... | ... | @@ -19,6 +19,19 @@ We use `uid=1010` to not collide with any of the other standard system users, an |
|
|
|
|
|
NOTE: For a site setup where guardctrl will be accessed through a ~passwordless-SSH-interface, the guardian user should not have a password. Otherwise the guardian user can have a password as usual.
|
|
|
|
|
|
### systemd and journald config
|
|
|
|
|
|
The guardian systemd --user setup needs to be configured to be "persistent" so that it won't be shut down if the guardian user is not logged in. This is handled with loginctl:
|
|
|
```shell
|
|
|
# loginctl enable-linger guardian
|
|
|
```
|
|
|
|
|
|
The system journald needs to be configured to store all logs indefinitely. This is done by setting `Storage=persistent` in `/etc/systemd/journald.conf`:
|
|
|
```
|
|
|
[Journal]
|
|
|
Storage=persistent
|
|
|
```
|
|
|
|
|
|
### guardctrl setup
|
|
|
|
|
|
The `guardctrl` interface knows that it's running as the correct user by the presence of a `~/.guardctrl-home` file. Touch this file in the `guardian` user home directory:
|
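Review bot: In the journald paragraph, `Storage=persistent` is described as storing all logs indefinitely, but that setting only places the journal on disk under /var/log/journal. journald still rotates and deletes entries according to its size and time limits (`SystemMaxUse=`, `SystemKeepFree=`, `MaxRetentionSec=`). If the guardian logs are meant to be kept as a long-term record, set those limits explicitly in the same `[Journal]` block or state the retention that is actually expected, and mention that systemd-journald has to be restarted for the change to take effect. In the NOTE, "should not have a password" can be read as an empty password. Say that the account password should be locked (for example with `passwd -l guardian`) so that key-based SSH is the only login path, and drop the stray `~` before "passwordless".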
... | ... | @@ -58,5 +71,17 @@ Occasionally it might be necessary to access the guardian user directly. If pas |
|
|
```shell
|
|
|
root@h1guardian1:~# machinectl shell guardian@ /bin/bash
|
|
|
guardian@h1guardian1:~$ systemctl --user status
|
|
|
...
|
|
|
* h1guardian1
|
|
|
State: running
|
|
|
Jobs: 0 queued
|
|
|
Failed: 0 units
|
|
|
Since: Tue 2018-02-27 15:44:08 PST; 11s ago
|
|
|
CGroup: /user.slice/user-1010.slice/user@1010.service
|
|
|
`-init.scope
|
|
|
|-11818 /lib/systemd/systemd --user
|
|
|
`-11820 (sd-pam)
|
|
|
guardian@h1guardian1:~$ exit
|
|
|
logout
|
|
|
Connection to the local host terminated.
|
|
|
root@h1guardian1:~#
|
|
|
``` |
|
|
\ No newline at end of file |
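Review bot: The example session starts from a `root@h1guardian1` prompt, but nothing in the visible text says that `machinectl shell guardian@ /bin/bash` has to be run as root on the guardian host. State that next to the example, since it is the access path that remains when the guardian account has no password. It would also help to note that `user-1010.slice` in the CGroup line follows from the `uid=1010` chosen earlier, so readers can confirm they landed in the right user manager, and that the hostname, PIDs and timestamp will differ per machine. The file now ends at the closing fence without a trailing newline ("\ No newline at end of file"); add one.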