DECNET/deploy/decnet-swarmctl.service.j2
anti d4b714dc39 fix(deploy): wire per-unit log files on master systemd services
The agent-side enroll-bundle templates (decnet/web/templates/*) always
set DECNET_SYSTEM_LOGS + StandardOutput/StandardError to a per-unit
file under /var/log/decnet. The master-side init templates (deploy/*)
never did, so every 'decnet init'-installed service:

- inherited the default DECNET_SYSTEM_LOGS=decnet.system.log — a
  relative path, landing in the unit's WorkingDirectory. All 13 units
  shared the same cwd and fought for the same file, or more often
  just failed to write it under ProtectSystem=full,
- emitted stdout/stderr to the journal by default, which is fine for
  uvicorn's INFO banter but makes per-service grepping a pain when
  you're chasing a single worker's trace.

Mirror the agent-side wiring on all 13 master templates:
- Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.<name>.log
- StandardOutput=append:/var/log/decnet/decnet.<name>.log
- StandardError=append:/var/log/decnet/decnet.<name>.log

/var/log/decnet is already in ReadWritePaths so ProtectSystem=full
stays compatible. Operators now get a dedicated
/var/log/decnet/decnet.<unit>.log per service, both from the app's
structured logger and from any stray stderr — journalctl still
works too, but is no longer the only option.
2026-04-24 00:57:23 -04:00

44 lines
1.3 KiB
Django/Jinja

[Unit]
Description=DECNET Swarm Controller (master)
Documentation=https://git.resacachile.cl/anti/DECNET/wiki/SWARM-Mode
After=network-online.target decnet-api.service
Wants=network-online.target

[Service]
Type=simple
User={{ user }}
Group={{ group }}
WorkingDirectory={{ install_dir }}
EnvironmentFile=-{{ install_dir }}/.env.local
# Default bind is loopback — the controller is a master-local orchestrator
# reached by the CLI and the web dashboard, not by workers.
Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.swarmctl.log
ExecStart={{ venv_dir }}/bin/decnet swarmctl --host 127.0.0.1 --port 8770
StandardOutput=append:/var/log/decnet/decnet.swarmctl.log
StandardError=append:/var/log/decnet/decnet.swarmctl.log
# No special capabilities — the controller issues mTLS certs and talks to
# workers over TCP on unprivileged ports.
CapabilityBoundingSet=
AmbientCapabilities=
# Security Hardening
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
LockPersonality=yes
# Reads/writes the CA bundle and the master DB.
ReadWritePaths={{ install_dir }} /var/log/decnet
ReadOnlyPaths=/etc/decnet
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
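
The log wiring the commit message describes can be checked mechanically on a rendered unit. The following is an added example, not part of the DECNET repository: `parse_service` and `check_log_wiring` are hypothetical helper names, `/opt/decnet` is a made-up value for `{{ install_dir }}`, and the parser assumes one assignment per `Environment=` line.

```python
import posixpath

# Constructed sample: the logging-related [Service] lines of the template,
# with the Jinja placeholder rendered to a made-up install dir (/opt/decnet).
SAMPLE_UNIT = """\
[Service]
WorkingDirectory=/opt/decnet
Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.swarmctl.log
StandardOutput=append:/var/log/decnet/decnet.swarmctl.log
StandardError=append:/var/log/decnet/decnet.swarmctl.log
ProtectSystem=full
ReadWritePaths=/opt/decnet /var/log/decnet
"""

def parse_service(text):
    """Collect [Service] directives; repeated keys accumulate in a list."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            out.setdefault(key.strip(), []).append(value.strip())
    return out

def check_log_wiring(text, env_name="DECNET_SYSTEM_LOGS"):
    """Return a list of findings; an empty list means the wiring is consistent."""
    svc, findings = parse_service(text), []
    # Assumption: each Environment= line carries a single NAME=value pair.
    env = dict(e.split("=", 1) for e in svc.get("Environment", []) if "=" in e)
    log_path = env.get(env_name)
    if log_path is None:
        return [f"{env_name} not set: app falls back to its relative default"]
    if not posixpath.isabs(log_path):
        findings.append(f"{env_name}={log_path} is relative to WorkingDirectory")
    else:
        writable = [p.lstrip("-+").rstrip("/") for v in svc.get("ReadWritePaths", []) for p in v.split()]
        norm = posixpath.normpath(log_path)
        if not any(norm == w or norm.startswith(w + "/") for w in writable):
            findings.append(f"{log_path} is not covered by ReadWritePaths")
    for key in ("StandardOutput", "StandardError"):
        value = (svc.get(key) or ["(unset)"])[-1]  # last assignment wins
        if value != f"append:{log_path}":
            findings.append(f"{key}={value} does not append to {log_path}")
    return findings
```

Run over each rendered template, a non-empty result flags a unit whose stdout/stderr and structured log would not end up in the same per-unit file.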