33

How can I disable all services except ssh on modern (systemd based) linux distributions?

I need to implement a maintenance mode.

All these services need to be down:

  • postgres
  • postfix
  • apache
  • cups
  • cron
  • dovecot

But ssh must not be shut down, since this gets used to do tasks during the maintenance mode.

Of course I could write a shell script which loops over a list of services which I would like to disable. But this feels like I reinventing something which already exists, but which I don't know up to now.

guettli
  • 3,113
  • 14
  • 59
  • 110
  • 1
    What type of tasks? Why do you need this? – ewwhite Nov 25 '17 at 13:30
  • @user430214 I updated the question. I added: Of course I could write a shell script which loops over a list of services which I would like to disable. But this feels like I reinventing something which already exists, but which I don't know up to now. – guettli Nov 25 '17 at 14:04

3 Answers3

59

This sounds a lot like runlevels, replaced with targets in Systemd. So, instead of writing a script that starts and stop a list of services, you could create a new maintenance.target containing only the services necessary, like SSH. Of course, SSH is not quite useful without networking, so in this example a simple emergency-net.target is modified to include SSH.

[Unit]
Description=Maintenance Mode with Networking and SSH
Requires=maintenance.target systemd-networkd.service sshd.service
After=maintenance.target systemd-networkd.service sshd.service
AllowIsolate=yes

Then, you could enter your maintenance mode using

# systemctl isolate maintenance.target

and back

# systemctl isolate multi-user.target
Esa Jokinen
  • 43,252
  • 2
  • 75
  • 122
  • 2
    Thank you very much for this answer. It shows me that asking is useful, even if you think there is no nice answer except writing a dirty shell script. The emergency-net.target is a simple and elegant solution - great :-) – guettli Nov 27 '17 at 11:40
  • It certainly is, as it also takes care of all the dependencies, and you don't need to update your script every time you install a new service. – Esa Jokinen Nov 27 '17 at 11:41
  • 1
    Could you please post what the maintenance.target file looks like? The above isn't working for me and I wonder if it's something I'm getting wrong in maintenance.target. – chilicheech Apr 14 '20 at 18:51
  • @chilicheech: Sorry for the late reply. You can take any suitable `.target` from `/lib/systemd/system` and modify your desired `maintenance.target` from that. It seems e.g. Debian 10 doesn't have the `emergency-net.target` used here anymore. – Esa Jokinen Jul 24 '20 at 08:42
3

Based on the excellent answer of @Esa, on Debian 10, you have the file rescue-ssh.target to disable all services, except ssh and networking:

/lib/systemd/system/rescue-ssh.target

[Unit]
Description=Rescue with network and ssh
Documentation=man:systemd.special(7)
Requires=network-online.target ssh.service
After=network-online.target ssh.service
AllowIsolate=yes

So now, you can proceed as fallows:

1. Enter in the maintenance mode:

systemctl isolate rescue-ssh.target (only ssh and networking)

2. Check the maintenance mode:

lsof -i:1-65535 (and you will only see the port of the ssh running)

3. Exit from the maintenance mode:

systemctl isolate multi-user.target (and everything is back again)

robe007
  • 203
  • 1
  • 2
  • 9
3

First list your services and search for their corresponding systemd-names.

Then build a list and stop each list member to enter maintenance, start each member after maintenance.

Nils
  • 7,657
  • 3
  • 31
  • 71