systemg 0.33.0

A simple process manager.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124

---
title: Security
---

# Security

Defense-in-depth security features for production deployments.

## Principle of least privilege

Services drop to minimum required permissions:

```yaml
services:
  web:
    command: "./server"
    user: "www-data"
    capabilities:
      - CAP_NET_BIND_SERVICE  # Only what's needed
```

## Current features

### Capabilities (Linux)

Services retain only specified capabilities:

```yaml
capabilities:
  - CAP_NET_BIND_SERVICE  # Bind ports < 1024
  - CAP_SYS_NICE          # Adjust priority
  - CAP_DAC_READ_SEARCH   # Read any file
```

### Resource limits

Prevent resource exhaustion:

```yaml
limits:
  nofile: 65536      # Max file descriptors
  nproc: 1024        # Max processes
  memlock: "100M"    # Locked memory
  cgroup:
    memory_max: "2G"
    cpu_max: "100000 50000"  # 1 CPU
```

### Namespace isolation

Isolate from host system:

```yaml
isolation:
  network: true  # Private network
  pid: true      # Private process tree
  mount: true    # Private mounts
  user: true     # User namespace
```

## Upcoming features

| Feature | Status | Purpose |
|---------|--------|---------|
| `seccomp` | Planned | System call filtering |
| `apparmor_profile` | Planned | Mandatory access control |
| `selinux_context` | Planned | SELinux labels |
| `private_devices` | In progress | Device isolation |
| `private_tmp` | In progress | Temp directory isolation |

## Best practices

### Run unprivileged when possible

```bash
# User mode (default)
$ sysg start

# System mode (only when needed)
$ sudo sysg --sys start
```

### Drop privileges immediately

```yaml
services:
  nginx:
    command: "nginx"
    user: "www-data"  # Drops root after binding port 80
```

`--drop-privileges` affects child service spawning (`start`/`restart`) and does
not change privileges for read-only control commands.

### Isolate untrusted workloads

```yaml
services:
  untrusted:
    command: "./third-party-app"
    user: "nobody"
    isolation:
      network: true
      pid: true
    limits:
      cgroup:
        memory_max: "100M"
```

## Troubleshooting

**Permission denied on namespace creation**
- Add `CAP_SYS_ADMIN` capability

**Cgroup write failures in containers**
- Set `limits.cgroup.root` to writable path

**Socket activation with systemd**
- systemg preserves `LISTEN_FDS` automatically

## See also

- [Privileged Mode](how-it-works/privileged-mode) - System-level features
- [Configuration](how-it-works/configuration) - Security options