summaryrefslogtreecommitdiffstats
path: root/debian/bin/generate-systemd-service-files
diff options
context:
space:
mode:
Diffstat (limited to 'debian/bin/generate-systemd-service-files')
-rwxr-xr-xdebian/bin/generate-systemd-service-files137
1 files changed, 137 insertions, 0 deletions
diff --git a/debian/bin/generate-systemd-service-files b/debian/bin/generate-systemd-service-files
new file mode 100755
index 0000000..c7eafab
--- /dev/null
+++ b/debian/bin/generate-systemd-service-files
@@ -0,0 +1,137 @@
+#!/bin/sh
+
+for BINARY in redis-server redis-sentinel
+do
+ for MODE in default templated
+ do
+ case "${BINARY}" in
+ redis-server)
+ NAME="redis"
+ ;;
+ redis-sentinel)
+ NAME="sentinel"
+ ;;
+ esac
+
+ case "${MODE}" in
+ default)
+ EXTRA="Alias=${NAME}.service"
+ TARGET="debian/${BINARY}.service"
+ NAMESPACED="${NAME}"
+ DESCRIPTION="Advanced key-value store"
+ ;;
+ templated)
+ EXTRA=""
+ TARGET="debian/${BINARY}@.service"
+ NAMESPACED="${NAME}-%i"
+ DESCRIPTION="Advanced key-value store (%I)"
+ ;;
+ esac
+
+ : >${TARGET}
+
+ if [ "${MODE}" = "templated" ]
+ then
+ cat >> ${TARGET} <<EOF
+# Templated service file for ${BINARY}(1)
+#
+# Each instance of ${BINARY} requires its own configuration file:
+#
+# $ cp /etc/redis/${NAME}.conf /etc/redis/${NAME}-myname.conf
+# $ chown redis:redis /etc/redis/${NAME}-myname.conf
+#
+# Ensure each instance is using their own database:
+#
+# $ sed -i -e 's@^dbfilename .*@dbfilename dump-myname.rdb@' /etc/redis/${NAME}-myname.conf
+#
+# We then listen exlusively on UNIX sockets to avoid TCP port collisions:
+#
+# $ sed -i -e 's@^port .*@port 0@' /etc/redis/${NAME}-myname.conf
+# $ sed -i -e 's@^\\(# \\)\\{0,1\\}unixsocket .*@unixsocket /run/${NAME}-myname/${BINARY}.sock@' /etc/redis/${NAME}-myname.conf
+#
+# ... and ensure we are logging, etc. in a unique location:
+#
+# $ sed -i -e 's@^logfile .*@logfile /var/log/redis/${BINARY}-myname.log@' /etc/redis/${NAME}-myname.conf
+# $ sed -i -e 's@^pidfile .*@pidfile /run/redis-myname/${BINARY}.pid@' /etc/redis/${NAME}-myname.conf
+#
+# We can then start the service as follows, validating we are using our own
+# configuration:
+#
+# $ systemctl start ${BINARY}@myname.service
+# $ redis-cli -s /run/${NAME}-myname/${BINARY}.sock info | grep config_file
+#
+# -- Chris Lamb <lamby@debian.org> Mon, 09 Oct 2017 22:17:24 +0100
+EOF
+ fi
+
+ cat >> ${TARGET} <<EOF
+[Unit]
+Description=${DESCRIPTION}
+After=network.target
+Documentation=http://redis.io/documentation, man:${BINARY}(1)
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/${BINARY} /etc/redis/${NAMESPACED}.conf --supervised systemd --daemonize no
+PIDFile=/run/${NAMESPACED}/${BINARY}.pid
+TimeoutStopSec=0
+Restart=always
+User=redis
+Group=redis
+RuntimeDirectory=${NAMESPACED}
+RuntimeDirectoryMode=2755
+
+UMask=007
+PrivateTmp=true
+LimitNOFILE=65535
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=strict
+ReadWritePaths=-/var/lib/redis
+ReadWritePaths=-/var/log/redis
+ReadWritePaths=-/var/run/${NAMESPACED}
+
+CapabilityBoundingSet=
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~ @privileged @resources
+
+# ${BINARY} can write to its own config file when in cluster mode so we
+# permit writing there by default. If you are not using this feature, it is
+# recommended that you remove this line.
+ReadWriteDirectories=-/etc/redis
+
+# This restricts this service from executing binaries other than ${BINARY}
+# itself. This is really effective at e.g. making it impossible to an
+# attacker to spawn a shell on the system, but might be more restrictive
+# than desired. If you need to, you can permit the execution of extra
+# binaries by adding an extra ExecPaths= directive with the command
+# systemctl edit ${BINARY}.service
+NoExecPaths=/
+ExecPaths=/usr/bin/${BINARY} /usr/lib /lib
+
+[Install]
+WantedBy=multi-user.target
+EOF
+ if [ "${EXTRA}" != "" ]
+ then
+ echo "${EXTRA}" >> "${TARGET}"
+ fi
+ done
+done