+++
title = "Starting Garage with systemd"
weight = 15
+++

We make some assumptions for this systemd deployment.

- Your garage binary is located at `/usr/local/bin/garage`.
- Your configuration file is located at `/etc/garage.toml`.
- Your `garage.toml` sets `metadata_dir = "/var/lib/garage/meta"` and `data_dir = "/var/lib/garage/data"`. This is mandatory because the unit below relies on the systemd hardening feature [Dynamic User](https://0pointer.net/blog/dynamic-users-with-systemd.html), which exposes only `/var/lib/garage` to the service as writable state. Note that in your host filesystem, Garage data will be held in `/var/lib/private/garage`.

Create a file named `/etc/systemd/system/garage.service`:

```ini
[Unit]
Description=Garage Data Store
After=network-online.target
Wants=network-online.target

[Service]
Environment='RUST_LOG=garage=info' 'RUST_BACKTRACE=1'
ExecStart=/usr/local/bin/garage server
StateDirectory=garage
DynamicUser=true
ProtectHome=true
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
```

**A note on hardening:** Garage runs as an unprivileged user whose user id is
allocated dynamically by systemd (`DynamicUser=true`). Because of
`ProtectHome=true`, it cannot access (read or write) home folders (`/home`,
`/root` and `/run/user`). The rest of the filesystem is read-only to the
service (`DynamicUser=true` implies `ProtectSystem=strict`); the only writable
location is the path the service sees as `/var/lib/garage`, provided by
`StateDirectory=garage`. Additionally, `NoNewPrivileges=true` prevents the
process from gaining new privileges over time, for instance through setuid
binaries. You can review the resulting sandbox with
`systemd-analyze security garage`.

For this to work correctly, your `garage.toml` must set
`metadata_dir = "/var/lib/garage/meta"` and `data_dir = "/var/lib/garage/data"`.
This is mandatory with the DynamicUser hardening feature of systemd: on the
host, systemd creates `/var/lib/private/garage`, owned by the dynamic user, and
exposes it to the service as `/var/lib/garage` through a symlink. If the
directory `/var/lib/garage` already exists before starting the server for the
first time, the systemd service might not start correctly. Note that in your
host filesystem, Garage data will be held in `/var/lib/private/garage`.

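A preflight script for the checks this page leaves to the operator, as an added example that is not part of Garage or its documentation: it confirms that `garage.toml` points both directories under `/var/lib/garage`, that the unit file still carries the hardening directives the note above relies on, and that `/var/lib/garage` does not already exist as a real directory on the host. The accepted key syntax (`key = "value"`), the function names, and the optional scratch-root argument are assumptions of this example.

```shell
#!/bin/sh
# Preflight checks for the systemd deployment described on this page.
# Added example, not part of Garage: it only knows the paths and unit
# directives the page assumes (/var/lib/garage, StateDirectory=garage,
# DynamicUser=true, ProtectHome=true, NoNewPrivileges=true).

# toml_value FILE KEY: print the value of a top-level `KEY = "value"` line,
# quotes stripped. Prints nothing if the key is absent.
toml_value() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*"\{0,1\}\([^"#[:space:]]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1
}

# check_garage_toml FILE: succeed only if both data directories live under
# /var/lib/garage, the single writable path the hardened unit exposes.
check_garage_toml() {
    ok=0
    for key in metadata_dir data_dir; do
        value=$(toml_value "$1" "$key")
        case $value in
            /var/lib/garage/*) ;;
            *) echo "$key='$value' is not under /var/lib/garage" >&2; ok=1 ;;
        esac
    done
    return $ok
}

# check_unit FILE: succeed only if the unit carries every directive that the
# hardening note relies on, each on its own line.
check_unit() {
    ok=0
    for directive in DynamicUser=true StateDirectory=garage ProtectHome=true NoNewPrivileges=true; do
        if ! grep -qx "[[:space:]]*$directive[[:space:]]*" "$1"; then
            echo "$1: missing $directive" >&2
            ok=1
        fi
    done
    return $ok
}

# check_state_dir [ROOT]: fail if ROOT/var/lib/garage is a pre-existing real
# directory, the case the page warns about. A symlink is what systemd itself
# leaves behind after the first start (pointing into /var/lib/private), so it
# is accepted. ROOT defaults to the real filesystem and exists only so the
# check can be exercised against a scratch tree (an assumption of this example).
check_state_dir() {
    dir="${1:-}/var/lib/garage"
    if [ -L "$dir" ]; then
        return 0
    fi
    if [ -e "$dir" ]; then
        echo "$dir already exists; let systemd create it via StateDirectory=garage" >&2
        return 1
    fi
    return 0
}

# Usage: sh garage-preflight.sh /etc/garage.toml /etc/systemd/system/garage.service
if [ "$#" -eq 2 ]; then
    status=0
    check_garage_toml "$1" || status=1
    check_unit "$2" || status=1
    check_state_dir || status=1
    exit "$status"
fi
```

Run it before the first `systemctl start garage`; a non-zero exit means one of the assumptions above does not hold on this host. After the service has started once, `/var/lib/garage` is a symlink into `/var/lib/private`, which the state-directory check accepts.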
To start the service and enable it so that it starts automatically at boot:

```bash
sudo systemctl start garage
sudo systemctl enable garage
```

To see if the service is running and to browse its logs:

```bash
sudo systemctl status garage
sudo journalctl -u garage
```

If you modify the service file, do not forget to run `systemctl daemon-reload`
to inform `systemd` of your modifications, then `systemctl restart garage` so
that the running service picks up the new unit.