diff --git a/httpd.service.xml b/httpd.service.xml index 5455f09..807b69c 100644 --- a/httpd.service.xml +++ b/httpd.service.xml @@ -59,6 +59,17 @@ socket-based activation. Most systems will use httpd.service. + The apachectl command has been modified + to invoke systemctl for most uses, so for + example, running apachectl start is equivalent + to running systemctl start httpd.service. This + ensures that the running httpd daemon is tracked and managed by + systemd. In contrast, running + httpd directly from a root shell will start the + service outside of systemd; in this case, + default security restrictions described below (including, but not + limited to, SELinux) will not be enforced. + Changing default behaviour @@ -73,13 +84,12 @@ /etc/systemd/system/httpd.service.d which over-rides the system defaults. - For example, to set the LD_LIBRARY_PATH + For example, to set the environment variable for the daemon, run systemctl edit httpd.service and enter: [Service] Environment=LD_LIBRARY_PATH=/opt/vendor/lib - @@ -94,7 +104,7 @@ Environment=LD_LIBRARY_PATH=/opt/vendor/lib IPv4 or IPv6 address. If httpd is configured to depend on any specific IP - address (for example, with a "Listen" directive), which may only + address (for example, with a "Listen" directive) which may only become available during startup, or if httpd depends on other services (such as a database daemon), the service must be configured to ensure correct @@ -102,7 +112,7 @@ Environment=LD_LIBRARY_PATH=/opt/vendor/lib For example, to ensure httpd is only running after all configured network interfaces are configured, create a drop-in - file (as described above) with the following: + file (as described above) with the following section: [Unit] After=network-online.target 
@@ -118,7 +128,7 @@ Wants=network-online.target Reloading and stopping the service When running systemctl reload - httpd.service, a "graceful" + httpd.service, a graceful restart is used, which sends a signal to the httpd parent process to reload the configuration and re-open log files. Any children with open connections at the time of reload will @@ -128,7 +138,7 @@ Wants=network-online.target delay before any configuration changes take effect for all users. - Similarly, a "graceful stop" is used + Similarly, a graceful stop is used when systemctl stop httpd.service is run, which terminates the server only once active connections have been processed. @@ -138,7 +148,7 @@ Wants=network-online.target systemd integration and mod_systemd - httpd.service uses the "" systemd + The httpd service uses the systemd service type. The mod_systemd module must be loaded (as in the default configuration) for this to work correctly - the service will fail if this module is not @@ -153,12 +163,12 @@ Wants=network-online.target Security and SELinux The default SELinux policy restricts the httpd service in - various ways. The ports to which httpd can bind (using the - Listen directive), which parts of the - filesystem can be accessed, whether outgoing TCP connections are - possible, are limited by default, for example. Many of these - restrictions can be lifted using SELinux booleans and port - types. See + various ways. For example, the default policy limits the ports + to which httpd can bind (using the Listen + directive), which parts of the filesystem can be accessed, and + whether outgoing TCP connections are possible. Many of these + restrictions can be adjusted using semanage + to change booleans or other types. See httpd_selinux8 for more information. @@ -191,7 +201,8 @@ Wants=network-online.target systemctl1, systemd.service5, systemd.exec5, - httpd_selinux8 + httpd_selinux8, + semanage8
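Review bot: in the new apachectl paragraph (hunk @@ -59,6 +59,17 @@), "default security restrictions described below (including, but not limited to, SELinux)" is vague: the only restrictions this page describes below are the SELinux ones in the "Security and SELinux" section, so either name the other restrictions that apply only under systemd or drop "but not limited to". The same paragraph says apachectl invokes systemctl "for most uses" without saying which invocations still exec httpd directly; since the point of the paragraph is that a directly started httpd escapes systemd tracking and the SELinux confinement, list those exceptions (or state that any apachectl option that runs httpd itself has the same effect as running httpd from a root shell).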
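Review bot: in hunk @@ -73,13 +84,12 @@ the rewritten sentence "For example, to set the environment variable for the daemon" no longer names a variable, while the drop-in it introduces still sets LD_LIBRARY_PATH. Either keep the name ("to set the LD_LIBRARY_PATH environment variable for the daemon") or make the sentence generic ("to set an environment variable for the daemon"), so the prose and the example agree.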
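Review bot: dropping the comma in hunk @@ -94,7 +104,7 @@ attaches "which may only become available during startup" to the "Listen" directive rather than to the IP address it is meant to describe. Reordering keeps the meaning without the comma question: 'depend on any specific IP address which may only become available during startup (for example, with a "Listen" directive)'.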
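Review bot: the new wording in hunk @@ -138,7 +148,7 @@, "The httpd service uses the systemd service type", names no type at all, where the old line at least carried a placeholder for one. The requirement stated in the same paragraph (the service fails unless mod_systemd is loaded) only makes sense for a readiness-notifying unit, which is what the shipped httpd.service sets with Type=notify; say so explicitly, e.g. "The httpd service uses the notify systemd service type (Type=notify)", otherwise the reader cannot tell why mod_systemd is mandatory.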
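Review bot: hunk @@ -153,12 +163,12 @@ replaces "lifted using SELinux booleans and port types" with "adjusted using semanage to change booleans or other types", which is less precise than the text it removes. Booleans are normally toggled with setsebool -P (for example, setsebool -P httpd_can_network_connect on, the usual fix for the "outgoing TCP connections" restriction the paragraph mentions), and a non-default Listen port needs a port-type change with semanage port (for example, semanage port -a -t http_port_t -p tcp 8081). Suggest keeping "booleans and port types", naming both commands, and then extending the See Also hunk (@@ -191,7 +201,8 @@) with setsebool(8) next to the semanage(8) entry it adds.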