Created
November 24, 2023 09:05
systemd unit for solr
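# systemd unit for Apache Solr 8.11.2: runs Solr in the foreground as the
# unprivileged "solr" user, with systemd sandboxing applied.
# Comments are full-line only; systemd does not support trailing comments.
[Unit]
Description=Solr 8.11.2
After=network.target

[Service]
# "solr start -f" (see ExecStart=) keeps Solr in the foreground, so the process
# systemd spawns is the service's main process.
Type=simple
WorkingDirectory=/var/solr
# NOTE(review): PIDFile= is mainly intended for Type=forking services; confirm
# it is still wanted with Type=simple and a foreground start.
PIDFile=/var/solr/solr-8983.pid
# All Solr state (PID dir, home, logs) is kept under /var/solr, which is the
# only writable path granted by ReadWritePaths= below.
Environment=SOLR_PID_DIR=/var/solr
Environment=SOLR_HOME=/var/solr/data
Environment=SOLR_LOGS_DIR=/var/solr/logs
Environment=SOLR_HEAP=2g

# Private /dev without physical devices, and a private /tmp and /var/tmp
PrivateDevices=true
PrivateTmp=true
# Solr does not need access to /home, /root, or /run/user
ProtectHome=true
# Solr can live with read-only access to the entire file system hierarchy other
# than the paths below.
ProtectSystem=strict
# The service process and all its children can never gain new privileges
NoNewPrivileges=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
# Do not allow process or its children to create SUID/SGID files/directories
RestrictSUIDSGID=true
LockPersonality=true
# Capability bounding set: the first line is an allow-list containing only
# CAP_NET_BIND_SERVICE. The "~" line is ANDed with that allow-list, so it
# removes nothing that was still allowed; it is kept to state the intent.
# NOTE(review): the bounding set only caps what could be acquired; with
# User=solr and NoNewPrivileges=true the process starts without capabilities.
# If Solr listens on an unprivileged port (the PID file name suggests 8983),
# an empty "CapabilityBoundingSet=" may be sufficient; test before tightening.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=~CAP_NET_BROADCAST CAP_NET_RAW
ProtectHostname=true
ProtectKernelLogs=true
# Remove System V and POSIX IPC objects owned by User=/Group= when the unit stops
RemoveIPC=true
# Deny-list: AF_PACKET, AF_NETLINK and AF_UNIX sockets are blocked; every other
# address family stays available.
# NOTE(review): an allow-list (for example "AF_INET AF_INET6") would be
# tighter; verify that Solr and the JVM still start before switching.
RestrictAddressFamilies=~AF_PACKET AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native
# Start from the @system-service allow-list, then subtract the @privileged and
# @resources groups. A filtered system call terminates the process with SIGSYS
# unless SystemCallErrorNumber= is set, so watch the journal after upgrades.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# Allow writing to these paths, but don't fail if they don't exist
ReadWritePaths=-/var/solr

User=solr
Group=solr
ExecStart=/opt/solr-8.11.2/bin/solr start -f
ExecStop=/opt/solr-8.11.2/bin/solr stop

# Recommended system limits
# See: https://solr.apache.org/guide/8_11/taking-solr-to-production.html
LimitNOFILE=65000
LimitNPROC=65000
LimitAS=infinity
LimitRSS=infinity
# the JVM exits gracefully with 143 when it receives a SIGTERM (128 + 15 == 143)
SuccessExitStatus=143

[Install]
WantedBy=multi-user.target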