summaryrefslogtreecommitdiffstats
path: root/system/netdata.service.in
diff options
context:
space:
mode:
Diffstat (limited to 'system/netdata.service.in')
-rw-r--r--system/netdata.service.in35
1 files changed, 32 insertions, 3 deletions
diff --git a/system/netdata.service.in b/system/netdata.service.in
index dd0ee3cc..1947b15d 100644
--- a/system/netdata.service.in
+++ b/system/netdata.service.in
@@ -12,16 +12,16 @@ Group=netdata
RuntimeDirectory=netdata
RuntimeDirectoryMode=0775
PIDFile=@localstatedir_POST@/run/netdata/netdata.pid
-ExecStart=@sbindir_POST@/netdata -P @localstatedir_POST@/run/netdata/netdata.pid -D -W set global 'process scheduling policy' 'keep' -W set global 'OOM score' 'keep'
+ExecStart=@sbindir_POST@/netdata -P @localstatedir_POST@/run/netdata/netdata.pid -D
ExecStartPre=/bin/mkdir -p @localstatedir_POST@/cache/netdata
ExecStartPre=/bin/chown -R netdata:netdata @localstatedir_POST@/cache/netdata
ExecStartPre=/bin/mkdir -p @localstatedir_POST@/run/netdata
ExecStartPre=/bin/chown -R netdata:netdata @localstatedir_POST@/run/netdata
-#ExecStopPost=/bin/rm @localstatedir_POST@/run/netdata/netdata.pid
+ExecStopPost=@pluginsdir_POST@/reset_netdata_trace.sh
PermissionsStartOnly=true
# saving a big db on slow disks may need some time
-TimeoutStopSec=60
+TimeoutStopSec=150
# restart netdata if it crashes
Restart=on-failure
@@ -44,5 +44,34 @@ CPUSchedulingPolicy=idle
# For scheduling policy 'other' and 'batch', this sets the lowest niceness of netdata (-20 highest to 19 lowest).
#Nice=0
+# Capabilities
+# is required for freeipmi and slabinfo plugins
+CapabilityBoundingSet=CAP_DAC_OVERRIDE
+# is required for apps plugin
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+# is required for freeipmi plugin
+CapabilityBoundingSet=CAP_FOWNER
+# is required for apps, perf and slabinfo plugins
+CapabilityBoundingSet=CAP_SETPCAP
+# is required for perf plugin
+CapabilityBoundingSet=CAP_SYS_ADMIN
+# is required for apps plugin
+CapabilityBoundingSet=CAP_SYS_PTRACE
+# is required for ebpf plugin
+CapabilityBoundingSet=CAP_SYS_RESOURCE
+# is required for fping app
+CapabilityBoundingSet=CAP_NET_RAW
+# is required for cgroups plugin
+CapabilityBoundingSet=CAP_SYS_CHROOT
+
+# Sandboxing
+ProtectSystem=full
+ProtectHome=read-only
+# PrivateTmp break netdatacli functionality. See - https://github.com/netdata/netdata/issues/7587
+#PrivateTmp=true
+ProtectControlGroups=true
+# We whitelist this because it's the standard location to listen on a UNIX socket.
+ReadWriteDirectories=/run/netdata
+
[Install]
WantedBy=multi-user.target