diff options
-rw-r--r-- | debian/netdata.dirs | 4 | ||||
-rw-r--r-- | debian/netdata.lintian-overrides | 15 | ||||
-rw-r--r-- | debian/netdata.service | 58 |
3 files changed, 77 insertions, 0 deletions
diff --git a/debian/netdata.dirs b/debian/netdata.dirs new file mode 100644 index 000000000..0dfa79010 --- /dev/null +++ b/debian/netdata.dirs @@ -0,0 +1,4 @@ +etc/netdata +var/cache/netdata +var/log/netdata +var/run diff --git a/debian/netdata.lintian-overrides b/debian/netdata.lintian-overrides new file mode 100644 index 000000000..a50a17531 --- /dev/null +++ b/debian/netdata.lintian-overrides @@ -0,0 +1,15 @@ +# See Debian policy 10.9. apps.plugin has extra capabilities, so don't let +# normal users run it. +netdata: non-standard-executable-perm usr/lib/*/netdata/plugins.d/apps.plugin 0754 != 0755 + + +# FontAwesome is at least in the fonts-font-awesome package, but this is +# not available in wheezy. glyphicons-halflings-regular isn't currently in +# a Debian package. Therefore don't complain about shipping them with netdata +# for the time being. +netdata: duplicate-font-file usr/share/netdata/fonts/* +netdata: font-in-non-font-package usr/share/netdata/fonts/* + +# Files here are marked as conffiles so that local updates to the html files +# isn't clobbered on upgrade. +netdata: non-etc-file-marked-as-conffile var/lib/netdata/www/* diff --git a/debian/netdata.service b/debian/netdata.service new file mode 100644 index 000000000..de65617dc --- /dev/null +++ b/debian/netdata.service @@ -0,0 +1,58 @@ +# netdata systemd target + +[Unit] +Description=netdata - Real-time performance monitoring +Documentation=man:netdata +Documentation=file:///usr/share/doc/netdata/html/index.html +Documentation=https://github.com/firehol/netdata +After=network.target httpd.service squid.service nfs-server.service mysqld.service named.service postfix.service +Wants=network-online.target +ConditionPathExists=/etc/netdata/netdata.conf + +[Service] +Type=forking +#PIDFile=/run/netdata.pid +PIDFile=/var/run/netdata/netdata.pid +Environment="netdata_LOG_LOCATION=/var/log/netdata/log" +ExecStart=/usr/sbin/netdata +ExecReload=/usr/sbin/netdata reload +#ExecStop=/bin/kill -SIGTERM $MAINPID +ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry=TERM/5/KILL/5 --pidfile /run/netdata.pid +#ExecStop=/bin/kill -SIGTERM $MAINPID +TimeoutStopSec=30 +KillMode=mixed + +EnvironmentFile=-/etc/default/%p +User=netdata +PermissionsStartOnly=true +Restart=on-abnormal +RestartSec=2s +LimitNOFILE=65536 + +WorkingDirectory=/tmp +User=root +Group=root + +# Hardening +# AppArmorProfile=system_netdata +# CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN CAP_FOWNER +NoNewPrivileges=yes +#PrivateDevices=yes +PrivateTmp=yes +ProtectHome=yes +ProtectSystem=full +# TODO: restrict ReadOnlyDirectories +ReadOnlyDirectories=/ +ReadWriteDirectories=-/proc +ReadWriteDirectories=-/run +ReadWriteDirectories=-/var/log/netdata +ReadWriteDirectories=-/var +ReadWriteDirectories=-/var/cache +ReadWriteDirectories=-/var/cache/netdata +ReadWriteDirectories=-/var/run + +[Install] +WantedBy=multi-user.target + + + |