command>. In contrast, running
|
|
|
6fd8793 |
<command>httpd</command> directly from a root shell will start the
|
|
|
6fd8793 |
service outside of <command>systemd</command>; in this case,
|
|
|
6fd8793 |
default security restrictions described below (including, but not
|
|
|
6fd8793 |
limited to, SELinux) will not be enforced.</para>
|
|
|
6fd8793 |
|
|
|
710b63c |
<refsect2>
|
|
|
710b63c |
<title>Changing default behaviour</title>
|
|
|
710b63c |
|
|
|
710b63c |
<para>To change the default behaviour of the httpd service, an
|
|
|
710b63c |
<emphasis>over-ride</emphasis> file should be created, rather
|
|
|
710b63c |
than changing
|
|
|
710b63c |
<filename>/usr/lib/systemd/system/httpd.service</filename>
|
|
|
710b63c |
directly, since such changes would be lost over package
|
|
|
710b63c |
upgrades. Running <command>systemctl edit
|
|
|
710b63c |
httpd.service</command> or <command>systemctl edit
|
|
|
710b63c |
httpd.socket</command> as root will create a drop-in file in
|
|
|
710b63c |
<filename>/etc/systemd/system/httpd.service.d</filename> which
|
|
|
710b63c |
over-rides the system defaults.</para>
|
|
|
710b63c |
|
|
|
6fd8793 |
<para>For example, to set the <option>LD_LIBRARY_PATH</option>
|
|
|
710b63c |
environment variable for the daemon, run <command>systemctl edit
|
|
|
710b63c |
httpd.service</command> and enter:
|
|
|
710b63c |
|
|
|
710b63c |
<programlisting>[Service]
|
|
|
710b63c |
Environment=LD_LIBRARY_PATH=/opt/vendor/lib</programlisting></para>
|
|
|
710b63c |
</refsect2>
|
|
|
710b63c |
|
|
|
710b63c |
<refsect2>
|
|
|
710b63c |
<title>Starting the service at boot time</title>
|
|
|
710b63c |
|
|
|
710b63c |
<para>The httpd.service and httpd.socket units are
|
|
|
710b63c |
<emphasis>disabled</emphasis> by default. To start the httpd
|
|
|
710b63c |
service at boot time, run: <command>systemctl enable
|
|
|
710b63c |
httpd.service</command>. In the default configuration, the
|
|
|
710b63c |
httpd daemon will accept connections on port 80 (and, if mod_ssl
|
|
|
710b63c |
is installed, TLS connections on port 443) for any configured
|
|
|
710b63c |
IPv4 or IPv6 address.</para>
|
|
|
710b63c |
|
|
|
710b63c |
<para>If httpd is configured to depend on any specific IP
|
|
|
6fd8793 |
address (for example, with a "Listen" directive) which may only
|
|
|
710b63c |
become available during startup, or if httpd depends on other
|
|
|
710b63c |
services (such as a database daemon), the service
|
|
|
710b63c |
<emphasis>must</emphasis> be configured to ensure correct
|
|
|
710b63c |
startup ordering.</para>
|
|
|
710b63c |
|
|
|
710b63c |
<para>For example, to ensure httpd is only running after all
|
|
|
710b63c |
configured network interfaces are configured, create a drop-in
|
|
|
6fd8793 |
file (as described above) with the following section:
|
|
|
710b63c |
|
|
|
710b63c |
<programlisting>[Unit]
|
|
|
710b63c |
After=network-online.target
|
|
|
710b63c |
Wants=network-online.target</programlisting>
|
|
|
710b63c |
|
|
|
710b63c |
See
|
|
|
710b63c |
url="https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/"/>
|
|
|
710b63c |
for more information on startup ordering with systemd.</para>
|
|
|
710b63c |
|
|
|
710b63c |
</refsect2>
|
|
|
710b63c |
|
|
|
710b63c |
<refsect2>
|
|
|
710b63c |
<title>Reloading and stopping the service</title>
|
|
|
710b63c |
|
|
|
710b63c |
<para>When running <command>systemctl reload
|
|
|
6fd8793 |
httpd.service</command>, a <emphasis>graceful</emphasis>
|
|
|
710b63c |
restart is used, which sends a signal to the httpd parent
|
|
|
710b63c |
process to reload the configuration and re-open log files. Any
|
|
|
710b63c |
children with open connections at the time of reload will
|
|
|
710b63c |
terminate only once they have completed serving requests. This
|
|
|
710b63c |
prevents users of the server seeing errors (or potentially
|
|
|
710b63c |
losing data) due to the reload, but means some there is some
|
|
|
710b63c |
delay before any configuration changes take effect for all
|
|
|
710b63c |
users.</para>
|
|
|
710b63c |
|
|
|
6fd8793 |
<para>Similarly, a <emphasis>graceful stop</emphasis> is used
|
|
|
710b63c |
when <command>systemctl stop httpd.service</command> is run,
|
|
|
710b63c |
which terminates the server only once active connections have
|
|
|
710b63c |
been processed.</para>
|
|
|
710b63c |
|
|
|
710b63c |
</refsect2>
|
|
|
710b63c |
|
|
|
710b63c |
<refsect2>
|
|
|
710b63c |
<title>systemd integration and mod_systemd</title>
|
|
|
710b63c |
|
|
|
6fd8793 |
<para>The httpd service uses the <option>notify</option> systemd
|
|
|
710b63c |
service type. The <literal>mod_systemd</literal> module must be
|
|
|
710b63c |
loaded (as in the default configuration) for this to work
|
|
|
710b63c |
correctly - the service will fail if this module is not
|
|
|
710b63c |
loaded. <literal>mod_systemd</literal> also makes worker and
|
|
|
710b63c |
request statistics available when running <command>systemctl status
|
|
|
710b63c |
httpd</command>. See
|
|
|
710b63c |
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
|
710b63c |
for more information on systemd service types.</para>
|
|
|
710b63c |
</refsect2>
|
|
|
710b63c |
|
|
|
710b63c |
<refsect2>
|
|
|
710b63c |
<title>Security and SELinux</title>
|
|
|
710b63c |
|
|
|
710b63c |
<para>The default SELinux policy restricts the httpd service in
|
|
|
6fd8793 |
various ways. For example, the default policy limits the ports
|
|
|
6fd8793 |
to which httpd can bind (using the <literal>Listen</literal>
|
|
|
6fd8793 |
directive), which parts of the filesystem can be accessed, and
|
|
|
6fd8793 |
whether outgoing TCP connections are possible. Many of these
|
|
|
6fd8793 |
restrictions can be adjusted using <command>semanage</command>
|
|
|
6fd8793 |
to change booleans or other types. See
|
|
|
710b63c |
<citerefentry><refentrytitle>httpd_selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
|
710b63c |
for more information.</para>
|
|
|
710b63c |
|
|
|
710b63c |
<para>The httpd service enables <emphasis>PrivateTmp</emphasis>
|
|
|
710b63c |
by default. The <filename>/tmp</filename> and
|
|
|
710b63c |
<filename>/var/tmp</filename> directories available within the
|
|
|
710b63c |
httpd process (and CGI scripts, etc) are not shared by other
|
|
|
710b63c |
processes. See
|
|
|
710b63c |
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
|
710b63c |
for more information.</para>
|
|
|
710b63c |
|
|
|
710b63c |
</refsect2>
|
|
|
710b63c |
|
|
|
710b63c |
</refsect1>
|
|
|
710b63c |
|
|
|
710b63c |
<refsect1>
|
|
|
710b63c |
<title>Files</title>
|
|
|
710b63c |
|
|
|
710b63c |
<para><filename>/usr/lib/systemd/system/httpd.service</filename>,
|
|
|
710b63c |
<filename>/usr/lib/systemd/system/httpd.socket</filename>,
|
|
|
710b63c |
<filename>/etc/systemd/systemd/httpd.service.d</filename></para>
|
|
|
710b63c |
</refsect1>
|
|
|
710b63c |
|
|
|
710b63c |
<refsect1>
|
|
|
710b63c |
<title>See also</title>
|
|
|
710b63c |
|
|
|
710b63c |
<para>
|
|
|
710b63c |
<citerefentry><refentrytitle>httpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
|
|
|
710b63c |
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
|
710b63c |
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
|
710b63c |
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
|
710b63c |
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
|
6fd8793 |
<citerefentry><refentrytitle>httpd_selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
|
|
|
6fd8793 |
<citerefentry><refentrytitle>semanage</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
|
710b63c |
</para>
|
|
|
710b63c |
</refsect1>
|
|
|
710b63c |
|
|
|
710b63c |
</refentry>
|