This library generates a systemd unit file to manage an Elixir release. It supports releases generated by Elixir 1.9+ mix release or Distillery.
At its heart, it's a mix task which reads information about the project from
mix.exs and config/config.exs then generates systemd unit files using Eex
templates. The goal is that the project defaults will generate a good systemd
unit file, and standard options support more specialized use cases.
It uses standard systemd functions and conventions to make your app a more "native" OS citizen and takes advantage of systemd features to improve security and reliability. While it can be used standalone, more advanced use cases use scripts from e.g., mix_deploy.
This complete example app puts the pieces together.
Add mix_systemd to the list of dependencies in mix.exs:
def deps do
[
{:mix_systemd, "~> 0.7"},
]
endThe library tries to choose reasonable defaults, so you may not need to
configure anything. It reads the app name from mix.exs and calculates default
values for its configuration parameters. For example, if your app is named
foo_bar, it will create a service named foo-bar, deployed to
/srv/foo-bar, running under the user foo-bar.
You can override these parameters using settings in config/config.exs, e.g.:
config :mix_systemd,
app_user: "app",
app_group: "app",
base_dir: "/opt",
env_vars: [
"PORT=8080",
]There are four different kinds of things that we may want to configure:
-
Static information about application layout, e.g., file paths. This is the same for all machines in an environment, e.g., staging or prod.
-
Information specific to the environment, e.g., the hostname of the db server.
-
Secrets such as db passwords, API keys, or encryption keys.
-
Dynamic information such as the IP address of the server or other machines in the cluster.
Elixir has a couple of mechanisms for storing configuration. When you compile
the release, it converts Elixir-format config files like config/config.exs
into an initial application environment that is read by Application.get_env/3.
That's good for simple, relatively static apps. It's not ideal to store
passwords in the release file, though.
Elixir 1.9+ releases support dynamic configuration at runtime. You can configure
via the Elixir file config/runtime.exs which is loaded when the VM boots or
use the shell script rel/env.sh.eex to set environment vars.
With these you can theoretically do anything. In practice, however, it can be
more convenient and secure to process the config outside of the app. That's
where mix_systemd and mix_deploy come in.
The simplest thing is to set environment variables. Add individual vars to
env_vars, and they will be set in the systemd unit file. Add files to
env_files and systemd will load them before starting your app.
Your application then calls System.get_env/1 in config/runtime.exs or
application startup. Note that these environment vars are read at runtime,
not when building your app.
env_vars: [
# Set a variable, good for things that are not sensitive and don't change
"PORT=8080",
],
dirs: [
# create /etc/foo
:configuration,
],
env_files: [
# Read environment vars from the file /etc/foo/environment
["-", :configuration_dir, "/environment"],
]/etc/foo/environment looks like:
DATABASE_URL="ecto://foo_prod:Sekrit!@db.foo.local/foo_prod"
SECRET_KEY_BASE="EOdJB1T39E5Cdeebyc8naNrOO4HBoyfdzkDy2I8Cxiq4mLvIQ/0tK12AK1ahrV4y"
HOST="www.example.com"
ASSETS_HOST="assets.example.com"
RELEASE_COOKIE="LmCMGNz04yEJ4MQc6jt3cS7QjAppYOw_bQa7NE5hPZJGqL3Yry1jUg=="
config/runtime.exs does something like the following (the default files are good):
config :foo, Foo.Repo,
url: System.get_env("DATABASE_URL")
config :foo, FooWeb.Endpoint,
http: [:inet6, port: System.get_env("PORT") || 4000],
url: [host: System.get_env("HOST"), port: 443],
static_url: [host: System.get_env("ASSETS_HOST"), port: 443],
secret_key_base: System.get_env("SECRET_KEY_BASE"),
cache_static_manifest: "priv/static/cache_manifest.json"The question is how to get the environment files onto the server. For simple server deployments, we can copy the config to the server when doing the initial setup.
In cloud environments, we may run from a read-only image, e.g., an Amazon AMI, which gets configured at start up based on the environment by copying the config from an S3 bucket, e.g.:
umask 077
aws s3 sync --exact-timestamps --no-progress "s3://${CONFIG_BUCKET}/" "/etc/foo/"
chown -R $DEPLOY_USER:$APP_GROUP /etc/foo
find /etc/foo -type f -exec chmod 640 {} \;
find /etc/foo -type d -exec chmod 750 {} \;The following example runs the script /srv/foo/bin/deploy-sync-config-s3 from
mix_deploy. It uses an environment file in /srv/foo/etc/environment
to bootstrap the sync, e.g., setting the S3 bucket name. That file
is placed there by CodeDeploy at deploy time.
config :mix_systemd,
exec_start_pre: [
# Run before starting the app
# The `!` means the script is run as root, not as the app user
["!", :deploy_dir, "/bin/deploy-sync-config-s3"]
],
dirs: [
:configuration, # /etc/foo, app configuration, e.g. db passwords
:runtime, # /run/foo, temp files which may be deleted between runs
],
env_files: [
["-", :deploy_dir, "/etc/environment"], # /srv/foo/etc/environment
]
env_vars: [
# Tell release to use /run/foo for temp files
["RELEASE_TMP=", :runtime_dir],
]At a certain point, making everything into an environment var becomes annoying. It's verbose and vars are simple strings, so you have to encode values safely and convert them back to lists, integers or atoms.
Config providers let you load files in standard formats like TOML.
[foo."Foo.Repo"]
url = "ecto://foo_prod:Sekrit!@db.foo.local/foo_prod"
pool_size = 15
[foo."FooWeb.Endpoint"]
secret_key_base = "EOdJB1T39E5Cdeebyc8naNrOO4HBoyfdzkDy2I8Cxiq4mLvIQ/0tK12AK1ahrV4y"The app reads these config files on startup and merges them into the app config.
defp releases do
[
prod: [
include_executables_for: [:unix],
config_providers: [
{TomlConfigProvider, path: "/etc/foo/config.toml"}
],
steps: [:assemble, :tar]
]
]
endThe startup scripts read the initial application environment compiled into the
release, parse the config file, merge the values, write it to a temp file, then
start the VM. Because of that, they need a writable directory. That is
configured using the RELEASE_TMP environment var, normally set to the app's
runtime_dir.
dirs: [
:configuration,
:runtime,
],
env_vars: [
["RELEASE_TMP=", :runtime_dir],
],You can also store config params in an external configuration system and read them at runtime. An example is AWS Systems Manager Parameter Store.
Set a parameter using the AWS CLI:
aws ssm put-parameter --name '/foo/prod/db/password' --type ‘SecureString’ --value 'Sekrit!"While it's possible to read params in config/runtime.exs, it's tedious.
Better is to grab all of them at once and write them to a file, then read it in
with a Config Provider like aws_ssm_provider.
aws --region us-east-1 ssm get-parameters-by-path --path "/foo/prod/" --recursive --with-decryption --query "Parameters[]" > /etc/foo/ssm.jsondefp releases do
[
prod: [
include_executables_for: [:unix],
config_providers: [
{AwsSsmProvider, path: "/etc/foo/ssm.json"}
],
steps: [:assemble, :tar]
]
]
endYou can write code to do things like query the system for the primary IP
address, but cloud-init
already does it.
You just have to read the JSON file.
The most common use for this is setting up the VM node name. In env.sh:
CLOUD_NAME=$(jq -r '.v1.cloud_name' < /run/cloud-init/instance-data.json)
if [ "$CLOUD_NAME" = "digitalocean" ]; then
IP_ADDR=$(jq -r '.ds.meta_data.interfaces.public[0].anchor_ipv4.ip_address' < /run/cloud-init/instance-data.json)
DEFAULT_IPV4="$IP_ADDR"
elif [ "$CLOUD_NAME" = "aws" ]; then
IP_ADDR=$(jq -r '.ds.meta_data."local-ipv4"' < /run/cloud-init/instance-data.json)
# IP_ADDR=$(jq -r '.ds.meta_data."public-ipv4"' < /run/cloud-init/instance-data.json)
AWS_REGION=$(jq -r '.v1.region' < /run/cloud-init/instance-data.json)
fi
RELEASE_DISTRIBUTION="name"
RELEASE_NODE="${RELEASE_NAME}@${IP_ADDR}"An important security principle is "least privilege". If an attacker manages to compromise the app, then they can do whatever it has permissions to do, not just what you expect. Because of that, I prefer that the account that the app runs under cannot write files, and having a writable config file that is also executed is the worst case scenario.
First, use the systemd.init task to template files from the library to the
rel/templates/systemd directory in your project.
mix systemd.initNext, generate output files in the build directory under
_build/#{mix_env}/systemd/lib/systemd/system.
MIX_ENV=prod mix systemd.generateThe following sections describe common configuration options.
See lib/mix/tasks/systemd.ex for the details of more obscure options.
If you need to make changes not supported by the config options,
then you can check the templates in rel/templates/systemd
into source control and make your own changes. Contributions are welcome!
app_name: Elixir application name, an atom, from the app or app_name
field in the mix.exs project. For umbrella apps, set app_name.
module_name: Elixir camel case module name version of app_name, e.g.,
FooBar.
release_name: Name of release, default app_name.
ext_name: External name, used for files and directories, default app_name
with underscores converted to "-", e.g., foo-bar.
service_name: Name of the systemd service, default ext_name.
release_system: :mix | :distillery, default :mix
Identifies the system used to generate the releases, Mix or Distillery.
app_user: OS user account that the app runs under, default ext_name.
app_group: OS group account, default ext_name.
base_dir: Base directory for app files on target, default /srv.
deploy_dir: Directory for app files on target, default #{base_dir}/#{ext_name}.
We use the
standard app directories,
for modern Linux systems. App files are under /srv, configuration under
/etc, transient files under /run, data under /var/lib.
Directories are named based on the app name, e.g. /etc/#{ext_name}.
The dirs variable specifies which directories the app uses.
By default, it doesn't set up anything. To enable them, configure the dirs
param, e.g.:
dirs: [
# :runtime, # App runtime files which may be deleted between runs, /run/#{ext_name}
# :configuration, # App configuration, e.g. db passwords, /etc/#{ext_name}
# :state, # App data or state persisted between runs, /var/lib/#{ext_name}
# :cache, # App cache files which can be deleted, /var/cache/#{ext_name}
# :logs, # App external log files, not via journald, /var/log/#{ext_name}
# :tmp, # App temp files, /var/tmp/#{ext_name}
],Recent versions of systemd (since 235) will create these directories at start time based on the settings in the unit file. With earlier systemd versions, create them beforehand using installation scripts, e.g., mix_deploy.
For security, we set permissions to 750, more restrictive than the systemd
defaults of 755. You can configure them with variables like
configuration_directory_mode. See the defaults in
lib/mix/tasks/systemd.ex.
systemd_version: Sets the systemd version on the target system, default 235.
This determines which systemd features the library will enable. If you are
targeting an older OS release, you may need to change it. Here are the systemd
versions in common OS releases:
- CentOS 7: 219
- Ubuntu 16.04: 229
- Ubuntu 18.04: 237
The library uses a directory structure under deploy_dir which supports
multiple releases, similar to Capistrano.
scripts_dir: deployment scripts which, e.g., start and stop the unit, defaultbin.current_dir: where the current Erlang release is unpacked or referenced by symlink, defaultcurrent.releases_dir: where versioned releases are unpacked, defaultreleases.flags_dir: dir for flag files to trigger restart, e.g., whenrestart_methodis:systemd_flag, defaultflags.
When using multiple releases and symlinks, the deployment process works as follows:
-
Create a new directory for the release with a timestamp like
/srv/foo/releases/20181114T072116. -
Upload the new release tarball to the server and unpack it to the releases dir.
-
Make a symlink from
/srv/#{ext_name}/currentto the new release dir. -
Restart the app.
If you are only keeping a single version, then deploy it to the directory
/srv/#{ext_name}/current.
The following variables support variable expansion:
expand_keys: [
:env_files,
:env_vars,
:runtime_environment_service_script,
:exec_start_pre,
:exec_start_wrap,
:read_write_paths,
:read_only_paths,
:inaccessible_paths,
]You can specify values as a list of terms, and it will look up atoms as keys in
the config. This lets you reference, e.g., the deploy dir or configuration dir without
having to specify the full path, e.g., ["!", :deploy_dir, "/bin/myscript"] gets
converted to "!/srv/foo/bin/myscript".
The library sets env vars in the unit file:
-
MIX_ENV:mix_env, defaultMix.env() -
LANG:env_lang, defaulten_US.utf8 -
RUNTIME_DIR:runtime_dir, if:runtimeindirs -
CONFIGURATION_DIR:configuration_dir, if:configurationindirs -
LOGS_DIR:logs_dir, if:logsindirs -
CACHE_DIR:cache_dir, if:cacheindirs -
STATE_DIR:state_dir, if:stateindirs -
TMP_DIR:tmp_dir, if:tmpindirs
You can set additional vars using env_vars, e.g.:
env_vars: [
"PORT=8080",
]You can also reference the value of other parameters by name, e.g.:
env_vars: [
["RELEASE_TMP=", :runtime_dir],
]You can read environment vars from files with env_files, e.g.:
env_files: [
["-", :deploy_dir, "/etc/environment"],
["-", :configuration_dir, "environment"],
["-", :runtime_dir, "environment"],
],The "-" at the beginning makes the file optional; the system will start without it. Later values override earlier values, so you can set defaults which get overridden in the local or runtime environment.
The release scripts may need to write temp files and log files, e.g., when
generating the application config files. By default, they do this under
the release dir, e.g., /srv/foo/current/tmp.
For security, it's better to deploy the app using a different user account from the one that the app runs under, with the source files read only. This makes it harder for an attacker to make changes to the source and then have the app run them.
In that case, we need to set an environment var which tells the release
startup scripts where they can write files. For Mix releases, that is
RELEASE_TMP and for Distillery it is RELEASE_MUTABLE_DIR, e.g.:
env_vars: [
{"RELEASE_TMP=", :runtime_dir},
]By default systemd will delete the runtime directory when restarting the app.
This can be annoying when debugging startup issues. You can set
runtime_directory_preserve to restart or yes (see
RuntimeDirectoryPreserve).
The following variables set systemd variables:
service_type: :simple | :exec | :notify | :forking. systemd
Type, default :simple.
Modern applications don't fork, they run in the foreground and rely on the
supervisor to manage them as a daemon. This is done by setting service_type
to :simple or :exec. Note that in simple mode, systemd doesn't actually
check if the app started successfully, it just continues starting other units.
If something depends on your app being up, :exec may be better.
Set service_type to :forking, and the library sets pid_file to
#{runtime_directory}/#{app_name}.pid and sets the PIDFILE env var to tell
the boot scripts where it is.
The Erlang VM runs pretty well in foreground mode, but traditionally runs as as a standard Unix-style daemon, so forking might be better. Systemd expects foregrounded apps to die when their pipe closes. See https://elixirforum.com/t/systemd-cant-shutdown-my-foreground-app-cleanly/14581/2
restart_method: :systemctl | :systemd_flag | :touch, default :systemctl
Set this to :systemd_flag, and the library will generate an additional
unit file which watches for changes to a flag file and restarts the
main unit. This allows updates to be pushed to the target machine by an
unprivileged user account which does not have permissions to restart
processes. Touch the file #{flags_dir}/restart.flag and systemd will
restart the unit.
working_dir: Current working dir for app. systemd
WorkingDirectory,
default current_dir.
limit_nofile: Limit on open files, systemd
LimitNOFILE,
default 65535.
umask: Process umask, systemd
UMask,
default "0027". Note that this is octal, so it needs to be a string.
restart_sec: Time in seconds to wait between restarts, systemd
RestartSec,
default 100ms.
syslog_identifier: Logging name, systemd
SyslogIdentifier,
default service_name
Scripts specified in exec_start_pre (systemd
ExecStartPre])
run before the main ExecStart script runs, e.g.:
exec_start_pre: [
["!", :deploy_dir, "/bin/deploy-sync-config-s3"]
]This runs the deploy-sync-config-s3 script from mix_deploy, which
copies config files from an S3 bucket into /etc/foo. By default,
scripts run as the same user and group as the main script. Putting
! in front makes the script run with elevated
privileges,
allowing it to write config to /etc/foo even if the main user account cannot for security reasons.
Instead of running the main ExecStart script directly, you can run a shell script
which sets up the environment, then runs the main script with exec.
Set exec_start_wrap to the name of the script, e.g.
deploy-runtime-environment-wrap from mix_deploy.
In Elixir 1.9+ releases you can use env.sh, but this runs earlier
with elevated permissions, so a wrapper script may still be useful.
You can run your own separate service to configure the runtime environment
before the app runs. Set runtime_environment_service_script to a script such
as deploy-runtime-environment-file from mix_deploy. This library will
create a #{service_name}-runtime-environment.service unit and make it a
systemd runtime dependency of the app.
Systemd starts units in parallel when possible. To enforce ordering, set
unit_after_targets to the names of systemd units that this unit depends on.
For example, if this unit should run after cloud-init to get runtime network
information,
set:
unit_after_targets: [
"cloud-init.target"
]paranoia: Enable systemd security options, default false.
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectSystem=full
ProtectHome=yes
PrivateUsers=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
MountAPIVFS=yes
│
chroot: Enable systemd chroot, default false.
Sets systemd RootDirectory is set to current_dir. You can also set systemd ReadWritePaths=, ReadOnlyPaths=,
InaccessiblePaths=
with the read_write_paths, read_only_paths and inaccessible_paths vars, respectively.
Distillery has largely been replaced by Elixir native releases.
This library works fine with it, though. exec_start_pre scripts
are particularly useful in the absence of env.sh.
Configure the library by setting release_system: :distillery, e.g..
config :mix_systemd,
release_system: :distillery,
exec_start_pre: [
# Run script as root before starting
["!", :deploy_dir, "/bin/deploy-sync-config-s3"]
],
dirs: [
:configuration,
:runtime,
],
runtime_directory_preserve: "yes",
env_vars: [
# Use /run/foo for temp files
["RELEASE_MUTABLE_DIR=", :runtime_dir],
# expand $CONFIGURATION_DIR in config files
REPLACE_OS_VARS=true,
]Set up
config providers
in rel/config.exs:
environment :prod do
set config_providers: [
{Mix.Releases.Config.Providers.Elixir, ["${CONFIGURATION_DIR}/config.exs"]}
]
endThis reads files in Elixir config format. Instead of including your
prod.secret.exs file in prod.exs, you can copy it to the server separately,
and it will be read at startup.
The TOML configuration provider works similarly:
environment :prod do
set config_providers: [
{Toml.Provider, [path: "${CONFIGURATION_DIR}/config.toml"]},
]
endAdd the TOML config provider to mix.exs:
{:toml_config_provider, "~> 0.2.0"}You can generate a file under the release with an overlay in
rel/config.exs, e.g.:
environment :prod do
set overlays: [
{:mkdir, "etc"},
{:copy, "rel/etc/environment", "etc/environment"},
# {:template, "rel/etc/environment", "etc/environment"}
]
endThat results in a file that would be read by:
env_files: [
["-", :current_dir, "/etc/environment"],
],Documentation is here: https://hexdocs.pm/mix_systemd
This project uses the Contributor Covenant version 2.1. Check CODE_OF_CONDUCT.md for more information.
I am jakemorrison on on the Elixir Slack and Discord, reachfh on Freenode
#elixir-lang IRC channel. Happy to chat or help with your projects.