Fix read-only filesystem error during systemd handover (#219)

* Fix read-only filesystem error during systemd handover

- Improved checkSocketDirWritable to specifically test Unix socket binding.
- Added RuntimeDirectoryPreserve=yes to systemd service template.
- Updated README with systemd configuration requirements.
- Added unit tests for the improved writability check.

This resolves the issue where systemd would remount /var/run/duckgres as
read-only when the old process exited during a graceful handover.

* Remove scripts/duckgres.service and update README

* Fix lint issue in validation_test.go

Author: fuziontech

README.md

@@ -569,6 +569,8 @@ PGPASSWORD=postgres psql "host=localhost port=5432 user=postgres sslmode=require
 ./duckgres-v2 --mode control-plane --port 5432 --handover-socket /var/run/duckgres/handover.sock
 ```
 
+When running under **systemd** with `RuntimeDirectory`, ensure `RuntimeDirectoryPreserve=yes` is set in your unit file. This prevents systemd from cleaning up or remounting the socket directory as read-only when the old process exits during a handover.
+
 **Rolling worker updates** via signal:
 
 ```bash

controlplane/handover.go

@@ -327,17 +327,29 @@ func recvFD(uc *net.UnixConn) (*os.File, error) {
 }
 
 // checkSocketDirWritable verifies that the socket directory is writable by
-// creating and removing a temporary file. This catches cases where
-// ProtectSystem=strict's ReadWritePaths bind mount has been lost (e.g., after
-// a handover race with systemd's RuntimeDirectory cleanup).
+// creating and removing both a temporary file and a Unix socket. This catches
+// cases where ProtectSystem=strict's ReadWritePaths bind mount has been lost
+// or remounted RO (e.g., after a handover race with systemd's RuntimeDirectory cleanup).
 func checkSocketDirWritable(dir string) error {
+	// Test regular file creation
 	f, err := os.CreateTemp(dir, ".writable-check-*")
 	if err != nil {
 		return fmt.Errorf("cannot write to socket directory %s: %w", dir, err)
 	}
 	name := f.Name()
 	_ = f.Close()
 	_ = os.Remove(name)
+
+	// Test Unix socket binding specifically (catches different EROFS/EPERM cases)
+	socketPath := fmt.Sprintf("%s/.socket-check-%d.sock", dir, os.Getpid())
+	_ = os.Remove(socketPath)
+	l, err := net.Listen("unix", socketPath)
+	if err != nil {
+		return fmt.Errorf("cannot bind unix socket in %s: %w", dir, err)
+	}
+	_ = l.Close()
+	_ = os.Remove(socketPath)
+
 	return nil
 }
 

controlplane/validation_test.go

@@ -1,6 +1,10 @@
 package controlplane
 
-import "testing"
+import (
+	"os"
+	"strings"
+	"testing"
+)
 
 func TestValidateTLSFiles(t *testing.T) {
 	if err := validateTLSFiles("cert.pem", "key.pem"); err != nil {
@@ -92,3 +96,40 @@ func TestValidateControlPlaneSecurity(t *testing.T) {
 		t.Fatalf("expected error for missing users")
 	}
 }
+
+func TestCheckSocketDirWritable(t *testing.T) {
+	// Happy path: writable directory
+	tmpDir := t.TempDir()
+	// Unix socket paths have a max length (~104 bytes on macOS). t.TempDir()
+	// paths can be very long, so use a short filename for the check.
+	if err := checkSocketDirWritable(tmpDir); err != nil {
+		// If t.TempDir is still too long, fallback to /tmp
+		if strings.Contains(err.Error(), "invalid argument") || strings.Contains(err.Error(), "too long") {
+			shortDir, err2 := os.MkdirTemp("/tmp", "dg-test-*")
+			if err2 == nil {
+				defer func() { _ = os.RemoveAll(shortDir) }()
+				if err3 := checkSocketDirWritable(shortDir); err3 != nil {
+					t.Fatalf("expected short directory %s to be writable: %v", shortDir, err3)
+				}
+				return
+			}
+		}
+		t.Fatalf("expected directory %s to be writable: %v", tmpDir, err)
+	}
+
+	// Failure path: non-existent directory
+	if err := checkSocketDirWritable("/non/existent/path/for/duckgres/test"); err == nil {
+		t.Fatalf("expected error for non-existent directory")
+	}
+
+	// Failure path: read-only directory (if we can create one)
+	roDir := t.TempDir()
+	if err := os.Chmod(roDir, 0555); err != nil {
+		t.Fatalf("failed to chmod directory to read-only: %v", err)
+	}
+	defer func() { _ = os.Chmod(roDir, 0755) }() // Restore for cleanup
+
+	if err := checkSocketDirWritable(roDir); err == nil {
+		t.Fatalf("expected error for read-only directory")
+	}
+}