From 495222a840d3a09dbde029e60f83218c31575c97 Mon Sep 17 00:00:00 2001 From: WilliButz Date: Fri, 2 Aug 2019 15:10:27 +0200 Subject: [PATCH 1/5] nixos/prometheus-exporter: use separate user for each exporter Stop using nobody/nogroup by default and use seperate users for each exporter instead. --- .../services/monitoring/prometheus/exporters.nix | 16 ++++++++++++++-- .../monitoring/prometheus/exporters/dovecot.nix | 4 ++-- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index 15ec2e868b8..04aeb33878b 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -88,7 +88,7 @@ let }; user = mkOption { type = types.str; - default = "nobody"; + default = "${name}-exporter"; description = '' User name under which the ${name} exporter shall be run. Has no effect when is true. @@ -96,7 +96,7 @@ let }; group = mkOption { type = types.str; - default = "nobody"; + default = "${name}-exporter"; description = '' Group under which the ${name} exporter shall be run. Has no effect when is true. @@ -129,6 +129,18 @@ let mkExporterConf = { name, conf, serviceOpts }: mkIf conf.enable { warnings = conf.warnings or []; + users.users = (mkIf (conf.user == "${name}-exporter") { + "${name}-exporter" = { + description = '' + Prometheus ${name} exporter service user + ''; + isSystemUser = true; + inherit (conf) group; + }; + }); + users.groups = (mkIf (conf.group == "${name}-exporter") { + "${name}-exporter" = {}; + }); networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [ "ip46tables -A nixos-fw ${conf.firewallFilter} " "-m comment --comment ${name}-exporter -j nixos-fw-accept" 
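Review bot: The new `default = "${name}-exporter"` for the `user` option is only backed by an account when it is left at that default (the `users.users` entry added later in this file is conditioned on `conf.user == "${name}-exporter"`), but the option description does not say so. Add to the description: `If set to anything other than the default, the user must already exist; the module only creates the default account.` The same sentence belongs in the `group` option's description in the next hunk.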
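Review bot: `description = ''` … `'';` in the new `users.users."${name}-exporter"` entry is an indented string and so keeps its trailing newline, which then becomes part of the account's GECOS text; unless the users module strips it (not visible here, worth confirming) that is a stray newline in a passwd entry. A plain string sidesteps the question: `description = "Prometheus ${name} exporter service user";`. The surrounding `mkExporterConf` body continues past the end of this hunk.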
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix index 039242b730c..39c908fea57 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix @@ -39,8 +39,8 @@ in mail_plugins = $mail_plugins old_stats service old-stats { unix_listener old-stats { - user = nobody - group = nobody + user = dovecot-exporter + group = dovecot-exporter } } '''; From afd0dc17d6bbb9d5ee88e3bec56ec02e9a94c6f8 Mon Sep 17 00:00:00 2001 
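Review bot: The example `unix_listener old-stats { user = dovecot-exporter group = dovecot-exporter }` hard-codes the new default account name, and the closing `'''` suggests it sits inside an option description, so anyone who overrides `services.prometheus.exporters.dovecot.user` and copies the example ends up with a socket owned by a different account than the exporter runs as. Add a sentence to that description: `The user and group of the listener must match services.prometheus.exporters.dovecot.user and .group.` The enclosing option definition starts outside this hunk.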
From: WilliButz Date: Fri, 2 Aug 2019 15:23:23 +0200 Subject: [PATCH 2/5] nixos/prometheus-exporters: use DynamicUser by default Only define seperate users and groups when necessary. --- .../services/monitoring/prometheus/exporters.nix | 10 +++++++--- .../services/monitoring/prometheus/exporters/bind.nix | 1 - .../monitoring/prometheus/exporters/blackbox.nix | 1 - .../monitoring/prometheus/exporters/collectd.nix | 1 - .../monitoring/prometheus/exporters/dnsmasq.nix | 1 - .../monitoring/prometheus/exporters/dovecot.nix | 1 + .../monitoring/prometheus/exporters/fritzbox.nix | 1 - .../services/monitoring/prometheus/exporters/json.nix | 1 - .../services/monitoring/prometheus/exporters/mail.nix | 1 + .../services/monitoring/prometheus/exporters/minio.nix | 1 - .../services/monitoring/prometheus/exporters/nginx.nix | 1 - .../services/monitoring/prometheus/exporters/node.nix | 1 + .../monitoring/prometheus/exporters/postfix.nix | 1 + .../monitoring/prometheus/exporters/postgres.nix | 1 + .../services/monitoring/prometheus/exporters/snmp.nix | 1 - .../monitoring/prometheus/exporters/surfboard.nix | 1 - .../services/monitoring/prometheus/exporters/tor.nix | 1 - .../services/monitoring/prometheus/exporters/unifi.nix | 1 - .../monitoring/prometheus/exporters/varnish.nix | 1 + .../monitoring/prometheus/exporters/wireguard.nix | 1 - nixos/tests/prometheus-exporters.nix | 9 ++++----- 21 files changed, 17 insertions(+), 21 deletions(-) diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index 04aeb33878b..2ab8910ff9d 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix 
@@ -127,9 +127,12 @@ let ); mkExporterConf = { name, conf, serviceOpts }: + let + enableDynamicUser = serviceOpts.serviceConfig.DynamicUser or true; + in mkIf conf.enable { warnings = conf.warnings or []; - users.users = (mkIf (conf.user == "${name}-exporter") { + users.users = (mkIf (conf.user == "${name}-exporter" && !enableDynamicUser) { "${name}-exporter" = { description = '' Prometheus ${name} exporter service user @@ -138,7 +141,7 @@ let inherit (conf) group; }; }); - users.groups = (mkIf (conf.group == "${name}-exporter") { + users.groups = (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) { "${name}-exporter" = {}; }); networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [ @@ -151,7 +154,8 @@ let serviceConfig.Restart = mkDefault "always"; serviceConfig.PrivateTmp = mkDefault true; serviceConfig.WorkingDirectory = mkDefault /tmp; - } serviceOpts ] ++ optional (!(serviceOpts.serviceConfig.DynamicUser or false)) { + serviceConfig.DynamicUser = mkDefault enableDynamicUser; + } serviceOpts ] ++ optional (!enableDynamicUser) { serviceConfig.User = conf.user; serviceConfig.Group = conf.group; }); diff --git a/nixos/modules/services/monitoring/prometheus/exporters/bind.nix b/nixos/modules/services/monitoring/prometheus/exporters/bind.nix index 7bcd03e0706..972632b5a24 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/bind.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/bind.nix @@ -39,7 +39,6 @@ in }; serviceOpts = { serviceConfig = { - DynamicUser = true; ExecStart = '' ${pkgs.prometheus-bind-exporter}/bin/bind_exporter \ -web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix b/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix index bf78cb15ad9..f69b389760f 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix 
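Review bot: `enableDynamicUser = serviceOpts.serviceConfig.DynamicUser or true;` is negated with `!` in the `users.users`/`users.groups` conditions, so an exporter module that ever sets `DynamicUser` through `mkForce` or `mkIf` (this series already uses `mkForce` for `User` in postgres.nix) would hand an override set to `!` and fail evaluation with an unhelpful type error. A comment on the binding makes the contract explicit: `# must be a plain bool: exporter modules set DynamicUser = false directly, never via mkForce/mkIf`. The rest of `mkExporterConf` continues in the following hunks.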
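Review bot: `serviceConfig.DynamicUser = mkDefault enableDynamicUser;` can be overridden to `false` from ordinary user configuration, but `enableDynamicUser` is computed from `serviceOpts` alone, so in that case the unit gets neither `DynamicUser` nor `User`/`Group` and runs as root. Either drop the `mkDefault` (`serviceConfig.DynamicUser = enableDynamicUser;`) so that switching it off needs a deliberate `mkForce` that the user pairs with their own `User`/`Group`, or derive the static user wiring from the effective unit value instead of from `serviceOpts`. Whichever is chosen, a comment such as `# User/Group are only emitted when the exporter module itself disables DynamicUser` should accompany the `optional (!enableDynamicUser)` branch.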
+++ b/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix @@ -18,7 +18,6 @@ in serviceOpts = { serviceConfig = { AmbientCapabilities = [ "CAP_NET_RAW" ]; # for ping probes - DynamicUser = true; ExecStart = '' ${pkgs.prometheus-blackbox-exporter}/bin/blackbox_exporter \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix b/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix index 8c8ea08b5d4..1cc34641809 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix @@ -64,7 +64,6 @@ in '' else ""; in { serviceConfig = { - DynamicUser = true; ExecStart = '' ${pkgs.prometheus-collectd-exporter}/bin/collectd_exporter \ -log.format ${cfg.logFormat} \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix b/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix index 1b2ab93b302..e9fa26cb1f5 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix @@ -26,7 +26,6 @@ in }; serviceOpts = { serviceConfig = { - DynamicUser = true; ExecStart = '' ${pkgs.prometheus-dnsmasq-exporter}/bin/dnsmasq_exporter \ --listen ${cfg.listenAddress}:${toString cfg.port} \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix index 39c908fea57..a01074758ff 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix @@ -59,6 +59,7 @@ in }; serviceOpts = { serviceConfig = { + DynamicUser = false; ExecStart = '' ${pkgs.prometheus-dovecot-exporter}/bin/dovecot_exporter \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ 
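Review bot: With `DynamicUser = true;` removed, the blackbox unit keeps `AmbientCapabilities = [ "CAP_NET_RAW" ]` while silently relying on the default set in exporters.nix for its user; nothing in this file records that dependency, and the bounding set is left at the systemd default. Pair the ambient grant with `CapabilityBoundingSet = [ "CAP_NET_RAW" ];` as defence in depth, and add a comment `# DynamicUser defaults to true in exporters.nix` so a later reader does not reintroduce a static user here by accident.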
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/fritzbox.nix b/nixos/modules/services/monitoring/prometheus/exporters/fritzbox.nix index f2f7dcf06a8..9526597b8c9 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/fritzbox.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/fritzbox.nix @@ -26,7 +26,6 @@ in }; serviceOpts = { serviceConfig = { - DynamicUser = true; ExecStart = '' ${pkgs.prometheus-fritzbox-exporter}/bin/exporter \ -listen-address ${cfg.listenAddress}:${toString cfg.port} \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/json.nix b/nixos/modules/services/monitoring/prometheus/exporters/json.nix index c0b677f2f62..82a55bafc98 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/json.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/json.nix @@ -24,7 +24,6 @@ in }; serviceOpts = { serviceConfig = { - DynamicUser = true; ExecStart = '' ${pkgs.prometheus-json-exporter}/bin/prometheus-json-exporter \ --port ${toString cfg.port} \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix index a1b46140d3e..7d8c6fb6140 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix @@ -143,6 +143,7 @@ in }; serviceOpts = { serviceConfig = { + DynamicUser = false; ExecStart = '' ${pkgs.prometheus-mail-exporter}/bin/mailexporter \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/minio.nix b/nixos/modules/services/monitoring/prometheus/exporters/minio.nix index 2ecc62b0d79..ab3e3d7d5d5 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/minio.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/minio.nix 
@@ -50,7 +50,6 @@ in }; serviceOpts = { serviceConfig = { - DynamicUser = true; ExecStart = '' ${pkgs.prometheus-minio-exporter}/bin/minio-exporter \ -web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix b/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix index 7d819b04ada..554377df37b 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix @@ -34,7 +34,6 @@ in }; serviceOpts = { serviceConfig = { - DynamicUser = true; ExecStart = '' ${pkgs.prometheus-nginx-exporter}/bin/nginx-prometheus-exporter \ --nginx.scrape-uri '${cfg.scrapeUri}' \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/node.nix b/nixos/modules/services/monitoring/prometheus/exporters/node.nix index 2477e69ea26..7e394e8463e 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/node.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/node.nix @@ -27,6 +27,7 @@ in }; serviceOpts = { serviceConfig = { + DynamicUser = false; RuntimeDirectory = "prometheus-node-exporter"; ExecStart = '' ${pkgs.prometheus-node-exporter}/bin/node_exporter \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix b/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix index 963fa759256..f40819e826b 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix @@ -62,6 +62,7 @@ in }; serviceOpts = { serviceConfig = { + DynamicUser = false; ExecStart = '' ${pkgs.prometheus-postfix-exporter}/bin/postfix_exporter \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/postgres.nix b/nixos/modules/services/monitoring/prometheus/exporters/postgres.nix index e595d63ba32..1ece73a1159 100644 
--- a/nixos/modules/services/monitoring/prometheus/exporters/postgres.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/postgres.nix @@ -34,6 +34,7 @@ in serviceOpts = { environment.DATA_SOURCE_NAME = cfg.dataSourceName; serviceConfig = { + DynamicUser = false; User = mkIf cfg.runAsLocalSuperUser (mkForce "postgres"); ExecStart = '' ${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix b/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix index 4361c3543ba..fe7ae8a8ac9 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix @@ -57,7 +57,6 @@ in else "${pkgs.writeText "snmp-eporter-conf.yml" (builtins.toJSON cfg.configuration)}"; in { serviceConfig = { - DynamicUser = true; ExecStart = '' ${pkgs.prometheus-snmp-exporter.bin}/bin/snmp_exporter \ --config.file=${configFile} \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/surfboard.nix b/nixos/modules/services/monitoring/prometheus/exporters/surfboard.nix index 197a0a949e0..81c5c70ed93 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/surfboard.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/surfboard.nix @@ -20,7 +20,6 @@ in description = "Prometheus exporter for surfboard cable modem"; unitConfig.Documentation = "https://github.com/ipstatic/surfboard_exporter"; serviceConfig = { - DynamicUser = true; ExecStart = '' ${pkgs.prometheus-surfboard-exporter}/bin/surfboard_exporter \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/tor.nix b/nixos/modules/services/monitoring/prometheus/exporters/tor.nix index 4a59e83fc2e..36c473677ef 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/tor.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/tor.nix 
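Review bot: `User = mkIf cfg.runAsLocalSuperUser (mkForce "postgres");` now sits next to `DynamicUser = false;`, so the base module will also emit `Group = conf.group` (`postgres-exporter`), and with `runAsLocalSuperUser` the process runs as uid `postgres` with gid `postgres-exporter`. If that mix is not intended, force the group alongside the user: `Group = mkIf cfg.runAsLocalSuperUser (mkForce "postgres");`. In that configuration the `postgres-exporter` account is still created by exporters.nix even though nothing runs as it, which is worth a comment on the `User` line.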
@@ -26,7 +26,6 @@ in }; serviceOpts = { serviceConfig = { - DynamicUser = true; ExecStart = '' ${pkgs.prometheus-tor-exporter}/bin/prometheus-tor-exporter \ -b ${cfg.listenAddress} \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/unifi.nix b/nixos/modules/services/monitoring/prometheus/exporters/unifi.nix index 696c2fe3535..9aa0f1b85aa 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/unifi.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/unifi.nix @@ -51,7 +51,6 @@ in }; serviceOpts = { serviceConfig = { - DynamicUser = true; ExecStart = '' ${pkgs.prometheus-unifi-exporter}/bin/unifi_exporter \ -telemetry.addr ${cfg.listenAddress}:${toString cfg.port} \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix b/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix index f38221527b3..12153fa021e 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix @@ -69,6 +69,7 @@ in path = [ pkgs.varnish ]; serviceConfig = { RestartSec = mkDefault 1; + DynamicUser = false; ExecStart = '' ${pkgs.prometheus-varnish-exporter}/bin/prometheus_varnish_exporter \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix b/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix index 5aed4a3a966..2e6ff3e746e 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix @@ -47,7 +47,6 @@ in { path = [ pkgs.wireguard-tools ]; serviceConfig = { - DynamicUser = true; AmbientCapabilities = [ "CAP_NET_ADMIN" ]; }; }; diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index f25c93300bb..02d83f82f33 100644 --- a/nixos/tests/prometheus-exporters.nix 
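Review bot: The wireguard unit keeps `AmbientCapabilities = [ "CAP_NET_ADMIN" ]` after `DynamicUser = true;` is removed, so, as in blackbox.nix, the only thing preventing it from running as root with CAP_NET_ADMIN is the default in exporters.nix. Add `CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];` next to the ambient grant and a comment `# DynamicUser defaults to true in exporters.nix` to make that dependency visible.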
+++ b/nixos/tests/prometheus-exporters.nix @@ -191,7 +191,6 @@ let mail = { exporterConfig = { enable = true; - user = "mailexporter"; configuration = { monitoringInterval = "2s"; mailCheckTimeout = "10s"; @@ -199,9 +198,9 @@ let name = "testserver"; server = "localhost"; port = 25; - from = "mailexporter@localhost"; - to = "mailexporter@localhost"; - detectionDir = "/var/spool/mail/mailexporter/new"; + from = "mail-exporter@localhost"; + to = "mail-exporter@localhost"; + detectionDir = "/var/spool/mail/mail-exporter/new"; } ]; }; }; @@ -211,7 +210,7 @@ let after = [ "postfix.service" ]; requires = [ "postfix.service" ]; preStart = '' - mkdir -p 0600 mailexporter/new + mkdir -p 0600 mail-exporter/new ''; serviceConfig = { ProtectHome = true; From 29d765e250760b14b1d3ceb70e949947ea5b91cb Mon Sep 17 00:00:00 2001 From: WilliButz Date: Fri, 2 Aug 2019 15:34:19 +0200 Subject: [PATCH 3/5] nixos/prometheus-wireguard-exporter: use ExecStart instead of script --- .../monitoring/prometheus/exporters/wireguard.nix | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix b/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix index 2e6ff3e746e..aee7cba2638 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix 
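Review bot: `mkdir -p 0600 mail-exporter/new` in the rewritten `preStart` creates a directory literally named `0600` next to `mail-exporter/new` instead of setting a mode (pre-existing, but the line is changed here), and a 0600 mode would not be traversable in any case. Use `mkdir -p -m 0700 mail-exporter/new`. Whether the directory also needs a `chown mail-exporter` for the now-static `mail-exporter` account depends on the `User` of this unit, which is outside the hunk.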
@@ -36,18 +36,17 @@ in { }; }; serviceOpts = { - script = '' - ${pkgs.prometheus-wireguard-exporter}/bin/prometheus_wireguard_exporter \ - -p ${toString cfg.port} \ - ${optionalString cfg.verbose "-v"} \ - ${optionalString cfg.singleSubnetPerField "-s"} \ - ${optionalString (cfg.wireguardConfig != null) "-n ${cfg.wireguardConfig}"} - ''; - path = [ pkgs.wireguard-tools ]; serviceConfig = { AmbientCapabilities = [ "CAP_NET_ADMIN" ]; + ExecStart = '' + ${pkgs.prometheus-wireguard-exporter}/bin/prometheus_wireguard_exporter \ + -p ${toString cfg.port} \ + ${optionalString cfg.verbose "-v"} \ + ${optionalString cfg.singleSubnetPerField "-s"} \ + ${optionalString (cfg.wireguardConfig != null) "-n ${cfg.wireguardConfig}"} + ''; }; }; } From 1ce989cce6d2ab5987e32e84f2b9f0627f99253a Mon Sep 17 00:00:00 2001 From: WilliButz Date: Fri, 2 Aug 2019 16:22:41 +0200 Subject: [PATCH 4/5] nixos/prometheus-exporters: update documentation --- nixos/modules/services/monitoring/prometheus/exporters.xml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/modules/services/monitoring/prometheus/exporters.xml b/nixos/modules/services/monitoring/prometheus/exporters.xml index f6cd1ef57d0..c2d4b05996a 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.xml +++ b/nixos/modules/services/monitoring/prometheus/exporters.xml @@ -159,8 +159,10 @@ in # `serviceOpts.script` and `serviceOpts.serviceConfig.ExecStart` # has to be specified here. This will be merged with the default # service confiuration. + # Note that by default 'DynamicUser' is 'true'. serviceOpts = { serviceConfig = { + DynamicUser = false; ExecStart = '' ${pkgs.prometheus-postfix-exporter}/bin/postfix_exporter \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ From 370370aa2c00a6d17465d33d4dedef7a24d906eb Mon Sep 17 00:00:00 2001 
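Review bot: Besides moving the command from `script` to `ExecStart`, the hunk appears to drop `path = [ pkgs.wireguard-tools ];` (the diffstat's 8 deletions against 7 insertions fits that reading). If the exporter invokes `wg` at runtime — presumably why the entry existed — it is no longer guaranteed to be on the unit's PATH and the failure would only surface at scrape time. Keep `path = [ pkgs.wireguard-tools ];` next to `serviceConfig`, independent of how the command is launched.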
From: WilliButz Date: Fri, 2 Aug 2019 16:23:08 +0200 Subject: [PATCH 5/5] nixos/release-notes: add note about prometheus-exporters --- nixos/doc/manual/release-notes/rl-1909.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml index 049d21d01b2..6f049005ab6 100644 --- a/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixos/doc/manual/release-notes/rl-1909.xml @@ -219,6 +219,13 @@ Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has been dropped. + + + By default, prometheus exporters are now run with DynamicUser enabled. + Exporters that need a real user, now run under a seperate user and group which follow the pattern <exporter-name>-exporter, instead of the previous default nobody and nogroup. + Only some exporters are affected by the latter, namely the exporters dovecot, node, postfix and varnish. + +