public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #33331 from cransom/netdata-module

Browse Source 
netdata service: fix permissions for apps.plugin
This commit is contained in:
Jörg Thalheim 2018-01-19 23:19:29 +00:00 committed by GitHub
commit dfa6a81a31
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 76 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
nixos/modules/services/monitoring/netdata.nix
View File

@ -5,18 +5,25 @@ with lib;
let let
cfg = config.services.netdata; cfg = config.services.netdata;
configFile = pkgs.writeText "netdata.conf" cfg.configText; wrappedPlugins = pkgs.runCommand "wrapped-plugins" {} ''
mkdir -p $out/libexec/netdata/plugins.d
ln -s /run/wrappers/bin/apps.plugin $out/libexec/netdata/plugins.d/apps.plugin
'';
localConfig = {
global = {
"plugins directory" = "${wrappedPlugins}/libexec/netdata/plugins.d ${pkgs.netdata}/libexec/netdata/plugins.d";
};
};
mkConfig = generators.toINI {} (recursiveUpdate localConfig cfg.config);
configFile = pkgs.writeText "netdata.conf" (if cfg.configText != null then cfg.configText else mkConfig);
defaultUser = "netdata"; defaultUser = "netdata";
in { in {
options = { options = {
services.netdata = { services.netdata = {
enable = mkOption { enable = mkEnableOption "netdata";
default = false;
type = types.bool;
description = "Whether to enable netdata monitoring.";
};
user = mkOption { user = mkOption {
type = types.str; type = types.str;
@ -31,9 +38,9 @@ in {
}; };
configText = mkOption { configText = mkOption {
type = types.lines; type = types.nullOr types.lines;
default = ""; description = "Verbatim netdata.conf, cannot be combined with config.";
description = "netdata.conf configuration."; default = null;
example = '' example = ''
[global] [global]
debug log = syslog debug log = syslog
@ -42,11 +49,29 @@ in {
''; '';
}; };
config = mkOption {
type = types.attrsOf types.attrs;
default = {};
description = "netdata.conf configuration as nix attributes. cannot be combined with configText.";
example = literalExample ''
global = {
"debug log" = "syslog";
"access log" = "syslog";
"error log" = "syslog";
};
'';
};
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
assertions =
[ { assertion = cfg.config != {} -> cfg.configText == null ;
message = "Cannot specify both config and configText";
}
];
systemd.services.netdata = { systemd.services.netdata = {
path = with pkgs; [ gawk curl ];
description = "Real time performance monitoring"; description = "Real time performance monitoring";
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -66,6 +91,15 @@ in {
}; };
}; };
security.wrappers."apps.plugin" = {
source = "${pkgs.netdata}/libexec/netdata/plugins.d/apps.plugin";
capabilities = "cap_dac_read_search,cap_sys_ptrace+ep";
owner = cfg.user;
group = cfg.group;
permissions = "u+rx,g+rx,o-rwx";
};
users.extraUsers = optional (cfg.user == defaultUser) { users.extraUsers = optional (cfg.user == defaultUser) {
name = defaultUser; name = defaultUser;
}; };

1
nixos/release.nix
View File

@ -304,6 +304,7 @@ in rec {
tests.nat.firewall = callTest tests/nat.nix { withFirewall = true; }; tests.nat.firewall = callTest tests/nat.nix { withFirewall = true; };
tests.nat.firewall-conntrack = callTest tests/nat.nix { withFirewall = true; withConntrackHelpers = true; }; tests.nat.firewall-conntrack = callTest tests/nat.nix { withFirewall = true; withConntrackHelpers = true; };
tests.nat.standalone = callTest tests/nat.nix { withFirewall = false; }; tests.nat.standalone = callTest tests/nat.nix { withFirewall = false; };
tests.netdata = callTest tests/netdata.nix { };
tests.networking.networkd = callSubTests tests/networking.nix { networkd = true; }; tests.networking.networkd = callSubTests tests/networking.nix { networkd = true; };
tests.networking.scripted = callSubTests tests/networking.nix { networkd = false; }; tests.networking.scripted = callSubTests tests/networking.nix { networkd = false; };
# TODO: put in networking.nix after the test becomes more complete # TODO: put in networking.nix after the test becomes more complete

31
nixos/tests/netdata.nix Normal file
View File

@ -0,0 +1,31 @@
# This test runs netdata and checks for data via apps.plugin
import ./make-test.nix ({ pkgs, ...} : {
name = "netdata";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ cransom ];
};
nodes = {
netdata =
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [ curl jq ];
services.netdata.enable = true;
};
};
testScript = ''
startAll;
$netdata->waitForUnit("netdata.service");
# check if netdata can read disk ops for root owned processes.
# if > 0, successful. verifies both netdata working and
# apps.plugin has elevated capabilities.
my $cmd = <<'CMD';
curl -s http://localhost:19999/api/v1/data\?chart=users.pwrites | \
jq -e '[.data[range(10)][.labels | indices("root")[0]]] | add | . > 0'
CMD
$netdata->waitUntilSucceeds($cmd);
'';
})