Hardened systemd unit file for xo-server



  • It's generally considered risky to have long-running, network-facing daemons with root privileges. And while you can run Xen Orchestra as an unprivileged user, some functionality will be missing.

    A good compromise is to run Xen Orchestra with restricted root privileges. The service file below should considerably limit the xo-server daemon's ability to misbehave.

    [Unit]
    Description=Xen-Orchestra server
    # After= only orders against network-online.target; Wants= is what pulls
    # it in, otherwise the daemon may start before the network is up
    Wants=network-online.target
    After=network-online.target
    
    [Service]
    WorkingDirectory=/opt/xen-orchestra/packages/xo-server/
    ExecStart=/usr/bin/node ./bin/xo-server
    Restart=always
    SyslogIdentifier=xo-server
    # No setuid/setgid/capability gains for the process or anything it spawns
    NoNewPrivileges=yes
    PrivateTmp=yes
    # Hide all device nodes except the safe default set, then re-allow what
    # file restore needs: loop block devices and FUSE
    DevicePolicy=closed
    DeviceAllow=block-loop rwm
    DeviceAllow=/dev/fuse rwm
    # Whole filesystem read-only (except /dev, /proc and /sys); list every
    # path the daemon legitimately writes to
    ProtectSystem=strict
    ReadWritePaths=/var/lib/xo-server
    ProtectHome=read-only
    ProtectControlGroups=yes
    ProtectKernelModules=yes
    ProtectKernelTunables=yes
    # Only the socket families it needs; AF_NETLINK is used by getifaddrs()
    # for interface enumeration on Linux
    RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
    RestrictRealtime=yes
    RestrictNamespaces=yes
    
    [Install]
    WantedBy=multi-user.target
    

    If you store backups locally, you need to add an extra ReadWritePaths entry, and if you use the file restore feature, you need to make sure the loop kernel module is loaded at boot.


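The two follow-ups the post mentions (a writable local backup directory under ProtectSystem=strict, and the loop module for file restore) as a worked example. This is an added example, not code from the post or from the Xen Orchestra project. It assumes an illustrative backup path of /mnt/xo-backups, a drop-in file name of its own choosing, and a ROOT prefix so it can be exercised against a scratch directory instead of the real /etc (leave ROOT empty on a real host). It also includes an offline check that tells you whether a given path would be writable under the unit plus its drop-ins before you restart the service.

```shell
#!/bin/sh
# Added example, not code from the forum post or from Xen Orchestra.
# Extends the hardened xo-server unit for the two cases the post mentions:
# a local backup directory that must be writable despite ProtectSystem=strict,
# and the loop module needed by the file restore feature.
#
# Assumptions: ROOT is a prefix so the script can be exercised against a
# scratch directory (leave it empty on a real host); the drop-in file name and
# the backup path /mnt/xo-backups are illustrative choices.
set -eu

ROOT="${ROOT:-}"
UNIT="xo-server.service"

# Create a drop-in (what `systemctl edit xo-server` would produce) that adds a
# ReadWritePaths entry. Drop-ins merge with the unit file, so the hardened unit
# itself stays untouched and survives updates. Prints the drop-in path.
write_backup_dropin() {
    dir="$ROOT/etc/systemd/system/$UNIT.d"
    mkdir -p "$dir"
    printf '[Service]\nReadWritePaths=%s\n' "$1" > "$dir/10-backup-path.conf"
    echo "$dir/10-backup-path.conf"
}

# Ask systemd-modules-load to load "loop" at boot. DeviceAllow=block-loop only
# grants access to /dev/loop* nodes; if the module is not loaded there is
# nothing to grant access to. Prints the config path.
write_loop_modules_load() {
    dir="$ROOT/etc/modules-load.d"
    mkdir -p "$dir"
    printf 'loop\n' > "$dir/loop.conf"
    echo "$dir/loop.conf"
}

# Offline check of what ProtectSystem=strict will allow: returns 0 if TARGET
# is a ReadWritePaths entry (or lives under one) in any of the given unit or
# drop-in files, 1 if the daemon would hit a read-only filesystem there.
# Usage: path_is_writable TARGET UNIT_FILE [DROPIN...]
path_is_writable() {
    target="$1"
    shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        # A ReadWritePaths= line may carry several space-separated paths,
        # optionally prefixed with "-" (ignore if missing) or "+" (rootdir-relative)
        sed -n 's/^[[:space:]]*ReadWritePaths=//p' "$f" | tr ' ' '\n' |
        while read -r p; do
            p="${p#-}"; p="${p#+}"
            [ -n "$p" ] || continue
            case "$target" in
                "$p"|"$p"/*) echo match ;;
            esac
        done
    done | grep -q match
}

# Convenience wrapper: apply both changes and confirm the backup path is now
# writable according to the unit plus its new drop-in. On a real host follow
# it with: systemctl daemon-reload && systemctl restart xo-server
apply_backup_extras() {
    unit="$ROOT/etc/systemd/system/$UNIT"
    dropin=$(write_backup_dropin "$1")
    write_loop_modules_load >/dev/null
    path_is_writable "$1" "$unit" "$dropin"
}
```

Run `ROOT= apply_backup_extras /mnt/xo-backups` on the host (as root), then `systemctl daemon-reload` and restart the unit; if `path_is_writable` says a path is read-only, fix the drop-in before restarting rather than discovering it from EROFS errors in the backup job log.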