Merge pull request #2551 from crozone/1.14.5-dev
Hardened systemd unit file
commit
b2a55984f8
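--- a/contrib/init/dogecoind.local.service
+++ b/contrib/init/dogecoind.local.service
@@ -0,0 +1,73 @@
+# This variant of the unit file is for local installations that are installed with `make install`.
+#
+# The relevant paths are:
+#
+#/usr/local/bin/dogecoind
+#/usr/local/etc/dogecoin/
+#/var/local/dogecoin/
+
+[Unit]
+Description=Dogecoin's distributed currency daemon
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/dogecoind -conf=/usr/local/etc/dogecoin/dogecoin.conf -datadir=/var/local/dogecoin
+
+KillSignal=SIGINT
+Restart=always
+RestartSec=5
+TimeoutStopSec=60
+TimeoutStartSec=5
+StartLimitIntervalSec=120
+StartLimitBurst=5
+
+User=dogecoin
+Group=dogecoin
+
+### Restrict resource consumption
+MemoryAccounting=yes
+MemoryLimit=3g
+
+### Restrict access to host file system.
+#
+# Hide the entire root file system by default, and *only* mount in exactly what is needed.
+#
+
+TemporaryFileSystem=/:ro
+
+# Add core dependencies
+BindReadOnlyPaths=/etc/ /lib/ /lib64/
+
+# Add daemon paths
+BindReadOnlyPaths=/usr/local/bin/dogecoind /usr/local/etc/dogecoin/
+BindPaths=/var/local/dogecoin/
+
+### Restrict access to system.
+
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+DevicePolicy=closed
+ProtectHome=true
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectClock=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+
+# ProtectSystem=strict would normally be used, however it nullifies TemporaryFileSystem,
+# since it remounts root as read only over the top.
+# In this case, do not enable ProtectSystem.
+#ProtectSystem=strict
+
+[Install]
+WantedBy=multi-user.target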
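Review bot: `BindReadOnlyPaths=/etc/ /lib/ /lib64/` maps the whole host `/etc` into the sandbox, which contradicts the comment above it that only exactly what is needed is mounted; the same line appears in dogecoind.opt.service and in the package unit. Every world-readable file under `/etc` stays visible to the daemon, so a narrower list would match the stated intent, presumably something like `BindReadOnlyPaths=/etc/resolv.conf /etc/hosts /etc/nsswitch.conf /etc/passwd /etc/group /etc/ssl/`, to be confirmed against what dogecoind actually opens. The unit also sets no `SystemCallFilter=`, `SystemCallArchitectures=` or `CapabilityBoundingSet=`; running `systemd-analyze security` on the installed unit would show what remains exposed.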
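--- a/contrib/init/dogecoind.opt.service
+++ b/contrib/init/dogecoind.opt.service
@@ -0,0 +1,74 @@
+# This variant of the unit file is for "opt" add-on installations that do not form part of the default installation.
+# (i.e. out of band installations by the user, not installed by a system package manager like "apt")
+#
+# The relevant paths are:
+#
+#/opt/dogecoin/dogecoind
+#/etc/opt/dogecoin/
+#/var/opt/dogecoin/
+
+[Unit]
+Description=Dogecoin's distributed currency daemon
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/dogecoin/bin/dogecoind -conf=/etc/opt/dogecoin/dogecoin.conf -datadir=/var/opt/dogecoin
+
+KillSignal=SIGINT
+Restart=always
+RestartSec=5
+TimeoutStopSec=60
+TimeoutStartSec=5
+StartLimitIntervalSec=120
+StartLimitBurst=5
+
+User=dogecoin
+Group=dogecoin
+
+### Restrict resource consumption
+MemoryAccounting=yes
+MemoryLimit=3g
+
+### Restrict access to host file system.
+#
+# Hide the entire root file system by default, and *only* mount in exactly what is needed.
+#
+
+TemporaryFileSystem=/:ro
+
+# Add core dependencies
+BindReadOnlyPaths=/etc/ /lib/ /lib64/
+
+# Add daemon paths
+BindReadOnlyPaths=/opt/dogecoin/ /etc/opt/dogecoin/
+BindPaths=/var/opt/dogecoin/
+
+### Restrict access to system.
+
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+DevicePolicy=closed
+ProtectHome=true
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectClock=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+
+# ProtectSystem=strict would normally be used, however it nullifies TemporaryFileSystem,
+# since it remounts root as read only over the top.
+# In this case, do not enable ProtectSystem.
+#ProtectSystem=strict
+
+[Install]
+WantedBy=multi-user.target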
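Review bot: `StartLimitIntervalSec=120` and `StartLimitBurst=5` sit under `[Service]`, but systemd documents both as `[Unit]` settings; as far as I know only the legacy spelling `StartLimitInterval=` is still accepted in `[Service]`, so the interval line is likely logged as an unknown key and ignored. With `Restart=always` and `RestartSec=5` the default start limit would then probably never trip, and a crashing daemon would restart indefinitely. Moving both lines under `[Unit]` fixes it; dogecoind.local.service and the package unit have the same placement. Separately, `MemoryLimit=3g` uses the deprecated name and a lowercase suffix where the documentation lists `G`; `MemoryMax=3G` is the current form, and `systemd-analyze verify` will show whether either line is being dropped.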
|
@ -1,22 +1,73 @@
|
||||||
|
# This variant of the unit file is for package installations.
|
||||||
|
#
|
||||||
|
# The relevant paths are:
|
||||||
|
#
|
||||||
|
#/usr/bin/dogecoind
|
||||||
|
#/etc/dogecoin/
|
||||||
|
#/var/lib/dogecoin/
|
||||||
|
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=Dogecoin's distributed currency daemon
|
Description=Dogecoin's distributed currency daemon
|
||||||
After=network.target
|
After=network.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
|
Type=simple
|
||||||
|
ExecStart=/usr/bin/dogecoind -conf=/etc/dogecoin/dogecoin.conf -datadir=/var/lib/dogecoin
|
||||||
|
|
||||||
|
KillSignal=SIGINT
|
||||||
|
Restart=always
|
||||||
|
RestartSec=5
|
||||||
|
TimeoutStopSec=60
|
||||||
|
TimeoutStartSec=5
|
||||||
|
StartLimitIntervalSec=120
|
||||||
|
StartLimitBurst=5
|
||||||
|
|
||||||
User=dogecoin
|
User=dogecoin
|
||||||
Group=dogecoin
|
Group=dogecoin
|
||||||
|
|
||||||
Type=forking
|
### Restrict resource consumption
|
||||||
PIDFile=/var/lib/dogecoind/dogecoind.pid
|
MemoryAccounting=yes
|
||||||
ExecStart=/usr/bin/dogecoind -daemon -pid=/var/lib/dogecoind/dogecoind.pid \
|
MemoryLimit=3g
|
||||||
-conf=/etc/dogecoin/dogecoin.conf -datadir=/var/lib/dogecoind -disablewallet
|
|
||||||
|
|
||||||
Restart=always
|
### Restrict access to host file system.
|
||||||
|
#
|
||||||
|
# Hide the entire root file system by default, and *only* mount in exactly what is needed.
|
||||||
|
#
|
||||||
|
|
||||||
|
TemporaryFileSystem=/:ro
|
||||||
|
|
||||||
|
# Add core dependencies
|
||||||
|
BindReadOnlyPaths=/etc/ /lib/ /lib64/
|
||||||
|
|
||||||
|
# Add daemon paths
|
||||||
|
BindReadOnlyPaths=/usr/bin/dogecoind /etc/dogecoin/
|
||||||
|
BindPaths=/var/lib/dogecoin
|
||||||
|
|
||||||
|
### Restrict access to system.
|
||||||
|
|
||||||
|
NoNewPrivileges=true
|
||||||
PrivateTmp=true
|
PrivateTmp=true
|
||||||
TimeoutStopSec=60s
|
PrivateDevices=true
|
||||||
TimeoutStartSec=2s
|
PrivateUsers=true
|
||||||
StartLimitInterval=120s
|
DevicePolicy=closed
|
||||||
StartLimitBurst=5
|
ProtectHome=true
|
||||||
|
ProtectHostname=true
|
||||||
|
ProtectControlGroups=true
|
||||||
|
ProtectClock=true
|
||||||
|
ProtectKernelModules=true
|
||||||
|
ProtectKernelTunables=true
|
||||||
|
ProtectKernelLogs=true
|
||||||
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||||
|
RestrictNamespaces=true
|
||||||
|
RestrictRealtime=true
|
||||||
|
RestrictSUIDSGID=true
|
||||||
|
MemoryDenyWriteExecute=true
|
||||||
|
LockPersonality=true
|
||||||
|
|
||||||
|
# ProtectSystem=strict would normally be used, however it nullifies TemporaryFileSystem,
|
||||||
|
# since it remounts root as read only over the top.
|
||||||
|
# In this case, do not enable ProtectSystem.
|
||||||
|
#ProtectSystem=strict
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|
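Review bot: The rewritten `ExecStart=` no longer passes `-disablewallet`, which the removed line did, so after this change the packaged service may run with the wallet enabled and keep key material under the data directory unless dogecoin.conf disables it. If that is intended, it deserves a line in the commit description and a `UMask=0077` in `[Service]`; otherwise keep the flag: `ExecStart=/usr/bin/dogecoind -conf=/etc/dogecoin/dogecoin.conf -datadir=/var/lib/dogecoin -disablewallet`. The data directory also moves from `/var/lib/dogecoind` to `/var/lib/dogecoin`, and `BindPaths=/var/lib/dogecoin` without a `-` prefix makes the unit fail to start where the new directory does not exist, so existing installations need a migration step.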