[systemd-devel] starting Oracle with systemd
Reindl Harald
h.reindl at thelounge.net
Fri Oct 31 10:16:09 PDT 2014
Am 31.10.2014 um 18:10 schrieb Reindl Harald:
> Am 31.10.2014 um 18:06 schrieb Fisher, Charles J. (Top Echelon):
>> From: systemd-devel
>> [mailto:systemd-devel-bounces at lists.freedesktop.org] On Behalf Of
>> Reindl Harald
>>
>>>> For some reason, the iptables didn't happen. Maybe it needs to be
>>>> fully qualified.
>>
>>> yes it needs to be as any other path
>>> the documentation is very clear here
>>
>> No, [unix] user oracle doesn't have permission to run iptables.
>
> but it needs to be full qualified anyways
>
>> I either need to sudo something up, or put this elsewhere.
>> Letting different commands run with different uids/gids would be a
>> nice feature
>
> "PermissionsStartOnly=true" exists and so you can have helper processes
> as root while restrict the main process - anything else is hardly
> maintainable with the now clear ini-style of a unit
BTW: add such a firewall rule to a systemd-unit is a *very* bad
attitude, if it is your personal service in /etc fine, but you must not
do that anywhere else
ExecStartPost=iptables -I INPUT -p tcp --dport 1521 --syn -j ACCEPT
* who says that it should be reachable from everywhere
* who says it should be reachable on every interface
* who says that not firewalld or shorewall or something else
does firewall managment on the machine and that this works
hence in a different environment
* who configures iptables on that machine
* consider what harm are you doing to that person no understanding
why a port is open while not in the global firewall defined
* even in your personal service it *does not* belog here
it is called with every restart
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20141031/8b0e01c6/attachment-0001.sig>
More information about the systemd-devel
mailing list