[nailer]

Woo. Have been using the RHEL 7 Amazon AMI images, and it's nice not to worry about shell scripts / custom supervisord stuff for your web services anymore.

My node app is deployed with a single `myapp.service` file thanks to systemd:

    [Service]
    ExecStart=/usr/local/bin/node --harmony /var/www/myapp/server.js
    Restart=always
    User=nobody
    Group=nobody
    Environment=PATH=/usr/bin:/usr/local/bin
    Environment=NODE_ENV=production

    [Install]
    WantedBy=multi-user.target

Then:

  iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000

(since I run my app on a low port so it can run as nobody, and 3000 isn't visible to the outside)

  cp myapp.service /etc/systemd/system

  systemctl enable myapp.service

  systemctl start myapp.service

This has all the stuff you expect:

- Not restarting repeatedly if the app is bouncing up and down.

- I can see how it goes with `journalctl` which reads journald messages, and those messages come from a source called `myapp` rather than the old ancient syslog facilities (local0, uucp, lpd) which everyone just ignored in favour of grepping.

[jfindley]

You could potentially register your application with firewalld to make the iptables part even more elegant - then the port would only be open when the service was running.

That said I'm somewhat on the fence about firewalld in a server context - the zones are really designed around mobile computing use-cases, and I'm not a fan of xml as a configuration language.

[Alupis]

I gave CentOS 7 a spin last night (been waiting for the release!).

I installed it on VirtualBox (using a Windows host pc). I must say, my first impressions are that this is a very nice release.

They implemented the same new installer from Fedora, which I really like. It makes for 2 clicks (Language and Keyboard) and then it's installing in the background while you can setup your passwords and accounts. This makes for a very fast install.

The system just seems to feel "faster". I know that is completely objective, but mind you, I did not have the VirtualBox Guest Tools installed on the VM, and it still felt "native". I'm not sure what about it specifically feels faster, just everything I guess... especially booting.

eth0 was set to "ONBOOT=no" by default, which tripped me up for a half second (since all previous releases came with all adapters up). A quick config change and restart the network service, and up and running. I was surprised there was already update packages available, including a kernel update.

VirtualBox did not want to install it's Guest Additions/Tools on the VM, due to some change with "numa", from my understanding it's memory allocation related (could be wrong). In any event, I got the "struct mm_struct has no member named numa_next_reset" error.

Some digging around and I located this patch: https://www.virtualbox.org/ticket/12638

Applied it to the VirtualBox src once it unpacked itself to the /opt directory. After the patch, the Virtualbox Tools compile ok and installed.

I have a lot more playing around to do this evening... but so far, happy to say, this is shaping up to be a great release.

[ck2]

How do you do "configtest" and "graceful" with systemd/systemctl

(trick question, you cannot, use old init.d scripts)

[jrslack]

>trick question, you cannot

  [Unit]
  Description=The Apache HTTP Server
  After=remote-fs.target nss-lookup.target
  [Service]
  Type=notify
  EnvironmentFile=/etc/sysconfig/httpd
  ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
  ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
  ExecStop=/usr/sbin/httpd $OPTIONS -k graceful-stop
  KillSignal=SIGCONT
  PrivateTmp=true
  [Install]
  WantedBy=multi-user.target

and 'apachectl configtest' or 'nginx -t' iirc

[frio]

Why would I do a `configtest` with a thing that starts or stops a service in the first place? That's what `apachectl configtest` or whatever is for.

I wouldn't expect to go to Windows' list of services, right click one and run arbitrary commands either.

[Shish2k]

How do you do "configtest" and "graceful" with old init.d scripts?

    # /etc/init.d/mysqld configtest
    Usage: /etc/init.d/mysqld {start|stop|status|restart|condrestart|try-restart|reload|force-reload}

    # /etc/init.d/mysqld graceful
    Usage: /etc/init.d/mysqld {start|stop|status|restart|condrestart|try-restart|reload|force-reload}

[ck2]

configtest and graceful are "commands" used by other scripts such as httpd (apache) and nginx scripts which can take alternate signals to do other actions

but even in your example, condrestart, try-restart, those aren't supported by pure systemd scripts - however if you were using the init.d version you could do the easy-to-remember/type service mysqld condrestart

Fortunately with 7.0 you can keep using the old init.d scripts and custom commands, hopefully that will never go away with any of the later 7.x versions (I don't see why).

[nailer]

I'm not a systemd expert, but for configtest, you could add a 'Config' parameter and patch systemd to record the hash of each config file at start time. From then on, all .services, ever, that supplied their Config would be able to do a configtest and condrestart. DRY.

What's 'graceful'? A particular signal?

[netcraft]

that looks so much cleaner than init.d scripts. I have heard some people refer to systemd as not very linux-esque - can someone comment on what that might mean?

[keeperofdakeys]

Systemd isn't just replacing the init process and service manager, it encompasses many other boot and session related features. As an example, Gnome now uses parts of systemd for session management (replacing consoleskit, and others). While there are workarounds, this means no one can really use any other init system besides systemd, or things won't work correctly.

This is what many people view un-unix like, a big dependency, that can't be replaced in the chain. The systemd developers also develop udev (which actually builds out of the same source tree as systemd), and there have been a few arguments about whether certain responsibilities are that of the kernel, or udev/userspace http://lwn.net/Articles/518942/, http://lwn.net/Articles/593676/. Systemd also touts its cgroup usage, though they view that they should be the only user of cgroups, since they are in a spot to "manage things properly" (which is partially true). (Some services have also started relying on systemd's cgroups to clean up orphan processes, which is bad for other init systems that don't do this).

So no one really hates how systemd works, just how its managed, and what it aims to do. If it were a simple init system and service manager, there would probably have been no arguments.

[jrslack]

>though they view that they should be the only user of cgroups

And they're absolutely correct. There can only be one cgroups manager on the system. cgmanager isn't finished, either.

>As an example, Gnome now uses parts of systemd for session management (replacing consoleskit, and others). While there are workarounds, this means no one can really use any other init system besides systemd, or things won't work correctly.

Gnome requires logind, which is the successor to consolekit. Gnome has repeatedly stated that they're willing to work with the BSDs et al with workarounds. You can either use the old logind, which doesn't require systemd as PID1 (due to cgroups management changes) or you can develop your own replacement to logind, one that doesn't require systemd as PID1.

People criticize these decisions, but they have no suggestions on how to fix it and, for the most part, they have no inkling of why there's a requirement.

[mackal]

1) Lennart Poettering

2) MAH FREEDOMS!

There are technical reasons people don't like systemd that are valid, but usually the die hard anti-systemd people boil down to hating Lennart Poettering and complaining about how the US Constitution must some where say they never have to use systemd.

There are some valid concerns (big scope, bloat, feature creep, etc) but they really haven't come to fruition, although are still valid concerns.

At the end of the day, without much effort or trouble of switching to systemd from OpenRC, my system boots faster, which is great.

[Torgo]

Does "years of fucking with PulseAudio problems" count as its own item, or is that a subset of item 1?

[mackal]

I've never had issues with PulseAudio personally.

[beedogs]

...said no one ever.

The very first thing I used to do on any new Linux install (until most distros stopped including it) was to uninstall Pulse and all of its dependencies.

[michaelmike]

I still uninstall it, even though I know it's improved a bit. I just can't get to the point of trusting it, or see the point for yet another layer of latency and bugs between programs generating audio and the sound card. They should have spent all that effort making a nice interface to dmix or something. Rather than bash ALSA for being "Linux only", then turn around and create systemd which is Linux only by design. I mean, we get it. You're the next Miguel de Icaza. The savior of Linux, coming to save us from the terror of text files, open standards, and clean dependencies. People must be forgetting the hell that was CORBA and Linux circa 2001 or so. You still can't install many apps without installing half of GNOME.

[ldng]

I'll say it too.

There is a lot of unfairness around PulseAudio. Sure, it had its share of bugs BUT so did Alsa. PulseAudio was pushing the envelope so crappy Alsa drivers showed they limits. Crappy sound chips too. But PA took most of the blame although it was not always it fault. It could have been handled differently, maybe.

[keithpeter]

What sound card(s)?

Pulse audio on various old Thinkpads (X200s, X60, X61s) seems fine (Debian Wheezy and CentOS 6/pre-release 7) with built in sound card and a cheapo USB microphone as 'input'.

[mackal]

I did.

[makomk]

It depends what sound hardware and software you use, what the memory layout of the PulseAudio daemon happens to end up like on your system, your tolerance for audio glitches, and how long you go between reboots. The code quality's awful but if you're lucky you can miss out on the worst of the issues.

[e12e]

I can at least vouch for 1) drivers (arguably this is an alsa thing, but pulseaudio had a way of exposing problems), and 2) your tolerance not just for glitches, but also latency (in the form of buffers) and overall sound quality.

I suspect, based on how few people seem to be upset about pulse audio (as opposed to what one might expect) that some subset of popular sound hw worked rather well. It's just not a subset I ever owned.

[mackal]

Haven't had issues across multiple systems, even back when it first came out.

[dale-cooper]

I still use ALSA on my desktop system due to weird issues that only happen with PulseAudio.

I still don't trust Lennart, even though systemd looks nice from what i've seen.

[mateuszf]

Did you report the issues?

[girvo]

Neither, funnily enough. I've never quite understood the hate, but to be fair, if the complaints I've seen were wide-spread problems, that would make sense.

[Hello71]

s/pulseaudio/linux/

does that suck too?

[bitJericho]

http://boycottsystemd.org/

[netcraft]

>...an abhorrent and violent slap in the face to the Unix philosophy...

I can't imagine why this didn't get more traction.

[jrslack]

>Oh, an embedded HTTP server is loaded to read them. QR codes are served, as well.

And outright falsehoods. systemd-journald-gatewayd is entirely optional. People keep harping on a packaging mistake when it was first pushed to Fedora for testing, but repeating it so many times doesn't make it true.

>In fact, udev merged with systemd a long time ago

systemd relies on udev and dbus, but udev doesn't pull in systemd as a hard dependency: another falsehood I've seen parroted by those in support of the eudev fork.

[jfindley]

I'd be very interested to see a qualified crypto expert on the "sealing" that journald uses. This is one of two indicators of a troubling level of arrogance from the developers. The crypto method used by journald to verify messages haven't been tampered with is called Forward Secure Sealing [0]. It's based on an invention of the brother of Lennart - the lead developer, and for a long time after first release even the whitepaper describing it in detail was "coming soon" The code he finally produced is [1] - but rather light on documentation. I'm still unaware of any proper analysis of this, and using your brothers own crypto methods and ignoring all the questions this has raised does not come across well - and appears to seriously violate the "don't roll your own crypto system" rule.

The second indicator is the attitude to bugs, of which [2] is a good example - several of the developers appear to be extremely defensive towards any suggestion of defects in their software, and simply close bugs blaming the users, other software, anything else.

I'd be hopeful that RedHat manage to reign this behavior in, but that didn't seem to work for Ulrich Drepper when he was employed by RedHat to work on glibc, and I'm not sure if it's going to work here.

That said - I'm not in the "systemd is awful" camp - I do think there's a whole bunch of things it does really well, and that a lot of the hate is really quite reactionary - but the thing that frustrates me is that between the haters and the supporters, there are important questions that are getting lost in the noise.

[0]: http://lwn.net/Articles/512895/ [1]: https://github.com/mezcalero/fsprg [2]: https://bugs.freedesktop.org/show_bug.cgi?id=76935

[tene]

I just can't agree with your [2] as a problem. The actual problem (an assertion failure in systemd) was fixed, several alternative workarounds are provided in case the user can't or doesn't want to upgrade systemd immediately, and functionality changes about when and where and how to log were going on on the mailing list, as they should be, and the reporters were directed there politely, even after violent vitriolic attacks. After discussion concluded on the mailing list, systemd was changed to direct debug logs away from kmsg as soon as journald is available.

I can't find anything to complain about from the systemd team on that bug report. I'd just dismiss it as varying personal standards of politeness, but the complaints on that bug report are themselves far far worse, with vitriolic abuse and death threats, so there's got to be something else going on here.

[xorcist]

Relevant work in the area is Log Hash Chaining as described in RFC 5848, which at least has been through some peer review.

I don't know why they chose to ignore that, let alone what their design is really supposed to guard against. Their design allows an attacker a window of 15 minutes where they can rewrite the log at will.

So the short of it is: Keep using remote logging. Authenticate that. Don't rely on journald.

(I too have had Drepper vibes about the whole situation for quite some time. But a new init standard was long overdue and if distros can finally rally around systemd it might be worth it.)

[dale-cooper]

I like linus comment[0] about a workaround on the issue in your 3rd link.

[0]: http://lkml.iu.edu/hypermail/linux/kernel/1404.0/01331.html

[JetSpiegel]

From your [2]: Like for the kernel, there are options to fin-grain control systemd's logging behaviour; just do not use the generic term "debug" which is a convenience shortcut for the kernel AND the Base OS.

[2]: https://bugs.freedesktop.org/show_bug.cgi?id=76935

[Hello71]

all I got from [2] is "if you would like to have productive discussion, move to the mailing list. if not, prepare to be banned."

[vezzy-fnord]

Optional, but enabled by default. Most distros seem to ship with defaults and only customize flags related to library paths and FHS details (besides whatever patching they may apply). The fact that it's even there is distressing enough, really.

No one is saying udev pulls in systemd as a dependency. Where is that said?

[jrslack]

>Optional, but enabled by default

Where is it enabled by default? In what distro does gatewayd get pulled in by default?

>No one is saying udev pulls in systemd as a dependency.

By the eudev hobbyists, whose justification for their fork was largely "we don't want to force people to use systemd" and "no, we didn't contact upstream with fixes before we forked" in their presentation.

[beedogs]

Why do people use words like "violent" to describe the decision to change process launchers? Maybe if they'd toned down the rhetoric just a tiny bit that campaign might've worked better.

[vezzy-fnord]

Linux did kind of get the short end of the stick with System V initialization. BSD rc scripts are also written in shell, but much cleaner (particularly when you make use of rcorder(8) dependencies).

systemd's declarative unit file syntax is easier to reason with, but comes at the expense of having to memorize a ton of options and being fundamentally dependent on the toolbox provided to you by systemd, since you can't code your way out of unconventional corner cases as easily.

The unit file syntax isn't the reason people complain, though.

[jerven]

Of course your systemd startup can start a sh script at ease. I think systemd is going to make my life so much easier. Being more on the dev side of devops, but still needing to deploy correctly restarting aps depending on complex systems working. i.e. NFS mounts being available for data etc...

[mprovost]

Slackware has always used BSD init scripts and it's one of the oldest distros. You used to be able to choose any init system you wanted but it seems that systemd is becoming entwined with "Linux" in some nasty ways. I wonder how long Slackware (or any other distro) will be able to avoid using it since software like Gnome is starting to require it.

[SEJeff]

FWIW, systemd can also call scripts under /etc/init.d if that is really what floats your boat. It is fully backwards compatible, you just lose a lot of the flexibility of systemd when doing that. The redis-server package in RHEL7 (from EPEL) installs an init script and I know that systemctl starts it.

[jftuga]

It looks like your node deployment is very clean. For your application, are you simply using npm and a package.json file?

[nailer]

Yes. I commit node_modules though.

[martindale]

Can you enumerate your reasons why?

[nailer]

http://www.futurealoof.com/posts/nodemodules-in-git.html

[nailer]

Er 'low port' should be 'high port', ahem.