21d0dd5a89
As discussed on systemd-devel [1], in Fedora we get lots of abrt reports about the watchdog firing [2], but 100% of them seem to be caused by resource starvation in the machine, and never actual deadlocks in the services being monitored. Killing the services not only does not improve anything, but it makes the resource starvation worse, because the service needs cycles to restart, and coredump processing is also fairly expensive. This adds a configuration option to allow the value to be changed. If the setting is not set, there is no change. My plan is to set it to some ridiculusly high value, maybe 1h, to catch cases where a service is actually hanging. [1] https://lists.freedesktop.org/archives/systemd-devel/2019-October/043618.html [2] https://bugzilla.redhat.com/show_bug.cgi?id=1300212
63 lines
2 KiB
SYSTEMD
63 lines
2 KiB
SYSTEMD
# SPDX-License-Identifier: LGPL-2.1+
|
|
#
|
|
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
[Unit]
|
|
Description=Login Service
|
|
Documentation=man:systemd-logind.service(8) man:logind.conf(5)
|
|
Documentation=https://www.freedesktop.org/wiki/Software/systemd/logind
|
|
Documentation=https://www.freedesktop.org/wiki/Software/systemd/multiseat
|
|
Wants=user.slice
|
|
After=nss-user-lookup.target user.slice
|
|
|
|
# Ask for the dbus socket.
|
|
Wants=dbus.socket
|
|
After=dbus.socket
|
|
|
|
[Service]
|
|
BusName=org.freedesktop.login1
|
|
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG CAP_LINUX_IMMUTABLE
|
|
DeviceAllow=block-* r
|
|
DeviceAllow=char-/dev/console rw
|
|
DeviceAllow=char-drm rw
|
|
DeviceAllow=char-input rw
|
|
DeviceAllow=char-tty rw
|
|
DeviceAllow=char-vcs rw
|
|
# Make sure the DeviceAllow= lines above can work correctly when referenceing char-drm
|
|
ExecStartPre=-/sbin/modprobe -abq drm
|
|
ExecStart=@rootlibexecdir@/systemd-logind
|
|
FileDescriptorStoreMax=512
|
|
IPAddressDeny=any
|
|
LockPersonality=yes
|
|
MemoryDenyWriteExecute=yes
|
|
NoNewPrivileges=yes
|
|
PrivateTmp=yes
|
|
ProtectControlGroups=yes
|
|
ProtectHome=yes
|
|
ProtectHostname=yes
|
|
ProtectKernelModules=yes
|
|
ProtectSystem=strict
|
|
ReadWritePaths=/etc /run
|
|
Restart=always
|
|
RestartSec=0
|
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
|
RestrictNamespaces=yes
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
RuntimeDirectory=systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown
|
|
RuntimeDirectoryPreserve=yes
|
|
StateDirectory=systemd/linger
|
|
SystemCallArchitectures=native
|
|
SystemCallErrorNumber=EPERM
|
|
SystemCallFilter=@system-service
|
|
@SERVICE_WATCHDOG@
|
|
|
|
# Increase the default a bit in order to allow many simultaneous logins since
|
|
# we keep one fd open per session.
|
|
LimitNOFILE=@HIGH_RLIMIT_NOFILE@
|