
Published: 2020-06-15

Manage web application start and restart on Ubuntu with systemd

I will show you how to let your application start on server startup and restart on failure.


Create a system user

You should do this so that your application does not get more access than it needs. To create a system user with no login and no home directory, run sudo useradd -r -s /bin/false username. "-r" creates a system user without a home directory. "-s /bin/false" sets the user's login shell to /bin/false, which is not a usable shell, so the user won't be able to log in.

Control access to the filesystem

If you don't need to access the filesystem you can skip this step. Otherwise you should enable your previously created user to access only specific paths on your system.

The right place to put variable files on your system is "/var": use "/var/log" for log files and "/var/lib" for other files, for example file uploads.

As an example, we will enable our application to read and write some files on the hard disk. We choose "/var/lib/myServiceName" to store the data.

  • sudo mkdir /var/lib/myServiceName - creates the directory
  • sudo chown username /var/lib/myServiceName - makes your user the owner of the directory
  • sudo chmod 755 /var/lib/myServiceName - "755" allows your user to "read (4+), write (2+) and execute (1+)" and other system users only to "read and execute". If you only need to read from this folder, you should use "555" instead; if only the owning user should be able to "read, write and execute" the files, you could even use "700".

Systemd file, where the action starts

Once you have figured out how to start your application, all you need to do is add the following file using sudo nano /etc/systemd/system/myServiceName.service and modify it according to your needs.

Lines you should modify:

  • "Description": choose a good description to recognize your application and tell what it does
  • "User": the name of your newly created user
  • "Group": the name of your newly created user - the command to create the user also creates a group with the same name
  • "ExecStart": the start script of your application, make sure the user you created has access to the resources. You can control this with the "chown" and "chmod" commands we have seen previously
  • "WorkingDirectory": set the current working directory (cwd) of your application. This matters for example when your application needs to resolve relative paths.
  • "Environment": here you can set some environment variables for your application. If you don't need that, you can remove those lines.

[Unit]
Description=your web app description
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
User=username
Group=username
# Replace with the start script of your application, for example:
ExecStart=/usr/bin/node index.js
WorkingDirectory=/srv/www/example.com
Environment=NODE_ENV=production
Environment=PORT=3005

[Install]
WantedBy=multi-user.target

Now run sudo systemctl enable myServiceName.service to make sure your service starts again when the server restarts.

If you are ready to run your service type sudo systemctl start myServiceName.

If you need a detailed log when something goes wrong, use sudo journalctl --unit=myServiceName -e. "--unit=myServiceName" filters for your service and "-e" jumps to the end of the log.
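
Once the user, the directory and the unit file are in place, the result of the three steps above can be checked with a small script. This is an added example, not part of the original post; the function names are hypothetical, and "stat -c" assumes GNU coreutils as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example: audits the three steps of this article. Function names are
# hypothetical; "stat -c" assumes GNU coreutils, as shipped with Ubuntu.

# Print the last value of KEY in the [Service] section of a unit file.
unit_get() { # usage: unit_get KEY FILE
    awk -v key="$1" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { print val }' "$2"
}

# Succeed only if the unit runs as a dedicated, non-root user.
audit_unit() { # usage: audit_unit FILE
    user=$(unit_get User "$1")
    case "$user" in
        "")     echo "FAIL: $1 has no User=, the service would run as root"; return 1 ;;
        root|0) echo "FAIL: $1 sets User=$user"; return 1 ;;
    esac
    echo "OK: $1 runs as $user"
}

# Succeed only if USER has a non-interactive login shell in a passwd-format file.
audit_shell() { # usage: audit_shell USER [PASSWD_FILE]
    shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "${2:-/etc/passwd}")
    case "$shell" in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin)
            echo "OK: $1 cannot log in ($shell)" ;;
        "") echo "FAIL: $1 not found or has an empty shell field"; return 1 ;;
        *)  echo "FAIL: $1 has login shell $shell"; return 1 ;;
    esac
}

# Succeed only if DIR is owned by OWNER and not writable by group or others.
audit_dir() { # usage: audit_dir DIR OWNER
    owner=$(stat -c '%U' "$1") || return 1
    mode=$(stat -c '%a' "$1")
    rc=0
    [ "$owner" = "$2" ] || { echo "FAIL: $1 is owned by $owner, not $2"; rc=1; }
    # "0$mode" is read as octal; 022 masks the group and other write bits.
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "FAIL: $1 mode $mode is group/world writable"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 is $mode, owned by $owner"
    return "$rc"
}

# Usage on the server:
#   audit_unit /etc/systemd/system/myServiceName.service
#   audit_shell username && audit_dir /var/lib/myServiceName username
```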

This was a short one. It's really not too hard if somebody tells you what to do. 😁

List of commands

  • sudo useradd -r -s /bin/false username - create a system user
    • "-r" will create a system user without a home directory
    • "-s /bin/false" sets the user's login shell to /bin/false, which is not a usable shell, so the user won't be able to log in
  • sudo mkdir /var/lib/myServiceName - creates the directory (add "-p" to also create missing parent directories in the path)
  • sudo chown username /var/lib/myServiceName - makes your user the owner of the directory
  • sudo chmod 755 /var/lib/myServiceName - "755" allows your user to "read (4+), write (2+) and execute (1+) (4+2+1=7)", the next number sets the rights for the user group, the last one for everyone

Tags

#linux #tutorial #security #ubuntu