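# systemd unit for the StellaOps Zastava Agent (container runtime monitor).
# Runs the agent as an unprivileged user with a sandboxed filesystem view and
# no Linux capabilities; its access to the container runtime comes from the
# Docker socket (see "User and permissions" below).

[Unit]
Description=StellaOps Zastava Agent - Container Runtime Monitor
Documentation=https://docs.stellaops.org/zastava/agent/
# Ordering only: start after the network and both runtimes if they are present.
After=network-online.target docker.service containerd.service
Wants=network-online.target
# Hard dependency: the agent is stopped/restarted together with docker.service.
Requires=docker.service

[Service]
# Type=notify: systemd waits for the agent's READY=1 notification before
# treating the unit as started.
Type=notify
ExecStart=/opt/stellaops/zastava-agent/StellaOps.Zastava.Agent
WorkingDirectory=/opt/stellaops/zastava-agent
Restart=always
RestartSec=5

# Environment configuration
# The leading "-" makes a missing file non-fatal. systemd reads this file
# itself before dropping privileges, so it does not need to be readable by the
# service user; if it carries credentials (not visible here), root:root 0600
# is sufficient.
EnvironmentFile=-/etc/stellaops/zastava-agent.env
Environment=DOTNET_ENVIRONMENT=Production
Environment=ASPNETCORE_ENVIRONMENT=Production

# User and permissions
# Membership in the docker group grants full use of the Docker API through the
# socket, which is equivalent to root on the host. The sandboxing below limits
# what the agent process can do directly, not what it can ask dockerd to do.
# NOTE(review): Group= sets docker as the *primary* group, so files the agent
# creates are group-owned by docker. A dedicated primary group together with
# SupplementaryGroups=docker would keep socket access without that side
# effect, provided such a group is provisioned by the installer.
User=zastava-agent
Group=docker

# Security hardening
NoNewPrivileges=true
# strict: the whole filesystem is read-only for the service except the paths
# listed under ReadWritePaths= (plus /dev, /proc and /sys).
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictSUIDSGID=true
# Further sandboxing that an unprivileged monitoring daemon normally does not
# need to opt out of; confirm against the agent's smoke tests.
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true
LockPersonality=true
SystemCallArchitectures=native
# MemoryDenyWriteExecute= is intentionally not set: the .NET JIT needs
# writable+executable mappings and fails to start with it enabled.

# Writable paths under ProtectSystem=strict
# The Docker socket entry is not read-only access: the agent connects to the
# socket and can issue any API call the docker group permits. Restricting the
# agent to read-only operations has to happen in front of the Docker API, not
# in this unit.
ReadWritePaths=/var/run/docker.sock
# Agent state directory; it must exist before start or the unit fails while
# setting up its mount namespace.
ReadWritePaths=/var/lib/zastava-agent

# Capabilities
# Empty values drop every capability from the bounding and ambient sets.
CapabilityBoundingSet=
AmbientCapabilities=

# Resource limits
LimitNOFILE=65536
LimitNPROC=4096
# Hard cgroup memory ceiling; the agent is OOM-killed (and then restarted by
# Restart=always) if it exceeds it.
MemoryMax=512M

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=zastava-agent

# Watchdog (5 minute timeout)
# The agent has to send WATCHDOG=1 keep-alives more often than this interval;
# otherwise systemd terminates it and Restart=always brings it back.
WatchdogSec=300

[Install]
WantedBy=multi-user.target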