mirror of
https://github.com/koverstreet/bcachefs-tools.git
synced 2025-01-22 00:04:31 +03:00
01b4965104
Correctly generate libexecdir based path for the bcachefsck_all service, like the bcachefsck_all_fail service already does. Signed-off-by: Christopher Snowhill <kode54@gmail.com>
85 lines
2.3 KiB
SYSTEMD
85 lines
2.3 KiB
SYSTEMD
# SPDX-License-Identifier: GPL-2.0
|
|
#
|
|
# Copyright (C) 2023-2024 Oracle. All Rights Reserved.
|
|
# Author: Darrick J. Wong <djwong@kernel.org>
|
|
|
|
[Unit]
|
|
Description=Online bcachefsck for All Filesystems
|
|
OnFailure=bcachefsck_all_fail.service
|
|
ConditionACPower=true
|
|
Documentation=man:bcachefsck_all(8)
|
|
After=paths.target multi-user.target network.target network-online.target systemd-networkd.service NetworkManager.service connman.service
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
Environment=SERVICE_MODE=1
|
|
ExecStart=@libexecdir@/bcachefsck_all
|
|
SyslogIdentifier=bcachefsck_all
|
|
|
|
# Create the service underneath the scrub background service slice so that we
|
|
# can control resource usage.
|
|
Slice=system-bcachefsck.slice
|
|
|
|
# Run scrub_all with minimal CPU and IO priority so that nothing will starve.
|
|
IOSchedulingClass=idle
|
|
CPUSchedulingPolicy=idle
|
|
CPUAccounting=true
|
|
Nice=19
|
|
|
|
# No realtime scheduling
|
|
RestrictRealtime=true
|
|
|
|
# No special privileges, but we still have to run as root so that we can
|
|
# contact the service manager to start the sub-units.
|
|
CapabilityBoundingSet=
|
|
NoNewPrivileges=true
|
|
RestrictSUIDSGID=true
|
|
|
|
# Make the entire filesystem readonly except for the media scan stamp file
|
|
# directory. We don't want to hide anything because we need to find all
|
|
# mounted bcachefs filesystems in the host.
|
|
ProtectSystem=strict
|
|
ProtectHome=read-only
|
|
PrivateTmp=false
|
|
|
|
# No network access except to the systemd control socket
|
|
PrivateNetwork=true
|
|
ProtectHostname=true
|
|
RestrictAddressFamilies=AF_UNIX
|
|
IPAddressDeny=any
|
|
|
|
# Don't let the program mess with the kernel configuration at all
|
|
ProtectKernelLogs=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelTunables=true
|
|
ProtectControlGroups=true
|
|
ProtectProc=invisible
|
|
RestrictNamespaces=true
|
|
|
|
# Hide everything in /proc, even /proc/mounts
|
|
ProcSubset=pid
|
|
|
|
# Only allow the default personality Linux
|
|
LockPersonality=true
|
|
|
|
# No writable memory pages
|
|
MemoryDenyWriteExecute=true
|
|
|
|
# Don't let our mounts leak out to the host
|
|
PrivateMounts=true
|
|
|
|
# Restrict system calls to the native arch and only enough to get things going
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=@system-service
|
|
SystemCallFilter=~@privileged
|
|
SystemCallFilter=~@resources
|
|
SystemCallFilter=~@mount
|
|
|
|
# Media scan stamp file shouldn't be readable by regular users
|
|
UMask=0077
|
|
|
|
# lsblk ignores mountpoints if it can't find the device files, so we cannot
|
|
# hide them
|
|
#ProtectClock=true
|
|
#PrivateDevices=true
|