On Tue, Feb 27, 2018 at 07:14:19PM +0100, Tim Düsterhus wrote:
> Willy,
>
> On 27.02.2018 at 18:33, Willy Tarreau wrote:
> > I think it could make sense to add such lines as a comment to the existing
> > files so that they serve as illustration of what can be done for users who
> > want to go further. Or maybe this is already well-known from systemd users,
> > I don't know.
> >
>
> Based on what I've seen the only services that use these in-depth
> sandboxing features are SystemD's own various daemons. One notable
> exception is the Debian packaging for Redis:
> https://github.com/lamby/pkg-redis/blob/1e044e79f26f85a4510c19883336a4fd2952dd9d/debian/bin/generate-systemd-service-files#L85-L103

OK, thanks for checking.

> I'm also totally fine with shipping these settings commented out to
> bring them to maintainer's attention. If you consider them useful as an
> example I would prepare patches that add example lines for modern
> SystemD versions as well as "safe" ones that should be compatible with
> almost any SystemD out there.

I'm personally fine with this. If nobody has any objection, I'll happily
merge this.

Thanks,
Willy