-
Notifications
You must be signed in to change notification settings - Fork 134
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support socket activation with non-default ports #257
base: main
Are you sure you want to change the base?
Support socket activation with non-default ports #257
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the PR. I've added a couple of comments.
Is there anything else that would need to be added to ensure complete managements of socket base instantiation? Ubuntu 22.10 appears to use sockets by default. Do you know if this change will fully support that implementation?
I can give Ubuntu 22.10 a try, but in general, I don't see why this shouldn't work. What should probably be done is to set the OS specific defaults for I have pushed a few more commits to handle non-default SSH ports properly and converted the PR to a Draft for now, since I think a few more changes might be needed:
|
e87de8d
to
7846250
Compare
Control via the var `sshd_socket_activation` whether SSH should run as a single permanent service or whether on each incoming connection request, a new instance of `sshd@.service` should be spawned. This improves security, allows for easier per-connection troubleshooting and eliminates the need to restart the service after config changes. Co-authored-by: Rich Megginson <rmeggins@redhat.com>
Since the .socket unit needs to be rewritten in case of a custom port, a more fine-grained control over which unit is managed is required.
Co-authored-by: Rich Megginson <rmeggins@redhat.com>
7846250
to
b35a771
Compare
|
||
- name: Reload the SSH service | ||
ansible.builtin.service: | ||
name: "{{ sshd_service }}" | ||
name: "{{ sshd_service }}{{ '.socket' if sshd_socket_activation | bool else '' }}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: I would propose to use temporary variable for this as it is not visible on the first sight what is being done. Something like
__sshd_systemd_unit: "{{ sshd_service }}{{ '.socket' if sshd_socket_activation | bool else '' }}"
and then
ansible.builtin.service:
name: "{{ __sshd_systemd_unit }}"
The task name no longer matches description either. It should be Reload the SSH unit
or something like that.
@@ -1,8 +1,16 @@ | |||
--- | |||
- name: Reload systemd units |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This reloads the systemd daemon (man systemctl, find daemon-reload
for description). Reloading units is only part of the task.
|
||
- name: Service enabled and running | ||
ansible.builtin.service: | ||
name: "{{ sshd_service }}" | ||
name: "{{ sshd_service }}{{ '.socket' if sshd_socket_activation | bool else '' }}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same as in the main.yml -- this should be defined only in one place.
Additionally, when you enable socket activation, you need to make sure the normal service is disabled and vice versa (because they conflict with each other and systemd had in the past huge issues resolving such conflicts resulting in non-accessible systems).
ping - any update? |
Enhancement:
Control via the var
sshd_socket_activation
whether SSH should run as a single permanent service or whether on each incoming connection request, a new instance ofsshd@.service
should be spawned.Reason:
This improves security, allows for easier per-connection troubleshooting and eliminates the need to restart the service after config changes.
Result:
sshd.socket
is running,sshd.service
is notsshd@1-10.13.13.5:22-192.168.178.53:44876.service
is spawnedIssue Tracker Tickets (Jira or BZ if any): -