We don't want `podman` pulling a new container image and updating without our consent. The image will already be there on the first start, since we pulled it in an Ansible task.
# Quadlet container unit for MinIO, rendered from a Jinja template.
# Template variables: minio_storage_path, minio_container_image,
# minio_version, minio_address (optional).
[Unit]
Description=MinIO Object Storage
Wants=network.target
After=network.target
# Do not start until the filesystem backing the data path is mounted.
RequiresMountsFor={{ minio_storage_path }}

# Settings for the container itself (translated by quadlet into the podman run command).
[Container]
Image={{ minio_container_image }}:{{ minio_version }}
# Never pull at start: the image is expected to be present already, so a
# missing or changed tag fails the unit instead of silently fetching a new image.
Pull=never
# Arguments appended to the image entrypoint; "--address" is only emitted when
# minio_address is defined and non-empty.
Exec=server {% if minio_address|d %}--address {{ minio_address }} {% endif %}/data --certs-dir /certs
# Run the container process as a fixed non-root UID/GID.
# NOTE(review): presumably 224 matches the host owner of minio_storage_path — confirm.
User=224
Group=224
# Environment file handed to podman for the container process.
# NOTE(review): presumably holds the MinIO credentials; keep it readable by root only.
EnvironmentFile=/etc/sysconfig/minio
# Data directory, read-write.
# NOTE(review): no :z/:Z option here, unlike the certs volume below; on an
# SELinux-enforcing host the directory must already carry a container-accessible
# label or access to /data is denied — confirm the provisioning step labels it.
Volume={{ minio_storage_path }}:/data:rw
# TLS material, read-only, relabelled (z) for container access.
Volume=/etc/minio/certs:/certs:ro,z
# Host networking: no port mapping and no network namespace isolation; the
# listen address is governed by --address in Exec above.
Network=host
NoNewPrivileges=yes

# systemd sandboxing for the service. These restrictions apply to the podman/conmon
# processes systemd launches on the host; the process inside the container runs in
# its own rootfs and is governed by the [Container] settings and podman defaults.
[Service]
# Reload by signalling the container; quadlet writes the container id to %t/%N.cid.
ExecReload=/usr/bin/podman kill -s HUP --cidfile %t/%N.cid
TimeoutStartSec=5min
Restart=always
MemoryDenyWriteExecute=yes
PrivateTmp=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
# Whole filesystem read-only for the service except the paths listed below.
ProtectSystem=strict
# NOTE(review): presumably writable so the z relabel of the certs volume can set
# SELinux xattrs even though the container mounts it read-only — confirm.
ReadWritePaths=/etc/minio/certs
# podman runtime state.
ReadWritePaths=/etc/containers/networks
ReadWritePaths=/run
ReadWritePaths=/var/lib/containers/storage
ReadWritePaths={{ minio_storage_path }}
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Files created by the service (e.g. the cidfile) are not readable by other users.
UMask=0077

[Install]
WantedBy=multi-user.target