starlingx/config-files
Code Issues Proposed changes
config-files/memcached-custom/source-debian/memcached.service
Matheus Machado Guilhermino 0c2d36e634 Migrate memcached-custom to Debian 
Modified memcached-custom to add support for Debian packaging.
TODO: Test commented out service file parameters on Debian.

Test Plan:

PASS: Package installed and ISO built successfully

Story: 2009256
Task: 43737

Signed-off-by: Matheus Machado Guilhermino <Matheus.MachadoGuilhermino@windriver.com>
Change-Id: Ibddb64317d72fefe04e1e9ce18ad9b61839c5fca
2022-01-17 17:27:21 -03:00

57 lines
2.0 KiB
Desktop File
Raw Blame History

#
# This service file is a customized version in platform-util package from
# openstack/stx-integ project
[Unit]
Description=memcached daemon
Before=httpd.service
After=network-online.target
[Service]
EnvironmentFile=/etc/sysconfig/memcached
ExecStart=/usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS
# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
# so this service cannot access the global directories and other processes cannot
# access this service's directories.
PrivateTmp=true
# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
ProtectSystem=full
# Ensures that the service process and all its children can never gain new privileges
NoNewPrivileges=true
# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
# but no physical devices such as /dev/sda.
PrivateDevices=true
# Required for dropping privileges and running as a different user
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
LimitNOFILE=16384
# Attempts to create memory mappings that are writable and executable at the same time,
# or to change existing memory mappings to become executable are prohibited.
# XXX: this property is supported with systemd 231+ which is not yet on EL7
# MemoryDenyWriteExecute=true
# Restricts the set of socket address families accessible to the processes of this unit.
# Protects against vulnerabilities such as CVE-2016-8655
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# These service parameters are commented out since they are incompatible with
# Centos 7 and generate warning messages when included.
# TODO: This was taken directly from Centos and needs to be tested with Debian
#ProtectKernelModules=true
#ProtectKernelTunables=true
#ProtectControlGroups=true
#RestrictRealtime=true
#RestrictNamespaces=true
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
View Git Blame Copy Permalink