Add Systemd Service for Deployment

[bupd]

• Fixes: Systemd Service Unit for Satellite #246

Description

Production-ready systemd service for Harbor Satellite with security hardening, multiple authentication methods, and optional container runtime integration.

Changes

• Main service file with strict security (~9.0/10 security score)
• Multi-instance template service
• Automated installation script
• Drop-in overrides for SPIRE dependency and CRI mirroring
• Environment templates for all 4 auth methods
• Complete documentation (installation, configuration, troubleshooting)

Additional context

none

---

Summary by cubic

Adds a production‑ready systemd deployment for Harbor Satellite with strict sandboxing, multi‑instance support, and optional CRI mirroring. Ships an install script, hardened units, auth env templates, and complete docs for setup and operations.

• New Features

  • Systemd units: harbor-satellite.service and harbor-satellite@.service with journald logging, restart policy, and hardened sandbox (~9/10; ~6.5/10 with mirroring).
  • Automated installer: creates user/group, dirs, installs binary and unit, and seeds a config template.
  • Drop-ins: SPIRE agent dependency, CRI mirroring privileges, and per‑CRI mirror configs (Docker, containerd, Podman).
  • Auth templates: token, SPIFFE join-token, SPIFFE x509pop, SPIFFE sshpop.
  • Docs: installation, configuration, monitoring, troubleshooting, upgrades, and multi‑instance guidance.

• Migration

  • Build the binary, then run: sudo ./deploy/systemd/install-satellite.sh ./satellite.
  • Edit /etc/harbor-satellite/satellite.env to set GROUND_CONTROL_URL and TOKEN or SPIFFE settings.
  • Enable and start: sudo systemctl enable --now harbor-satellite.service.
  • Optional: enable CRI mirroring by copying 20-cri-mirroring.conf and a 30-mirrors-*.conf drop‑in; this relaxes security.

^{Written for commit d414989. Summary will update on new commits.}

Summary by CodeRabbit

• New Features
  • Harbor Satellite can now be deployed as a systemd service with production-grade security hardening.
  • Support for multiple authentication methods: token-based and SPIFFE variants.
  • Container runtime mirroring for Docker, Podman, and containerd.
  • Automated installation script simplifies deployment setup.
  • Multi-instance deployment support with comprehensive documentation and configuration examples.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds comprehensive systemd integration for Harbor Satellite including hardened service unit files, drop-in configuration templates for SPIFFE authentication and CRI mirroring, environment variable examples, a detailed production-focused README, and an automated installer script for non-root service deployment.

Changes

Cohort / File(s)	Summary
Documentation deploy/systemd/README.md	Production-focused guide covering systemd integration, security hardening, multiple authentication methods (token, SPIFFE variants), CRI mirroring, multi-instance support, service management, troubleshooting, monitoring, and upgrade paths.
Service Units deploy/systemd/harbor-satellite.service, deploy/systemd/harbor-satellite@.service	Hardened systemd service files with strict security isolation (ProtectSystem, PrivateUsers, SystemCallFilter, CapabilityBoundingSet), resource protections (MemoryDenyWriteExecute, ProtectClock), proper restart/restart behavior, and per-instance support.
Drop-in Configurations deploy/systemd/examples/10-spire-dependency.conf, deploy/systemd/examples/20-cri-mirroring.conf, deploy/systemd/examples/30-mirrors-*.conf	Modular drop-in fragments enabling SPIRE dependency, CRI mirroring with relaxed security settings, and registry mirroring for containerd, Docker, and Podman.
Environment Templates deploy/systemd/examples/satellite.env.example, deploy/systemd/examples/spiffe-*.env, deploy/systemd/examples/token-auth.env	Configuration templates documenting required and optional environment variables for token-based and SPIFFE-based (join-token, x509pop, sshpop) authentication methods.
Installation Script deploy/systemd/install-satellite.sh	Bash installer automating binary installation, systemd service setup, user/directory creation, environment file templating, systemd reload, and next-steps guidance.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~28 minutes

Suggested labels

enhancement, documentation

Suggested reviewers

• amands98

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 7.69% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Add Systemd Service for Deployment' clearly and concisely summarizes the main change—introducing a systemd service for Harbor Satellite deployment.
Linked Issues check	✅ Passed	The PR fully satisfies issue #246 objectives: provides systemd unit files (harbor-satellite.service and harbor-satellite@.service), non-root user configuration, automatic restart, journald logging, environment file support, proper dependencies, installation script, example configurations, and comprehensive documentation.
Out of Scope Changes check	✅ Passed	All changes are directly related to implementing systemd service deployment: service files, installation script, environment templates, drop-in configurations, and documentation. No unrelated or extraneous changes detected.
Description check	✅ Passed	The pull request description comprehensively addresses the required template sections with detailed changes, clear objectives, and context.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codacy-production]

Codacy's Analysis Summary

50 new issues (≤ 0 issue)
0 new security issue

Review Pull Request in Codacy →

✨ AI Reviewer available: add the codacy-review label to get contextual insights without leaving GitHub.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@deploy/systemd/examples/satellite.env.example`:
- Around line 42-47: Update the comment block in
deploy/systemd/examples/satellite.env.example that references the drop-in
filename: instead of saying "Create a 30-mirrors.conf drop-in" update the text
and the ExecStart example to reference the actual example filenames (e.g.,
30-mirrors-containerd.conf, 30-mirrors-docker.conf, 30-mirrors-podman.conf) so
the note and the ExecStart example match the provided drop-in files and avoid
confusion when following the instructions.

In `@deploy/systemd/README.md`:
- Around line 578-583: The added StartLimitBurst and StartLimitIntervalSec
directives were placed under the [Service] section but belong in the [Unit]
section for systemd >=230; move the two directives (StartLimitBurst,
StartLimitIntervalSec) from the [Service] block into the [Unit] block in the
README's example (matching how they appear in harbor-satellite.service) so
drop-in snippets created with systemctl edit use the correct section.

🧹 Nitpick comments (3)

deploy/systemd/install-satellite.sh (2)

82-90: Config directory permissions prevent harbor-satellite group access to the env file.

Line 84-85: the directory is chown root:root and chmod 750, so only root (and root-group members) can traverse it. Line 123 installs the env file as root:harbor-satellite with 640, implying the service group should be able to read it. While systemd reads EnvironmentFile as PID 1 (root) so the service itself isn't affected, this makes manual debugging as the service user impossible (e.g., sudo -u harbor-satellite cat /etc/harbor-satellite/satellite.env).

Consider chown root:$SERVICE_GROUP for the directory as well:

Proposed fix

     ## Config directory (root owned, group readable by service)
     mkdir -p "$INSTALL_CONFIG_DIR"
-    chown root:root "$INSTALL_CONFIG_DIR"
+    chown root:"$SERVICE_GROUP" "$INSTALL_CONFIG_DIR"
     chmod 750 "$INSTALL_CONFIG_DIR"

---

103-112: Installer only installs the single-instance service file; the template unit is omitted.

The README documents multi-instance deployment via harbor-satellite@.service, but the installer only copies harbor-satellite.service. Users who want multi-instance need to manually install the template unit. Consider adding an optional step or a flag (e.g., --multi-instance) to also install harbor-satellite@.service.

deploy/systemd/README.md (1)

49-49: Codacy flags multiple Markdown list formatting issues.

Static analysis reports many instances of "Lists should be surrounded by blank lines" throughout this file (e.g., lines 49, 129, 165, 189, 266, etc.). These are CommonMark style nits where numbered list items adjacent to code blocks lack surrounding blank lines. Consider adding blank lines around list items that precede or follow fenced code blocks for stricter Markdown compliance, or suppress these rules if the project doesn't enforce them.

Also applies to: 129-129, 165-177

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Minor: drop-in filename in comment doesn't match actual example filenames.

Line 46 references 30-mirrors.conf, but the actual example files in this PR are named 30-mirrors-containerd.conf, 30-mirrors-docker.conf, and 30-mirrors-podman.conf. Consider updating the reference to avoid confusion.

Suggested fix

-## 2. Create a 30-mirrors.conf drop-in to override ExecStart with --mirrors flags
-## Example: ExecStart=/opt/harbor-satellite/satellite --mirrors=containerd:docker.io,quay.io
+## 2. Install a 30-mirrors-<runtime>.conf drop-in to override ExecStart with --mirrors flags
+## See examples: 30-mirrors-containerd.conf, 30-mirrors-docker.conf, 30-mirrors-podman.conf

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	## NOTE: CRI Mirroring Configuration
	## The --mirrors flag is NOT supported via environment variables
	## To enable container runtime mirroring:
	## 1. Install the 20-cri-mirroring.conf drop-in (see README)
	## 2. Create a 30-mirrors.conf drop-in to override ExecStart with --mirrors flags
	## Example: ExecStart=/opt/harbor-satellite/satellite --mirrors=containerd:docker.io,quay.io
	## NOTE: CRI Mirroring Configuration
	## The --mirrors flag is NOT supported via environment variables
	## To enable container runtime mirroring:
	## 1. Install the 20-cri-mirroring.conf drop-in (see README)
	## 2. Install a 30-mirrors-<runtime>.conf drop-in to override ExecStart with --mirrors flags
	## See examples: 30-mirrors-containerd.conf, 30-mirrors-docker.conf, 30-mirrors-podman.conf

🤖 Prompt for AI Agents

In `@deploy/systemd/examples/satellite.env.example` around lines 42 - 47, Update
the comment block in deploy/systemd/examples/satellite.env.example that
references the drop-in filename: instead of saying "Create a 30-mirrors.conf
drop-in" update the text and the ExecStart example to reference the actual
example filenames (e.g., 30-mirrors-containerd.conf, 30-mirrors-docker.conf,
30-mirrors-podman.conf) so the note and the ExecStart example match the provided
drop-in files and avoid confusion when following the instructions.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

StartLimitBurst/StartLimitIntervalSec should be under [Unit], not [Service].

The base service file correctly places these in [Unit] (lines 6-7 of harbor-satellite.service). In systemd 230+, these directives belong in [Unit]. While systemd may accept them in [Service] for backward compat, a drop-in created via systemctl edit should use the correct section to be consistent and avoid ambiguity.

Proposed fix

-[Service]
+[Unit]
 StartLimitBurst=10
 StartLimitIntervalSec=600

🤖 Prompt for AI Agents

In `@deploy/systemd/README.md` around lines 578 - 583, The added StartLimitBurst
and StartLimitIntervalSec directives were placed under the [Service] section but
belong in the [Unit] section for systemd >=230; move the two directives
(StartLimitBurst, StartLimitIntervalSec) from the [Service] block into the
[Unit] block in the README's example (matching how they appear in
harbor-satellite.service) so drop-in snippets created with systemctl edit use
the correct section.

[cubic-dev-ai]

No issues found across 14 files