On 27/02/2018 08:19 μμ, Tim Duesterhus wrote:
> Willy,
>
> okay. I added an additional comment about the nature of those options in
> the first commit and then added the various settings in commented out
> versions. For reference, these are the settings I add on top of Debian's
> default unit file (haproxy 1.8.4 on Debian Stretch) for one of my production
> instances of haproxy:
>
> # /lib/systemd/system/haproxy.service.d/config.conf
> [Service]
> Environment=CONFIG=/usr/share/haproxy/
> # /lib/systemd/system/haproxy.service.d/no-pidfile.conf
> [Service]
> ExecStart=
> ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG
> # /lib/systemd/system/haproxy.service.d/security.conf
> [Service]
> ProtectSystem=strict
> ProtectHome=true
> ProtectKernelTunables=true
> ProtectKernelModules=true
> ProtectControlGroups=true
> SystemCallFilter=~@cpu-emulation @keyring @module @obsolete @raw-io
> NoNewPrivileges=true
> # /lib/systemd/system/haproxy.service.d/state.conf
> [Service]
> RuntimeDirectory=haproxy
> ExecReload=
> ExecReload=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS
> ExecReload=/bin/sh -c "echo show servers state |nc -U /var/run/haproxy/admin.sock > /run/haproxy/global-state"
> ExecReload=/bin/kill -USR2 $MAINPID
>
> I'm open for further feedback from the other participants in this thread
> as well!
>
> Best regards
>
> Tim Duesterhus (3):
>   MINOR: systemd: Add section for SystemD sandboxing to unit file
>   MINOR: systemd: Add SystemD's Protect*= options to the unit file
>   MINOR: systemd: Add SystemD's SystemCallFilter option to the unit file
>
I am fine with adding the comments and thanks for accepting the feedback.

BTW: The commit message is a bit misleading because if I don't read the code I will think that those options are enabled, which isn't true. So, you may want to mention they aren't enabled by default.

Thanks,
Pavlos
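The distinction raised in this thread, a sandboxing option that is shipped commented out versus one that systemd actually applies, can be checked mechanically. The following is an added example, not part of the thread or of the haproxy patches: the function name `audit`, the sample unit text and its `/etc/haproxy/haproxy.cfg` path are constructed for illustration, and backslash line continuations are not handled.

```python
import re

# Sandboxing directives named in the thread's security.conf drop-in.
HARDENING = ("ProtectSystem", "ProtectHome", "ProtectKernelTunables",
             "ProtectKernelModules", "ProtectControlGroups",
             "SystemCallFilter", "NoNewPrivileges")
ASSIGN = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*=\s*(.*)$")

def audit(unit_text):
    """Return (active, commented_out) for the [Service] section."""
    active, commented, section = {}, set(), None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or not line:
            continue
        if line[0] in "#;":  # systemd treats both as comment markers
            m = ASSIGN.match(line[1:].strip())
            if m and m.group(1) in HARDENING:
                commented.add(m.group(1))
            continue
        m = ASSIGN.match(line)
        if not m:
            continue
        key, value = m.groups()
        if value == "":
            active[key] = []  # empty assignment resets, like "ExecStart=" above
        else:
            # For single-valued settings systemd uses the last entry.
            active.setdefault(key, []).append(value)
    # Report hardening options that exist only as comments.
    return active, sorted(commented - set(active))

# Constructed sample: options shipped commented out, one enabled by the admin.
SAMPLE = """\
[Service]
ExecStart=/usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg
ExecStart=
ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG
NoNewPrivileges=true
#ProtectSystem=strict
# ProtectHome=true
#SystemCallFilter=~@cpu-emulation @keyring @module @obsolete @raw-io
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a host with a recent systemd, `systemd-analyze security haproxy.service` reports the sandboxing settings the running manager has actually applied to the unit.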

