Installing daemontools service supervisor on FreeBSD 7.0

D. J. Bernstein’s daemontools includes a service supervisor which ensures that the services it supervises are restarted should they ever stop due to a program/system error. Daemontools is easy to install, and is best installed from FreeBSD’s ports system at /usr/ports/sysutils/daemontools. Be sure to also install the manual, which you can find in the sub-directory work/daemontools-man. The README file found there says to install the manual entries manually using the command gzip *.8 ; cp *.8.gz /usr/share/man/man8/ (run from within the daemontools-man directory). Once installed, there are a few additional steps:

  1. Copy /usr/ports/sysutils/daemontools/work/svscan.sh.sample to
    /usr/local/etc/rc.d/svscan.sh and give it owner execute privileges with
    chmod 700 /usr/local/etc/rc.d/svscan.sh
  2. Create /var/service and create a symlink to it from /service
    mkdir /var/service
    ln -s /var/service /service
  3. Add the following to /etc/rc.conf:
    #start /var/service scanning
    svscan_enable="YES"
  4. Reboot the system (svscan will *not* start on a BSD system before the system is rebooted)

Optionally you can also install Bruce Guenter’s supervise-scripts that make life a whole lot easier with daemontools’ supervise.

  1. Install the latest bglibs if not yet installed
    Note: bglibs is best installed from a downloaded tarball rather than from the ports. While the ports version installs the libs in a more logical location at /usr/local/lib/bglibs/, the programs that utilize the library (bcron, ucspi-unix, etc.) have difficulty locating it. A few symlinks are required (these refer to the locations where bglibs installs itself when compiled from the tarball rather than from the ports):
    /usr/local/bglibs -> /usr/local/lib/bglibs
    /usr/local/bglibs/lib/libbg-sysdeps.so.2 -> /usr/local/lib/libbg-sysdeps.so.2
    /usr/local/bglibs/lib/libbg.so.2 -> /usr/local/lib/libbg.so.2
  2. Download, compile, and install supervise-scripts. Once installed, you’ll find new commands svc-start, svc-stop, svc-restart, svc-add, svc-remove, svc-isdown, svc-isup, svc-waitdown, svc-waitup, and svc-status in /usr/local/bin. These make scripting and managing services much easier.

When switching programs to be svscan-started and svscan-managed, make sure they are not also being started by the system as default services, and that no prior startup setting for them exists in /etc/rc.conf. Disable them (depending on the service) by commenting out the startup in /etc/rc.conf, by adding a "NO" clause in /etc/rc.conf (such as cron_enable="NO"), or by disabling the corresponding startup script in /usr/local/etc/rc.d.
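The check described above can be scripted. The following is an added example, not part of the original post: it lists services that are linked under the svscan directory and are still enabled through rc.conf, reading the system defaults file first so that default-on services such as cron are caught. It assumes the link name under the service directory matches the rc.conf variable prefix (cron and cron_enable); the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: link name under the service dir == rc.conf prefix (cron -> cron_enable).

# rc_enabled NAME FILE...: true if the last uncommented NAME_enable assignment
# across FILEs (read in order, later wins) is YES/TRUE/ON/1 in any case.
rc_enabled() {
    n=$1; shift
    val=$(sed -n "s/^[[:space:]]*${n}_enable=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$@" | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# double_started SERVICEDIR FILE...: print each supervised service that the
# rc system would also start, one name per line.
double_started() {
    dir=$1; shift
    for link in "$dir"/*; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # empty dir: glob stays literal
        name=${link##*/}
        # Names that cannot be rc.conf variable prefixes are skipped.
        case "$name" in *[!A-Za-z0-9_]*) continue ;; esac
        if rc_enabled "$name" "$@"; then echo "$name"; fi
    done
}

# Constructed sample data (not taken from a real host) so this runs anywhere.
demo=$(mktemp -d)
mkdir -p "$demo/service/cron" "$demo/service/mysql" "$demo/service/sshd"
printf '%s\n' 'cron_enable="YES"   # system default' 'sshd_enable="NO"' > "$demo/defaults"
printf '%s\n' 'sshd_enable="YES"' '#cron_enable="NO"' 'mysql_enable="NO"' > "$demo/rc.conf"
double_started "$demo/service" "$demo/defaults" "$demo/rc.conf"
rm -rf "$demo"
```

On a real system the equivalent call is double_started /var/service /etc/defaults/rc.conf /etc/rc.conf; any name it prints is started both by rc and by svscan.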

If you mess up a service initialization, uninstall the failed service (i.e. unlink the service’s primary service directory from /var/service), delete the “supervise” subfolders (and “down” file if present) from the service’s primary service directory (there’s one also in the “log” subfolder). Then reboot the system, and reinstall the service either by using the supervise-scripts command svc-add, or by simply symlinking the service’s primary service directory to /var/service (for example ln -s /var/db/mysql-supervise /var/service/mysql).

3 thoughts on “Installing daemontools service supervisor on FreeBSD 7.0”

  1. Thank you for this post.

    I usually install djbdns from /usr/ports/dns/djbdns, which will install the daemontools, DNS tools, and ucspi-tcp all-together. The port will also allow you to choose to also install the man pages for all these packages, and it creates svscan.sh for you.

    It’s great to run supervise together with the tcpserver program, which allows you to further protect services like e.g. sshd.

    I then disable sshd in /etc/rc.conf, and set up sshd to run with tcpserver and svscan. It works great, I have done it for years.

    It’s very important to note that you should always double-triple check all your files before rebooting, because you may end up locking yourself out of the machine if e.g. sshd doesn’t come back up after rebooting! This can be a hassle if your machine is a remote host…

    DrTebi

  2. Like with qmail, it bothers me with djbdns that it hasn’t been updated by its maintainer since 2001 (v1.05). Of DJ Bernstein’s software I still use daemontools, ucspi-tcp and – in production perhaps a month or two longer – qmail.

    Like with mail, with DNS new threats and exploits spring up frequently. DJ Bernstein prides himself on having written programs without security vulnerabilities, but his track-record for making updates is so bad that *when* an exploit comes up, I don’t want to be using his software for any critical functionality since he will be unlikely to fix it.

    I personally like BIND since it’s maintained by an organization that can quickly react to issues such as the recent DNS security issues that were rapidly patched by the ISC.

  3. Just a quick note about all of the rebooting you describe here: it’s really never needed.
    I’ve just installed daemontools from ports, created /var/service and configured a service in there, and just ran /usr/local/etc/rc.d/svscan.sh start (the same thing that happens when you put svscan_enable="YES" in /etc/rc.conf and reboot). Everything works fine, no rebooting required.
