On 26.12.2015 at 20:39, Manuel Amador (Rudd-O) wrote:
> On 12/26/2015 07:28 PM, Reindl Harald wrote:
>
>> my infrastructure is most likely better managed than anyone else's
>
> So says the person with a limited perspective and a refusal to learn
> modern tools and processes

the person with a limited perspective yet converted cronjobs using a sourced shell script for an update system where base locations for every server are defined by sourcing a shell script that just defines env vars

that's part of a complex deployment and maintenance infrastructure for some hundred webhosts on a dozen servers

guess what: EnvironmentFile can reuse that file, which still needs to be there to configure a ton of CLI scripts for different tasks

reason for the change to a oneshot-systemd unit?
to restrict capabilities and write/read permissions more

there is a world outside "the daemon" at all

EnvironmentFile=/scripts/cl-update-service.inc.sh
Type=oneshot
ExecStart=/path/to/cronscript
User=wwwcron
Group=apache
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL CAP_CHMOD CAP_FOWNER
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
ReadOnlyDirectories=/proc
ReadOnlyDirectories=/sys
InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/media
InaccessibleDirectories=-/root
InaccessibleDirectories=-/etc/dbus-1
InaccessibleDirectories=-/etc/modprobe.d
InaccessibleDirectories=-/etc/modules-load.d
InaccessibleDirectories=-/etc/postfix
InaccessibleDirectories=-/etc/ssh
InaccessibleDirectories=-/etc/sysctl.d
InaccessibleDirectories=-/run/console
InaccessibleDirectories=-/run/dbus
InaccessibleDirectories=-/run/lock
InaccessibleDirectories=-/run/mount
InaccessibleDirectories=-/run/systemd/generator
InaccessibleDirectories=-/run/systemd/system
InaccessibleDirectories=-/run/systemd/users
InaccessibleDirectories=-/run/udev
InaccessibleDirectories=-/run/user

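As an added example (not from the thread or from systemd), a small POSIX shell check that a file shared between sourcing shell scripts and a unit's EnvironmentFile= stays within the syntax both consumers read the same way: systemd's parser does no variable or command expansion, so a line like LOGDIR="$WEBROOT/logs" works when sourced but reaches the service as a literal string. File names and values below are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Verifies that an env file meant to
# be both "sourced" by shell scripts and loaded via EnvironmentFile= contains
# only plain KEY=VALUE assignments and comments. Sourcing executes arbitrary
# shell; EnvironmentFile= does not expand $VAR or $(cmd), so anything beyond a
# plain assignment silently diverges between the two consumers.

# Return 0 if every non-blank, non-comment line is a plain assignment with no
# shell expansion, 1 otherwise (offending lines are reported on stderr).
envfile_is_plain() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|';'*) continue ;;   # blank or comment: fine for both
        esac
        # Must look like NAME=... with a POSIX identifier; "export NAME=" is
        # shell-only syntax and is rejected here on purpose.
        if ! printf '%s\n' "$line" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*='; then
            printf 'not a plain assignment: %s\n' "$line" >&2; rc=1; continue
        fi
        # Anything the shell would expand or execute is disallowed.
        case "$line" in
            *'$'*|*'`'*) printf 'shell expansion: %s\n' "$line" >&2; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Write two constructed sample files into directory $1 (hypothetical names).
write_samples() {
    cat > "$1/good.inc.sh" <<'EOF'
# base locations for this server (constructed sample)
WEBROOT=/var/www
UPDATE_STATE=/var/lib/cl-update
EOF
    cat > "$1/bad.inc.sh" <<'EOF'
WEBROOT=/var/www
export LOGDIR="$WEBROOT/logs"
EOF
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    envfile_is_plain "$d/good.inc.sh" && echo "good.inc.sh: ok"
    envfile_is_plain "$d/bad.inc.sh" || echo "bad.inc.sh: rejected"
fi
```

Run with `--demo` to see the constructed good file pass and the bad one rejected; point the function at the real shared file to check it before a unit loads it.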

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
