From 3df58430a41fe7f28d33271833f3f5ed094c09c8 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Tue, 31 Jan 2017 17:53:45 -0800
Subject: [PATCH] Add a sample systemd service file for pixiecore.

The service file is added as documentation, rather than in the system services directory, because it will almost certainly require customization before it can be used. So why bother including one at all? Because I've gone through the trouble of figuring out the various systemd-exec security flags to lock down pixiecore as much as possible with chroots, capabilties, syscall filters, etc. Having that as a baseline will encourage people to run Pixiecore with maximum constraints, even if they have to write their own ExecStart for it.
---
 .travis.yml | 2 ++
 pixiecore/pixiecore.service | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 pixiecore/pixiecore.service

diff --git a/.travis.yml b/.travis.yml
index 361d9e9..41e8aa4 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -22,7 +22,9 @@ script:
 - fpm -s dir -t deb -n pixiecore -v $(date '+%Y%m%d%H%M%S') --license Apache2 --vendor "David Anderson " --maintainer "David Anderson " --description "All-in-one PXE booting" --url "https://github.com/google/netboot"
+ --directories /usr/share/doc/pixiecore
 ./pixiecore.amd64=/usr/bin/pixiecore
+ ./pixiecore/pixiecore.service=/usr/share/doc/pixiecore/pixiecore.service.example
 env:
 global: # Packagecloud API token
diff --git a/pixiecore/pixiecore.service b/pixiecore/pixiecore.service
new file mode 100644
index 0000000..20a56c9
--- /dev/null
+++ b/pixiecore/pixiecore.service
@@ -0,0 +1,32 @@
+# This is an example service file for Pixiecore, which starts it in
+# API mode with as many execution restrictions as possible: read-only
+# filesystems, chroot, capability limitations, syscall filters...
+#
+# You will probably need to adjust this to your particular needs, but
+# this should be a comprehensive starting point.
+
+[Unit]
+Description=PXE booting server
+Documentation=https://github.com/google/netboot/tree/master/pixiecore
+
+[Service]
+WorkingDirectory=/tmp
+ExecStart=/usr/bin/pixiecore api https://example.com/api
+Restart=always
+User=nobody
+Group=nobody
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
+PrivateTmp=true
+PrivateDevices=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+NoNewPrivileges=true
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+[Install]
+WantedBy=multi-user.target
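Review bot: The header comment (and the commit message) says the unit applies a chroot, but nothing in the `[Service]` section sets one; `ProtectSystem=strict` only makes the host filesystem read-only, it does not hide it, so either drop "chroot" from the comment or add a `RootDirectory=` pointing at a minimal tree, otherwise readers copying this file will assume more isolation than they get. `User=nobody`/`Group=nobody` shares that account with every other service on the host that uses `nobody`, which weakens the isolation the rest of the unit is building; a dedicated account, or `DynamicUser=yes` on systemd versions that support it, keeps the process on its own uid. The `SystemCallFilter=` line is a deny-list, which still permits anything the listed groups do not cover; adding `SystemCallArchitectures=native` and `RestrictRealtime=true` next to it closes two further avenues and should not affect a static Go binary, and an allow-list form (`SystemCallFilter=@system-service`, where the installed systemd provides that group) is stricter still. Lastly, `Restart=always` with no `RestartSec=` can drive the unit into systemd's start-rate limit if the configured API endpoint is unreachable at boot, so a `RestartSec=5` or similar is worth including in the example.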