From 3cd01b932e1c85394272ae64fae67ebeda92fb00 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 13 Apr 2024 23:11:59 +0200 Subject: Adding upstream version 1.8.3. Signed-off-by: Daniel Baumann --- dnsdist.service.in | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 dnsdist.service.in (limited to 'dnsdist.service.in') diff --git a/dnsdist.service.in b/dnsdist.service.in new file mode 100644 index 0000000..eb75e76 --- /dev/null +++ b/dnsdist.service.in @@ -0,0 +1,61 @@ +[Unit] +Description=DNS Loadbalancer +Documentation=man:dnsdist(1) +Documentation=https://dnsdist.org +Wants=network-online.target +After=network-online.target time-sync.target + +[Service] +ExecStartPre=@bindir@/dnsdist --check-config +# Note: when editing the ExecStart command, keep --supervised and --disable-syslog +ExecStart=@bindir@/dnsdist --supervised --disable-syslog +User=@service_user@ +Group=@service_group@ +SyslogIdentifier=dnsdist +Type=notify +Restart=on-failure +RestartSec=2 +TimeoutStopSec=5 +StartLimitInterval=0 + +# Tuning +TasksMax=8192 +LimitNOFILE=16384 +# Note: increasing the amount of lockable memory is required to use eBPF support +# LimitMEMLOCK=infinity + +# Sandboxing +# Note: adding CAP_SYS_ADMIN (or CAP_BPF for Linux >= 5.8) is required to use eBPF support, +# and CAP_NET_RAW to be able to set the source interface to contact a backend +# If an AppArmor policy is in use, it might have to be updated to allow dnsdist to keep the +# capability: adding a 'capability bpf,' (for CAP_BPF) line to the policy is usually enough. +CapabilityBoundingSet=CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_BIND_SERVICE +LockPersonality=true +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +# Setting PrivateUsers=true prevents us from opening our sockets +ProtectClock=true +ProtectControlGroups=true +ProtectHome=true +ProtectHostname=true +ProtectKernelLogs=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectSystem=full +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=true +RestrictRealtime=true +RestrictSUIDSGID=true +SystemCallArchitectures=native +SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete +ProtectProc=invisible +PrivateIPC=true +RemoveIPC=true +DevicePolicy=closed +# Not enabled by default because it does not play well with LuaJIT +# MemoryDenyWriteExecute=true + +[Install] +WantedBy=multi-user.target -- cgit v1.2.3