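# Copyright 2018 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Upstart job: runs systemd-journald inside a minijail sandbox as the syslog
# user. The job prepares /run/systemd/journal and /run/log before launch,
# waits for journald's last socket before signalling "started", and removes
# the /dev/log symlink and pidfile on stop.

description "systemd-journald"
author "chromium-os-dev@chromium.org"

start on starting boot-services
stop on stopping boot-services

# minijail0 is launched with -i below, i.e. it forks the jailed daemon and
# exits; "expect fork" tells Upstart to track that single fork.
expect fork
respawn

pre-start script
  # File mode includes group write permission to allow rsyslogd to create its
  # socket. The directory group is root; syslog starts as root, and only after
  # initialization switches to the syslog user.
  mkdir -m 0775 -p /run/systemd/journal
  mkdir -p /run/systemd/journal/pids

  # This runs as root on every start, including respawns, so on all but the
  # first run it re-walks a tree the syslog user has been writing to.
  # NOTE(review): relies on the default (-P) treatment of symlinks found
  # during the recursion; confirm that is the intended behaviour.
  chown -R syslog /run/systemd/journal

  mkdir -p /run/log
  chown syslog /run/log

  # -n (GNU ln): if /dev/log were already a symlink to a directory, -f alone
  # would create the link inside that directory instead of replacing it.
  ln -sfn /run/systemd/journal/dev-log /dev/log
end script

# Upstart has a limitation on how it can track daemon readiness. See this
# report for more details: https://crbug.com/702794#27. net_poll_tool allows
# us to emit the started event only after the socket is ready.
# /run/systemd/journal/socket is the last socket created by journald.
#
# We don't use a pid namespace because it breaks journald's ability to log the
# remote pid. We don't use a network namespace because journald needs to read
# from the audit netlink socket.
#
# CAP_SYS_PTRACE is required to read /proc/<PID>/exe.
# We aren't going to give that capability to journald due to security concerns.
#
# Jail summary:
#   -u/-g/-c    run as syslog:syslog with only cap_syslog and cap_audit_read
#               effective (--ambient raises them across the exec)
#   -i          exit right after forking the daemon (matches "expect fork")
#   -l --uts    new IPC and UTS namespaces
#   -f          write the daemon's pid to /run/systemd-journald.pid
#   -v -P       new mount namespace, pivot_root into /mnt/empty
#   -b X,,1     bind mount X writable; -b X without the flag is read-only
#   -k          fresh nosuid/nodev/noexec tmpfs for /run and /var, with only
#               the listed subdirectories bound back in
#   -t -r       tmpfs on /tmp; remount /proc read-only
# NOTE(review): no seccomp filter (-S) and no no_new_privs (-n) are set;
# confirm this is deliberate rather than an omission.
exec minijail0 -T static --ambient \
  -u syslog -g syslog -c 'cap_syslog,cap_audit_read+e' \
  -i -l --uts -f /run/systemd-journald.pid \
  -v -P /mnt/empty -b / -b /proc -t -r --mount-dev \
  -b /dev/kmsg,,1 \
  -k 'run,/run,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \
  -b /run/systemd,,1 \
  -b /run/log,,1 \
  -k 'var,/var,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC' \
  -b /var/log,,1 \
  /usr/lib/systemd/systemd-journald

post-start script
  # The timeout is high, but it should never be hit unless there's a serious
  # problem, in which case we want to fall over anyways. We can't set it too
  # low because we also run in slow environments like VMs.
  net_poll_tool --timeout=60 --unix_socket=/run/systemd/journal/socket

  # SIGUSR1 asks journald to flush the runtime journal to persistent storage.
  # The pid is read from the file minijail0 wrote via -f above.
  pkill -SIGUSR1 --pidfile /run/systemd-journald.pid
end script

post-stop script
  # Best effort on purpose: either path may already be gone, and a failure
  # here must not keep the job from stopping cleanly.
  rm /dev/log || true
  rm /run/systemd-journald.pid || true
end script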