httpd/httpd.service.xml

393 lines
17 KiB
XML
Raw Normal View History

<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
]>
2017-05-19 10:47:21 +00:00
<!--
Copyright 2018 Red Hat, Inc.
2017-05-19 10:47:21 +00:00
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<refentry>
<refentryinfo>
<title>httpd systemd units</title>
<productname>httpd</productname>
<author><contrib>Author</contrib><surname>Orton</surname><firstname>Joe</firstname><email>jorton@redhat.com</email></author>
</refentryinfo>
<refmeta>
<refentrytitle>httpd.service</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>
<refnamediv>
<refname>httpd.service</refname>
<refname>httpd@.service</refname>
<refname>httpd.socket</refname>
<refname>httpd-init.service</refname>
<refpurpose>httpd unit files for systemd</refpurpose>
</refnamediv>
<refsynopsisdiv>
<para>
<filename>/usr/lib/systemd/system/httpd.service</filename>,
<filename>/usr/lib/systemd/system/httpd@.service</filename>,
<filename>/usr/lib/systemd/system/httpd-init.service</filename>,
<filename>/usr/lib/systemd/system/httpd.socket</filename>
</para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This manual page describes the <command>systemd</command>
unit files used to integrate the <command>httpd</command> daemon
2018-07-23 12:43:03 +00:00
with <command>systemd</command>. Two main unit files are
available: <command>httpd.service</command> allows the
<command>httpd</command> daemon to be run as a system service, and
<command>httpd.socket</command> allows httpd to be started via
socket-based activation. Most systems will use
<command>httpd.service</command>.</para>
2017-05-26 15:51:56 +00:00
<para>The <command>apachectl</command> command has been modified
to invoke <command>systemctl</command> for most uses, so for
example, running <command>apachectl start</command> is equivalent
to running <command>systemctl start httpd.service</command>. This
ensures that the running httpd daemon is tracked and managed by
<command>systemd</command>. In contrast, running
<command>httpd</command> directly from a root shell will start the
service outside of <command>systemd</command>; in this case,
default security restrictions described below (including, but not
limited to, SELinux) will not be enforced.</para>
<refsect2>
<title>Changing default behaviour</title>
<para>To change the default behaviour of the httpd service, an
<emphasis>over-ride</emphasis> file should be created, rather
than changing
<filename>/usr/lib/systemd/system/httpd.service</filename>
directly, since such changes would be lost over package
upgrades. Running <command>systemctl edit
httpd.service</command> or <command>systemctl edit
httpd.socket</command> as root will create a drop-in file (in
the former case, in
<filename>/etc/systemd/system/httpd.service.d</filename>) which
over-rides the system defaults.</para>
2017-05-26 15:51:56 +00:00
<para>For example, to set the <option>LD_LIBRARY_PATH</option>
environment variable for the daemon, run <command>systemctl edit
httpd.service</command> and enter:
<programlisting>[Service]
Environment=LD_LIBRARY_PATH=/opt/vendor/lib</programlisting></para>
</refsect2>
<refsect2>
<title>Starting the service at boot time</title>
<para>The httpd.service and httpd.socket units are
<emphasis>disabled</emphasis> by default. To start the httpd
service at boot time, run: <command>systemctl enable
httpd.service</command>. In the default configuration, the
httpd daemon will accept connections on port 80 (and, if mod_ssl
is installed, TLS connections on port 443) for any configured
IPv4 or IPv6 address.</para>
<para>If httpd is configured to depend on any specific IP
2017-05-26 15:51:56 +00:00
address (for example, with a "Listen" directive) which may only
2018-07-06 09:33:09 +00:00
become available during start-up, or if httpd depends on other
services (such as a database daemon), the service
<emphasis>must</emphasis> be configured to ensure correct
2018-07-06 09:33:09 +00:00
start-up ordering.</para>
<para>For example, to ensure httpd is only running after all
configured network interfaces are configured, create a drop-in
2017-05-26 15:51:56 +00:00
file (as described above) with the following section:
<programlisting>[Unit]
After=network-online.target
Wants=network-online.target</programlisting>
See <ulink
url="https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/"/>
2018-07-06 09:33:09 +00:00
for more information on start-up ordering with systemd.</para>
</refsect2>
<refsect2>
<title>SSL/TLS certificate generation</title>
<para>The <command>httpd-init.service</command> unit is provided
with the mod_ssl package. This oneshot unit automatically
creates a TLS server certificate and key (using a generated
self-signed CA certificate and key) for testing purposes before
httpd is started. To inhibit certificate generation, use
<command>systemctl mask httpd-init.service</command> after
installing mod_ssl, and adjust the mod_ssl configuration to use
2018-05-01 07:54:09 +00:00
an appropriate certificate and key.</para>
</refsect2>
<refsect2>
<title>Reloading and stopping the service</title>
<para>When running <command>systemctl reload
2017-05-26 15:51:56 +00:00
httpd.service</command>, a <emphasis>graceful</emphasis>
restart is used, which sends a signal to the httpd parent
process to reload the configuration and re-open log files. Any
children with open connections at the time of reload will
terminate only once they have completed serving requests. This
prevents users of the server seeing errors (or potentially
losing data) due to the reload, but means some there is some
delay before any configuration changes take effect for all
users.</para>
2017-05-26 15:51:56 +00:00
<para>Similarly, a <emphasis>graceful stop</emphasis> is used
when <command>systemctl stop httpd.service</command> is run,
which terminates the server only once active connections have
been processed.</para>
<para>To "ungracefully" stop the server without waiting for
requests to complete, use <command>systemctl kill
--kill-who=main httpd</command>; similarly to "ungracefully"
reload the configuration, use <command>systemctl kill
--kill-who=main --signal=HUP httpd</command>.</para>
</refsect2>
2018-03-28 19:15:39 +00:00
<refsect2>
<title>Automated service restarts</title>
<para>System packages (including the httpd package itself) may
restart the httpd service automatically after packages are
upgraded, installed, or removed. This is done using the
2023-10-18 08:15:16 +00:00
<command>systemctl try-restart httpd.service</command> command, which
stops then starts the service if it is running.</para>
<para>To disable automatic restarts, create the file
<filename>/etc/sysconfig/httpd-disable-posttrans</filename>.
When <command>httpd</command> interfaces are added in an update,
it may not be safe to <emphasis>reload</emphasis> a running
service after upgrading, if updated modules require interfaces
2023-10-18 08:15:16 +00:00
only available in the updated <command>httpd</command> binary.
It is recommended to allow automatic restarts for this
reason.</para>
2018-03-28 19:15:39 +00:00
</refsect2>
<refsect2>
<title>Changing the default MPM (Multi-Processing Module)</title>
<para>httpd offers a choice of multi-processing modules (MPMs),
which can be configured in
<filename>/etc/httpd/conf.modules.d/00-mpm.conf</filename>.
See
<citerefentry><refentrytitle>httpd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information on changing the MPM.</para>
</refsect2>
<refsect2>
<title>systemd integration and mod_systemd</title>
2017-05-26 15:51:56 +00:00
<para>The httpd service uses the <option>notify</option> systemd
service type. The <literal>mod_systemd</literal> module must be
loaded (as in the default configuration) for this to work
correctly - the service will fail if this module is not
loaded. <literal>mod_systemd</literal> also makes worker and
request statistics available when running <command>systemctl status
httpd</command>. See
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information on systemd service types.</para>
</refsect2>
<refsect2>
<title>Security and SELinux</title>
<para>The default SELinux policy restricts the httpd service in
2017-05-26 15:51:56 +00:00
various ways. For example, the default policy limits the ports
to which httpd can bind (using the <literal>Listen</literal>
directive), which parts of the filesystem can be accessed, and
whether outgoing TCP connections are possible. Many of these
2018-07-23 12:43:03 +00:00
restrictions can be relaxed or adjusted by using
<command>semanage</command> to change booleans or other
types. See
<citerefentry><refentrytitle>httpd_selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for more information.</para>
</refsect2>
<refsect2>
<title>Process policies and restrictions</title>
<para>The <command>httpd.service</command> unit enables a
variety of sandboxing options. Many of these prevent the service
from changing the system configuration or attributes of the
kernel - such as <emphasis>ProtectClock</emphasis> and
<emphasis>ProtectKernelModules</emphasis>. See
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
and
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information on these options. Particular notice should
be taken of the following:
<itemizedlist>
<listitem><para><emphasis>PrivateTmp</emphasis> is enabled by
default. The <filename>/tmp</filename> and
<filename>/var/tmp</filename> directories available within the
httpd process (and CGI scripts, etc) are not shared by other
processes.</para></listitem>
<listitem><para><emphasis>OOMPolicy</emphasis> is set to
<emphasis>continue</emphasis> by default. Under the default
Out-of-Memory policy, the entire service will be terminated if
any process is killed by the kernel OOM killer. By setting
the policy to <emphasis>continue</emphasis>, httpd will
continue to run (and recover) if a single child is terminated
because of excess memory consumption.</para></listitem>
<listitem><para><emphasis>ProtectHome</emphasis> is set to
<emphasis>read-only</emphasis> by default. CGI scripts run via
<emphasis>UserDir</emphasis> will not be able modify any
content in <filename>/home</filename> by
default.</para></listitem>
<listitem><para><emphasis>ProtectSystem</emphasis> is set to
<emphasis>yes</emphasis> by default; this mounts various
system paths like <filename>/usr</filename> and
<filename>/boot</filename> as read-only by
default.</para></listitem>
</itemizedlist></para>
</refsect2>
<refsect2>
<title>Logging and log file rotation</title>
<para>The <command>httpd</command> daemon is configured to log
to the <filename>/var/log/httpd</filename> directory by default,
and a drop-in for <command>logrotate</command> is provided at
<filename>/etc/logrotate.d/httpd</filename> to enable log file
rotation. The <command>httpd.service</command> systemd unit is
reloaded after a <command>logrotate</command> run.</para>
<para>Log file compression is not enabled by default; since
<command>httpd</command> can continue writing to open log files
for some time after a reload (graceful restart), if compression
is enabled the <literal>delaycompress</literal> option must be
present (as in the default) to delay compression of log files to
a later rotation run.</para>
</refsect2>
2017-11-03 16:52:50 +00:00
<refsect2>
<title>Socket activation</title>
<para>Socket activation (see
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information) can be used with <command>httpd</command>
by enabling the <command>httpd.socket</command> unit. The
<command>httpd</command> listener configuration must exactly
match the <literal>ListenStream</literal> options configured for
the <command>httpd.socket</command> unit. The default
<command>httpd.socket</command> has a
<literal>ListenStream=80</literal> and, if mod_ssl is installed,
<literal>ListenStream=443</literal> by a drop-in file. If
additional <literal>Listen</literal> directives are added to the
httpd configuration, corresponding
<literal>ListenStream</literal> options should be added via
drop-in files, for example via <command>systemctl edit
httpd.socket</command>.</para>
<para>If using socket activation with httpd, only one listener
on any given TCP port is supported; a configuration with both
"<literal>Listen 127.0.0.1:80</literal>" and "<literal>Listen
192.168.1.2:80</literal>" will not work.</para>
</refsect2>
<refsect2>
2018-07-06 09:33:09 +00:00
<title>Instantiated services</title>
2020-02-07 11:44:02 +00:00
<para>The <command>httpd@.service</command> unit is a template
for creating instantiated services. An instance of this unit
will be started using the configuration file
<filename>/etc/httpd/conf/INSTANCE.conf</filename>, where
<emphasis>INSTANCE</emphasis> is replaced with the instance
name. For example, <command>systemctl start
httpd@foobar.service</command> will start httpd using the
configuration file
<filename>/etc/httpd/conf/foobar.conf</filename>. The
<option>HTTPD_INSTANCE</option> environment variable is set to
2018-05-01 07:54:09 +00:00
the instance name by the unit and is available for use within
the configuration file.</para>
<para>To allow multiple instances of httpd to run
simultaneously, a number of configuration directives must be
2018-05-01 07:54:09 +00:00
changed, such as <command>PidFile</command> and
<command>DefaultRuntimeDir</command> to pick non-conflicting
paths, and <command>Listen</command> to choose different ports.
The example configuration file
<filename>/usr/share/doc/httpd/instance.conf</filename>
2020-04-20 14:26:31 +00:00
demonstrates how to make such changes using the
<option>HTTPD_INSTANCE</option> variable.</para>
<para>It can be useful to configure instances of
<command>httpd@.service</command> to reload when
<command>httpd.service</command> is reloaded; for example,
<command>logrotate</command> will reload only
<command>httpd.service</command> when logs are rotated. If this
behaviour is required, create a drop-in file for the instance as
follows:
<programlisting>[Unit]
ReloadPropagatedFrom=httpd.service</programlisting>
As with normal units, drop-in files for instances can be created
using <command>systemctl edit</command>, e.g. <command>systemctl edit
httpd@foobar.service</command>.</para>
</refsect2>
</refsect1>
<refsect1>
<title>Files</title>
<para><filename>/usr/lib/systemd/system/httpd.service</filename>,
<filename>/usr/lib/systemd/system/httpd.socket</filename>,
2018-05-01 07:54:09 +00:00
<filename>/usr/lib/systemd/system/httpd@.service</filename>,
<filename>/etc/systemd/systemd/httpd.service.d</filename></para>
</refsect1>
<refsect1>
<title>See also</title>
<para>
<citerefentry><refentrytitle>httpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>httpd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
2017-11-03 16:52:50 +00:00
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
2017-05-26 15:51:56 +00:00
<citerefentry><refentrytitle>httpd_selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>semanage</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>logrotate</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
</refsect1>
</refentry>
2018-07-06 09:33:09 +00:00
<!-- LocalWords: systemd PidFile
-->