Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Running as daemon with systemd #24

Open
svengo opened this issue Jan 31, 2017 · 2 comments

Comments

Projects
None yet
3 participants
@svengo
Copy link

commented Jan 31, 2017

I managed to run The Onion Box as daemon with systemd (under Ubuntu 16.04) based on the wiki:

  • Create user theonionbox
  • Install The Onion Box to ~theonionbox and sudo chmod 755 ./theonionbox.py
  • Edit ~theonionbox/config/theonionbox.cfgto your needs
  • Create service file with sudo vi /etc/systemd/system/theonionbox.service with the following content:
# Run The Onion Box as background service
# https://github.com/ralphwetzel/theonionbox/

[Unit]
Description=The Onion Box
Documentation=https://github.com/ralphwetzel/theonionbox/wiki
After=network.target

[Service]
Type=simple
User=theonionbox
WorkingDirectory=~
ExecStart=/srv/theonionbox/theonionbox.py --mode=service
Restart=on-failure

[Install]
WantedBy=multi-user.target
  • Start the new service with sudo systemctl start theonionbox.service
  • If everything is okay, start the service on next boot with sudo systemctl enable theonionbox.service
@ralphwetzel

This comment has been minimized.

Copy link
Owner

commented Jan 31, 2017

Thank you for this great contribution!
I'll add the service file to the next release.

@AnanasPfirsichSaft

This comment has been minimized.

Copy link

commented Nov 26, 2017

Maybe the service file can be hardened? My Debian Jessie box (Bananian Linux) use no systemd by default. Therefore I cannot dive into it at the moment. But my snippet should be a good start. Capabilities and syscalls whitelist are still missing. Some directives may be only available on newer systemd versions.

[service]
ProtectSystem=full
ReadWriteDirectories=/var/log/theonionbox
CapabilityBoundingSet=???
SystemCallFilter=???
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true

What do others think?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.