#!/usr/bin/bash
#
# Create httpd systemd override for CRIU compatibility.
# Called from criu.service ExecStartPre on first start.
# On CL10+ this relaxes sandboxing that blocks checkpoint/restore;
# on CL7-CL9 these directives are harmless no-ops (the defaults
# are already "no" when not set in the service file).
#

OVERRIDE_DIR="/etc/systemd/system/httpd.service.d"
OVERRIDE_FILE="${OVERRIDE_DIR}/cloudlinux-criu-override.conf"

if [ -f "$OVERRIDE_FILE" ]; then
    exit 0
fi

mkdir -p "$OVERRIDE_DIR"

cat > "$OVERRIDE_FILE" << 'EOF'
[Service]
# CRIU checkpoint/restore needs access to kernel module paths, kernel logs,
# kernel tunables, and writable system directories.
ProtectKernelModules=no
ProtectKernelLogs=no
ProtectKernelTunables=no
ProtectSystem=no
EOF

systemctl daemon-reload
