author    Quentin Dufour <quentin@deuxfleurs.fr>  2021-11-04 11:15:25 +0100
committer Quentin Dufour <quentin@deuxfleurs.fr>  2021-11-08 12:20:40 +0100
commit    860ccf281175b50aaaf66453cfc408ea8c1e70e2 (patch)
tree      56f828786a5ce1b79b66f62d8c83cbc91b96439c
parent    9df75594461d29a4b286977f3ce2927a853f9c8a (diff)
Harden Garage's systemd service
-rw-r--r--  doc/book/src/cookbook/systemd.md | 21
1 files changed, 16 insertions, 5 deletions
diff --git a/doc/book/src/cookbook/systemd.md b/doc/book/src/cookbook/systemd.md
index aded09ad..ff3541f5 100644
--- a/doc/book/src/cookbook/systemd.md
+++ b/doc/book/src/cookbook/systemd.md
@@ -1,9 +1,14 @@
-# Starting Garage with systemd instead of Docker
+# Starting Garage with systemd
+
+We make some assumptions for this systemd deployment.
+
+ - Your garage binary is located at `/usr/local/bin/garage`.
+
+ - Your configuration file is located at `/etc/garage.toml`.
+
+ - Your `garage.toml` must be set with `metadata_dir=/var/lib/garage/meta` and `data_dir=/var/lib/garage/data`. This is mandatory to use `systemd` hardening feature [Dynamic User](https://0pointer.net/blog/dynamic-users-with-systemd.html). Note that in your host filesystem, Garage data will be held in `/var/lib/private/garage`.
-NOTE: This guide is incomplete. Typicall you would also want to create a separate
-Unix user to run Garage.
-Make sure you have the Garage binary installed on your system (see [quick start](../quick_start/index.md)), e.g. at `/usr/local/bin/garage`.
Create a file named `/etc/systemd/system/garage.service`:
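Review bot: the new bullet list now ends directly above the unchanged line `Create a file named /etc/systemd/system/garage.service:` with no blank line in between (the three removed lines used to provide that separation), so Markdown will treat that sentence as a lazy continuation of the `garage.toml` bullet and render it inside the list; add a blank `+` line after the last bullet. The removal of the `see [quick start](../quick_start/index.md)` sentence also drops the only pointer to how the binary gets installed; consider keeping that link in the first bullet next to `/usr/local/bin/garage`. Minor wording in the third bullet: "mandatory to use `systemd` hardening feature" reads better as "mandatory to use the systemd hardening feature".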
@@ -15,12 +20,18 @@ Wants=network-online.target
[Service]
Environment='RUST_LOG=garage=info' 'RUST_BACKTRACE=1'
-ExecStart=/usr/local/bin/garage server -c /etc/garage/garage.toml
+ExecStart=/usr/local/bin/garage server
+StateDirectory=garage
+DynamicUser=true
+ProtectHome=true
+NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
```
+*A note on hardening: garage will be run as a non privileged user, its user id is dynamically allocated by systemd. It cannot access (read or write) home folders (/home, /root and /run/user), the rest of the filesystem can only be read but not written, only the path seen as /var/lib/garage is writable as seen by the service (mapped to /var/lib/private/garage on your host). Additionnaly, the process can not gain new privileges over time.*
+
To start the service then automatically enable it at boot:
```bash
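Review bot: the added note states that "the rest of the filesystem can only be read but not written", but the unit only sets `ProtectHome=true` and `NoNewPrivileges=true` explicitly; the read-only root filesystem comes from `DynamicUser=true` implying `ProtectSystem=strict`, so the guarantee the note describes depends on an implied default rather than a line a reader can see. Suggest adding `ProtectSystem=strict` explicitly next to `DynamicUser=true`, so the unit documents the behaviour the note promises and keeps it if someone later drops `DynamicUser=`. Second, the new `ExecStart=/usr/local/bin/garage server` drops the old `-c /etc/garage/garage.toml` and now relies on the binary's default config path, while the prose above assumes `/etc/garage.toml` (a different path from the removed one); passing `-c /etc/garage.toml` explicitly would make the unit match the stated assumption instead of depending on a default. Minor: "non privileged" and "Additionnaly" in the note should be "non-privileged" and "Additionally".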