From: Tim Duesterhus <tim@bastelstu.be>
Date: Tue, 27 Feb 2018 19:19:03 +0000 (+0100)
Subject: MINOR: systemd: Add section for SystemD sandboxing to unit file
X-Git-Tag: v1.9-dev1~394
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ce8de2d93066d29e57ca2bb9cc0e0ff321f2043;p=thirdparty%2Fhaproxy.git

MINOR: systemd: Add section for SystemD sandboxing to unit file

This commit adds a warning for settings that possibly provide better
sandboxing and explains their tradeoffs.
---

diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in
index 804be3583c..5d8eecf06b 100644
--- a/contrib/systemd/haproxy.service.in
+++ b/contrib/systemd/haproxy.service.in
@@ -12,5 +12,11 @@ KillMode=mixed
 Restart=always
 Type=notify
 
+# The following lines leverage SystemD's sandboxing options to provide
+# defense in depth protection at the expense of restricting some flexibility
+# in your setup (e.g. placement of your configuration files) or possibly
+# reduced performance. See systemd.service(5) and systemd.exec(5) for further
+# information.
+
 [Install]
 WantedBy=multi-user.target