Current systemd versions have a NotifyAccess key for services, which
defaults to "main", meaning systemd checks the credentials of the process
that writes to the socket and rejects if it's not the PID it spawned. Since
sdnotify-wrapper runs as a (grand)child of daemon, this means its READY=1
message gets rejected, and the service gets stuck as "activating...".
This inverts the parent-child relationship so users don't have to tweak
this option to "all" (meaning daemon + whatever is running in the same
Unit™) manually. The MAINPID half of the message tells it to look after the
real daemon.
If only there was an easy, portable way of ensuring only a process, its
descendants, or trusted local services had access to the communication
channel for readiness notification, without a central registry of
everything running in the system...
Received on Wed Jun 05 2024 - 15:11:04 CEST
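The behaviour the message describes, as an added illustration that is not part of the original post and not systemd's or sdnotify-wrapper's code: a small Python model of the NotifyAccess= check applied to sd_notify datagrams. The PIDs, the cgroup membership and the "grandchild sends READY=1" layout are constructed; the MAINPID= acceptance rule is simplified to "the new PID must be in the unit's cgroup", and the actual $NOTIFY_SOCKET datagram and SCM_CREDENTIALS handling are not modelled, only the policy decision made once the sender PID is known.

```python
"""Model of systemd's NotifyAccess= check for sd_notify datagrams.

Constructed illustration (not systemd code). It reproduces the policy the
post describes: with NotifyAccess=main, a READY=1 sent by a grandchild of
the spawned process is dropped, while a main process that sends
'MAINPID=<daemon pid>\nREADY=1' is accepted and supervision moves to the
daemon it names.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class NotifyAccess(Enum):
    NONE = "none"   # notifications ignored entirely
    MAIN = "main"   # default: only the main process may notify
    EXEC = "exec"   # main process plus ExecStartPre=/ExecStartPost= control processes
    ALL = "all"     # any process in the unit's cgroup


@dataclass
class Service:
    notify_access: NotifyAccess
    main_pid: int
    cgroup_pids: Set[int]            # every pid currently in the unit's cgroup
    control_pid: Optional[int] = None
    ready: bool = False
    status: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def sender_allowed(self, sender_pid: int) -> bool:
        """The credential check: is this sender entitled to notify us?"""
        if self.notify_access is NotifyAccess.NONE:
            return False
        if self.notify_access is NotifyAccess.MAIN:
            return sender_pid == self.main_pid
        if self.notify_access is NotifyAccess.EXEC:
            return sender_pid in (self.main_pid, self.control_pid)
        return sender_pid in self.cgroup_pids

    def receive(self, sender_pid: int, payload: str) -> bool:
        """Handle one datagram; returns True if it was acted upon, False if dropped."""
        if not self.sender_allowed(sender_pid):
            self.log.append(
                f"drop from pid {sender_pid}: NotifyAccess={self.notify_access.value}")
            return False
        # The protocol is newline-separated KEY=VALUE assignments.
        for line in payload.split("\n"):
            if not line or "=" not in line:
                continue
            key, value = line.split("=", 1)
            if key == "MAINPID":
                new_pid = int(value)
                # Simplification: refuse a MAINPID= that is not in the unit's cgroup.
                if new_pid not in self.cgroup_pids:
                    self.log.append(f"refuse MAINPID={new_pid}: not in cgroup")
                    continue
                self.main_pid = new_pid
            elif key == "READY" and value == "1":
                self.ready = True
            elif key == "STATUS":
                self.status = value
            # Unknown keys are ignored, as the protocol requires.
        return True


def wrapper_as_grandchild() -> Service:
    """Original layout (constructed pids): daemon(100) -> child(101) -> sdnotify-wrapper(102).

    Under the default NotifyAccess=main the wrapper's READY=1 is dropped and
    the service would stay 'activating'.
    """
    svc = Service(NotifyAccess.MAIN, main_pid=100, cgroup_pids={100, 101, 102})
    svc.receive(sender_pid=102, payload="READY=1\n")
    return svc


def wrapper_as_main() -> Service:
    """Inverted layout (constructed pids): sdnotify-wrapper(100) is the spawned
    main process and the real daemon(101) is its child.

    The wrapper passes the check, MAINPID=101 re-points supervision at the
    daemon, and READY=1 completes activation.
    """
    svc = Service(NotifyAccess.MAIN, main_pid=100, cgroup_pids={100, 101})
    svc.receive(sender_pid=100, payload="MAINPID=101\nREADY=1\n")
    return svc
```

Running `wrapper_as_grandchild()` leaves `ready` False with a drop entry in `log`; `wrapper_as_main()` ends with `ready` True and `main_pid` 101. Setting `NotifyAccess.ALL` on the first layout is the manual tweak the post wants to avoid: the grandchild's datagram is then accepted along with anything else in the cgroup.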