|
Packit |
4e8bc4 |
# It's not recommended to modify this file in-place, because it will be
|
|
Packit |
4e8bc4 |
# overwritten during upgrades. If you want to customize, the best
|
|
Packit |
4e8bc4 |
# way is to use the "systemctl edit" command to create an override unit.
|
|
Packit |
4e8bc4 |
#
|
|
Packit |
4e8bc4 |
# For example, to pass additional options, create an override unit
|
|
Packit |
4e8bc4 |
# (as is done by systemctl edit) and enter the following:
|
|
Packit |
4e8bc4 |
#
|
|
Packit |
4e8bc4 |
# [Service]
|
|
Packit |
4e8bc4 |
# Environment=OPTIONS="-l 127.0.0.1,::1"
|
|
Packit |
4e8bc4 |
|
|
Packit |
4e8bc4 |
|
|
Packit |
4e8bc4 |
[Unit]
|
|
Packit |
4e8bc4 |
Description=memcached daemon
|
|
Packit |
5a8fa0 |
Before=httpd.service
|
|
Packit |
4e8bc4 |
After=network.target
|
|
Packit |
4e8bc4 |
|
|
Packit |
4e8bc4 |
[Service]
|
|
Packit |
4e8bc4 |
EnvironmentFile=/etc/sysconfig/memcached
|
|
Packit |
4e8bc4 |
ExecStart=/usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS
|
|
Packit |
4e8bc4 |
|
|
Packit |
4e8bc4 |
# Set up a new file system namespace and mounts private /tmp and /var/tmp
|
|
Packit |
4e8bc4 |
# directories so this service cannot access the global directories and
|
|
Packit |
4e8bc4 |
# other processes cannot access this service's directories.
|
|
Packit |
4e8bc4 |
PrivateTmp=true
|
|
Packit |
4e8bc4 |
|
|
Packit |
4e8bc4 |
# Mounts the /usr, /boot, and /etc directories read-only for processes
|
|
Packit |
4e8bc4 |
# invoked by this unit.
|
|
Packit |
4e8bc4 |
ProtectSystem=full
|
|
Packit |
4e8bc4 |
|
|
Packit |
4e8bc4 |
# Ensures that the service process and all its children can never gain new
|
|
Packit |
4e8bc4 |
# privileges
|
|
Packit |
4e8bc4 |
NoNewPrivileges=true
|
|
Packit |
4e8bc4 |
|
|
Packit |
4e8bc4 |
# Sets up a new /dev namespace for the executed processes and only adds API
|
|
Packit |
4e8bc4 |
# pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as
|
|
Packit |
4e8bc4 |
# the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda.
|
|
Packit |
4e8bc4 |
PrivateDevices=true
|
|
Packit |
4e8bc4 |
|
|
Packit |
4e8bc4 |
# Required for dropping privileges and running as a different user
|
|
Packit |
4e8bc4 |
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
|
|
Packit |
4e8bc4 |
|
|
Packit |
4e8bc4 |
# Restricts the set of socket address families accessible to the processes
|
|
Packit |
4e8bc4 |
# of this unit. Protects against vulnerabilities such as CVE-2016-8655
|
|
Packit |
4e8bc4 |
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
|
Packit |
4e8bc4 |
|
|
Packit |
4e8bc4 |
|
|
Packit |
4e8bc4 |
# Some security features are not in the older versions of systemd used by
|
|
Packit |
4e8bc4 |
# e.g. RHEL7/CentOS 7. The below settings are automatically edited at package
|
|
Packit |
4e8bc4 |
# build time to uncomment them if the target platform supports them.
|
|
Packit |
4e8bc4 |
|
|
Packit |
4e8bc4 |
# Attempts to create memory mappings that are writable and executable at
|
|
Packit |
4e8bc4 |
# the same time, or to change existing memory mappings to become executable
|
|
Packit |
4e8bc4 |
# are prohibited.
|
|
Packit |
4e8bc4 |
##safer##MemoryDenyWriteExecute=true
|
|
Packit |
4e8bc4 |
|
|
Packit |
4e8bc4 |
# Explicit module loading will be denied. This allows to turn off module
|
|
Packit |
4e8bc4 |
# load and unload operations on modular kernels. It is recommended to turn
|
|
Packit |
4e8bc4 |
# this on for most services that do not need special file systems or extra
|
|
Packit |
4e8bc4 |
# kernel modules to work.
|
|
Packit |
4e8bc4 |
##safer##ProtectKernelModules=true
|
|
Packit |
4e8bc4 |
|
|
Packit |
4e8bc4 |
# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger,
|
|
Packit |
4e8bc4 |
# /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq
|
|
Packit |
4e8bc4 |
# will be made read-only to all processes of the unit. Usually, tunable
|
|
Packit |
4e8bc4 |
# kernel variables should only be written at boot-time, with the sysctl.d(5)
|
|
Packit |
4e8bc4 |
# mechanism. Almost no services need to write to these at runtime; it is hence
|
|
Packit |
4e8bc4 |
# recommended to turn this on for most services.
|
|
Packit |
4e8bc4 |
##safer##ProtectKernelTunables=true
|
|
Packit |
4e8bc4 |
|
|
Packit |
4e8bc4 |
# The Linux Control Groups (cgroups(7)) hierarchies accessible through
|
|
Packit |
4e8bc4 |
# /sys/fs/cgroup will be made read-only to all processes of the unit.
|
|
Packit |
4e8bc4 |
# Except for container managers no services should require write access
|
|
Packit |
4e8bc4 |
# to the control groups hierarchies; it is hence recommended to turn this
|
|
Packit |
4e8bc4 |
# on for most services
|
|
Packit |
4e8bc4 |
##safer##ProtectControlGroups=true
|
|
Packit |
4e8bc4 |
|
|
Packit |
4e8bc4 |
# Any attempts to enable realtime scheduling in a process of the unit are
|
|
Packit |
4e8bc4 |
# refused.
|
|
Packit |
4e8bc4 |
##safer##RestrictRealtime=true
|
|
Packit |
4e8bc4 |
|
|
Packit |
4e8bc4 |
# Takes away the ability to create or manage any kind of namespace
|
|
Packit |
4e8bc4 |
##safer##RestrictNamespaces=true
|
|
Packit |
4e8bc4 |
|
|
Packit |
4e8bc4 |
[Install]
|
|
Packit |
4e8bc4 |
WantedBy=multi-user.target
|