From a6418ac53929c17af80c17e57fc28387db01c366 Mon Sep 17 00:00:00 2001
From: jedarden
Date: Tue, 28 Apr 2026 14:36:24 -0400
Subject: [PATCH] feat(bd-ch6.8): add systemd hardening limits to fabric-web.service

- MemoryMax=1536M, MemoryHigh=1200M (1.5GB hard limit, 1.2GB soft)
- CPUQuota=200% (max 2 cores)
- StartLimitInterval=120s, StartLimitBurst=5 (rate-limit restarts)
- Add --max-old-space-size=1024 to Node heap
- Add --heap-snapshots --snapshot-interval 30 for leak debugging

Prevents runaway memory/CPU from taking down the host. Watchdog already implemented in bd-ch6.6 (Type=notify, WatchdogSec=30).

Co-Authored-By: Claude Opus 4.7
Bead-Id: bd-ch6.8
---
 scripts/fabric-web.service | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/scripts/fabric-web.service b/scripts/fabric-web.service
index 4fc708a..a52f988 100644
--- a/scripts/fabric-web.service
+++ b/scripts/fabric-web.service
@@ -6,12 +6,23 @@ After=network.target
 Type=notify
 NotifyAccess=all
 WorkingDirectory=/home/coding/FABRIC
-ExecStart=/usr/bin/node dist/cli.js web --port 3000 --source /home/coding/.needle/logs --otlp-http :4318
+# Run with 1GB heap limit, enable heap snapshots for leak detection
+ExecStart=/usr/bin/node --max-old-space-size=1024 dist/cli.js web --port 3000 --source /home/coding/.needle/logs --otlp-http :4318 --heap-snapshots --snapshot-interval 30
 Restart=on-failure
 RestartSec=5
+# Rate limit restarts: 5 times within 2 minutes before entering failed state
+StartLimitInterval=120s
+StartLimitBurst=5
+# Watchdog: service must ping systemd via sd_notify WATCHDOG=1 every 15s (half of 30s WatchdogSec)
+# Implemented in src/web/server.ts with dynamic interval calculation
 WatchdogSec=30
 EnvironmentFile=/home/coding/.config/fabric/secrets.env
 Environment=NODE_ENV=production
+# Memory limits: 1.5GB max, will trigger OOM if exceeded
+MemoryMax=1536M
+MemoryHigh=1200M
+# CPU limit: max 2 cores (200%)
+CPUQuota=200%
 StandardOutput=journal
 StandardError=journal
 SyslogIdentifier=fabric-web
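Review bot: The new `ExecStart=` turns on periodic heap snapshots in the production unit, and a heap snapshot is a copy of the process heap, so it can contain whatever the service loaded from `EnvironmentFile=/home/coding/.config/fabric/secrets.env`. The hunk does not show where the snapshots are written, who can read them, or whether old ones are pruned; unless `dist/cli.js` already restricts that, I would keep the debugging flags out of the default unit and leave `ExecStart=/usr/bin/node --max-old-space-size=1024 dist/cli.js web --port 3000 --source /home/coding/.needle/logs --otlp-http :4318`, enabling snapshots through a temporary drop-in only while a leak is being investigated. Taking a snapshot also stalls the event loop and needs extra memory, so it may collide with `WatchdogSec=30` and `MemoryMax=1536M`; that is worth testing under load before relying on it. Separately, `StartLimitInterval=` is the legacy spelling: current systemd documents `StartLimitIntervalSec=120s` and `StartLimitBurst=5` under `[Unit]` (the section headers are outside this hunk, so confirm where these lines land).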