diff --git a/src/systemd/Makefile.am b/src/systemd/Makefile.am index 75d6064beb8..536f70b392c 100644 --- a/src/systemd/Makefile.am +++ b/src/systemd/Makefile.am @@ -32,7 +32,6 @@ nodist_systemdunit_DATA = \ dist_systemdunit_DATA = \ src/systemd/cockpit-session.socket \ src/systemd/cockpit-session-socket-user.service \ - src/systemd/cockpit-ws-user.service \ src/systemd/system-cockpithttps.slice \ src/systemd/cockpit-wsinstance-http.socket \ src/systemd/cockpit-wsinstance-https-factory.socket \ diff --git a/src/systemd/cockpit-ws-user.service b/src/systemd/cockpit-ws-user.service deleted file mode 100644 index 0ac74485641..00000000000 --- a/src/systemd/cockpit-ws-user.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=Dynamic user for cockpit-ws -Documentation=man:cockpit-ws(8) -# avoid dependency loop with basic.target/sockets.target shutdown -DefaultDependencies=no -BindsTo=cockpit.service - -[Service] -DynamicUser=yes -User=cockpit-ws -Group=cockpit-ws -Type=oneshot -ExecStart=/bin/true -RemainAfterExit=yes diff --git a/src/systemd/cockpit-wsinstance-http.service.in b/src/systemd/cockpit-wsinstance-http.service.in index 7f4058021c3..f2fc0328e3c 100644 --- a/src/systemd/cockpit-wsinstance-http.service.in +++ b/src/systemd/cockpit-wsinstance-http.service.in @@ -2,11 +2,10 @@ Description=Cockpit Web Service http instance Documentation=man:cockpit-ws(8) BindsTo=cockpit.service -Requires=cockpit-session.socket cockpit-session-socket-user.service -After=cockpit-session.socket cockpit-session-socket-user.service +Requires=cockpit-session.socket +After=cockpit-session.socket [Service] ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0 -User=cockpit-wsinstance-socket -Group=cockpit-wsinstance-socket -SupplementaryGroups=cockpit-session-socket +DynamicUser=true +Group=cockpit-session-socket diff --git a/src/systemd/cockpit-wsinstance-http.socket b/src/systemd/cockpit-wsinstance-http.socket index 9b4d51c7f12..d98fa5ff166 100644 
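Review bot: In cockpit-wsinstance-http.service.in the new `Group=cockpit-session-socket` still relies on that group being held by cockpit-session-socket-user.service, but the hunk drops the explicit `Requires=`/`After=` on that unit. The ordering now rests on whatever cockpit-session.socket declares, which is not visible in this diff. A comment above `Requires=` would record the assumption, e.g. `# cockpit-session.socket pulls in cockpit-session-socket-user.service, which holds our Group=`. The same applies to the cockpit-wsinstance-https@.service.in hunk. The two files also spell the setting differently (`DynamicUser=true` here, `DynamicUser=yes` there and in cockpit.service.in); using one form throughout makes the units easier to audit.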
--- a/src/systemd/cockpit-wsinstance-http.socket +++ b/src/systemd/cockpit-wsinstance-http.socket @@ -3,8 +3,8 @@ Description=Socket for Cockpit Web Service http instance Documentation=man:cockpit-ws(8) BindsTo=cockpit.service # ensure our DynamicUser exists -Requires=cockpit-ws-user.service cockpit-wsinstance-socket-user.service -After=cockpit-ws-user.service cockpit-wsinstance-socket-user.service +Requires=cockpit-wsinstance-socket-user.service +After=cockpit-wsinstance-socket-user.service [Socket] ListenStream=/run/cockpit/wsinstance/http.sock diff --git a/src/systemd/cockpit-wsinstance-https-factory.socket b/src/systemd/cockpit-wsinstance-https-factory.socket index 03b6e832c6e..1e552ce31af 100644 --- a/src/systemd/cockpit-wsinstance-https-factory.socket +++ b/src/systemd/cockpit-wsinstance-https-factory.socket @@ -3,8 +3,8 @@ Description=Socket for Cockpit Web Service https instance factory Documentation=man:cockpit-ws(8) BindsTo=cockpit.service # ensure our DynamicUser exists -Requires=cockpit-ws-user.service cockpit-wsinstance-socket-user.service -After=cockpit-ws-user.service cockpit-wsinstance-socket-user.service +Requires=cockpit-wsinstance-socket-user.service +After=cockpit-wsinstance-socket-user.service [Socket] ListenStream=/run/cockpit/wsinstance/https-factory.sock diff --git a/src/systemd/cockpit-wsinstance-https@.service.in b/src/systemd/cockpit-wsinstance-https@.service.in index b1f0b0d7015..8362f0aadfc 100644 --- a/src/systemd/cockpit-wsinstance-https@.service.in +++ b/src/systemd/cockpit-wsinstance-https@.service.in 
@@ -2,12 +2,11 @@ Description=Cockpit Web Service https instance %I Documentation=man:cockpit-ws(8) BindsTo=cockpit.service -Requires=cockpit-session.socket cockpit-session-socket-user.service -After=cockpit-session.socket cockpit-session-socket-user.service +Requires=cockpit-session.socket +After=cockpit-session.socket [Service] Slice=system-cockpithttps.slice ExecStart=@libexecdir@/cockpit-ws --for-tls-proxy --port=0 -User=cockpit-wsinstance-socket -Group=cockpit-wsinstance-socket -SupplementaryGroups=cockpit-session-socket +DynamicUser=yes +Group=cockpit-session-socket diff --git a/src/systemd/cockpit-wsinstance-https@.socket b/src/systemd/cockpit-wsinstance-https@.socket index 43e342d328b..7277338e918 100644 --- a/src/systemd/cockpit-wsinstance-https@.socket +++ b/src/systemd/cockpit-wsinstance-https@.socket @@ -7,8 +7,8 @@ BindsTo=cockpit.service # the services are resource-limited by system-cockpithttps.slice BindsTo=cockpit-wsinstance-https@%i.service # ensure our DynamicUser exists -Requires=cockpit-ws-user.service cockpit-wsinstance-socket-user.service -After=cockpit-ws-user.service cockpit-wsinstance-socket-user.service +Requires=cockpit-wsinstance-socket-user.service +After=cockpit-wsinstance-socket-user.service [Socket] ListenStream=/run/cockpit/wsinstance/https@%i.sock diff --git a/src/systemd/cockpit.service.in b/src/systemd/cockpit.service.in index 561266b3d97..98a828003fd 100644 --- a/src/systemd/cockpit.service.in +++ b/src/systemd/cockpit.service.in 
@@ -3,9 +3,6 @@ Description=Cockpit Web Service Documentation=man:cockpit-ws(8) Requires=cockpit.socket Requires=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket -# ensure our DynamicUser exists -Requires=cockpit-ws-user.service cockpit-wsinstance-socket-user.service -After=cockpit-ws-user.service cockpit-wsinstance-socket-user.service # we need to start after the sockets so that we can instantly forward incoming requests After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket @@ -13,9 +10,10 @@ After=cockpit-wsinstance-http.socket cockpit-wsinstance-https-factory.socket RuntimeDirectory=cockpit/tls ExecStartPre=+@libexecdir@/cockpit-certificate-ensure --for-cockpit-tls ExecStart=@libexecdir@/cockpit-tls -User=cockpit-ws -Group=cockpit-ws -SupplementaryGroups=cockpit-wsinstance-socket +DynamicUser=yes +# otherwise systemd uses 'cockpit' even if it exists as a normal user account +User=cockpit-systemd-service +Group=cockpit-wsinstance-socket NoNewPrivileges=true ProtectSystem=strict ProtectHome=true diff --git a/test/verify/check-connection b/test/verify/check-connection index 40090a82db1..9c7906e5509 100755 --- a/test/verify/check-connection +++ b/test/verify/check-connection @@ -265,7 +265,7 @@ class TestConnection(testlib.MachineCase): m.start_cockpit(tls=False) self.assertIn("HTTP/1.1 200 OK", m.execute("curl --silent --head http://127.0.0.1:9090")) expect_actives(ws_socket=True, instance_sockets=True, http_instances=["http"]) - m.execute("systemctl stop cockpit-ws-user.service") + m.execute("systemctl stop cockpit-wsinstance-socket-user") expect_actives(ws_socket=True, instance_sockets=False, http_instances=[]) # https mode diff --git a/tools/cockpit.spec b/tools/cockpit.spec index b26c5b32d98..07ed05eae1e 100644 --- a/tools/cockpit.spec +++ b/tools/cockpit.spec 
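Review bot: The comment added above `User=cockpit-systemd-service` in the second cockpit.service.in hunk explains why the unit-derived name is avoided, but the same fallback applies to the new name. Per systemd's documented DynamicUser= behaviour, an existing static account of the configured name is used as-is and no dynamic user is allocated. Nothing in the visible lines guards against that, so the comment could say it, e.g. `# explicit, unlikely-to-exist name: DynamicUser= reuses a static account of the same name, and 'cockpit' (derived from the unit name) may be a normal user`. Separately, `Group=cockpit-wsinstance-socket` becomes the primary group of cockpit-tls, while the first hunk of this file removes the direct `Requires=`/`After=` on cockpit-wsinstance-socket-user.service. The group holder is now ordered only transitively through the two wsinstance sockets, which deserves a one-line comment next to `Group=`.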
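Review bot: The replacement `systemctl stop cockpit-wsinstance-socket-user` drops the unit suffix that the old line carried. systemctl assumes `.service`, but writing `m.execute("systemctl stop cockpit-wsinstance-socket-user.service")` keeps the unit name greppable and consistent with the unit files. In the visible lines the test exercises only the wsinstance group holder. The instance services' direct dependency on cockpit-session-socket-user.service is also removed by this commit, and no assertion shown here covers stopping that unit. The enclosing test method starts and ends outside the hunk.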
@@ -377,7 +377,6 @@ authentication via sssd/FreeIPA. %{_unitdir}/cockpit.service %{_unitdir}/cockpit-motd.service %{_unitdir}/cockpit.socket -%{_unitdir}/cockpit-ws-user.service %{_unitdir}/cockpit-session-socket-user.service %{_unitdir}/cockpit-session.socket %{_unitdir}/cockpit-session@.service diff --git a/tools/debian/cockpit-ws.install b/tools/debian/cockpit-ws.install index 5c9c16d76e8..32962193637 100644 --- a/tools/debian/cockpit-ws.install +++ b/tools/debian/cockpit-ws.install @@ -6,7 +6,6 @@ ${env:deb_systemdsystemunitdir}/cockpit.socket ${env:deb_systemdsystemunitdir}/cockpit-session.socket ${env:deb_systemdsystemunitdir}/cockpit-session@.service ${env:deb_systemdsystemunitdir}/cockpit-session-socket-user.service -${env:deb_systemdsystemunitdir}/cockpit-ws-user.service ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-http.service ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-http.socket ${env:deb_systemdsystemunitdir}/cockpit-wsinstance-https-factory@.service