"Fossies" - the Fresh Open Source Software Archive

Member "memcached-1.6.15/scripts/memcached@.service" (16 Jul 2020, 3675 Bytes) of package /linux/www/memcached-1.6.15.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

    1 # It's not recommended to modify this file in-place, because it will be
    2 # overwritten during upgrades.  If you want to customize, the best
    3 # way is to use the "systemctl edit" command to create an override unit.
    4 #
    5 # For example, to pass additional options, create an override unit
    6 # (as is done by systemctl edit) and enter the following:
    7 #
    8 #     [Service]
    9 #     Environment=OPTIONS="-l 127.0.0.1,::1"
   10 #
   11 # To use the "instanced" version of this, just start 'memcached@11211' or
   12 # whatever port you'd like. If /etc/sysconfig/memcached.<port> exists, it
   13 # will be read first, so you can set different parameters for a given
   14 # instance.
   15 
   16 [Unit]
   17 Description=memcached daemon
   18 After=network.target
   19 
   20 [Service]
   21 EnvironmentFile=/etc/sysconfig/memcached
   22 EnvironmentFile=-/etc/sysconfig/memcached.%i
   23 ExecStart=/usr/bin/memcached -p %i -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS
   24 
   25 # Set up a new file system namespace and mounts private /tmp and /var/tmp
   26 # directories so this service cannot access the global directories and
   27 # other processes cannot access this service's directories.
   28 PrivateTmp=true
   29 
   30 # Mounts the /usr, /boot, and /etc directories read-only for processes
   31 # invoked by this unit.
   32 ProtectSystem=full
   33 
   34 # Ensures that the service process and all its children can never gain new
   35 # privileges
   36 NoNewPrivileges=true
   37 
   38 # Sets up a new /dev namespace for the executed processes and only adds API
   39 # pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as
   40 # the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda.
   41 PrivateDevices=true
   42 
   43 # Required for dropping privileges and running as a different user
   44 CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
   45 
   46 # Restricts the set of socket address families accessible to the processes
   47 # of this unit. Protects against vulnerabilities such as CVE-2016-8655
   48 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
   49 
   50 
   51 # Some security features are not in the older versions of systemd used by
   52 # e.g. RHEL7/CentOS 7. The below settings are automatically edited at package
   53 # build time to uncomment them if the target platform supports them.
   54 
   55 # Attempts to create memory mappings that are writable and executable at
   56 # the same time, or to change existing memory mappings to become executable
   57 # are prohibited.
   58 ##safer##MemoryDenyWriteExecute=true
   59 
   60 # Explicit module loading will be denied. This allows to turn off module
   61 # load and unload operations on modular kernels. It is recommended to turn
   62 # this on for most services that do not need special file systems or extra
   63 # kernel modules to work.
   64 ##safer##ProtectKernelModules=true
   65 
   66 # Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger,
   67 # /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq
   68 # will be made read-only to all processes of the unit. Usually, tunable
   69 # kernel variables should only be written at boot-time, with the sysctl.d(5)
   70 # mechanism. Almost no services need to write to these at runtime; it is hence
   71 # recommended to turn this on for most services.
   72 ##safer##ProtectKernelTunables=true
   73 
   74 # The Linux Control Groups (cgroups(7)) hierarchies accessible through
   75 # /sys/fs/cgroup will be made read-only to all processes of the unit.
   76 # Except for container managers no services should require write access
   77 # to the control groups hierarchies; it is hence recommended to turn this
   78 # on for most services
   79 ##safer##ProtectControlGroups=true
   80 
   81 # Any attempts to enable realtime scheduling in a process of the unit are
   82 # refused.
   83 ##safer##RestrictRealtime=true
   84 
   85 # Takes away the ability to create or manage any kind of namespace
   86 ##safer##RestrictNamespaces=true
   87 
   88 [Install]
   89 WantedBy=multi-user.target