# systemd unit for the OpenNebula web UI server; ExecStart in [Service] runs
# sunstone-server.rb.
[Unit]
Description = OpenNebula Web UI Server
# Ordering only: After= delays start until these targets are up when they are
# part of the same transaction; it does not pull them in by itself.
After = syslog.target network.target
# Start after opennebula.service when both are queued. This unit declares no
# Requires=/Wants= on opennebula.service, so the ordering alone neither starts
# it nor ties this unit's lifetime to it.
After = opennebula.service
# Weak dependency: starting this unit also queues opennebula-novnc.service, but
# a failure of that unit does not block this one.
Wants = opennebula-novnc.service
# Refuse to start (logged as an error) unless this file exists and is non-empty.
# NOTE(review): presumably holds the credentials the web UI uses towards the
# OpenNebula daemon - confirm it is readable by oneadmin only.
AssertFileNotEmpty = /var/lib/one/.one/sunstone_auth
[Service]
# Type=simple: the unit counts as started as soon as the ExecStart process has
# been spawned, so that process must stay in the foreground.
Type = simple
# Run as the dedicated non-root oneadmin account instead of root. This also
# applies to the ExecStartPre commands of this unit.
Group = oneadmin
User = oneadmin
# Lets the non-root service process bind TCP/UDP ports below 1024 without
# running as root.
# NOTE(review): no CapabilityBoundingSet= is set in this unit; consider limiting
# the bounding set to the same single capability after confirming nothing else
# is needed.
AmbientCapabilities = CAP_NET_BIND_SERVICE
# Force (-f) a log rotation before every start, using a state file (-s) under
# /var/lib/one, which oneadmin can write to. The leading "-" tells systemd to
# ignore a non-zero exit, so a failed rotation never blocks the service.
ExecStartPre = -/usr/sbin/logrotate -f /etc/logrotate.d/opennebula-sunstone -s /var/lib/one/.logrotate.status
# Compress every /var/log/one/sunstone*.log that has no matching .gz yet.
# Failures are ignored (leading "-"); that includes the case where the glob
# matches nothing and gzip is handed the literal pattern.
# NOTE(review): systemd applies its own $VAR / ${VAR} substitution to command
# lines - confirm "$file" reaches the shell unexpanded on all targeted systemd
# versions.
ExecStartPre = -/bin/sh -c 'for file in /var/log/one/sunstone*.log; do if [ ! -f "$file.gz" ]; then gzip -9 "$file"; fi; done'
# Main process: the system Ruby interpreter running the web UI server script.
ExecStart = /usr/bin/ruby /usr/lib/one/sunstone/sunstone-server.rb
# Filesystem sandbox. These are the legacy spellings of ReadWritePaths=,
# ReadOnlyPaths= and InaccessiblePaths=; newer systemd still accepts them.
# A "-" before a path means the entry is skipped if the path does not exist.
#
# Writable exceptions to the read-only view that ProtectSystem=strict sets up.
ReadWriteDirectories = /var/lib/one /var/log/one/
# Read-only inside the otherwise writable /var/lib/one.
ReadOnlyDirectories = -/var/lib/one/remotes
# Hidden from the service entirely.
InaccessibleDirectories = -/var/lib/one/datastores
# Hide oneadmin's SSH directories from the web UI process, so the service
# cannot read them even though it runs as their owner. "-" skips the entry if
# the directory is absent.
# NOTE(review): presumably these hold the private keys used to reach hosts -
# confirm no other key material lives in a still-readable part of /var/lib/one.
InaccessibleDirectories = -/var/lib/one/.ssh
InaccessibleDirectories = -/var/lib/one/.ssh-oneprovision
# The service uses the host's real /tmp and /var/tmp instead of a private copy;
# /var/tmp is explicitly kept writable.
# NOTE(review): presumably deliberate so temporary files can be shared with
# other OpenNebula components - confirm, since a shared tmp exposes the service
# to files planted by other local users.
ReadWriteDirectories = /var/tmp
PrivateTmp = no
# The process and its children can never gain privileges through execve()
# (setuid/setgid bits, file capabilities).
NoNewPrivileges = yes
# Private /dev containing only pseudo-devices; no access to physical devices.
PrivateDevices = yes
# ProtectSystem=strict is not known by old systemd, so we set
# full everywhere, and override by strict only where supported.
# full: /usr, /boot, /efi and /etc are read-only. strict: the whole hierarchy
# is read-only except /dev, /proc, /sys and the ReadWriteDirectories= entries.
# Keep this order: the later assignment must be the stricter one.
ProtectSystem = full
ProtectSystem = strict
# /home, /root and /run/user are inaccessible. /var/lib/one is outside those
# trees, so it is not covered by this setting.
ProtectHome = yes
# Kernel variables under /proc and /sys are read-only for the service.
ProtectKernelTunables = yes
# Explicit loading and unloading of kernel modules is denied.
ProtectKernelModules = yes
# Access to the kernel log ring buffer is denied.
ProtectKernelLogs = yes
# Start rate limit: at most 3 starts within 60 seconds; beyond that systemd
# stops retrying and the unit stays failed. StartLimitInterval= is the legacy
# spelling (newer systemd: StartLimitIntervalSec= in [Unit]) and is still
# accepted here.
StartLimitInterval = 60
StartLimitBurst = 3
# Restart only after an unclean exit (non-zero status, signal, timeout), never
# after a clean stop; wait 5 seconds before each restart.
Restart = on-failure
RestartSec = 5
# Tag attached to this service's log lines in the journal/syslog, instead of
# the process name (which would be "ruby").
SyslogIdentifier = opennebula-sunstone
[Install]
# "systemctl enable" hooks the unit into multi-user.target, so it starts on a
# normal (non-rescue) boot.
WantedBy = multi-user.target