X-Git-Url: https://git.octo.it/?a=blobdiff_plain;f=contrib%2Fsystemd.collectd.service;h=c7806feddd905e1bc18de179e81cadf7ca057fcb;hb=aedf67e69cbe93a6925fd1004a7c8b990aed4b0a;hp=0e758e40ef85a9fb6aba1c921da5a0f27c89a41d;hpb=ea3a86f0ff50f12650aae7eea033984a8ae0eba5;p=collectd.git
diff --git a/contrib/systemd.collectd.service b/contrib/systemd.collectd.service
index 0e758e40..c7806fed 100644
--- a/contrib/systemd.collectd.service
+++ b/contrib/systemd.collectd.service
@@ -10,12 +10,22 @@ EnvironmentFile=-/etc/default/collectd
 ProtectSystem=full
 ProtectHome=true
-# drop all capabilities:
-CapabilityBoundingSet=
-# use this instead if you use the dns or ping plugin
-#CapabilityBoundingSet=CAP_NET_RAW
-# turn this on if you use the iptables next to the dns or ping plugin
+# A few plugins won't work without some privileges, which you'll have to
+# specify using the CapabilityBoundingSet directive below.
+#
+# Here's a (incomplete) list of the plugins known capability requirements:
+# ceph CAP_DAC_OVERRIDE
+# dns CAP_NET_RAW
+# exec CAP_SETUID CAP_SETGID
+# iptables CAP_NET_ADMIN
+# ping CAP_NET_RAW
+# turbostat CAP_SYS_RAWIO
+#
+# Example, if you use the iptables plugin alongside the dns or ping plugin:
 #CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
+#
+# By default, drop all capabilities:
+CapabilityBoundingSet=
 NoNewPrivileges=true
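Review bot: The new layout places the empty `CapabilityBoundingSet=` after the commented example, and the comments never say that this default line has to be edited rather than supplemented. systemd merges repeated CapabilityBoundingSet= lines, but an empty assignment resets everything set before it, so an admin who only uncomments the example ends up with no capabilities and a plugin that fails without an obvious cause. That fails closed, which is the safe direction, but I would spell it out, for example `# By default, drop all capabilities. Edit this line instead of adding another; an empty assignment resets earlier ones.` It would also help to tell readers to grant only the capabilities of plugins they actually load, since CAP_DAC_OVERRIDE and CAP_SYS_RAWIO in the table are far broader than CAP_NET_RAW.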