go-carbon-dynamicuser.diff


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

--- a/go-carbon.service
+++ b/go-carbon.service
@@ -4,8 +4,8 @@
 After=network.target
 
 [Service]
-Type=forking
-ExecStart=/usr/bin/go-carbon -config /etc/go-carbon/go-carbon.conf -pidfile /var/run/go-carbon.pid -daemon
+Type=simple
+ExecStart=/usr/bin/go-carbon -config /etc/go-carbon/go-carbon.conf
 ExecReload=/bin/kill -HUP $MAINPID
 KillSignal=USR2
 Restart=on-failure
@@ -14,5 +14,23 @@
 LimitNOFILE=55555
 LimitMEMLOCK=infinity
 
+User=carbon
+DynamicUser=true
+RuntimeDirectory=go-carbon
+StateDirectory=graphite
+LogsDirectory=go-carbon
+ConfigurationDirectory=go-carbon
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+
 [Install]
 WantedBy=multi-user.target