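# Elasticsearch systemd unit, run inside a chroot at /chroot/elasticd.
# The ${...} placeholders are packaging-template substitutions (see the
# "Built for" trailer at the end). Lines prefixed "#" are template
# defaults this deployment replaces, or hardening options not enabled.
# NOTE(review): the duplicate PrivateTmp= and PrivateDevices= assignments of
# the previous revision were merged into single entries; values are unchanged.

[Unit]
Description=Elasticsearch (chroot)
Documentation=https://www.elastic.co
Wants=network-online.target
After=network-online.target local-fs.target
PartOf=chr-elasticd.target

[Service]
Type=notify
# The elasticsearch process currently sends the notifications back to systemd
# itself, and NotifyAccess=exec does not work (even though it is a child).
# NotifyAccess=all lets every process in the unit's cgroup send status
# messages, which is broader than needed; it should change back to main
# (the default), see https://github.com/elastic/elasticsearch/issues/86475
NotifyAccess=all
#RuntimeDirectory=elasticsearch
# private /tmp and /var/tmp for this unit (ES_TMPDIR below points at /var/tmp)
PrivateTmp=true

# ES_* values carry no /chroot prefix: they are paths as seen from inside
# RootDirectory= (ExecStart= below uses the same convention).
Environment=ES_HOME=/usr/share/elasticsearch
# template default, replaced by the fixed path on the next line
#Environment=ES_PATH_CONF=${path.conf}
Environment=ES_PATH_CONF=/etc/elasticsearch
Environment=PID_DIR=/run/elasticsearch
Environment=ES_SD_NOTIFY=true
Environment=ES_TMPDIR=/var/tmp

# template defaults, replaced by the /chroot-prefixed file below
#EnvironmentFile=-${path.env}
#EnvironmentFile=-/etc/default/elasticsearch
# host-side path; "-" means a missing file is not an error
# NOTE(review): presumably read by the service manager before the chroot is
# entered, hence the prefix — confirm against systemd.exec(5)
EnvironmentFile=-/chroot/elasticd/etc/default/elasticsearch

WorkingDirectory=/usr/share/elasticsearch
User=elasticsearch
Group=elasticsearch

RootDirectory=/chroot/elasticd
RootDirectoryStartOnly=no

# template default (systemd-entrypoint), replaced by the direct launcher below
#ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p ${PID_DIR}/elasticsearch.pid --quiet
ExecStart=/usr/share/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid --quiet

# StandardOutput is configured to redirect to journalctl since
# some error messages may be logged in standard output before
# elasticsearch logging system is initialized. Elasticsearch
# stores its logs in /var/log/elasticsearch and does not use
# journalctl by default. If you also want to enable journalctl
# logging, you can simply remove the "quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65535
# Specifies the maximum number of processes
LimitNPROC=4096
# Specifies the maximum size of virtual memory
LimitAS=infinity
# Specifies the maximum file size
LimitFSIZE=infinity

# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM
# Send the signal only to the JVM rather than its control group
KillMode=process
# Java process is never killed. Together with TimeoutStopSec=0 this means a
# JVM that ignores SIGTERM blocks the stop indefinitely; that is the intent.
SendSIGKILL=no
# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143

#################### sandboxing / hardening
MountAPIVFS=true
NoNewPrivileges=true
# no real device nodes; DevicePolicy=closed additionally restricts the device cgroup
PrivateDevices=true
DevicePolicy=closed
ProtectSystem=full
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectProc=invisible
###ProcSubset=pid
ProtectControlGroups=true
ProtectClock=true
ProtectHome=true
# Not enabled; no reason recorded. Enabling it removes every socket family
# not listed — TODO confirm whether AF_NETLINK is actually needed first.
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
# Not enabled; no reason recorded. With User= non-root and NoNewPrivileges=
# the bounding set is presumably mostly documentation of intent — TODO confirm.
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
# Two alternative forms, both disabled, no reason recorded; keep at most one.
#RestrictNamespaces=uts ipc pid user cgroup
#RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Presumably left off because the JVM's JIT needs writable+executable
# mappings, which this setting forbids — TODO confirm.
#MemoryDenyWriteExecute=yes
# Not enabled; no reason recorded — TODO confirm whether the JVM needs it off.
#LockPersonality=yes

# NOTE(review): these entries are written as host paths (/chroot/elasticd/...)
# while BindPaths= below uses host-side sources and chroot-side destinations.
# Whether Read*Paths=/InaccessiblePaths= are resolved against the host root or
# against RootDirectory= should be confirmed against systemd.exec(5) for the
# installed systemd version; if the latter, the /chroot/elasticd entries do
# not apply as intended.
ReadOnlyPaths=/bin /sbin /lib /lib64 /usr /boot /etc
ReadOnlyPaths=/chroot/elasticd
# the more specific read-write entries carve exceptions out of the
# read-only root above
ReadWritePaths=/chroot/elasticd/run
ReadWritePaths=/chroot/elasticd/var/lib/elasticsearch /chroot/elasticd/var/log/elasticsearch
InaccessiblePaths=/chroot/elasticd/boot /chroot/elasticd/sys

# run
BindPaths=/chroot/elasticd/run:/run:norbind
# log, systemd notify
BindPaths=/run/systemd/notify:/run/systemd/notify:norbind /run/systemd/journal/dev-log:/run/systemd/journal/dev-log:norbind

[Install]
# template default, replaced by the chroot target below
#WantedBy=multi-user.target
WantedBy=chr-elasticd.target

# Built for ${project.name}-${project.version} (${project.name})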