dist: systemd service definition template

fixes #117 refs #145
2024-11-21 16:03:32 +01:00 · 2019-03-16 16:02:21 +01:00 · 2019-03-16 16:02:21 +01:00 · b0898ec8bc
commit b0898ec8bc
parent 71d331af16
3 changed files with 49 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -26,6 +26,7 @@ Check out the *Coding Workflow* section below for details.
 * Make sure your distro is compatible with the paths in `docs/installation.rst`.
 * Ship a default config that adheres to your distro's `hier` and logging system.
 * Ship a service manager file and _please_ try to upstream it to this repository.
+  * `dist/systemd` contains a Systemd unit template
 * Use `make release ZREPL_VERSION='mydistro-1.2.3_1'`
    * Your distro's name and any versioning supplemental to zrepl's (e.g. package revision) should be in this string
 * Make sure you are informed about new zrepl versions, e.g. by subscribing to GitHub's release RSS feed.
--- a/dist/systemd/zrepl.service
+++ b/dist/systemd/zrepl.service
@ -0,0 +1,41 @@
+[Unit]
+Description=zrepl daemon
+Documentation=https://zrepl.github.io
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/zrepl --config /etc/zrepl/zrepl.yml daemon
+RuntimeDirectory=zrepl
+RuntimeDirectoryMode=0700
+
+ProtectSystem=strict
+#PrivateDevices=yes # TODO ZFS needs access to /dev/zfs, could we limit this?
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+PrivateTmp=yes
+#PrivateUsers=yes # TODO Does not work, why?
+ProtectKernelModules=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=yes
+SystemCallArchitectures=native
+
+# BEGIN ProtectHome
+ProtectHome=read-only   # DEBIAN STRETCH
+# ProtectHome=tmpfs     # FEDORA 28 / 29
+# END ProtectHome
+
+# BEGIN SystemCallFilter
+## BEGIN DEBIAN STRETCH
+SystemCallFilter=~ @mount @cpu-emulation @keyring @module @obsolete @privileged @raw-io @debug @clock @resources
+## END DEBIAN STRETCH
+## BEGIN FEDORA 28/29 
+## Syscall blacklist (should be fairly stable)
+#SystemCallFilter=~ @mount @aio @cpu-emulation @keyring @memlock @module @obsolete @privileged @raw-io @reboot @setuid @swap @sync @timer @debug @clock @chown @resources
+## Syscall whitelist (not sure how stable)
+#SystemCallFilter=@default @file-system @process @basic-io @ipc @network-io @signal @io-event brk mprotect sched_getaffinity ioctl getrandom
+## END END FEDORA 28/29
+# END SystemCallFilter
+
+[Install]
+WantedBy=multi-user.target
--- a/docs/usage.rst
+++ b/docs/usage.rst
@ -64,3 +64,10 @@ Restarting
 The daemon handles SIGINT and SIGTERM for graceful shutdown.
 Graceful shutdown means at worst that a job will not be rescheduled for the next interval.
 The daemon exits as soon as all jobs have reported shut down.
+
+Systemd Unit File
+~~~~~~~~~~~~~~~~~
+
+A systemd service defintion template is available in :repomasterlink:`dist/systemd`.
+Note that some of the options only work on recent versions of systemd.
+Any help & improvements are very welcome, see :issue:`145`.