"Fossies" - the Fresh Open Source Software Archive 
Member "memcached-1.6.15/scripts/memcached.service" (16 Jul 2020, 3404 Bytes) of package /linux/www/memcached-1.6.15.tar.gz:
As a special service "Fossies" has tried to format the requested text file into HTML format (style:
standard) with prefixed line numbers.
Alternatively you can here
view or
download the uninterpreted source code file.
1 # It's not recommended to modify this file in-place, because it will be
2 # overwritten during upgrades. If you want to customize, the best
3 # way is to use the "systemctl edit" command to create an override unit.
4 #
5 # For example, to pass additional options, create an override unit
6 # (as is done by systemctl edit) and enter the following:
7 #
8 # [Service]
9 # Environment=OPTIONS="-l 127.0.0.1,::1"
10
11
12 [Unit]
13 Description=memcached daemon
14 After=network.target
15
16 [Service]
17 EnvironmentFile=/etc/sysconfig/memcached
18 ExecStart=/usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS
19
20 # Set up a new file system namespace and mounts private /tmp and /var/tmp
21 # directories so this service cannot access the global directories and
22 # other processes cannot access this service's directories.
23 PrivateTmp=true
24
25 # Mounts the /usr, /boot, and /etc directories read-only for processes
26 # invoked by this unit.
27 ProtectSystem=full
28
29 # Ensures that the service process and all its children can never gain new
30 # privileges
31 NoNewPrivileges=true
32
33 # Sets up a new /dev namespace for the executed processes and only adds API
34 # pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as
35 # the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda.
36 PrivateDevices=true
37
38 # Required for dropping privileges and running as a different user
39 CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
40
41 # Restricts the set of socket address families accessible to the processes
42 # of this unit. Protects against vulnerabilities such as CVE-2016-8655
43 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
44
45
46 # Some security features are not in the older versions of systemd used by
47 # e.g. RHEL7/CentOS 7. The below settings are automatically edited at package
48 # build time to uncomment them if the target platform supports them.
49
50 # Attempts to create memory mappings that are writable and executable at
51 # the same time, or to change existing memory mappings to become executable
52 # are prohibited.
53 ##safer##MemoryDenyWriteExecute=true
54
55 # Explicit module loading will be denied. This allows to turn off module
56 # load and unload operations on modular kernels. It is recommended to turn
57 # this on for most services that do not need special file systems or extra
58 # kernel modules to work.
59 ##safer##ProtectKernelModules=true
60
61 # Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger,
62 # /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq
63 # will be made read-only to all processes of the unit. Usually, tunable
64 # kernel variables should only be written at boot-time, with the sysctl.d(5)
65 # mechanism. Almost no services need to write to these at runtime; it is hence
66 # recommended to turn this on for most services.
67 ##safer##ProtectKernelTunables=true
68
69 # The Linux Control Groups (cgroups(7)) hierarchies accessible through
70 # /sys/fs/cgroup will be made read-only to all processes of the unit.
71 # Except for container managers no services should require write access
72 # to the control groups hierarchies; it is hence recommended to turn this
73 # on for most services
74 ##safer##ProtectControlGroups=true
75
76 # Any attempts to enable realtime scheduling in a process of the unit are
77 # refused.
78 ##safer##RestrictRealtime=true
79
80 # Takes away the ability to create or manage any kind of namespace
81 ##safer##RestrictNamespaces=true
82
83 [Install]
84 WantedBy=multi-user.target