-
Notifications
You must be signed in to change notification settings - Fork 661
Expand file tree
/
Copy pathgenerate-systemd-service-files
More file actions
executable file
·129 lines (116 loc) · 3.23 KB
/
generate-systemd-service-files
File metadata and controls
executable file
·129 lines (116 loc) · 3.23 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
#!/bin/sh
SYSTEMD_VER=$(systemctl --version | head -1 | cut -d' ' -f2)
if [ ${SYSTEMD_VER} -lt 237 ]
then
SYSTEMD_EXTRA=""
else
SYSTEMD_EXTRA=$(cat <<EOF
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
#MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
EOF
)
fi
for BINARY in keydb-server keydb-sentinel
do
for MODE in default templated
do
case "${BINARY}" in
keydb-server)
NAME="keydb"
;;
keydb-sentinel)
NAME="sentinel"
;;
esac
case "${MODE}" in
default)
EXTRA="Alias=${NAME}.service"
TARGET="debian/${BINARY}.service"
NAMESPACED="${NAME}"
DESCRIPTION="Advanced key-value store"
;;
templated)
EXTRA=""
TARGET="debian/${BINARY}@.service"
NAMESPACED="${NAME}-%i"
DESCRIPTION="Advanced key-value store (%I)"
;;
esac
: >${TARGET}
if [ "${MODE}" = "templated" ]
then
cat >> ${TARGET} <<EOF
# Templated service file for ${BINARY}(1)
#
# Each instance of ${BINARY} requires its own configuration file:
#
# $ cp /etc/keydb/${NAME}.conf /etc/keydb/${NAME}-myname.conf
# $ chown keydb:keydb /etc/keydb/${NAME}-myname.conf
#
# Ensure each instance is using their own database:
#
# $ sed -i -e 's@^dbfilename .*@dbfilename dump-myname.rdb@' /etc/keydb/${NAME}-myname.conf
#
# We then listen exlusively on UNIX sockets to avoid TCP port collisions:
#
# $ sed -i -e 's@^port .*@port 0@' /etc/keydb/${NAME}-myname.conf
# $ sed -i -e 's@^\\(# \\)\\{0,1\\}unixsocket .*@unixsocket /var/run/${NAME}-myname/${BINARY}.sock@' /etc/keydb/${NAME}-myname.conf
#
# ... and ensure we are logging, etc. in a unique location:
#
# $ sed -i -e 's@^logfile .*@logfile /var/log/keydb/${BINARY}-myname.log@' /etc/keydb/${NAME}-myname.conf
# $ sed -i -e 's@^pidfile .*@pidfile /var/run/keydb-myname/${BINARY}.pid@' /etc/keydb/${NAME}-myname.conf
#
# We can then start the service as follows, validating we are using our own
# configuration:
#
# $ systemctl start ${BINARY}@myname.service
# $ keydb-cli -s /var/run/${NAME}-myname/${BINARY}.sock info | grep config_file
EOF
fi
cat >> ${TARGET} <<EOF
[Unit]
Description=${DESCRIPTION}
After=network.target
Documentation=https://docs.keydb.dev, man:${BINARY}(1)
[Service]
Type=notify
ExecStart=/usr/bin/${BINARY} /etc/keydb/${NAMESPACED}.conf
ExecStop=/bin/kill -s TERM \$MAINPID
PIDFile=/var/run/${NAMESPACED}/${BINARY}.pid
TimeoutStopSec=0
Restart=always
User=keydb
Group=keydb
RuntimeDirectory=${NAMESPACED}
RuntimeDirectoryMode=2755
UMask=007
PrivateTmp=yes
LimitNOFILE=65535
PrivateDevices=yes
ProtectHome=yes
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/keydb
ReadWriteDirectories=-/var/log/keydb
ReadWriteDirectories=-/var/run/${NAMESPACED}
NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE${SYSTEMD_EXTRA}
# ${BINARY} can write to its own config file when in cluster mode so we
# permit writing there by default. If you are not using this feature, it is
# recommended that you replace the following lines with "ProtectSystem=full".
ProtectSystem=true
ReadWriteDirectories=-/etc/keydb
[Install]
WantedBy=multi-user.target
EOF
if [ "${EXTRA}" != "" ]
then
echo "${EXTRA}" >> "${TARGET}"
fi
done
done