forked from rapiz1/rathole
-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: non root user with systemd (rapiz1#269)
* doc: remove 'DynamicUser=yes', so the service can read config file with permission 600 * doc: add example for non-root systemd service * fix(doc): should be 'app2.toml'
- Loading branch information
Showing
6 changed files
with
70 additions
and
16 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,12 +2,16 @@ | |
|
|
||
| The directory lists some systemd unit files for example, which can be used to run `rathole` as a service on Linux. | ||
|
|
||
| [The `@` symbol in name of unit files](https://superuser.com/questions/393423/the-symbol-and-systemctl-and-vsftpd) such as | ||
| [The `@` symbol in the name of unit files](https://superuser.com/questions/393423/the-symbol-and-systemctl-and-vsftpd) such as | ||
| `[email protected]` facilitates the management of multiple instances of `rathole`. | ||
|
|
||
| For the naming of the example, `ratholes` stands for `rathole --server`, and `ratholec` stands for `rathole --client`, `rathole` is just `rathole`. | ||
|
|
||
| Assuming that `rathole` is installed in `/usr/bin/rathole`, and the configuration file is in `/etc/rathole/app1.toml`, the following steps shows how to run an instance of `rathole --server`. | ||
| For security, it is suggested to store configuration files with permission `600`, that is, only the owner can read the file, preventing arbitrary users on the system from accessing the secret tokens. | ||
|
|
||
| ### With root privilege | ||
|
|
||
| Assuming that `rathole` is installed in `/usr/bin/rathole`, and the configuration file is in `/etc/rathole/app1.toml`, the following steps show how to run an instance of `rathole --server` with root. | ||
|
|
||
| 1. Create a service file. | ||
|
|
||
|
|
@@ -22,14 +26,49 @@ sudo mkdir -p /etc/rathole | |
| # And create the configuration file named `app1.toml` inside /etc/rathole | ||
| ``` | ||
|
|
||
| 3. Enable and start the service | ||
| 3. Enable and start the service. | ||
|
|
||
| ```bash | ||
| sudo systemctl daemon-reload # Make sure systemd find the new unit | ||
| sudo systemctl enable ratholes@app1 --now | ||
| ``` | ||
|
|
||
| And if there's another configuration named `app2.toml` in `/etc/rathole`, then | ||
| `sudo systemctl enable ratholes@app2 --now` can start an instance for that configuration. | ||
| ### Without root privilege | ||
|
|
||
| Assuming that `rathole` is installed in `~/.local/bin/rathole`, and the configuration file is in `~/.local/etc/rathole/app1.toml`, the following steps show how to run an instance of `rathole --server` without root. | ||
|
|
||
| 1. Edit the example service file as... | ||
|
|
||
| ```txt | ||
| # with root | ||
| # ExecStart=/usr/bin/rathole -s /etc/rathole/%i.toml | ||
| # without root | ||
| ExecStart=%h/.local/bin/rathole -s %h/.local/etc/rathole/%i.toml | ||
| ``` | ||
|
|
||
| 2. Create a service file. | ||
|
|
||
| ```bash | ||
| mkdir -p ~/.config/systemd/user | ||
| cp [email protected] ~/.config/systemd/user/ | ||
| ``` | ||
|
|
||
| 3. Create the configuration file `app1.toml`. | ||
|
|
||
| ```bash | ||
| mkdir -p ~/.local/etc/rathole | ||
| # And create the configuration file named `app1.toml` inside ~/.local/etc/rathole | ||
| ``` | ||
|
|
||
| 4. Enable and start the service. | ||
|
|
||
| ```bash | ||
| systemctl --user daemon-reload # Make sure systemd find the new unit | ||
| systemctl --user enable ratholes@app1 --now | ||
| ``` | ||
|
|
||
| ### Run multiple services | ||
|
|
||
| To run multiple services at once, simply add another configuration, say `app2.toml` under `/etc/rathole` (`~/.local/etc/rathole` for non-root), then run `sudo systemctl enable ratholes@app2 --now` (`systemctl --user enable ratholes@app2 --now` for non-root) to start an instance for that configuration. | ||
|
|
||
| The same applies to `rathole --client` and `rathole`. | ||
| The same applies to `[email protected]` for `rathole --client` and `[email protected]` for `rathole`. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters