LINUX.ORG.RU

История изменений

Исправление bogkronas, (текущая версия) : 

cat /etc/systemd/system/peertube.service
=== Вывод команды ===
[Unit]
Description=PeerTube daemon
After=network.target postgresql.service redis-server.service

[Service]
Type=simple
Environment=NODE_ENV=production
Environment=NODE_CONFIG_DIR=/var/www/peertube/config
User=peertube
Group=peertube
ExecStart=/usr/bin/npm start
WorkingDirectory=/var/www/peertube/peertube-latest
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=peertube
Restart=always

; Some security directives.
; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
ProtectSystem=full
; Sets up a new /dev mount for the process and only adds API pseudo devices
; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
; by default because it may not work on devices like the Raspberry Pi.
PrivateDevices=false
; Ensures that the service process and all its children can never gain new
; privileges through execve().
NoNewPrivileges=true
; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
; by this unit. Make sure that you do not depend on data inside these folders.
ProtectHome=true
; Drops the sys admin capability from the daemon.
CapabilityBoundingSet=~CAP_SYS_ADMIN

[Install]
WantedBy=multi-user.target

Исходная версия bogkronas, :

cat /etc/systemd/system/peertube.service === Вывод команды === [Unit] Description=PeerTube daemon After=network.target postgresql.service redis-server.service

[Service] Type=simple Environment=NODE_ENV=production Environment=NODE_CONFIG_DIR=/var/www/peertube/config User=peertube Group=peertube ExecStart=/usr/bin/npm start WorkingDirectory=/var/www/peertube/peertube-latest StandardOutput=syslog StandardError=syslog SyslogIdentifier=peertube Restart=always

; Some security directives. ; Mount /usr, /boot, and /etc as read-only for processes invoked by this service. ProtectSystem=full ; Sets up a new /dev mount for the process and only adds API pseudo devices ; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled ; by default because it may not work on devices like the Raspberry Pi. PrivateDevices=false ; Ensures that the service process and all its children can never gain new ; privileges through execve(). NoNewPrivileges=true ; This makes /home, /root, and /run/user inaccessible and empty for processes invoked ; by this unit. Make sure that you do not depend on data inside these folders. ProtectHome=true ; Drops the sys admin capability from the daemon. CapabilityBoundingSet=~CAP_SYS_ADMIN

[Install] WantedBy=multi-user.target