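# SPDX-License-Identifier: LGPL-2.1-or-later
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

# Template unit: %i is the instance name, used here as the journal namespace.
# The {{...}} tokens are not systemd syntax; presumably they are substituted
# when the unit file is generated at build time.
# NOTE(review): no User= and no filesystem sandboxing (ProtectSystem=,
# ProtectHome=, PrivateTmp=, ...) is set in this file. Check the effective
# exposure with "systemd-analyze security" before tightening or loosening
# anything below.

[Unit]
Description=Journal Service for Namespace %i
Documentation=man:systemd-journald.service(8) man:journald.conf(5)
# Both per-namespace socket units are pulled in and must be started first.
Requires=systemd-journald@%i.socket systemd-journald-varlink@%i.socket
After=systemd-journald@%i.socket systemd-journald-varlink@%i.socket

[Service]
# Bounding set: capabilities not listed here can never be acquired. The list
# is still broad (CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE, ...), so
# treat any addition as a security-relevant change.
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
# Only the standard pseudo-devices (/dev/null, /dev/zero, ...) are reachable.
DevicePolicy=closed
ExecStart={{ROOTLIBEXECDIR}}/systemd-journald %i
# Lets the service park file descriptors with the service manager so they
# survive a restart of the daemon.
FileDescriptorStoreMax=4224
Group=systemd-journal
# No IP traffic at all; see also RestrictAddressFamilies= below.
IPAddressDeny=any
LockPersonality=yes
# Resolves to /var/log/journal/<machine-id>.<namespace>. The directory is
# created by the service manager with the setgid bit and is listable by all
# users (mode 02755).
LogsDirectory=journal/%m.%i
LogsDirectoryMode=02755
# Blocks creating memory mappings that are both writable and executable.
MemoryDenyWriteExecute=yes
# The service and its children cannot gain privileges through execve().
NoNewPrivileges=yes
# Socket creation is limited to local (AF_UNIX) and netlink sockets.
RestrictAddressFamilies=AF_UNIX AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# /run/systemd/journal.<namespace>; kept when the service stops or restarts.
RuntimeDirectory=systemd/journal.%i
RuntimeDirectoryPreserve=yes
Sockets=systemd-journald@%i.socket
# Syscall allow-list: only the native ABI and the @system-service group.
# A filtered call fails with EPERM instead of killing the process.
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
Type=notify
# Build-time placeholder; presumably expands to the watchdog setting.
{{SERVICE_WATCHDOG}}

# If there are many split up journal files we need a lot of fds to access them
# all in parallel.
LimitNOFILE={{HIGH_RLIMIT_NOFILE}}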