[Cialug] The systemd Init System
Todd E Thomas
todd.dsm at gmail.com
Wed Dec 9 13:12:49 CST 2015
I'll keep the sharing going; spirit of the season and all...
This writeup <https://fedoramagazine.org/what-is-an-init-system/> on
systemd came though not long ago; short, solid bursts of intro info. The
one on Journal > metadata really shows the power of asking for something
specific and getting it on a per/host basis. Just fantastic. systemd also
allows for the user to write compliant messages to the journal
<http://www.freedesktop.org/software/systemd/python-systemd/index.html>.
Something I'm thankful for on a daily basis is the reordering of the
command to turn service start/stop/restart/etc. Example, the old way:
(example)
service named start
service dhcpd start
service svc-name action
The systemd way:
systemctl action svc1 svc2 svc3
systemctl restart named dhcpd firewalld
3 lines reduced to a single command; carpal tunnel threat: neutralized -
automation becomes simpler as well.
---
I found one writeup
<https://major.io/2014/11/24/trust-ip-address-firewallds-rich-rules/>
particularly interesting on firewalld
<https://fedoraproject.org/wiki/FirewallD>; it's unrelated to systemd
but seems to follow it in design/implementation while demonstrating
increased simplicity *and* security. Since firewalld manages multiple
firewall "zones" per connection, in a break-glass situation a given
set/subset of hosts can go shields-up in moments - and in very granular way
by blocking:
- an entire zone (possible; seems excessive)
- range of IPs (potentially useful)
- single IP (a more surgical strike)
With a little authentication and automation security can be increased within
moments <https://www.madboa.com/blog/2014/09/01/firewalld-block-host/> on a
"public" zone for example without having to disturb the "internal" zone;
providing time analyze a security breach without disturbing business. Easy
looks like this:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source
address="a.b.c.d" reject'
family= allows for even more specificity.
Rewind to before systemd/firewalld days - all options were far more
complex, required service restarts and tons of testing. A good intro here
<http://www.certdepot.net/rhel7-get-started-firewalld/>.
---
So, systemd <http://www.freedesktop.org/wiki/Software/systemd/>; tastes
great, costs less, makes life easier <https://youtu.be/kFwRNp7NQ-Y> and its
answers are far more specific. Since it also appears to be highly
influential we're more likely to see more implementations like it. The fact
that it's the anointed solution for all major distros makes it unavoidable.
The upside, it's been in use for years, is stable and is accessible via
Bash and Python. This could be a LUG mini-presentation all by itself.
--
Merry whatever-you-celebrate-mas,
Todd E Thomas
*"It's a frail music knits the world together."-Robert Dana*
More information about the Cialug
mailing list