mastodon/dist/mastodon-sidekiq.service

[Unit]
Description=mastodon-sidekiq
After=network.target

[Service]
Type=simple
User=mastodon
WorkingDirectory=/home/mastodon/live
Environment="RAILS_ENV=production"
Environment="DB_POOL=25"
Environment="MALLOC_ARENA_MAX=2"
Environment="LD_PRELOAD=libjemalloc.so"
ExecStart=/home/mastodon/.rbenv/shims/bundle exec sidekiq -c 25
TimeoutSec=15
Restart=always
# Capabilities
CapabilityBoundingSet=
# Security
NoNewPrivileges=true
# Sandboxing
ProtectSystem=strict
PrivateTmp=true
PrivateDevices=true
PrivateUsers=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET
RestrictAddressFamilies=AF_INET6
RestrictAddressFamilies=AF_NETLINK
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=true
LockPersonality=true
RestrictRealtime=true
RestrictSUIDSGID=true
PrivateMounts=true
ProtectClock=true
# System Call Filtering
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap

[Install]
WantedBy=multi-user.target
Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 16:46:05 +02:00			`[Unit]`
			`Description=mastodon-sidekiq`
			`After=network.target`

			`[Service]`
			`Type=simple`
			`User=mastodon`
			`WorkingDirectory=/home/mastodon/live`
			`Environment="RAILS_ENV=production"`
			`Environment="DB_POOL=25"`
			`Environment="MALLOC_ARENA_MAX=2"`
Preload libjemalloc.so for long-running Ruby (#16462) Always mark jemalloc needed if jemalloc is enabled by akihikodaki · Pull Request #4627 · ruby/ruby https://github.com/ruby/ruby/pull/4627 > Symbols exported by jemalloc is referred by the shared library but not > by the executables when building Ruby as a shared library with > jemalloc. It causes shared libraries such as the GNU C++ library > occasionally rely on the memory allocator provided by the standard C > library. Worse, the resolved symbols can later be replaced with > jemalloc, and jemalloc may see pointers from the standard C library, > which results in various failures. > e.g. https://github.com/tootsuite/mastodon/issues/15751 As a workaround, do not rely on jemalloc enablement of Ruby, and preload libjemalloc.so instead. 2021-07-06 02:16:35 +09:00			`Environment="LD_PRELOAD=libjemalloc.so"`
Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 16:46:05 +02:00			`ExecStart=/home/mastodon/.rbenv/shims/bundle exec sidekiq -c 25`
			`TimeoutSec=15`
			`Restart=always`
templates/systemd/mastodon: enable sandbox mode (#15937) 2021-03-24 12:46:13 +03:00			`# Capabilities`
			`CapabilityBoundingSet=`
			`# Security`
			`NoNewPrivileges=true`
			`# Sandboxing`
			`ProtectSystem=strict`
			`PrivateTmp=true`
			`PrivateDevices=true`
			`PrivateUsers=true`
			`ProtectHostname=true`
			`ProtectKernelLogs=true`
			`ProtectKernelModules=true`
			`ProtectKernelTunables=true`
			`ProtectControlGroups=true`
			`RestrictAddressFamilies=AF_INET`
			`RestrictAddressFamilies=AF_INET6`
			`RestrictAddressFamilies=AF_NETLINK`
			`RestrictAddressFamilies=AF_UNIX`
			`RestrictNamespaces=true`
			`LockPersonality=true`
			`RestrictRealtime=true`
			`RestrictSUIDSGID=true`
			`PrivateMounts=true`
			`ProtectClock=true`
			`# System Call Filtering`
			`SystemCallArchitectures=native`
templates/systemd/mastodon: optimize SystemCallFilters (#16127) 2021-04-27 21:34:53 +03:00			`SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap`
Add nginx and systemd templates (#8770) So they can be copied during installation instead of looking them up in the documentation Make default sidekiq configuration use weighted queues Remove deprecated docs directory 2018-09-24 16:46:05 +02:00
			`[Install]`
			`WantedBy=multi-user.target`