From: Tom Hughes <tom@compton.nu>
Date: Sun, 26 Feb 2017 12:11:07 +0000 (+0000)
Subject: Modernise mapserv-fcgi services
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/a709a7e459401578a1fab28d89ba644841c8a661?ds=sidebyside

Modernise mapserv-fcgi services
---

diff --git a/cookbooks/imagery/resources/layer.rb b/cookbooks/imagery/resources/layer.rb
index b1e7cc9d1..957e46b47 100644
--- a/cookbooks/imagery/resources/layer.rb
+++ b/cookbooks/imagery/resources/layer.rb
@@ -65,18 +65,23 @@ action :create do
 
   systemd_service "mapserv-fcgi-#{layer}" do
     description "Map server for #{layer} layer"
-    limit_nofile 16384
     environment "MS_MAPFILE" => "/srv/imagery/mapserver/layer-#{layer}.map",
                 "MS_MAP_PATTERN" => "^/srv/imagery/mapserver/",
                 "MS_DEBUGLEVEL" => "0",
                 "MS_ERRORFILE" => "stderr"
+    limit_nofile 16384
     user "imagery"
     group "imagery"
     exec_start_pre "/bin/rm -f /run/mapserver-fastcgi/layer-#{layer}.socket"
-    exec_start "/usr/bin/spawn-fcgi -s /run/mapserver-fastcgi/layer-#{layer}.socket -M 0666 -P /run/mapserver-fastcgi/layer-#{layer}.pid -- /usr/bin/multiwatch -f 6 --signal=TERM -- /usr/lib/cgi-bin/mapserv"
-    pid_file "/run/mapserver-fastcgi/layer-#{layer}.pid"
-    type "forking"
+    exec_start "/usr/bin/spawn-fcgi -n -s /run/mapserver-fastcgi/layer-#{layer}.socket -M 0666 -P /run/mapserver-fastcgi/layer-#{layer}.pid -- /usr/bin/multiwatch -f 6 --signal=TERM -- /usr/lib/cgi-bin/mapserv"
+    private_tmp true
+    private_devices true
+    private_network true
+    protect_system "full"
+    protect_home true
+    no_new_privileges true
     restart "always"
+    pid_file "/run/mapserver-fastcgi/layer-#{layer}.pid"
   end
 
   service "mapserv-fcgi-#{layer}" do