From 259a2ae9ac1e516c2bba5d93fe96224f8ff0c6a6 Mon Sep 17 00:00:00 2001
From: Ananth
Date: Sun, 21 Dec 2025 12:28:37 +0530
Subject: [PATCH] Revise systemd service configuration for Yellowstone Jet

Updated the systemd service configuration for Yellowstone Jet, including configuring resource limits and security settings.
---
 README.md | 49 ++++++++++++++++++++++++++++++++-----------------
 1 file changed, 32 insertions(+), 17 deletions(-)

diff --git a/README.md b/README.md
index 3641d75..fbde9be 100644
--- a/README.md
+++ b/README.md
@@ -36,38 +36,53 @@ A sample configuration file can be found [config.yml](https://github.com/rpcpool Running Jet as a service under SystemD is our recommended approach. A sample systemd file: -``` +```ini [Unit] Description=Yellowstone Jet transaction forwarder After=network-online.target -StartLimitInterval=0 +Wants=network-online.target StartLimitIntervalSec=0 [Service] Type=simple -User=yellowstone-jet -Group=yellowstone-jet -PermissionsStartOnly=true -ExecStart=/usr/local/bin/yellowstone-jet --config /etc/yellowstone-jet.yml +DynamicUser=yes +ConfigDirectory=yellowstone-jet -Environment=RUST_LOG="warn" +ExecStart=/usr/local/bin/yellowstone-jet --config /etc/yellowstone-jet/config.yml -SyslogIdentifier=yellowstone-jet -KillMode=process +Environment=RUST_LOG="warn" Restart=always RestartSec=5 +# Resource Limits LimitNOFILE=700000 LimitNPROC=700000 -LockPersonality=true -NoNewPrivileges=true -PrivateTmp=true -ProtectHome=true -RemoveIPC=true -RestrictSUIDSGID=true - -ProtectSystem=full +# File System Sandboxing +ProtectSystem=strict +ProtectHome=yes +PrivateTmp=yes +PrivateDevices=yes +ProtectHostname=yes +ProtectClock=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectKernelLogs=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +RestrictNamespaces=yes +LockPersonality=yes +MemoryDenyWriteExecute=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +RemoveIPC=yes +PrivateUsers=yes + +# Privilege Escalation & System Calls +NoNewPrivileges=yes +SystemCallFilter=@system-service +SystemCallErrorNumber=EPERM +SystemCallArchitectures=native [Install] WantedBy=multi-user.target