summaryrefslogtreecommitdiffstats
path: root/units/systemd-journal-remote.service.in (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Drop split-usr and unmerged-usr supportLuca Boccassi2023-07-281-1/+1
| | | | | | | | | | As previously announced, execute order 66: https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html The meson options split-usr, rootlibdir and rootprefix become no-ops that print a warning if they are set to anything other than the default values. We can remove them in a future release.
* meson: use jinja2 for unit templatesZbigniew Jędrzejewski-Szmek2021-05-191-3/+3
| | | | | | | | | We don't need two (and half) templating systems anymore, yay! I'm keeping the changes minimal, to make the diff manageable. Some enhancements due to a better templating system might be possible in the future. For handling of '## ' — see the next commit.
* license: LGPL-2.1+ -> LGPL-2.1-or-laterYu Watanabe2020-11-091-1/+1
|
* units: turn on ProtectProc= wherever suitableLennart Poettering2020-08-241-1/+2
|
* units: add ProtectClock=yesTopi Miettinen2020-04-071-0/+1
| | | | | | Add `ProtectClock=yes` to systemd units. Since it implies certain `DeviceAllow=` rules, make sure that the units have `DeviceAllow=` rules so they are still able to access other devices. Exclude timesyncd and timedated.
* units: set ProtectKernelLogs=yes on relevant unitsKevin Kuehler2019-11-151-0/+1
| | | | | | We set ProtectKernelLogs=yes on all long running services except for udevd, since it accesses /dev/kmsg, and journald, since it calls syslog and accesses /dev/kmsg.
* meson: allow WatchdogSec= in services to be configuredZbigniew Jędrzejewski-Szmek2019-10-251-1/+1
| | | | | | | | | | | | | | | | As discussed on systemd-devel [1], in Fedora we get lots of abrt reports about the watchdog firing [2], but 100% of them seem to be caused by resource starvation in the machine, and never actual deadlocks in the services being monitored. Killing the services not only does not improve anything, but it makes the resource starvation worse, because the service needs cycles to restart, and coredump processing is also fairly expensive. This adds a configuration option to allow the value to be changed. If the setting is not set, there is no change. My plan is to set it to some ridiculusly high value, maybe 1h, to catch cases where a service is actually hanging. [1] https://lists.freedesktop.org/archives/systemd-devel/2019-October/043618.html [2] https://bugzilla.redhat.com/show_bug.cgi?id=1300212
* units: turn on RestrictSUIDSGID= in most of our long-running daemonsLennart Poettering2019-04-021-0/+1
|
* units: enable ProtectHostname=yesTopi Miettinen2019-02-201-0/+1
|
* units: set NoNewPrivileges= for all long-running servicesLennart Poettering2018-11-121-11/+12
| | | | | | | | | | | | | | | | | Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219
* meson: define @HIGH_RLIMIT_NOFILE@ and use it everywhereZbigniew Jędrzejewski-Szmek2018-10-171-1/+1
|
* units: bump the RLIMIT_NOFILE soft limit for all services that access the ↵Lennart Poettering2018-10-161-0/+4
| | | | | | | | | | | | | | journal This updates the unit files of all our serviecs that deal with journal stuff to use a higher RLIMIT_NOFILE soft limit by default. The new value is the same as used for the new HIGH_RLIMIT_NOFILE we just added. With this we ensure all code that access the journal has higher RLIMIT_NOFILE. The code that runs as daemon via the unit files, the code that is run from the user's command line via C code internal to the relevant tools. In some cases this means we'll redundantly bump the limits as there are tools run both from the command line and as service.
* Add SPDX license headers to unit filesZbigniew Jędrzejewski-Szmek2017-11-191-0/+2
|
* units: set LockPersonality= for all our long-running services (#6819)Lennart Poettering2017-09-141-0/+1
| | | | Let's lock things down. Also, using it is the only way how to properly test this to the fullest extent.
* unit: remove redundant optionsYu Watanabe2017-08-081-1/+0
|
* units: use {State,Logs}Directory= if they are applicableYu Watanabe2017-08-081-1/+1
|
* units: turn on ProtectKernelModules= for most long-running servicesLennart Poettering2017-02-091-0/+1
|
* units: switch on ProtectSystem=strict for our long running servicesLennart Poettering2017-02-091-1/+2
| | | | Let's step up the protection a notch
* units: restrict namespace for a good number of our own servicesLennart Poettering2017-02-091-0/+1
| | | | | | | | Basically, we turn it on for most long-running services, with the exception of machined (whose child processes need to join containers here and there), and importd (which sandboxes tar in a CLONE_NEWNET namespace). machined is left unrestricted, and importd is restricted to use only "net"
* units: set SystemCallArchitectures=native on all our long-running servicesLennart Poettering2017-02-091-0/+1
|
* units: further lock down our long-running servicesLennart Poettering2016-09-251-4/+9
| | | | | | | | | | | | | | | | | | | | | | | | Let's make this an excercise in dogfooding: let's turn on more security features for all our long-running services. Specifically: - Turn on RestrictRealtime=yes for all of them - Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of them - Turn on RestrictAddressFamilies= for all of them, but different sets of address families for each Also, always order settings in the unit files, that the various sandboxing features are close together. Add a couple of missing, older settings for a numbre of unit files. Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively turning of networking from udev rule commands. Since this might break stuff (that is already broken I'd argue) this is documented in NEWS.
* journal-remote: add documents in the unit filesYu Watanabe2015-12-151-0/+1
|
* units: increase watchdog timeout to 3min for all our servicesLennart Poettering2015-09-291-1/+1
| | | | | | | | Apparently, disk IO issues are more frequent than we hope, and 1min waiting for disk IO happens, so let's increase the watchdog timeout a bit, for all our services. See #1353 for an example where this triggers.
* Revert "units: add SecureBits"Lennart Poettering2015-02-111-1/+0
| | | | | | | | This reverts commit 6a716208b346b742053cfd01e76f76fb27c4ea47. Apparently this doesn't work. http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html
* units: add SecureBitsTopi Miettinen2015-02-111-0/+1
| | | | | | No setuid programs are expected to be executed, so add SecureBits=noroot noroot-locked to unit files.
* journal-remote: add units and read certs from default locationsZbigniew Jędrzejewski-Szmek2014-07-161-0/+24