Customize container systemd service file

NethServer Version: 8
Module: webserver

Hi,

I am running an application in a webserver vhost that should authenticate users against AD LDAP.

I found this in the dev manual:

https://nethserver.github.io/ns8-core/core/user_domains/

Perfect, so I added this line

--network=slirp4netns:allow_host_loopback=true

to the webserver container systemd service file.

Now the authentication works through the ldapproxy, but the service file is overwritten by the app updates.

Can this change to the

[imageroot]/.config/systemd/user/webserver.service

file be made permanent without forking the ns8-webserver app?

TIA
Andras

3 Likes

Hi and welcome to NethServer Community,

thanks for pointing out that LDAP isn’t reachable from the webserver app and how to solve it.
I think we need to add this feature but let’s first ask @stephdl about that. Maybe there are other ways.
Usually the next step then would be to create an issue/PR, see also Development process | NS8 dev manual

1 Like

yep it makes sense, please open a feature request in the GH of the project

2 Likes

you do not need to fork webserver,

edit the custom systemd service

runagent -m webserver1 systemctl --user edit webserver

verify the service is amended

runagent -m webserver1 systemctl --user cat webserver

check the files manually

cat /home/webserver1/.config/systemd/user/webserver.service.d/override.conf

reload and restart systemd

runagent -m webserver1 systemctl --user daemon-reload
runagent -m webserver1 systemctl --user restart webserver

3 Likes

Well, I definitely should have dug deeper into systemd first.

So this is the place and method to customize the containers’ systemd services.

The override.conf content is now:

[Service]
ExecStartPre=
ExecStartPre=/bin/rm -f %t/webserver.pid %t/webserver.pod-id
ExecStartPre=/usr/bin/podman pod create --infra-conmon-pidfile %t/webserver.pid \
    --pod-id-file %t/webserver.pod-id \
    --name webserver \
    --publish 127.0.0.1:${NGINX_TCP_PORT}:80 \
    --publish ${SFTP_TCP_PORT}:2022 \
    --publish 127.0.0.1:${SFTPGO_TCP_PORT}:8080 \
    --network=slirp4netns:allow_host_loopback=true \
    --replace

The first line clears the original ExecStartPre option, the next two lines are recreating the original with the addition.

Thank you @stephdl.
I just started testing NS8 and the upgrade path from NS7. Very promising so far. Great work by the Dev Team. Customization will be an important thing on the production servers.

3 Likes
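
Because the drop-in above resets ExecStartPre and restates the whole podman pod create command, later changes to the packaged unit's command are masked by it. The following added example (not from the thread or the NS8 project) compares the two option lists and reports anything other than the intended flag; the unit contents, the helper names and EXAMPLE_TCP_PORT are constructed for illustration.

```shell
#!/bin/sh
# Added example; the unit contents are constructed samples modelled on the thread.

# Print the options of the "podman pod create" ExecStartPre in unit file $1,
# one "--option [value]" per line, sorted, with continuation lines joined.
pod_create_opts() {
    awk '
        /\\$/ { sub(/[ \t]*\\$/, ""); buf = buf $0 " "; next }
        { line = buf $0; buf = "" }
        line ~ /^ExecStartPre=.*podman pod create/ {
            n = split(line, tok, /[ \t]+/); opt = ""
            for (i = 1; i <= n; i++) {
                if (tok[i] ~ /^--/) { if (opt != "") print opt; opt = tok[i] }
                else if (opt != "") opt = opt " " tok[i]
            }
            if (opt != "") print opt
        }' "$1" | sort
}

# Compare packaged unit $1 with drop-in $2, ignoring the intended extra option $3.
# Prints nothing when the drop-in differs from the unit only by that option.
override_drift() {
    base=$(pod_create_opts "$1")
    over=$(pod_create_opts "$2" | grep -vxF -e "$3" || true)
    printf '%s\n' "$base" | grep -vxF -e "$over" | sed 's/^/missing from override: /'
    printf '%s\n' "$over" | grep -vxF -e "$base" | sed 's/^/not in packaged unit: /'
}

demo=$(mktemp -d)
extra='--network=slirp4netns:allow_host_loopback=true'
# Packaged unit, as the override in the thread reconstructs it (constructed sample).
cat > "$demo/webserver.service" <<'EOF'
[Service]
ExecStartPre=/bin/rm -f %t/webserver.pid %t/webserver.pod-id
ExecStartPre=/usr/bin/podman pod create --infra-conmon-pidfile %t/webserver.pid \
    --pod-id-file %t/webserver.pod-id --name webserver \
    --publish 127.0.0.1:${NGINX_TCP_PORT}:80 --publish ${SFTP_TCP_PORT}:2022 \
    --publish 127.0.0.1:${SFTPGO_TCP_PORT}:8080 --replace
EOF
# Drop-in sample: the same command plus the one intended flag.
sed "s/ --replace\$/ $extra --replace/" "$demo/webserver.service" > "$demo/override.conf"
# Hypothetical later update publishing one more port (EXAMPLE_TCP_PORT is invented).
sed 's/ --replace$/ --publish 127.0.0.1:${EXAMPLE_TCP_PORT}:9000 --replace/' \
    "$demo/webserver.service" > "$demo/webserver.updated.service"

override_drift "$demo/webserver.service" "$demo/override.conf" "$extra"          # prints nothing
override_drift "$demo/webserver.updated.service" "$demo/override.conf" "$extra"  # prints the dropped --publish
rm -rf "$demo"
```

On a real node the two inputs would be the files named in the thread: the module's webserver.service and its webserver.service.d/override.conf.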

Here is the feature request:

2 Likes

If you upload an application in the Webserver app, I understand connecting AD through Ldapproxy is still desirable; however, as a workaround you can use the AD IP address directly.

1 Like

I tried, but it was not working.

In my case the webserver app and the samba app are on the same node.
I can connect to the AD LDAP from other machines, but not from the webserver app on the same node.

1 Like