Use runit to supervise Linux services

Gerrit Pape's runit is similar to djb's daemontools and allows you to run supervised services, like daemontools, and also allows you to replace SysV init completely if you so desire. Vincent Danen tells you how to get started with runit.

Traditional Linux systems use SysV init for starting the system: running init scripts to start and stop services and also to manage system runlevels and one-time startup scripts. The problem with using a SysV init system is that services are also treated as one-time startup scripts. When init starts the system and calls a service, such as sshd, the service will start; but if sshd dies for some reason, it will remain down until an administrator issues a service sshd start command to restart the service.

This can be mitigated to some degree by starting services like sshd directly from /etc/inittab, similar to getties for login. All the console logins are separate getties, and init restarts them when users log out. Running all services out of /etc/inittab has its own shortcomings, however, as they cannot be easily stopped without rebooting.

Gerrit Pape's runit is similar to djb's daemontools and allows you to run supervised services, like daemontools, and also allows you to replace SysV init completely if you so desire.

Some distributions provide runit, some do not. If your chosen distribution does not, runit is easy to download and compile.

runit can still be used without replacing init and it works just fine, with minimal effort. To begin, create a script called /sbin/runsvdir-start with the following:

#!/bin/sh

PATH=/command:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin

exec env - PATH=$PATH \
runsvdir -P /service 'log: ...........................................................................................................................................................................................................................................................................................................................................................................................................'

This is the script that init will start. What it does is call the runsvdir program on the /service directory; this is the directory where all supervised services will be linked in order to tell runsvdir what to manage.

Next, edit /etc/inittab and add:

SV:123456:respawn:/sbin/runsvdir-start

to the bottom of the file. This will start (and re-start, if it ever exits) the /sbin/runsvdir-start program.

Next, you need to create run scripts for supervised services. This is quite easy; a number of run scripts can be found on the runit Web site. For instance, to create a supervised sshd, create the directory /var/service/sshd and inside it create a file called ./run; this is the run script. It should have the following contents:

#!/bin/sh
exec /usr/sbin/sshd -D >/dev/null 2>&1

Make sure the run script is mode 0750 so that it is executable. Next, create a symbolic link of /var/service/sshd into the /service directory:

# cd /service
# ln -s /var/service/sshd .

Within a few seconds, runsvdir will notice the new symbolic link, create any control files that are required, and will execute the ./run script. If the script terminates, runsvdir will re-execute the ./run script until told to stop. The sv program can control services; using sv start /service/sshd will bring up the service (if down), and sv stop /service/sshd will stop the service. Otherwise, runsvdir will always ensure the service is up.
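
The steps above as shell functions, with an audit of the result; this is an added example, not code from the article. Because runsvdir is started from /etc/inittab, every ./run script executes as root, so the audit rejects a run script or service directory that is group- or world-writable or not owned by the expected user. SVROOT, SVLINK and SVOWNER are names assumed here, not part of runit.

```shell
#!/bin/sh
# Added example, not from the article. Paths default to the article's
# /var/service and /service; SVROOT, SVLINK and SVOWNER are assumptions
# introduced here so the functions can be tried in a scratch directory.
# Usage: install_service sshd '/usr/sbin/sshd -D >/dev/null 2>&1' && audit_service sshd

# install_service NAME COMMAND: write ./run, set mode 0750, link it in.
install_service() {
    dir="${SVROOT:-/var/service}/$1"
    links="${SVLINK:-/service}"
    mkdir -p "$dir" "$links" || return 1
    chmod 0755 "$dir" || return 1
    # Build the script under another name so runsv never executes a partial file.
    printf '#!/bin/sh\nexec %s\n' "$2" > "$dir/run.new" || return 1
    chmod 0750 "$dir/run.new" || return 1
    mv "$dir/run.new" "$dir/run" || return 1
    [ -L "$links/$1" ] || ln -s "$dir" "$links/$1"
}

# unsafe PATH: true if PATH is group/other-writable or not owned by SVOWNER.
# -H makes find examine the symlink's target, not the link itself.
unsafe() {
    [ -n "$(find -H "$1" -prune \( -perm -020 -o -perm -002 \
        -o ! -user "${SVOWNER:-root}" \) -print 2>/dev/null)" ]
}

# audit_service NAME: report problems; return 0 only if every check passes.
audit_service() {
    link="${SVLINK:-/service}/$1"
    rc=0
    if [ ! -L "$link" ] || [ ! -d "$link" ]; then
        echo "$1: no valid symlink in service directory"; return 1
    fi
    if [ ! -f "$link/run" ] || [ ! -x "$link/run" ]; then
        echo "$1: run script missing or not executable"; rc=1
    elif unsafe "$link/run"; then
        echo "$1: run script has loose mode or wrong owner"; rc=1
    fi
    if unsafe "$link"; then
        echo "$1: service directory has loose mode or wrong owner"; rc=1
    fi
    return $rc
}
```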

Obviously there is a lot more to using supervised services; you can create logging services that will take the output of the service and write it to log files. In the above example we simply redirected the output to /dev/null, letting sshd log to syslog instead. In that case, a log service is not necessary, but on any service that has output, be it to stderr or stdout, a logging service can be used to capture and log it, regardless of whether it logs to syslog as well. We'll take a look at logging services next week.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.
