package/haveged: change systemd service file to run earlier

Drop default dependencies, haveged needs nothing but local sockets and /dev/random. The service file now mostly matches the upstream Fedora file, except a lot of isolation options have been dropped. The benefit for a completely controlled system is small, and those option would pull in dependencies, delaying entropy being filled up. Signed-off-by: Norbert Lange <nolange79@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-06-10 00:41:15 +02:00 · 2020-06-10 00:41:15 +02:00 · d872a9dbba
commit d872a9dbba
parent cf8162ce51
1 changed files with 17 additions and 5 deletions
--- a/package/haveged/haveged.service
+++ b/package/haveged/haveged.service
@ -1,10 +1,22 @@
 [Unit]
-Description=Entropy Harvesting Daemon
-Documentation=man:haveged(8)
+# inspiration from upstream init.d/service.fedora
+Description=Entropy Daemon based on the HAVEGE algorithm
+Documentation=man:haveged(8) http://www.issihosts.com/haveged/
+DefaultDependencies=no
+# This would wait for filesystems, but we only need /dev/random, which
+# is certainly available after systemd initialised
+# After=systemd-tmpfiles-setup-dev.service
+Before=sysinit.target shutdown.target systemd-journald.service

 [Service]
-ExecStart=/usr/sbin/haveged -F -w 1024 -v 1
-SuccessExitStatus=143
+ExecStart=/usr/sbin/haveged -w 1024 -v 1 --Foreground
+Restart=always
+SuccessExitStatus=137 143
+
+# Only simple isolation methods that don't pull in dependencies
+CapabilityBoundingSet=CAP_SYS_ADMIN
+SecureBits=noroot-locked
+ProtectSystem=full

 [Install]
-WantedBy=multi-user.target
+WantedBy=sysinit.target