LinuxSystemd
Newer versions of Linux are increasingly migrating from old-style System V init scripts to the systemd management framework for services. This framework introduces various changes that deployers may need to be aware of. While most systems provide some basic compatibility so that the usual service control commands will work, the RPM packages on these platforms do not install a standard init script or a sysconfig script.
Instead, the package includes a read-only "unit" file installed to /usr/lib/systemd/system/shibd.service that describes how to manage the service. Do not modify this file, as it will be replaced during upgrades.
If you want to modify anything in the file, this can be done by running systemctl edit shibd, which will start a text editor letting you add only the things you'd like to override. (This will then be written to a file called /etc/systemd/system/shibd.service.d/override.conf and will also take care of reloading systemd to activate the changes.)
To do the same thing manually – or maybe from a configuration management system such as Ansible or Puppet – create a file named /etc/systemd/system/shibd.service.d/shibd.conf and include any overridden lines you want to merge into the file. You can name the file itself anything that ends in the "conf" extension. (Do not create that directory and leave it empty, though!)
Note that if you modify the unit file definition outside of systemctl edit, e.g. manually or programmatically, you will need to tell systemd about the change using systemctl daemon-reload.
Increase startup timeout
If you're trying to load very large SAML 2.0 Metadata (e.g. the size of InCommon or eduGAIN), you may need to increase the startup timeout systemd applies before it kills off shibd and tries to start it again (which is pointless since signature-validating that metadata won't be any faster the next time). This can be done by setting TimeoutStartSec to a rather large value, e.g. 2h (or infinity, to disable the startup timeout functionality) for InCommon/eduGAIN-sized metadata. See below for an example or the systemd.service documentation.
Example: Have systemd wait up to 2 hours for shibd to start
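# Create the drop-in directory first; tee fails if it does not exist yet
sudo mkdir -p /etc/systemd/system/shibd.service.d
echo -e '[Service]\nTimeoutStartSec=2h' | sudo tee /etc/systemd/system/shibd.service.d/timeout.conf
sudo systemctl daemon-reload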
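For the manual or configuration-management route described above, the following is an added example (not part of the original page or of the Shibboleth packages) that installs a drop-in idempotently, never leaves an empty shibd.service.d directory behind, and runs daemon-reload only when the file actually changed. The function names and the UNIT_ROOT and SYSTEMCTL variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Shibboleth project code.
# UNIT_ROOT and SYSTEMCTL are assumptions of this example so it can be
# tried against a scratch directory and a stub reload command.
UNIT_ROOT="${UNIT_ROOT:-/etc/systemd/system}"

# write_dropin NAME CONTENT
# Installs CONTENT as shibd.service.d/NAME.conf; prints "changed" or "unchanged".
write_dropin() {
    name="$1"; content="$2"
    dir="$UNIT_ROOT/shibd.service.d"
    file="$dir/$name.conf"
    # Check before mkdir so a rejected call never leaves an empty directory.
    if [ -z "$content" ]; then
        echo "refusing to write an empty drop-in" >&2
        return 2
    fi
    if [ -f "$file" ] && [ "$(cat "$file")" = "$content" ]; then
        echo unchanged
        return 0
    fi
    mkdir -p "$dir" || return 1
    # The temp name does not end in .conf, so systemd ignores it if left behind.
    tmp="$(mktemp "$dir/.$name.XXXXXX")" || { rmdir "$dir" 2>/dev/null; return 1; }
    # 0644: world-readable, writable only by the owner (root in production).
    if printf '%s\n' "$content" > "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$file"; then
        echo changed
    else
        rm -f "$tmp"; rmdir "$dir" 2>/dev/null
        return 1
    fi
}

# apply_dropin NAME CONTENT
# Writes the drop-in and runs daemon-reload only when the file changed.
apply_dropin() {
    result="$(write_dropin "$1" "$2")" || return $?
    if [ "$result" = changed ]; then
        ${SYSTEMCTL:-systemctl} daemon-reload || return 1
    fi
    echo "$result"
}

# Usage (as root): apply_dropin timeout '[Service]
# TimeoutStartSec=2h'
```

After applying, systemctl cat shibd shows the packaged unit followed by each drop-in, which confirms the override was picked up.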