From ede8879672a7ae92491cd3cc898f7980b72a658a Mon Sep 17 00:00:00 2001
From: Alexey Avramov
Date: Sun, 22 Dec 2019 03:15:28 +0900
Subject: [PATCH] update unit files
---
 nohang/nohang-desktop.service.in | 47 ++++++++++++++++++++------------
 nohang/nohang.service.in | 47 ++++++++++++++++++++------------
 2 files changed, 60 insertions(+), 34 deletions(-)
diff --git a/nohang/nohang-desktop.service.in b/nohang/nohang-desktop.service.in
index 90e02a9..3918f91 100644
--- a/nohang/nohang-desktop.service.in
+++ b/nohang/nohang-desktop.service.in
@@ -1,36 +1,49 @@
 [Unit]
-Description=Highly configurable OOM prevention daemon
+Description=Sophisticated low memory handler
 Documentation=man:nohang(1) https://github.com/hakavlad/nohang
 Conflicts=nohang.service
 After=system.slice
 [Service]
-ExecStart=:TARGET_BIN:/nohang --config :TARGET_CONF:/nohang/nohang-desktop.conf
+ExecStart=/usr/local/bin/nohang --config /etc/nohang/nohang-desktop.conf
 SyslogIdentifier=nohang-desktop
-OOMScoreAdjust=-5
+
 KillMode=mixed
+
 Restart=always
 RestartSec=0
-TasksMax=50
-UMask=0027
-Nice=-5
+Nice=-5
 CPUSchedulingResetOnFork=true
-ProtectKernelModules=true
-PrivateNetwork=true
-PrivateTmp=true
-LockPersonality=yes
 RestrictRealtime=yes
+
+TasksMax=20
+MemoryMax=200M
+
+# Restrict access to the file system
+UMask=0027
+ReadOnlyPaths=/
+ReadWritePaths=/var/log
+InaccessiblePaths=/home /root
+
+# Capabilities whitelist:
+# CAP_KILL is required to send signals (SIGTERM and SIGKILL)
+# CAP_IPC_LOCK is required to mlockall()
+# CAP_SYS_PTRACE are required to check /proc/[pid]/exe realpathes
+# CAP_DAC_READ_SEARCH is required to read /proc/[pid]/environ files
+# CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE are required to send GUI notifications
+
+CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
+AmbientCapabilities=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
+
+# It breaks GUI notifications on oldstable distros (Debian 8, CentOS 7)
+PrivateNetwork=true
+
+LockPersonality=yes
 RestrictNamespaces=yes
+ProtectKernelModules=true
 MemoryDenyWriteExecute=yes
 SystemCallArchitectures=native
-ReadOnlyPaths=/
-ReadWritePaths=/tmp /var/tmp /var/log/nohang /dev/shm
-InaccessiblePaths=/home /root
-
-CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
-AmbientCapabilities=CAP_KILL CAP_IPC_LOCK 
CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
-
 [Install]
 WantedBy=multi-user.target
diff --git a/nohang/nohang.service.in b/nohang/nohang.service.in
index 30b2d21..0c6f13c 100644
--- a/nohang/nohang.service.in
+++ b/nohang/nohang.service.in
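Review bot: The new `ExecStart=/usr/local/bin/nohang --config /etc/nohang/nohang-desktop.conf` hard-codes the install prefix in a file that keeps its `.service.in` template suffix, replacing the `:TARGET_BIN:`/`:TARGET_CONF:` placeholders that a build step presumably substitutes; a build that installs under another prefix (for example a distro package using /usr/bin) now gets a unit pointing at a binary and a config that are not there. Either keep the template line, `ExecStart=:TARGET_BIN:/nohang --config :TARGET_CONF:/nohang/nohang-desktop.conf`, or rename the file and remove the substitution step together; the same applies to the nohang.service.in hunk. Separately, `ReadWritePaths=/var/log` is broader than the previous `/var/log/nohang`: combined with `ReadOnlyPaths=/` it leaves every file under /var/log writable by the daemon, so if nohang only writes into its own directory the narrower `ReadWritePaths=/var/log/nohang` keeps the sandbox at least privilege. `PrivateTmp=true` is also dropped, presumably because /tmp is no longer listed in ReadWritePaths and so stays read-only under `ReadOnlyPaths=/`; that reasoning belongs in the "Restrict access to the file system" comment so the next editor does not re-add a writable /tmp without restoring the private namespace.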
@@ -1,36 +1,49 @@
 [Unit]
-Description=Highly configurable OOM prevention daemon
+Description=Sophisticated low memory handler
 Documentation=man:nohang(1) https://github.com/hakavlad/nohang
 Conflicts=nohang-desktop.service
 After=system.slice
 [Service]
-ExecStart=:TARGET_BIN:/nohang --config :TARGET_CONF:/nohang/nohang.conf
+ExecStart=/usr/local/bin/nohang --config /etc/nohang/nohang.conf
 SyslogIdentifier=nohang
-OOMScoreAdjust=-5
+
 KillMode=mixed
+
 Restart=always
 RestartSec=0
-TasksMax=50
-UMask=0027
-Nice=-5
+Nice=-5
 CPUSchedulingResetOnFork=true
-ProtectKernelModules=true
-PrivateNetwork=true
-PrivateTmp=true
-LockPersonality=yes
 RestrictRealtime=yes
+
+TasksMax=25
+MemoryMax=250M
+
+# Restrict access to the file system
+UMask=0027
+ReadOnlyPaths=/
+ReadWritePaths=/var/log
+InaccessiblePaths=/home /root
+
+# Capabilities whitelist:
+# CAP_KILL is required to send signals (SIGTERM and SIGKILL)
+# CAP_IPC_LOCK is required to mlockall()
+# CAP_SYS_PTRACE are required to check /proc/[pid]/exe realpathes
+# CAP_DAC_READ_SEARCH is required to read /proc/[pid]/environ files
+# CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE are required to send GUI notifications
+
+CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
+AmbientCapabilities=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
+
+# It breaks GUI notifications on oldstable distros (Debian 8, CentOS 7)
+PrivateNetwork=true
+
+LockPersonality=yes
 RestrictNamespaces=yes
+ProtectKernelModules=true
 MemoryDenyWriteExecute=yes
 SystemCallArchitectures=native
-ReadOnlyPaths=/
-ReadWritePaths=/tmp /var/tmp /var/log/nohang /dev/shm
-InaccessiblePaths=/home /root
-
-CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
-AmbientCapabilities=CAP_KILL CAP_IPC_LOCK 
CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
-
 [Install]
 WantedBy=multi-user.target
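Review bot: The comment `# It breaks GUI notifications on oldstable distros (Debian 8, CentOS 7)` sits directly above `PrivateNetwork=true` and leaves unclear whether "it" means the option that follows and, if so, why the option is still enabled; the same wording appears in the nohang-desktop.service.in hunk. Name the option and the consequence explicitly, e.g. `# PrivateNetwork=true is known to break GUI notifications on oldstable distros (Debian 8, CentOS 7)`, so an administrator debugging missing notifications knows which line a drop-in has to override. The capability comment `# CAP_SYS_PTRACE are required to check /proc/[pid]/exe realpathes` should read `# CAP_SYS_PTRACE is required to resolve /proc/[pid]/exe real paths`. If the CAP_SETUID, CAP_SETGID and CAP_AUDIT_WRITE entries exist only for the helper processes the daemon runs to deliver notifications, the whitelist comment should say so, since they are the broadest entries in an otherwise minimal set and a reader trimming the list for a headless install needs to know they can go.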