input powerdns requires write access to socket directory - E! [inputs.powerdns] Error in plugin: dial unix /var/run/pdns/pdns.controlsocket: connect: permission denied
Hi!
The input powerdns seems to require write access to the socket directory in order to be able to read from the socket.
( https://github.com/influxdata/telegraf/blob/release-1.21/plugins/inputs/powerdns )
PowerDNS version 4.5
Error:
# sudo -u telegraf telegraf --config /etc/telegraf/telegraf.d/telegraf_pdns.conf --input-filter powerdns --test
2022-03-14T15:32:22Z I! Starting Telegraf 1.21.4
2022-03-14T15:32:22Z I! Loaded inputs: powerdns
2022-03-14T15:32:22Z I! Loaded aggregators:
2022-03-14T15:32:22Z I! Loaded processors:
2022-03-14T15:32:22Z W! Outputs are not used in testing mode!
2022-03-14T15:32:22Z I! Tags enabled: host=****
2022-03-14T15:32:22Z E! [inputs.powerdns] Error in plugin: dial unix /var/run/pdns/pdns.controlsocket: connect: permission denied
2022-03-14T15:32:22Z E! [telegraf] Error running agent: input plugins recorded 1 errors
telegraf config:
[[inputs.powerdns]]
## An array of sockets to gather stats about.
## Specify a path to unix socket.
unix_sockets = ["/var/run/pdns/pdns.controlsocket"]
Does not work:
# ls -all /var/run/pdns
total 0
drwxr-xr-x 2 pdns pdns 60 Mar 14 15:36 .
drwxr-xr-x 36 root root 1200 Mar 14 15:36 ..
srwxr-xr-x 1 pdns pdns 0 Mar 14 15:36 pdns.controlsocket
Does work:
# ls -all /var/run/pdns
total 0
drwxrwx--- 2 pdns pdns 60 Mar 14 15:36 .
drwxr-xr-x 36 root root 1200 Mar 14 15:36 ..
srwxr-xr-x 1 pdns pdns 0 Mar 14 15:36 pdns.controlsocket
With the same command then giving output:
# sudo -u telegraf telegraf --config /etc/telegraf/telegraf.d/telegraf_pdns.conf --input-filter powerdns --test
2022-03-14T15:33:03Z I! Starting Telegraf 1.21.4
2022-03-14T15:33:03Z I! Loaded inputs: powerdns
2022-03-14T15:33:03Z I! Loaded aggregators:
2022-03-14T15:33:03Z I! Loaded processors:
2022-03-14T15:33:03Z W! Outputs are not used in testing mode!
2022-03-14T15:33:03Z I! Tags enabled: host=****
> powerdns,host=****,server=/var/run/pdns/pdns.controlsocket backend-queries=0i,corrupt-packets=0i,cpu-iowait=440025i,cpu-steal=40964i,deferred-cache-inserts=0i,deferred-cache-lookup=0i,deferred-packetcache-inserts=0i,deferred-packetcache-lookup=0i,dnsupdate-answers=0i,dnsupdate-changes=0i,dnsupdate-queries=0i,dnsupdate-refused=0i,fd-usage=24i,incoming-notifications=0i,key-cache-size=0i,latency=0i,meta-cache-size=0i,noerror-packets=0i,nxdomain-packets=0i,open-tcp-connections=0i,overload-drops=0i,packetcache-hit=0i,packetcache-miss=0i,packetcache-size=0i,qsize-q=0i,query-cache-hit=0i,query-cache-miss=0i,query-cache-size=0i,rd-queries=0i,real-memory-usage=61353984i,recursing-answers=0i,recursing-questions=0i,recursion-unanswered=0i,ring-logmessages-capacity=10000i,ring-logmessages-size=4i,ring-noerror-queries-capacity=10000i,ring-noerror-queries-size=0i,ring-nxdomain-queries-capacity=10000i,ring-nxdomain-queries-size=0i,ring-queries-capacity=10000i,ring-queries-size=0i,ring-remotes-capacity=10000i,ring-remotes-corrupt-capacity=10000i,ring-remotes-corrupt-size=0i,ring-remotes-size=0i,ring-remotes-unauth-capacity=10000i,ring-remotes-unauth-size=0i,ring-servfail-queries-capacity=10000i,ring-servfail-queries-size=0i,ring-unauth-queries-capacity=10000i,ring-unauth-queries-size=0i,security-status=1i,servfail-packets=0i,signature-cache-size=0i,signatures=0i,sys-msec=220i,tcp-answers=0i,tcp-answers-bytes=0i,tcp-queries=0i,tcp4-answers=0i,tcp4-answers-bytes=0i,tcp4-queries=0i,tcp6-answers=0i,tcp6-answers-bytes=0i,tcp6-queries=0i,timedout-packets=0i,udp-answers=0i,udp-answers-bytes=0i,udp-do-queries=0i,udp-in-errors=0i,udp-noport-errors=3646i,udp-queries=0i,udp-recvbuf-errors=0i,udp-sndbuf-errors=0i,udp4-answers=0i,udp4-answers-bytes=0i,udp4-queries=0i,udp6-answers=0i,udp6-answers-bytes=0i,udp6-queries=0i,unauth-packets=0i,uptime=675i,user-msec=158i,xfr-queue=0i,zone-cache-hit=0i,zone-cache-miss=0i,zone-cache-size=5i 1647271984000000000
PowerDNS does not seem to support setting specific socket mode like PowerDNS Recursor, and after service restart the ownership of the directory is reset back to 755.
Am I doing something wrong or is it the plugin?
Thank you!
The readme specifies that the telegraf user will need to be added to the pdns group. Have you done that? If so, can you run groups telegraf and ensure it is listed there?
Yes, the user telegraf has group pdns. This also corresponds to the working example above where the directory is group writeable, not world read nor write.
> where the directory is group writeable,
This seems very odd, however in the PowerDNS Recursor README there are more details about the socket-mode in the powerdns settings. Is the socket-mode an option in PowerDNS and can it be set to 660?
I have not found any reference in the PowerDNS settings for socket-mode, only socket-dir. I tested the corresponding setting for PowerDNS as stated for the Recursor, socket-mode, but PowerDNS did not like this and refused to start. Was worth a shot...
Hello, the same issue with pdns 4.6.
# ls -all /var/run/pdns
total 0
drwxr-xr-x 2 pdns pdns 60 Jun 2 06:37 .
drwxr-xr-x 33 root root 1000 Jun 2 06:37 ..
srwxr-xr-x 1 pdns pdns 0 Jun 2 06:37 pdns.controlsocket
# sudo -u telegraf telegraf -config /etc/telegraf/telegraf.conf -config-directory /etc/telegraf/telegraf.d --test --input-filter powerdns
2022-06-02T06:38:11Z I! Starting Telegraf 1.20.3
2022-06-02T06:38:11Z E! [inputs.powerdns] Error in plugin: dial unix /var/run/pdns/pdns.controlsocket: connect: permission denied
2022-06-02T06:38:11Z E! [telegraf] Error running agent: input plugins recorded 1 errors
# groups telegraf
telegraf : telegraf pdns
Hey there,
I've got the same issue (pdns v4.3, then upgraded to v4.5, and telegraf v1.23). The connect: permission denied error for the socket is shown when I try to run the service with the telegraf user, although I used usermod telegraf -a -G pdns!
I also tried to use socket_mode and socket_dir, but it sounds like the pdns authoritative plugin doesn't support it and it couldn't start:
@ShamimShahraeini That error seems to come from telegraf, but not from pdns? Did you configure this correctly?
I have the same. PDNS 4.8.2-1, Debian 11.7. Only chmod g+w /var/run/pdns/pdns.controlsocket fixes it, temporarily, until the next pdns restart. So I added this line to pdns.service: ExecStartPost=/bin/chmod g+w /var/run/pdns/pdns.controlsocket
@powersj socket-mode only works with powerdns recursor, but doesn't exist in authoritative.
telegraf inputs.powerdns is about authoritative mode.
@aderumier,
If you have something that can aid users, then I would appreciate a new issue and not commenting on a closed one.
> socket-mode only works with powerdns recursor, but doesn't exist in authoritative.
> telegraf inputs.powerdns is about authoritative mode.
If that is true, then why does the plugin attempt to connect via the socket and even state the following in the readme:
> The powerdns plugin gathers metrics about PowerDNS using unix socket.
Is this due to a change in powerdns? Or has this never worked?
Hi, it was working for me on powerdns 4.1 (on Debian 10); the permissions on the socket were OK for the group.
On powerdns 4.8 (from the powerdns repo on Debian 12), the group doesn't have write permissions,
and we can't change the permissions with socket-mode for authoritative powerdns (this option is only valid with powerdns recursor).
The only working workaround for me is: "ExecStartPost=/bin/chmod g+w /var/run/pdns/pdns.controlsocket"
https://github.com/influxdata/telegraf/issues/10815#issuecomment-1727194404
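The chmod g+w workaround reported in this thread matches how Linux checks access to a pathname Unix socket: connect() needs write permission on the socket file and search permission on its directory (unix(7)). The sketch below is an added example, not code from the thread, Telegraf or PowerDNS; it models that check over ls -l lines like the ones posted above. The function names are hypothetical, the post-chmod listing is constructed, and ACLs, capabilities and root are ignored.

```python
# Added example: models the Linux permission check for connect() on a
# pathname Unix socket, using `ls -l` lines as input. Assumptions: plain
# mode bits only (no ACLs, capabilities or root); function names are
# hypothetical, not Telegraf or PowerDNS APIs.

def parse_ls(line):
    """Return (mode, owner, group, name) from one `ls -l` line."""
    fields = line.split()
    return fields[0], fields[2], fields[3], fields[-1]

def effective_bits(mode, owner, group, user, groups):
    """Pick the single rwx triplet the kernel applies to this user."""
    if user == owner:
        return mode[1:4]      # owner class, even if group would allow more
    if group in groups:
        return mode[4:7]      # group class
    return mode[7:10]         # other class

def can_connect(dir_line, sock_line, user, groups):
    """connect() needs search (x) on the directory and write (w) on the socket."""
    dmode, downer, dgroup, _ = parse_ls(dir_line)
    smode, sowner, sgroup, name = parse_ls(sock_line)
    problems = []
    if not smode.startswith("s"):
        problems.append(f"{name} is not a socket")
    # 's' or 't' in the execute slot means setuid/setgid/sticky with x set
    if effective_bits(dmode, downer, dgroup, user, groups)[2] not in "xst":
        problems.append("no search (x) permission on directory")
    if effective_bits(smode, sowner, sgroup, user, groups)[1] != "w":
        problems.append(f"no write (w) permission on {name}")
    return (not problems, problems)

# Listings as posted in the thread (directory and socket both 0755).
DIR_POSTED = "drwxr-xr-x 2 pdns pdns 60 Mar 14 15:36 ."
SOCK_POSTED = "srwxr-xr-x 1 pdns pdns 0 Mar 14 15:36 pdns.controlsocket"
# Constructed: what the socket line would look like after `chmod g+w`.
SOCK_GROUP_W = "srwxrwxr-x 1 pdns pdns 0 Mar 14 15:36 pdns.controlsocket"

TELEGRAF_GROUPS = {"telegraf", "pdns"}   # from `groups telegraf` in the thread

if __name__ == "__main__":
    for label, sock in (("as posted", SOCK_POSTED), ("after chmod g+w", SOCK_GROUP_W)):
        ok, why = can_connect(DIR_POSTED, sock, "telegraf", TELEGRAF_GROUPS)
        print(f"{label}: {'connect allowed' if ok else 'EACCES: ' + '; '.join(why)}")
    # A user outside the pdns group is still refused after the chmod.
    print(can_connect(DIR_POSTED, SOCK_GROUP_W, "www-data", {"www-data"}))
```

Because g+w only widens the group class, accounts outside the pdns group remain unable to reach the control socket.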