puppet-collectd
Handle systemd capabilities for the user
Please check the following items before submitting an issue -- thank you!
Note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.
- [x] There is no existing issue or PR that addresses this problem
Optional, but makes our lives much easier:
- [x] The issue affects the latest release of this module at the time of submission
For packages/systems that use systemd and restrictive permissions in the systemd unit file (such as those at http://pkg.ci.collectd.org/), I think the puppet module should automatically inject the proper capabilities when the appropriate plugins are included.
In the included plugins' classes, there would be a check for if `$::service_provider == 'systemd'`, and if true, augeas calls would be made against the file to add capabilities if necessary.
In this case, I think it would be appropriate to add another top-level variable `manage_capabilities = true`, such that its automatic behaviour can be disabled.
I am currently doing this for the exec plugin in my profile for configuring collectd, so I would be able to submit a PR if it's determined to be a useful change.
Note that $::service_provider is only available in puppetlabs-stdlib >= 4.10.0, which would be quite a jump in required version. The other option is to add in a bunch of os-dependent checks in the params.
For context, here's the listing from the collectd systemd unit file that has the plugins that require changes to the systemd service file:
```ini
# A few plugins won't work without some privileges, which you'll have to
# specify using the CapabilityBoundingSet directive below.
#
# Here's a (incomplete) list of the plugins known capability requirements:
# ceph CAP_DAC_OVERRIDE
# dns CAP_NET_RAW
# exec CAP_SETUID CAP_SETGID
# iptables CAP_NET_ADMIN
# ping CAP_NET_RAW
# turbostat CAP_SYS_RAWIO
#
# Example, if you use the iptables plugin alongside the dns or ping plugin:
#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
#
# By default, drop all capabilities:
CapabilityBoundingSet=
```
On systemd systems it's possible to override settings from the package supplied unit file by using Drop-ins:
`cat /etc/systemd/system/collectd.service.d/capabilities.conf`:
```ini
[Service]
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
```
This will override whatever statement is defined in the "main" unit file.
`systemctl cat collectd`:
```ini
# /usr/lib/systemd/system/collectd.service
[Unit]
Description=Collectd statistics daemon
Documentation=man:collectd(1) man:collectd.conf(5)
After=local-fs.target network-online.target
Requires=local-fs.target network-online.target
[Service]
ExecStart=/usr/sbin/collectd
EnvironmentFile=-/etc/sysconfig/collectd
EnvironmentFile=-/etc/default/collectd
ProtectSystem=full
ProtectHome=true
....
[Install]
WantedBy=multi-user.target
# /etc/systemd/system/collectd.service.d/capabilities.conf
[Service]
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
```
So it basically boils down to setting a directory and file managed by puppet and reloading systemd and then the collectd service for it to take effect.
No augeas needed :)
From https://www.freedesktop.org/software/systemd/man/systemd.unit.html:
> ...for drop-in files, if one wants to remove entries from a setting that is parsed as a list (and is not a dependency), ...one needs to first clear the list before re-adding all entries except the one that is to be removed
So if upstream already includes a CapabilityBoundingSet setting, one might need to do
```ini
# /etc/systemd/system/collectd.service.d/capabilities.conf
[Service]
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
```
instead.
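As an added example (not from this thread or the puppet-collectd module), the list-merging rule quoted above can be modelled in Python. The script parses a constructed main unit and two constructed drop-ins and computes the resulting CapabilityBoundingSet, showing that a drop-in which only appends keeps whatever upstream granted, while one that first clears the list replaces it; the unit contents and file names are assumptions for the demonstration.

```python
import re

# Constructed main unit: upstream already grants the exec plugin's capabilities.
MAIN_UNIT = """[Service]
ExecStart=/usr/sbin/collectd
CapabilityBoundingSet=CAP_SETUID CAP_SETGID
"""
# Constructed drop-in written the naive way: it only appends to the unit's list.
DROPIN_APPEND = """[Service]
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
"""
# Constructed drop-in that clears the list first, as systemd.unit(5) advises.
DROPIN_RESET = """[Service]
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
"""

def service_assignments(fragment, key):
    """Yield the values assigned to `key` in [Service], in file order."""
    section = None
    for raw in fragment.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue  # blank line or comment
        header = re.fullmatch(r'\[(.+)\]', line)
        if header:
            section = header.group(1)
            continue
        if section == 'Service' and '=' in line:
            k, v = (part.strip() for part in line.split('=', 1))
            if k == key:
                yield v

def effective_bounding_set(fragments):
    """Merge CapabilityBoundingSet the way systemd merges list settings: an
    empty assignment clears the list, a non-empty one appends. Pass the main
    unit first, then drop-ins in filename order. "~" sets are not modelled."""
    caps = []
    for fragment in fragments:
        for value in service_assignments(fragment, 'CapabilityBoundingSet'):
            if value == '':
                caps = []  # reset: prior assignments have no effect
            elif value.startswith('~'):
                raise NotImplementedError('inverted bounding set not modelled')
            else:
                for cap in value.split():
                    if cap not in caps:
                        caps.append(cap)
    return caps
```

Running `effective_bounding_set([MAIN_UNIT, DROPIN_APPEND])` keeps CAP_SETUID and CAP_SETGID alongside the new caps, whereas `DROPIN_RESET` leaves only CAP_NET_RAW and CAP_NET_ADMIN.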
@juniorsysadmin Correct, however I think I stumbled upon a systemd bug regarding the capability of overriding CapabilityBoundingSet. Made a bug report with Red Hat to verify. https://bugzilla.redhat.com/show_bug.cgi?id=1409586
What version of systemd are you running?