Support #22799
Review security hardening of systemd units used for services
Status: New
Priority: Normal
Assigned To: -
Category: Deployment
Target version: -
Due date:
Story points: -
Description
See what systemd offers to make it easy to run as non-privileged users while being able to access the arvados config file.
Updated by Brett Smith 11 months ago
The simplest way I've found to do this is:
- All our packages ensure an arvados group exists. (Maybe there's also a way to hook this into systemd?)
- All our service units say:
    [Service]
    DynamicUser=on
    SupplementaryGroups=arvados
Along with whatever other security options we want. source:services/api/arvados-railsapi.service is already doing a lot of this, but doing it with the www-data/nginx group instead (this gets added by the postinst since it's distro-specific). It would be easier to share across services if we created a dedicated group for Arvados services.
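A fuller unit along the lines of the comment above, as an added example that is not the Arvados project's own unit file. The unit name, the ExecStart path, the config file ownership and the extra hardening directives are assumptions chosen for illustration.

```ini
# /etc/systemd/system/arvados-example.service  (hypothetical unit name)
[Unit]
Description=Example Arvados service (illustrative)
After=network.target

[Service]
# Placeholder binary; substitute the real service executable.
ExecStart=/usr/bin/arvados-example

# Run under a transient UID/GID allocated at start and released at stop.
# This also implies PrivateTmp=yes, RemoveIPC=yes, ProtectSystem=strict,
# ProtectHome=read-only, NoNewPrivileges=yes and RestrictSUIDSGID=yes.
DynamicUser=on

# The transient user gets read access to the shared config through this
# group. The group must already exist: create it in the package postinst,
# or ship a sysusers.d fragment containing the line "g arvados -".
# Assumed config file ownership: root:arvados, mode 0640.
SupplementaryGroups=arvados

# Writable state, if any, goes under /var/lib/<name>, owned by the
# transient user and managed by systemd.
StateDirectory=arvados-example

# Additional hardening picked for this example, not taken from the page.
# An empty CapabilityBoundingSet= drops every capability, so a service
# that binds a port below 1024 would need CAP_NET_BIND_SERVICE here.
CapabilityBoundingSet=
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
LockPersonality=yes

[Install]
WantedBy=multi-user.target
```

Running `systemd-analyze security arvados-example.service` against the loaded unit lists which sandboxing directives are still unset.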
Updated by Brett Smith 10 months ago
- Related to Idea #22940: Deploy core services with an arvados group added
Updated by Brett Smith 9 months ago
- Target version deleted (Development 2025-08-06)