[RPKI] [PATCH] install a systemd unit file

Marco d'Itri md at linux.it
Tue May 21 01:37:36 UTC 2019


---
 Cargo.toml             |  1 +
 etc/routinator.service | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 etc/routinator.service

diff --git a/Cargo.toml b/Cargo.toml
index c840565..d2b362a 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -58,6 +58,7 @@ assets = [
     ["README.md", "usr/share/doc/routinator/", "644"],
     ["doc/misc.md", "usr/share/doc/routinator/misc.md", "644"],
     ["doc/routinator.1", "usr/share/man/man1/routinator.1", "644"],
+    ["etc/routinator.service", "lib/systemd/system/routinator.service", "644"]
 ]
 maintainer-scripts = "debian"
 
diff --git a/etc/routinator.service b/etc/routinator.service
new file mode 100644
index 0000000..b9d6e27
--- /dev/null
+++ b/etc/routinator.service
@@ -0,0 +1,34 @@
+[Unit]
+Description=Routinator 3000
+Documentation=man:routinator(1)
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/routinator --config=/etc/routinator/routinator.conf --syslog rtrd -a
+Type=exec
+RestartSec=0
+User=routinator
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadWritePaths=/var/lib/routinator/
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+StateDirectory=routinator
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
+
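Review bot: `RestartSec=0` in `[Service]` has no effect, because no `Restart=` policy is set and systemd's default is `Restart=no`, so the RTR server stays down after a crash and routers lose their validation feed until someone intervenes. I would add `Restart=on-failure` and set `RestartSec=` to a few seconds so that a process failing at startup does not restart in a tight loop. `ReadWritePaths=/var/lib/routinator/` repeats what `StateDirectory=routinator` already grants under `ProtectSystem=strict` and can be dropped. `Type=exec` needs systemd 240 or later as far as I know, and `User=routinator` assumes the account already exists; neither is established by this patch, so both are worth confirming against the target distributions and the maintainer scripts.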
-- 
2.20.1



