Commit af8b59d

Revise systemd service configuration for Yellowstone Jet (#115)
* Revise systemd service configuration for Yellowstone Jet

  Updated the systemd service configuration for Yellowstone Jet, including configuring resource limits and security settings.

* jet service file
1 parent c74a92b commit af8b59d

2 files changed

+56
-36
lines changed

README.md

Lines changed: 7 additions & 36 deletions
@@ -34,43 +34,14 @@ A sample configuration file can be found [config.yml](https://github.com/rpcpool
3434

3535
### Systemd
3636

37-
Running Jet as a service under SystemD is our recommended approach. A sample systemd file:
37+
Running Jet as a service under SystemD is our recommended approach. A sample systemd file is provided at [systemd/yellowstone-jet.service](systemd/yellowstone-jet.service).
3838

39-
```
40-
[Unit]
41-
Description=Yellowstone Jet transaction forwarder
42-
After=network-online.target
43-
StartLimitInterval=0
44-
StartLimitIntervalSec=0
45-
46-
[Service]
47-
Type=simple
48-
User=yellowstone-jet
49-
Group=yellowstone-jet
50-
PermissionsStartOnly=true
51-
ExecStart=/usr/local/bin/yellowstone-jet --config /etc/yellowstone-jet.yml
52-
53-
Environment=RUST_LOG="warn"
54-
55-
SyslogIdentifier=yellowstone-jet
56-
KillMode=process
57-
Restart=always
58-
RestartSec=5
59-
60-
LimitNOFILE=700000
61-
LimitNPROC=700000
62-
63-
LockPersonality=true
64-
NoNewPrivileges=true
65-
PrivateTmp=true
66-
ProtectHome=true
67-
RemoveIPC=true
68-
RestrictSUIDSGID=true
69-
70-
ProtectSystem=full
71-
72-
[Install]
73-
WantedBy=multi-user.target
39+
To install:
40+
41+
```bash
42+
sudo cp systemd/yellowstone-jet.service /etc/systemd/system/
43+
sudo systemctl daemon-reload
44+
sudo systemctl enable --now yellowstone-jet
7445
```
7546

7647
## Attribution
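
Review bot: The new install steps (added README lines 39-44) never say where the configuration file has to live, although the unit they install starts Jet with `--config /etc/yellowstone-jet/config.yml` rather than the `/etc/yellowstone-jet.yml` path used by the removed inline sample. Add a step that places the config at `/etc/yellowstone-jet/config.yml` before `systemctl enable --now yellowstone-jet`, and add a short upgrade note for existing installs: the old path is no longer read, and the service no longer runs as the static `yellowstone-jet` user and group. Because the unit sets `Restart=always` with `StartLimitIntervalSec=0`, a process that exits on a missing config would be restarted every 5 seconds without ever hitting a start limit. It would also help to copy the unit with explicit ownership and mode (for example `sudo install -m 0644 -o root -g root ...`) instead of plain `cp`.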

systemd/yellowstone-jet.service

Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,49 @@
1+
[Unit]
2+
Description=Yellowstone Jet transaction forwarder
3+
After=network-online.target
4+
Wants=network-online.target
5+
StartLimitIntervalSec=0
6+
7+
[Service]
8+
Type=simple
9+
DynamicUser=yes
10+
ConfigDirectory=yellowstone-jet
11+
12+
ExecStart=/usr/local/bin/yellowstone-jet --config /etc/yellowstone-jet/config.yml
13+
14+
Environment=RUST_LOG="warn"
15+
Restart=always
16+
RestartSec=5
17+
18+
# Resource Limits
19+
LimitNOFILE=700000
20+
LimitNPROC=700000
21+
22+
# File System Sandboxing
23+
ProtectSystem=strict
24+
ProtectHome=yes
25+
PrivateTmp=yes
26+
PrivateDevices=yes
27+
ProtectHostname=yes
28+
ProtectClock=yes
29+
ProtectKernelTunables=yes
30+
ProtectKernelModules=yes
31+
ProtectKernelLogs=yes
32+
ProtectControlGroups=yes
33+
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
34+
RestrictNamespaces=yes
35+
LockPersonality=yes
36+
MemoryDenyWriteExecute=yes
37+
RestrictRealtime=yes
38+
RestrictSUIDSGID=yes
39+
RemoveIPC=yes
40+
PrivateUsers=yes
41+
42+
# Privilege Escalation & System Calls
43+
NoNewPrivileges=yes
44+
SystemCallFilter=@system-service
45+
SystemCallErrorNumber=EPERM
46+
SystemCallArchitectures=native
47+
48+
[Install]
49+
WantedBy=multi-user.target
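
Review bot: `ConfigDirectory=yellowstone-jet` on line 10 is not a systemd directive; the key is `ConfigurationDirectory=`. systemd logs an unknown-key warning and ignores the line, so `/etc/yellowstone-jet` is neither created nor managed by the unit, and the `ExecStart=` path on line 12 depends entirely on the operator creating it by hand. Change it to `ConfigurationDirectory=yellowstone-jet`, and since line 9 sets `DynamicUser=yes`, state which mode the config file needs so a transient UID can read it (`ConfigurationDirectoryMode=` is available if the default is too open for a file that may hold credentials). Running `systemd-analyze verify systemd/yellowstone-jet.service` in CI would catch this class of typo. Smaller points: `DynamicUser=yes` already implies several of the settings listed below it (`PrivateTmp=`, `RemoveIPC=`, `NoNewPrivileges=`, `RestrictSUIDSGID=`, `ProtectSystem=strict`), which is fine to keep for explicitness but worth a comment; the "File System Sandboxing" comment heads a block that also contains non-filesystem settings such as `RestrictAddressFamilies=` and `MemoryDenyWriteExecute=`; and `SyslogIdentifier=yellowstone-jet` and `KillMode=process` from the previous sample are dropped without mention in the commit message.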
