From 33598452420f1b6372c60c3d418cf9dfbeacaa41 Mon Sep 17 00:00:00 2001
From: Arto Jantunen
Date: Wed, 2 Oct 2019 19:18:58 +0300
Subject: [PATCH 1/3] Stop setting PIDFile, useless when Type=simple

This has been unneeded since commit 528a7a5ab which converted this from Type=forking to Type=simple.
---
 files/fail2ban.service.in | 1 -
 1 file changed, 1 deletion(-)

diff --git a/files/fail2ban.service.in b/files/fail2ban.service.in
index 9a245c61..98b0fc11 100644
--- a/files/fail2ban.service.in
+++ b/files/fail2ban.service.in
@@ -13,7 +13,6 @@ ExecStart=@BINDIR@/fail2ban-server -xf start
 # ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start
 ExecStop=@BINDIR@/fail2ban-client stop
 ExecReload=@BINDIR@/fail2ban-client reload
-PIDFile=/run/fail2ban/fail2ban.pid
 Restart=on-failure
 RestartPreventExitStatus=0 255
 

From 60b136333e69b1fc042200df1c5e63022c7dda41 Mon Sep 17 00:00:00 2001
From: Arto Jantunen
Date: Wed, 2 Oct 2019 18:21:09 +0300
Subject: [PATCH 2/3] Use RuntimeDirectory to create /run/fail2ban

Instead of the duplicated tmpfiles + ExecStartPre. This way the lifetime of that directory becomes fixed, and also User is automatically respected for the ownership of the directory (making it easy to run fail2ban as a non-root user, like it was with at least the Debian init script).
---
 files/fail2ban-tmpfiles.conf | 1 -
 files/fail2ban.service.in | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
 delete mode 100644 files/fail2ban-tmpfiles.conf

diff --git a/files/fail2ban-tmpfiles.conf b/files/fail2ban-tmpfiles.conf
deleted file mode 100644
index 68f8e345..00000000
--- a/files/fail2ban-tmpfiles.conf
+++ /dev/null
@@ -1 +0,0 @@
-D /run/fail2ban 0755 root root -
\ No newline at end of file
diff --git a/files/fail2ban.service.in b/files/fail2ban.service.in
index 98b0fc11..ddaa41b4 100644
--- a/files/fail2ban.service.in
+++ b/files/fail2ban.service.in
@@ -7,7 +7,7 @@ PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftabl
 [Service]
 Type=simple
 Environment="PYTHONNOUSERSITE=1"
-ExecStartPre=/bin/mkdir -p /run/fail2ban
+RuntimeDirectory=fail2ban
 ExecStart=@BINDIR@/fail2ban-server -xf start
 # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
 # ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start

From f376da4bec5742097b27feb4171aca9dfe1af1cb Mon Sep 17 00:00:00 2001
From: Arto Jantunen
Date: Fri, 4 Oct 2019 18:08:47 +0300
Subject: [PATCH 3/3] Set StateDirectory

This automatically handles permissions for /var/lib/fail2ban when run as a non-root user.
---
 files/fail2ban.service.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/files/fail2ban.service.in b/files/fail2ban.service.in
index ddaa41b4..e93fd596 100644
--- a/files/fail2ban.service.in
+++ b/files/fail2ban.service.in
@@ -8,6 +8,7 @@ PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftabl
 Type=simple
 Environment="PYTHONNOUSERSITE=1"
 RuntimeDirectory=fail2ban
+StateDirectory=fail2ban
 ExecStart=@BINDIR@/fail2ban-server -xf start
 # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
 # ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start
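Review bot: `RuntimeDirectory=fail2ban` in patch 2/3 leaves the directory mode implicit, so /run/fail2ban is created with systemd's default 0755, as the removed tmpfiles.d entry did, and every local account can reach the directory that presumably holds the control socket; the same applies to `StateDirectory=fail2ban` in patch 3/3. Since the stated goal is running under a non-root `User=`, I would pin the modes next to the directives, e.g. `RuntimeDirectoryMode=0750` and `StateDirectoryMode=0750`, unless accounts outside the service group are meant to use fail2ban-client or read the state files (not visible in this hunk). With both the tmpfiles.d entry and `ExecStartPre=` gone, the directory exists only while the unit is active, so a comment such as `# /run/fail2ban is created and removed by systemd together with this unit` above the line would help anyone who starts the server by hand.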
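Review bot: `StateDirectory=fail2ban` in patch 3/3 is only understood by systemd 235 and later; older versions log a warning for the unknown key and ignore it, so on such hosts a non-root setup still depends on /var/lib/fail2ban being prepared by packaging. I would document that above the line, e.g. `# needs systemd >= 235; on older hosts create /var/lib/fail2ban for the service user`.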