From 2c3835d445c881e7479bdf903ab5cb5402843519 Mon Sep 17 00:00:00 2001
From: surtur
Date: Sun, 20 Mar 2022 20:54:52 +0100
Subject: [PATCH] manage system access of the service using systemd

* add drone.slice (control resource usage)
* restrict can be accessed by the service
* adjust IO priority and NICEness of processes created withing the service
* use "-p" with docker-compose invocation to specify a project that the newly-spawned containers belong to (best practice)
* add commented override
---
 drone.service | 41 ++++++++++++++++++++++++++++++++++++++---
 drone.slice | 14 ++++++++++++++
 2 files changed, 52 insertions(+), 3 deletions(-)
 create mode 100644 drone.slice

diff --git a/drone.service b/drone.service
index c1ffef8..3098566 100644
--- a/drone.service
+++ b/drone.service
@@ -1,12 +1,47 @@
+# /etc/systemd/system/drone.service
 [Unit]
 Description=Drone server
 After=docker.service nginx.service
-OnFailure=systemd-email@%n.service
 
 [Service]
+Slice=drone.slice
+Delegate=yes
 Restart=always
-ExecStart=/usr/bin/docker-compose -f /etc/drone/docker-compose.yml up
-ExecStop=/usr/bin/docker-compose -f /etc/drone/docker-compose.yml stop
+RestartSec=5
+ExecStart=/usr/bin/docker-compose -p drone -f /etc/drone/docker-compose.yml up
+ExecStop=/usr/bin/docker-compose -p drone -f /etc/drone/docker-compose.yml stop
+
+Nice=-14
+IOSchedulingClass=1
+IOSchedulingPriority=0
+
+CapabilityBoundingSet=
+# ProtectProc=invisible
+ProtectHome=true
+RestrictNamespaces=uts ipc pid user cgroup
+NoNewPrivileges=True
+# SecureBits=noroot-locked
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+# SystemCallFilter=~memfd_create
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target
+
+# /etc/systemd/system/drone.service.d/override.conf
+# drone service override
+# [Unit]
+# OnFailure=status_email_wanderer@%n
diff --git a/drone.slice b/drone.slice
new file mode 100644
index 0000000..75de940
--- /dev/null
+++ b/drone.slice
@@ -0,0 +1,14 @@
+# /etc/systemd/system/drone.slice
+[Unit]
+Description=Slice that limits drone.service resources
+Before=slices.target
+After=docker.service docker.slice
+
+[Slice]
+CPUAccounting=yes
+CPUQuota=315%
+
+MemoryAccounting=yes
+MemoryHigh=4.1G
+MemoryMax=4.2G
+MemorySwapMax=200M
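Review bot: The sandboxing directives added under [Service] (CapabilityBoundingSet=, ProtectSystem=strict, PrivateUsers=true, MemoryDenyWriteExecute=true and the rest), together with Slice=drone.slice, Nice=-14 and the IO scheduling settings, constrain only the docker-compose client that ExecStart launches; the Drone containers themselves are created by the Docker daemon and, as far as this diff shows, land in docker.service's cgroup tree, so neither this hardening nor the CPUQuota/MemoryMax limits in the drone.slice hunk apply to the actual workload. If the intent is to confine the containers, the compose file (not shown here) would need to place them under the slice, e.g. `cgroup_parent: drone.slice` per service; otherwise add `# NOTE: the limits and sandboxing below apply to the docker-compose client only, not to the containers dockerd spawns` so nobody relies on them as a container boundary. Delegate=yes hands this unit's cgroup subtree to the compose process, which as far as the diff shows never creates cgroups there, so it is probably unnecessary and worth a why-comment if kept. The removed `OnFailure=systemd-email@%n.service` is only reinstated as a commented-out override, so failure notifications are silently off until someone creates that drop-in; the commit message should say so.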