Forum
SystemD
celilo
23 October 2012, 09:50
I've converted my init system to Systemd, which is now the default for Arch Linux, and am really enjoying the simplicity. Following are Systemd start up scripts that I've created for Hiawatha and Php-fcgi. These should work for any SystemD user.
Hiawatha Script:
[Unit]
Description=Hiawatha Web Server
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=simple
SyslogIdentifier=hiawatha
ExecStartPre=/usr/sbin/hiawatha -k ; /usr/sbin/wigwam
ExecStart= /usr/sbin/hiawatha -d
TimeoutSec=10
LimitNOFILE=infinity
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID
[Install]
WantedBy=multi-user.target
PHP-FCGI Script:
[Unit]
Description=PHP FCGI Daemon for the Hiawatha Web Server
After=network.target
[Service]
Type=forking
SyslogIdentifier=php-fcgi
ExecStart= /usr/sbin/php-fcgi
ExecStop=/usr/sbin/php-fcgi -k
[Install]
WantedBy=multi-user.target
These scripts are working fine for me, however, I am trying to refine the scripts to utilize some of the security features of Systemd. I could use some advice regarding the CapabilityBoundingSet required by Hiawatha. I also tried to use the PrivateTmp=true feature in Systemd, but was unsuccessful. Any feedback would be appreciated before I publish my upgraded package on Arch Linux.
Hiawatha version: 8.5
Operating System: Arch Linux
Hiawatha Script:
[Unit]
Description=Hiawatha Web Server
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=simple
SyslogIdentifier=hiawatha
ExecStartPre=/usr/sbin/hiawatha -k ; /usr/sbin/wigwam
ExecStart= /usr/sbin/hiawatha -d
TimeoutSec=10
LimitNOFILE=infinity
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID
[Install]
WantedBy=multi-user.target
PHP-FCGI Script:
[Unit]
Description=PHP FCGI Daemon for the Hiawatha Web Server
After=network.target
[Service]
Type=forking
SyslogIdentifier=php-fcgi
ExecStart= /usr/sbin/php-fcgi
ExecStop=/usr/sbin/php-fcgi -k
[Install]
WantedBy=multi-user.target
These scripts are working fine for me, however, I am trying to refine the scripts to utilize some of the security features of Systemd. I could use some advice regarding the CapabilityBoundingSet required by Hiawatha. I also tried to use the PrivateTmp=true feature in Systemd, but was unsuccessful. Any feedback would be appreciated before I publish my upgraded package on Arch Linux.
Hiawatha version: 8.5
Operating System: Arch Linux
Hugo Leisink
23 October 2012, 11:47
In the next release of Hiawatha, php-fcgi wil be marked deprecated, in favor of php-fpm. My advice is to already switch to php-fpm.
This topic has been closed.
Copyright © by Hugo Leisink. All rights reserved.
Built upon the Banshee PHP framework.
Built upon the Banshee PHP framework.
