public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/netdata: cgroup-network: don't use AmbientCapabilities

Browse Source
This commit is contained in:
Izorkin 2021-05-10 09:57:52 +03:00
parent 9622485d70
commit 58497175be
No known key found for this signature in database
GPG Key ID: 1436C1B3F3679F09
2 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
nixos/modules/services/monitoring/netdata.nix
View File

@ -8,6 +8,7 @@ let
wrappedPlugins = pkgs.runCommand "wrapped-plugins" { preferLocalBuild = true; } '' wrappedPlugins = pkgs.runCommand "wrapped-plugins" { preferLocalBuild = true; } ''
mkdir -p $out/libexec/netdata/plugins.d mkdir -p $out/libexec/netdata/plugins.d
ln -s /run/wrappers/bin/apps.plugin $out/libexec/netdata/plugins.d/apps.plugin ln -s /run/wrappers/bin/apps.plugin $out/libexec/netdata/plugins.d/apps.plugin
ln -s /run/wrappers/bin/cgroup-network $out/libexec/netdata/plugins.d/cgroup-network
ln -s /run/wrappers/bin/freeipmi.plugin $out/libexec/netdata/plugins.d/freeipmi.plugin ln -s /run/wrappers/bin/freeipmi.plugin $out/libexec/netdata/plugins.d/freeipmi.plugin
ln -s /run/wrappers/bin/perf.plugin $out/libexec/netdata/plugins.d/perf.plugin ln -s /run/wrappers/bin/perf.plugin $out/libexec/netdata/plugins.d/perf.plugin
ln -s /run/wrappers/bin/slabinfo.plugin $out/libexec/netdata/plugins.d/slabinfo.plugin ln -s /run/wrappers/bin/slabinfo.plugin $out/libexec/netdata/plugins.d/slabinfo.plugin
@ -26,6 +27,9 @@ let
"web files owner" = "root"; "web files owner" = "root";
"web files group" = "root"; "web files group" = "root";
}; };
"plugin:cgroups" = {
"script to get cgroup network interfaces" = "${wrappedPlugins}/libexec/netdata/plugins.d/cgroup-network";
};
}; };
mkConfig = generators.toINI {} (recursiveUpdate localConfig cfg.config); mkConfig = generators.toINI {} (recursiveUpdate localConfig cfg.config);
configFile = pkgs.writeText "netdata.conf" (if cfg.configText != null then cfg.configText else mkConfig); configFile = pkgs.writeText "netdata.conf" (if cfg.configText != null then cfg.configText else mkConfig);
@ -183,9 +187,6 @@ in {
ConfigurationDirectory = "netdata"; ConfigurationDirectory = "netdata";
ConfigurationDirectoryMode = "0755"; ConfigurationDirectoryMode = "0755";
# Capabilities # Capabilities
AmbientCapabilities = [
"CAP_SETUID" # is required for cgroups and cgroups-network plugins
];
CapabilityBoundingSet = [ CapabilityBoundingSet = [
"CAP_DAC_OVERRIDE" # is required for freeipmi and slabinfo plugins "CAP_DAC_OVERRIDE" # is required for freeipmi and slabinfo plugins
"CAP_DAC_READ_SEARCH" # is required for apps plugin "CAP_DAC_READ_SEARCH" # is required for apps plugin
@ -217,6 +218,14 @@ in {
permissions = "u+rx,g+rx,o-rwx"; permissions = "u+rx,g+rx,o-rwx";
}; };
security.wrappers."cgroup-network" = {
source = "${cfg.package}/libexec/netdata/plugins.d/cgroup-network.org";
capabilities = "cap_setuid+ep";
owner = cfg.user;
group = cfg.group;
permissions = "u+rx,g+rx,o-rwx";
};
security.wrappers."freeipmi.plugin" = { security.wrappers."freeipmi.plugin" = {
source = "${cfg.package}/libexec/netdata/plugins.d/freeipmi.plugin.org"; source = "${cfg.package}/libexec/netdata/plugins.d/freeipmi.plugin.org";
capabilities = "cap_dac_override,cap_fowner+ep"; capabilities = "cap_dac_override,cap_fowner+ep";

2
pkgs/tools/system/netdata/default.nix
View File

@ -56,6 +56,8 @@ in stdenv.mkDerivation rec {
# rename this plugin so netdata will look for setuid wrapper # rename this plugin so netdata will look for setuid wrapper
mv $out/libexec/netdata/plugins.d/apps.plugin \ mv $out/libexec/netdata/plugins.d/apps.plugin \
$out/libexec/netdata/plugins.d/apps.plugin.org $out/libexec/netdata/plugins.d/apps.plugin.org
mv $out/libexec/netdata/plugins.d/cgroup-network \
$out/libexec/netdata/plugins.d/cgroup-network.org
mv $out/libexec/netdata/plugins.d/perf.plugin \ mv $out/libexec/netdata/plugins.d/perf.plugin \
$out/libexec/netdata/plugins.d/perf.plugin.org $out/libexec/netdata/plugins.d/perf.plugin.org
mv $out/libexec/netdata/plugins.d/slabinfo.plugin \ mv $out/libexec/netdata/plugins.d/slabinfo.plugin \