22489: Add Ansible playbooks to build Docker and test nodes
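### This file is managed by Ansible
# Copyright (C) The Arvados Authors. All rights reserved.
#
# SPDX-License-Identifier: Apache-2.0

# check-outbound-network.service: repeatedly probes one outbound TCP
# connection and is ordered before the SSH daemon, so SSH does not start
# until the probe has succeeded or this unit has given up.

[Unit]
Description=Wait for outbound network connections to succeed
# Ordering only: the listed units are held back until this unit has finished
# starting. Both ssh.service and sshd.service are named, presumably to cover
# the different unit names distributions use for the SSH daemon.
Before=ssh.service sshd.service

[Install]
# Enabling this unit makes it a Wants= dependency of the SSH units. Wants= is
# a weak dependency: if the probe fails or times out, SSH is still started,
# so a host without outbound connectivity remains reachable for repair.
WantedBy=ssh.service sshd.service

[Service]
# oneshot: the unit only counts as started once the ExecStart command exits.
Type=oneshot
# Upper bound on the wait. When it expires systemd terminates the loop and
# marks this unit failed.
TimeoutStartSec=9min
# Retry once per second until a TCP connection to git.arvados.org:443 opens.
# nc -z connects without sending data; -w1 caps each attempt at one second.
# The trailing ":" makes the shell exit with status 0 once the loop ends.
ExecStart=/bin/sh -c 'while ! nc -w1 -z git.arvados.org 443; do sleep 1s; done;:'

### Everything below this line is security boilerplate
# Run as a transient unprivileged user allocated at start. This also implies
# ProtectSystem=strict, PrivateTmp=, RemoveIPC= and NoNewPrivileges=.
DynamicUser=on
# Empty bounding set: the service can never hold any capability.
CapabilityBoundingSet=
# Device access limited to the standard pseudo devices (/dev/null, /dev/zero,
# /dev/random and similar).
DevicePolicy=closed
# Execution domain cannot be changed with personality(2).
LockPersonality=on
# No memory mappings that are both writable and executable.
MemoryDenyWriteExecute=on
# Private /dev containing only pseudo devices; no physical devices.
PrivateDevices=on
# Own mount namespace; mounts made here do not propagate to the host.
PrivateMounts=on
# Own user namespace with a minimal user/group mapping.
PrivateUsers=on
# The control group hierarchy is read-only for the service.
ProtectControlGroups=on
# /home, /root and /run/user appear empty and inaccessible (stricter than the
# read-only setting DynamicUser= implies).
ProtectHome=on
# Kernel modules cannot be loaded or unloaded.
ProtectKernelModules=on
# Kernel tunables under /proc/sys, /sys and similar are read-only.
ProtectKernelTunables=on
# Socket address families the service may use. AF_INET/AF_INET6 carry the
# probe itself; AF_UNIX and AF_NETLINK are presumably needed for name
# resolution - NOTE(review): confirm before narrowing this list.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
# No new namespaces of any type may be created.
RestrictNamespaces=on
# Realtime scheduling policies cannot be requested.
RestrictRealtime=on
# Only the native ABI may issue system calls. systemd.exec(5) recommends
# combining this with RestrictAddressFamilies=, MemoryDenyWriteExecute= and
# the other seccomp-based settings above, because on multi-ABI machines
# (for example x86-64 with 32-bit support) the secondary ABI can otherwise
# be used to get around them.
SystemCallArchitectures=native
# System calls outside the filter fail with EPERM instead of killing the
# process.
SystemCallErrorNumber=EPERM
# Allow-list: only the predefined @system-service set of system calls.
SystemCallFilter=@system-service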