security and hardening options for systemd service units
A common and reliable hardening pattern in service unit files is the following:
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict
agent:
  mounts:
    varlog: true
  configMap:
    content: |
      logging {
        level = "info"
        format = "logfmt"
      }
all
analytics
cache-generation-loader
compactor
distributor
ingester
ingester-querier
querier
query-frontend
query-scheduler
{
  "transactions": [
    {
      "transaction_id": "a6fbc63d-27ae-4d8a-bd01-2e879c82c122",
      "timestamp": "2023-07-26 10:15:30",
      "sender": "0x3fC2b08dD64eFe84F4E98583F66fAa3105581D8a",
      "receiver": "0x1B74d2F8947A9c3b32a8C35F44E28e1395d18b98",
      "amount": 0.025,
      "currency": "ETH",
      "hash": "f3f57bf8b6a5f6c1a2dd55a276d679ccdf957ed234521e60784d1a18f3ea6c43"
#!/bin/sh
# Usage example:
# cat <<EOF | ./subst.sh zzzlucy
# name=Lucy
# weather="Good, how about you?!"
# family=Smith
# EOF
set -a
Time | 1min | 5min | 15min
---|---|---|---
14:08:59 | 0.93 | 1.10 | 1.28
14:09:09 | 0.86 | 1.08 | 1.27
14:09:19 | 0.95 | 1.09 | 1.27
14:09:29 | 0.95 | 1.09 | 1.27
14:09:39 | 1.25 | 1.15 | 1.29
14:09:49 | 1.21 | 1.14 | 1.28
14:09:59 | 1.18 | 1.14 | 1.28
14:10:09 | 1.15 | 1.13 | 1.27
14:10:19 | 1.13 | 1.13 | 1.27
apiVersion: "kafka.strimzi.io/v1alpha1"
kind: KafkaConnector
metadata:
  name: bd6-mongo-connector
  labels:
    strimzi.io/cluster: my-connect-cluster
spec:
  class: io.debezium.connector.mongodb.MongoDbConnector
  image: "quay.io/tdonohue/debenhams-mongo:latest"
  config:
Let's deploy nginx!
We'll create a Deployment, a Service and a Route. 🥔🥔
We'll use the nginx-unprivileged image (this Nginx image doesn't run nginx as root, because OpenShift doesn't like that!)
package com.cleverbuilder.bookservice;

import java.util.ArrayList;
import java.util.List;

import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.bind.annotation.XmlType;
! 21/03/2020 https://twitter.com - remove annoyances/distractions
! Remove the annoying attention-sapping stuff: trending now, who to follow
twitter.com##div[aria-label='Timeline: Trending now']
twitter.com##aside[aria-label='Who to follow']
! 2020-10-03 Medium google login distraction
medium.com##div[id='credential_picker_container']