ExecStart=/usr/sbin/collectd
EnvironmentFile=-/etc/sysconfig/collectd
EnvironmentFile=-/etc/default/collectd
+ProtectSystem=full
+ProtectHome=true
+
+# drop all capabilities:
+CapabilityBoundingSet=
+# use this instead if you use the dns or ping plugin
+#CapabilityBoundingSet=CAP_NET_RAW
+# turn this on if you use the iptables next to the dns or ping plugin
+#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
+
+NoNewPrivileges=true
# Tell systemd it will receive a notification from collectd over it's control
# socket once the daemon is ready. See systemd.service(5) for more details.
Type=notify
-NotifyAccess=main
# Restart the collectd daemon after a 10 seconds delay, in case it crashes.
-Restart=always
-RestartSec=10
-
-# Send all console messages to syslog.
-StandardOutput=syslog
-StandardError=syslog
+Restart=on-failure
[Install]
WantedBy=multi-user.target
unsetenv ("NOTIFY_SOCKET");
+#if defined(SOCK_CLOEXEC)
+ fd = socket (AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, /* protocol = */ 0);
+#else
fd = socket (AF_UNIX, SOCK_DGRAM, /* protocol = */ 0);
+#endif
if (fd < 0) {
char errbuf[1024];
ERROR ("creating UNIX socket failed: %s",
}
else
{
-#if KERNEL_LINUX
/* Linux abstract namespace socket: specify address as "\0foo", i.e.
* start with a null byte. Since null bytes have no special meaning in
* that case, we have to set su_size correctly to cover only the bytes
su_size = sizeof (sa_family_t) + strlen (notifysocket);
if (su_size > sizeof (su))
su_size = sizeof (su);
-#else
- ERROR ("Systemd socket uses Linux abstract namespace notation (\"%s\"), "
- "but I don't appear to be running on Linux.", notifysocket);
- return 0;
-#endif
}
if (sendto (fd, buffer, strlen (buffer), MSG_NOSIGNAL, (void *) &su, (socklen_t) su_size) < 0)
return 0;
}
+ unsetenv ("NOTIFY_SOCKET");
close(fd);
return 1;
}