summaryrefslogtreecommitdiffstats
path: root/system/systemd/netdata.service.in
diff options
context:
space:
mode:
Diffstat (limited to 'system/systemd/netdata.service.in')
-rw-r--r--system/systemd/netdata.service.in80
1 files changed, 80 insertions, 0 deletions
diff --git a/system/systemd/netdata.service.in b/system/systemd/netdata.service.in
new file mode 100644
index 000000000..25d95b2b8
--- /dev/null
+++ b/system/systemd/netdata.service.in
@@ -0,0 +1,80 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+[Unit]
+Description=Real time performance monitoring
+
+# append here other services you want netdata to wait for them to start
+After=network.target httpd.service squid.service nfs-server.service mysqld.service mysql.service named.service postfix.service chronyd.service
+
+[Service]
+Type=simple
+User=@netdata_user_POST@
+Group=netdata
+RuntimeDirectory=netdata
+RuntimeDirectoryMode=0775
+PIDFile=/run/netdata/netdata.pid
+ExecStart=@sbindir_POST@/netdata -P /run/netdata/netdata.pid -D
+ExecStartPre=/bin/mkdir -p @localstatedir_POST@/cache/netdata
+ExecStartPre=/bin/chown -R @netdata_user_POST@ @localstatedir_POST@/cache/netdata
+ExecStartPre=/bin/mkdir -p /run/netdata
+ExecStartPre=/bin/chown -R @netdata_user_POST@ /run/netdata
+PermissionsStartOnly=true
+
+# saving a big db on slow disks may need some time
+TimeoutStopSec=150
+
+# restart netdata if it crashes
+Restart=on-failure
+RestartSec=30
+
+# Valid policies: other (the system default) | batch | idle | fifo | rr
+# To give netdata the max priority, set CPUSchedulingPolicy=rr and CPUSchedulingPriority=99
+CPUSchedulingPolicy=batch
+
+# This sets the scheduling priority (for policies: rr and fifo).
+# Priority gets values 1 (lowest) to 99 (highest).
+#CPUSchedulingPriority=1
+
+# For scheduling policy 'other' and 'batch', this sets the lowest niceness of netdata (-20 highest to 19 lowest).
+Nice=0
+
+# Capabilities
+# is required for freeipmi and slabinfo plugins
+CapabilityBoundingSet=CAP_DAC_OVERRIDE
+# is required for apps plugin
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+# is required for freeipmi plugin
+CapabilityBoundingSet=CAP_FOWNER CAP_SYS_RAWIO
+# is required for apps, perf and slabinfo plugins
+CapabilityBoundingSet=CAP_SETPCAP
+# is required for perf plugin
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_PERFMON
+# is required for apps plugin
+CapabilityBoundingSet=CAP_SYS_PTRACE
+# is required for ebpf plugin
+CapabilityBoundingSet=CAP_SYS_RESOURCE
+# is required for go.d/ping app
+CapabilityBoundingSet=CAP_NET_RAW
+# is required for cgroups plugin
+CapabilityBoundingSet=CAP_SYS_CHROOT
+# is required for nfacct plugin (bandwidth accounting)
+CapabilityBoundingSet=CAP_NET_ADMIN
+# is required for plugins that use sudo
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID
+
+# Sandboxing
+ProtectSystem=full
+ProtectHome=read-only
+# PrivateTmp break netdatacli functionality. See - https://github.com/netdata/netdata/issues/7587
+#PrivateTmp=true
+ProtectControlGroups=on
+# We whitelist this because it's the standard location to listen on a UNIX socket.
+ReadWriteDirectories=/run/netdata
+# This is needed to make email-based alert deliver work if Postfix is the email provider on the system.
+ReadWriteDirectories=-/var/spool/postfix/maildrop
+# LXCFS directories (https://github.com/lxc/lxcfs#lxcfs)
+# If we don't set them explicitly, systemd mounts procfs from the host. See https://github.com/netdata/netdata/issues/14238.
+BindReadOnlyPaths=-/proc/cpuinfo -/proc/diskstats -/proc/loadavg -/proc/meminfo
+BindReadOnlyPaths=-/proc/stat -/proc/swaps -/proc/uptime -/proc/slabinfo
+
+[Install]
+WantedBy=multi-user.target