Created
January 18, 2021 12:03
-
-
Save 0x4E0x650x6F/0a4ed814406fdc5ce70e35dc9beaf58a to your computer and use it in GitHub Desktop.
PowerDNS service start fix pdns-server 4.2.1-1build2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- original service config --- | |
| [Unit] | |
| Description=PowerDNS Authoritative Server | |
| Documentation=man:pdns_server(1) man:pdns_control(1) | |
| Documentation=https://doc.powerdns.com | |
| Wants=network-online.target | |
| After=network-online.target mysqld.service postgresql.service slapd.service mariadb.service | |
| [Service] | |
| ExecStart=/usr/sbin/pdns_server --guardian=no --daemon=no --log-timestamp=no --disable-syslog --write-pid=no | |
| Type=notify | |
| Restart=on-failure | |
| RestartSec=1 | |
| StartLimitInterval=0 | |
| # Sandboxing | |
| CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT | |
| LockPersonality=true | |
| ProtectControlGroups=true | |
| ProtectHome=true | |
| ProtectKernelModules=true | |
| ProtectKernelTunables=true | |
| # ProtectSystem=full will disallow write access to /etc and /usr, possibly | |
| # not being able to write slaved-zones into sqlite3 or zonefiles. | |
| ProtectSystem=full | |
| RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 | |
| RestrictNamespaces=true | |
| RestrictRealtime=true | |
| SystemCallArchitectures=native | |
| SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete | |
| [Install] | |
| WantedBy=multi-user.target | |
| ------------ | |
| -----modifiled service config ------ | |
| [Unit] | |
| Description=PowerDNS Authoritative Server | |
| Documentation=man:pdns_server(1) man:pdns_control(1) | |
| Documentation=https://doc.powerdns.com | |
| Wants=network-online.target | |
| After=network-online.target mysqld.service postgresql.service slapd.service mariadb.service | |
| [Service] | |
| ExecStart=/usr/sbin/pdns_server --guardian=no --daemon=no --log-timestamp=no --disable-syslog --write-pid=no | |
| Type=notify | |
| Restart=on-failure | |
| RestartSec=1 | |
| StartLimitInterval=0 | |
| RuntimeDirectory=pdns | |
| # Sandboxing | |
| CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT | |
| LockPersonality=true | |
| NoNewPrivileges=true | |
| PrivateDevices=true | |
| PrivateTmp=true | |
| PrivateClock=true | |
| ProtectControlGroups=true | |
| ProtectHome=true | |
| ProtectHostname=True | |
| ProtectKernelModules=true | |
| ProtectKernelTunables=true | |
| # ProtectSystem=full will disallow write access to /etc and /usr, possibly | |
| # not being able to write slaved-zones into sqlite3 or zonefiles. | |
| ProtectSystem=full | |
| RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 | |
| RestrictNamespaces=true | |
| RestrictRealtime=true | |
| SystemCallArchitectures=native | |
| SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete | |
| [Install] | |
| WantedBy=multi-user.target | |
| ------------------------------------ | |
| ----- DIFF --- | |
| 14d13 | |
| < RuntimeDirectory=pdns | |
| 19,22d17 | |
| < NoNewPrivileges=true | |
| < PrivateDevices=true | |
| < PrivateTmp=true | |
| < PrivateClock=true | |
| 25d19 | |
| < ProtectHostname=True | |
| 39,40d32 | |
| ------------- |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment