From: Marc Fournier Date: Thu, 21 Jan 2016 17:39:51 +0000 (+0100) Subject: systemd.collectd.service: improve systemd & capabilities explanations X-Git-Tag: collectd-5.5.1~4^2 X-Git-Url: https://git.verplant.org/?a=commitdiff_plain;h=03989ac202e052b39e4b43967a091d49576d3c23;p=collectd.git systemd.collectd.service: improve systemd & capabilities explanations Fixes #1444 --- diff --git a/contrib/systemd.collectd.service b/contrib/systemd.collectd.service index 0e758e40..c7806fed 100644 --- a/contrib/systemd.collectd.service +++ b/contrib/systemd.collectd.service @@ -10,12 +10,22 @@ EnvironmentFile=-/etc/default/collectd ProtectSystem=full ProtectHome=true -# drop all capabilities: -CapabilityBoundingSet= -# use this instead if you use the dns or ping plugin -#CapabilityBoundingSet=CAP_NET_RAW -# turn this on if you use the iptables next to the dns or ping plugin +# A few plugins won't work without some privileges, which you'll have to +# specify using the CapabilityBoundingSet directive below. +# +# Here's a (incomplete) list of the plugins known capability requirements: +# ceph CAP_DAC_OVERRIDE +# dns CAP_NET_RAW +# exec CAP_SETUID CAP_SETGID +# iptables CAP_NET_ADMIN +# ping CAP_NET_RAW +# turbostat CAP_SYS_RAWIO +# +# Example, if you use the iptables plugin alongside the dns or ping plugin: #CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN +# +# By default, drop all capabilities: +CapabilityBoundingSet= NoNewPrivileges=true
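Review bot: The active `CapabilityBoundingSet=` now sits below the commented example at the end of the hunk, so a user who uncomments `#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN` and leaves the default line in place still ends up with an empty bounding set. systemd merges repeated assignments of this directive, but an empty assignment resets the set and discards the earlier ones. Either keep the empty default above the example, as in the old ordering, or say in the comment that the default line must be replaced rather than supplemented. Minor wording in the new comment block: "a (incomplete) list of the plugins known capability requirements" should read "an (incomplete) list of the plugins' known capability requirements".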