starlingx/integ
Code Issues Proposed changes
3d5300ec25
integ/config-files/memcached-custom/files/memcached.service
zhipengl 9c13b8b88e Move memcached changes from platform-utils 
Use mecached-custom package to package service file to system
folder instead of platform-utils.
Basic deployment test pass and service file status check pass.

Story: 2004108
Task: 27517
Depends-on: https://review.openstack.org/#/c/614085/

Change-Id: Ic66f077159be2f21caa6e8e68241aae65b9f2245
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
2018-11-02 01:48:23 +00:00

56 lines
1.9 KiB
Desktop File
Raw Blame History

#
# This service file is a customized version in platform-util package from
# openstack/stx-integ project
[Unit]
Description=memcached daemon
Before=httpd.service
After=network-online.target
[Service]
EnvironmentFile=/etc/sysconfig/memcached
ExecStart=/usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS
# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
# so this service cannot access the global directories and other processes cannot
# access this service's directories.
PrivateTmp=true
# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
ProtectSystem=full
# Ensures that the service process and all its children can never gain new privileges
NoNewPrivileges=true
# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
# but no physical devices such as /dev/sda.
PrivateDevices=true
# Required for dropping privileges and running as a different user
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
LimitNOFILE=16384
# Attempts to create memory mappings that are writable and executable at the same time,
# or to change existing memory mappings to become executable are prohibited.
# XXX: this property is supported with systemd 231+ which is not yet on EL7
# MemoryDenyWriteExecute=true
# Restricts the set of socket address families accessible to the processes of this unit.
# Protects against vulnerabilities such as CVE-2016-8655
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# These service parameters are commented out since they are incompatible with
# Centos 7 and generate warning messages when included.
#ProtectKernelModules=true
#ProtectKernelTunables=true
#ProtectControlGroups=true
#RestrictRealtime=true
#RestrictNamespaces=true
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
View Git Blame Copy Permalink