Setting up geth as a service under systemd (Updated for Fedora 27)
[Unit]
Description=Ethereum go client
After=syslog.target network.target
[Service]
User=geth
Group=geth
Environment=HOME=/home/geth
Type=simple
# ExecStart=/home/geth/go-ethereum/build/bin/geth --cache 2048 --rpc --rpcaddr="0.0.0.0" --rpcvhosts=ethjsonrpc.mchange.com --ipcdisable
# ExecStart=/home/geth/go-ethereum/build/bin/geth --cache 2048 --rpc --rpcaddr="127.0.0.1" --rpcvhosts=ethjsonrpc.mchange.com --ipcdisable
ExecStart=/home/geth/go-ethereum/build/bin/geth --cache 2048 --http --http.addr="127.0.0.1" --http.vhosts=ethjsonrpc.mchange.com --ipcdisable
KillMode=process
KillSignal=SIGINT
TimeoutStopSec=90
Restart=on-failure
RestartSec=10s
[Install]
WantedBy=multi-user.target

Setting up geth as a service under systemd Fedora 27

Prerequisite: dnf install golang

  1. Create user geth with useradd
  2. As user geth fast sync the blockchain, geth --fast --cache 1024
  3. Manually run geth --rpc as user geth and watch to see that the blockchain continues to sync properly
  4. Install the geth.service file (also in this gist) in /usr/lib/systemd/system/
  5. Make a symlink from /etc/systemd/system/multi-user.target.wants/geth.service to /usr/lib/systemd/system/geth.service
  6. systemctl enable geth followed by systemctl start geth
  7. Over and over and over again, until geth runs with no permission-denied log messages, repeat this cycle:
     grep geth /var/log/audit/audit.log | audit2allow -M local-geth
     semodule -i local-geth.pp
     systemctl start geth
     systemctl status geth.service
     journalctl --follow -u geth
     semodule -r local-geth

...and around again

Some Notes

  • /home/geth/go-ethereum is a clone of the git archive, from which I rebuild from source to do upgrades. Remember to fetch and check out the latest release version; don't run development snapshots. The geth binary itself shows up in /home/geth/go-ethereum/build/bin after everything is built with make all.

  • I had trouble getting geth to shut down properly on systemctl stop geth. The signal needed to be made SIGINT rather than SIGTERM to prevent an immediate shutdown without closing the database. I had to pass the --ipcdisable flag to geth because the file /home/geth/.ethereum/geth.ipc was not properly cleaned up.

  • geth 1.8.0 has tighter security now for named domains, thus --rpcvhosts=ethjsonrpc.mchange.com, which is new.

  • The final (I hope) version of the SELinux policy file generated by audit2allow is included in this gist as local-geth.te

module local-geth 1.0;

require {
	type ephemeral_port_t;
	type user_home_t;
	type init_t;
	type user_tmp_t;
	type unreserved_port_t;
	class file { append create execute execute_no_trans lock map open read rename unlink write };
	class sock_file { create setattr };
	class tcp_socket name_connect;
}

#============= init_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow init_t ephemeral_port_t:tcp_socket name_connect;
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow init_t unreserved_port_t:tcp_socket name_connect;
allow init_t user_home_t:file { append create lock map open read rename unlink write };
allow init_t user_home_t:sock_file { create setattr };
allow init_t user_tmp_t:file { execute execute_no_trans map };
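
Step 7 installs whatever audit2allow generates, so it is worth reading the rules before each semodule -i. The following Python is an added example, not part of the gist: it parses the allow rules of local-geth.te and flags rules whose source domain is shared with other processes, rules that permit executing files of a user-writable type, and rules that audit2allow says a boolean could cover. The SHARED_DOMAINS and USER_WRITABLE sets and the flag names are assumptions of the example.

```python
import re

# The policy body from local-geth.te on this page, embedded so the example runs offline.
POLICY = """\
#============= init_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow init_t ephemeral_port_t:tcp_socket name_connect;
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow init_t unreserved_port_t:tcp_socket name_connect;
allow init_t user_home_t:file { append create lock map open read rename unlink write };
allow init_t user_home_t:sock_file { create setattr };
allow init_t user_tmp_t:file { execute execute_no_trans map };
"""

# Assumptions of this example, not part of the gist: which source domains are
# shared by many processes, and which target types ordinary users can write to.
SHARED_DOMAINS = {"init_t", "unconfined_service_t"}
USER_WRITABLE = {"user_home_t", "user_tmp_t", "tmp_t"}

ALLOW = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;")
HINT = re.compile(r"#!!!!.*boolean '([^']+)'")

def review(te_text):
    """Return [(rule, [flags])] for every allow rule in audit2allow output."""
    results, boolean = [], None
    for line in te_text.splitlines():
        hint = HINT.match(line.strip())
        if hint:                      # audit2allow note applies to the next rule
            boolean = hint.group(1)
            continue
        m = ALLOW.match(line.strip())
        if not m:
            continue
        src, tgt, cls, braced, single = m.groups()
        perms = set((braced or single).split())
        flags = []
        if src in SHARED_DOMAINS:     # grant reaches every process in that domain
            flags.append("shared-source")
        if tgt in USER_WRITABLE and perms & {"execute", "execute_no_trans"}:
            flags.append("exec-from-user-writable")
        if boolean:                   # an existing boolean may replace the rule
            flags.append("boolean:" + boolean)
        results.append((f"{src} -> {tgt}:{cls}", flags))
        boolean = None
    return results

if __name__ == "__main__":
    for rule, flags in review(POLICY):
        print(f"{rule:45} {', '.join(flags) or 'ok'}")
```
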
jayboy-mabushi commented Aug 2, 2021

I have been getting unclean shutdowns which end up corrupting the level db every time I stop geth. I am not sure what I am doing wrong and how to resolve this.
