Hardened systemd unit file for xo-server
It's generally considered risky to have long-running, network-facing daemons with root privileges. And while you can run Xen Orchestra as an unprivileged user, some functionality will be missing.
A good compromise is to run Xen Orchestra with restricted root privileges. The service file below should considerably limit the possibility of the xo-server daemon to misbehave.

    [Unit]
    Description=Xen-Orchestra server
    After=network-online.target

    [Service]
    WorkingDirectory=/opt/xen-orchestra/packages/xo-server/
    ExecStart=/usr/bin/node ./bin/xo-server
    Restart=always
    SyslogIdentifier=xo-server
    NoNewPrivileges=yes
    PrivateTmp=yes
    DevicePolicy=closed
    DeviceAllow=block-loop rwm
    DeviceAllow=/dev/fuse rwm
    ProtectSystem=strict
    ReadWritePaths=/var/lib/xo-server
    ProtectHome=read-only
    ProtectControlGroups=yes
    ProtectKernelModules=yes
    ProtectKernelTunables=yes
    RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
    RestrictRealtime=yes
    RestrictNamespaces=yes

    [Install]
    WantedBy=multi-user.target

If you store backups locally you need to add an extra ReadWritePaths entry, and if you use the file restore feature, you need to make sure the loop kernel module is loaded at boot.
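To audit a deployed unit against the sandboxing directives above, and to confirm that a local backup directory falls under a ReadWritePaths entry, shell functions like the following can be used. This is an added example, not part of the original post; the function names and the sample unit are constructed for illustration.

```shell
# Added example (not from the post): audit a unit for the post's hardening lines.

# Directive=value pairs exactly as they appear in the post's unit file.
REQUIRED='NoNewPrivileges=yes
PrivateTmp=yes
DevicePolicy=closed
ProtectSystem=strict
ProtectHome=read-only
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictRealtime=yes
RestrictNamespaces=yes'

# Print each required directive that unit file $1 does not contain verbatim.
missing_hardening() {
    printf '%s\n' "$REQUIRED" | while IFS= read -r want; do
        grep -qxF -- "$want" "$1" || printf '%s\n' "$want"
    done
}

# Succeed if directory $2 equals, or lies below, a ReadWritePaths entry in $1.
# The "/" appended before matching stops /srv/a from covering /srv/a-old.
rw_path_covers() {
    dir=${2%/}
    for entry in $(sed -n 's/^ReadWritePaths=//p' "$1"); do
        case "$dir/" in "${entry%/}"/*) return 0 ;; esac
    done
    return 1
}

# Constructed sample: the post's sandboxing lines with two directives removed.
write_sample() {
    cat >"$1" <<'EOF'
[Service]
NoNewPrivileges=yes
PrivateTmp=yes
DevicePolicy=closed
ProtectSystem=strict
ReadWritePaths=/var/lib/xo-server
ProtectHome=read-only
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictNamespaces=yes
EOF
}
unit=$(mktemp) && write_sample "$unit"
missing_hardening "$unit"
rm -f "$unit"
```

A backup directory for which `rw_path_covers` fails is read-only to the service under ProtectSystem=strict, which is the case the extra ReadWritePaths entry addresses.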