aboutsummaryrefslogtreecommitdiff
path: root/doc/book/cookbook/systemd.md
diff options
context:
space:
mode:
authorAlex <alex@adnab.me>2023-06-14 10:57:32 +0000
committerAlex <alex@adnab.me>2023-06-14 10:57:32 +0000
commit5e291c64b3539c11cd4f107852686c7865b8b036 (patch)
tree62e8bf6e275ce045e29baf7a660706899e54ed8e /doc/book/cookbook/systemd.md
parent01346143ca09eab262f0d8f8a0a744c2f6d667cc (diff)
parent9092c71a01311f8f7174fa03facdb4d95a7b1389 (diff)
downloadgarage-5e291c64b3539c11cd4f107852686c7865b8b036.tar.gz
garage-5e291c64b3539c11cd4f107852686c7865b8b036.zip
Merge pull request 'Documentation updates' (#587) from doc-updates into main
Reviewed-on: https://git.deuxfleurs.fr/Deuxfleurs/garage/pulls/587
Diffstat (limited to 'doc/book/cookbook/systemd.md')
-rw-r--r--doc/book/cookbook/systemd.md15
1 files changed, 14 insertions, 1 deletions
diff --git a/doc/book/cookbook/systemd.md b/doc/book/cookbook/systemd.md
index b271010b..c0ed7d1f 100644
--- a/doc/book/cookbook/systemd.md
+++ b/doc/book/cookbook/systemd.md
@@ -33,7 +33,20 @@ NoNewPrivileges=true
WantedBy=multi-user.target
```
-*A note on hardening: garage will be run as a non privileged user, its user id is dynamically allocated by systemd. It cannot access (read or write) home folders (/home, /root and /run/user), the rest of the filesystem can only be read but not written, only the path seen as /var/lib/garage is writable as seen by the service (mapped to /var/lib/private/garage on your host). Additionnaly, the process can not gain new privileges over time.*
+**A note on hardening:** Garage will be run as a non privileged user, its user
+id is dynamically allocated by systemd (set with `DynamicUser=true`). It cannot
+access (read or write) home folders (`/home`, `/root` and `/run/user`), the
+rest of the filesystem can only be read but not written, only the path seen as
+`/var/lib/garage` is writable as seen by the service. Additionnaly, the process
+can not gain new privileges over time.
+
+For this to work correctly, your `garage.toml` must be set with
+`metadata_dir=/var/lib/garage/meta` and `data_dir=/var/lib/garage/data`. This
+is mandatory to use the DynamicUser hardening feature of systemd, which
+autocreates these directories as virtual mapping. If the directory
+`/var/lib/garage` already exists before starting the server for the first time,
+the systemd service might not start correctly. Note that in your host
+filesystem, Garage data will be held in `/var/lib/private/garage`.
To start the service then automatically enable it at boot: