node_exporter.service
# systemd service unit for the node_exporter daemon.
[Unit]
Description=Node Exporter
# Hard dependency on the companion socket unit: ExecStart passes
# --web.systemd-socket, so the listener is expected to be handed over by
# node_exporter.socket rather than opened by the service itself.
Requires=node_exporter.socket
# Runtime configuration and sandboxing for the exporter process.
# The hardening below can be scored on a host with
# `systemd-analyze security node_exporter.service`.
[Service]
# Run as a dedicated unprivileged account instead of root.
# NOTE(review): the account is not created by this unit; presumably the
# package does that. Confirm.
User=node_exporter
# Fallback when environment file does not exist
Environment=OPTIONS=
# The leading "-" makes a missing file non-fatal. Whatever the file assigns to
# OPTIONS ends up on the daemon's command line, so the file should be owned by
# root and not writable by anyone else.
EnvironmentFile=-/etc/sysconfig/node_exporter
# $OPTIONS without braces is split on whitespace by systemd, so the variable
# may carry several flags. No shell is involved in the expansion.
ExecStart=/usr/sbin/node_exporter --web.systemd-socket $OPTIONS
# Deny writes to the system and hardware clocks.
ProtectClock=true
# /home, /root and /run/user are visible but read-only.
ProtectHome=read-only
# Mounts /usr and the boot loader directories read-only. /etc and the rest of
# the tree stay writable as far as file permissions allow.
# NOTE(review): "full" or "strict" would be tighter. Confirm that no enabled
# collector needs write access before changing it.
ProtectSystem=true
# The process and its children cannot gain privileges through execve()
# (setuid/setgid bits, file capabilities).
NoNewPrivileges=true
# Refuse memory mappings that are both writable and executable.
MemoryDenyWriteExecute=true
# Capability denylist: each "~" line removes one capability from the bounding
# set, and the lines accumulate. Capabilities not named here (CAP_DAC_OVERRIDE,
# for example) remain in the bounding set.
# NOTE(review): with User= set to a non-root account and NoNewPrivileges=true,
# an empty allowlist ("CapabilityBoundingSet=") may be simpler to audit.
# Confirm against the collectors in use.
CapabilityBoundingSet=~CAP_KILL
CapabilityBoundingSet=~CAP_SYS_MODULE
CapabilityBoundingSet=~CAP_SYS_BOOT
CapabilityBoundingSet=~CAP_SYSLOG
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
CapabilityBoundingSet=~CAP_SYS_PTRACE
CapabilityBoundingSet=~CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_NET_ADMIN
CapabilityBoundingSet=~CAP_NET_BIND_SERVICE
CapabilityBoundingSet=~CAP_NET_RAW
CapabilityBoundingSet=~CAP_CHOWN
CapabilityBoundingSet=~CAP_SETFCAP
CapabilityBoundingSet=~CAP_SETUID
CapabilityBoundingSet=~CAP_SETGID
CapabilityBoundingSet=~CAP_SETPCAP
CapabilityBoundingSet=~CAP_FSETID
CapabilityBoundingSet=~CAP_NET_BROADCAST
CapabilityBoundingSet=~CAP_BPF
CapabilityBoundingSet=~CAP_SYS_RAWIO
CapabilityBoundingSet=~CAP_SYS_PACCT
# The service cannot change the host name or domain name.
ProtectHostname=true
# Seccomp denylist: system calls in the listed groups are blocked and every
# other call stays permitted. The lines accumulate.
# NOTE(review): an allowlist such as "SystemCallFilter=@system-service" is
# stricter but must be validated against the collectors in use.
SystemCallFilter=~@mount
SystemCallFilter=~@swap
SystemCallFilter=~@debug
SystemCallFilter=~@obsolete
SystemCallFilter=~@reboot
SystemCallFilter=~@module
SystemCallFilter=~@cpu-emulation
# Private /tmp and /var/tmp, not shared with other processes on the host.
PrivateTmp=true
# No access to the kernel log ring buffer.
ProtectKernelLogs=true
# Kernel tunables under /proc/sys and /sys are read-only.
ProtectKernelTunables=true
# Explicit loading and unloading of kernel modules is denied.
ProtectKernelModules=true
# Only the native syscall ABI is allowed, so the filter above cannot be
# sidestepped through an alternative ABI.
SystemCallArchitectures=native
# The service cannot create setuid or setgid files.
RestrictSUIDSGID=true
# NOTE(review): not set in this unit: PrivateDevices=, ProtectControlGroups=,
# RestrictNamespaces=, LockPersonality=, RestrictAddressFamilies=. Some
# collectors may need the access these would remove, so test before adding.
# Enabling the unit hooks it into the normal multi-user boot target.
[Install]
WantedBy=multi-user.target