mediawiki: Actually allow AF_UNIX.

[chef.git] / cookbooks / mediawiki / recipes / default.rb

diff --git a/cookbooks/mediawiki/recipes/default.rb b/cookbooks/mediawiki/recipes/default.rb
index 0295c413fad56f3e8c174d5910d2b3e5d9efc089..59638e4e97c6852ced9f8b76b1840b6d7d9fb0e4 100644 (file)
--- a/cookbooks/mediawiki/recipes/default.rb
+++ b/cookbooks/mediawiki/recipes/default.rb
@@ -85,7 +85,7 @@ systemd_service "mediawiki-sitemap@" do
   exec_start "/usr/bin/php -d memory_limit=2048M -d error_reporting=22517 /srv/%i/w/maintenance/generateSitemap.php --server=https://%i --urlpath=https://%i/ --fspath=/srv/%i --quiet --skip-redirects"
   user node[:mediawiki][:user]
   nice 10
-  sandbox true
+  sandbox :enable_network => true
   memory_deny_write_execute false
   restrict_address_families "AF_UNIX"
   read_write_paths "/srv/%i"
@@ -101,7 +101,7 @@ systemd_service "mediawiki-jobs@" do
   exec_start "/usr/bin/php -d memory_limit=2048M -d error_reporting=22517 /srv/%i/w/maintenance/runJobs.php --server=https://%i --maxtime=175 --memory-limit=2048M --procs=8 --nothrottle --quiet"
   user node[:mediawiki][:user]
   nice 10
-  sandbox true
+  sandbox :enable_network => true
   memory_deny_write_execute false
   restrict_address_families "AF_UNIX"
   read_write_paths "/srv/%i"
@@ -121,6 +121,7 @@ systemd_service "mediawiki-email-jobs@" do
   sandbox :enable_network => true
   memory_deny_write_execute false
   restrict_address_families "AF_UNIX"
+  read_write_paths "/srv/%i"
 end
 
 systemd_timer "mediawiki-email-jobs@" do
@@ -134,9 +135,10 @@ systemd_service "mediawiki-refresh-links@" do
   exec_start "/usr/bin/php -d memory_limit=2048M -d error_reporting=22517 /srv/%i/w/maintenance/refreshLinks.php --server=https://%i --memory-limit=2048M --quiet"
   user node[:mediawiki][:user]
   nice 10
-  sandbox true
+  sandbox :enable_network => true
   memory_deny_write_execute false
   restrict_address_families "AF_UNIX"
+  read_write_paths "/srv/%i"
 end
 
 systemd_timer "mediawiki-refresh-links@" do