[systemd-devel] Boot ordering

Reindl Harald h.reindl at thelounge.net
Fri Mar 20 13:55:45 PDT 2015


Am 20.03.2015 um 21:43 schrieb Kai Krakow:
>> PLEASE stop to hang on mysqld, i just explained why starting a service in
>> foreground doesn't help in any case, the opposite is true, hence i changed
>> the clamd-service which is default foreground started to forking to order
>> clamav-milter correctly (just another *example*)
>
> Yes, I'm getting the point.
>
> BTW: I'd be interested in your solution about removing mysqld_safe. Can I
> just change the distribution service file, set the right user/group - or do
> I need to take care of any other stuff that mysqld_safe prepares/does?

do *never* touch the distribution unit-file
it would be overwritten by updates

the most helpful design change of systemd is that you just can disable
any service, copy the systemd-unit from /usr/lib/systemd/system/ to
/etc/systemd/system/ and enable the service, from that moment on only
your personalized systemd-unit would be used

below my systemd-unit (for F21 and recent systemd versions)

RuntimeDirectory, RestrictAddressFamilies and SystemCallArchitectures
won't work with Fedora 20, many of the security options are really
optional and preferred here that way
________________________________________________________

[Unit]
Description=MariaDB Database
Before=postfix.service dovecot.service dbmail-imapd.service dbmail-lmtpd.service dbmail-pop3d.service dbmail-timsieved.service

[Service]
Type=simple
User=mysql
Group=mysql
RuntimeDirectory=mysqld
RuntimeDirectoryMode=0750
ExecStart=/usr/libexec/mysqld --defaults-file=/etc/my.cnf --pid-file=/run/mysqld/mysqld.pid
ExecStartPost=/usr/libexec/mysqld-wait-ready $MAINPID
Environment="LANG=en_GB.UTF-8"
Restart=always
RestartSec=1
TimeoutSec=300
LimitNOFILE=infinity
LimitMEMLOCK=infinity
OOMScoreAdjust=-1000
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_WRITE CAP_DAC_OVERRIDE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE CAP_SYS_PTRACE
RestrictAddressFamilies=~AF_APPLETALK AF_ATMPVC AF_AX25 AF_IPX AF_NETLINK AF_PACKET AF_X25
SystemCallArchitectures=x86-64
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
ReadWriteDirectories=/var/lib/mysql
InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/root
InaccessibleDirectories=-/media
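
Added example, not part of the original post: a Python sketch of the override behaviour described above (the copy in /etc/systemd/system wins over the one in /usr/lib/systemd/system), which also checks that the winning unit carries the sandboxing directives from the posted unit and flags lines that were broken off a directive by mail wrapping. The unit name mariadb.service, the simplified three-directory search path and the sample unit contents are assumptions constructed for the example.

```python
import os, pathlib, re, tempfile

# System unit search order, highest priority first (simplified from systemd.unit(5)).
SEARCH_PATH = ["etc/systemd/system", "run/systemd/system", "usr/lib/systemd/system"]
# Sandboxing directives used in the unit posted above.
HARDENING = ["User", "PrivateTmp", "PrivateDevices", "NoNewPrivileges",
             "CapabilityBoundingSet", "RestrictAddressFamilies", "SystemCallArchitectures"]

def effective_unit(root, name):
    """Return the highest-priority copy of unit `name` below `root`, or None."""
    paths = (os.path.join(root, d, name) for d in SEARCH_PATH)
    return next((p for p in paths if os.path.isfile(p)), None)

def parse_unit(text):
    """Return ({section: {key: [values]}}, stray_lines); a trailing backslash joins lines."""
    sections, stray, current, pending = {}, [], None, ""
    for raw in text.splitlines():
        line = (pending + raw.strip()).strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
        elif line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif line and line[0] not in "#;":
            key, sep, value = line.partition("=")
            if sep and current is not None and re.fullmatch(r"[A-Za-z0-9]+", key.strip()):
                current.setdefault(key.strip(), []).append(value.strip())
            else:
                stray.append(line)  # e.g. the tail of a directive wrapped by a mail client
    return sections, stray

def audit(root, name):
    """Return (path that wins the lookup, missing hardening keys, stray lines)."""
    path = effective_unit(root, name)
    sections, stray = parse_unit(pathlib.Path(path).read_text())
    return path, [k for k in HARDENING if k not in sections.get("Service", {})], stray

def demo():
    """Constructed sample tree: a bare distribution unit and a hardened local copy."""
    root = tempfile.mkdtemp()
    dist = "[Service]\nExecStart=/usr/libexec/mysqld\n"
    local = ("[Service]\nUser=mysql\nPrivateTmp=yes\nNoNewPrivileges=yes\n"
             "CapabilityBoundingSet=~CAP_SYS_ADMIN \\\n  CAP_SYS_MODULE\n"
             "RestrictAddressFamilies=~AF_PACKET\nAF_X25\n")  # last line lost its directive
    for directory, text in ((SEARCH_PATH[2], dist), (SEARCH_PATH[0], local)):
        os.makedirs(os.path.join(root, directory))
        pathlib.Path(root, directory, "mariadb.service").write_text(text)
    return root, audit(root, "mariadb.service")
```

On a live host, `systemctl cat <unit>` shows which file is in effect and `systemd-analyze security <unit>` scores its sandboxing.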
