Set Up Your Blackcoin Client As A Systemd Service!
Systemd services are very useful for programs that are intended to run all the time. If your system restarts, or something causes the client to crash, it will restart automatically. Systemd also offers simple switches for adding security features, as you will see below.
The example is a systemd blackmored.service file, but you can alter it into a blackmore-qt.service file by removing blackmored -daemon and substituting blackmore-qt if you prefer. Or, run both as described in Running blackmore-qt and blackmore-cli at the same time!
I keep my blackmored binary in /etc/blackmore/ and have a symlink to /usr/local/bin/ in order to execute the files from my path. You can skip the symlink, but if you want to use ProtectHome you need to keep the files outside of your home directory. Adjust the path to your liking. Ditto for the
Note: Because your files are not in the default position, you will need to call blackmore-cli with -datadir every time!
If you use blackmore-cli from the terminal, set up an alias to simplify your life. You can check out the article about Using Blackcoin From The Command Line if you need guidance.
```ini
[Unit]
Description=Blackmore daemon
After=network.target

[Service]
ExecStart=/usr/local/bin/blackmored -daemon -conf=/var/lib/.blackmore/blackmore.conf -datadir=/var/lib/.blackmore
ExecStop=/usr/local/bin/blackmored stop
User=daniel
Restart=on-failure

# Because it's a daemon process
Type=forking

# Hardening
NoNewPrivileges=true
ProtectHome=true
ProtectSystem=full
PrivateTmp=true
PrivateDevices=true
MemoryDenyWriteExecute=true

[Install]
WantedBy=multi-user.target
```
Several useful settings are implemented like this. The two most useful and general ones are ProtectHome= and ProtectSystem=. The first uses an unshared mount namespace to make /home either read-only or entirely inaccessible. The second is about protecting /etc. A third also useful but very specific setting is PrivateTmp=. It uses mount namespaces to make a private directory visible as /var/tmp for the service. The service's temporary files are hidden from other users to avoid any issues due to filename collisions or wrong permissions. (citation)
You can read more from the command:

```
systemd-analyze security blackmored.service | grep ✓
```
This will show you:

```
✓ User=/DynamicUser= Service runs under a static non-root user identity
✓ CapabilityBoundingSet=~CAP_RAWIO Service has no raw I/O access
✓ DeviceAllow= Service has a minimal device ACL
✓ KeyringMode= Service doesn't share key material with other services
✓ NoNewPrivileges= Service processes cannot acquire new privileges
✓ NotifyAccess= Service child processes cannot alter service state
✓ PrivateDevices= Service has no access to hardware devices
✓ PrivateMounts= Service cannot install system mounts
✓ PrivateTmp= Service has no access to other software's temporary files
✓ ProtectHome= Service has no access to home directories
✓ AmbientCapabilities= Service process does not receive ambient capabilities
✓ CapabilityBoundingSet=~CAP_MKNOD Service cannot create device nodes
✓ SupplementaryGroups= Service has no supplementary groups
✓ Delegate= Service does not maintain its own delegated control group subtree
✓ MemoryDenyWriteExecute= Service cannot create writable executable memory mappings
```
Remove the grep to see everything! It's a lot!
You can make things more complicated, but this will offer better security and more convenience than just running blackmore-qt standalone.
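The ProtectHome caveat above (the files must live outside your home directory) can be checked before the unit is enabled. The following is an added example, not code from the original page or from the Blackcoin project: it parses a unit's [Service] section and lists every path on the ExecStart/ExecStop lines that ProtectHome=true would hide (/home, /root and /run/user). The function names and the HOME_UNIT variant are constructed for illustration, and shlex only approximates systemd's own word splitting.

```python
import shlex

# Paths that ProtectHome=true makes inaccessible to the service (see systemd.exec).
HIDDEN_DIRS = ("/home", "/root", "/run/user")
TRUE_VALUES = ("1", "yes", "true", "on")

# The [Service] lines that matter here, copied from the unit on this page.
PAGE_UNIT = """\
[Service]
ExecStart=/usr/local/bin/blackmored -daemon -conf=/var/lib/.blackmore/blackmore.conf -datadir=/var/lib/.blackmore
ExecStop=/usr/local/bin/blackmored stop
# Hardening
ProtectHome=true
"""
# Constructed failure case: same unit, data directory moved into a home directory.
HOME_UNIT = PAGE_UNIT.replace("/var/lib/.blackmore", "/home/daniel/.blackmore")

def parse_service(text):
    """Return {key: [values]} for the [Service] section of a unit file."""
    settings, in_service = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("["):
            in_service = line == "[Service]"
        elif in_service and "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings

def hidden_paths(text):
    """List paths on Exec* lines that ProtectHome=true would hide."""
    service = parse_service(text)
    if service.get("ProtectHome", ["no"])[-1].lower() not in TRUE_VALUES:
        return []
    found = []
    for key in ("ExecStart", "ExecStop"):
        for command in service.get(key, []):
            for word in shlex.split(command):
                # "-datadir=/x" -> "/x"; also drops Exec prefixes such as "-" or "@"
                path = word.lstrip("-@:+!").split("=", 1)[-1]
                if any(path == d or path.startswith(d + "/") for d in HIDDEN_DIRS):
                    found.append(path)
    return found

if __name__ == "__main__":
    print("page unit:", hidden_paths(PAGE_UNIT))
    print("home unit:", hidden_paths(HOME_UNIT))
```

An empty list means none of the paths the service is started with sit under a directory that ProtectHome=true hides.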