authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 21:11:59 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 21:11:59 +0000
commit3cd01b932e1c85394272ae64fae67ebeda92fb00 (patch)
treec5a3115d710afc1879ddea5349362a2bc651733c /dnsdist.service.in
parentInitial commit. (diff)
downloaddnsdist-3cd01b932e1c85394272ae64fae67ebeda92fb00.tar.xz
dnsdist-3cd01b932e1c85394272ae64fae67ebeda92fb00.zip
Adding upstream version 1.8.3.upstream/1.8.3
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--dnsdist.service.in61
1 files changed, 61 insertions, 0 deletions
diff --git a/dnsdist.service.in b/dnsdist.service.in
new file mode 100644
index 0000000..eb75e76
--- /dev/null
+++ b/dnsdist.service.in
@@ -0,0 +1,61 @@
+[Unit]
+Description=DNS Loadbalancer
+Documentation=man:dnsdist(1)
+Documentation=https://dnsdist.org
+Wants=network-online.target
+After=network-online.target time-sync.target
+
+[Service]
+ExecStartPre=@bindir@/dnsdist --check-config
+# Note: when editing the ExecStart command, keep --supervised and --disable-syslog
+ExecStart=@bindir@/dnsdist --supervised --disable-syslog
+User=@service_user@
+Group=@service_group@
+SyslogIdentifier=dnsdist
+Type=notify
+Restart=on-failure
+RestartSec=2
+TimeoutStopSec=5
+StartLimitInterval=0
+
+# Tuning
+TasksMax=8192
+LimitNOFILE=16384
+# Note: increasing the amount of lockable memory is required to use eBPF support
+# LimitMEMLOCK=infinity
+
+# Sandboxing
+# Note: adding CAP_SYS_ADMIN (or CAP_BPF for Linux >= 5.8) is required to use eBPF support,
+# and CAP_NET_RAW to be able to set the source interface to contact a backend
+# If an AppArmor policy is in use, it might have to be updated to allow dnsdist to keep the
+# capability: adding a 'capability bpf,' (for CAP_BPF) line to the policy is usually enough.
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+# Setting PrivateUsers=true prevents us from opening our sockets
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
+ProtectProc=invisible
+PrivateIPC=true
+RemoveIPC=true
+DevicePolicy=closed
+# Not enabled by default because it does not play well with LuaJIT
+# MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
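Review bot: `StartLimitInterval=0` on the `[Service]` side of the hunk uses the legacy spelling; since systemd moved the start-rate-limit settings, the current form is `StartLimitIntervalSec=0` placed in `[Unit]`, and the old `[Service]` key is only kept as a compatibility alias. The intent appears to be "never stop restarting after repeated failures", so a comment such as `# disable start rate limiting so the DNS frontend always comes back after a crash` above it would make that explicit. Separately, the `SystemCallFilter=~ @clock @debug ...` line is a deny-list, which admits any syscall group not named there; an allow-list such as `SystemCallFilter=@system-service` with explicit additions would be tighter, though I cannot tell from this hunk which extra syscalls dnsdist (including the eBPF path mentioned in the comments) requires, so that change would need testing before adoption.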