Fix systemd configs (#18135)

RajatGupta02 · Rajat Gupta · web-flow · commit 82348c4eb568 · 2025-04-29T06:04:16.000-04:00
Signed-off-by: Rajat Gupta &lt;gptrajat@amazon.com&gt;
Co-authored-by: Rajat Gupta &lt;gptrajat@amazon.com&gt;
diff --git a/distribution/packages/src/common/systemd/opensearch.service b/distribution/packages/src/common/systemd/opensearch.service
@@ -26,6 +26,9 @@ WorkingDirectory=/usr/share/opensearch
 User=opensearch
 Group=opensearch
 
+ExecStartPre=/bin/mkdir -p /dev/shm/performanceanalyzer
+ExecStartPre=/bin/chown opensearch:opensearch /dev/shm/performanceanalyzer
+
 ExecStart=/usr/share/opensearch/bin/systemd-entrypoint -p ${PID_DIR}/opensearch.pid --quiet
 
 # StandardOutput is configured to redirect to journalctl since
@@ -130,6 +133,7 @@ RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 
 ReadWritePaths=/var/log/opensearch
 ReadWritePaths=/var/lib/opensearch
+ReadWritePaths=/dev/shm/
 ReadWritePaths=-/etc/opensearch
 ReadWritePaths=-/mnt/snapshots
 
@@ -149,17 +153,25 @@ RestrictNamespaces=true
 NoNewPrivileges=true
 
 # Memory and execution protection
-MemoryDenyWriteExecute=true           # Prevent creating writable executable memory mappings
-SystemCallArchitectures=native        # Allow only native system calls
-KeyringMode=private                   # Service does not share key material with other services
-LockPersonality=true                  # Prevent changing ABI personality
-RestrictSUIDSGID=true                 # Prevent creating SUID/SGID files
-RestrictRealtime=true                 # Prevent acquiring realtime scheduling
-ProtectHostname=true                  # Prevent changes to system hostname
-ProtectKernelLogs=true                # Prevent reading/writing kernel logs
-ProtectClock=true                     # Prevent tampering with the system clock
+
+# Allow only native system calls
+SystemCallArchitectures=native
+# Service does not share key material with other services
+KeyringMode=private
+# Prevent changing ABI personality
+LockPersonality=true
+# Prevent creating SUID/SGID files
+RestrictSUIDSGID=true
+# Prevent acquiring realtime scheduling
+RestrictRealtime=true
+# Prevent changes to system hostname
+ProtectHostname=true
+# Prevent reading/writing kernel logs
+ProtectKernelLogs=true
+# Prevent tampering with the system clock
+ProtectClock=true
 
 [Install]
 WantedBy=multi-user.target
 
-# Built for ${project.name}-${project.version} (${project.name})
+# Built for ${project.name}-${project.version} (${project.name})
