Skip to content

Linux Debian Service Configuration

bmwl edited this page Nov 22, 2025 · 1 revision

Linux Service Configuration

This page covers running the Soft Data Diode Tools as system services on Linux. For basic installation, see the Install Guide.

Debian/Ubuntu systemd Service

The repository includes example systemd service files in the hardening folder. These examples should be adapted to your specific needs, particularly regarding read-write paths and resource limits.

Multi-Receiver Service Example

Create /etc/systemd/system/datadiode-receiver.service:

[Unit]
Description=Soft Data Diode Multi-Receiver
After=network.target

[Service]
Type=simple
User=datadiode
Group=datadiode
ExecStart=/opt/SoftDataDiode/venv/bin/python /opt/SoftDataDiode/multireceiver/ddmultireceiver.py --config /etc/datadiode/receiver_config.json
Restart=always
RestartSec=10

# Security and resource limits
CPUQuota=5%
MemoryLimit=512M
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/datadiode

[Install]
WantedBy=multi-user.target

Note: The example caps CPU usage at 5%, which is sustainable for most VPS services but may need adjustment for production use.

Creating Service User

sudo useradd -r -s /bin/false datadiode
sudo mkdir -p /var/lib/datadiode
sudo chown datadiode:datadiode /var/lib/datadiode

Managing the Service

sudo systemctl daemon-reload
sudo systemctl enable datadiode-receiver
sudo systemctl start datadiode-receiver
sudo systemctl status datadiode-receiver

Sender Service Example

Create /etc/systemd/system/datadiode-sender.service:

[Unit]
Description=Soft Data Diode Sender
After=network.target

[Service]
Type=simple
User=datadiode
Group=datadiode
ExecStart=/opt/SoftDataDiode/venv/bin/python /opt/SoftDataDiode/sender/ddsender.py --config /etc/datadiode/sender_config.json
Restart=always
RestartSec=10
Environment=PATH=/opt/SoftDataDiode/venv/bin:/usr/local/bin:/usr/bin:/bin

[Install]
WantedBy=multi-user.target

Security Hardening for Services

When running as a service, follow these principles:

  • Create dedicated service accounts without interactive login rights
  • Restrict network and filesystem privileges to the minimum necessary
  • Use systemd security directives to sandbox the service
  • Set appropriate resource limits based on your workload

See Security Model and Hardening for additional hardening guidance.

Log Management

Service logs can be viewed with:

sudo journalctl -u datadiode-receiver -f
sudo journalctl -u datadiode-sender -f

Clone this wiki locally