# systemd unit for the OpenNebula Sunstone web UI (runs sunstone-server.rb).
[Unit]
Description = OpenNebula Web UI Server
# Ordering only: After= does not pull these targets in.
# NOTE(review): syslog.target is obsolete on current systemd; presumably kept
# for older releases - confirm it is still needed.
After = syslog.target network.target
# Start after the OpenNebula daemon when both are queued. This is ordering
# only; no Requires=/BindsTo= on opennebula.service is visible in this unit,
# so Sunstone is not stopped or blocked when that service is down.
After = opennebula.service
# Weak dependency: the noVNC proxy is started alongside, but its failure does
# not stop Sunstone from starting.
Wants = opennebula-novnc.service
# Refuse to start (and log the failed assertion) when the auth file is missing
# or empty.
# NOTE(review): presumably holds the credentials Sunstone uses toward the
# OpenNebula daemon - verify on the host that it is owned by oneadmin and not
# readable by other users.
AssertFileNotEmpty = /var/lib/one/.one/sunstone_auth
[Service]
# The ExecStart process is the main process; systemd considers the unit
# started as soon as it has been forked.
Type = simple
# Run as the unprivileged oneadmin account instead of root, so a compromise of
# the web UI is limited to what oneadmin can reach (further narrowed by the
# sandboxing directives below).
Group = oneadmin
User = oneadmin
# Lets the non-root service bind TCP/UDP ports below 1024.
# NOTE(review): only needed if Sunstone is configured to listen on a
# privileged port. No CapabilityBoundingSet= is set in this unit, so the
# bounding set stays at the default; consider restricting it to this one
# capability.
AmbientCapabilities = CAP_NET_BIND_SERVICE
# Force a rotation of the Sunstone logs before each start, keeping logrotate's
# state file under /var/lib/one. The leading "-" makes systemd ignore a
# non-zero exit, so a broken rotation never blocks startup - it also means
# failures are only visible in the journal.
ExecStartPre = -/usr/sbin/logrotate -f /etc/logrotate.d/opennebula-sunstone -s /var/lib/one/.logrotate.status
# Compress every /var/log/one/sunstone*.log that has no .gz sibling yet; an
# existing .gz is never overwritten. When the glob matches nothing, gzip is
# handed the literal pattern and fails, which the leading "-" ignores.
# NOTE(review): $file is part of a larger word, so systemd should pass it to
# sh unexpanded; "$$file" is the explicit escape - confirm on the oldest
# supported systemd.
ExecStartPre = -/bin/sh -c 'for file in /var/log/one/sunstone*.log; do if [ ! -f "$file.gz" ]; then gzip -9 "$file"; fi; done'
# Main process: the Sunstone server script run by the system Ruby interpreter.
# Both paths are absolute, so nothing is resolved through PATH.
ExecStart = /usr/bin/ruby /usr/lib/one/sunstone/sunstone-server.rb
# File system allow-list. These are the legacy names of ReadWritePaths=,
# ReadOnlyPaths= and InaccessiblePaths=; current systemd still accepts them.
# With ProtectSystem=strict the whole hierarchy is read-only, so every path
# the service must write to has to be listed here.
ReadWriteDirectories = /var/lib/one /var/log/one/
# A leading "-" means the entry is skipped when the path does not exist.
# NOTE(review): remotes presumably holds driver scripts run elsewhere in
# OpenNebula; read-only keeps a compromised web UI from modifying them.
ReadOnlyDirectories = -/var/lib/one/remotes
# Datastores are hidden from the service entirely.
InaccessibleDirectories = -/var/lib/one/datastores
# Hide oneadmin's SSH directories from the web UI process even though the rest
# of /var/lib/one is writable (presumably they hold private keys - verify).
# The leading "-" skips an entry whose path does not exist.
InaccessibleDirectories = -/var/lib/one/.ssh
InaccessibleDirectories = -/var/lib/one/.ssh-oneprovision
# The service uses the host's shared /var/tmp (and /tmp) rather than a private
# copy.
# NOTE(review): PrivateTmp is off presumably because files written there must
# be visible to other OpenNebula services - confirm. Shared temp directories
# are reachable by other local users, so files created there need safe names
# and permissions.
ReadWriteDirectories = /var/tmp
PrivateTmp = no
# The service and its children can never gain privileges through setuid/setgid
# binaries or file capabilities.
NoNewPrivileges = yes
# Private /dev containing only pseudo devices (null, zero, random, ...); no
# access to physical devices.
PrivateDevices = yes
# ProtectSystem=strict is not known by old systemd, so we set
# full everywhere, and override by strict only where supported.
# Where both values parse, the later assignment is the effective one.
ProtectSystem = full
ProtectSystem = strict
# /home, /root and /run/user are inaccessible. oneadmin's own directory,
# /var/lib/one, is outside those paths and stays governed by the
# ReadWrite/ReadOnly/Inaccessible entries in this unit.
ProtectHome = yes
# Kernel attack-surface reduction: kernel variables under /proc and /sys are
# read-only, module loading is denied, and the kernel log buffer is not
# accessible.
ProtectKernelTunables = yes
ProtectKernelModules = yes
ProtectKernelLogs = yes
# Crash-loop guard: at most 3 starts within 60 seconds, after which the unit
# stays failed until reset manually - worth alerting on.
# StartLimitInterval= is the legacy name of StartLimitIntervalSec=, which
# newer systemd documents under [Unit]; it is still accepted in [Service] for
# compatibility.
StartLimitInterval = 60
StartLimitBurst = 3
# Restart only on an unclean exit (non-zero status, signal, timeout), waiting
# 5 seconds between attempts.
Restart = on-failure
RestartSec = 5
# Fixed tag on everything the service logs to journal/syslog, so its output
# can be filtered reliably (for example: journalctl -t opennebula-sunstone).
SyslogIdentifier = opennebula-sunstone
# Used only by "systemctl enable/disable": when enabled, the unit is started
# as part of the normal multi-user boot.
[Install]
WantedBy = multi-user.target