Systemd Unit Management
The ESF 7.5.0 default configuration restricts the set of systemd units that the ESF process is allowed to start and stop to the following list:
- named.service (only allowed on ESF distributions with network management support)
- bluetooth.service
- docker.service
- avahi-daemon.service
- fail2ban-server.service
- fail2ban.service
- chrony.service
- chronyd.service
- dnsmasq.service
- sshd related units
- Ansible activity related units
Attempting to start and stop other service units from ESF will fail, even if the operation is performed using the privileged executor service.
If an ESF application needs to start and stop other systemd units, the suggested approach is to add a dedicated polkit rule that allows the esfd user (privileged executor service) or the esf user (unprivileged executor service) to perform the desired operation.
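A dedicated rule of the kind suggested above could look like the following. This is an added example, not a rule shipped with ESF; the unit name `myapp.service` is a hypothetical placeholder, and the rule is scoped to one user, one unit and the start/stop verbs only.

```javascript
// Added example, not ESF's own rule. Install as a .rules file under
// /etc/polkit-1/rules.d/ (the file name is your choice; polkit reads rule
// files in lexical order and the first rule that returns a result wins).

// Assumption: "myapp.service" is a hypothetical unit your application manages.
var ALLOWED_UNITS = ["myapp.service"];
// Only the operations needed; restart, reload, enable, etc. are not granted.
var ALLOWED_VERBS = ["start", "stop"];
// "esfd" is the privileged executor user; use "esf" for the unprivileged one.
var ALLOWED_USER = "esfd";

function esfManageUnitRule(action, subject) {
    // systemd asks for this action when a unit is started or stopped over D-Bus.
    if (action.id !== "org.freedesktop.systemd1.manage-units") {
        return polkit.Result.NOT_HANDLED;
    }
    if (subject.user !== ALLOWED_USER) {
        return polkit.Result.NOT_HANDLED;
    }
    // systemd passes the target unit and the requested operation as details.
    var unit = action.lookup("unit");
    var verb = action.lookup("verb");
    if (ALLOWED_UNITS.indexOf(unit) !== -1 &&
        ALLOWED_VERBS.indexOf(verb) !== -1) {
        return polkit.Result.YES;
    }
    // Anything else falls through to the remaining rules (default restrictions).
    return polkit.Result.NOT_HANDLED;
}

// polkitd provides the global "polkit" object; the guard only lets this file
// be loaded in a plain JavaScript engine for testing.
if (typeof polkit !== "undefined") {
    polkit.addRule(esfManageUnitRule);
}
```

Returning `NOT_HANDLED` instead of `NO` for non-matching requests leaves the decision to the other installed rules, so this file only ever widens access for the listed unit.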
Warning
Restricting the set of services that ESF is allowed to manage is only supported on devices where the Polkit version is greater than 0.105. In other cases (e.g. Ubuntu 22.04, which provides Polkit 0.105), ESF is able to start and stop any systemd unit.