Harden systemd unit file
Use simple invocation type instead of forking daemon.
Add alternative unit file for /usr/local installs.
Add /opt/ systemd unit variant.
Fix comments.
Add 3GB memory limit to systemd unit.
Restore newlines at end of systemd unit files.
Remove "via official sources" comment from the opt systemd unit file.
Use term "variant" instead of "variation" since the former is more specific and correct for this context.
Correct dogecoin package directory from "dogecoind" to "dogecoin".
Use tarball bin path.

Co-authored-by: Patrick Lodder <patricklodder@users.noreply.github.com>
parent
88e79c9cc5
commit
8632c83881
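--- a/contrib/init/dogecoind.local.service
+++ b/contrib/init/dogecoind.local.service
@@ -0,0 +1,73 @@
+# This variant of the unit file is for local installations that are installed with `make install`.
+#
+# The relevant paths are:
+#
+#/usr/local/bin/dogecoind
+#/usr/local/etc/dogecoin/
+#/var/local/dogecoin/
+
+[Unit]
+Description=Dogecoin's distributed currency daemon
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/dogecoind -conf=/usr/local/etc/dogecoin/dogecoin.conf -datadir=/var/local/dogecoin
+
+KillSignal=SIGINT
+Restart=always
+RestartSec=5
+TimeoutStopSec=60
+TimeoutStartSec=5
+StartLimitIntervalSec=120
+StartLimitBurst=5
+
+User=dogecoin
+Group=dogecoin
+
+### Restrict resource consumption
+MemoryAccounting=yes
+MemoryLimit=3g
+
+### Restrict access to host file system.
+#
+# Hide the entire root file system by default, and *only* mount in exactly what is needed.
+#
+
+TemporaryFileSystem=/:ro
+
+# Add core dependencies
+BindReadOnlyPaths=/etc/ /lib/ /lib64/
+
+# Add daemon paths
+BindReadOnlyPaths=/usr/local/bin/dogecoind /usr/local/etc/dogecoin/
+BindPaths=/var/local/dogecoin/
+
+### Restrict access to system.
+
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+DevicePolicy=closed
+ProtectHome=true
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectClock=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+
+# ProtectSystem=strict would normally be used, however it nullifies TemporaryFileSystem,
+# since it remounts root as read only over the top.
+# In this case, do not enable ProtectSystem.
+#ProtectSystem=strict
+
+[Install]
+WantedBy=multi-user.target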
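Review bot: `StartLimitIntervalSec=120` and `StartLimitBurst=5` are placed in `[Service]`, but since systemd 230 these are `[Unit]` options; in `[Service]` only the legacy spelling `StartLimitInterval=` is still accepted as a compatibility alias, so `StartLimitIntervalSec=` is likely logged as an unknown key and ignored, leaving the burst limit running against the default interval instead of 120 s. Move both lines into `[Unit]` directly after `After=network.target`, keeping them as `StartLimitIntervalSec=120` and `StartLimitBurst=5`. The same placement appears in dogecoind.opt.service and in the rewritten packaged dogecoind.service in this commit. Separately, `MemoryLimit=` is the deprecated cgroup-v1 name and `MemoryMax=3G` is the current key (systemd still honours the old one but logs a deprecation warning), and `MemoryAccounting=yes` is the only `yes` in a file that otherwise uses `true`.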
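--- a/contrib/init/dogecoind.opt.service
+++ b/contrib/init/dogecoind.opt.service
@@ -0,0 +1,74 @@
+# This variant of the unit file is for "opt" add-on installations that do not form part of the default installation.
+# (i.e. out of band installations by the user, not installed by a system package manager like "apt")
+#
+# The relevant paths are:
+#
+#/opt/dogecoin/dogecoind
+#/etc/opt/dogecoin/
+#/var/opt/dogecoin/
+
+[Unit]
+Description=Dogecoin's distributed currency daemon
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/dogecoin/bin/dogecoind -conf=/etc/opt/dogecoin/dogecoin.conf -datadir=/var/opt/dogecoin
+
+KillSignal=SIGINT
+Restart=always
+RestartSec=5
+TimeoutStopSec=60
+TimeoutStartSec=5
+StartLimitIntervalSec=120
+StartLimitBurst=5
+
+User=dogecoin
+Group=dogecoin
+
+### Restrict resource consumption
+MemoryAccounting=yes
+MemoryLimit=3g
+
+### Restrict access to host file system.
+#
+# Hide the entire root file system by default, and *only* mount in exactly what is needed.
+#
+
+TemporaryFileSystem=/:ro
+
+# Add core dependencies
+BindReadOnlyPaths=/etc/ /lib/ /lib64/
+
+# Add daemon paths
+BindReadOnlyPaths=/opt/dogecoin/ /etc/opt/dogecoin/
+BindPaths=/var/opt/dogecoin/
+
+### Restrict access to system.
+
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+DevicePolicy=closed
+ProtectHome=true
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectClock=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+
+# ProtectSystem=strict would normally be used, however it nullifies TemporaryFileSystem,
+# since it remounts root as read only over the top.
+# In this case, do not enable ProtectSystem.
+#ProtectSystem=strict
+
+[Install]
+WantedBy=multi-user.target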
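Review bot: The header comment lists the binary as `#/opt/dogecoin/dogecoind`, but `ExecStart=` in the same file runs `/opt/dogecoin/bin/dogecoind` (the "Use tarball bin path" change), so the documented path no longer matches the invoked one; change the comment to `#/opt/dogecoin/bin/dogecoind`. `TimeoutStopSec=60` also looks short for a node that flushes its chainstate on `SIGINT`: once the timeout expires systemd sends `SIGKILL`, and for a bitcoind-derived daemon that can mean a corrupted database and a full reindex on next start, so a longer value such as `TimeoutStopSec=600` is safer (this applies to all three unit files in the commit). Finally, the unit restricts namespaces, devices and address families but leaves the syscall surface open; adding `SystemCallArchitectures=native` and `SystemCallFilter=@system-service` under "Restrict access to system" would complete the hardening set, assuming the daemon has been tested under that allow-list.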
|
@ -1,22 +1,73 @@
|
||||||
|
# This variant of the unit file is for package installations.
|
||||||
|
#
|
||||||
|
# The relevant paths are:
|
||||||
|
#
|
||||||
|
#/usr/bin/dogecoind
|
||||||
|
#/etc/dogecoin/
|
||||||
|
#/var/lib/dogecoin/
|
||||||
|
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=Dogecoin's distributed currency daemon
|
Description=Dogecoin's distributed currency daemon
|
||||||
After=network.target
|
After=network.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
|
Type=simple
|
||||||
|
ExecStart=/usr/bin/dogecoind -conf=/etc/dogecoin/dogecoin.conf -datadir=/var/lib/dogecoin
|
||||||
|
|
||||||
|
KillSignal=SIGINT
|
||||||
|
Restart=always
|
||||||
|
RestartSec=5
|
||||||
|
TimeoutStopSec=60
|
||||||
|
TimeoutStartSec=5
|
||||||
|
StartLimitIntervalSec=120
|
||||||
|
StartLimitBurst=5
|
||||||
|
|
||||||
User=dogecoin
|
User=dogecoin
|
||||||
Group=dogecoin
|
Group=dogecoin
|
||||||
|
|
||||||
Type=forking
|
### Restrict resource consumption
|
||||||
PIDFile=/var/lib/dogecoind/dogecoind.pid
|
MemoryAccounting=yes
|
||||||
ExecStart=/usr/bin/dogecoind -daemon -pid=/var/lib/dogecoind/dogecoind.pid \
|
MemoryLimit=3g
|
||||||
-conf=/etc/dogecoin/dogecoin.conf -datadir=/var/lib/dogecoind -disablewallet
|
|
||||||
|
|
||||||
Restart=always
|
### Restrict access to host file system.
|
||||||
|
#
|
||||||
|
# Hide the entire root file system by default, and *only* mount in exactly what is needed.
|
||||||
|
#
|
||||||
|
|
||||||
|
TemporaryFileSystem=/:ro
|
||||||
|
|
||||||
|
# Add core dependencies
|
||||||
|
BindReadOnlyPaths=/etc/ /lib/ /lib64/
|
||||||
|
|
||||||
|
# Add daemon paths
|
||||||
|
BindReadOnlyPaths=/usr/bin/dogecoind /etc/dogecoin/
|
||||||
|
BindPaths=/var/lib/dogecoin
|
||||||
|
|
||||||
|
### Restrict access to system.
|
||||||
|
|
||||||
|
NoNewPrivileges=true
|
||||||
PrivateTmp=true
|
PrivateTmp=true
|
||||||
TimeoutStopSec=60s
|
PrivateDevices=true
|
||||||
TimeoutStartSec=2s
|
PrivateUsers=true
|
||||||
StartLimitInterval=120s
|
DevicePolicy=closed
|
||||||
StartLimitBurst=5
|
ProtectHome=true
|
||||||
|
ProtectHostname=true
|
||||||
|
ProtectControlGroups=true
|
||||||
|
ProtectClock=true
|
||||||
|
ProtectKernelModules=true
|
||||||
|
ProtectKernelTunables=true
|
||||||
|
ProtectKernelLogs=true
|
||||||
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||||
|
RestrictNamespaces=true
|
||||||
|
RestrictRealtime=true
|
||||||
|
RestrictSUIDSGID=true
|
||||||
|
MemoryDenyWriteExecute=true
|
||||||
|
LockPersonality=true
|
||||||
|
|
||||||
|
# ProtectSystem=strict would normally be used, however it nullifies TemporaryFileSystem,
|
||||||
|
# since it remounts root as read only over the top.
|
||||||
|
# In this case, do not enable ProtectSystem.
|
||||||
|
#ProtectSystem=strict
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|
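Review bot: The rewritten `ExecStart=` drops the `-disablewallet` flag that the previous `Type=forking` invocation passed, so the packaged service now starts with the wallet subsystem enabled; for a system daemon that ran wallet-less before, that presumably exposes wallet RPC methods to whoever can reach the RPC port and, if the daemon creates a default wallet, places key material under `/var/lib/dogecoin`. The commit message does not mention this, so it reads as accidental; if so, restore it as `ExecStart=/usr/bin/dogecoind -conf=/etc/dogecoin/dogecoin.conf -datadir=/var/lib/dogecoin -disablewallet`, or document the intent in a comment above the line. Also `BindPaths=/var/lib/dogecoin` lacks the trailing slash used by the other two variants (`BindPaths=/var/local/dogecoin/`, `BindPaths=/var/opt/dogecoin/`); harmless to systemd, but worth aligning.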