Support socket activation with non-default ports #257
Conversation
There was a problem hiding this comment.
Thank you for the PR. I've added a couple of comments.
Is there anything else that would need to be added to ensure complete managements of socket base instantiation? Ubuntu 22.10 appears to use sockets by default. Do you know if this change will fully support that implementation?
eliasp
changed the title
I can give Ubuntu 22.10 a try, but in general, I don't see why this shouldn't work. What should probably be done is to set the OS specific defaults for I have pushed a few more commits to handle non-default SSH ports properly and converted the PR to a Draft for now, since I think a few more changes might be needed:
|
eliasp
force-pushed
the
socket-activated-non-default-port
branch
2 times, most recently
from
e87de8d
to
7846250
Compare
Control via the var `sshd_socket_activation` whether SSH should run as a single permanent service or whether on each incoming connection request, a new instance of `sshd@.service` should be spawned. This improves security, allows for easier per-connection troubleshooting and eliminates the need to restart the service after config changes. Co-authored-by: Rich Megginson <rmeggins@redhat.com>
Since the .socket unit needs to be rewritten in case of a custom port, a more fine-grained control over which unit is managed is required.
Co-authored-by: Rich Megginson <rmeggins@redhat.com>
eliasp
force-pushed
the
socket-activated-non-default-port
branch
from
7846250
to
b35a771
Compare
|
|
||
| - name: Reload the SSH service | ||
| ansible.builtin.service: | ||
| name: "{{ sshd_service }}" | ||
| name: "{{ sshd_service }}{{ '.socket' if sshd_socket_activation | bool else '' }}" |
There was a problem hiding this comment.
nit: I would propose to use temporary variable for this as it is not visible on the first sight what is being done. Something like
__sshd_systemd_unit: "{{ sshd_service }}{{ '.socket' if sshd_socket_activation | bool else '' }}"
and then
ansible.builtin.service:
name: "{{ __sshd_systemd_unit }}"
The task name no longer matches description either. It should be Reload the SSH unit or something like that.
| @@ -1,8 +1,16 @@ | |||
| --- | |||
| - name: Reload systemd units | |||
There was a problem hiding this comment.
This reloads the systemd daemon (man systemctl, find daemon-reload for description). Reloading units is only part of the task.
|
|
||
| - name: Service enabled and running | ||
| ansible.builtin.service: | ||
| name: "{{ sshd_service }}" | ||
| name: "{{ sshd_service }}{{ '.socket' if sshd_socket_activation | bool else '' }}" |
There was a problem hiding this comment.
same as in the main.yml -- this should be defined only in one place.
Additionally, when you enable socket activation, you need to make sure the normal service is disabled and vice versa (because they conflict with each other and systemd had in the past huge issues resolving such conflicts resulting in non-accessible systems).
|
ping - any update? |
Enhancement:
Control via the var
sshd_socket_activationwhether SSH should run as a single permanent service or whether on each incoming connection request, a new instance ofsshd@.serviceshould be spawned.Reason:
This improves security, allows for easier per-connection troubleshooting and eliminates the need to restart the service after config changes.
Result:
sshd.socketis running,sshd.serviceis notsshd@1-10.13.13.5:22-192.168.178.53:44876.serviceis spawnedIssue Tracker Tickets (Jira or BZ if any): -