mirror of
https://github.com/kanidm/kanidm.git
synced 2025-02-23 20:47:01 +01:00
a61038f400
The kanidm-unixd-tasks service refuses to start before kanidm-unixd:
```
systemd[1]: Started Kanidm Local Tasks.
(xd_tasks)[29469]: kanidm-unixd-tasks.service: Failed to set up mount namespacing: /run/systemd/unit-root/run/kanidm-unixd: No such file or directory
(xd_tasks)[29469]: kanidm-unixd-tasks.service: Failed at step NAMESPACE spawning /usr/sbin/kanidm_unixd_tasks: No such file or directory
systemd[1]: kanidm-unixd-tasks.service: Main process exited, code=exited, status=226/NAMESPACE
systemd[1]: kanidm-unixd-tasks.service: Failed with result 'exit-code'.
```
Resolve this by ensuring kanidm-unixd gets activated as a dependency.
The ordering ("After") is already in place.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
34 lines
879 B
Desktop File
34 lines
879 B
Desktop File
# You should not need to edit this file. Instead, use a drop-in file:
|
|
# systemctl edit kanidm-unixd-tasks.service
|
|
|
|
[Unit]
|
|
Description=Kanidm Local Tasks
|
|
After=chronyd.service ntpd.service network-online.target kanidm-unixd.service
|
|
Requires=kanidm-unixd.service
|
|
|
|
[Service]
|
|
User=root
|
|
Type=notify
|
|
ExecStart=/usr/sbin/kanidm_unixd_tasks
|
|
|
|
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
|
|
# SystemCallFilter=@aio @basic-io @chown @file-system @io-event @network-io @sync
|
|
ProtectSystem=strict
|
|
ReadWritePaths=/home /var/run/kanidm-unixd
|
|
RestrictAddressFamilies=AF_UNIX
|
|
NoNewPrivileges=true
|
|
PrivateTmp=true
|
|
PrivateDevices=true
|
|
PrivateNetwork=true
|
|
ProtectHostname=true
|
|
ProtectClock=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelLogs=true
|
|
ProtectControlGroups=true
|
|
MemoryDenyWriteExecute=true
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
|