authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 01:22:32 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 01:22:32 +0000
commit0bbc0c292e607f3a40017a23d237c5d44eb30783 (patch)
tree550fdcacb3ba2f56c4a9cf93cab9581fd9b3ab97 /debian/netdata-core.netdata.service
parentAdding upstream version 1.12.0. (diff)
Adding debian version 1.12.0-1+deb10u1.debian/1.12.0-1+deb10u1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/netdata-core.netdata.service')
-rw-r--r--debian/netdata-core.netdata.service52
1 files changed, 52 insertions, 0 deletions
diff --git a/debian/netdata-core.netdata.service b/debian/netdata-core.netdata.service
new file mode 100644
index 0000000..64bbabd
--- /dev/null
+++ b/debian/netdata-core.netdata.service
@@ -0,0 +1,52 @@
+# netdata systemd target
+
+[Unit]
+Description=netdata - Real-time performance monitoring
+Documentation=man:netdata
+Documentation=file:///usr/share/doc/netdata/html/index.html
+Documentation=https://github.com/netdata/netdata
+After=network-online.target httpd.service squid.service nfs-server.service mysqld.service named.service postfix.service
+ConditionPathExists=/etc/netdata/netdata.conf
+
+[Service]
+Type=simple
+Environment="netdata_LOG_LOCATION=/var/log/netdata/log"
+ExecStart=/usr/sbin/netdata -D
+TimeoutStopSec=10
+KillMode=mixed
+KillSignal=SIGTERM
+OOMScoreAdjust=-900
+
+User=netdata
+Group=netdata
+Restart=on-abnormal
+RestartSec=2s
+LimitNOFILE=65536
+
+WorkingDirectory=/tmp
+
+# Hardening
+
+NoNewPrivileges=false
+PermissionsStartOnly=true
+# CAP_SETGID is required for setgroups()
+# CAP_NET_RAW is needed by fping, see #864370
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_SETGID CAP_SETUID CAP_NET_RAW
+PrivateTmp=true
+ProtectHome=read-only
+ProtectSystem=full
+
+ReadOnlyDirectories=/
+ReadWriteDirectories=/proc/self
+ReadWriteDirectories=/var
+
+# Access to devices and kernel modules and tunables is required
+PrivateDevices=no
+ProtectKernelModules=no
+ProtectKernelTunables=no
+
+StandardOutput=syslog+console
+StandardError=syslog+console
+
+[Install]
+WantedBy=multi-user.target
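Review bot: `NoNewPrivileges=false` sits under the `# Hardening` heading with no explanation, and it is the setting that allows helpers started by the daemon to acquire whatever remains in `CapabilityBoundingSet` through setuid bits or file capabilities. The existing comments justify only CAP_SETGID and CAP_NET_RAW; CAP_DAC_READ_SEARCH, CAP_SYS_PTRACE and CAP_SETUID deserve the same treatment, along with a line such as `# NoNewPrivileges stays off because plugin helpers rely on setuid/file capabilities (TODO: name them)`. `ReadWriteDirectories=/var` also reopens all of /var for writing after `ReadOnlyDirectories=/`; listing only the directories the daemon actually writes to (for example the `/var/log/netdata` path visible in the `Environment=` line) would narrow that considerably. `PermissionsStartOnly=true` appears to have no effect in this unit, since no ExecStartPre/ExecStartPost commands are defined, so it could be dropped or explained.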