From 03989ac202e052b39e4b43967a091d49576d3c23 Mon Sep 17 00:00:00 2001
From: Marc Fournier
Date: Thu, 21 Jan 2016 18:39:51 +0100
Subject: [PATCH] systemd.collectd.service: improve systemd & capabilities explanations

Fixes #1444
---
 contrib/systemd.collectd.service | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/contrib/systemd.collectd.service b/contrib/systemd.collectd.service
index 0e758e40..c7806fed 100644
--- a/contrib/systemd.collectd.service
+++ b/contrib/systemd.collectd.service
@@ -10,12 +10,22 @@ EnvironmentFile=-/etc/default/collectd
 ProtectSystem=full
 ProtectHome=true
-# drop all capabilities:
-CapabilityBoundingSet=
-# use this instead if you use the dns or ping plugin
-#CapabilityBoundingSet=CAP_NET_RAW
-# turn this on if you use the iptables next to the dns or ping plugin
+# A few plugins won't work without some privileges, which you'll have to
+# specify using the CapabilityBoundingSet directive below.
+#
+# Here's a (incomplete) list of the plugins known capability requirements:
+# ceph CAP_DAC_OVERRIDE
+# dns CAP_NET_RAW
+# exec CAP_SETUID CAP_SETGID
+# iptables CAP_NET_ADMIN
+# ping CAP_NET_RAW
+# turbostat CAP_SYS_RAWIO
+#
+# Example, if you use the iptables plugin alongside the dns or ping plugin:
 #CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
+#
+# By default, drop all capabilities:
+CapabilityBoundingSet=
 NoNewPrivileges=true
--
2.11.0
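Review bot: Moving the active `CapabilityBoundingSet=` below the commented example changes what happens when someone simply uncomments the example: systemd merges repeated CapabilityBoundingSet lines, but an empty assignment resets the set and discards every earlier one, so the uncommented line would be silently overridden and the plugin would still lack its capability. That fails closed, but the new comment should tell the reader to replace the default line rather than add a second one, e.g. `# To grant capabilities, edit the CapabilityBoundingSet= line below instead of uncommenting a second one above it.` It would also help to note beside the table that CAP_DAC_OVERRIDE and CAP_SETUID/CAP_SETGID are broad grants (file-permission bypass and identity changes), so only the capabilities of plugins that are actually loaded should be listed. The [Service] section starts above the hunk, so any `User=` or other hardening directives that interact with this are not visible here.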