From 7887c289d90f78913401ce15bb41840eb998daaf Mon Sep 17 00:00:00 2001 From: Leo Date: Sat, 18 Sep 2021 14:30:59 +0200 Subject: [PATCH] docs: undocument systemd sockets We don't need zero-downtime restarts anymore, and the socket unit lifecycle is annoying to deal with (the socket can't be enabled if the unit is already started). Much easier to use the capability. Change-Id: I9d3cb5428eb0e35554866e6e42b7759569b12efb --- docs/operations.md | 28 ++-------------------------- 1 file changed, 2 insertions(+), 26 deletions(-) diff --git a/docs/operations.md b/docs/operations.md index 59a9a8408..0490c080b 100644 --- a/docs/operations.md +++ b/docs/operations.md 
@@ -215,34 +215,10 @@ It is safe to expose the publicWeb port on signing nodes. For better resiliency future guardiand releases will include listen-only mode such that multiple guardiand instances without guardian keys can be operated behind a load balancer. -### systemd socket activation - -guardiand optionally supports systemd socket activation for unprivileged binding to port 443 and restarts -with minimal downtime. - -It can be enabled by prefixing your `--publicWeb` endpoint by `sd:`. guardiand will then use the specified -socket provided by systemd (e.g. `--publicWeb=sd:[::]:443`). - -You'll need a second systemd unit bound to your main `guardiand.service`: - -``` -# /etc/systemd/system/guardiand-web.socket - -[Socket] -ListenStream=443 -Service=guardiand.service - -[Install] -WantedBy=sockets.target -``` - -... and enable it: `systemctl enable --now guardiand-web.socket`. You need to restart `guardiand.service` as well. - ### Binding to privileged ports -If you want to bind `--publicWeb` to a port <1024 **without** using socket activation as described above, you need to assign -the CAP_NET_BIND_SERVICE capability. This can be accomplished by either adding the capability to the binary -(like in non-systemd environments): +If you want to bind `--publicWeb` to a port <1024, you need to assign the CAP_NET_BIND_SERVICE capability. +This can be accomplished by either adding the capability to the binary (like in non-systemd environments): sudo setcap cap_net_bind_service=+ep guardiand
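Review bot: the hunk drops the `sd:` socket-activation section entirely but leaves no migration note for operators who followed it, and nothing in the remaining text tells them what to do with an already-enabled `guardiand-web.socket`. Since the commit title is "undocument" rather than "remove", the `--publicWeb=sd:...` code path presumably still exists; either keep a one-line deprecation notice pointing at the capability approach, or add a short step under "Binding to privileged ports" such as: "If you previously used socket activation, `systemctl disable --now guardiand-web.socket` before switching `--publicWeb` to a plain address." Otherwise a unit that still has `Service=guardiand.service` will keep claiming port 443 and the newly capability-enabled daemon will fail to bind. While touching this section, the `sudo setcap cap_net_bind_service=+ep guardiand` line would benefit from the caveat that file capabilities are attached to the inode and are lost whenever the binary is replaced, so the command has to be rerun after every upgrade; the systemd alternative the paragraph alludes to with "either" does not have that problem, so pointing operators there first is the safer default.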