Closed smithfarm closed 3 years ago
@ddiss @jsegitz
Thank you for bringing this upstream. Systemd offers many of those; these are just the first batch I try to bring to as many packages in openSUSE as possible. You can try to go this rather minimal route for now or use a more complete list (see https://www.freedesktop.org/software/systemd/man/systemd.exec.html). Especially NoNewPrivileges and PrivateTmp are great ones that I didn't include in the first run to prevent too much breakage, but maybe it fits for you.
Especially NoNewPrivileges and PrivateTmp are great ones
Looks like we already have the latter one:
PrivateTmp=true
A general note: in pacific+ ceph-iscsi is supposed to be managed by cephadm and IIRC these service files are not used there.
No testing from my side either; I do this at mass scale for openSUSE and rely on the packagers for testing.
UPDATE: dropped ProtectKernelTunables=true
Ran some tests without using the containers; the basic functions worked well for me, but gwcli ls will get stuck for a long time, and I can reproduce this very easily.
Gone stale, I guess.
As the systemd developers introduce security features, we endeavor to put them to use for the benefit of security-thirsty users.
Signed-off-by: Nathan Cutler <ncutler@suse.com>
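As an added example (not code from this pull request or from ceph-iscsi), the following Python script reports which of the hardening directives named in the thread are set in a unit file's [Service] section. The sample unit and its ExecStart path are constructed, and the parser reads a single file only, without drop-ins or line continuations.

```python
# Added example: audit a unit file for the hardening directives named in this thread.
HARDENING = ("NoNewPrivileges", "PrivateTmp", "ProtectKernelTunables")
TRUE = {"1", "yes", "true", "on"}    # documented systemd boolean spellings
FALSE = {"0", "no", "false", "off"}

# Constructed sample, not the project's real unit file.
SAMPLE_UNIT = """\
[Unit]
Description=Example gateway service (constructed)

[Service]
ExecStart=/usr/bin/example-daemon
# ProtectKernelTunables=true
PrivateTmp=true
"""

def service_settings(text):
    """Return the last value assigned to each key in [Service]."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()   # later assignment wins
    return settings

def audit(text):
    """Map each directive to 'enabled', 'disabled', 'unset' or 'invalid'."""
    settings = service_settings(text)
    report = {}
    for name in HARDENING:
        value = settings.get(name)
        if value is None or value == "":
            report[name] = "unset"
        elif value.lower() in TRUE:
            report[name] = "enabled"
        elif value.lower() in FALSE:
            report[name] = "disabled"
        else:
            report[name] = "invalid"
    return report

if __name__ == "__main__":
    for name, state in audit(SAMPLE_UNIT).items():
        print(f"{name:24} {state}")
```

On a host running the service, `systemd-analyze security <unit>` gives the view of the loaded unit, including settings this single-file check cannot see.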