1
0
mirror of https://github.com/tommytran732/Fedora-CoreOS-Ignition synced 2024-11-22 17:21:34 -05:00
Fedora-CoreOS-Ignition/etc/systemd/system/gvisor-updater.service

50 lines
1.7 KiB
SYSTEMD
Raw Normal View History

2024-06-28 19:13:33 -04:00
[Unit]
Description=Update gVisor
After=network-online.target
Before=docker.service
[Service]
Type=oneshot
RuntimeDirectory=gvisor-updater
WorkingDirectory=/run/gvisor-updater
ExecStart=/usr/bin/sleep 5
ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc
ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512
ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1
ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512
ExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512
ExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512
ExecStart=+/usr/bin/chown root:root runsc containerd-shim-runsc-v1
ExecStart=+/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1
ExecStart=+/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin
ExecStart=+/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc
DynamicUser=true
CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateIPC=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
RuntimeDirectoryMode=700
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@obsolete
[Install]
WantedBy=multi-user.target