[systemd-devel] starting Oracle with systemd

Reindl Harald h.reindl at thelounge.net
Fri Oct 31 10:16:09 PDT 2014


On 31.10.2014 at 18:10, Reindl Harald wrote:
> On 31.10.2014 at 18:06, Fisher, Charles J. (Top Echelon) wrote:
>> From: systemd-devel
>> [mailto:systemd-devel-bounces at lists.freedesktop.org] On Behalf Of
>> Reindl Harald
>>
>>>> For some reason, the iptables didn't happen. Maybe it needs to be
>>>> fully qualified.
>>
>>> yes, it needs to be, as does any other path;
>>> the documentation is very clear here
>>
>> No, [unix] user oracle doesn't have permission to run iptables.
>
> but it needs to be fully qualified anyway
>
>> I either need to sudo something up, or put this elsewhere.
>> Letting different commands run with different uids/gids would be a
>> nice feature
>
> "PermissionsStartOnly=true" exists, so you can have helper processes
> run as root while restricting the main process - anything else is hardly
> maintainable with the now clear ini-style of a unit

BTW: adding such a firewall rule to a systemd unit is a *very* bad 
attitude; if it is your personal service in /etc, fine, but you must not 
do that anywhere else

ExecStartPost=iptables -I INPUT -p tcp --dport 1521 --syn -j ACCEPT

* who says that it should be reachable from everywhere
* who says it should be reachable on every interface
* who says that firewalld or shorewall or something else isn't
   doing firewall management on the machine, and that this works
   in a different environment
* who configures iptables on that machine
* consider what harm you are doing to the person not understanding
   why a port is open while it is not defined in the global firewall
* even in your personal service it *does not* belong here;
   it is called with every restart

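As an added illustration (not code from the thread or from Oracle), here is a unit that applies the advice above: the root-only preparation runs in a helper via PermissionsStartOnly=true, the listener itself runs unprivileged, and the firewall rule stays out of the unit. Every path, script name, user and group below is an assumed placeholder.

```ini
# Added example, not from the thread. Paths, user/group names and the
# helper script are assumptions; only port 1521 comes from the discussion.
[Unit]
Description=Example database listener (illustrative unit)
After=network.target

[Service]
Type=forking
User=oracle
Group=dba
# Assumed install location, exported so lsnrctl finds its home.
Environment=ORACLE_HOME=/opt/oracle/product

# With PermissionsStartOnly=true only ExecStart= runs as User=/Group=;
# ExecStartPre=/ExecStartPost= helpers keep running as root.
# On systemd >= 231 the per-command "+" prefix (ExecStartPre=+/path)
# achieves the same without this service-wide switch.
PermissionsStartOnly=true

# Root-only preparation (assumed script): create runtime directories,
# fix ownership, etc. It does not touch the firewall.
ExecStartPre=/usr/local/sbin/oracle-prepare-runtime

# The listener itself runs as oracle:dba (assumed binary path).
ExecStart=/opt/oracle/product/bin/lsnrctl start
ExecStop=/opt/oracle/product/bin/lsnrctl stop

# The line the thread objects to, kept commented out on purpose: it would
# re-run on every restart, open 1521 on every interface to everyone, and
# bypass whatever actually manages the host firewall.
# ExecStartPost=/usr/sbin/iptables -I INPUT -p tcp --dport 1521 --syn -j ACCEPT

[Install]
WantedBy=multi-user.target
```

The port is then opened once, in the host's firewall configuration, scoped to the zone or interface it should be reachable on (with firewalld, for example, `firewall-cmd --permanent --zone=<zone> --add-port=1521/tcp`), so the rule is visible to whoever administers the firewall and does not depend on the service's restart cycle.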