mirror of
https://github.com/koverstreet/bcachefs-tools.git
synced 2025-02-02 00:00:03 +03:00
74753de989
Create a script that looks for mounted bcachefs filesystems and tries to run as many of them in parallel as possible without two different scrubbers hitting the same low level block device. Signed-off-by: Darrick J. Wong <djwong@kernel.org>
85 lines
2.3 KiB
SYSTEMD
85 lines
2.3 KiB
SYSTEMD
# SPDX-License-Identifier: GPL-2.0
|
|
#
|
|
# Copyright (C) 2023-2024 Oracle. All Rights Reserved.
|
|
# Author: Darrick J. Wong <djwong@kernel.org>
|
|
|
|
[Unit]
|
|
Description=Online bcachefsck for All Filesystems
|
|
OnFailure=bcachefsck_all_fail.service
|
|
ConditionACPower=true
|
|
Documentation=man:bcachefsck_all(8)
|
|
After=paths.target multi-user.target network.target network-online.target systemd-networkd.service NetworkManager.service connman.service
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
Environment=SERVICE_MODE=1
|
|
ExecStart=bcachefsck_all
|
|
SyslogIdentifier=bcachefsck_all
|
|
|
|
# Create the service underneath the scrub background service slice so that we
|
|
# can control resource usage.
|
|
Slice=system-bcachefsck.slice
|
|
|
|
# Run scrub_all with minimal CPU and IO priority so that nothing will starve.
|
|
IOSchedulingClass=idle
|
|
CPUSchedulingPolicy=idle
|
|
CPUAccounting=true
|
|
Nice=19
|
|
|
|
# No realtime scheduling
|
|
RestrictRealtime=true
|
|
|
|
# No special privileges, but we still have to run as root so that we can
|
|
# contact the service manager to start the sub-units.
|
|
CapabilityBoundingSet=
|
|
NoNewPrivileges=true
|
|
RestrictSUIDSGID=true
|
|
|
|
# Make the entire filesystem readonly except for the media scan stamp file
|
|
# directory. We don't want to hide anything because we need to find all
|
|
# mounted bcachefs filesystems in the host.
|
|
ProtectSystem=strict
|
|
ProtectHome=read-only
|
|
PrivateTmp=false
|
|
|
|
# No network access except to the systemd control socket
|
|
PrivateNetwork=true
|
|
ProtectHostname=true
|
|
RestrictAddressFamilies=AF_UNIX
|
|
IPAddressDeny=any
|
|
|
|
# Don't let the program mess with the kernel configuration at all
|
|
ProtectKernelLogs=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelTunables=true
|
|
ProtectControlGroups=true
|
|
ProtectProc=invisible
|
|
RestrictNamespaces=true
|
|
|
|
# Hide everything in /proc, even /proc/mounts
|
|
ProcSubset=pid
|
|
|
|
# Only allow the default personality Linux
|
|
LockPersonality=true
|
|
|
|
# No writable memory pages
|
|
MemoryDenyWriteExecute=true
|
|
|
|
# Don't let our mounts leak out to the host
|
|
PrivateMounts=true
|
|
|
|
# Restrict system calls to the native arch and only enough to get things going
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=@system-service
|
|
SystemCallFilter=~@privileged
|
|
SystemCallFilter=~@resources
|
|
SystemCallFilter=~@mount
|
|
|
|
# Media scan stamp file shouldn't be readable by regular users
|
|
UMask=0077
|
|
|
|
# lsblk ignores mountpoints if it can't find the device files, so we cannot
|
|
# hide them
|
|
#ProtectClock=true
|
|
#PrivateDevices=true
|