[Cialug] The systemd Init System
David Champion
dchamp1337 at gmail.com
Wed Dec 9 13:30:01 CST 2015
Question: I'm used to being able to type "service named status" for
instance, and it gives you some useful information back, like the number of
zones you have, the number of clients connected, etc. On a newer box (CentOS
7) using systemd, I haven't found a good way to get the same type of info
back.
Any pointers on that?
-dc
On Wed, Dec 9, 2015 at 1:12 PM, Todd E Thomas <todd.dsm at gmail.com> wrote:
> I'll keep the sharing going; spirit of the season and all...
>
> This writeup <https://fedoramagazine.org/what-is-an-init-system/> on
> systemd came through not long ago; short, solid bursts of intro info. The
> one on Journal > metadata really shows the power of asking for something
> specific and getting it on a per-host basis. Just fantastic. systemd also
> allows the user to write compliant messages to the journal
> <http://www.freedesktop.org/software/systemd/python-systemd/index.html>.
>
> Something I'm thankful for on a daily basis is the reordering of the
> command to start/stop/restart/etc. a service. Example, the old way:
> service named start
> service dhcpd start
> service svc-name action
>
> The systemd way:
> systemctl action svc1 svc2 svc3
> systemctl restart named dhcpd firewalld
>
> 3 lines reduced to a single command; carpal tunnel threat: neutralized -
> automation becomes simpler as well.
> ---
>
> I found one writeup
> <https://major.io/2014/11/24/trust-ip-address-firewallds-rich-rules/>
> particularly interesting on firewalld
> <https://fedoraproject.org/wiki/FirewallD>; it's unrelated to systemd
> but seems to follow it in design/implementation while demonstrating
> increased simplicity *and* security. Since firewalld manages multiple
> firewall "zones" per connection, in a break-glass situation a given
> set/subset of hosts can go shields-up in moments - and in a very granular
> way by blocking:
>
> - an entire zone (possible; seems excessive)
> - range of IPs (potentially useful)
> - single IP (a more surgical strike)
>
> With a little authentication and automation, security can be increased
> within moments <https://www.madboa.com/blog/2014/09/01/firewalld-block-host/>
> on a "public" zone, for example, without having to disturb the "internal"
> zone, providing time to analyze a security breach without disturbing
> business. Easy looks like this:
>
> firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source
> address="a.b.c.d" reject'
>
> family= allows for even more specificity.
>
> Rewind to before systemd/firewalld days - all options were far more
> complex, required service restarts and tons of testing. A good intro here
> <http://www.certdepot.net/rhel7-get-started-firewalld/>.
> ---
>
> So, systemd <http://www.freedesktop.org/wiki/Software/systemd/>; tastes
> great, costs less, makes life easier <https://youtu.be/kFwRNp7NQ-Y> and
> its answers are far more specific. Since it also appears to be highly
> influential we're more likely to see more implementations like it. The fact
> that it's the anointed solution for all major distros makes it unavoidable.
>
> The upside, it's been in use for years, is stable and is accessible via
> Bash and Python. This could be a LUG mini-presentation all by itself.
>
> --
> Merry whatever-you-celebrate-mas,
>
> Todd E Thomas
>
> *"It's a frail music knits the world together." - Robert Dana*
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
>
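The break-glass step described in the quoted message (rejecting one host or a range of IPs in the "public" zone with a rich rule while leaving the "internal" zone alone), as an added shell example that is not part of either poster's message. It validates the address first (a single IPv4 address or a CIDR range, the two granular cases from the list above), builds the rich rule string, and applies it both at runtime (immediate) and with --permanent (survives a reload). It assumes firewall-cmd from firewalld on CentOS 7; the 203.0.113.0/24 addresses are constructed documentation-range examples, and DRY_RUN is a made-up switch so the builder can be exercised on a box without firewalld.

```shell
#!/bin/sh
# Added example, not from the Cialug thread: block a host or range in one
# firewalld zone with a rich rule, validating the input before it reaches
# firewall-cmd. Assumes firewalld's firewall-cmd (CentOS 7). With DRY_RUN
# set, or when firewall-cmd is absent, the commands are printed instead.

# is_ipv4_or_cidr ADDR -> 0 if ADDR is a dotted quad, optionally with /0-32
is_ipv4_or_cidr() {
    addr=${1%%/*}
    case $1 in */*) pfx=${1#*/} ;; *) pfx=32 ;; esac
    case $pfx in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case $oct in ''|*[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# rich_rule ADDR ACTION -> prints the firewalld rich rule; 1 on bad input.
# ACTION is reject (sends ICMP unreachable) or drop (silent).
rich_rule() {
    is_ipv4_or_cidr "$1" || { echo "bad IPv4 address/range: $1" >&2; return 1; }
    case $2 in
        reject|drop) ;;
        *) echo "action must be reject or drop, got: $2" >&2; return 1 ;;
    esac
    printf 'rule family="ipv4" source address="%s" %s' "$1" "$2"
}

# block_host ZONE ADDR [reject|drop]
# Applies the rule twice: runtime (takes effect now) and --permanent
# (written to /etc/firewalld, so it is still there after a reload or reboot).
block_host() {
    zone=$1; addr=$2; action=${3:-reject}
    rule=$(rich_rule "$addr" "$action") || return 1
    if [ -z "$DRY_RUN" ] && command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --zone="$zone" --add-rich-rule="$rule" || return 1
        firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule"
    else
        printf "firewall-cmd --zone=%s --add-rich-rule='%s'\n" "$zone" "$rule"
        printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$zone" "$rule"
    fi
}

# Usage: ./block.sh public 203.0.113.7 [reject|drop]
if [ $# -ge 2 ]; then
    block_host "$@"
fi
```

Check the result with `firewall-cmd --zone=public --list-rich-rules`; to lift the block later, repeat the same two commands with `--remove-rich-rule` in place of `--add-rich-rule`. The input check matters because the rule string is built from a value an on-call person types in a hurry; rejecting anything that is not a dotted quad or a /0-32 range keeps a typo from producing a rule that silently matches nothing, or something other than what was intended.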