On 28.01.2015 at 12:11, Martin Gregorie wrote:
> On Tue, 2015-01-27 at 16:40 -0800, John Hardin wrote:
>> On Wed, 28 Jan 2015, Reindl Harald wrote:
>>> if I understand you correctly we agree that there is no reason /var can't be mounted read-only?
>> Other than the historical practice that /var is intended to contain varying data, and that implies read/write...
> Years ago I moved my Apache and my PostgreSQL installations from /var to /home. Both are happy in their new location, so I can't see why the same trick wouldn't work equally well for MySQL. Pick any place you want, e.g. its own partition, then you can mount it read-only and know you can't upset anything else by accident. I suspect that HR has done exactly that and symlinked the read-only partition into /var, which is another way of achieving the same end. The main reasons I moved Apache and PostgreSQL to /home were so I could back them up more easily and because /home has its own partition to make Fedora reinstalls/upgrades easier.
no need to mount own partitions on recent Linux systems, that's what namespaces are for and systemd has easy interfaces

my main point is that I don't want the locking IO when nothing but the self-developed maintenance scripts for the Bayes DB has any business writing anything there - it should be only read and, in the best case, opened only once by each spamc-forker in its lifetime for best performance
[root@testserver:~]$ cat /etc/systemd/system/spamassassin.service
[Unit]
Description=Spamassassin Daemon
After=network.service systemd-networkd.service network-online.target
Before=postfix.service

[Service]
Environment="TMPDIR=/tmp"
PermissionsStartOnly=true
ExecStartPre=/usr/bin/find /var/lib/spamassassin/ -type d -exec /bin/chmod 0755 "{}" \;
ExecStartPre=/usr/bin/find /var/lib/spamassassin/ -type f -exec /bin/chmod 0644 "{}" \;
ExecStart=/usr/bin/spamd -c -H --max-children=10 --min-children=1 --min-spare=1 --max-spare=3 --port=10028
ExecReload=/usr/bin/kill -HUP $MAINPID
Environment="LANG=en_GB.UTF-8"
User=sa-milt
Group=sa-milt
Nice=15
StandardOutput=null
StandardError=null
SyslogFacility=mail
Restart=always
RestartSec=1
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_WRITE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE CAP_SYS_PTRACE
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
InaccessibleDirectories=-/var/lib/spamassassin-milter/training
InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/media
InaccessibleDirectories=-/root
InaccessibleDirectories=-/etc/dbus-1
InaccessibleDirectories=-/etc/modprobe.d
InaccessibleDirectories=-/etc/modules-load.d
InaccessibleDirectories=-/etc/postfix
InaccessibleDirectories=-/etc/ssh
InaccessibleDirectories=-/etc/sysctl.d
InaccessibleDirectories=-/run/console
InaccessibleDirectories=-/run/dbus
InaccessibleDirectories=-/run/lock
InaccessibleDirectories=-/run/mount
InaccessibleDirectories=-/run/systemd/generator
InaccessibleDirectories=-/run/systemd/system
InaccessibleDirectories=-/run/systemd/users
InaccessibleDirectories=-/run/udev
InaccessibleDirectories=-/run/user
InaccessibleDirectories=-/usr/lib64/dbus-1
InaccessibleDirectories=-/usr/lib64/xtables
InaccessibleDirectories=-/usr/lib/dracut
InaccessibleDirectories=-/usr/libexec/iptables
InaccessibleDirectories=-/usr/libexec/openssh
InaccessibleDirectories=-/usr/libexec/postfix
InaccessibleDirectories=-/usr/lib/grub
InaccessibleDirectories=-/usr/lib/kernel
InaccessibleDirectories=-/usr/lib/modprobe.d
InaccessibleDirectories=-/usr/lib/modules
InaccessibleDirectories=-/usr/lib/modules-load.d
InaccessibleDirectories=-/usr/lib/rpm
InaccessibleDirectories=-/usr/lib/sysctl.d
InaccessibleDirectories=-/usr/lib/udev
InaccessibleDirectories=-/usr/local/scripts
InaccessibleDirectories=-/var/db
InaccessibleDirectories=-/var/lib/dbus
InaccessibleDirectories=-/var/lib/dnf
InaccessibleDirectories=-/var/lib/rpm
InaccessibleDirectories=-/var/lib/systemd
InaccessibleDirectories=-/var/lib/yum
InaccessibleDirectories=-/var/spool
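A small checker, added here as an illustration and not part of the mail or of systemd, that reads the ReadOnlyDirectories=/InaccessibleDirectories= lines of a unit like the one above and answers "what does spamd see at this path?" It assumes that nested entries stack like bind mounts, so the longest matching prefix decides (an approximation of systemd's behaviour, not its code), and it embeds a constructed excerpt of the unit rather than the full list.

```python
import re

# Constructed excerpt of the unit shown above; only the directives the
# checker needs (the real unit lists many more InaccessibleDirectories=).
UNIT_TEXT = """\
[Service]
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
InaccessibleDirectories=-/var/lib/spamassassin-milter/training
InaccessibleDirectories=-/var/spool
"""

# Access class per directive. A longer matching prefix overrides a shorter
# one; this approximates how systemd stacks the bind mounts (assumption).
DIRECTIVES = {
    "ReadWriteDirectories": "rw",
    "ReadOnlyDirectories": "ro",
    "InaccessibleDirectories": "none",
}

def parse_unit(text):
    """Return [(path, access, ignore_missing)] for the namespace directives."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)=(.*)", line)
        if not m or m.group(1) not in DIRECTIVES:
            continue
        for tok in m.group(2).split():          # one line may list several paths
            ignore_missing = tok.startswith("-")  # "-" means: skip if absent
            path = tok.lstrip("-").rstrip("/") or "/"
            rules.append((path, DIRECTIVES[m.group(1)], ignore_missing))
    return rules

def effective_access(path, rules, default="rw"):
    """Longest-prefix match of an absolute path against the parsed rules."""
    best_len, best = -1, default
    for rule_path, access, _ in rules:
        prefix = rule_path.rstrip("/") + "/"
        if (path == rule_path or path.startswith(prefix)) and len(rule_path) > best_len:
            best_len, best = len(rule_path), access
    return best

def bayes_is_readonly(rules, bayes_dir="/var/lib/spamassassin"):
    """The goal stated in the mail: spamd must only ever read the Bayes DB."""
    return effective_access(bayes_dir, rules) == "ro"

if __name__ == "__main__":
    rules = parse_unit(UNIT_TEXT)
    for p in ("/var/lib/spamassassin/bayes_toks", "/var/spool/postfix", "/tmp/spamd.sock"):
        print(p, effective_access(p, rules))
```

Paths under /tmp come back "rw" because no directive covers them; with PrivateTmp=yes that is the service's private /tmp, not the host's.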