diff options
author | Blair Bonnett | 2021-04-25 12:54:31 +0200 |
---|---|---|
committer | Blair Bonnett | 2021-04-25 12:54:31 +0200 |
commit | efdc65659a1a725ed90e08c1485c2ec9bd1f3367 (patch) | |
tree | 9625517e578bc21131fa2dbbb8ab7af8859c0d65 /jupyterhub.service | |
parent | 0015e58680c8d9fad29dfc8da8469638f3e007c5 (diff) | |
download | aur-efdc65659a1a725ed90e08c1485c2ec9bd1f3367.tar.gz |
Update to 1.4.0
* Include default configuration in package
* Run tests in check()
* Add systemd service with some hardening. Install script will notify
users on upgrade. Since its in /usr/lib/systemd/system, any custom
services in /etc/systemd/system will continue to be used instead of
the package one.
Diffstat (limited to 'jupyterhub.service')
-rw-r--r-- | jupyterhub.service | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/jupyterhub.service b/jupyterhub.service new file mode 100644 index 000000000000..34a31173b1db --- /dev/null +++ b/jupyterhub.service @@ -0,0 +1,46 @@ +[Unit] +Description=JupyterHub server +After=network.target +Documentation=https://jupyterhub.readthedocs.io/en/stable/ + +[Service] +# Where the PID and other runtime files will be placed. +RuntimeDirectory=jupyterhub +RuntimeDirectoryMode=0755 + +# Paths in the configuration are relative to the working directory. +WorkingDirectory=/etc/jupyterhub + +# The actual command to run. Note this service doesn't need the PID files, but +# JupyterHub does use them internally. +ExecStart=/usr/bin/jupyterhub \ + -f /etc/jupyterhub/jupyterhub_config.py \ + --pid-file=/run/jupyterhub/jupyterhub.pid \ + --ConfigurableHTTPProxy.pid_file=/run/jupyterhub/jupyterhub-proxy.pid + +# Apply some service hardening. +# The default LocalProcess spawner needs SETUID and SETGID to run the +# single-user servers. +CapabilityBoundingSet=CAP_SETUID CAP_SETGID +LockPersonality=true +NoNewPrivileges=true +PrivateTmp=true +PrivateDevices=true +ProtectClock=true +ProtectControlGroups=true +ProtectHostname=true +ProtectKernelLogs=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectProc=invisible +ProtectSystem=full +ReadWritePaths=/etc/jupyterhub +RestrictNamespaces=true +RestrictRealtime=true +RestrictSUIDSGID=true +SystemCallArchitectures=native +SystemCallErrorNumber=EPERM +SystemCallFilter=@system-service + +[Install] +WantedBy=multi-user.target |