Systemd Chef Cookbook

A resource-driven Chef cookbook for managing GNU/Linux systems via systemd.

<a name="toc">Table of Contents</a>

• Recommended Reading
• Usage Tips
• Attributes
• Recipes
  • Daemons
  • Utilities
  • Helpers
• Resources
  • Units
    • systemd_automount
    • systemd_mount
    • systemd_path
    • systemd_service
    • systemd_slice
    • systemd_socket
    • systemd_swap
    • systemd_target
    • systemd_timer
  • Daemons
    • systemd_journald
    • systemd_logind
    • systemd_resolved
    • systemd_timesyncd
  • Utilities
    • systemd_bootchart
    • systemd_coredump
    • systmd_sleep
    • systemd_run
  • Miscellaneous
    • systemd_system
    • systemd_user
    • systemd_binfmt
    • systemd_modules
    • systemd_networkd_link
    • systemd_sysctl
    • systemd_sysuser
    • systemd_tmpfile
    • systemd_udev_rules
  • Common Attributes
    • Organization
    • Exec
    • Kill
    • Resource Control
    • Unit
    • Install
    • Drop-In

<a name="recommended-reading">Recommended Reading</a>

• This README
• Overview of systemd for RHEL 7
• systemd docs
• Lennart's blog series
• libraries in libraries/*.rb
• test cookbook in test/fixtures/cookbooks/setup

<a name="usage-tips">Usage Tips</a>

Drop Ins

Systemd provides support for "drop-in" units that work really well for config-
mgmt systems; rather than taking over an entire unit definition, you can apply
custom configuration (e.g. resource limits) that will be merged into the vendor-
provided unit. It's recommended to use these when modifying units installed via
the package manager. See drop-in docs for more info.

Daemon Reloads

By default, changes to unit resources will be applied to the system immediately
via calls to systemctl daemon-reload. However, on systems with large numbers
of units, daemon-reload can be problematic. For users encountering
problems (hangs, slowness) with systemctl daemon-reload calls, this cookbook
allows users to disable daemon-reloads by setting the auto_reload attribute
to false.

In some cases, it may be possible to avoid daemon-reload entirely by using the
set_properties action. However, only a subset of unit properties are supported
by systemctl set-property, so, unfortunately, in some cases a daemon-reload
may be unavoidable. For these cases, it's possible run a daemon-reload once
at the end of a converge.

This cookbook provides the daemon_reload recipe to help with this. It removes
the need to have every resource send a notification, and triggers a reload at
the end of a converge if any auto_reload false units have been updated.

<a name="attributes">Attributes</a>

too many to describe in detail ;).
in general, the attributes correspond to the related resource attributes.

<a name="recipes">Recipes</a>

• default: no-op recipe

<a name="daemon-recipes">Daemon Recipes</a>

• journald: configure, manage systemd-journald
• journal_gatewayd: configure, manage systemd-journal-gatewayd
• logind: configure, manage systemd-logind
• machined: manage systemd-machined service
• networkd: manage systemd-networkd service
• resolved: configure, manage systemd-resolved
• timesyncd: configure, manage systemd-timesyncd
• udevd: configure, manage systemd-udevd

<a name="utility-recipes">Utility Recipes</a>

• binfmt: manage systemd-binfmt one-shot boot-up unit
• bootchart: configure systemd-bootchart
• coredump: configure systemd-coredump
• hostname: configure, manage hostname with systemd-hostnamed
• locale: configure, manage locale with systemd-localed
• real_time_clock: configure system clock mode (UTC,local) with timedatectl
• sleep: configure system sleep, suspend, hibernate behavior with systemd-sleep
• sysctl: manage systemd-sysctl one-shot boot-up unit (apply sysctl at boot)
• system: configure systemd manager system-mode defaults
• sysusers: manage systemd-sysusers one-shot boot-up unit (set up system users at boot)
• timedated: manage systemd-timedated one-shot boot-up unit (set time/date at boot)
• timezone: configure, manage timezone with timedatectl
• user: configure systemd manager user-mode defaults
• vconsole: configure, manage virtual console font and keymap with systemd-vconsole

<a name="helper-recipes">Helper Recipes</a>

• daemon_reload: run delayed daemon-reload (for use with auto_reload false)

<a name="resources"></a>Resources

<a name="unit-resources"></a>Unit Resources

All unit resources support the following actions:

Important: The notable exception is when the unit is a drop-in unit,
in which case it supports only the :create, :delete, and :set_properties actions.

<a name="systemd-automount"></a>systemd_automount

Unit which describes a file system automount point controlled by systemd.
Documentation

Example usage (always paired with a mount unit):

systemd_mount 'proc-sys-fs-binfmt_misc' do
  description 'Arbitrary Executable File Formats File System'
  default_dependencies false
  mount do
    what 'binfmt_misc'
    where '/proc/sys/fs/binfmt_misc'
    type 'binfmt_misc'
  end
end

systemd_automount 'proc-sys-fs-binfmt_misc' do
  description 'Arbitrary Executable File Formats File System Automount Point'
  default_dependencies false
  before 'sysinit.target'
  condition_path_exists '/proc/sys/fs/binfmt_misc/'
  condition_path_is_read_write '/proc/sys/'
  automount do
    where '/proc/sys/fs/binfmt_misc'
  end
end

Also supports:

• organization
• unit
• install
• drop-in

--

<a name="systemd-mount"></a>systemd_mount

Unit which describes a file system mount point controlled by systemd.
Documentation

Example usage:

systemd_mount 'tmp' do
  description 'Temporary Directory'
  condition_path_is_symbolic_link '!/tmp'
  default_dependencies false
  conflicts 'umount.target'
  before %w( local-fs.target umount.target )
  mount do
    what 'tmpfs'
    where '/tmp'
    type 'tmpfs'
    options 'mode=1777,strictatime,noexec,nosuid'
  end
end

Also supports:

• organization
• unit
• install
• drop-in
• exec
• kill
• resource-control

--

<a name="systemd-path"></a>systemd_path

Unit which describes information about a path monitored by systemd for
path-based activities.
Documentation

Example usage (showing cups service activation when work is available):

systemd_path 'cups' do
  description 'CUPS Scheduler'
  install do
    wanted_by 'multi-user.target'
  end
  path do
    path_exists_glob '/var/spool/cups/d*'
  end
  action [:create, :enable, :start]
end

systemd_service 'cups' do
  description 'CUPS Scheduler'
  after 'network.target'
  install do
    wanted_by 'printer.target'
    also %w( cups.socket cups.path )
  end
  service do
    type 'notify'
    exec_start '/usr/sbin/cupsd -l'
  end
end

Also supports:

• organization
• unit
• install
• drop-in

--

<a name="systemd-service"></a>systemd_service

Unit which describes information about a process controlled and supervised by
systemd. Documentation.

While there is some overlap with the service resource in Chef-core,
this resource is more narrowly focused on service unit config/management on
systemd-based platforms, whereas the Chef-core service resource works
across multiple service-management frameworks.

As such, while it is possible to perform lifecycle management of services
on systemd platforms using the systemd_service resource, the systemd cookbook
authors do not recommend doing so. Instead, it is recommended to pair
systemd_service instances with platform-agnostic service resources,
as demonstrated below.

Example usage:

cookbook_file '/etc/init/httpd.conf' do
  source 'httpd.conf'
  only_if { ::File.executable?('/sbin/initctl') } # Upstart
end

systemd_service 'httpd' do
  description 'Apache HTTP Server'
  after %w( network.target remote-fs.target nss-lookup.target )
  install do
    wanted_by 'multi-user.target'
  end
  service do
    environment 'LANG' => 'C'
    exec_start '/usr/sbin/httpd $OPTIONS -DFOREGROUND'
    exec_reload '/usr/sbin/httpd $OPTIONS -k graceful'
    kill_signal 'SIGWINCH'
    kill_mode 'mixed'
    private_tmp true
  end
  only_if { ::File.open('/proc/1/comm').gets.chomp == 'systemd' } # systemd
end

service 'httpd' do
  action [:enable, :start]
end

Also supports:

• organization
• unit
• install
• drop-in
• exec
• kill
• resource-control

--

<a name="systemd-slice"></a>systemd_slice

Unit which describes a "slice" of the system; useful for managing resources
for of a group of processes.
Documentation

This resource has no specific options.

Example usage:

systemd_slice 'user' do
  description 'User and Session Slice'
  documentation 'man:systemd.special(7)'
  before 'slices.target'
end

Also supports:

• organization
• unit
• install
• drop-in
• resource-control

--

<a name="systemd-socket"></a>systemd_socket

Unit which describes an IPC, network socket, or file-system FIFO controlled
and supervised by systemd for socket-based service activation.
Documentation

Example usage:

# Set up OpenSSH Server socket-activation
systemd_socket 'sshd' do
  description 'OpenSSH Server Socket'
  documentation 'man:sshd(8) man:sshd_config(5)'
  conflicts 'sshd.service'
  install do
    wanted_by 'sockets.target'
  end
  socket do
    listen_stream 22
    accept true
  end
  action [:create, :enable, :start]
end

# No need to enable/start the service, the socket-activation will
systemd_service 'sshd' do
  description 'OpenSSH Server Daemon'
  documentation 'man:sshd(8) man:sshd_config(5)'
  after %w( network.target sshd-keygen.service )
  wants %w( sshd-keygen.service )
  service do
    environment_file '/etc/sysconfig/sshd'
    exec_start '/usr/sbin/sshd -D $OPTIONS'
    exec_reload '/bin/kill -HUP $MAINPID'
    kill_mode 'process'
    restart 'on-failure'
    restart_sec '42s'
  end
  install do
    wanted_by 'multi-user.target'
  end
end

Also supports:

• organization
• unit
• install
• drop-in
• exec
• kill
• resource-control

--

<a name="systemd-swap"></a>systemd_swap

Unit which describes a swap device or file for memory paging.
Documentation

Example usage:

systemd_swap 'dev-vdb' do
  install do
    wanted_by 'swap.target'
  end
  swap do
    what '/dev/vdb'
  end
end

Also supports:

• organization
• unit
• install
• drop-in
• exec
• kill
• resource-control

--

<a name="systemd-target"></a>systemd_target

Unit which describes a systemd target, used for grouping units and
synchronization points during system start-up.
Documentation

This unit has no specific options.

Example usage:

systemd_target 'plague' do
  description 'Never fear, I is here.'
  documentation 'man:systemd.special(7)'
end

Also supports:

• organization
• unit
• install
• drop-in

--

<a name="systemd-timer"></a>systemd_timer

Unit which describes a timer managed by systemd, for timer-based unit
activation (typically a service of the same name).
Documentation

Example usage:

# Given this example service
systemd_service 'mlocate-updatedb' do
  description 'Update a database for mlocate'
  service do
    type 'oneshot'
    exec_start '/usr/libexec/mlocate-run-updatedb'
    nice 19
    io_scheduling_class 2
    io_scheduling_priority 7
    private_tmp true
    private_devices true
    private_network true
    protect_system true
  end
end

# Set up a corresponding timer unit
systemd_timer 'mlocate-updatedb' do
  description 'Updates mlocate database every day'
  install do
    wanted_by 'timers.target'
  end
  timer do
    on_calendar 'daily'
    accuracy_sec '24h'
    persistent true
  end
  action [:create, :enable, :start]
end

Also supports:

• organization
• unit
• install
• drop-in

<a name="daemon-resources"></a>Daemon Resources

Resources for managing configuration of common systemd daemons.

All daemon resources support the following actions:

<a name="systemd-journald"></a>systemd_journald

Resource for configuring systemd-journald

Example use:

systemd_journald 'forward-to-syslog' do
  forward_to_syslog true
end

Also supports:

• drop-in

--

<a name="systemd-logind"></a>systemd_logind

Resource for configuring systemd-logind

Example use:

systemd_logind 'power-down-when-idle' do
  idle_action 'hibernate'
  idle_action_sec 3_600
end

Also supports:

• drop-in

--

<a name="systemd-resolved"></a>systemd_resolved

Resource for configuring systemd-resolved

Example usage:

systemd_resolved 'enable-llmnr' do
  llmnr true
end

Also supports:

• drop-in

--

<a name="systemd-timesyncd"></a>systemd_timesyncd

Resource for configuring systemd-timesyncd

Example usage:

systemd_timesyncd 'my-resolver' do
  ntp %w( 1.2.3.4 2.3.4.5 )
  fallback_ntp %w( 8.8.8.8 8.8.4.4 )
end

Also supports:

• drop-in

<a name="utility-resources"></a>Utility Resources

Resources for configuring common systemd utilities.

All utility resources support the following actions:

<a name="systemd-bootchart"></a>systemd_bootchart

Resource for configuring systemd-bootchart

Example usage:

systemd_bootchart 'include-cgroup-info' do
  control_group true
end

Also supports:

• drop-in

--

<a name="systemd-coredump"></a>systemd_coredump

Resource for configuring systemd-coredump

Example usage:

systemd_coredump 'compress-coredumps' do
  compress true
end

Also supports:

• drop-in

--

<a name="systemd-sleep"></a>systemd_sleep

Resource for configuring systemd-sleep

Example usage:

systemd_sleep 'freeze-suspend' do
  suspend_state 'freeze'
end

Also supports:

• drop-in

<a name="systemd-run"></a>systemd_run

Resource for running (optionally) resource-constrained transient units
with systemd-run. Think of it like an "execute" resource with cgroups.

Example usage:

systemd_run 'sshd-2222.service' do
  command ''/usr/sbin/sshd -D -o Port=2222'
  cpu_shares 1_024
  nice 19
  service_type 'simple'
  kill_mode 'mixed'
end

<a name="misc-resources"></a>Miscellaneous Resources

<a name="systemd-system"></a>systemd_system

Resource for configuring systemd system service manager:

systemd_system supports the following actions:

Example usage:

systemd_system 'reboot-on-crash' do
  crash_reboot true
end

Also supports:

• drop-in

--

<a name="systemd-user"></a>systemd_user

Supports same options as the systemd_system resource.

--

<a name="systemd-binfmt"></a>systemd_binfmt

Resource for managing binfmt_misc files
(configure binary formats for executables at boot)

systemd_binfmt supports the following actions:

Example usage:

systemd_binfmt 'DOSWin' do
  magic 'MZ'
  interpreter '/usr/bin/wine'
end

--

<a name="systemd-modules"></a>systemd_modules

Resource for managing modules

systemd_modules supports the following actions:

Example usage:

systemd_modules 'die-beep-die' do
  blacklist true
  modules %w( pcspkr )
  action [:create, :unload]
end

systemd_modules 'zlib' do
  modules %w( zlib )
  action [:create, :load]
end

--

<a name="systemd-networkd-link"></a>systemd_networkd_link

Resource for managing network devices

systemd_networkd_link supports the following actions:

Example usage:

systemd_networkd_link 'wireless' do
  match do
    match_mac_addr '12:34:56:78:9a:bc'
    driver 'brcmsmac'
    path 'pci-0000:02:00.0-*'
    type 'wlan'
    virtualization false
    host 'my-laptop'
    architecture 'x86-64'
  end
  link do
    name 'wireless0'
    mtu_bytes 1_450
    bits_per_second '10M'
    wake_on_lan 'magic'
    link_mac_addr 'cb:a9:87:65:43:21'
  end
end

--

<a name="systemd-sysctl"></a>systemd_sysctl

Resource for managing sysctls with systemd-sysctl

systemd_sysctl supports the following actions:

Example usage:

systemd_sysctl 'vm.swappiness' do
  value 10
  action [:create, :apply] # next boot, immediately
end

--

<a name="systemd-sysuser"></a>systemd_sysuser

Resource for managing system users with systemd-sysusers

systemd_sysuser supports the following actions:

Example usage:

systemd_sysuser '_testuser' do
  id 65_530
  gecos 'my test user'
  home '/var/lib/test'
end

--

<a name="systemd-tmpfile"></a>systemd_tmpfile

Resource for managing tmp files with systemd-tmpfiles

systemd_tmpfile supports the following actions:

Example usage:

systemd_tmpfile 'my-app' do
  path '/tmp/my-app'
  age '10d'
  type 'f'
end

--

<a name="systemd-udev-rules"></a>systemd_udev_rules

Resource for managing udev rules files

systemd_udev_rules supports the following actions:

Example usage:

# hide docker's loopback devices from udisks, and thus from user desktops
systemd_udev_rules 'udev-test' do
  rules [
    [
      {
        'key' => 'SUBSYSTEM',
        'operator' => '==',
        'value' => 'block'
      },
      {
        'key' => 'ENV{DM_NAME}',
        'operator' => '==',
        'value' => 'docker-*'
      },
      {
        'key' => 'ENV{UDISKS_PRESENTATION_HIDE}',
        'operator' => '=',
        'value' => 1
      },
      {
        'key' => 'ENV{UDISKS_IGNORE}',
        'operator' => '=',
        'value' => 1
      }
    ],
    [
      {
        'key' => 'SUBSYSTEM',
        'operator' => '==',
        'value' => 'block'
      },
      {
        'key' => 'DEVPATH',
        'operator' => '==',
        'value' => '/devices/virtual/block/loop*'
      },
      {
        'key' => 'ATTR{loop/backing_file}',
        'operator' => '==',
        'value' => '/var/lib/docker/*'
      },
      {
        'key' => 'ENV{UDISKS_PRESENTATION_HIDE}',
        'operator' => '=',
        'value' => 1
      },
      {
        'key' => 'ENV{UDISKS_IGNORE}',
        'operator' => '=',
        'value' => 1
      }
    ]
  ]
  action [:create]
end

<a name="common-resource-attributes"></a>Common Resource Attributes

<a name="common-organization"></a>Organization

special no-op attributes that yield a block for the purpose of being
able to group attributes of a resource similar to their rendered grouping.

By way of explanation:

systemd_automount 'vagrant-home' do
  description 'Test Automount'
  install do
    wanted_by 'local-fs.target'
  end
  automount do
    where '/home/vagrant'
  end
end

is the same as...

systemd_automount 'vagrant-home' do
  description 'Test Automount'
  wanted_by 'local-fs.target'
  where '/home/vagrant'
end

--

<a name="common-exec"></a>Exec

Execution environment configuration. Documentation

--

<a name="common-kill"></a>Kill

Process killing procedure configuration. Documentation

--

<a name="common-resource-control"></a>Resource Control

Resource control unit settings. Documentation

--

<a name="common-unit"></a>Unit

Common configuration options of all the unit types.
Documentation

--

<a name="common-install"></a>Install

Carries installation information for units. Used exclusively by
enable/disable commands of systemctl. Documentation

--

<a name="common-drop-in"></a>Drop-In

Cookbook-specific attributes that activate and control drop-in mode for units.

--