bcachefs-tools/fsck/bcachefsck_all.service.in

# SPDX-License-Identifier: GPL-2.0
#
# Copyright (C) 2023-2024 Oracle.  All Rights Reserved.
# Author: Darrick J. Wong <djwong@kernel.org>

[Unit]
Description=Online bcachefsck for All Filesystems
OnFailure=bcachefsck_all_fail.service
ConditionACPower=true
Documentation=man:bcachefsck_all(8)
After=paths.target multi-user.target network.target network-online.target systemd-networkd.service NetworkManager.service connman.service

[Service]
Type=oneshot
Environment=SERVICE_MODE=1
ExecStart=bcachefsck_all
SyslogIdentifier=bcachefsck_all

# Create the service underneath the scrub background service slice so that we
# can control resource usage.
Slice=system-bcachefsck.slice

# Run scrub_all with minimal CPU and IO priority so that nothing will starve.
IOSchedulingClass=idle
CPUSchedulingPolicy=idle
CPUAccounting=true
Nice=19

# No realtime scheduling
RestrictRealtime=true

# No special privileges, but we still have to run as root so that we can
# contact the service manager to start the sub-units.
CapabilityBoundingSet=
NoNewPrivileges=true
RestrictSUIDSGID=true

# Make the entire filesystem readonly except for the media scan stamp file
# directory.  We don't want to hide anything because we need to find all
# mounted bcachefs filesystems in the host.
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=false

# No network access except to the systemd control socket
PrivateNetwork=true
ProtectHostname=true
RestrictAddressFamilies=AF_UNIX
IPAddressDeny=any

# Don't let the program mess with the kernel configuration at all
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectProc=invisible
RestrictNamespaces=true

# Hide everything in /proc, even /proc/mounts
ProcSubset=pid

# Only allow the default personality Linux
LockPersonality=true

# No writable memory pages
MemoryDenyWriteExecute=true

# Don't let our mounts leak out to the host
PrivateMounts=true

# Restrict system calls to the native arch and only enough to get things going
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
SystemCallFilter=~@mount

# Media scan stamp file shouldn't be readable by regular users
UMask=0077

# lsblk ignores mountpoints if it can't find the device files, so we cannot
# hide them
#ProtectClock=true
#PrivateDevices=true
fsck: add a service to schedule and run bcachefsck@ services Create a script that looks for mounted bcachefs filesystems and tries to run as many of them in parallel as possible without two different scrubbers hitting the same low level block device. Signed-off-by: Darrick J. Wong <djwong@kernel.org> 2023-12-05 05:43:31 +03:00			`# SPDX-License-Identifier: GPL-2.0`
			`#`
			`# Copyright (C) 2023-2024 Oracle. All Rights Reserved.`
			`# Author: Darrick J. Wong <djwong@kernel.org>`

			`[Unit]`
			`Description=Online bcachefsck for All Filesystems`
			`OnFailure=bcachefsck_all_fail.service`
			`ConditionACPower=true`
			`Documentation=man:bcachefsck_all(8)`
			`After=paths.target multi-user.target network.target network-online.target systemd-networkd.service NetworkManager.service connman.service`

			`[Service]`
			`Type=oneshot`
			`Environment=SERVICE_MODE=1`
			`ExecStart=bcachefsck_all`
			`SyslogIdentifier=bcachefsck_all`

			`# Create the service underneath the scrub background service slice so that we`
			`# can control resource usage.`
			`Slice=system-bcachefsck.slice`

			`# Run scrub_all with minimal CPU and IO priority so that nothing will starve.`
			`IOSchedulingClass=idle`
			`CPUSchedulingPolicy=idle`
			`CPUAccounting=true`
			`Nice=19`

			`# No realtime scheduling`
			`RestrictRealtime=true`

			`# No special privileges, but we still have to run as root so that we can`
			`# contact the service manager to start the sub-units.`
			`CapabilityBoundingSet=`
			`NoNewPrivileges=true`
			`RestrictSUIDSGID=true`

			`# Make the entire filesystem readonly except for the media scan stamp file`
			`# directory. We don't want to hide anything because we need to find all`
			`# mounted bcachefs filesystems in the host.`
			`ProtectSystem=strict`
			`ProtectHome=read-only`
			`PrivateTmp=false`

			`# No network access except to the systemd control socket`
			`PrivateNetwork=true`
			`ProtectHostname=true`
			`RestrictAddressFamilies=AF_UNIX`
			`IPAddressDeny=any`

			`# Don't let the program mess with the kernel configuration at all`
			`ProtectKernelLogs=true`
			`ProtectKernelModules=true`
			`ProtectKernelTunables=true`
			`ProtectControlGroups=true`
			`ProtectProc=invisible`
			`RestrictNamespaces=true`

			`# Hide everything in /proc, even /proc/mounts`
			`ProcSubset=pid`

			`# Only allow the default personality Linux`
			`LockPersonality=true`

			`# No writable memory pages`
			`MemoryDenyWriteExecute=true`

			`# Don't let our mounts leak out to the host`
			`PrivateMounts=true`

			`# Restrict system calls to the native arch and only enough to get things going`
			`SystemCallArchitectures=native`
			`SystemCallFilter=@system-service`
			`SystemCallFilter=~@privileged`
			`SystemCallFilter=~@resources`
			`SystemCallFilter=~@mount`

			`# Media scan stamp file shouldn't be readable by regular users`
			`UMask=0077`

			`# lsblk ignores mountpoints if it can't find the device files, so we cannot`
			`# hide them`
			`#ProtectClock=true`
			`#PrivateDevices=true`