Volt CLI: source-available under AGPSL v5.0
Complete infrastructure platform CLI: - Container runtime (systemd-nspawn) - VoltVisor VMs (Neutron Stardust / QEMU) - Stellarium CAS (content-addressed storage) - ORAS Registry - GitOps integration - Landlock LSM security - Compose orchestration - Mesh networking Copyright (c) Armored Gates LLC. All rights reserved. Licensed under AGPSL v5.0
73
configs/systemd/volt-vm@.service
Normal file
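--- a/configs/systemd/volt-vm@.service
+++ b/configs/systemd/volt-vm@.service
@@ -0,0 +1,73 @@
+# Volt VM SystemD Unit Template
+# Usage: systemctl start volt-vm@myvm.service
+
+[Unit]
+Description=Volt VM %i
+Documentation=https://voltvisor.io
+After=network.target volt-runtime.service
+Requires=volt-runtime.service
+Wants=volt-network.service
+
+[Service]
+Type=notify
+NotifyAccess=all
+
+# VM Runtime
+ExecStartPre=/usr/bin/volt-runtime prepare %i
+ExecStart=/usr/bin/volt-runtime run %i
+ExecStop=/usr/bin/volt-runtime stop %i
+ExecStopPost=/usr/bin/volt-runtime cleanup %i
+
+# Restart policy
+Restart=on-failure
+RestartSec=5s
+TimeoutStartSec=30s
+TimeoutStopSec=30s
+
+# Resource limits via cgroups v2
+# These are defaults, overridden per-VM in drop-in files
+MemoryMax=512M
+MemoryHigh=400M
+CPUQuota=100%
+TasksMax=4096
+IOWeight=100
+
+# Security hardening
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectClock=yes
+RestrictNamespaces=no
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=no
+RemoveIPC=yes
+
+# Capabilities
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SETUID CAP_SETGID CAP_MKNOD
+AmbientCapabilities=
+
+# Namespaces (used for VM isolation)
+PrivateUsers=yes
+PrivateNetwork=no
+PrivateMounts=yes
+
+# Filesystem restrictions
+ReadWritePaths=/var/lib/volt/vms/%i
+ReadOnlyPaths=/var/lib/volt/kernels /var/lib/volt/images
+InaccessiblePaths=/home /root
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=volt-vm-%i
+
+[Install]
+WantedBy=multi-user.target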