On 27/02/2018 04:00 PM, Willy Tarreau wrote:
> Hi Tim,
>
> On Thu, Feb 22, 2018 at 03:03:58PM +0100, Tim Duesterhus wrote:
>> I'm running these exact settings on my Debian Stretch machine using haproxy
>> 1.8.x, without issues so far.
>>
>> The first patch could cause issues for users that store their configuration
>> in /home or /root, but I consider this unlikely.
>>

How do you know that?

>> Tim Duesterhus (2):
>> MINOR: systemd: Add SystemD's Protect*= options to the unit file
>> MINOR: systemd: Add SystemD's SystemCallFilter option to the unit file
>
> I took a look, but my systemd incompetence limited my ability to understand
> what this really does. How does systemd act to do this exactly? I'm very
> worried that the only way it could proceed would be by running the process
> under ptrace, causing a tremendous slowdown, and additionally making the
> process unobservable/undebuggable. Do you know how it proceeds internally?
>
> Thanks,
> Willy
>

I am pretty much against this.

systemd allows users to extend the systemd configuration of a service (haproxy in this case) by dropping a file under the /etc/systemd/system/haproxy.service.d directory. If user X or distribution X wants to harden the default systemd configuration of HAProxy, then they can do it. But I don't think it is the task of haproxy devs to ship a configuration with zero return on investment and potential breakage.

My 2 cents,
Pavlos
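The drop-in mechanism Pavlos refers to, shown as an added example that is not part of the thread or of the HAProxy project: a distribution or administrator who wants the sandboxing from the two patches can put it in a drop-in file instead of editing the shipped unit. The file names, the exact directive set and the assumption that haproxy.cfg uses a `chroot` directive are illustrative; check them against your own configuration. On Willy's question: systemd implements SystemCallFilter= by installing a seccomp BPF filter in the child just before it executes the service binary, and the Protect*= directives by giving the service its own mount namespace with read-only or empty mounts; neither involves ptrace, so the process stays observable with strace, gdb and perf as usual.

```ini
# /etc/systemd/system/haproxy.service.d/10-hardening.conf
# Added example (not from the mailing-list thread or the HAProxy project).
# Every drop-in under haproxy.service.d/ is merged into the unit shipped in
# /lib/systemd/system/haproxy.service; the shipped file itself stays untouched.
[Service]
# Mount-namespace based directives (the "Protect*=" patch):
# /usr, /boot and /etc become read-only, /home, /root and /run/user are
# replaced by empty directories, /tmp and /dev are private to the service.
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# seccomp based directive (the "SystemCallFilter" patch): the allow-list is
# compiled into a BPF program that the kernel evaluates on each syscall.
# @system-service does not contain chroot; it is added explicitly on the
# assumption that haproxy.cfg carries a "chroot /var/lib/haproxy" line.
SystemCallFilter=@system-service chroot
```

A second drop-in can then relax a single directive for the case Tim mentions (configuration kept under /home). Drop-ins are applied in lexical file-name order and a later assignment to a single-valued directive replaces the earlier one, so this file only changes ProtectHome= and leaves the rest of the hardening in place:

```ini
# /etc/systemd/system/haproxy.service.d/20-config-in-home.conf
# Added example: override one directive from 10-hardening.conf.
[Service]
ProtectHome=read-only
```

After adding or editing drop-ins run `systemctl daemon-reload` and restart the service. `systemctl cat haproxy.service` prints the shipped unit together with every drop-in in the order they are merged, which is the quickest way to confirm which value of a directive won, and `systemd-analyze security haproxy.service` (systemd 240 and later) lists the sandboxing directives that are in effect for the unit.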

