
Update systemd documentation

Open bastelfreak opened this issue 2 years ago • 1 comments

Hi, the wiki has a few pages about systemd units. I did some hardening which results in the following service file:

[Install]
WantedBy=multi-user.target

[Unit]
Description=PowerDNS-Admin
Requires=pdns.service
After=pdns.service

[Service]
Environment="FLASK_CONF=../configs/production.py"
Environment="FLASK_APP=powerdnsadmin/__init__.py"
User=powerdns-admin
Group=powerdns-admin
WorkingDirectory=/opt/powerdns-admin/PowerDNS-Admin/
ExecStart=/opt/powerdns-admin/PowerDNS-Admin/prod/bin/python run.py
PrivateTmp=true
RestrictSUIDSGID=true
NoNewPrivileges=true
RemoveIPC=true
PrivateDevices=true
PrivateMounts=true
ProtectProc=invisible
ProcSubset=pid
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET
RestrictRealtime=true
SystemCallArchitectures=native
ProtectHome=true
ProtectSystem=strict
MemoryDenyWriteExecute=true
LockPersonality=true
CapabilityBoundingSet=
SystemCallFilter=
SystemCallFilter=@network-io @file-system @basic-io @system-service
SystemCallFilter=~@aio @chown @clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap userfaultfd mincore
RestrictNamespaces=~user pid net uts mnt cgroup ipc
UMask=0077

[Install]
WantedBy=multi-user.target

  • for testing purposes, this uses the built-in webserver, but gunicorn would work as well
  • this allows IPv4 traffic to the service, meaning it has to connect to postgresql/mysql and powerdns via IPv4, and a web server needs to be configured in front of it
  • allowed syscalls are reduced to a minimum

You can analyze this on your own with systemd-analyze security $unit. I would have added it to the wiki, but I think I need write permissions for that? Maybe this unit file will help others. It has a systemd security score of 1.2.

bastelfreak, Sep 30 '22 18:09
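The post relies on two systemd parsing rules that are easy to get wrong when reviewing a unit like this: list-valued settings such as SystemCallFilter= accumulate across repeated assignments, and an empty assignment (SystemCallFilter=, CapabilityBoundingSet=) resets the list, which is why the unit clears the filter before building it up. The following checker is an added example written for this issue, not PowerDNS-Admin project code and not a replacement for systemd-analyze security. It parses a unit file with those rules, reports which hardening directives are present, and flags sections that appear twice. The LIST_VALUED and EXPECTED tables are the reviewer's own selection of directives from the posted unit, and SAMPLE_UNIT is a constructed, shortened copy of that unit with one extra SystemCallFilter=@system-service line placed before the reset so the reset behaviour is visible.

```python
"""Offline checker for systemd unit hardening directives (added example)."""
from collections import defaultdict

# Settings treated as list-valued: repeated assignments merge, an empty
# assignment resets (assumption: subset of systemd.exec(5)/systemd.unit(5)
# directives used in the posted unit).
LIST_VALUED = {"SystemCallFilter", "Environment", "RestrictAddressFamilies",
               "RestrictNamespaces", "CapabilityBoundingSet", "WantedBy"}

# Hardening directives a reviewer expects, with the expected value.
EXPECTED = {
    "NoNewPrivileges": "true",
    "PrivateTmp": "true",
    "ProtectSystem": "strict",
    "ProtectHome": "true",
    "MemoryDenyWriteExecute": "true",
    "SystemCallArchitectures": "native",
    "LockPersonality": "true",
}

# Constructed sample, shortened from the unit posted in this issue.
SAMPLE_UNIT = """\
[Install]
WantedBy=multi-user.target

[Unit]
Description=PowerDNS-Admin
Requires=pdns.service

[Service]
Environment="FLASK_CONF=../configs/production.py"
User=powerdns-admin
ExecStart=/opt/powerdns-admin/PowerDNS-Admin/prod/bin/python run.py
PrivateTmp=true
NoNewPrivileges=true
RestrictAddressFamilies=AF_INET
SystemCallArchitectures=native
ProtectHome=true
ProtectSystem=strict
MemoryDenyWriteExecute=true
LockPersonality=true
CapabilityBoundingSet=
SystemCallFilter=@system-service
SystemCallFilter=
SystemCallFilter=@network-io @file-system @basic-io @system-service
SystemCallFilter=~@privileged @setuid userfaultfd mincore
RestrictNamespaces=~user pid net uts mnt cgroup ipc
UMask=0077

[Install]
WantedBy=multi-user.target
"""


def parse_unit(text):
    """Return ({section: {key: value or list}}, [section names in order])."""
    sections = defaultdict(dict)
    order = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                                  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            order.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        if key in LIST_VALUED:
            if value == "":
                sections[current][key] = []           # empty assignment resets
            else:
                sections[current].setdefault(key, []).append(value)
        else:
            sections[current][key] = value            # last assignment wins
    return dict(sections), order


def duplicate_sections(order):
    """Names of sections that occur more than once, first-seen order."""
    seen, dups = set(), []
    for name in order:
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def missing_hardening(service):
    """EXPECTED directives absent from, or set differently in, [Service]."""
    return sorted(k for k, v in EXPECTED.items() if service.get(k) != v)


def check(text):
    """Parse a unit and summarise the hardening-relevant findings."""
    sections, order = parse_unit(text)
    service = sections.get("Service", {})
    return {
        "duplicate_sections": duplicate_sections(order),
        "missing_hardening": missing_hardening(service),
        "syscall_filter": service.get("SystemCallFilter", []),
        "bounding_set_empty": service.get("CapabilityBoundingSet") == [],
        "wanted_by": sections.get("Install", {}).get("WantedBy", []),
    }


if __name__ == "__main__":
    for name, value in check(SAMPLE_UNIT).items():
        print(f"{name}: {value}")
```

Running it shows the duplicate [Install] section is harmless (WantedBy= simply collects the same target twice), that the empty SystemCallFilter= line discards the earlier @system-service entry so only the two later assignments survive, and that CapabilityBoundingSet= resolves to an empty set rather than a missing setting.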

Hello,

Thanks for your feedback. We will add it to the documentation later. Keep this issue opened, we'll close it once it's in the docs.

Regards

jbe-dw, Oct 06 '22 21:10

Any reason the [Install] section is there twice?

dmcken, Dec 09 '22 01:12

Oops, that was a copy and paste error.

bastelfreak, Dec 09 '22 07:12

Ok, anyone able to confirm this all works before I update the docs?

dmcken, Dec 09 '22 15:12

@WhatshallIbreaktoday this is not the appropriate place to start a conversation for help on deployment. Please start a discussion instead.

AzorianMatt, Apr 14 '23 15:04

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. PDA is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Do not attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see our Contribution Guide.

github-actions[bot], Jul 14 '23 04:07

This issue has been automatically closed due to lack of activity. In an effort to reduce noise, please do not comment any further. Note that the core maintainers may elect to reopen this issue at a later date if deemed necessary.

github-actions[bot], Aug 13 '23 04:08