Willy, okay. I added an additional comment about the nature of those options in the first commit and then added the various settings in commented-out versions. For reference, these are the settings I add on top of Debian's default unit file (haproxy 1.8.4 on Debian Stretch) for one of my production instances of haproxy:

# /lib/systemd/system/haproxy.service.d/config.conf
[Service]
Environment=CONFIG=/usr/share/haproxy/

# /lib/systemd/system/haproxy.service.d/no-pidfile.conf
[Service]
ExecStart=
ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG

# /lib/systemd/system/haproxy.service.d/security.conf
[Service]
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
SystemCallFilter=~@cpu-emulation @keyring @module @obsolete @raw-io
NoNewPrivileges=true

# /lib/systemd/system/haproxy.service.d/state.conf
[Service]
RuntimeDirectory=haproxy
ExecReload=
ExecReload=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS
ExecReload=/bin/sh -c "echo show servers state |nc -U /var/run/haproxy/admin.sock > /run/haproxy/global-state"
ExecReload=/bin/kill -USR2 $MAINPID

I'm open for further feedback from the other participants in this thread as well!

Best regards

Tim Duesterhus (3):
  MINOR: systemd: Add section for SystemD sandboxing to unit file
  MINOR: systemd: Add SystemD's Protect*= options to the unit file
  MINOR: systemd: Add SystemD's SystemCallFilter option to the unit file

 contrib/systemd/haproxy.service.in | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

--
2.16.2