alanorth · November 24, 2023 09:05
diff --git a/solr.service b/solr.service
 [Unit]
 Description=Solr 8.11.2
 After=network.target

 [Service]
 Type=simple

 WorkingDirectory=/var/solr
 PIDFile=/var/solr/solr-8983.pid
 Environment=SOLR_PID_DIR=/var/solr
 Environment=SOLR_HOME=/var/solr/data
 Environment=SOLR_LOGS_DIR=/var/solr/logs
 Environment=SOLR_HEAP=2g

 PrivateDevices=yes
 PrivateTmp=yes
 # Solr does not need access to /home, /root, or /run/user
 ProtectHome=true
 # Solr can live with read-only access to the entire file system hierarchy other
 # than the paths below.
 ProtectSystem=strict

 # The service process and all its children can never gain new privileges
 NoNewPrivileges=true

 ProtectControlGroups=true
 ProtectKernelModules=true
 ProtectKernelTunables=true

 # Do not allow process or its children to create SUID/SGID files/directories
 RestrictSUIDSGID=true

 LockPersonality=true
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=~CAP_NET_BROADCAST CAP_NET_RAW
 ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 RemoveIPC=true
 RestrictAddressFamilies=~AF_PACKET AF_NETLINK AF_UNIX
 RestrictNamespaces=true
 RestrictRealtime=true
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallFilter=~@privileged @resources

 # Allow writing to these paths, but don't fail if they don't exist
 ReadWritePaths=-/var/solr

 User=solr
 Group=solr

 ExecStart=/opt/solr-8.11.2/bin/solr start -f
 ExecStop=/opt/solr-8.11.2/bin/solr stop

 # Recommended system limits
 # See: https://solr.apache.org/guide/8_11/taking-solr-to-production.html
 LimitNOFILE=65000
 LimitNPROC=65000
 LimitAS=infinity
 LimitRSS=infinity

 # the JVM exits gracefully with 143 when it receives a SIGTERM (128 + 15 == 143)
 SuccessExitStatus=143

 [Install]
 WantedBy=multi-user.target
	[Unit]
	Description=Solr 8.11.2
	After=network.target

	[Service]
	Type=simple

	WorkingDirectory=/var/solr
	PIDFile=/var/solr/solr-8983.pid
	Environment=SOLR_PID_DIR=/var/solr
	Environment=SOLR_HOME=/var/solr/data
	Environment=SOLR_LOGS_DIR=/var/solr/logs
	Environment=SOLR_HEAP=2g

	PrivateDevices=yes
	PrivateTmp=yes
	# Solr does not need access to /home, /root, or /run/user
	ProtectHome=true
	# Solr can live with read-only access to the entire file system hierarchy other
	# than the paths below.
	ProtectSystem=strict

	# The service process and all its children can never gain new privileges
	NoNewPrivileges=true

	ProtectControlGroups=true
	ProtectKernelModules=true
	ProtectKernelTunables=true

	# Do not allow process or its children to create SUID/SGID files/directories
	RestrictSUIDSGID=true

	LockPersonality=true
	CapabilityBoundingSet=CAP_NET_BIND_SERVICE
	CapabilityBoundingSet=~CAP_NET_BROADCAST CAP_NET_RAW
	ProtectHostname=true
	ProtectKernelLogs=true
	ProtectKernelModules=true
	RemoveIPC=true
	RestrictAddressFamilies=~AF_PACKET AF_NETLINK AF_UNIX
	RestrictNamespaces=true
	RestrictRealtime=true
	SystemCallArchitectures=native
	SystemCallFilter=@system-service
	SystemCallFilter=~@privileged @resources

	# Allow writing to these paths, but don't fail if they don't exist
	ReadWritePaths=-/var/solr

	User=solr
	Group=solr

	ExecStart=/opt/solr-8.11.2/bin/solr start -f
	ExecStop=/opt/solr-8.11.2/bin/solr stop

	# Recommended system limits
	# See: https://solr.apache.org/guide/8_11/taking-solr-to-production.html
	LimitNOFILE=65000
	LimitNPROC=65000
	LimitAS=infinity
	LimitRSS=infinity

	# the JVM exits gracefully with 143 when it receives a SIGTERM (128 + 15 == 143)
	SuccessExitStatus=143

	[Install]
	WantedBy=multi-user.target