Updated systemd (markdown)

szemley 2021-01-28 10:20:42 +00:00
parent 00acf45914
commit b4e287e5da

@ -165,9 +165,9 @@ sudo systemctl enable dnscrypt-proxy.service
In order to use DNSCrypt-Proxy but without systemd socket activation, User should consider various pros and cons. For example, main Developer - Mr Frank Denis suggests to not using systemd socket at all. On the other hand, some Users express their own opinions, saying that systemd socket activaction is a better choice (for more informations, please check **[1]** - there are various threads about systemd and socket activation etc.)
Despite all of this, User must know that systemd socket mechanism is designed to conserve system resources by preventing services starting until they are needed. There is also `NoDelay` option used (vide `/lib/systemd/system/dnscrypt-proxy.socket` file) to disable [Nagle's algorithm](https://en.wikipedia.org/wiki/Nagle's_algorithm) for "_reducing the number of packets that need to be sent over the network_" (generally it aims to combine many smaller TCP segments into larger one and send such packet over the network).
Despite all of this, User must know that systemd socket mechanism is designed to conserve system resources by preventing services starting until they are needed. There is also `NoDelay` option (vide `/lib/systemd/system/dnscrypt-proxy.socket` file) used to disable [Nagle's algorithm](https://en.wikipedia.org/wiki/Nagle's_algorithm) for "_reducing the number of packets that need to be sent over the network_" (generally it aims to combine many smaller TCP segments into larger one and send such packet over the network).
Moreover, there is additional advantage: systemd will open sockets, not the application process itself. That way, User don't have to grant additional permissions, such as `CAP_NET_BIND_SERVICE` capability (allows bind/listen on ports less than `1024` - so called **Privileged Ports**). And one of the most important thing: using sockets, systemd runs `dnscrypt-proxy` as a dedicated user, so there is no need to drop privileges etc.
Moreover, there is additional advantage: systemd will open sockets, not the application process itself. That way, User don't have to grant additional permissions, such as `CAP_NET_BIND_SERVICE` capability (allows bind/listen on ports less than `1024` - so called "_Privileged Ports_"). And one of the most important thing: using sockets, systemd runs DNSCrypt-Proxy as a dedicated user (e.g. `_dnscrypt-proxy` in Debian-based distributions), so there is no need to drop privileges etc.
Anyway, disabling systemd socket activation is relative simple, not to say trivial. In short, everything is about to stop and disable `dnscrypt-proxy.socket` unit, comment or remove options - related with systemd sockets - found in `dnscrypt-proxy.service` file (and eventually `dnscrypt-proxy-resolvconf.service`; see above examples [in:] **Usage with systemd**). The next step is to add a correct IP address to the `listen_addresses` option found in `dnscrypt-proxy.toml` configuration file. Finally, restart DNSCrypt-Proxy and check service status.
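Review bot: In the rewritten "Moreover, ..." line, "using sockets, systemd runs DNSCrypt-Proxy as a dedicated user" still presents the unprivileged account as something socket activation does, when the two are separate. Socket activation means systemd binds the port; that is what lets the service start directly as the dedicated user without `CAP_NET_BIND_SERVICE`. Suggest wording along the lines of "because systemd binds the port, the service can start as a dedicated user (e.g. `_dnscrypt-proxy`) and never needs elevated privileges". Readers who then follow the next paragraph and disable `dnscrypt-proxy.socket` will understand that binding a port below `1024` from `listen_addresses` needs the capability again. In the rewritten `NoDelay` line, the quoted phrase "_reducing the number of packets that need to be sent over the network_" describes what Nagle's algorithm does, not what disabling it achieves, so "disable Nagle's algorithm for ..." reads the wrong way round; say that `NoDelay` turns the coalescing off. Both new lines also carry over "User don't have to" and "one of the most important thing" unchanged, which is worth fixing while the paragraph is being touched.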