mariadb/mariadb.service.in

83 lines
2.4 KiB
SYSTEMD

# It's not recommended to modify this unit file because your changes
# would be overwritten during the package update.
#
# However, there are 2 methods how to customize this unit file:
#
# 1) Copy this unit file from /usr/lib/systemd/system to
# /etc/systemd/system and modify the chosen settings.
#
# 2) Create a directory named mariadb.service.d/ within /etc/systemd/system
# and place a drop-in file name.conf there that only changes the specific
# settings one is interested in.
#
# see systemd.unit(5) for details
#
# Example - increasing of the TimeoutSec= limit
# mkdir /etc/systemd/system/mariadb.service.d
# cat > /etc/systemd/system/mariadb.service.d/timeout.conf << EOF
# [Service]
# TimeoutSec=600
# EOF
[Unit]
Description=MariaDB database server
Documentation=man:mysqld(8)
Documentation=https://mariadb.com/kb/en/library/systemd/
Conflicts=mariadb.target
After=network.target time-sync.target
[Install]
WantedBy=multi-user.target
Alias=mysql.service
[Service]
ExecStartPre=@LIBEXECDIR@/mysql/mysql-systemd-helper install
ExecStartPre=@LIBEXECDIR@/mysql/mysql-systemd-helper upgrade
ExecStart=@LIBEXECDIR@/mysql/mysql-systemd-helper start
Type=notify
User=mysql
Group=mysql
KillSignal=SIGTERM
# Don't want to see an automated SIGKILL ever
SendSIGKILL=no
# Restart crashed server only, on-failure would also restart, for example, when
# my.cnf contains unknown option
Restart=on-abort
RestartSec=5s
# Configures the time to wait for start-up/stop
TimeoutSec=300
# CAP_IPC_LOCK To allow memlock to be used as non-root user
# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
# does nothing for non-root, not needed if /etc/shadow is u+r
# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
# Prevent writes to /usr, /boot, and /etc
ProtectSystem=full
# Prevent accessing /home, /root and /run/user
ProtectHome=true
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
# Execute pre and post scripts as root, otherwise it does it as User=
PermissionsStartOnly=true
UMask=007