diff options
author | Alex Auvolat <alex@adnab.me> | 2022-02-02 10:05:27 +0100 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2022-02-07 11:47:51 +0100 |
commit | ff04afaa771e1ec2bd482fa47ced1a8e4933c916 (patch) | |
tree | c2e0962ed5e672aea733607e4c16ac37e3b2b40d /doc/book/cookbook/systemd.md | |
parent | 45d6d377d2011d8fb4ceb13bb4584df97c458525 (diff) | |
download | garage-ff04afaa771e1ec2bd482fa47ced1a8e4933c916.tar.gz garage-ff04afaa771e1ec2bd482fa47ced1a8e4933c916.zip |
Move documentation files around and adapt format for new website
Diffstat (limited to 'doc/book/cookbook/systemd.md')
-rw-r--r-- | doc/book/cookbook/systemd.md | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/doc/book/cookbook/systemd.md b/doc/book/cookbook/systemd.md new file mode 100644 index 00000000..b271010b --- /dev/null +++ b/doc/book/cookbook/systemd.md @@ -0,0 +1,53 @@ ++++ +title = "Starting Garage with systemd" +weight = 15 ++++ + +We make some assumptions for this systemd deployment. + + - Your garage binary is located at `/usr/local/bin/garage`. + + - Your configuration file is located at `/etc/garage.toml`. + + - Your `garage.toml` must be set with `metadata_dir=/var/lib/garage/meta` and `data_dir=/var/lib/garage/data`. This is mandatory to use `systemd` hardening feature [Dynamic User](https://0pointer.net/blog/dynamic-users-with-systemd.html). Note that in your host filesystem, Garage data will be held in `/var/lib/private/garage`. + + + +Create a file named `/etc/systemd/system/garage.service`: + +```toml +[Unit] +Description=Garage Data Store +After=network-online.target +Wants=network-online.target + +[Service] +Environment='RUST_LOG=garage=info' 'RUST_BACKTRACE=1' +ExecStart=/usr/local/bin/garage server +StateDirectory=garage +DynamicUser=true +ProtectHome=true +NoNewPrivileges=true + +[Install] +WantedBy=multi-user.target +``` + +*A note on hardening: garage will be run as a non privileged user, its user id is dynamically allocated by systemd. It cannot access (read or write) home folders (/home, /root and /run/user), the rest of the filesystem can only be read but not written, only the path seen as /var/lib/garage is writable as seen by the service (mapped to /var/lib/private/garage on your host). Additionnaly, the process can not gain new privileges over time.* + +To start the service then automatically enable it at boot: + +```bash +sudo systemctl start garage +sudo systemctl enable garage +``` + +To see if the service is running and to browse its logs: + +```bash +sudo systemctl status garage +sudo journalctl -u garage +``` + +If you want to modify the service file, do not forget to run `systemctl daemon-reload` +to inform `systemd` of your modifications. |