Categories
Uncategorized

How to manage systemd services remotely

Manage systemd services remotely over SSH protocol.

Create user for systemd manager

Create systemd-manager user on remote machine.

$ sudo useradd --create-home systemd-manager

Prepare the directory and file that will contain public keys for public key authentication.

$ sudo mkdir /home/systemd-manager/.ssh
$ sudo touch /home/systemd-manager/.ssh/authorized_keys
$ sudo chown systemd-manager:systemd-manager /home/systemd-manager/.ssh /home/systemd-manager/.ssh/authorized_keys
$ sudo chmod 700 /home/systemd-manager/.ssh
$ sudo chmod 600 /home/systemd-manager/.ssh/authorized_keys

Populate public keys.

Remember to limit public keys to the systemd-stdio-bridge application that will be used to connect standard input to the D-Bus transport.

command="systemd-stdio-bridge",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc ssh-rsa AAAAC6Mye[...]RhUZQC systemd@manager

Configure authorization framework

Install policykit-1 application-level toolkit for managing administrative policies and privileges to populate configuration files.

$ sudo apt install policykit-1

Create authorization policy to allow systemd-manager user to execute systemctl commands without sudo.

$ cat << EOF | sudo tee /etc/polkit-1/localauthority/50-local.d/systemd-manager.pkla
[Allow user systemd-manager to execute systemctl commands]
Identity=unix-user:systemd-manager
Action=org.freedesktop.systemd1.manage-units
ResultAny=yes
EOF

Manage systemd services remotely

Display service status.

$ systemctl --host systemd-manager@server.example.org status nginx
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system.control/nginx.service.d
             └─50-MemoryLimit.conf
     Active: active (running) since Mon 2020-09-21 00:00:38 CEST; 25min ago
       Docs: man:nginx(8)
    Process: 1571 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 1572 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Main PID: 1573
      Tasks: 3 (limit: 1149)
     Memory: 3.8M (limit: 1.0G)
     CGroup: /system.slice/nginx.service
             ├─1573 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
             ├─1574 nginx: worker process
             └─1575 nginx: worker process

Restart service.

$ systemctl --host systemd-manager@server.example.org restart nginx

Set property.

$ systemctl --host systemd-manager@server.example.org set-property nginx  MemoryLimit=2G

Check if service is enabled.

$ systemctl --host systemd-manager@server.example.org is-enabled nginx
enabled

List timers.

$ systemctl --host systemd-manager@server.example.org list-timers
NEXT                         LEFT               LAST                         PASSED      UNIT                         ACTIVATES
Thu 2020-09-03 23:50:16 CEST 2 weeks 3 days ago Sun 2020-09-20 23:23:30 CEST 1h 4min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Mon 2020-09-21 00:47:04 CEST 18min left         Sun 2020-09-20 13:24:52 CEST 11h ago     apt-daily.timer              apt-daily.service
Mon 2020-09-21 02:00:00 CEST 1h 31min left      Sun 2020-09-20 13:24:52 CEST 11h ago     logrotate.timer              logrotate.service
Mon 2020-09-21 02:00:00 CEST 1h 31min left      Sun 2020-09-20 13:24:52 CEST 11h ago     man-db.timer                 man-db.service
Mon 2020-09-21 08:05:29 CEST 7h left            Sun 2020-09-20 13:24:52 CEST 11h ago     apt-daily-upgrade.timer      apt-daily-upgrade.service
5 timers listed.
Pass --all to see loaded but inactive timers, too.

List sockets.

$ systemctl --host systemd-manager@server.example.org list-sockets
LISTEN                          UNITS                           ACTIVATES
/run/initctl                    systemd-initctl.socket          systemd-initctl.service
/run/systemd/fsck.progress      systemd-fsckd.socket            systemd-fsckd.service
/run/systemd/journal/dev-log    systemd-journald-dev-log.socket systemd-journald.service
/run/systemd/journal/socket     systemd-journald.socket         systemd-journald.service
/run/systemd/journal/stdout     systemd-journald.socket         systemd-journald.service
/run/systemd/journal/syslog     syslog.socket                   rsyslog.service
/run/udev/control               systemd-udevd-control.socket    systemd-udevd.service
/var/run/dbus/system_bus_socket dbus.socket                     dbus.service
audit 1                         systemd-journald-audit.socket   systemd-journald.service
kobject-uevent 1                systemd-udevd-kernel.socket     systemd-udevd.service
10 sockets listed.
Pass --all to see loaded but inactive sockets, too.

Authorize additional operations

Sometimes you need to authorize additional operations, for example to reload the systemd manager configuration.

$ systemctl --host systemd-manager@server.example.org daemon-reload
Failed to reload daemon: Interactive authentication required.

You just need to add an additional action or use an asterisk (not recommended).

Action=org.freedesktop.systemd1.manage-units;org.freedesktop.systemd1.reload-daemon
Action=org.freedesktop.systemd1.*

Use pkaction utility to display every possible action.

$ pkaction
org.dpkg.pkexec.update-alternatives
org.freedesktop.hostname1.get-product-uuid
org.freedesktop.hostname1.set-hostname
org.freedesktop.hostname1.set-machine-info
org.freedesktop.hostname1.set-static-hostname
org.freedesktop.locale1.set-keyboard
org.freedesktop.locale1.set-locale
org.freedesktop.login1.attach-device
org.freedesktop.login1.flush-devices
org.freedesktop.login1.halt
org.freedesktop.login1.halt-ignore-inhibit
org.freedesktop.login1.halt-multiple-sessions
org.freedesktop.login1.hibernate
org.freedesktop.login1.hibernate-ignore-inhibit
org.freedesktop.login1.hibernate-multiple-sessions
org.freedesktop.login1.inhibit-block-idle
org.freedesktop.login1.inhibit-block-shutdown
org.freedesktop.login1.inhibit-block-sleep
org.freedesktop.login1.inhibit-delay-shutdown
org.freedesktop.login1.inhibit-delay-sleep
org.freedesktop.login1.inhibit-handle-hibernate-key
org.freedesktop.login1.inhibit-handle-lid-switch
org.freedesktop.login1.inhibit-handle-power-key
org.freedesktop.login1.inhibit-handle-suspend-key
org.freedesktop.login1.lock-sessions
org.freedesktop.login1.manage
org.freedesktop.login1.power-off
org.freedesktop.login1.power-off-ignore-inhibit
org.freedesktop.login1.power-off-multiple-sessions
org.freedesktop.login1.reboot
org.freedesktop.login1.reboot-ignore-inhibit
org.freedesktop.login1.reboot-multiple-sessions
org.freedesktop.login1.set-reboot-to-firmware-setup
org.freedesktop.login1.set-self-linger
org.freedesktop.login1.set-user-linger
org.freedesktop.login1.set-wall-message
org.freedesktop.login1.suspend
org.freedesktop.login1.suspend-ignore-inhibit
org.freedesktop.login1.suspend-multiple-sessions
org.freedesktop.policykit.exec
org.freedesktop.policykit.lockdown
org.freedesktop.resolve1.register-service
org.freedesktop.resolve1.unregister-service
org.freedesktop.systemd1.manage-unit-files
org.freedesktop.systemd1.manage-units
org.freedesktop.systemd1.reload-daemon
org.freedesktop.systemd1.reply-password
org.freedesktop.systemd1.set-environment
org.freedesktop.timedate1.set-local-rtc
org.freedesktop.timedate1.set-ntp
org.freedesktop.timedate1.set-time
org.freedesktop.timedate1.set-timezone

Inspect specific action from the above-mentioned list.

$ pkaction --verbose --action-id org.freedesktop.systemd1.manage-units
org.freedesktop.systemd1.manage-units:
  description:       Manage system services or other units
  message:           Authentication is required to manage system services or other units.
  vendor:            The systemd Project
  vendor_url:        http://www.freedesktop.org/wiki/Software/systemd
  icon:
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   auth_admin_keep

Alternatively, inspect systemd policy file to identify possible actions.

$ cat /usr/share/polkit-1/actions/org.freedesktop.systemd1.policy
<?xml version="1.0" encoding="UTF-8"?> <!--*-nxml-*-->
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
        "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<!--
  SPDX-License-Identifier: LGPL-2.1+
  This file is part of systemd.
  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.
-->
<policyconfig>
        <vendor>The systemd Project</vendor>
        <vendor_url>http://www.freedesktop.org/wiki/Software/systemd</vendor_url>
        <action id="org.freedesktop.systemd1.reply-password">
                <description gettext-domain="systemd">Send passphrase back to system</description>
                <message gettext-domain="systemd">Authentication is required to send the entered passphrase back to the system.</message>
                <defaults>
                        <allow_any>no</allow_any>
                        <allow_inactive>no</allow_inactive>
                        <allow_active>auth_admin_keep</allow_active>
                </defaults>
                <annotate key="org.freedesktop.policykit.exec.path">/lib/systemd/systemd-reply-password</annotate>
        </action>
        <action id="org.freedesktop.systemd1.manage-units">
                <description gettext-domain="systemd">Manage system services or other units</description>
                <message gettext-domain="systemd">Authentication is required to manage system services or other units.</message>
                <defaults>
                        <allow_any>auth_admin</allow_any>
                        <allow_inactive>auth_admin</allow_inactive>
                        <allow_active>auth_admin_keep</allow_active>
                </defaults>
        </action>
        <action id="org.freedesktop.systemd1.manage-unit-files">
                <description gettext-domain="systemd">Manage system service or unit files</description>
                <message gettext-domain="systemd">Authentication is required to manage system service or unit files.</message>
                <defaults>
                        <allow_any>auth_admin</allow_any>
                        <allow_inactive>auth_admin</allow_inactive>
                        <allow_active>auth_admin_keep</allow_active>
                </defaults>
                <annotate key="org.freedesktop.policykit.imply">org.freedesktop.systemd1.reload-daemon org.freedesktop.systemd1.manage-units</annotate>
        </action>
        <action id="org.freedesktop.systemd1.set-environment">
                <description gettext-domain="systemd">Set or unset system and service manager environment variables</description>
                <message gettext-domain="systemd">Authentication is required to set or unset system and service manager environment variables.</message>
                <defaults>
                        <allow_any>auth_admin</allow_any>
                        <allow_inactive>auth_admin</allow_inactive>
                        <allow_active>auth_admin_keep</allow_active>
                </defaults>
        </action>
        <action id="org.freedesktop.systemd1.reload-daemon">
                <description gettext-domain="systemd">Reload the systemd state</description>
                <message gettext-domain="systemd">Authentication is required to reload the systemd state.</message>
                <defaults>
                        <allow_any>auth_admin</allow_any>
                        <allow_inactive>auth_admin</allow_inactive>
                        <allow_active>auth_admin_keep</allow_active>
                </defaults>
        </action>
</policyconfig>

Limitations

You cannot edit services.

$ systemctl --host systemd-manager@server.example.org edit nginx
Cannot edit units remotely.

You cannot inspect service logs which should be obvious.