Extremely minimal wrapper around sd_notify
8.0.0
First you need some systemd development files; on Ubuntu these can be installed via:
$ sudo apt install libsystemd-dev
...then using npm:
$ npm install --save sd-notify
Example:
const notify = require('sd-notify')
// call notify after some async start up process
// such as in the `http` or `express` listen callback
app.listen(PORT, () => {
  console.log('listening on port ' + PORT)
  notify.ready()
})
Calling .ready() will inform systemd that the process has started, when using the notify type in a service definition file, e.g.:
[Unit]
Description=Simple notifying service
[Service]
Environment="NODE_ENV=production"
Type=notify
ExecStart=/usr/sbin/simple-notifying-service
TimeoutStartSec=30
Restart=always
[Install]
WantedBy=multi-user.target
"Watchdog" mode:
In the service file add WatchdogSec=n, where n is the number of seconds without contact after which systemd should stop (or restart) the service.
[Service]
Environment="NODE_ENV=production"
Type=notify
ExecStart=/usr/sbin/simple-notifying-service
TimeoutStartSec=30
Restart=always
WatchdogSec=3
...and in Node, you can call the native method .watchdog() directly in a setInterval or any other mechanism, depending on what kind of application you are developing, or you can use the helper function startWatchdogMode(milliseconds):
const notify = require('sd-notify')
app.listen(PORT, () => {
  console.log('listening on port ' + PORT)
  notify.ready()
  notify.startWatchdogMode(2800)
})
...above, the number supplied to the startWatchdogMode method is the interval, in milliseconds, at which we want to ping systemd; in the example this is 200ms less than the 3 seconds set in the service file. Due to the event loop there is no guarantee that the setInterval underneath will fire exactly every 2800ms; this will vary depending on how many functions are being called in the process. This has a nice side effect: if the process gets that busy, or that blocked, systemd will kill it (and restart it, with the Restart= config set). In the context of having multiple processes load balanced with Nginx (as an example) across multiple machines, this ensures that no one process is blocking for any significant amount of time.
You can also check whether the process was started by systemd with Watchdog mode enabled, using watchdogInterval(), which returns the number of milliseconds the watchdog has been set to, or 0 if it has not been set:
app.listen(PORT, () => {
  console.log('listening on port ' + PORT)
  notify.ready()
  const watchdogInterval = notify.watchdogInterval()
  if (watchdogInterval > 0) {
    const interval = Math.floor(watchdogInterval / 2)
    notify.startWatchdogMode(interval)
  }
})
...this way the Node process will behave in the correct manner in either situation.
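An added example, not part of sd-notify or its README: it goes one step beyond the snippet above and sends the watchdog ping only while an application health check passes, so a process that still runs timers but no longer does useful work also hits the WatchdogSec timeout. The names startGatedWatchdog, pingEvery and stubNotify are hypothetical, and the stub is a constructed stand-in for the real module; only watchdog() and watchdogInterval() come from the package.

```javascript
// Added example, not part of sd-notify. `notify` is injected so the logic
// runs without systemd; in a real service pass require('sd-notify').

// Ping period for a given watchdog timeout (ms): half the timeout, or 0
// when the watchdog is not enabled, matching the watchdogInterval() check.
function pingEvery (watchdogMs) {
  if (!Number.isFinite(watchdogMs) || watchdogMs <= 0) return 0
  return Math.max(1, Math.floor(watchdogMs / 2))
}

// Hypothetical helper: ping systemd only while isHealthy() returns true.
// A false or throwing health check skips the ping, so the WatchdogSec
// timeout expires and the unit's Restart= setting takes over.
function startGatedWatchdog (notify, isHealthy) {
  const every = pingEvery(notify.watchdogInterval())
  if (every === 0) return null // not started under a watchdog
  const tick = () => {
    let ok = false
    try { ok = isHealthy() === true } catch (err) { ok = false }
    if (ok) notify.watchdog()
    return ok
  }
  const timer = setInterval(tick, every)
  return { every, tick, stop: () => clearInterval(timer) }
}

// Constructed stand-in for sd-notify that counts watchdog pings.
function stubNotify (watchdogMs) {
  const stub = { pings: 0 }
  stub.watchdogInterval = () => watchdogMs
  stub.watchdog = () => { stub.pings++ }
  return stub
}

// Constructed run: WatchdogSec=3, health check fails on the third tick.
function demo () {
  const notify = stubNotify(3000)
  const results = [true, true, false]
  const wd = startGatedWatchdog(notify, () => results.shift())
  const seen = [wd.tick(), wd.tick(), wd.tick()]
  wd.stop()
  return { every: wd.every, pings: notify.pings, seen }
}
```

In a service, call startGatedWatchdog(require('sd-notify'), yourHealthCheck) after notify.ready(), where yourHealthCheck is a cheap synchronous check of your own.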
Status:
You can also send a status string to systemd, which will be appended to the service's log.
const notify = require('sd-notify')
// ...
notify.sendStatus('send some status to systemd')
// ...
...then, for example:
$ journalctl -u node-status
...
Apr 22 17:29:41 lenovo node[8275]: (8275) listening on 8000
Apr 22 17:29:41 lenovo systemd[1]: Started Express Node.js.
Apr 22 17:35:50 lenovo node[8275]: send some status to systemd
...
FAQs
wrapper around sd_notify for using systemd as a node process manager
We found that sd-notify demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.