From ead9aaa3dd7ca48012b2b21cc930ee73c8eaa9d3 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Tue, 3 Nov 2020 03:15:10 +0100
Subject: Bacula: refactor systemd service files.

Use unit overrides on top of upstream's service files instead of overriding entire service files. In particular, upstream uses flag `-P` so we don't need to use RuntimeDirectory= anymore.

---
.../etc/systemd/system/bacula-director.service | 27 ----------------------
.../system/bacula-director.service.d/override.conf | 13 +++++++++++
roles/bacula-dir/tasks/main.yml | 14 +++++++----
.../files/etc/systemd/system/bacula-sd.service | 27 ----------------------
.../system/bacula-sd.service.d/override.conf | 13 +++++++++++
roles/bacula-sd/tasks/main.yml | 14 +++++++----
.../files/etc/systemd/system/bacula-fd.service | 25 --------------------
.../system/bacula-fd.service.d/override.conf | 13 +++++++++++
roles/common/tasks/bacula.yml | 22 ++++++++----------
9 files changed, 69 insertions(+), 99 deletions(-)
delete mode 100644 roles/bacula-dir/files/etc/systemd/system/bacula-director.service
create mode 100644 roles/bacula-dir/files/etc/systemd/system/bacula-director.service.d/override.conf
delete mode 100644 roles/bacula-sd/files/etc/systemd/system/bacula-sd.service
create mode 100644 roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf
delete mode 100644 roles/common/files/etc/systemd/system/bacula-fd.service
create mode 100644 roles/common/files/etc/systemd/system/bacula-fd.service.d/override.conf

diff --git a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service
deleted file mode 100644
index 8b2f5ff..0000000
--- a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service
+++ /dev/null
@@ -1,27 +0,0 @@
-[Unit]
-Description=Bacula Director service
-After=network.target
-
-[Service]
-Type=simple
-StandardOutput=syslog
-User=bacula
-Group=bacula
-ExecStart=/usr/sbin/bacula-dir -f -c /etc/bacula/bacula-dir.conf
-
-# Hardening
-NoNewPrivileges=yes
-PrivateDevices=yes
-ProtectHome=yes
-ProtectSystem=strict
-ReadWriteDirectories=-/var/lib/bacula
-ReadWriteDirectories=-/var/log/bacula
-RuntimeDirectory=bacula
-PrivateDevices=yes
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service.d/override.conf b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service.d/override.conf
new file mode 100644
index 0000000..f0d36c4
--- /dev/null
+++ b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service.d/override.conf
@@ -0,0 +1,13 @@
+[Service]
+# Hardening
+NoNewPrivileges=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=strict
+ReadWriteDirectories=-/var/lib/bacula
+ReadWriteDirectories=-/var/log/bacula
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
diff --git a/roles/bacula-dir/tasks/main.yml b/roles/bacula-dir/tasks/main.yml
index 2f7ab25..2fdb35b 100644
--- a/roles/bacula-dir/tasks/main.yml
+++ b/roles/bacula-dir/tasks/main.yml
@@ -12,7 +12,7 @@
 notify:
 - Restart bacula-director
-# Create with:
+# Populate with:
 # echo bconsole $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-dir
 # echo $sd-sd $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-dir
 # echo $fd-fd $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-dir
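Review bot: `PrivateDevices=yes` appears twice in the new bacula-director override (the fourth and the ninth directive), and the same duplicate is carried into the bacula-sd override; one of the two lines should go so the drop-in reads as the deliberate list it is. `ReadWriteDirectories=` is the pre-systemd-231 spelling of `ReadWritePaths=`; it is still accepted as an alias, but the current name is clearer to whoever reads the drop-in next. The drop-in now relies on upstream's unit for the `User=bacula`, `Group=bacula` and `ExecStart=` lines the deleted file set explicitly; that is presumably what the packaged unit ships, but it is worth confirming on the target release, because a director that upstream starts as root would silently lose the unprivileged-user protection the old unit had.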
@@ -41,9 +41,15 @@
 notify:
 - Restart bacula-director
-- name: Copy bacula-director.service
- copy: src=etc/systemd/system/bacula-director.service
- dest=/etc/systemd/system/bacula-director.service
+- name: Create /etc/systemd/system/bacula-director.service.d
+ file: path=/etc/systemd/system/bacula-director.service.d
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy bacula-director.service override
+ copy: src=etc/systemd/system/bacula-director.service.d/override.conf
+ dest=/etc/systemd/system/bacula-director.service.d/override.conf
 owner=root group=root
 mode=0644
 notify:
diff --git a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service
deleted file mode 100644
index 61ba01d..0000000
--- a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service
+++ /dev/null
@@ -1,27 +0,0 @@
-[Unit]
-Description=Bacula Storage Daemon service
-After=network.target
-
-[Service]
-Type=simple
-StandardOutput=syslog
-User=bacula
-Group=tape
-ExecStart=/usr/sbin/bacula-sd -f -c /etc/bacula/bacula-sd.conf
-
-# Hardening
-NoNewPrivileges=yes
-PrivateDevices=yes
-ProtectHome=yes
-ProtectSystem=strict
-ReadWriteDirectories=-/var/lib/bacula
-ReadWriteDirectories=/mnt/backup/bacula
-RuntimeDirectory=bacula
-PrivateDevices=yes
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-RestrictAddressFamilies=AF_INET AF_INET6
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf
new file mode 100644
index 0000000..e4ed970
--- /dev/null
+++ b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf
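Review bot: Nothing removes the `/etc/systemd/system/bacula-director.service` that earlier runs of this role installed, so on already-provisioned hosts the new drop-in is layered on top of the stale full override rather than on upstream's unit, and the `-P`/RuntimeDirectory reasoning in the commit message does not hold there; the same gap exists in the bacula-sd and bacula-fd task hunks. A task placed before the new copy task, such as `- name: Remove obsolete bacula-director.service` / `file: path=/etc/systemd/system/bacula-director.service state=absent` / `notify: systemctl daemon-reload`, would make the migration complete on old and new hosts alike. The copy task's `notify:` list continues outside the hunk.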
@@ -0,0 +1,13 @@
+[Unit]
+# Hardening
+NoNewPrivileges=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=strict
+ReadWriteDirectories=-/var/lib/bacula
+ReadWriteDirectories=/mnt/backup/bacula
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_INET AF_INET6
diff --git a/roles/bacula-sd/tasks/main.yml b/roles/bacula-sd/tasks/main.yml
index 93958a8..f30fe7f 100644
--- a/roles/bacula-sd/tasks/main.yml
+++ b/roles/bacula-sd/tasks/main.yml
@@ -1,7 +1,7 @@
 - name: Install bacula-sd
 apt: pkg=bacula-sd
-# Create with:
+# Populate with:
 # echo $director-dir $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-sd
 - name: Ensure /etc/bacula/passwords-sd exists
 file: path=/etc/bacula/passwords-sd
@@ -17,9 +17,15 @@
 notify:
 - Restart bacula-sd
-- name: Copy bacula-sd.service
- copy: src=etc/systemd/system/bacula-sd.service
- dest=/etc/systemd/system/bacula-sd.service
+- name: Create /etc/systemd/system/bacula-sd.service.d
+ file: path=/etc/systemd/system/bacula-sd.service.d
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy bacula-sd.service override
+ copy: src=etc/systemd/system/bacula-sd.service.d/override.conf
+ dest=/etc/systemd/system/bacula-sd.service.d/override.conf
 owner=root group=root
 mode=0644
 notify:
diff --git a/roles/common/files/etc/systemd/system/bacula-fd.service b/roles/common/files/etc/systemd/system/bacula-fd.service
deleted file mode 100644
index 119b3a2..0000000
--- a/roles/common/files/etc/systemd/system/bacula-fd.service
+++ /dev/null
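Review bot: The new bacula-sd override opens with `[Unit]`, but every directive under it (`NoNewPrivileges=`, `ProtectSystem=`, `ReadWriteDirectories=`, `RestrictAddressFamilies=`, …) is a `[Service]` setting; systemd logs each as an unknown key in section 'Unit' and ignores it, so the storage daemon will start with none of the sandboxing the deleted unit applied under `[Service]`. The first line should read `[Service]`, as the bacula-director and bacula-fd overrides in this same commit do. The deleted unit also set `Group=tape`, which the drop-in no longer carries; whether upstream's unit sets the same group is not visible here and is worth confirming, since device access for the storage daemon depends on it.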
@@ -1,25 +0,0 @@
-[Unit]
-Description=Bacula File Daemon service
-After=network.target
-
-[Service]
-Type=simple
-StandardOutput=syslog
-ExecStart=/usr/sbin/bacula-fd -f -c /etc/bacula/bacula-fd.conf
-
-# Hardening
-NoNewPrivileges=yes
-ProtectHome=read-only
-ProtectSystem=strict
-ReadWriteDirectories=/var/lib/bacula
-RuntimeDirectory=bacula
-PrivateTmp=yes
-PrivateDevices=yes
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-CapabilityBoundingSet=CAP_DAC_READ_SEARCH
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/common/files/etc/systemd/system/bacula-fd.service.d/override.conf b/roles/common/files/etc/systemd/system/bacula-fd.service.d/override.conf
new file mode 100644
index 0000000..537bf1e
--- /dev/null
+++ b/roles/common/files/etc/systemd/system/bacula-fd.service.d/override.conf
@@ -0,0 +1,13 @@
+[Service]
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=read-only
+ProtectSystem=strict
+ReadWriteDirectories=/var/lib/bacula
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
diff --git a/roles/common/tasks/bacula.yml b/roles/common/tasks/bacula.yml
index fb37b5b..308e358 100644
--- a/roles/common/tasks/bacula.yml
+++ b/roles/common/tasks/bacula.yml
@@ -10,7 +10,7 @@
 - name: Delete /etc/bacula/common_default_passwords
 file: path=/etc/bacula/common_default_passwords state=absent
-# Create with:
+# Populate with:
 # echo $director-dir $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-fd
 - name: Ensure /etc/bacula/passwords-fd exists
 file: path=/etc/bacula/passwords-fd
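Review bot: `CapabilityBoundingSet=CAP_DAC_READ_SEARCH` in a drop-in is merged with any bounding set upstream's bacula-fd.service already declares rather than replacing it (systemd ORs repeated assignments), so if the packaged unit grants more capabilities this line would not narrow them; an empty `CapabilityBoundingSet=` line immediately before the value resets the set and makes the result independent of what upstream ships. The same merge semantics apply to the list-valued `RestrictAddressFamilies=` and `ReadWriteDirectories=`; whether upstream sets any of them is not visible here and is worth checking with `systemctl show`. Separately, `ReadWriteDirectories=/var/lib/bacula` lacks the `-` prefix the director and sd overrides use, so in practice the unit fails to start when that directory is missing instead of ignoring it — reasonable if deliberate, but a comment such as `# no '-': the state directory must exist for the FD to run` would record that.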
@@ -54,23 +54,21 @@
 tags:
 - genkey
-- name: Copy bacula-fd.service
- copy: src=etc/systemd/system/bacula-fd.service
- dest=/etc/systemd/system/bacula-fd.service
+- name: Create /etc/systemd/system/bacula-fd.service.d
+ file: path=/etc/systemd/system/bacula-fd.service.d
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy bacula-fd.service override
+ copy: src=etc/systemd/system/bacula-fd.service.d/override.conf
+ dest=/etc/systemd/system/bacula-fd.service.d/override.conf
 owner=root group=root
 mode=0644
 notify:
 - systemctl daemon-reload
 - Restart bacula-fd
-# We use RuntimeDirectory in our service unit to avoid permission issues
-# caused by the restrictive Capability Bounding Set
-- name: Mask /usr/lib/tmpfiles.d/bacula.conf
- file: src=/dev/null
- dest=/etc/tmpfiles.d/bacula.conf
- owner=root group=root
- state=link
-
 - meta: flush_handlers
 - name: Enable bacula-fd
-- cgit v1.2.3
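Review bot: Dropping the Mask task leaves the `/etc/tmpfiles.d/bacula.conf` symlink to /dev/null in place on hosts provisioned by earlier runs, so upstream's tmpfiles snippet stays masked there even though the override no longer depends on it, and old and new hosts diverge; a replacement task `- name: Unmask /usr/lib/tmpfiles.d/bacula.conf` / `file: path=/etc/tmpfiles.d/bacula.conf state=absent` keeps them converged. The deleted comment was the only record of why the mask existed; a short note on the new copy task, along the lines of `# hardening only: upstream starts bacula-fd with -P, so no RuntimeDirectory= is needed`, would preserve that rationale for the next reader.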