
Privileged Mode

Run services with system-level privileges when needed.

When to use

Enable privileged mode to:

  • Bind to ports < 1024
  • Run services as different users
  • Apply resource limits
  • Use Linux capabilities
  • Create cgroups or namespaces

Start with privileges

$ sudo sysg --sys start --daemonize

The --sys flag moves state to system directories:

  • /var/lib/systemg/ - Runtime state
  • /var/log/systemg/ - Logs
  • /etc/systemg/ - Configuration

Configuration

services:
  web:
    command: "./server"
    user: "www-data"
    group: "www-data"
    supplementary_groups: ["www-logs"]
    limits:
      nofile: 65536
      nproc: 4096
      memlock: "512M"
      nice: -5
      cpu_affinity: [0, 1]
      cgroup:
        memory_max: "512M"
        cpu_max: "200000 100000"
    capabilities:
      - CAP_NET_BIND_SERVICE
      - CAP_SYS_NICE
    isolation:
      network: true
      pid: true

User and groups

Drop privileges to specific users:

services:
  nginx:
    command: "nginx -g 'daemon off;'"
    user: "www-data"
    group: "www-data"

The service binds port 80 while still privileged and then runs as www-data.
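The order in which a supervisor gives up root is the part that matters for security: group changes need root, so they must happen before the user change, and the user change must be verified as irreversible before the service is exec'd. The following is an added example in Python, not systemg's own code; the function names, the SERVICE dict (built from the nginx service above plus the supplementary_groups key from the full configuration) and the dry-run "plan" shape are this example's own conventions.

```python
import grp
import os
import pwd

# Constructed sample mirroring the nginx service above, plus the
# supplementary_groups key from the full configuration block.
SERVICE = {
    "command": "nginx -g 'daemon off;'",
    "user": "www-data",
    "group": "www-data",
    "supplementary_groups": ["www-logs"],
}


def resolve_identity(user, group=None, supplementary_groups=()):
    """Turn names into numeric ids before anything is dropped.

    Resolving first matters twice over: an unknown name must abort the
    start instead of silently leaving the service as root, and the
    lookups themselves may need files an unprivileged process cannot read.
    """
    pw = pwd.getpwnam(user)  # KeyError if the user does not exist
    gid = grp.getgrnam(group).gr_gid if group else pw.pw_gid
    extra = [grp.getgrnam(g).gr_gid for g in supplementary_groups]
    return pw.pw_uid, gid, extra


def plan_privilege_drop(uid, gid, extra_gids):
    """Ordered syscalls for the drop, as (os function name, args) pairs.

    The order is the security point: setgroups() and setgid() require
    root, so they must run before setuid(); setuid() goes last because
    it is the call that removes the ability to do the others.
    """
    groups = tuple(sorted(set(extra_gids) | {gid}))
    return [
        ("setgroups", (groups,)),  # explicit list, never the inherited one
        ("setgid", (gid,)),
        ("setuid", (uid,)),        # as root this sets real, effective and saved uid
    ]


def drop_and_verify(plan):
    """Apply the plan (needs root), then prove the drop is irreversible.

    Returns True only when a later attempt to become uid 0 is refused;
    a supervisor should refuse to exec the service otherwise.
    """
    for name, args in plan:
        getattr(os, name)(*args)
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False  # still able to regain root: the drop did not take


if __name__ == "__main__":
    uid, gid, extra = resolve_identity(SERVICE["user"], SERVICE["group"],
                                       SERVICE["supplementary_groups"])
    for step in plan_privilege_drop(uid, gid, extra):
        print(step)
```

Printing the plan works as any user on a host where www-data and www-logs exist; drop_and_verify() only does anything useful when run as root in a child process just before exec. Retaining capabilities such as CAP_NET_BIND_SERVICE across the setuid() call is a separate mechanism (keep-caps or ambient capabilities) that this example does not implement.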

Resource limits

Control system resources per service:

Field          Description
nofile         Max open files
nproc          Max processes
memlock        Locked memory
nice           Priority (-20 to 19)
cpu_affinity   Pin to CPU cores

Capabilities

Retain specific capabilities after dropping root:

capabilities:
  - CAP_NET_BIND_SERVICE # Bind to privileged ports
  - CAP_SYS_NICE # Adjust process priority

Cgroups v2

Limit memory and CPU usage:

limits:
  cgroup:
    memory_max: "512M"
    cpu_max: "200000 100000" # 2 CPUs

Namespaces

Isolate services from the host:

isolation:
  network: true # Private network namespace
  pid: true # Private PID namespace
  mount: true # Private mount namespace

Examples

Web server on port 80

services:
  web:
    command: "./myapp"
    user: "appuser"
    capabilities:
      - CAP_NET_BIND_SERVICE

Database with resource limits

services:
  postgres:
    command: "postgres"
    user: "postgres"
    limits:
      nofile: 100000
      cgroup:
        memory_max: "4G"
