Systemd Deployment

PRISM can run as a native systemd service for bare-metal or VM deployments.

Package Installation

Debian / Ubuntu

sudo dpkg -i prism_1.0.0_amd64.deb

RHEL / Fedora / CentOS

sudo rpm -i prism-1.0.0-1.x86_64.rpm

Both packages install:

  • Binary: /usr/local/bin/prism
  • Config: /etc/prism/prism.toml
  • License: /etc/prism/license.key
  • Service: /etc/systemd/system/prism.service

Systemd Service File

[Unit]
Description=Trident PRISM Dynamic Rendering Proxy
After=network-online.target
Wants=network-online.target
StartLimitIntervalSec=60
StartLimitBurst=5

[Service]
Type=simple
User=prism
Group=prism
ExecStart=/usr/local/bin/prism --config /etc/prism/prism.toml
Restart=on-failure
RestartSec=5

# Graceful shutdown: send SIGTERM, wait for drain
KillMode=mixed
TimeoutStopSec=45

# Environment
Environment=RUST_LOG=info

# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictSUIDSGID=true
LockPersonality=true

# Resource limits
MemoryMax=2G
TasksMax=512

# Allow Chrome to use /dev/shm
ReadWritePaths=/dev/shm

# Config and license are read-only
ReadOnlyPaths=/etc/prism

[Install]
WantedBy=multi-user.target

Setup

Create Service User

sudo useradd --system --no-create-home --shell /usr/sbin/nologin prism

Install Chrome

PRISM requires Chromium or Google Chrome. Install the system package:

# Debian/Ubuntu
sudo apt install chromium-browser

# RHEL/Fedora
sudo dnf install chromium

Configure

Edit /etc/prism/prism.toml with your origin and settings. Place your license key at /etc/prism/license.key.

Enable and Start

sudo systemctl daemon-reload
sudo systemctl enable prism
sudo systemctl start prism

Check Status

sudo systemctl status prism
sudo journalctl -u prism -f

Security Hardening Explained

Directive                    Purpose
NoNewPrivileges=true         Prevents privilege escalation via setuid binaries
ProtectSystem=strict         Mounts the filesystem read-only except explicitly allowed paths
ProtectHome=true             Makes /home, /root, /run/user inaccessible
PrivateTmp=true              Isolates /tmp and /var/tmp
ProtectKernelTunables=true   Denies write access to /proc and /sys kernel tunables
ProtectKernelModules=true    Prevents loading kernel modules
RestrictAddressFamilies      Only allows IPv4, IPv6, and Unix sockets
RestrictNamespaces=true      Prevents creating new namespaces
LockPersonality=true         Locks the execution domain
MemoryMax=2G                 Hard memory limit -- OOM-killed if exceeded
TasksMax=512                 Limits the number of threads/processes
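Unit files get edited locally (drop-ins, hand tweaks during debugging), and a single weakened directive silently widens the sandbox. The following script is an added example, not part of the PRISM package or its documentation: it parses the systemd unit-file syntax and reports every directive from the table above that is missing or weaker than the shipped prism.service. The two unit texts inside it are constructed for the example, and the checks are this example's own, not a PRISM tool.

```python
"""Verify that a PRISM unit file carries the documented hardening directives.

Added example, not part of PRISM or its documentation. Parses systemd unit
syntax ([Section] headers, Key=Value lines, '#'/';' comments) and lists every
documented directive that is missing or set to a weaker value than the
shipped prism.service. The sample unit texts below are constructed.
"""

# Directives from the hardening table, with the value the shipped unit uses.
EXPECTED = {
    "NoNewPrivileges": "true",
    "ProtectSystem": "strict",
    "ProtectHome": "true",
    "PrivateTmp": "true",
    "ProtectKernelTunables": "true",
    "ProtectKernelModules": "true",
    "ProtectControlGroups": "true",
    "RestrictNamespaces": "true",
    "RestrictSUIDSGID": "true",
    "LockPersonality": "true",
}
ALLOWED_FAMILIES = {"AF_INET", "AF_INET6", "AF_UNIX"}  # what the shipped unit permits
TRUE_VALUES = {"true", "yes", "on", "1"}  # spellings systemd accepts for booleans


def parse_unit(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicate keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def _matches(got, want):
    return got.lower() in TRUE_VALUES if want == "true" else got.lower() == want


def check_hardening(unit_text):
    """Return findings; an empty list means the unit matches the documented baseline."""
    # systemd honours the last assignment of a scalar setting, so dict() keeping
    # the last value mirrors what the service would actually run with.
    service = dict(parse_unit(unit_text).get("Service", []))
    findings = []
    if service.get("User", "root") == "root":
        findings.append("User: service would run as root")
    for key, want in EXPECTED.items():
        got = service.get(key)
        if got is None:
            findings.append(f"{key}: missing")
        elif not _matches(got, want):
            findings.append(f"{key}: {got!r}, expected {want!r}")
    families = service.get("RestrictAddressFamilies")
    if families is None:
        findings.append("RestrictAddressFamilies: missing")
    else:
        extra = sorted(set(families.split()) - ALLOWED_FAMILIES)
        if extra:
            findings.append(f"RestrictAddressFamilies: permits {' '.join(extra)}")
    for key in ("MemoryMax", "TasksMax"):
        if key not in service:
            findings.append(f"{key}: missing (no resource limit)")
    return findings


# Constructed sample mirroring the [Service] section of the documented unit.
HARDENED_UNIT = """
[Service]
Type=simple
User=prism
Group=prism
ExecStart=/usr/local/bin/prism --config /etc/prism/prism.toml
# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictSUIDSGID=true
LockPersonality=true
MemoryMax=2G
TasksMax=512
"""

# Constructed sample of a unit that has drifted from the baseline after local edits.
DRIFTED_UNIT = (HARDENED_UNIT
                .replace("ProtectSystem=strict", "ProtectSystem=full")
                .replace("NoNewPrivileges=true\n", "")
                .replace("AF_INET AF_INET6 AF_UNIX", "AF_INET AF_INET6 AF_UNIX AF_PACKET"))

if __name__ == "__main__":
    for name, unit in (("hardened", HARDENED_UNIT), ("drifted", DRIFTED_UNIT)):
        print(name, check_hardening(unit) or ["ok"])
```

Run it against the installed unit by reading /etc/systemd/system/prism.service into check_hardening; on the host itself, `systemd-analyze security prism` gives systemd's own exposure score for the same directives and is a good cross-check.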

Log Management

PRISM logs to stdout/stderr, which systemd captures in the journal. For JSON-structured logging, set in /etc/prism/prism.toml:

[logging]
format = "json"
level = "info"

To export the unit's journal entries to a file (the redirection must run with root privileges, since the shell, not sudo, opens the file):

sudo sh -c 'journalctl -u prism -o cat >> /var/log/prism/prism.log'

Or configure journald forwarding to syslog/rsyslog for centralized log management.
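Plain-text export loses the metadata the journal already holds (priority, source, timestamp), which is exactly what a collector needs to alert on an OOM kill or a restart loop. The script below is an added example, not PRISM's own tooling: it reads the JSON form of the journal (`journalctl -u prism -o json`, one object per line with the standard MESSAGE, PRIORITY, SYSLOG_IDENTIFIER and __REALTIME_TIMESTAMP fields), tallies entries by syslog level, and picks out systemd's own lifecycle notices. The sample lines are constructed for the example; the systemd-style messages are modelled on real notices, not captured output.

```python
"""Triage PRISM journal entries exported as JSON (journalctl -u prism -o json).

Added example, not part of PRISM or its documentation. journald's JSON export
writes one object per line; the fields read here (MESSAGE, PRIORITY as a
syslog level string 0..7, SYSLOG_IDENTIFIER, __REALTIME_TIMESTAMP in
microseconds since the epoch) are standard journal fields. The sample lines
below are constructed; the systemd-style notices are modelled on real
messages but are not captured output.
"""
import json
from datetime import datetime, timezone

# Constructed sample: what the export might contain when the MemoryMax=2G
# limit is hit and Restart=on-failure brings the service back.
SAMPLE_JOURNAL = "\n".join(json.dumps(rec) for rec in [
    {"__REALTIME_TIMESTAMP": "1700000000000000", "PRIORITY": "6",
     "SYSLOG_IDENTIFIER": "prism", "MESSAGE": "proxy ready"},
    {"__REALTIME_TIMESTAMP": "1700000300000000", "PRIORITY": "3",
     "SYSLOG_IDENTIFIER": "prism", "MESSAGE": "render timed out for /products/42"},
    {"__REALTIME_TIMESTAMP": "1700000360000000", "PRIORITY": "4",
     "SYSLOG_IDENTIFIER": "systemd",
     "MESSAGE": "prism.service: A process of this unit has been killed by the OOM killer."},
    {"__REALTIME_TIMESTAMP": "1700000365000000", "PRIORITY": "6",
     "SYSLOG_IDENTIFIER": "systemd",
     "MESSAGE": "prism.service: Scheduled restart job, restart counter is at 1."},
])


def parse_journal(text):
    """Turn journalctl -o json output into a list of normalised entry dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        msg = rec.get("MESSAGE", "")
        if msg is None:
            msg = ""  # journalctl emits null for fields over 4 KiB unless --all is given
        elif isinstance(msg, list):
            msg = bytes(msg).decode("utf-8", "replace")  # byte array for non-UTF-8 payloads
        entries.append({
            "time": datetime.fromtimestamp(
                int(rec["__REALTIME_TIMESTAMP"]) / 1_000_000, tz=timezone.utc),
            "priority": int(rec.get("PRIORITY", "6")),
            "source": rec.get("SYSLOG_IDENTIFIER", "?"),
            "message": msg,
        })
    return entries


def summarize(entries):
    """Count entries per syslog level and pick out systemd's lifecycle notices."""
    by_priority = {}
    oom_kills = restarts = 0
    for e in entries:
        by_priority[e["priority"]] = by_priority.get(e["priority"], 0) + 1
        if e["source"] == "systemd":
            if "OOM killer" in e["message"]:
                oom_kills += 1
            elif "Scheduled restart job" in e["message"]:
                restarts += 1
    return {
        "by_priority": by_priority,
        # syslog levels 0..3 are emerg, alert, crit and err
        "errors_or_worse": sum(n for p, n in by_priority.items() if p <= 3),
        "oom_kills": oom_kills,
        "restarts": restarts,
    }


def to_flat_line(e):
    """Render one entry as a single syslog-like line for a file or log shipper."""
    return f"{e['time'].isoformat()} prio={e['priority']} {e['source']}: {e['message']}"


if __name__ == "__main__":
    entries = parse_journal(SAMPLE_JOURNAL)
    for e in entries:
        print(to_flat_line(e))
    print(summarize(entries))
```

To run it on a live export, replace SAMPLE_JOURNAL with `sys.stdin.read()` and pipe `journalctl -u prism -o json` into the script; a non-zero `oom_kills` count is the signal that the MemoryMax limit, not the application, ended the process.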