There's no need for PIDFile=, especially not for Type=notify services.
systemd knows the correct pid of the process it manages.
No need for the `--bind` option either, since gunicorn supports the
LISTEN_FDS environment variable and will use all of the sockets that systemd
provides. This way, it's also more flexible, since we can specify several
sockets in a .socket unit.
The .socket unit should specify User=www-data so that nginx can connect to the socket.
The service (gunicorn process) will inherit the file descriptor so it
doesn't even need permissions for the socket (it's nginx which needs
permissions).
tmpfiles.d is not needed.
replace ExecStop=/bin/kill with KillMode=mixed
* add systemd sd_notify support
roughly based on sd_notify() from systemd and https://github.com/bb4242/sdnotify
only implements `READY=1` and `STATUS=Gunicorn arbiter booted` of the
protocol in the arbiter. in the future, reloads can be notified, and
possibly also other statuses.
see https://www.freedesktop.org/software/systemd/man/sd_notify.html for
more info
sd_notify() is a noop when not run in a systemd service (i.e
NOTIFY_SOCKET environment variable is not set)
The doc change introduced in #1037 is initially helpful but then internally
inconsistent. It correctly points out that X-Forwarded-For is no longer
used in setting REMOTE_ADDR (c4873681299212d6082cd9902740eef18c2f14f1),
but then confusingly indicates a solution using the X-Forwarded-For header.
The deployment doc provides a full configuration example which includes
proxy headers as set by nginx. What is missing, before this patch, is a
clear suggestion on how to make use of the header in Gunicorn's access
log.
Accordingly, remove the confusing suggestion and replace it with a drop-in
replacement for Gunicorn's default access log format.
The systemd files recommended in the docs do not work. The socket file disappears after the first request, or after the service is restarted.
This commit updates the systemd files to include the correct settings
The sample as-is was not clear about what file the configuration was to go in.
This sample is to go into nginx.conf, but nginx as of 20180516 has
nginx.conf + conf.f/default.conf. This sample overrides all that into the single
file so being specific is better.
As per [their blog post of the 27th April](https://blog.readthedocs.com/securing-subdomains/) ‘Securing subdomains’:
> Starting today, Read the Docs will start hosting projects from subdomains on the domain readthedocs.io, instead of on readthedocs.org. This change addresses some security concerns around site cookies while hosting user generated data on the same domain as our dashboard.
Test Plan: Manually visited all the links I’ve modified.
Gunicorn v19 removed functionality which updated `REMOTE_ADDR` to the value of
the `X-Forwared-For` header if received from a trusted upstream client. This
was a violation of RFC 3875 CGI Version 1.1, and was hence removed.
Close: #1035
PR-URL: #1037
Related: #633
Signed-off-by: Hans Kristian Flaatten <hans.kristian.flaatten@turistforeningen.no>
This will restore graceful shutdown of workers by master.
Also worker_int callback is moved from handle_exit (INT and TERM before switching) to handle_quit(INT and QUIT).
