File berghain.service of Package berghain

# This unit file is part of the berghain package
# Georg Pfuetzenreuter <mail+rpm@georg-pfuetzenreuter.net>

[Unit]
Description=Berghain Stream Processing Offload Agent HAProxy

# %N expands to the unit name without its type suffix ("berghain" for
# berghain.service). If the binary is missing or not executable, the start is
# skipped instead of being recorded as a failure.
ConditionFileIsExecutable=/usr/bin/%N

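[Service]
# Run as a dedicated unprivileged account. %N is the unit name without the
# ".service" suffix, so user and group must carry the same name as the unit.
User=%N
Group=%N

# to have the socket created with group-writable permissions
# needed for the POSIX ACL to let the "haproxy" user read+write
# (007 also strips every permission for "other")
UMask=007

ExecStart=/usr/bin/%N -config /etc/%N.yaml

# executing the application manually, it correctly cleans up after itself
# why is it not doing so under systemd?
# Until that is understood, remove the stale socket after every stop.
# -f keeps this step from failing when the socket is already gone, for
# example when the service exited before creating it.
# The command runs under the same sandbox and system call filter as the main
# process. The path is hard-coded, unlike the %N-based paths above.
ExecStopPost=rm -f /run/berghain/spop.sock

# Sandboxing: the directives below are kept in alphabetical order.
# Own session keyring, not linked to the user keyring.
KeyringMode=private
LockPersonality=yes
# No memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=yes
MountFlags=private
# Neither the service nor anything it executes can gain privileges, e.g.
# through setuid binaries or file capabilities.
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
# /proc is reduced to the per-process entries, and processes of other users
# are hidden from it (ProcSubset= together with ProtectProc= further down).
ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
# NOTE(review): "strict" mounts the whole file system hierarchy read-only for
# this service, apart from /dev, /proc and /sys. Nothing in this unit
# (RuntimeDirectory= or ReadWritePaths=) makes /run/berghain writable, so
# confirm where that is granted, e.g. in a drop-in.
ProtectSystem=strict
RemoveIPC=yes
# Only IPv4, IPv6 and Unix domain sockets may be created.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
# Allow-list of system call groups; anything not listed is denied.
# ioctl for rm
# NOTE(review): ioctl is allowed without any argument restriction, and
# @process stays in the list because ExecStopPost= has to execute rm.
SystemCallFilter=@basic-io @file-system @io-event @ipc @network-io @process @signal madvise ioctl

Restart=on-failure
RestartSec=10s
# NOTE(review): current systemd documents StartLimitBurst= under [Unit]; its
# placement here relies on the legacy alias. With RestartSec=10s and systemd's
# default 10s start limit interval, three starts can presumably never fall
# into one interval, so this limit looks ineffective unless
# StartLimitIntervalSec= is raised. Confirm the intended behaviour.
StartLimitBurst=3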

[Install]
# "systemctl enable" hooks the unit into multi-user.target, so it is started
# on a normal multi-user boot.
WantedBy=multi-user.target