Merge pull request #2551 from crozone/1.14.5-dev
Hardened systemd unit file
commit
b2a55984f8
|
@ -0,0 +1,73 @@
|
|||
# This variant of the unit file is for local installations that are installed with `make install`.
|
||||
#
|
||||
# The relevant paths are:
|
||||
#
|
||||
#/usr/local/bin/dogecoind
|
||||
#/usr/local/etc/dogecoin/
|
||||
#/var/local/dogecoin/
|
||||
|
||||
[Unit]
|
||||
Description=Dogecoin's distributed currency daemon
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStart=/usr/local/bin/dogecoind -conf=/usr/local/etc/dogecoin/dogecoin.conf -datadir=/var/local/dogecoin
|
||||
|
||||
KillSignal=SIGINT
|
||||
Restart=always
|
||||
RestartSec=5
|
||||
TimeoutStopSec=60
|
||||
TimeoutStartSec=5
|
||||
StartLimitIntervalSec=120
|
||||
StartLimitBurst=5
|
||||
|
||||
User=dogecoin
|
||||
Group=dogecoin
|
||||
|
||||
### Restrict resource consumption
|
||||
MemoryAccounting=yes
|
||||
MemoryLimit=3g
|
||||
|
||||
### Restrict access to host file system.
|
||||
#
|
||||
# Hide the entire root file system by default, and *only* mount in exactly what is needed.
|
||||
#
|
||||
|
||||
TemporaryFileSystem=/:ro
|
||||
|
||||
# Add core dependencies
|
||||
BindReadOnlyPaths=/etc/ /lib/ /lib64/
|
||||
|
||||
# Add daemon paths
|
||||
BindReadOnlyPaths=/usr/local/bin/dogecoind /usr/local/etc/dogecoin/
|
||||
BindPaths=/var/local/dogecoin/
|
||||
|
||||
### Restrict access to system.
|
||||
|
||||
NoNewPrivileges=true
|
||||
PrivateTmp=true
|
||||
PrivateDevices=true
|
||||
PrivateUsers=true
|
||||
DevicePolicy=closed
|
||||
ProtectHome=true
|
||||
ProtectHostname=true
|
||||
ProtectControlGroups=true
|
||||
ProtectClock=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelLogs=true
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
MemoryDenyWriteExecute=true
|
||||
LockPersonality=true
|
||||
|
||||
# ProtectSystem=strict would normally be used, however it nullifies TemporaryFileSystem,
|
||||
# since it remounts root as read only over the top.
|
||||
# In this case, do not enable ProtectSystem.
|
||||
#ProtectSystem=strict
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
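Review bot: `StartLimitIntervalSec=120` and `StartLimitBurst=5` sit under `[Service]`, but systemd documents both as `[Unit]` settings; to my knowledge only the legacy spelling `StartLimitInterval=` is still accepted in `[Service]`, so the interval line is likely logged as an unknown key and ignored. With `Restart=always` and `RestartSec=5` that would leave the default start limit in place, which a 5-second restart delay may never trip, so a crashing daemon would be restarted indefinitely. Moving both lines directly under `After=network.target` in `[Unit]` fixes this, and running `systemd-analyze verify` on the unit will confirm that no key is being dropped. The same placement appears in the opt-install and package unit files in this commit.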
|
|
@ -0,0 +1,74 @@
|
|||
# This variant of the unit file is for "opt" add-on installations that do not form part of the default installation.
|
||||
# (i.e. out of band installations by the user, not installed by a system package manager like "apt")
|
||||
#
|
||||
# The relevant paths are:
|
||||
#
|
||||
#/opt/dogecoin/dogecoind
|
||||
#/etc/opt/dogecoin/
|
||||
#/var/opt/dogecoin/
|
||||
|
||||
[Unit]
|
||||
Description=Dogecoin's distributed currency daemon
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStart=/opt/dogecoin/bin/dogecoind -conf=/etc/opt/dogecoin/dogecoin.conf -datadir=/var/opt/dogecoin
|
||||
|
||||
KillSignal=SIGINT
|
||||
Restart=always
|
||||
RestartSec=5
|
||||
TimeoutStopSec=60
|
||||
TimeoutStartSec=5
|
||||
StartLimitIntervalSec=120
|
||||
StartLimitBurst=5
|
||||
|
||||
User=dogecoin
|
||||
Group=dogecoin
|
||||
|
||||
### Restrict resource consumption
|
||||
MemoryAccounting=yes
|
||||
MemoryLimit=3g
|
||||
|
||||
### Restrict access to host file system.
|
||||
#
|
||||
# Hide the entire root file system by default, and *only* mount in exactly what is needed.
|
||||
#
|
||||
|
||||
TemporaryFileSystem=/:ro
|
||||
|
||||
# Add core dependencies
|
||||
BindReadOnlyPaths=/etc/ /lib/ /lib64/
|
||||
|
||||
# Add daemon paths
|
||||
BindReadOnlyPaths=/opt/dogecoin/ /etc/opt/dogecoin/
|
||||
BindPaths=/var/opt/dogecoin/
|
||||
|
||||
### Restrict access to system.
|
||||
|
||||
NoNewPrivileges=true
|
||||
PrivateTmp=true
|
||||
PrivateDevices=true
|
||||
PrivateUsers=true
|
||||
DevicePolicy=closed
|
||||
ProtectHome=true
|
||||
ProtectHostname=true
|
||||
ProtectControlGroups=true
|
||||
ProtectClock=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelLogs=true
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
MemoryDenyWriteExecute=true
|
||||
LockPersonality=true
|
||||
|
||||
# ProtectSystem=strict would normally be used, however it nullifies TemporaryFileSystem,
|
||||
# since it remounts root as read only over the top.
|
||||
# In this case, do not enable ProtectSystem.
|
||||
#ProtectSystem=strict
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
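Review bot: The header comment lists the binary as `#/opt/dogecoin/dogecoind`, while `ExecStart=` runs `/opt/dogecoin/bin/dogecoind`; the comment should read `#/opt/dogecoin/bin/dogecoind` so an administrator laying out the directories by hand puts the binary where the unit expects it. Note also that `BindReadOnlyPaths=/opt/dogecoin/ /etc/opt/dogecoin/` binds the whole install prefix, whereas the local-install variant binds only the `dogecoind` binary. A one-line comment saying why the whole prefix is needed here (bundled libraries, if that is the reason) would show the difference is deliberate.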
|
|
@ -1,22 +1,73 @@
|
|||
# This variant of the unit file is for package installations.
|
||||
#
|
||||
# The relevant paths are:
|
||||
#
|
||||
#/usr/bin/dogecoind
|
||||
#/etc/dogecoin/
|
||||
#/var/lib/dogecoin/
|
||||
|
||||
[Unit]
|
||||
Description=Dogecoin's distributed currency daemon
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStart=/usr/bin/dogecoind -conf=/etc/dogecoin/dogecoin.conf -datadir=/var/lib/dogecoin
|
||||
|
||||
KillSignal=SIGINT
|
||||
Restart=always
|
||||
RestartSec=5
|
||||
TimeoutStopSec=60
|
||||
TimeoutStartSec=5
|
||||
StartLimitIntervalSec=120
|
||||
StartLimitBurst=5
|
||||
|
||||
User=dogecoin
|
||||
Group=dogecoin
|
||||
|
||||
Type=forking
|
||||
PIDFile=/var/lib/dogecoind/dogecoind.pid
|
||||
ExecStart=/usr/bin/dogecoind -daemon -pid=/var/lib/dogecoind/dogecoind.pid \
|
||||
-conf=/etc/dogecoin/dogecoin.conf -datadir=/var/lib/dogecoind -disablewallet
|
||||
### Restrict resource consumption
|
||||
MemoryAccounting=yes
|
||||
MemoryLimit=3g
|
||||
|
||||
Restart=always
|
||||
### Restrict access to host file system.
|
||||
#
|
||||
# Hide the entire root file system by default, and *only* mount in exactly what is needed.
|
||||
#
|
||||
|
||||
TemporaryFileSystem=/:ro
|
||||
|
||||
# Add core dependencies
|
||||
BindReadOnlyPaths=/etc/ /lib/ /lib64/
|
||||
|
||||
# Add daemon paths
|
||||
BindReadOnlyPaths=/usr/bin/dogecoind /etc/dogecoin/
|
||||
BindPaths=/var/lib/dogecoin
|
||||
|
||||
### Restrict access to system.
|
||||
|
||||
NoNewPrivileges=true
|
||||
PrivateTmp=true
|
||||
TimeoutStopSec=60s
|
||||
TimeoutStartSec=2s
|
||||
StartLimitInterval=120s
|
||||
StartLimitBurst=5
|
||||
PrivateDevices=true
|
||||
PrivateUsers=true
|
||||
DevicePolicy=closed
|
||||
ProtectHome=true
|
||||
ProtectHostname=true
|
||||
ProtectControlGroups=true
|
||||
ProtectClock=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelLogs=true
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
MemoryDenyWriteExecute=true
|
||||
LockPersonality=true
|
||||
|
||||
# ProtectSystem=strict would normally be used, however it nullifies TemporaryFileSystem,
|
||||
# since it remounts root as read only over the top.
|
||||
# In this case, do not enable ProtectSystem.
|
||||
#ProtectSystem=strict
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
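Review bot: `BindReadOnlyPaths=/etc/ /lib/ /lib64/` exposes the host's entire `/etc` to the daemon, which is at odds with the comment above it about mounting in only exactly what is needed, and it makes the `/etc/dogecoin/` entry on the following `BindReadOnlyPaths=` line redundant. If the daemon only needs resolver, NSS and TLS configuration, list those paths instead; which ones are actually required has to be confirmed by testing, as I have not verified the set. Separately, a host without `/lib64` will fail namespace setup on this line, and systemd allows an optional source to be written as `-/lib64/`. The old and new sides of this file section are interleaved on the page, so this assumes the line is on the new side, as it is in the two new unit files, which carry the same line.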
|
||||
|
|