fix: systemd configuration (#1097)

1. Tune some security directives. 2. Fix the flags file that mistakenly configured dragonfly to store its dump files into /run (tmpfs). Signed-off-by: Roman Gershman <roman@dragonflydb.io>
2024-11-21 23:19:53 +00:00 · 2023-04-16 06:41:02 -07:00 · 2023-04-16 06:41:02 -07:00 · e17fb41dee
commit e17fb41dee
parent 74e94ef9bb
2 changed files with 7 additions and 6 deletions
--- a/tools/packaging/debian/dragonfly.conf
+++ b/tools/packaging/debian/dragonfly.conf
@ -1,4 +1,4 @@
 --pidfile=/var/run/dragonfly/dragonfly.pid
 --log_dir=/var/log/dragonfly
--dir=/var/run/dragonfly
+--dir=/var/lib/dragonfly
 --version_check=true
--- a/tools/packaging/debian/dragonfly.service
+++ b/tools/packaging/debian/dragonfly.service
@ -5,9 +5,10 @@ Documentation=

 [Service]
 Type=simple
+EnvironmentFile=-/etc/dragonfly/environment
 ExecStart=/usr/bin/dragonfly --flagfile=/etc/dragonfly/dragonfly.conf
 PIDFile=/var/run/dragonfly/dragonfly.pid
-TimeoutStopSec=0
+TimeoutStopSec=infinity
 Restart=always
 User=dfly
 Group=dfly
@ -16,10 +17,11 @@ RuntimeDirectoryMode=2755

 UMask=007
 PrivateTmp=yes
-LimitNOFILE=65535
+LimitNOFILE=262144
 PrivateDevices=yes
 ProtectHome=yes
-ReadOnlyDirectories=/
+ProtectSystem=full
+
 ReadWritePaths=-/var/lib/dragonfly
 ReadWritePaths=-/var/log/dragonfly
 ReadWritePaths=-/var/run/dragonfly
@ -34,8 +36,7 @@ RestrictRealtime=true
 RestrictNamespaces=true
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

-ProtectSystem=true
-ReadWriteDirectories=-/etc/dragonfly
+

 [Install]
 WantedBy=multi-user.target