[systemd-devel] Query regarding "EnvironmentFile"
Reindl Harald
h.reindl at thelounge.net
Tue Dec 29 15:01:27 PST 2015
On 26.12.2015 at 20:39, Manuel Amador (Rudd-O) wrote:
> On 12/26/2015 07:28 PM, Reindl Harald wrote:
>>
>> my infrastructure is most likely better managed than anyone else's
>
> So says the person with a limited perspective and a refusal to learn
> modern tools and processes

the person with a limited perspective yet converted cronjobs using a
sourced shell script for an update-system where base locations for every
server are defined by sourcing a shellscript just defining env-vars

that's part of a complex deployment and maintenance infrastructure for
some hundred webhosts on a dozen servers

guess what: EnvironmentFile can reuse that file which still needs to be
there to configure a ton of CLI scripts for different tasks

reason for the change to a oneshot-systemd unit?
to restrict capabilities and write/read permissions more

there is a world outside "the daemon" at all!

[Service]
EnvironmentFile=/scripts/cl-update-service.inc.sh
Type=oneshot
ExecStart=/path/to/cronscript
User=wwwcron
Group=apache
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL CAP_CHMOD CAP_FOWNER
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
ReadOnlyDirectories=/proc
ReadOnlyDirectories=/sys
InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/media
InaccessibleDirectories=-/root
InaccessibleDirectories=-/etc/dbus-1
InaccessibleDirectories=-/etc/modprobe.d
InaccessibleDirectories=-/etc/modules-load.d
InaccessibleDirectories=-/etc/postfix
InaccessibleDirectories=-/etc/ssh
InaccessibleDirectories=-/etc/sysctl.d
InaccessibleDirectories=-/run/console
InaccessibleDirectories=-/run/dbus
InaccessibleDirectories=-/run/lock
InaccessibleDirectories=-/run/mount
InaccessibleDirectories=-/run/systemd/generator
InaccessibleDirectories=-/run/systemd/system
InaccessibleDirectories=-/run/systemd/users
InaccessibleDirectories=-/run/udev
InaccessibleDirectories=-/run/user
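
Added example, not part of the original post and not systemd's own code: EnvironmentFile= is read by systemd itself rather than by a shell, so an include file can serve both `.`-sourcing scripts and a unit only while it consists of plain NAME=value lines. The check below flags lines where the two readers would disagree; the sample file contents and variable names are constructed for illustration.

```python
import re

# Constructed sample of a shell include that "just defines env-vars".
# Variable names and paths are hypothetical, not taken from the post.
SAMPLE = """\
# base locations
BASE_DIR=/data/www
export LOG_DIR=/var/log/cl-update
CACHE_DIR="$BASE_DIR/cache"
STAMP=`date +%F`
LITERAL='costs $5'
. /scripts/common.inc.sh
"""

# A plain assignment: valid variable name directly followed by "=".
ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def lint_env_file(text):
    """Return (line_no, reason) for every line a shell would act on
    differently from systemd's EnvironmentFile= reader."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and "#" comments mean the same to both
        m = ASSIGN.match(line)
        if m is None:
            if re.match(r"^export\s+\w+=", line):
                reason = "export prefix: not a plain NAME=value line"
            else:
                reason = "not an assignment: a shell runs it, systemd does not"
            findings.append((no, reason))
            continue
        value = m.group(2)
        if re.fullmatch(r"'[^']*'", value):
            continue  # fully single-quoted: literal in the shell as well
        if "$" in value or "`" in value:
            findings.append((no, "value relies on shell expansion, which systemd does not perform"))
    return findings


if __name__ == "__main__":
    for no, reason in lint_env_file(SAMPLE):
        print(f"line {no}: {reason}")
```

Running such a check over the shared include before pointing a hardened unit at it catches variables that would silently be missing or unexpanded in the service's environment.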