32 changes: 22 additions & 10 deletions distribution/packages/src/common/systemd/opensearch.service
Expand Up @@ -26,6 +26,9 @@ WorkingDirectory=/usr/share/opensearch
User=opensearch
Group=opensearch

ExecStartPre=/bin/mkdir -p /dev/shm/performanceanalyzer
ExecStartPre=/bin/chown opensearch:opensearch /dev/shm/performanceanalyzer

ExecStart=/usr/share/opensearch/bin/systemd-entrypoint -p ${PID_DIR}/opensearch.pid --quiet

# StandardOutput is configured to redirect to journalctl since
Expand Down Expand Up @@ -130,6 +133,7 @@ RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

ReadWritePaths=/var/log/opensearch
ReadWritePaths=/var/lib/opensearch
ReadWritePaths=/dev/shm/
ReadWritePaths=-/etc/opensearch
ReadWritePaths=-/mnt/snapshots

Expand All @@ -149,17 +153,25 @@ RestrictNamespaces=true
NoNewPrivileges=true

# Memory and execution protection
MemoryDenyWriteExecute=true # Prevent creating writable executable memory mappings
SystemCallArchitectures=native # Allow only native system calls
KeyringMode=private # Service does not share key material with other services
LockPersonality=true # Prevent changing ABI personality
RestrictSUIDSGID=true # Prevent creating SUID/SGID files
RestrictRealtime=true # Prevent acquiring realtime scheduling
ProtectHostname=true # Prevent changes to system hostname
ProtectKernelLogs=true # Prevent reading/writing kernel logs
ProtectClock=true # Prevent tampering with the system clock

# Allow only native system calls
SystemCallArchitectures=native
# Service does not share key material with other services
KeyringMode=private
# Prevent changing ABI personality
LockPersonality=true
# Prevent creating SUID/SGID files
RestrictSUIDSGID=true
# Prevent acquiring realtime scheduling
RestrictRealtime=true
# Prevent changes to system hostname
ProtectHostname=true
# Prevent reading/writing kernel logs
ProtectKernelLogs=true
# Prevent tampering with the system clock
ProtectClock=true

[Install]
WantedBy=multi-user.target

# Built for ${project.name}-${project.version} (${project.name})
# Built for ${project.name}-${project.version} (${project.name})
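Review bot: `MemoryDenyWriteExecute=true` is dropped from the new side of the last hunk while the other eight hardening directives are kept with their comments moved onto their own lines, yet the `# Memory and execution protection` header still stands and nothing records why that directive went. Omitting it is defensible for a JVM service, since the JIT needs writable-then-executable mappings, and with the old trailing `# Prevent ...` text systemd would likely have failed to parse `true # Prevent ...` as a boolean and ignored the line, so it was probably never in effect; a maintainer reading only the header is liable to re-add it and break startup. Suggest recording the decision just below that header, e.g. `# MemoryDenyWriteExecute is deliberately not set: the JVM JIT requires writable+executable memory mappings`. In the second hunk, `ReadWritePaths=/dev/shm/` opens the whole shared-memory tmpfs for writing rather than only /dev/shm/performanceanalyzer; if that is needed because the mount sandbox is in place before the `ExecStartPre` mkdir runs, a one-line comment saying so would stop it being narrowed later, and the trailing slash is inconsistent with the neighbouring `ReadWritePaths=` entries.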