# anyscan-worker-only.service — systemd unit for the agentd worker daemon
# (presumably the worker-only deployment profile, judging by the file name;
# the control-plane side is not described here). Read by systemd; `#`
# full-line comments only, `=` delimiter, no inline comments.
[Unit]
Description=Remote Agent
# Start only once the network is up and the agentd-tunnel unit has been
# started. Wants= (rather than Requires=) means a failed tunnel unit does
# not stop this worker from starting — NOTE(review): confirm that is the
# intended behaviour for a worker that reaches its registry via the tunnel.
After=network-online.target agentd-tunnel.service
Wants=network-online.target agentd-tunnel.service
# Service execution, privilege and sandbox settings for the worker.
[Service]
Type=simple
# Main daemon runs unprivileged; the `+`-prefixed helper commands below are
# the only things in this unit that run as root.
User=agentd
Group=agentd
WorkingDirectory=/opt/agentd
# Leading `-` on EnvironmentFile= makes a missing file non-fatal. NOTE(review):
# /var/lib/agentd is this unit's StateDirectory= and is listed in
# ReadWritePaths=, so agent.env there is writable by the unprivileged agentd
# user — yet EnvironmentFile= also shapes the environment handed to the
# root-run `+` ExecStartPre=/ExecStopPost= helpers below. Confirm those
# helpers do not take PATH or other behaviour-affecting variables from the
# environment, or move agent.env to a root-owned, non-writable location.
EnvironmentFile=-/etc/agentd/runtime.env
EnvironmentFile=-/var/lib/agentd/agent.env
# Reserve egress bandwidth for control-plane heartbeats so a saturated zmap
# scan cannot starve agentd off the worker registry. Runs as root (the `+`
# prefix bypasses User=/AmbientCapabilities=) and fails-open: the script
# itself returns 0 even if tc/iptables policy rejects the change.
ExecStartPre=+/opt/agentd/bin/reserve-control-bandwidth.sh apply
# Bump kernel queues + NIC txqueuelen so the scanner is not throttled by
# default sysctl values when it pushes >500k pps. Idempotent and
# fail-open. The `-+` prefix runs as root (so sysctl writes bypass
# ProtectKernelTunables=true) AND tells systemd to ignore failures, so a
# partial upgrade that has not yet shipped the helper does not block the
# worker from starting; the persistent /etc/sysctl.d drop-in still gets
# reapplied at the next boot or remote update.
ExecStartPre=-+/opt/agentd/bin/tune-scanner-host.sh apply
# Release the bandwidth reservation on every stop, clean or not (ExecStopPost=
# runs after the main process exits for any reason). Also root via `+`; the
# same environment caveat as above applies to this invocation.
ExecStopPost=+/opt/agentd/bin/reserve-control-bandwidth.sh release
ExecStart=/opt/agentd/bin/agentd daemon
# Always come back after an exit, after a 5 second pause.
Restart=always
RestartSec=5
# No setuid/fscaps escalation for the daemon or anything it execs; the
# capabilities it needs are granted explicitly via AmbientCapabilities=.
NoNewPrivileges=true
# CAP_BPF is required for the AF_XDP I/O path the scanner gains in
# Phase 2 of plans/2026-04-27-portscan-afxdp-plan-v1.md (§4.4): opening an
# XSK socket and attaching libxdp's default redirect program both go
# through the bpf() syscall. The scanner only opens an XSK when invoked
# with --io-engine=af_xdp; AF_PACKET (the default) does not need CAP_BPF,
# so granting it here is purely a runtime gate that lets workers opt in
# via ANYSCAN_SCANNER_IO_ENGINE without a unit file refresh. CAP_BPF is
# scoped narrowly: it does not imply CAP_SYS_ADMIN or kernel-module load
# rights. Older (<5.8) kernels collapse it into CAP_SYS_ADMIN and the
# capability bits we set here are simply ignored — the install-time
# probe in install-worker-bundle.sh refuses to enable af_xdp on those
# hosts so the unit-file grant has no effect there either.
# Bounding set equals the ambient set, so nothing beyond these three
# capabilities can be regained by the daemon or its children.
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_BPF
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_BPF
# Filesystem / kernel-surface sandbox. Note these namespacing options do not
# apply to the `+` helpers above. NOTE(review): directives not set here that
# would further narrow the daemon without obviously conflicting with the
# AF_PACKET/AF_XDP paths — RestrictNamespaces=, ProtectKernelLogs=,
# ProtectClock=, ProtectHostname=, RestrictRealtime=,
# SystemCallArchitectures=native, and a RestrictAddressFamilies= list
# covering only the families the scanner actually opens — are worth
# evaluating against the scanner's real socket usage before adding.
PrivateTmp=true
PrivateDevices=true
# Whole filesystem read-only except the paths granted below.
ProtectSystem=strict
ProtectHome=true
ProtectControlGroups=true
ProtectKernelTunables=true
ProtectKernelModules=true
RestrictSUIDSGID=true
LockPersonality=true
MemoryDenyWriteExecute=true
# Writable state lives only under /var/lib/agentd (StateDirectory= creates it
# owned by User=/Group= above); RuntimeDirectory= provides /run/agentd.
ReadWritePaths=/var/lib/agentd
StateDirectory=agentd
RuntimeDirectory=agentd
# High fd ceiling for the scanner's many concurrent sockets.
LimitNOFILE=65536
# Enabled as part of the normal multi-user boot target.
[Install]
WantedBy=multi-user.target