# This is a generic systemd unit to run system-wide TTBD # # - run as root: systemctl enable ttbd@[tag].service # # Note it is set to user ttbd, so you will likely have permission # issues. For your system's deployment, you will want to copy this to # another name and set the ttbd user to the user who can access the # resources it will need. # # Requirements: # - Python package sdnotify (pip install sdnotify) # [Unit] Description = Test Targer Broker Daemon %I # We need network to be online (require) but want to start after it is # done starting Requires = network-online.target After = network-online.target # Say there is a daemon that controls the infrastructure #Requires = ttbd@infrastructure.service [Service] # Run ExcecStartPre as root PermissionsStartOnly = True # Some needed tools might configure themselves in /etc/environment # (-: do not fail if file does not exist) EnvironmentFile = -/etc/environment # - CAP_AUDIT_WRITE: [bounding] so sudo can send audit messages and # not die trying # - CAP_DAC_READ_SEARCH: [ambient] for ttbl.rsync.pci, which can be # started to serve images to install in other machines -- this is # dropped by the daemon and given to rsync as inherited capability # - CAP_DAC_OVERRIDE & CAP_FOWNER: [bounding] access files of other # users once we sudo # - CAP_NET_ADMIN: [ambient] to be able to setup network interfaces # - from within the daemon calling ip and other network setup tools # - CAP_NET_BIND_SERVICE: [ambient] to start dhcpd and # be able to attach to network ports < 1024 as given in # configuration (for example, to listen in well known ports) # - CAP_NET_RAW: for DHCPd and tcpdump # - CAP_SETUID & CAP_SETGID: [bounding] to be able to run # sudo/suid,sgid from inside us # - CAP_SYS_ADMIN: [bounding] so sudo-launched helpers can do stuff, # but the daemon itself doesn't need them. Things like re-reading # partition tables, etc # - CAP_SYS_CHROOT: [ambient] for running rsync as a server FIXME: # should we drop and just inherit like CAP_DAC_READ_SEARCH? AmbientCapabilities = \ CAP_DAC_READ_SEARCH \ CAP_NET_ADMIN \ CAP_NET_BIND_SERVICE \ CAP_NET_RAW \ CAP_SYS_CHROOT \ # Allow stuff started by this daemon to access the following # capabilities (but the daemon doesn't need them/use them): CapabilityBoundingSet = \ CAP_AUDIT_WRITE \ CAP_DAC_OVERRIDE \ CAP_DAC_READ_SEARCH \ CAP_FOWNER \ CAP_NET_ADMIN \ CAP_NET_BIND_SERVICE \ CAP_NET_RAW \ CAP_SETGID \ CAP_SETUID \ CAP_SYS_ADMIN \ CAP_SYS_CHROOT \ Type = notify User = ttbd Group = ttbd # audio&video so we can do audio/video capture SupplementaryGroups = dialout root kvm video audio # Clean compiled Python to avoid old files (from removed .py) ExecStartPre = /bin/rm -f /etc/ttbd-%i/*.pyc ExecStartPre = /usr/bin/install -vv -d --mode 2770 --owner ttbd --group ttbd /var/run/ttbd-%i /var/cache/ttbd-%i ExecStart = /usr/bin/ttbd -vv -w %i TimeoutSec = 300 NotifyAccess = all Restart = always # Send SIGKILL after 5s TimeoutStopSec = 5 # The cleanup thread has to ping systemd at regular internvals; we # give a long breather as sometimes targets get icky and # won't respond quick. 2m was tried but it was too short when we were # dealing with a recovery for a YK doing a power-{get,off} operation. WatchdogSec = 360 [Install] WantedBy = multi-user.target