gerrit rc.d script fails due to "non-root pidfile", systemd unit


James Muir

Jul 16, 2023, 9:54:02 PM
to Repo and Gerrit Discussion

The gerrit rc.d script seems to have been broken by a recent Ubuntu 22.04 update:

Jul 16 13:06:27 gerrit gerrit[919]: Starting Gerrit Code Review:
Jul 16 13:06:27 gerrit gerrit[989]: start-stop-daemon: matching only on non-root pidfile /var/gerrit/logs/gerrit.pid is insecure
Jul 16 13:06:27 gerrit systemd[1]: gerrit.service: Control process exited, code=exited, status=2/INVALIDARGUMENT
Jul 16 13:06:27 gerrit systemd[1]: gerrit.service: Failed with result 'exit-code'.
Jul 16 13:06:27 gerrit systemd[1]: Failed to start LSB: Start/stop Gerrit Code Review.

I have a more detailed log (captured when executing the script using "sh -x") if anyone is interested.

Instead of trying to fix the rc.d script, I thought I would move on from it and add a systemd unit for gerrit.

That was straightforward to do using the example gerrit.service file provided.  Here is my updated version:

# Systemd unit file for gerrit

[Unit]
Description=Gerrit Code Review
After=syslog.target network.target

[Service]
Type=simple
WorkingDirectory=/var/gerrit/
Environment=GERRIT_HOME=/var/gerrit JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
ExecStart=/usr/bin/java -Xmx1024m -jar ${GERRIT_HOME}/bin/gerrit.war daemon -d ${GERRIT_HOME}
User=gerrit
SyslogIdentifier=GerritCodeReview
#StandardInput=socket

[Install]
WantedBy=multi-user.target

I had to comment out "StandardInput=socket" to get it to work.

Can someone tell me why that line is there?  I guess it is related to the other systemd example file, gerrit.socket.

Should I add a socket unit for gerrit as well?

-James M
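
Added example, not part of the original post and not dpkg or Gerrit code: start-stop-daemon(8) documents that it refuses a world-writable pidfile, and refuses a pidfile written by a non-root user when `--pidfile` is the only match option, because a root-run init script would otherwise act on whatever PID that user wrote. The script below approximates that rule for auditing a pidfile such as the one in the log above; the function names and the sample uid 1000 are assumptions, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Approximation of the pidfile trust rule described in start-stop-daemon(8).
# Hypothetical helper names; this is not the check as implemented in dpkg.

# classify_pidfile OWNER_UID MODE
# MODE is the octal permission string printed by `stat -c %a` (e.g. 644).
classify_pidfile() {
    owner_uid=$1
    mode=$2
    other=${mode#"${mode%?}"}   # last octal digit = permissions for "other"
    case $other in
        2|3|6|7)
            # Any local user can rewrite the PID that root will act on.
            echo "world-writable"
            return 0
            ;;
    esac
    if [ "$owner_uid" -ne 0 ]; then
        # The daemon's own account controls the file; if that account is
        # compromised, the PID inside cannot be trusted by a root caller
        # that matches on the pidfile alone.
        echo "non-root"
        return 0
    fi
    echo "ok"
}

# check_pidfile PATH: same verdicts for a file on disk.
check_pidfile() {
    path=$1
    if [ "$path" = /dev/null ]; then
        echo "ok"               # the man page exempts /dev/null
        return 0
    fi
    if [ ! -e "$path" ]; then
        echo "missing"
        return 0
    fi
    # GNU stat: %u = owner uid, %a = octal mode
    set -- $(stat -c '%u %a' -- "$path")
    classify_pidfile "$1" "$2"
}

# Optional CLI use: sh pidfile_check.sh /var/gerrit/logs/gerrit.pid
if [ "$#" -gt 0 ]; then
    check_pidfile "$1"
fi
```

A pidfile owned by the service account with mode 644 (constructed sample: uid 1000) yields `non-root`, which corresponds to the refusal in the log.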

Kenyon Ralph

Jul 17, 2023, 11:07:19 AM
to Repo and Gerrit Discussion
Right, it's for using systemd socket activation. This is how I've been running Gerrit. I use ListenStream=8080 and BindToDevice=lo with nginx in front of Gerrit. Works very reliably.

James Muir

Jul 17, 2023, 10:23:01 PM
to Repo and Gerrit Discussion
Thanks for your reply.

So if gerrit isn't running and someone visits its URL, then systemd will attempt to start it up.

I guess the advantage there is that it saves devs from waiting for a sys-admin to log in and do it manually.
 

Kenyon Ralph

Jul 18, 2023, 12:05:26 PM
to Repo and Gerrit Discussion

The only problem is that Gerrit also has an ssh service, which AFAIK is not able to use systemd socket activation (it's been a while since I looked into this and tried it, would be nice if it works now).