Installing Boundary under Systemd

This section covers how to install Boundary under the systemd init system on modern Linux distributions. In this section, we’ll cover an example of breaking out the controller and worker servers onto separate instances, though you can opt to run both on a single server.

Filesystem Configuration

In the paths below, TYPE is either worker or controller when you run the two independently, e.g. for high availability. If you want to run combined nodes, modify as desired.

  1. /etc/boundary-${TYPE}.hcl: Configuration file for the Boundary service.

  2. /usr/local/bin/boundary: The Boundary binary, which can be built from source or downloaded from our release page.

  3. /etc/systemd/system/boundary-${TYPE}.service: Systemd unit file for the Boundary service.

User & Group Configuration

We recommend running Boundary as a non-root user and using this user to manage the Boundary process running under systemd. The example init files here do exactly that. Our example install script below creates a user and group on Ubuntu or Debian-like systems.

Systemd Unit File

    [Unit]
    Description=${NAME} ${TYPE}

    [Service]
    ExecStart=/usr/local/bin/${NAME} server -config /etc/${NAME}-${TYPE}.hcl
    User=boundary
    Group=boundary
    LimitMEMLOCK=infinity
    Capabilities=CAP_IPC_LOCK+ep
    CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK

    [Install]
    WantedBy=multi-user.target
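
A check that can be run against the unit above before enabling it, as an added example that is not part of the Boundary documentation: it reads the [Service] section and reports a missing or root User=, a root Group=, an unset CapabilityBoundingSet=, and the legacy Capabilities= directive, which systemd 230 and later ignore in favour of AmbientCapabilities=. The function names and the sample unit (the unit above with NAME=boundary and TYPE=controller substituted) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the privilege settings of a Boundary systemd unit.

# service_value FILE KEY: print the last value assigned to KEY in [Service].
service_value() {
    awk -F= -v key="$2" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && $1 == key { val = substr($0, length(key) + 2) }
        END { print val }
    ' "$1"
}

# audit_unit FILE: print one finding per line; no output means no findings.
audit_unit() {
    user=$(service_value "$1" User)
    group=$(service_value "$1" Group)
    bounding=$(service_value "$1" CapabilityBoundingSet)
    legacy=$(service_value "$1" Capabilities)
    case "$user" in
        ""|root|0) echo "FAIL User: service runs as root" ;;
    esac
    case "$group" in
        root|0) echo "FAIL Group: service runs with the root group" ;;
    esac
    [ -n "$bounding" ] || echo "WARN CapabilityBoundingSet: not set, bounding set is unrestricted"
    [ -z "$legacy" ] || echo "WARN Capabilities: ignored by systemd 230+, use AmbientCapabilities="
    return 0
}

# page_unit: constructed sample input (NAME=boundary, TYPE=controller).
page_unit() {
    cat << 'EOF'
[Unit]
Description=boundary controller
[Service]
ExecStart=/usr/local/bin/boundary server -config /etc/boundary-controller.hcl
User=boundary
Group=boundary
LimitMEMLOCK=infinity
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
[Install]
WantedBy=multi-user.target
EOF
}

unit=$(mktemp)
page_unit > "$unit"
audit_unit "$unit"
rm -f "$unit"
```

To audit an installed unit, call audit_unit with its path, for example /etc/systemd/system/boundary-controller.service.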

Systemd All-in-One Installation Script

Here’s a simple install script that creates the boundary group and user, installs the systemd unit file, and enables it at startup:

    #!/bin/bash
    # Installs Boundary as a service for systemd on Linux
    # Usage: ./install.sh <worker|controller>

    TYPE=$1
    NAME=boundary

    # TYPE is used to build paths that are written as root, so accept only the
    # documented values (extend this list if you run combined nodes)
    case "${TYPE}" in
      worker|controller) ;;
      *) echo "Usage: $0 <worker|controller>" >&2; exit 1 ;;
    esac

    # Write the unit through "sudo tee": with "sudo cat << EOF > file" the calling
    # shell performs the redirection, without root privileges
    sudo tee "/etc/systemd/system/${NAME}-${TYPE}.service" > /dev/null << EOF
    [Unit]
    Description=${NAME} ${TYPE}

    [Service]
    ExecStart=/usr/local/bin/${NAME} server -config /etc/${NAME}-${TYPE}.hcl
    User=boundary
    Group=boundary
    LimitMEMLOCK=infinity
    Capabilities=CAP_IPC_LOCK+ep
    CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK

    [Install]
    WantedBy=multi-user.target
    EOF

    # Add the boundary system user and group to ensure we have a no-login
    # user capable of owning and running Boundary
    sudo adduser --system --group boundary || true
    sudo chown boundary:boundary "/etc/${NAME}-${TYPE}.hcl"
    sudo chown boundary:boundary /usr/local/bin/boundary

    # Make sure to initialize the DB before starting the service. This will result in
    # a database already initialized warning if another controller or worker has done this
    # already, making it a lazy, best effort initialization
    if [ "${TYPE}" = "controller" ]; then
      sudo /usr/local/bin/boundary database init -config "/etc/${NAME}-${TYPE}.hcl" || true
    fi

    sudo chmod 664 "/etc/systemd/system/${NAME}-${TYPE}.service"
    sudo systemctl daemon-reload
    sudo systemctl enable "${NAME}-${TYPE}"
    sudo systemctl start "${NAME}-${TYPE}"