[Unit]
-Description=Linux real time system monitoring, done right
+Description=Real time performance monitoring
After=network.target httpd.service squid.service nfs-server.service mysqld.service named.service postfix.service
[Service]
-Type=forking
+Type=simple
WorkingDirectory=/tmp
User=netdata
Group=netdata
RuntimeDirectory=netdata
-PIDFile=@localstatedir_POST@/run/netdata/netdata.pid
-ExecStart=@sbindir_POST@/netdata -P @localstatedir_POST@/run/netdata/netdata.pid
+ExecStartPre=/bin/mkdir -p @localstatedir_POST@/run/netdata
+ExecStartPre=/bin/chown -R netdata:netdata @localstatedir_POST@/run/netdata
+ExecStartPre=/bin/chmod 0775 @localstatedir_POST@/run/netdata
+ExecStart=@sbindir_POST@/netdata -D -P @localstatedir_POST@/run/netdata/netdata.pid
+
+# -----------------------------------------------------------------------------
+# Stopping netdata
+
KillMode=mixed
KillSignal=SIGTERM
-TimeoutStopSec=30
-#Hardening
+# saving a big db on slow disks may need some time
+TimeoutStopSec=60
+
+# and disable SIGKILL - if sent during save, we will loose the db
+SendSIGKILL=no
+
+# -----------------------------------------------------------------------------
+# Hardening netdata
+
AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
PrivateTmp=true
ProtectSystem=full
ProtectHome=read-only
-#NoNewPrivileges=true is implicitly set by the MemoryDenyWriteExecute=true
-MemoryDenyWriteExecute=true
+
+# is implicitly set by the MemoryDenyWriteExecute=true
+# NoNewPrivileges=true
+
+# Do not enable - it makes node.js plugins to crash
+# MemoryDenyWriteExecute=true
[Install]
WantedBy=multi-user.target
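Review bot: With `MemoryDenyWriteExecute=true` now commented out, the retained comment above `# NoNewPrivileges=true` ("is implicitly set by the MemoryDenyWriteExecute=true") no longer holds, so the new unit runs with neither protection. If the node.js crash is only about writable-executable mappings, set `NoNewPrivileges=true` explicitly in the hardening block. If a plugin relies on a setuid or file-capability helper (not visible in this diff), replace the comment with that reason instead. Separately, the three `ExecStartPre=` lines run as `User=netdata` under the same `CapabilityBoundingSet`, so `mkdir -p` and `chown -R` cannot do more than `RuntimeDirectory=netdata` already does, and they will fail the start if the path is not already netdata-owned. Assuming `@localstatedir_POST@/run` resolves to the runtime directory, `RuntimeDirectoryMode=0775` would express the mode change declaratively; otherwise the commands need `PermissionsStartOnly=true` or the `+` prefix to run privileged.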