
  1. [Unit]
  2. After=network-online.target
  3. Description=mmr-retention
  4. [Service]
  5. DynamicUser=yes
  6. Type=simple
  7. ExecStart=/usr/bin/mmr-retention
  8. TimeoutStartSec=1200000
  9. TimeoutStopSec=10
  10. Restart=on-failure
  11. RestartSec=120s
  12. OOMPolicy=stop
  13. OOMScoreAdjust=100
  14. EnvironmentFile=/etc/mmr-retention/envs
  15. CapabilityBoundingSet=
  16. AmbientCapabilities=
  17. IPAddressDeny=multicast
  18. DevicePolicy=closed
  19. ProtectSystem=strict
  20. ProtectHome=yes
  21. PrivateTmp=yes
  22. PrivateDevices=yes
  23. ProtectHostname=yes
  24. ProtectClock=yes
  25. ProtectKernelTunables=yes
  26. ProtectKernelModules=yes
  27. ProtectKernelLogs=yes
  28. ProtectControlGroups=yes
  29. RestrictAddressFamilies=AF_INET AF_INET6
  30. RestrictNamespaces=yes
  31. LockPersonality=yes
  32. MemoryDenyWriteExecute=yes
  33. RestrictRealtime=yes
  34. RestrictSUIDSGID=yes
  35. RemoveIPC=yes
  36. SystemCallArchitectures=native
  37. ProtectProc=invisible
  38. ProcSubset=pid
  39. PrivateUsers=yes
  40. SystemCallFilter=~@clock
  41. SystemCallFilter=~@cpu-emulation
  42. SystemCallFilter=~@debug
  43. SystemCallFilter=~@module
  44. SystemCallFilter=~@mount
  45. SystemCallFilter=~@obsolete
  46. SystemCallFilter=~@privileged
  47. SystemCallFilter=~@raw-io
  48. SystemCallFilter=~@reboot
  49. SystemCallFilter=~@resources
  50. SystemCallFilter=~@swap
  51. UMask=077
  52. [Install]
  53. WantedBy=multi-user.target