My systemd service can't find the folder, but it works when I try it in the shell.
I'm using NixOS, and my service configuration looks like this:
```nix
{
  systemd.services.intranet_dev = {
    wantedBy = [ "multi-user.target" ];
    description = "Intranet Dev Server";
    serviceConfig = {
      Type = "simple";
      User = "gitlabrunner";
      Group = "users";
      WorkingDirectory = "/home/gitlabrunner/intranet/intranet_dev";
      ExecStart = "/home/gitlabrunner/intranet/intranet_dev/bin/intranet_dev start";
      ExecStop = "/home/gitlabrunner/intranet/intranet_dev/bin/intranet_dev stop";
      Restart = "always";
      # Filesystem
      ProtectHome = true;
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ReadWritePaths = "/home/gitlabrunner/intranet/intranet_dev/files/";
      # Caps
      CapabilityBoundingSet = "";
      NoNewPrivileges = true;
      # Misc.
      LockPersonality = true;
      RestrictRealtime = true;
      PrivateMounts = true;
      PrivateUsers = true;
      MemoryDenyWriteExecute = true;
      SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap";
      SystemCallArchitectures = "native";
      RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
    };
    # Only needed if secrets are not compiled INTO the application
    # environmentFile = "/opt/pm/secrets/.env";
  };
}
```
Thanks for your help :D

Answer 1

As stated in the comments, this is caused by `ProtectHome = true` in your service configuration. Either disable the protection:

```nix
ProtectHome = false;
```

or keep the protection and whitelist the relevant directory:

```nix
ProtectHome = "tmpfs";
BindPaths = "/home/gitlabrunner";
```
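The failure in the question is a general pattern: a hardening directive hides a path the unit itself needs. The script below is an added example, not part of the question or the answer, that checks for exactly that. It takes the `KEY=VALUE` lines that `systemctl show <unit> -p ProtectHome -p BindPaths -p WorkingDirectory -p ExecStart` prints and reports whether `ProtectHome=` makes the unit's working directory or executable invisible. The two inputs are constructed to mirror the unit as posted and the unit with the answer's `tmpfs` + `BindPaths=` fix; the exact formatting of `BindPaths=` and `ExecStart=` in `systemctl show` output is assumed here, and `ProtectHome=yes` is conservatively treated as hiding everything under `/home`, which is the behaviour the question observed.

```shell
#!/bin/sh
# Added example: lint a unit's ProtectHome= against the paths the unit needs.
# Input is the property output of `systemctl show`, supplied as a string so the
# script runs offline on the constructed samples at the bottom.

# Extract one KEY=VALUE property from show-style output.
prop() {  # prop "<show output>" KEY
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Is the path under one of the trees that ProtectHome= covers?
under_home() {  # under_home PATH
    case "$1" in
        /home|/home/*|/root|/root/*|/run/user|/run/user/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Is PATH inside one of the space-separated BindPaths= entries?
# Entries may be "src:dst[:opts]" (assumed format); only the source matters here.
bound() {  # bound PATH "BINDPATHS"
    for entry in $2; do
        src=${entry%%:*}
        src=${src%/}
        case "$1" in
            "$src"|"$src"/*) return 0 ;;
        esac
    done
    return 1
}

# Verdict for one path: prints "ok" or "hidden".
#   yes       -> home trees are replaced by empty, inaccessible directories, so an
#                ExecStart= under /home cannot be found (the question's symptom);
#                treated conservatively as hidden regardless of BindPaths=.
#   tmpfs     -> home trees are empty tmpfs; only BindPaths= entries show through
#                (the answer's fix).
#   read-only -> visible but unwritable; fine for reading a binary or chdir.
reachable() {  # reachable PATH PROTECT_HOME "BINDPATHS"
    under_home "$1" || { echo ok; return 0; }
    case "$2" in
        no|"")     echo ok ;;
        read-only) echo ok ;;
        tmpfs)     if bound "$1" "$3"; then echo ok; else echo hidden; fi ;;
        *)         echo hidden ;;
    esac
}

# Check a unit's show output; returns 0 only if every needed path is reachable.
check_unit() {  # check_unit "<show output>"
    ph=$(prop "$1" ProtectHome)
    bp=$(prop "$1" BindPaths)
    wd=$(prop "$1" WorkingDirectory)
    # ExecStart= is shown as "{ path=/x/y ; argv[]=... }" (assumed); take path=.
    ex=$(prop "$1" ExecStart | sed -n 's/.*path=\([^ ;]*\).*/\1/p')
    rc=0
    for p in "$wd" "$ex"; do
        [ -n "$p" ] || continue
        v=$(reachable "$p" "$ph" "$bp")
        printf '%-7s %s (ProtectHome=%s)\n' "$v" "$p" "${ph:-no}"
        [ "$v" = ok ] || rc=1
    done
    return $rc
}

# Constructed sample: the unit as posted in the question.
BROKEN='ProtectHome=yes
BindPaths=
WorkingDirectory=/home/gitlabrunner/intranet/intranet_dev
ExecStart={ path=/home/gitlabrunner/intranet/intranet_dev/bin/intranet_dev ; argv[]=/home/gitlabrunner/intranet/intranet_dev/bin/intranet_dev start ; ignore_errors=no }'

# Constructed sample: the same unit with the answer's tmpfs + BindPaths= fix.
FIXED='ProtectHome=tmpfs
BindPaths=/home/gitlabrunner
WorkingDirectory=/home/gitlabrunner/intranet/intranet_dev
ExecStart={ path=/home/gitlabrunner/intranet/intranet_dev/bin/intranet_dev ; argv[]=/home/gitlabrunner/intranet/intranet_dev/bin/intranet_dev start ; ignore_errors=no }'

echo "--- unit as posted"
check_unit "$BROKEN" || echo "-> start would fail: needed paths are hidden"
echo "--- unit with ProtectHome=tmpfs + BindPaths=/home/gitlabrunner"
check_unit "$FIXED" && echo "-> needed paths are visible to the service"
```

On a real system, feed it `"$(systemctl show intranet_dev -p ProtectHome -p BindPaths -p WorkingDirectory -p ExecStart)"` instead of the constructed strings. The `tmpfs` + `BindPaths=` form from the answer keeps every other user's home directory hidden from the service while exposing only `/home/gitlabrunner`, which is why it is preferable to `ProtectHome = false`.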