The application fails to start with the opendkim service file for systemd because the service file doesn't create the /var/run/opendkim folder before the .pid file gets created. At the moment I have to manually create and set its permissions, but since /var/run -> /run is tmpfs, it will be removed at reboot. I found this link for a possible solution: https://blog.hqcodeshop.fi/archives/93-Handling-varrun-with-systemd.html
I've placed the following in /etc/systemd/system/opendkim.conf on my local machine. It's just a copy of the default opendkim.conf provided by the package with the 2 lines that create and set the permissions before start. [Unit] Description=DomainKeys Identified Mail (DKIM) Milter Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim- testkey http://www.opendkim.org/docs.html After=network.target nss-lookup.target syslog.target [Service] ExecStartPre=-/bin/mkdir /var/run/opendkim ExecStartPre=/bin/chown -R milter:milter /var/run/opendkim ExecStart=/usr/sbin/opendkim -f -x /etc/opendkim/opendkim.conf ExecReload=/bin/kill -USR1 $MAINPID [Install] WantedBy=multi-user.target
I did a bit of more research and it seems that the proper solution is to use the tmpfiles.d stuff of systemd. Basically we can add a line to /etc/tmpfiles.d/opendkim.conf that tell it to create a directory with certain permissions and ownership. This also allows us to tell systemd not to cleanup the contents of that directory. Example 3. Create a directory and prevent its contents from cleanup abrt(1), needs a directory created at boot with specific mode and ownership and its content should be preserved from the automatic cleanup applied to the contents of /var/tmp: # /usr/lib/tmpfiles.d/tmp.conf d /var/tmp 1777 root root 30d # /usr/lib/tmpfiles.d/abrt.conf d /var/tmp/abrt 0755 abrt abrt - From https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html Also a few other links of interest: http://fedoraproject.org/wiki/Packaging:Tmpfiles.d Maybe we should include a default tmpfiles conf file that we can add to the current location where gentoo store's tmpfiles.d files (which is /usr/lib/tmpfiles.d/) ?
Just adding here that recently I had some problems with the directories being deleted when I tried to start opendkim. It turned out that my files in the /etc/opendkim folder were not owned by the milter group. The weird thing that this lead to was that when the systemd service file started, it would delete the /var/run/opendkim folder (and wouldn't recreate it). It's probably more reliable to add the two ExecStartPre lines I mentioned above rather than using the tmpfiles.d method.
We do need a tmpfiles.d entry here, but it's for the local socket (if used) and not the PID file. The daemon runs in the foreground under systemd, and shouldn't need a PID file. Here's my proposal: 1. We add a tmpfiles.d entry that creates /run/opendkim with owner "opendkim". This is where the local socket should always go, regardless of your init system, from then on. 2. We add an example entry to the opendkim.service.conf file, like # This overrides the "Socket" line in your opendkim.conf configuration # file, and is required because we can't parse the config file in a # tmpfiles.d entry. The default below listens on the network. # # If you would rather use a local (UNIX) socket, try the following: # If you would #Environment="OPENDKIM_SOCKET=local:/run/opendkim/opendkim.sock" 3. We update the OpenRC service script to not mess with the socket permissions. OpenRC will respect the tmpfiles.d entry, so the permissions on /run/opendkim should already be correct (i.e. we don't need to call checkpath any more). 4. We update the OpenRC conf.d file to say that the socket must live in /run/opendkim. We can then delete the WARNING in that file. At that point, OpenRC and systemd work more or less the same with regards to the local socket. I've written some documentation here, https://wiki.gentoo.org/wiki/OpenDKIM that will be accurate AFTER these changes. Once it IS accurate (and we mention it in an elog or something), bug 575666 is fixed as well.
Actually we can do a lot better here: 1. We add a tmpfiles.d entry that creates /run/opendkim with owner "opendkim". This is where the local socket should always go, regardless of your init system, from then on. 2. We add BACK the default local "Socket" line to opendkim.conf, and another example line showing how to use an inet socket. These should have a comment mentioning that local sockets MUST live in /run/opendkim, because that is the only directory that will have the correct permissions set at boot time. 3. We delete opendkim.service.conf and opendkim.confd (we don't need the socket variable any more). 4. We delete the socket variable from the systemd unit, and delete all socket stuff from the OpenRC service file. 5. We update the wiki to mention that the local/inet socket choice should be made in the opendkim.conf file instead. Basically, since we have to use a fixed socket directory for systemd, and since the tmpfiles entry will affect OpenRC too, we can just enforce the same fixed socket directory /run/opendkim for both init systems. At that point we don't need the OPENDKIM_SOCKET variable at all, because OpenRC doesn't need to do anything with it.
Ok ok, last update. I've learned that systemd has the ability to instantiate services based on a template where the instance name becomes an argument (much like the $RC_SVCNAME variable in OpenRC). This gives us another option: "hard-coding" the path to the socket, but giving it a name that is unique to each service. For example, in the init script, CONFFILE="/etc/opendkim/${RC_SVCNAME}.conf" SOCKFILE="/run/opendkim/${RC_SVCNAME}.sock" command_args="-P ${pidfile} -x ${CONFFILE} -p ${SOCKFILE}" and likewise in the systemd service file, ExecStart=/usr/sbin/opendkim -f -x /etc/opendkim/%i.conf \ -p /run/opendkim/%i.sock That would let us get rid of both the OPENDKIM_SOCKET variable, *and* the entry in the config file. I don't think there's any reason to change the socket location if it's given a unique name, named after the service, and if we're careful to set the permissions correct. This is probably my favorite option, with the caveat that we would really need someone with systemd to write/test it.
(In reply to Michael Orlitzky from comment #6) > Ok ok, last update. This is what happens when you think too late. We'd still need a flag to switch between a local/inet socket, even if the local socket path (when enabled) is hard-coded. That eliminates the additional elegance of this approach. I think comment #5 is the winner.
Looking at this bug's CC list, I'm not quite sure if this is the best way to ask, but here goes: Could somebody using systemd please test the changes in the linked pull request? As Michael wrote, "Everything should work out-of-the-box if they follow the directions in the sample config."
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=41f1717e1094b877bbede64784644f66fd1825c5 commit 41f1717e1094b877bbede64784644f66fd1825c5 Author: Ralph Seichter <github@seichter.de> AuthorDate: 2019-04-17 15:27:19 +0000 Commit: Michael Orlitzky <mjo@gentoo.org> CommitDate: 2019-04-24 12:44:26 +0000 mail-filter/opendkim: Improved OpenRC and systemd support Michael Orlitzky and I have been working on improved OpenRC support for OpenDKIM. Our pull request has not yet been accepted upstream (not even acknowledged, in fact). The multi-file patch adds our changes to the existing Gentoo ebuild. Changes to the upstream build files include: * configure.ac: Added workaround to support @runstatedir@. On modern systems /run replaces /var/run, so using @runstatedir@ instead of @localstatedir@/run is preferable. Autoconf 2.70 will support @runstatedir@ , but it has not been released yet, so a workaround is required for version 2.61. * contrib/systemd: Use @runstatedir@ in opendkim.service.in, enable full @VARIABLE@ substitution, fix inconsistencies in the systemd service file, add tmpfiles.d configuration file (https://bugs.gentoo.org/606978). * opendkim/opendkim.conf.*.in: Use @runstatedir@ in PidFile paths, enable full @VARIABLE@ substitution. Bug: https://bugs.gentoo.org/606978 Signed-off-by: Ralph Seichter <gentoo@seichter.de> Package-Manager: Portage-2.3.62, Repoman-2.3.11 Signed-off-by: Michael Orlitzky <mjo@gentoo.org> .../opendkim/files/opendkim-2.10.3-openrc.patch | 303 +++++++++++++++++++++ mail-filter/opendkim/opendkim-2.10.3-r11.ebuild | 222 +++++++++++++++ 2 files changed, 525 insertions(+)
-r11 is in the tree now, with a new tmpfiles.d entry and a rewritten service file. The "systemd-analyze verify" command tells me that nothing is too screwed up, but we'll wait to hear back before calling this done.
Presumably this works since no one has complained. Ralph even went to the trouble of setting up a systemd VM to test, and both the PID file and local socket work (if you follow the wiki for the latter).
