From 5706d38c1efac614dab126676053daaf6a2f9308 Mon Sep 17 00:00:00 2001
From: openoms
Date: Mon, 20 Dec 2021 14:09:24 +0000
Subject: [PATCH] #2827 improve lnd.service files

added:
ExecStop=/usr/local/bin/lncli -n=${CHAIN} --rpcserver localhost:1${rpcportmod}009 stop
PIDFile=/home/bitcoin/.lnd/${netprefix}lnd.pid
Restart=on-failure # was always
Type=notify # was simple
MemoryDenyWriteExecute=true

Increased timeouts:
TimeoutStartSec=1200
TimeoutStopSec=3600
---
 home.admin/assets/lnd.service | 44 +++++++++++++++++----
 home.admin/config.scripts/lnd.install.sh | 50 +++++++++++++++++++-----
 2 files changed, 77 insertions(+), 17 deletions(-)

diff --git a/home.admin/assets/lnd.service b/home.admin/assets/lnd.service
index 523bc7940..10d679318 100644
--- a/home.admin/assets/lnd.service
+++ b/home.admin/assets/lnd.service
@@ -1,8 +1,11 @@
 # RaspiBlitz: systemd unit for lnd
+# based on https://github.com/lightningnetwork/lnd/blob/master/contrib/init/lnd.service
 [Unit]
-Description=LND Lightning Daemon
-Wants=bitcoind.service
+Description=Lightning Network Daemon
+
+# Make sure lnd starts after bitcoind is ready
+Requires=bitcoind.service
 After=bitcoind.service
 # for use with sendmail alert
@@ -11,22 +14,47 @@ After=bitcoind.service
 [Service]
 ExecStartPre=-/home/admin/config.scripts/lnd.check.sh prestart mainnet
 ExecStart=/usr/local/bin/lnd --configfile=/home/bitcoin/.lnd/lnd.conf
+ExecStop=/usr/local/bin/lncli stop
 PIDFile=/home/bitcoin/.lnd/lnd.pid
+
 User=bitcoin
 Group=bitcoin
-LimitNOFILE=128000
-Type=simple
-TimeoutSec=180
-Restart=always
+
+# Try restarting lnd if it stops due to a failure
+Restart=on-failure
 RestartSec=60
+
+# Type=notify is required for lnd to notify systemd when it is ready
+Type=notify
+
+# An extended timeout period is needed to allow for database compaction
+# and other time intensive operations during startup. We also extend the
+# stop timeout to ensure graceful shutdowns of lnd.
+TimeoutStartSec=1200
+TimeoutStopSec=3600
+
+LimitNOFILE=128000
 StandardOutput=null
 StandardError=journal
-# Hardening measures
-PrivateTmp=true
+# Hardening Measures
+####################
+
+# Mount /usr, /boot/ and /etc read-only for the process.
 ProtectSystem=full
+
+# Disallow the process and all of its children to gain
+# new privileges through execve().
 NoNewPrivileges=true
+
+# Use a new /dev namespace only populated with API pseudo devices
+# such as /dev/null, /dev/zero and /dev/random.
 PrivateDevices=true
+# Deny the creation of writable and executable memory mappings.
+MemoryDenyWriteExecute=true
+
+PrivateTmp=true
+
 [Install]
 WantedBy=multi-user.target
\ No newline at end of file
diff --git a/home.admin/config.scripts/lnd.install.sh b/home.admin/config.scripts/lnd.install.sh
index ca6d8ecfc..8222da6f5 100644
--- a/home.admin/config.scripts/lnd.install.sh
+++ b/home.admin/config.scripts/lnd.install.sh
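Review bot: `ExecStop=/usr/local/bin/lncli stop` is not failure-tolerant, so whenever the RPC server cannot serve the stop call at stop time (lnd still starting up, or — if lnd only opens the main RPC after the wallet is unlocked — a locked wallet) lncli exits non-zero, systemd still terminates lnd with KillSignal but records the unit as failed; `ExecStop=-/usr/local/bin/lncli stop` keeps the graceful path and lets the signal fallback count as a clean stop. `Type=notify` together with `TimeoutStartSec=1200` also means systemd kills lnd if no READY=1 arrives within 20 minutes; if lnd sends that notification only after wallet unlock, a node without auto-unlock will be killed and, through `Restart=on-failure`, restarted in a roughly 21-minute loop — worth confirming against the lnd version RaspiBlitz ships and stating next to the Type= line. `PIDFile=` is meant for Type=forking; with notify systemd already tracks the main PID, so as far as I can tell the line is redundant here. Finally, the move from `Restart=always` to `on-failure` means a clean exit (for example a manual `lncli stop`) now leaves the service down until it is started again, which any RaspiBlitz script that relied on the automatic restart should be checked for.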
@@ -275,29 +275,61 @@ bitcoin.node=bitcoind
 # systemd service
 removeParallelService
 echo "# Create /etc/systemd/system/.lnd.service"
+ # based on https://github.com/lightningnetwork/lnd/blob/master/contrib/init/lnd.service
 echo "
 [Unit]
-Description=LND on $CHAIN
+Description=Lightning Network Daemon on $CHAIN
+
+# Make sure lnd starts after bitcoind is ready
+Requires=${netprefix}bitcoind.service
+After=${netprefix}bitcoind.service
 [Service]
-User=bitcoin
-Group=bitcoin
-Type=simple
 EnvironmentFile=/mnt/hdd/raspiblitz.conf
+
 ExecStartPre=-/home/admin/config.scripts/lnd.check.sh prestart ${CHAIN}
 ExecStart=/usr/local/bin/lnd --configfile=/home/bitcoin/.lnd/${netprefix}lnd.conf
-Restart=always
-TimeoutSec=240
-RestartSec=30
+ExecStop=/usr/local/bin/lncli -n=${CHAIN} --rpcserver localhost:1${rpcportmod}009 stop
+PIDFile=/home/bitcoin/.lnd/${netprefix}lnd.pid
+
+User=bitcoin
+Group=bitcoin
+
+# Try restarting lnd if it stops due to a failure
+Restart=on-failure
+RestartSec=60
+
+# Type=notify is required for lnd to notify systemd when it is ready
+Type=notify
+
+# An extended timeout period is needed to allow for database compaction
+# and other time intensive operations during startup. We also extend the
+# stop timeout to ensure graceful shutdowns of lnd.
+TimeoutStartSec=1200
+TimeoutStopSec=3600
+
 StandardOutput=null
 StandardError=journal
-# Hardening measures
-PrivateTmp=true
+# Hardening Measures
+####################
+
+# Mount /usr, /boot/ and /etc read-only for the process.
 ProtectSystem=full
+
+# Disallow the process and all of its children to gain
+# new privileges through execve().
 NoNewPrivileges=true
+
+# Use a new /dev namespace only populated with API pseudo devices
+# such as /dev/null, /dev/zero and /dev/random.
 PrivateDevices=true
+# Deny the creation of writable and executable memory mappings.
+MemoryDenyWriteExecute=true
+
+PrivateTmp=true
+
 [Install]
 WantedBy=multi-user.target
 " | sudo tee /etc/systemd/system/${netprefix}lnd.service
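Review bot: The added comment `# Make sure lnd starts after bitcoind is ready` promises more than `Requires=`/`After=` deliver: After= only orders lnd behind the completion of bitcoind's start job, which for a simple-type unit is process spawn rather than RPC availability or chain sync, so actual readiness presumably still rests on the `lnd.check.sh prestart` step above; suggest `# Start after ${netprefix}bitcoind.service and stop/restart together with it (After= orders on unit start-up, not on bitcoind RPC being ready)`. The unit body written here is a near-verbatim copy of home.admin/assets/lnd.service from the previous hunk and the two already differ (`prestart mainnet`, `--rpcserver`), so every future hardening change has to be applied twice; generating the mainnet unit from this same template would remove that drift. Since lnd's writable state appears to live entirely under /home/bitcoin/.lnd, `ProtectSystem=strict` with `ReadWritePaths=/home/bitcoin/.lnd` would be a tighter sandbox than `full`, but if .lnd is a symlink onto the HDD the resolved target must be listed too, so verify the layout before tightening. Because the double-quoted echo is expanded at install time, `${CHAIN}` and `${rpcportmod}` in ExecStop are frozen into the generated unit rather than read through EnvironmentFile — intended, but worth a one-line comment since the unit also loads raspiblitz.conf.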