# SPDX-License-Identifier: LGPL-2.1+
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
[Unit]
# Template unit: %i is the instance name, which the description below
# identifies as the journal namespace served by this instance.
Description = Journal Service for Namespace %i
Documentation = man:systemd-journald.service(8) man:journald.conf(5)
# Hard dependency on, and ordering after, the two per-namespace socket units.
# With Requires=, the service is not started if the sockets cannot be
# activated; After= ensures they are set up before the daemon starts.
Requires = systemd-journald@%i.socket systemd-journald-varlink@%i.socket
After = systemd-journald@%i.socket systemd-journald-varlink@%i.socket
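[Service]
# Sandbox for the per-namespace journal daemon. Settings are kept in
# alphabetical order.
# NOTE(review): no User= is set in this file, so unless a drop-in overrides it
# the daemon runs as the service manager's default user; only the group is
# changed below.

# Upper bound on the capabilities the process can ever hold. The set is still
# broad (it includes CAP_SYS_ADMIN, CAP_SYS_PTRACE and CAP_DAC_OVERRIDE), so
# the remaining restrictions in this section act as defense in depth.
# NOTE(review): presumably these are needed to read metadata about logging
# clients and to manage journal file ownership; confirm before trimming.
CapabilityBoundingSet = CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
# Only the standard pseudo devices are accessible; no DeviceAllow= entries
# are listed in this file.
DevicePolicy = closed
ExecStart = @rootlibexecdir@/systemd-journald %i
# Number of file descriptors the service may park in the service manager
# across restarts.
FileDescriptorStoreMax = 4224
Group = systemd-journal
# No IP traffic in either direction; together with RestrictAddressFamilies
# below, the daemon is limited to local UNIX and netlink sockets.
IPAddressDeny = any
LockPersonality = yes
# Created under the logs directory root; %m is the machine ID and %i the
# namespace instance.
LogsDirectory = journal/%m.%i
# 0755 plus the setgid bit, so entries created inside inherit the
# directory's group.
LogsDirectoryMode = 02755
# Refuse memory mappings that are both writable and executable.
MemoryDenyWriteExecute = yes
# The process and its children cannot gain privileges through execve()
# (setuid/setgid binaries, file capabilities).
NoNewPrivileges = yes
RestrictAddressFamilies = AF_UNIX AF_NETLINK
RestrictNamespaces = yes
RestrictRealtime = yes
RestrictSUIDSGID = yes
# Created under the runtime directory root; preserved when the service stops
# or restarts instead of being removed.
RuntimeDirectory = systemd/journal.%i
RuntimeDirectoryPreserve = yes
Sockets = systemd-journald@%i.socket
StandardOutput = null
# Only the native system call ABI is permitted, so the filter below cannot be
# sidestepped through a secondary ABI.
SystemCallArchitectures = native
# System calls outside the allow-list fail with EPERM instead of terminating
# the process.
SystemCallErrorNumber = EPERM
SystemCallFilter = @system-service
Type = notify
# Build-time placeholder, replaced when the unit is generated from this
# template. It must be written without embedded spaces, like the other
# @...@ placeholders in this file, or it will not be substituted and the
# literal text is left behind as an invalid line in the generated unit.
@SERVICE_WATCHDOG@
# If there are many split up journal files we need a lot of fds to access them
# all in parallel.
LimitNOFILE = @HIGH_RLIMIT_NOFILE@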