systemd.collectd.service: improve systemd & capabilities explanations

[collectd.git] / contrib / systemd.collectd.service

diff --git a/contrib/systemd.collectd.service b/contrib/systemd.collectd.service
index b046192..c7806fe 100644 (file)
--- a/contrib/systemd.collectd.service
+++ b/contrib/systemd.collectd.service
@@ -5,19 +5,36 @@ Requires=local-fs.target network.target
 
 [Service]
 ExecStart=/usr/sbin/collectd
+EnvironmentFile=-/etc/sysconfig/collectd
+EnvironmentFile=-/etc/default/collectd
+ProtectSystem=full
+ProtectHome=true
+
+# A few plugins won't work without some privileges, which you'll have to
+# specify using the CapabilityBoundingSet directive below.
+#
+# Here's a (incomplete) list of the plugins known capability requirements:
+#   ceph            CAP_DAC_OVERRIDE
+#   dns             CAP_NET_RAW
+#   exec            CAP_SETUID CAP_SETGID
+#   iptables        CAP_NET_ADMIN
+#   ping            CAP_NET_RAW
+#   turbostat       CAP_SYS_RAWIO
+#
+# Example, if you use the iptables plugin alongside the dns or ping plugin:
+#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
+#
+# By default, drop all capabilities:
+CapabilityBoundingSet=
+
+NoNewPrivileges=true
 
 # Tell systemd it will receive a notification from collectd over it's control
 # socket once the daemon is ready. See systemd.service(5) for more details.
 Type=notify
-NotifyAccess=main
 
 # Restart the collectd daemon after a 10 seconds delay, in case it crashes.
-Restart=always
-RestartSec=10
-
-# Send all console messages to syslog.
-StandardOutput=syslog
-StandardError=syslog
+Restart=on-failure
 
 [Install]
 WantedBy=multi-user.target