diff options
Diffstat (limited to 'system/netdata.service.in')
| -rw-r--r-- | system/netdata.service.in | 35 |
1 files changed, 32 insertions, 3 deletions
diff --git a/system/netdata.service.in b/system/netdata.service.in index dd0ee3cca..1947b15d4 100644 --- a/system/netdata.service.in +++ b/system/netdata.service.in @@ -12,16 +12,16 @@ Group=netdata RuntimeDirectory=netdata RuntimeDirectoryMode=0775 PIDFile=@localstatedir_POST@/run/netdata/netdata.pid -ExecStart=@sbindir_POST@/netdata -P @localstatedir_POST@/run/netdata/netdata.pid -D -W set global 'process scheduling policy' 'keep' -W set global 'OOM score' 'keep' +ExecStart=@sbindir_POST@/netdata -P @localstatedir_POST@/run/netdata/netdata.pid -D ExecStartPre=/bin/mkdir -p @localstatedir_POST@/cache/netdata ExecStartPre=/bin/chown -R netdata:netdata @localstatedir_POST@/cache/netdata ExecStartPre=/bin/mkdir -p @localstatedir_POST@/run/netdata ExecStartPre=/bin/chown -R netdata:netdata @localstatedir_POST@/run/netdata -#ExecStopPost=/bin/rm @localstatedir_POST@/run/netdata/netdata.pid +ExecStopPost=@pluginsdir_POST@/reset_netdata_trace.sh PermissionsStartOnly=true # saving a big db on slow disks may need some time -TimeoutStopSec=60 +TimeoutStopSec=150 # restart netdata if it crashes Restart=on-failure @@ -44,5 +44,34 @@ CPUSchedulingPolicy=idle # For scheduling policy 'other' and 'batch', this sets the lowest niceness of netdata (-20 highest to 19 lowest). #Nice=0 +# Capabilities +# is required for freeipmi and slabinfo plugins +CapabilityBoundingSet=CAP_DAC_OVERRIDE +# is required for apps plugin +CapabilityBoundingSet=CAP_DAC_READ_SEARCH +# is required for freeipmi plugin +CapabilityBoundingSet=CAP_FOWNER +# is required for apps, perf and slabinfo plugins +CapabilityBoundingSet=CAP_SETPCAP +# is required for perf plugin +CapabilityBoundingSet=CAP_SYS_ADMIN +# is required for apps plugin +CapabilityBoundingSet=CAP_SYS_PTRACE +# is required for ebpf plugin +CapabilityBoundingSet=CAP_SYS_RESOURCE +# is required for fping app +CapabilityBoundingSet=CAP_NET_RAW +# is required for cgroups plugin +CapabilityBoundingSet=CAP_SYS_CHROOT + +# Sandboxing +ProtectSystem=full +ProtectHome=read-only +# PrivateTmp break netdatacli functionality. See - https://github.com/netdata/netdata/issues/7587 +#PrivateTmp=true +ProtectControlGroups=true +# We whitelist this because it's the standard location to listen on a UNIX socket. +ReadWriteDirectories=/run/netdata + [Install] WantedBy=multi-user.target |