Drop MountFlags=shared (the assumption that it propagated fuse mounts
to host was incorrect on systemd 257 with ProtectSystem+ReadWritePaths).
Restore PrivateTmp=true (was dropped in 593611e for fuse propagation
that did not work). Rewrite the comment block to describe the new
model: mounts go through the left4me-overlay helper which nsenters
into PID 1's mount namespace, so the unit's mount-ns layout is no
longer load-bearing.
Update the three user-facing READMEs (root, l4d2host, deploy) to drop
fuse-overlayfs / fusermount3 prereqs and call out the kernel overlayfs
mount path through the privileged helper.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
# systemd unit for the left4me web frontend (gunicorn). Read by systemd, so
# only full-line '#' comments are safe; repeated keys accumulate or override
# per systemd.exec(5)/systemd.service(5).
[Unit]
Description=left4me web application
# Order after (and pull in) network-online.target so the 0.0.0.0 bind below
# happens once interfaces are up. Wants= keeps this a soft dependency: the
# unit still starts on hosts where no network manager provides the target.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Dedicated unprivileged account. Anything privileged is delegated to the
# sudo helpers listed in the NoNewPrivileges comment below rather than being
# granted to this process directly.
User=left4me
Group=left4me
WorkingDirectory=/opt/left4me
# HOME is redirected into the service's own state directory (also the only
# path in ReadWritePaths= below) so nothing is written under /opt or /home.
Environment=HOME=/var/lib/left4me
# Venv bin dir first so the gunicorn/python from /opt/left4me/.venv win; the
# system sbin dirs are kept because the sudo helpers are resolved via PATH.
Environment=PATH=/opt/left4me/.venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE(review): these files are read by systemd (as root) and their contents
# land in the process environment, where any child — including the sudo
# helpers — inherits them. Presumably they carry credentials for the web app;
# keep them root-owned and group-readable only (e.g. root:left4me 0640) and
# do not place them under a ReadWritePaths= directory. Confirm against the
# deploy README.
EnvironmentFile=/etc/left4me/host.env
EnvironmentFile=/etc/left4me/web.env
# Single gunicorn master with one 32-thread worker.
# NOTE(review): --bind 0.0.0.0:8000 listens on every interface, with no TLS
# at this layer. If the app is meant to sit behind a reverse proxy (which the
# lack of TLS options suggests), bind 127.0.0.1:8000 or a unix socket instead
# and let the proxy terminate TLS; otherwise make sure the host firewall
# restricts :8000. Confirm the intended topology before changing this.
ExecStart=/opt/left4me/.venv/bin/gunicorn --workers 1 --threads 32 --bind 0.0.0.0:8000 'l4d2web.app:create_app()'
# Restart only on a non-zero exit / signal, after a short back-off, so a
# crash loop does not hammer the host (systemd's StartLimit* defaults still
# apply on top of this).
Restart=on-failure
RestartSec=3
# NoNewPrivileges intentionally not set: the worker invokes sudo to run
# the left4me-systemctl, left4me-journalctl, and left4me-overlay
# privileged helpers, all setuid via sudo.
# CAUTION: per systemd.exec(5), many hardening directives implicitly turn on
# NoNewPrivileges= for a service that sets User= — among them
# ProtectKernelTunables=, ProtectKernelModules=, ProtectKernelLogs=,
# ProtectClock=, PrivateDevices=, RestrictSUIDSGID=, RestrictRealtime=,
# RestrictNamespaces=, RestrictAddressFamilies=, SystemCallFilter=,
# SystemCallArchitectures=, MemoryDenyWriteExecute= and LockPersonality=
# (the exact set depends on the systemd version). Adding any of them here
# would make the kernel ignore sudo's setuid bit and break all three
# helpers, so re-check with `systemd-analyze security <unit>` after any
# hardening change rather than assuming the sudo path still works.
# ProtectSystem=full + ReadWritePaths implicitly give this unit a private
# mount namespace, but mount visibility no longer depends on it: overlay
# mounts are performed by the left4me-overlay helper, which nsenters into
# PID 1's mount namespace, so the resulting mount lives in the host
# namespace where the per-instance gameserver units can see it.
# ProtectSystem=full makes /usr, /boot, /efi and /etc read-only for this
# process; /var stays writable, so the ReadWritePaths= line below is
# effectively a no-op at this level and only becomes load-bearing if this is
# ever raised to ProtectSystem=strict. Keep it so that upgrade stays a
# one-line change.
ProtectSystem=full
ReadWritePaths=/var/lib/left4me
# Private /tmp and /var/tmp for this unit (restored after 593611e dropped it
# for a fuse-propagation workaround that did not work). NOTE(review): the
# private /tmp is not visible from PID 1's mount namespace, so presumably any
# path under /tmp handed to the left4me-overlay helper (or expected by the
# gameserver units) will not resolve there — keep shared scratch files under
# /var/lib/left4me instead. Confirm against the helper's argument handling.
PrivateTmp=true

[Install]
WantedBy=multi-user.target