edge-microvisor-toolkit/SPECS/platform-observability-agent/platform-observability-metrics.service at 64fdb5d4975a0344d853812ef455d7812e8724e8 · open-edge-platform/edge-microvisor-toolkit · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
[Unit]
Description=Platform Observability Metrics Agent
Documentation=https://github.com/open-edge-platform/edge-node-agents/blob/main/platform-observability-agent/README.md

[Service]
Type=simple
AmbientCapabilities=CAP_SYS_RAWIO CAP_DAC_READ_SEARCH CAP_SYS_ADMIN
Environment="SF_OCSP_RESPONSE_CACHE_DIR=/opt/telegraf/"
EnvironmentFile=-/etc/sysconfig/telegraf
EnvironmentFile=-/etc/default/telegraf
ExecStart=/etc/edge-node/node/confs/platform-observability-metrics /usr/bin/telegraf --config /etc/telegraf/telegraf.d/poa-telegraf.conf
StandardOutput=null
StandardError=journal
RestartSec=60
Restart=on-failure
User=platform-observability-agent
Group=bm-agents
CPUQuota=20%
MemoryMax=256M

PrivateTmp=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelLogs=yes

CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE CAP_IPC_LOCK CAP_SYS_CHROOT CAP_BLOCK_SUSPEND CAP_LEASE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TIME CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_WAKE_ALARM CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_SETPCAP CAP_CHOWN CAP_NET_ADMIN
CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP
CapabilityBoundingSet=~CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER
CapabilityBoundingSet=~CAP_KILL CAP_MKNOD CAP_BPF CAP_SYS_NICE CAP_SYS_RESOURCE
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE

[Install]
WantedBy=multi-user.target