68 lines
2.4 KiB
Diff
68 lines
2.4 KiB
Diff
From 1d9f43c5ecb20fe0a2a4abe9b94abd0d389edb40 Mon Sep 17 00:00:00 2001
|
|
From: Jack Ding <jack.ding@windriver.com>
|
|
Date: Mon, 14 May 2018 22:44:32 -0400
|
|
Subject: [PATCH 2/2] Add dependencies and comment out incompatible service
|
|
parameters
|
|
|
|
---
|
|
scripts/memcached.service | 14 +++++++-------
|
|
1 file changed, 7 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/scripts/memcached.service b/scripts/memcached.service
|
|
index 8e58485..021b8b4 100644
|
|
--- a/scripts/memcached.service
|
|
+++ b/scripts/memcached.service
|
|
@@ -12,7 +12,7 @@
|
|
[Unit]
|
|
Description=memcached daemon
|
|
Before=httpd.service
|
|
-After=network.target
|
|
+After=network-online.target
|
|
|
|
[Service]
|
|
EnvironmentFile=/etc/sysconfig/memcached
|
|
@@ -46,34 +46,34 @@ LimitNOFILE=16384
|
|
# Explicit module loading will be denied. This allows to turn off module load and unload
|
|
# operations on modular kernels. It is recommended to turn this on for most services that
|
|
# do not need special file systems or extra kernel modules to work.
|
|
-ProtectKernelModules=true
|
|
+#ProtectKernelModules=true
|
|
|
|
# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
|
|
# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
|
|
# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
|
|
# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
|
|
# recommended to turn this on for most services.
|
|
-ProtectKernelTunables=true
|
|
+#ProtectKernelTunables=true
|
|
|
|
# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
|
|
# made read-only to all processes of the unit. Except for container managers no services should
|
|
# require write access to the control groups hierarchies; it is hence recommended to turn this on
|
|
# for most services
|
|
-ProtectControlGroups=true
|
|
+#ProtectControlGroups=true
|
|
|
|
# Any attempts to enable realtime scheduling in a process of the unit are refused.
|
|
-RestrictRealtime=true
|
|
+#RestrictRealtime=true
|
|
|
|
# Restricts the set of socket address families accessible to the processes of this unit.
|
|
# Protects against vulnerabilities such as CVE-2016-8655
|
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
|
|
|
# Takes away the ability to create or manage any kind of namespace
|
|
-RestrictNamespaces=true
|
|
+#RestrictNamespaces=true
|
|
|
|
# WRS
|
|
Restart=always
|
|
-RestartSec=0
|
|
+RestartSec=10
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
--
|
|
1.8.3.1
|
|
|