Modern versions of Podman use Netavark, which needs to write various files on the host file system (even when the container uses the host's network namespace).
# Podman Quadlet unit for MinIO object storage (Jinja template: the
# double-brace / brace-percent markers are rendered before the file is
# installed; everything else is plain systemd/Quadlet syntax).
# Full-line "#" comments only: systemd does not support trailing comments.
[Unit]
Description=MinIO Object Storage
Wants=network-online.target
After=network-online.target
# Do not start until the data volume's mount point is available.
RequiresMountsFor={{ minio_storage_path }}

# Quadlet section; translated by the generator into the podman run command.
[Container]
Image={{ minio_container_image }}:{{ minio_version }}
# Arguments after the image: optional bind address, then the in-container
# data directory and TLS certificate directory (the container side of the
# two Volume= mounts below).
Exec=server {% if minio_address|d %}--address {{ minio_address }} {% endif %}/data --certs-dir /certs
# Run the MinIO process as a fixed non-root UID/GID inside the container.
# The host-side storage path has to be writable by this id; that is not
# arranged here.
User=224
Group=224
# Host file read by podman and passed into the container environment.
# Presumably carries the MinIO credentials, so it should stay root-only
# readable on the host — confirm against the deployment that writes it.
EnvironmentFile=/etc/sysconfig/minio
# Data directory: read-write, private SELinux label (upper-case Z).
Volume={{ minio_storage_path }}:/data:rw,Z
# TLS material: read-only in the container, shared label (lower-case z) so
# the host can keep using the same files.
Volume=/etc/minio/certs:/certs:ro,z
# No network namespace: MinIO binds directly on the host's interfaces, so
# nothing here restricts which addresses it is reachable on.
Network=host
# no_new_privileges for the container process (no setuid/capability gain).
NoNewPrivileges=yes

# Hardening for the host-side podman/conmon process tree.  The seccomp based
# settings (MemoryDenyWriteExecute, RestrictRealtime, RestrictSUIDSGID) are
# expected to carry over into the container process as well — verify.
[Service]
# Reload by signalling the container; the cidfile is the one Quadlet
# writes under the service's runtime directory.
ExecReload=/usr/bin/podman kill -s HUP --cidfile %t/%N.cid
# Generous start timeout, presumably to allow for an initial image pull.
TimeoutStartSec=5min
Restart=always
MemoryDenyWriteExecute=yes
PrivateTmp=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
# Whole host filesystem read-only for the service, except the paths listed
# below.  Repeated ReadWritePaths= lines accumulate (systemd list semantics).
ProtectSystem=strict
# The cert directory is mounted with the shared relabel flag (z), which
# rewrites SELinux labels on the host files and so needs write access here
# even though the container sees it read-only — TODO confirm this is the
# only reason it is writable.
ReadWritePaths=/etc/minio/certs
# Netavark writes files here even with Network=host.
ReadWritePaths=/etc/containers/networks
# Runtime state (cidfile, conmon/podman sockets, pid and lock files).
ReadWritePaths=/run
# Image and container storage.
ReadWritePaths=/var/lib/containers/storage
# The data volume itself.
ReadWritePaths={{ minio_storage_path }}
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Files the service creates (e.g. the cidfile) are owner-only.
UMask=0077

[Install]
WantedBy=multi-user.target