commit:     b2cc4c52499d3a6cf509d7372a603bc265423c9e
Author:     Zac Medico <zachary.medico <AT> sony <DOT> com>
AuthorDate: Mon Jul 15 20:42:47 2019 +0000
Commit:     Zac Medico <zmedico <AT> gentoo <DOT> org>
CommitDate: Mon Jul 15 20:51:48 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b2cc4c52

app-admin/vault: increase max open files

See: 
https://learn.hashicorp.com/vault/operations/ops-deployment-guide#step-3-configure-systemd
Package-Manager: Portage-2.3.69, Repoman-2.3.16
Copyright: Sony Interactive Entertainment Inc.
Signed-off-by: Zac Medico <zmedico <AT> gentoo.org>

 app-admin/vault/files/vault.initd                  |  3 ++-
 app-admin/vault/files/vault.service                | 25 ++++++++++++++++------
 .../{vault-1.1.2.ebuild => vault-1.1.2-r1.ebuild}  |  0
 3 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/app-admin/vault/files/vault.initd 
b/app-admin/vault/files/vault.initd
index d430bb8d39a..e4bd3e7c13d 100644
--- a/app-admin/vault/files/vault.initd
+++ b/app-admin/vault/files/vault.initd
@@ -1,10 +1,11 @@
 #!/sbin/openrc-run
-# Copyright 2015-2017 Gentoo Foundation
+# Copyright 2015-2019 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 description="vault server"
 group=${group:-${RC_SVCNAME}}
 pidfile=${pidfile:-"/run/${RC_SVCNAME}.pid"}
+rc_ulimit=${rc_ulimit-"-n 65536"}
 user=${user:-${RC_SVCNAME}}
 
 command="/usr/bin/${RC_SVCNAME}"
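Review bot: The added `rc_ulimit=${rc_ulimit-"-n 65536"}` uses the `-` expansion while the `group`, `pidfile` and `user` lines around it use `:-`, so an `rc_ulimit` that is set but empty in conf.d is kept as-is and the service presumably starts without the raised descriptor limit. If that opt-out is intended, a comment above the line should say so, e.g. `# "-" rather than ":-": an empty rc_ulimit in conf.d disables the default`. If it is not intended, `:-` would match the neighbouring assignments. The script continues past the end of this hunk.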

diff --git a/app-admin/vault/files/vault.service 
b/app-admin/vault/files/vault.service
index 3071d034627..939d8cafc24 100644
--- a/app-admin/vault/files/vault.service
+++ b/app-admin/vault/files/vault.service
@@ -4,15 +4,28 @@ Requires=network-online.target
 After=network-online.target
 
 [Service]
-User=vault
 Environment=VAULT_SERVER_OPTS="-config=/etc/vault.d"
-ExecStart=/usr/bin/vault server $VAULT_SERVER_OPTS
-CapabilityBoundingSet=CAP_IPC_LOCK
-AmbientCapabilities=CAP_IPC_LOCK
-Capabilities=CAP_IPC_LOCK=ep
+User=vault
+Group=vault
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
 SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+Capabilities=CAP_IPC_LOCK+ep
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+NoNewPrivileges=yes
+ExecStart=/usr/bin/vault server $VAULT_SERVER_OPTS
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGINT
 Restart=on-failure
-SuccessExitStatus=2
+RestartSec=5
+TimeoutStopSec=30
+StartLimitIntervalSec=60
+StartLimitBurst=3
+LimitNOFILE=65536
 
 [Install]
 WantedBy=default.target
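Review bot: The capability settings end up wider than in the unit they replace: `CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK` adds CAP_SYSLOG to a bounding set that was CAP_IPC_LOCK only. Nothing visible in the unit needs it, since the process runs as `User=vault` with only CAP_IPC_LOCK ambient, so `CapabilityBoundingSet=CAP_IPC_LOCK` would keep the earlier least-privilege bound. `Capabilities=CAP_IPC_LOCK+ep` is a setting systemd has removed and only ignores for compatibility, so it can be dropped and `AmbientCapabilities=` left to grant the capability. `StartLimitIntervalSec=60` is, as far as I know, only recognised in `[Unit]`, which begins above this hunk; under `[Service]` it is likely to be logged as an unknown key and the 60-second window would not apply, so it should move there.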

diff --git a/app-admin/vault/vault-1.1.2.ebuild 
b/app-admin/vault/vault-1.1.2-r1.ebuild
similarity index 100%
rename from app-admin/vault/vault-1.1.2.ebuild
rename to app-admin/vault/vault-1.1.2-r1.ebuild
