From 6c34d945a289677bf3955ab43527461c8ce24373 Mon Sep 17 00:00:00 2001
From: Malavan Sotheeswaran
Date: Mon, 13 Mar 2023 10:22:40 -0700
Subject: [PATCH 1/2] update systemd type to notify and add capabilities
---
 .../keydb_build/keydb_rpm/usr/lib/systemd/system/keydb.service | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/rpm/keydb_build/keydb_rpm/usr/lib/systemd/system/keydb.service b/pkg/rpm/keydb_build/keydb_rpm/usr/lib/systemd/system/keydb.service
index e36f5f2cf..a4f84794d 100644
--- a/pkg/rpm/keydb_build/keydb_rpm/usr/lib/systemd/system/keydb.service
+++ b/pkg/rpm/keydb_build/keydb_rpm/usr/lib/systemd/system/keydb.service
@@ -4,7 +4,7 @@ After=network.target
 Documentation=https://docs.keydb.dev, man:keydb-server(1)
 [Service]
-Type=forking
+Type=notify
 ExecStart=/usr/bin/keydb-server /etc/keydb/keydb.conf
 ExecStop=/bin/kill -s TERM $MAINPID
 PIDFile=/var/run/keydb/keydb-server.pid
@@ -27,6 +27,7 @@ ReadWriteDirectories=-/var/run/keydb
 NoNewPrivileges=true
 CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+AmbientCapabilities=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 # keydb-server can write to its own config file when in cluster mode so we
From f205df0cdcb26b5ca03c4ceb04d86e3ef1d95a88 Mon Sep 17 00:00:00 2001
From: Malavan Sotheeswaran
Date: Mon, 13 Mar 2023 10:46:45 -0700
Subject: [PATCH 2/2] update debian packages systemd type to notify
---
 pkg/deb/debian/bin/generate-systemd-service-files | 2 +-
 pkg/deb/debian_dh9/bin/generate-systemd-service-files | 2 +-
 .../keydb_build/keydb_rpm/usr/lib/systemd/system/keydb.service | 1 -
 3 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/pkg/deb/debian/bin/generate-systemd-service-files b/pkg/deb/debian/bin/generate-systemd-service-files
index 14e23d50a..c0f95bf32 100755
--- a/pkg/deb/debian/bin/generate-systemd-service-files
+++ b/pkg/deb/debian/bin/generate-systemd-service-files
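Review bot: `Type=notify` in the first keydb.service hunk of 1/2 makes systemd wait for a READY=1 message from the main process, and nothing in this series shows the server being configured to send one. The packaged keydb.conf is not part of either patch; if it does not set `supervised systemd` (or `auto`), the unit will presumably stay in "activating" until the start timeout and then be stopped. I would add a comment above the line, `# Type=notify needs "supervised systemd" (or "auto") in keydb.conf so the server sends READY=1`, and check whether the retained `PIDFile=` is still needed now that the service no longer forks. The same applies to the two generate-systemd-service-files hunks in 2/2; the [Service] section continues outside each of these hunks.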
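Review bot: The `AmbientCapabilities=` line added in the second keydb.service hunk of 1/2 hands CAP_SETUID and CAP_SETGID to the server process itself, and the subject's "add capabilities" gives no reason for it. If the unit runs under an unprivileged `User=` (not visible in this hunk), ambient CAP_SETUID would let that process switch to any UID, which undoes most of what running as a non-root user buys. Patch 2/2 deletes the line again without mentioning it in its subject; I would drop it from this patch instead, or, if raising resource limits is the actual need, keep only `AmbientCapabilities=CAP_SYS_RESOURCE` and say so in the commit message.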
@@ -88,7 +88,7 @@ After=network.target
 Documentation=https://docs.keydb.dev, man:${BINARY}(1)
 [Service]
-Type=forking
+Type=notify
 ExecStart=/usr/bin/${BINARY} /etc/keydb/${NAMESPACED}.conf
 ExecStop=/bin/kill -s TERM \$MAINPID
 PIDFile=/var/run/${NAMESPACED}/${BINARY}.pid
diff --git a/pkg/deb/debian_dh9/bin/generate-systemd-service-files b/pkg/deb/debian_dh9/bin/generate-systemd-service-files
index 59031d99f..d3c23835b 100755
--- a/pkg/deb/debian_dh9/bin/generate-systemd-service-files
+++ b/pkg/deb/debian_dh9/bin/generate-systemd-service-files
@@ -90,7 +90,7 @@ After=network.target
 Documentation=https://docs.keydb.dev, man:${BINARY}(1)
 [Service]
-Type=forking
+Type=notify
 ExecStart=/usr/bin/${BINARY} /etc/keydb/${NAMESPACED}.conf
 ExecStop=/bin/kill -s TERM \$MAINPID
 PIDFile=/var/run/${NAMESPACED}/${BINARY}.pid
diff --git a/pkg/rpm/keydb_build/keydb_rpm/usr/lib/systemd/system/keydb.service b/pkg/rpm/keydb_build/keydb_rpm/usr/lib/systemd/system/keydb.service
index a4f84794d..56291d514 100644
--- a/pkg/rpm/keydb_build/keydb_rpm/usr/lib/systemd/system/keydb.service
+++ b/pkg/rpm/keydb_build/keydb_rpm/usr/lib/systemd/system/keydb.service
@@ -27,7 +27,6 @@ ReadWriteDirectories=-/var/run/keydb
 NoNewPrivileges=true
 CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
-AmbientCapabilities=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 # keydb-server can write to its own config file when in cluster mode so we