"Fossies" - the Fresh Open Source Software Archive

Member "memcached-1.6.15/scripts/memcached.service" (16 Jul 2020, 3404 Bytes) of package /linux/www/memcached-1.6.15.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

    1 # It's not recommended to modify this file in-place, because it will be
    2 # overwritten during upgrades.  If you want to customize, the best
    3 # way is to use the "systemctl edit" command to create an override unit.
    4 #
    5 # For example, to pass additional options, create an override unit
    6 # (as is done by systemctl edit) and enter the following:
    7 #
    8 #     [Service]
    9 #     Environment=OPTIONS="-l 127.0.0.1,::1"
   10 
   11 
   12 [Unit]
   13 Description=memcached daemon
   14 After=network.target
   15 
   16 [Service]
   17 EnvironmentFile=/etc/sysconfig/memcached
   18 ExecStart=/usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS
   19 
   20 # Set up a new file system namespace and mounts private /tmp and /var/tmp
   21 # directories so this service cannot access the global directories and
   22 # other processes cannot access this service's directories.
   23 PrivateTmp=true
   24 
   25 # Mounts the /usr, /boot, and /etc directories read-only for processes
   26 # invoked by this unit.
   27 ProtectSystem=full
   28 
   29 # Ensures that the service process and all its children can never gain new
   30 # privileges
   31 NoNewPrivileges=true
   32 
   33 # Sets up a new /dev namespace for the executed processes and only adds API
   34 # pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as
   35 # the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda.
   36 PrivateDevices=true
   37 
   38 # Required for dropping privileges and running as a different user
   39 CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
   40 
   41 # Restricts the set of socket address families accessible to the processes
   42 # of this unit. Protects against vulnerabilities such as CVE-2016-8655
   43 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
   44 
   45 
   46 # Some security features are not in the older versions of systemd used by
   47 # e.g. RHEL7/CentOS 7. The below settings are automatically edited at package
   48 # build time to uncomment them if the target platform supports them.
   49 
   50 # Attempts to create memory mappings that are writable and executable at
   51 # the same time, or to change existing memory mappings to become executable
   52 # are prohibited.
   53 ##safer##MemoryDenyWriteExecute=true
   54 
   55 # Explicit module loading will be denied. This allows to turn off module
   56 # load and unload operations on modular kernels. It is recommended to turn
   57 # this on for most services that do not need special file systems or extra
   58 # kernel modules to work.
   59 ##safer##ProtectKernelModules=true
   60 
   61 # Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger,
   62 # /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq
   63 # will be made read-only to all processes of the unit. Usually, tunable
   64 # kernel variables should only be written at boot-time, with the sysctl.d(5)
   65 # mechanism. Almost no services need to write to these at runtime; it is hence
   66 # recommended to turn this on for most services.
   67 ##safer##ProtectKernelTunables=true
   68 
   69 # The Linux Control Groups (cgroups(7)) hierarchies accessible through
   70 # /sys/fs/cgroup will be made read-only to all processes of the unit.
   71 # Except for container managers no services should require write access
   72 # to the control groups hierarchies; it is hence recommended to turn this
   73 # on for most services
   74 ##safer##ProtectControlGroups=true
   75 
   76 # Any attempts to enable realtime scheduling in a process of the unit are
   77 # refused.
   78 ##safer##RestrictRealtime=true
   79 
   80 # Takes away the ability to create or manage any kind of namespace
   81 ##safer##RestrictNamespaces=true
   82 
   83 [Install]
   84 WantedBy=multi-user.target