-rw-r--r--debian/netdata.dirs4
-rw-r--r--debian/netdata.lintian-overrides15
-rw-r--r--debian/netdata.service58
3 files changed, 77 insertions, 0 deletions
diff --git a/debian/netdata.dirs b/debian/netdata.dirs
new file mode 100644
index 000000000..0dfa79010
--- /dev/null
+++ b/debian/netdata.dirs
@@ -0,0 +1,4 @@
+etc/netdata
+var/cache/netdata
+var/log/netdata
+var/run
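Review bot: Listing `var/run` here does not create the `/var/run/netdata` directory that `PIDFile=/var/run/netdata/netdata.pid` in debian/netdata.service expects. On systemd hosts `/var/run` is normally a link to the tmpfs `/run`, so a directory shipped in the package would not survive a reboot anyway. Creating the directory at service start is more reliable, for example with `RuntimeDirectory=netdata` in the `[Service]` section. That also gives the PID directory a defined owner and mode instead of whatever the daemon creates, and `var/run` could then be dropped from this file.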
diff --git a/debian/netdata.lintian-overrides b/debian/netdata.lintian-overrides
new file mode 100644
index 000000000..a50a17531
--- /dev/null
+++ b/debian/netdata.lintian-overrides
@@ -0,0 +1,15 @@
+# See Debian policy 10.9. apps.plugin has extra capabilities, so don't let
+# normal users run it.
+netdata: non-standard-executable-perm usr/lib/*/netdata/plugins.d/apps.plugin 0754 != 0755
+
+
+# FontAwesome is at least in the fonts-font-awesome package, but this is
+# not available in wheezy. glyphicons-halflings-regular isn't currently in
+# a Debian package. Therefore don't complain about shipping them with netdata
+# for the time being.
+netdata: duplicate-font-file usr/share/netdata/fonts/*
+netdata: font-in-non-font-package usr/share/netdata/fonts/*
+
+# Files here are marked as conffiles so that local updates to the html files
+# isn't clobbered on upgrade.
+netdata: non-etc-file-marked-as-conffile var/lib/netdata/www/*
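Review bot: The comment above the `apps.plugin` override does not say which owner and group the 0754 mode relies on, and mode 0754 only keeps "other" users out: anyone in the file's group can still execute the binary with its extra capabilities. The ownership and the capabilities themselves are presumably set in a maintainer script that this diff does not show. I would extend the comment with a line such as `# Installed as <OWNER>:<GROUP> (set in <MAINTAINER_SCRIPT>); only members of that group may execute it.` so that a later change of group membership is reviewed with this in mind.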
diff --git a/debian/netdata.service b/debian/netdata.service
new file mode 100644
index 000000000..de65617dc
--- /dev/null
+++ b/debian/netdata.service
@@ -0,0 +1,58 @@
+# netdata systemd target
+
+[Unit]
+Description=netdata - Real-time performance monitoring
+Documentation=man:netdata
+Documentation=file:///usr/share/doc/netdata/html/index.html
+Documentation=https://github.com/firehol/netdata
+After=network.target httpd.service squid.service nfs-server.service mysqld.service named.service postfix.service
+Wants=network-online.target
+ConditionPathExists=/etc/netdata/netdata.conf
+
+[Service]
+Type=forking
+#PIDFile=/run/netdata.pid
+PIDFile=/var/run/netdata/netdata.pid
+Environment="netdata_LOG_LOCATION=/var/log/netdata/log"
+ExecStart=/usr/sbin/netdata
+ExecReload=/usr/sbin/netdata reload
+#ExecStop=/bin/kill -SIGTERM $MAINPID
+ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry=TERM/5/KILL/5 --pidfile /run/netdata.pid
+#ExecStop=/bin/kill -SIGTERM $MAINPID
+TimeoutStopSec=30
+KillMode=mixed
+
+EnvironmentFile=-/etc/default/%p
+User=netdata
+PermissionsStartOnly=true
+Restart=on-abnormal
+RestartSec=2s
+LimitNOFILE=65536
+
+WorkingDirectory=/tmp
+User=root
+Group=root
+
+# Hardening
+# AppArmorProfile=system_netdata
+# CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN CAP_FOWNER
+NoNewPrivileges=yes
+#PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full
+# TODO: restrict ReadOnlyDirectories
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/proc
+ReadWriteDirectories=-/run
+ReadWriteDirectories=-/var/log/netdata
+ReadWriteDirectories=-/var
+ReadWriteDirectories=-/var/cache
+ReadWriteDirectories=-/var/cache/netdata
+ReadWriteDirectories=-/var/run
+
+[Install]
+WantedBy=multi-user.target
+
+
+
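Review bot: `User=netdata` is overridden further down by `User=root` and `Group=root`, because systemd keeps only the last assignment of these settings, so the daemon starts as root and `PermissionsStartOnly=true` has no effect. With `CapabilityBoundingSet` still commented out, that root process keeps the full capability set unless netdata drops privileges itself, which this unit does not show. I would delete the `User=root` and `Group=root` lines and add `Group=netdata`, or, if root is really needed at start-up, say so in a comment and enable a bounding set. In the sandbox list, `ReadWriteDirectories=-/var` makes all of `/var` writable and renders the narrower `/var/log/netdata` and `/var/cache/netdata` entries redundant; dropping the broad `/var`, `/var/cache` and `/var/run` entries would leave only the paths the daemon needs. Separately, `ExecStop` reads `--pidfile /run/netdata.pid` while `PIDFile=` points at `/var/run/netdata/netdata.pid`, and the leading `-` hides the resulting failure.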