services/api/arvados-railsapi.service

   1 # Copyright (C) The Arvados Authors. All rights reserved.
   2 #
   3 # SPDX-License-Identifier: AGPL-3.0
   4
   5 [Unit]
   6 Description=Arvados API server Rails backend
   7 Documentation=https://doc.arvados.org/
   8 After=network.target
   9 AssertPathExists=/etc/arvados/config.yml
  10 StartLimitIntervalSec=0
  11
  12 [Install]
  13 WantedBy=multi-user.target
  14
  15 [Service]
  16 # It would be nicer to write a Type=simple process, but then Passenger
  17 # duplicates a lot of logs to stdout.
  18 Type=forking
  19 PIDFile=%t/%N/passenger.pid
  20 EnvironmentFile=-/etc/arvados/environment
  21 # Passenger web server settings come from (highest precedence first):
  22 # 1. Command line options
  23 # 2. PASSENGER_* environment variables
  24 # 3. /var/www/arvados-api/current/Passengerfile.json
  25 # You can change or add settings for this unit by running
  26 # `systemctl edit arvados-railsapi.service`.
  27 # Refer to the Passenger standalone configuration reference at
  28 # <https://www.phusionpassenger.com/library/config/standalone/reference>
  29 # for more information about options.
  30 Environment=PASSENGER_ADDRESS=localhost
  31 Environment=PASSENGER_ENVIRONMENT=production
  32 Environment=PASSENGER_LOG_FILE=log/production.log
  33 Environment=PASSENGER_PORT=8004
  34 WorkingDirectory=/var/www/arvados-api/current
  35 ExecStartPre=+/bin/install -d log tmp
  36 ExecStartPre=+/bin/chmod g+srwx log tmp
  37 ExecStartPre=+-/bin/chmod g+rw ${PASSENGER_LOG_FILE}
  38 # Note that `bundle exec` lines should have overrides from the package that
  39 # use specific versions of `bundle` and `passenger`.
  40 ExecStart=/usr/bin/bundle exec passenger start --daemonize --pid-file %t/%N/passenger.pid
  41 ExecStop=/usr/bin/bundle exec passenger stop --pid-file %t/%N/passenger.pid
  42 ExecReload=/usr/bin/bundle exec passenger-config reopen-logs
  43 Restart=always
  44 RestartSec=1
  45
  46 ReadWritePaths=/var/www/arvados-api/current/log
  47 ReadWritePaths=/var/www/arvados-api/current/tmp
  48 ReadWritePaths=/var/www/arvados-api/shared/log
  49 RuntimeDirectory=%N
  50
  51 DynamicUser=true
  52 PrivateTmp=true
  53 ProtectControlGroups=true
  54 ProtectHome=true
  55 ProtectSystem=strict
  56
  57 LockPersonality=true
  58 NoNewPrivileges=true
  59 MemoryDenyWriteExecute=true
  60 PrivateDevices=true
  61 ProtectKernelModules=true
  62 ProtectKernelTunables=true
  63 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
  64 RestrictNamespaces=true
  65 RestrictRealtime=true
  66 SystemCallFilter=@system-service