[2/2] paccache.service.in: Lower priority of unit

Message ID 20210709101037.yjjcibln6s2ew7x7@gmail.com
State Accepted
Series [1/2] paccache.service.in: Harden unit

Commit Message

Frederik “Freso” S. Olesen July 9, 2021, 10:10 a.m. UTC
The unit will be run in the background and is not essential for systems
to operate, so giving it the lowest priority will help make it less
disruptive on its system.

Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
---
 src/paccache.service.in | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

Frederik “Freso” S. Olesen July 9, 2021, 10:19 a.m. UTC | #1
Hello.

These are basically just copy/pasted (with minor tweaks for Makefile)
from my own override file running on two systems. Since I put in the
work writing and testing these options/settings, I figured I’d share
them and possibly have them upstreamed if deemed acceptable.

[PATCH 1] tightens the unit down a good deal, which may be too much for
some people’s systems. E.g., the ReadWritePaths path is the pacman.conf
default, which is a fairly easy one to edit. If people run setups where
they use paccache.service with multiple pacman caches, they probably need to
edit the .service file anyway, at which point they can also edit the
ReadWritePaths to match their setup.

[PATCH 2] basically just deprioritises that paccache process as much as
possible. I split that out since it’s not hardening and it might not be
something that would be wanted across all systems. Not sure what systems
would have this be an important service that should not be as
undisruptive as possible, but 🤷.

morganamilo July 9, 2021, 10:32 a.m. UTC | #2
On 09/07/2021 11:19, Frederik “Freso” S. Olesen via pacman-contrib wrote:
> they probably need to edit the .service file anyway

Why? Doesn't the service just call `paccache -r` which in turn reads
pacman.conf?

Frederik “Freso” S. Olesen July 9, 2021, 11:09 a.m. UTC | #3
On Fri, Jul 09, 2021 at 11:32:18AM +0100, Morgan Adamiec via pacman-contrib wrote:
> On 09/07/2021 11:19, Frederik “Freso” S. Olesen via pacman-contrib wrote:
> > they probably need to edit the .service file anyway
> 
> Why? Doesn't the service just call `paccache -r` which in turn reads
> pacman.conf?

Yeah, you’re right. I forgot that CacheDir can take multiple
directories.

v2 of patch 1 changes `ProtectSystem=strict` to `ProtectSystem=full`
which removes the need to specify ReadWritePaths. It can be demoted
further to `ProtectSystem=yes` if people use /etc/… as one of the cache
directories, or removed entirely if /usr/… or /boot/… or /efi/… are
used as cache paths. I guess /usr/local/… might be? /usr/local/ could be
added in as a ReadWritePaths if we want to support that while still
locking down /usr/ otherwise.

(Patch 2/2 still applies frictionlessly on top of patch 1 v2, so I
didn’t resend that.)
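
The trade-off in comment #3 between `ProtectSystem=` levels and cache locations, as an added example that is not part of the thread or of pacman-contrib: it reads `CacheDir` entries from pacman.conf text and reports the strongest level that keeps every cache directory writable without `ReadWritePaths=`. The function names and the sample configuration are constructed, and it assumes `CacheDir` may repeat and may list several whitespace-separated paths.

```python
import os

# Trees mounted read-only by each ProtectSystem= level, per systemd.exec(5).
# "strict" is absent: it makes everything read-only, so every cache
# directory would need its own ReadWritePaths= entry.
READ_ONLY = {
    "yes": ("/usr", "/boot", "/efi"),
    "full": ("/usr", "/boot", "/efi", "/etc"),
}
DEFAULT_CACHE = "/var/cache/pacman/pkg/"  # pacman.conf default

# Constructed sample, not a real system's pacman.conf.
SAMPLE_CONF = """[options]
#CacheDir = /etc/old-cache/
CacheDir = /var/cache/pacman/pkg/
CacheDir = /usr/local/pkgcache/
"""


def parse_cache_dirs(conf_text):
    """Collect CacheDir paths from pacman.conf text.

    Assumption: the directive may repeat and may list several
    whitespace-separated paths; Include files are not followed.
    """
    dirs = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "CacheDir":
            dirs.extend(value.split())
    return dirs or [DEFAULT_CACHE]


def blocked(cache_dirs, level):
    """Cache dirs left read-only at this level (lexical, no symlinks)."""
    def under(path, root):
        path = os.path.normpath(path)
        return path == root or path.startswith(root + "/")
    return [d for d in cache_dirs
            if any(under(d, r) for r in READ_ONLY[level])]


def strongest_level(cache_dirs):
    """Strongest level usable without ReadWritePaths=, else None."""
    for level in ("full", "yes"):
        if not blocked(cache_dirs, level):
            return level
    return None
```

A `None` result means even `ProtectSystem=yes` would block a cache directory; `blocked(dirs, "full")` then lists the paths that would need a `ReadWritePaths=` entry to keep the stronger setting.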

Daniel M. Capella July 28, 2021, 12:24 a.m. UTC | #4
Pushed, thank you!

On 7/9/21 6:10 AM, Frederik “Freso” S. Olesen via pacman-contrib wrote:
> The unit will be run in the background and is not essential for systems
> to operate, so giving it the lowest priority will help make it less
> disruptive on its system.
>
> Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
> ---
>   src/paccache.service.in | 7 +++++++
>   1 file changed, 7 insertions(+)
>
> diff --git a/src/paccache.service.in b/src/paccache.service.in
> index 0f71f5f..79b1c91 100644
> --- a/src/paccache.service.in
> +++ b/src/paccache.service.in
> @@ -4,6 +4,13 @@ Description=Remove unused cached package files
>   [Service]
>   Type=oneshot
>   ExecStart=@bindir@/paccache -r
> +# Lowering priority
> +OOMScoreAdjust=1000
> +Nice=19
> +CPUSchedulingPolicy=idle
> +CPUSchedulingPriority=1
> +IOSchedulingClass=idle
> +IOSchedulingPriority=7
>   # Sandboxing and other hardening
>   ProtectProc=invisible
>   ProcSubset=pid
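
Review bot: `CPUSchedulingPriority=1` does not fit `CPUSchedulingPolicy=idle` in the added block. The 1 to 99 priority range belongs to the real-time policies (fifo, rr), while the idle policy only accepts a priority of 0, so this line is at best ignored and may produce an out-of-range warning when the unit is parsed. Suggest dropping it. `Nice=19` is harmless but also has no influence on CPU scheduling once the idle policy is in effect, which may be worth a word in the comment.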

Patch

diff --git a/src/paccache.service.in b/src/paccache.service.in
index 0f71f5f..79b1c91 100644
--- a/src/paccache.service.in
+++ b/src/paccache.service.in
@@ -4,6 +4,13 @@  Description=Remove unused cached package files
 [Service]
 Type=oneshot
 ExecStart=@bindir@/paccache -r
+# Lowering priority
+OOMScoreAdjust=1000
+Nice=19
+CPUSchedulingPolicy=idle
+CPUSchedulingPriority=1
+IOSchedulingClass=idle
+IOSchedulingPriority=7
 # Sandboxing and other hardening
 ProtectProc=invisible
 ProcSubset=pid
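
Review bot: `IOSchedulingPriority=7` has no effect next to `IOSchedulingClass=idle`, because the 0 to 7 levels apply to the best-effort and realtime I/O classes and the idle class carries no priority data. Suggest removing it so the unit only lists settings that do something. The `# Lowering priority` comment could also note that `OOMScoreAdjust=1000` makes this process the preferred OOM-killer victim, since that is a different kind of setting from the scheduling ones grouped under it.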