Why Would I Use "Service Sshd Reload" in Preference to "Service Sshd Restart"

gitolite not working with sshd service

I suspect the keys are working in both cases.

But running sshd as a service is different than running it from the current session: see "Why would I use “service sshd reload” in preference to “service sshd restart”?".

The service cancels all inherited environment variables, and keeps only PATH and TERM.

Gitolite uses a forced command registered in ~gitolite/.ssh/authorized_keys, and there must be an environment variable missing (when sshd is run as a service) which prevents the execution of the command.


There was a similar case with "public key authentication fails ONLY when sshd is daemon":

SELinux is likely the cause.

The .ssh dir is probably mislabeled.

Look at /var/log/audit/audit.log. It should be labeled ssh_home_t.

Check with ls -laZ. Run restorecon -r -vv /root/.ssh if need be.
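
The audit.log check described above, as an added example that is not part of the original answers: a shell function that lists AVC denials where sshd was blocked from an object whose SELinux type is not ssh_home_t. The function names are hypothetical and the log lines are constructed.

```shell
#!/bin/sh
# Added example: triage SELinux denials that stop sshd reading authorized_keys.
# EXPECTED_TYPE comes from the answer above; the sample log lines are constructed.
EXPECTED_TYPE=ssh_home_t

# sshd_avc_mislabels FILE
# Print "name<TAB>type" once for each AVC denial where comm="sshd" and the
# target object's SELinux type is not EXPECTED_TYPE. Returns 1 if any were found.
sshd_avc_mislabels() {
    awk -v want="$EXPECTED_TYPE" '
        # Return the value of key=value (quotes stripped) from an audit record.
        function field(key,    i, v) {
            for (i = 1; i <= NF; i++) {
                if (index($i, key "=") == 1) {
                    v = substr($i, length(key) + 2)
                    gsub(/"/, "", v)
                    return v
                }
            }
            return ""
        }
        /type=AVC/ && /denied/ && field("comm") == "sshd" {
            # tcontext is user:role:type:level; the type is the third part.
            split(field("tcontext"), ctx, ":")
            if (ctx[3] != want) {
                rec = field("name") "\t" ctx[3]
                if (!(rec in seen)) { seen[rec] = 1; print rec; bad = 1 }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample in audit.log format (not taken from a real host).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=2201 comm="sshd" name="authorized_keys" dev="dm-0" ino=131 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:502): avc:  denied  { read } for  pid=2201 comm="sshd" name="authorized_keys" dev="dm-0" ino=131 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.300:510): avc:  denied  { write } for  pid=990 comm="httpd" name="upload" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=USER_AUTH msg=audit(1700000002.000:520): pid=2201 uid=0 auid=4294967295 msg='op=pubkey acct="root" exe="/usr/sbin/sshd" res=failed'
EOF
}
```

On a real host, call `sshd_avc_mislabels /var/log/audit/audit.log` as root; each name it prints is a candidate for the restorecon step above.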

docker container can't use `service sshd restart`

The build process only builds an image. Processes that are run at that time (using RUN) are no longer running after the build, and are not started again when a container is launched using the image.

What you need to do is get sshd to start at container runtime. The simplest way to do that is using an entrypoint script.

Dockerfile:

COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

ENTRYPOINT ["/entrypoint.sh"]
CMD ["whatever", "your", "command", "is"]

entrypoint.sh:

#!/bin/sh

# Start the ssh server
/etc/init.d/ssh restart

# Execute the CMD
exec "$@"

Rebuild the image using the above, and when you use it to start a container, it should start sshd before running your CMD.

You can also change the base image you start from to something like Phusion baseimage if you prefer. It makes it easy to start some services like syslogd, sshd, that you may wish the container to have running.

Restart service when service file changes when using Ansible

There are two solutions.

Register + When changed

You can register template module output (with its status change),

register: service_conf

and then use a when clause.

when: service_conf.changed

For example:

---
- name: Systemd service
  template:
    src: sonar.unit.j2
    dest: /etc/systemd/system/sonarqube.service
  when: "ansible_service_mgr == 'systemd'"
  register: service_conf

- name: restart service
  service:
    name: sonarqube
    state: restarted
  when: service_conf.changed

Handler + Notify

You define your restart service task as a handler. And then in your template task you notify the handler.

tasks:
  - name: Add Sonarqube to Systemd service
    template:
      src: sonar.unit.j2
      dest: /etc/systemd/system/sonarqube.service
    when: "ansible_service_mgr == 'systemd'"
    notify: Restart Sonarqube
  - …

handlers:
  - name: Restart Sonarqube
    service:
      name: sonarqube
      state: restarted

More info can be found in Ansible Doc.

Difference between those 2?

In the first case, the service will restart directly. In the case of the handler the restart will happen at the end of the play.

Another difference will be, if you have several task changes that need a restart of your service, you simply add the notify to all of them.

  • The handler will run if any of those tasks gets a changed status. With the first solution, you will have to register several returns. And it will generate a longer when clause_1 or clause_2 or
  • The handler will run only once even if notified several times.

Ansible Service Restart Failed

As the comments above state, this is an Ansible issue that will apparently be fixed in the 2.0 release.

I just changed my handler to use the command module and moved on:

- name: restart sshd
  command: service ssh restart

