On 20.03.2015 at 21:43, Kai Krakow wrote:
>> PLEASE stop to hang on mysqld, i just explained why starting a service in foreground doesn't help in any case, the opposite is true, hence i changed the clamd-service which is default foreground started to forking to order clamav-milter correctly (just another *example*)
>
> Yes, I'm getting the point. BTW: I'd be interested in your solution about removing mysqld_safe. Can I just change the distribution service file, set the right user/group - or do I need to take care of any other stuff that mysqld_safe prepares/does?

do *never* touch the distribution unit-file, it would be overwritten by updates

the most helpful design change of systemd is that you just can disable any service, copy the systemd-unit from /usr/lib/systemd/system/ to /etc/systemd/system/ and enable the service, from that moment on only your personalized systemd-unit would be used

below my systemd-unit (for F21 and recent systemd versions)

RuntimeDirectory, RestrictAddressFamilies and SystemCallArchitectures won't work with Fedora 20, many of the security options are really optional and preferred here that way
________________________________________________________

[Unit]
Description=MariaDB Database
Before=postfix.service dovecot.service dbmail-imapd.service dbmail-lmtpd.service dbmail-pop3d.service dbmail-timsieved.service

[Service]
Type=simple
User=mysql
Group=mysql
RuntimeDirectory=mysqld
RuntimeDirectoryMode=0750
ExecStart=/usr/libexec/mysqld --defaults-file=/etc/my.cnf --pid-file=/run/mysqld/mysqld.pid
ExecStartPost=/usr/libexec/mysqld-wait-ready $MAINPID
Environment="LANG=en_GB.UTF-8"
Restart=always
RestartSec=1
TimeoutSec=300
LimitNOFILE=infinity
LimitMEMLOCK=infinity
OOMScoreAdjust=-1000
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_WRITE CAP_DAC_OVERRIDE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE CAP_SYS_PTRACE
RestrictAddressFamilies=~AF_APPLETALK AF_ATMPVC AF_AX25 AF_IPX AF_NETLINK AF_PACKET AF_X25
SystemCallArchitectures=x86-64
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
ReadWriteDirectories=/var/lib/mysql
InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/root
InaccessibleDirectories=-/media
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
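
An added example, not part of the original message and not code from systemd or Fedora: a small Python check that reads a unit's [Service] section and reports which of the hardening options used in the unit above are missing, including the inverted (~) form of CapabilityBoundingSet. RISKY_CAPS, the function names and both sample units are assumptions constructed for illustration.

```python
# Added example: audit a unit's [Service] section for hardening gaps.
# RISKY_CAPS and the two sample units are constructed for illustration.
RISKY_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_DAC_OVERRIDE"}
BOOLEAN_OPTS = ("NoNewPrivileges", "PrivateTmp", "PrivateDevices")

HARDENED = """\
[Unit]
Description=MariaDB Database
[Service]
User=mysql
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=~CAP_DAC_OVERRIDE CAP_SYS_ADMIN CAP_SYS_MODULE CAP_SYS_PTRACE
"""
WEAK = "[Service]\nPrivateTmp=yes\nCapabilityBoundingSet=~CAP_SYS_ADMIN\n"

def parse_service(text):
    """Return {key: last assigned value} for the [Service] section only."""
    section, opts = None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def audit(text):
    """List hardening gaps; assumes one CapabilityBoundingSet= line per unit."""
    opts, findings = parse_service(text), []
    if opts.get("User", "root") in ("root", "0"):  # no User= means root
        findings.append("service runs as root")
    for key in BOOLEAN_OPTS:
        if opts.get(key, "no").lower() not in ("yes", "true", "on", "1"):
            findings.append(f"{key} is not enabled")
    caps = opts.get("CapabilityBoundingSet")
    if caps is None:
        findings.append("CapabilityBoundingSet is not set")
    elif caps.startswith("~"):  # "~" inverts the list: everything EXCEPT these is kept
        kept_risky = RISKY_CAPS - set(caps[1:].split())
        findings += [f"{c} remains in the bounding set" for c in sorted(kept_risky)]
    else:  # plain list: only the named capabilities are kept
        findings += [f"{c} is explicitly allowed" for c in sorted(RISKY_CAPS & set(caps.split()))]
    return findings

if __name__ == "__main__":
    for name, unit in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(unit) or "no findings")
```

To check a real unit, pass the text of the copy under /etc/systemd/system/ to audit() instead of the constructed samples.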
