# SPDX-License-Identifier: GPL-3.0-or-later
[Unit]
Description=Real time performance monitoring

# append here other services you want netdata to wait for them to start
After=network.target

[Service]
LogNamespace=netdata
Type=simple
User=root
RuntimeDirectory=netdata
RuntimeDirectoryMode=0775
PIDFile=/run/netdata/netdata.pid
ExecStart=@sbindir_POST@/netdata -P /run/netdata/netdata.pid -D
ExecStartPre=/bin/mkdir -p @localstatedir_POST@/cache/netdata
ExecStartPre=/bin/chown -R @netdata_user_POST@ @localstatedir_POST@/cache/netdata
ExecStartPre=/bin/mkdir -p /run/netdata
ExecStartPre=/bin/chown -R @netdata_user_POST@ /run/netdata
PermissionsStartOnly=true

# saving a big db on slow disks may need some time
TimeoutStopSec=150

# restart netdata if it crashes
Restart=on-failure
RestartSec=30

# Valid policies: other (the system default) | batch | idle | fifo | rr
# To give netdata the max priority, set CPUSchedulingPolicy=rr and CPUSchedulingPriority=99
CPUSchedulingPolicy=batch

# This sets the scheduling priority (for policies: rr and fifo).
# Priority gets values 1 (lowest) to 99 (highest).
#CPUSchedulingPriority=1

# For scheduling policy 'other' and 'batch', this sets the lowest niceness of netdata (-20 highest to 19 lowest).
Nice=0

# Capabilities
# is required for freeipmi and slabinfo plugins
CapabilityBoundingSet=CAP_DAC_OVERRIDE
# is required for apps plugin
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
# is required for freeipmi plugin
CapabilityBoundingSet=CAP_FOWNER CAP_SYS_RAWIO
# is required for apps, perf and slabinfo plugins
CapabilityBoundingSet=CAP_SETPCAP
# is required for perf plugin
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_PERFMON
# is required for apps plugin
CapabilityBoundingSet=CAP_SYS_PTRACE
# is required for ebpf plugin
CapabilityBoundingSet=CAP_SYS_RESOURCE
# is required for go.d/ping app
CapabilityBoundingSet=CAP_NET_RAW
# is required for cgroups plugin
CapabilityBoundingSet=CAP_SYS_CHROOT
# is required for nfacct plugin (bandwidth accounting)
CapabilityBoundingSet=CAP_NET_ADMIN
# is required for plugins that use sudo
CapabilityBoundingSet=CAP_SETGID CAP_SETUID
# is required to change file ownership
CapabilityBoundingSet=CAP_CHOWN
# is required for logs-management.plugin
CapabilityBoundingSet=CAP_SYSLOG

# Sandboxing
ProtectSystem=full
ProtectHome=read-only
# PrivateTmp break netdatacli functionality. See - https://github.com/netdata/netdata/issues/7587
#PrivateTmp=true
ProtectControlGroups=on
# We whitelist this because it's the standard location to listen on a UNIX socket.
ReadWriteDirectories=/run/netdata
# This is needed to make email-based alert deliver work if Postfix is the email provider on the system.
ReadWriteDirectories=-/var/spool/postfix/maildrop
# LXCFS directories (https://github.com/lxc/lxcfs#lxcfs)
# If we don't set them explicitly, systemd mounts procfs from the host. See https://github.com/netdata/netdata/issues/14238. 
BindReadOnlyPaths=-/proc/cpuinfo -/proc/diskstats -/proc/loadavg -/proc/meminfo
BindReadOnlyPaths=-/proc/stat -/proc/swaps -/proc/uptime -/proc/slabinfo

[Install]
WantedBy=multi-user.target