node_exporter icon indicating copy to clipboard operation
node_exporter copied to clipboard

Published 20 hours ago verified publisher icon prometheus

Filesystem metric to report on encrypted mounts

Open aitorpazos opened this issue 2 years ago • 5 comments

Feature request

I´d like to have a metric about filesystems that reports whether the filesystem is encrypted or mounted on top of an encrypted block device. I would expect special devices to be excluded from this (ie: loop devices).

For example, for the following lsblk output:

$ lsblk -e 7
NAME                        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1                     259:0    0 953.9G  0 disk
├─nvme0n1p1                 259:1    0   512M  0 part  /boot/efi
├─nvme0n1p2                 259:2    0   732M  0 part  /boot
└─nvme0n1p3                 259:3    0 952.7G  0 part
  └─nvme0n1p3_crypt         253:0    0 952.6G  0 crypt
    ├─vgubuntu-root         253:1    0 930.4G  0 lvm   /
    └─vgubuntu-swap_1       253:2    0   976M  0 lvm   [SWAP]

I would expect / to be marked as encrypted, but neither /boot nor /boot/efi.

For filesystems like ZFS (or future Btrfs) with native encryption support this flag should also mark those mounts as encrypted when detected.

I would suggest introducing a new gauge metric node_filesystem_encrypted with the same tags as other node_filesystem_* metrics.

aitorpazos avatar Jun 06 '23 12:06 aitorpazos

I don't think we should do much interpretation to generate a encrypted-or-not metric but rather expose the necessary information as info metric. Maybe we can add the 'type' column from the lsblk output to node_disk_info? @SuperQ

discordianfish avatar Jun 09 '23 10:06 discordianfish

Yes, I think this would be better on node_disk_info.

SuperQ avatar Jun 09 '23 12:06 SuperQ

The type column would be useful indeed. Not sure how I would leverage that effectively in regards to monitoring/alerting if filesystems are encrypted or not. I see the following issues:

  • There is no easy way to link a mount to a parent node_disk_info time series, making it hard to actually know if a mount is encrypted.
  • It is common that some mount points are not encrypted (eg: /boot) but others need to be (eg: / or /home). The mount point is a common filtering property to monitor if it is encrypted or not. I don't know how that could be done even if node_disk_info exposes the type.
  • If the encryption happens at the filesystem level (eg: ZFS), node_disk_info wouldn't help.

aitorpazos avatar Jun 09 '23 14:06 aitorpazos

Hrm good point, node_disk_info is per disk not per partition. We should probably have node_filesystem_info with that type label. @aitorpazos @SuperQ wdyt?

discordianfish avatar Jun 15 '23 12:06 discordianfish

Yes, node_filesystem_info seems reasonable.

SuperQ avatar Jun 15 '23 12:06 SuperQ