From bb8041a73ae8f9666f61e9ae021b6cb46980d45f Mon Sep 17 00:00:00 2001
From: Tommy
Date: Fri, 28 Jun 2024 16:13:33 -0700
Subject: [PATCH] New gvisor-updater.service

---
 etc/systemd/system/gvisor-updater.service | 50 +++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 etc/systemd/system/gvisor-updater.service

diff --git a/etc/systemd/system/gvisor-updater.service b/etc/systemd/system/gvisor-updater.service
new file mode 100644
index 0000000..3da037a
--- /dev/null
+++ b/etc/systemd/system/gvisor-updater.service
@@ -0,0 +1,50 @@
+[Unit]
+Description=Update gVisor
+After=network-online.target
+Before=docker.service
+
+[Service]
+Type=oneshot
+RuntimeDirectory=gvisor-updater
+WorkingDirectory=/run/gvisor-updater
+ExecStart=/usr/bin/sleep 5
+ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc
+ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512
+ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1
+ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512
+ExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512
+ExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512
+ExecStart=+/usr/bin/chown root:root runsc containerd-shim-runsc-v1
+ExecStart=+/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1
+ExecStart=+/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin
+ExecStart=+/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc
+
+DynamicUser=true
+CapabilityBoundingSet=
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RuntimeDirectoryMode=700
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@obsolete
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
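Review bot: `After=network-online.target` on its own only orders against the target and does not pull it in, so at boot the curl lines may run before the network is up and the `ExecStart=/usr/bin/sleep 5` reads like a workaround for exactly that; add `Wants=network-online.target` to the [Unit] section and the sleep can go. The `.sha512` files are fetched from the same origin as the binaries, so `sha512sum -c` catches a truncated or corrupted download but not a substituted release, and `-O` without `--fail` saves an HTTP error body as the file, so a comment above the curl lines stating that the checksum is an integrity check only (and `curl -fsS -O` on all four lines so a non-2xx response fails the unit at download time) would make the trust assumption explicit. `RestrictAddressFamilies=` with an empty value undoes address-family restrictions rather than denying every family (unlike the empty `CapabilityBoundingSet=`, which does drop all capabilities), so as written it is a no-op; `RestrictAddressFamilies=AF_INET AF_INET6` is the intended form, possibly with AF_UNIX if name resolution on this host goes through a local socket. `/usr/bin/mv` from /run (presumably tmpfs) into /var/usrlocal/bin crosses filesystems and becomes a copy-then-unlink rather than an atomic rename, so anything executing `runsc` or the shim mid-update can observe a partial file; copying to a temporary name inside /var/usrlocal/bin and renaming into place avoids that, and the `chcon` line then only relabels `runsc` while the shim keeps whatever label it was created with, which is worth confirming against the host's file-context rules.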