ceph / ceph-iscsi

Ceph iSCSI tools
GNU General Public License v3.0

systemd: additional hardening of service files #244

Closed smithfarm closed 3 years ago

smithfarm commented 3 years ago

As the systemd developers introduce security features, we endeavor to put them to use for the benefit of security-thirsty users.

Signed-off-by: Nathan Cutler ncutler@suse.com

smithfarm commented 3 years ago

@ddiss @jsegitz

jsegitz commented 3 years ago

Thank you for bringing this upstream. Systemd offers many of those; these are just the first batch I try to bring to as many packages in openSUSE as possible. You can try to go this rather minimal route for now or use a more complete list (see https://www.freedesktop.org/software/systemd/man/systemd.exec.html). Especially NoNewPrivileges and PrivateTmp are great ones that I didn't include in the first run to prevent too much breakage, but maybe it fits for you.

smithfarm commented 3 years ago

> Especially NoNewPrivileges and PrivateTmp are great ones

Looks like we already have the latter one:

PrivateTmp=true

idryomov commented 3 years ago

A general note: in pacific+ ceph-iscsi is supposed to be managed by cephadm and IIRC these service files are not used there.

jsegitz commented 3 years ago

No testing from my side either; I do this at mass scale for openSUSE and rely on the packagers for testing.

smithfarm commented 3 years ago

UPDATE: dropped ProtectKernelTunables=true
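As an added illustration of the hardening route jsegitz describes and of the ProtectKernelTunables change above (this is not the PR's own diff, which is not shown on this page), a systemd drop-in for the ceph-iscsi API daemon. It assumes the unit is named rbd-target-api.service and is run outside cephadm containers; the directive selection is mine, taken from systemd.exec(5).

```ini
# Added example: /etc/systemd/system/rbd-target-api.service.d/hardening.conf
# Assumed unit name: rbd-target-api.service (drop-in overrides merge with the shipped unit).
[Service]
# Already shipped in the upstream unit (see the "PrivateTmp=true" reply above).
PrivateTmp=true

# Low-risk directives for a daemon that only needs /etc/ceph and the network:
ProtectSystem=full
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true

# Stronger option jsegitz suggests; the daemon runs as root and does not
# exec setuid helpers, so this is expected to be safe, but test it.
NoNewPrivileges=true

# Dropped by the PR after testing. ProtectKernelTunables=true remounts /sys
# read-only, and LIO targets are configured through configfs under
# /sys/kernel/config, so the API cannot build targets with it enabled.
#ProtectKernelTunables=true

# Same caution for module loading: LIO backstores load kernel modules on
# demand, so ProtectKernelModules=true must be verified against gwcli
# before it is enabled (the gwcli ls hang reported below is the symptom to watch).
#ProtectKernelModules=true
```

After `systemctl daemon-reload`, `systemd-analyze security rbd-target-api.service` scores the resulting sandbox and lists which directives are still unset.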

lxbsz commented 3 years ago

I ran some tests without using the containers; the basic functions worked well for me, but `gwcli ls` will get stuck for a long time, and I can reproduce this very easily.

smithfarm commented 3 years ago

Gone stale, I guess.