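# dn42_pdns.service -- PowerDNS Authoritative Server, instance "dn42", run
# inside the dn42 network namespace created by dn42_namespace.service.
# Deployed from roles/linux-ns; change the role, not the installed copy.
# Uses settings (PrivateIPC=, ProtectProc=) that need systemd >= 248.

[Unit]
Description=PowerDNS Authoritative Server dn42
Documentation=man:pdns_server(1) man:pdns_control(1)
Documentation=https://doc.powerdns.com
Wants=network-online.target
After=network-online.target time-sync.target
# Hard dependency on the namespace unit: the netns joined via
# NetworkNamespacePath= below must exist before we start, and we stop
# with it.
After=dn42_namespace.service
Requires=dn42_namespace.service
# Start rate limiting is a [Unit] setting since systemd 230; the old
# [Service] StartLimitInterval= spelling is only a compatibility alias.
# 0 disables the limit entirely, so with Restart=on-failure a crashing
# server is restarted every RestartSec= forever. That keeps DNS up after
# a transient fault but also turns a persistent crash into an endless
# loop -- watch the journal for repeated restarts.
StartLimitIntervalSec=0

[Service]
# --config-name=dn42 makes this a separate pdns instance with its own
# config file (see pdns_server(1) for the naming); --guardian=no and
# --daemon=no keep pdns_server in the foreground so Type=notify tracks
# it directly; --disable-syslog sends log output to stdout, i.e. the
# journal under the SyslogIdentifier= below.
ExecStart=/usr/sbin/pdns_server --config-name=dn42 --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
SyslogIdentifier=pdns_server-dn42
User=pdns
Group=pdns
Type=notify
Restart=on-failure
RestartSec=1
# /run/pdns-dn42, created by systemd and owned by User=/Group= above.
# Pointing the control socket (socket-dir in the pdns config) here
# avoids needing any other writable location under /run.
RuntimeDirectory=pdns-dn42

# Sandboxing
# CAP_NET_BIND_SERVICE: bind port 53 as the unprivileged pdns user.
# CAP_CHOWN: presumably needed because pdns chowns its control socket
# (upstream pdns.service carries it too) -- confirm against the pdns
# config. It is broad: /var stays writable under ProtectSystem=full, so
# a compromised pdns could take ownership of files it can reach there.
# If the control socket lives in RuntimeDirectory= (already owned by
# pdns), try dropping CAP_CHOWN from both lines and check pdns_control.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
LockPersonality=true
# Ambient capabilities above survive NoNewPrivileges=; it only blocks
# gaining new ones via setuid/setgid/fscaps binaries.
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
# Setting PrivateUsers=true prevents us from opening our sockets
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
# full: /usr, /boot, /efi and /etc are read-only; /var is not. Backend
# storage (sqlite3 file, zonefiles) must therefore live outside /etc or
# incoming transfers for secondary zones will fail to write. strict
# plus ReadWritePaths= on the data directory would be tighter still.
ProtectSystem=full
# AF_UNIX for the control socket, AF_INET/AF_INET6 for DNS and backends.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Blocks pdns from creating namespaces of its own; systemd joins the
# netns named in NetworkNamespacePath= before exec, so the two coexist.
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
# Deny-list of syscall groups. An allow-list (e.g. @system-service)
# would be stricter but has not been validated against this build.
SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
ProtectProc=invisible
PrivateIPC=true
RemoveIPC=true
DevicePolicy=closed
# Not enabled by default because it does not play well with LuaJIT
# MemoryDenyWriteExecute=true
# Must match the namespace created by dn42_namespace.service.
NetworkNamespacePath=/run/netns/dn42

[Install]
WantedBy=multi-user.target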