kookie
/
nomicon
1
0
Fork 0
Code Issues Projects Releases 1 Activity

nixos/netdata: cgroup-network: don't use AmbientCapabilities

Browse Source
wip/little-gl
Izorkin 3 years ago
parent 9622485d70
commit 58497175be
No known key found for this signature in database
GPG Key ID: 1436C1B3F3679F09
2 changed files with 14 additions and 3 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 15
      nixos/modules/services/monitoring/netdata.nix
  2. 2
      pkgs/tools/system/netdata/default.nix

15
nixos/modules/services/monitoring/netdata.nix
Unescape View File

@ -8,6 +8,7 @@ let
wrappedPlugins = pkgs.runCommand "wrapped-plugins" { preferLocalBuild = true; } ''
mkdir -p $out/libexec/netdata/plugins.d
ln -s /run/wrappers/bin/apps.plugin $out/libexec/netdata/plugins.d/apps.plugin
ln -s /run/wrappers/bin/cgroup-network $out/libexec/netdata/plugins.d/cgroup-network
ln -s /run/wrappers/bin/freeipmi.plugin $out/libexec/netdata/plugins.d/freeipmi.plugin
ln -s /run/wrappers/bin/perf.plugin $out/libexec/netdata/plugins.d/perf.plugin
ln -s /run/wrappers/bin/slabinfo.plugin $out/libexec/netdata/plugins.d/slabinfo.plugin
@ -26,6 +27,9 @@ let
"web files owner" = "root";
"web files group" = "root";
};
"plugin:cgroups" = {
"script to get cgroup network interfaces" = "${wrappedPlugins}/libexec/netdata/plugins.d/cgroup-network";
};
};
mkConfig = generators.toINI {} (recursiveUpdate localConfig cfg.config);
configFile = pkgs.writeText "netdata.conf" (if cfg.configText != null then cfg.configText else mkConfig);
@ -183,9 +187,6 @@ in {
ConfigurationDirectory = "netdata";
ConfigurationDirectoryMode = "0755";
# Capabilities
AmbientCapabilities = [
"CAP_SETUID" # is required for cgroups and cgroups-network plugins
];
CapabilityBoundingSet = [
"CAP_DAC_OVERRIDE" # is required for freeipmi and slabinfo plugins
"CAP_DAC_READ_SEARCH" # is required for apps plugin
@ -217,6 +218,14 @@ in {
permissions = "u+rx,g+rx,o-rwx";
};
security.wrappers."cgroup-network" = {
source = "${cfg.package}/libexec/netdata/plugins.d/cgroup-network.org";
capabilities = "cap_setuid+ep";
owner = cfg.user;
group = cfg.group;
permissions = "u+rx,g+rx,o-rwx";
};
security.wrappers."freeipmi.plugin" = {
source = "${cfg.package}/libexec/netdata/plugins.d/freeipmi.plugin.org";
capabilities = "cap_dac_override,cap_fowner+ep";

2
pkgs/tools/system/netdata/default.nix
Unescape View File

@ -56,6 +56,8 @@ in stdenv.mkDerivation rec {
# rename this plugin so netdata will look for setuid wrapper
mv $out/libexec/netdata/plugins.d/apps.plugin \
$out/libexec/netdata/plugins.d/apps.plugin.org
mv $out/libexec/netdata/plugins.d/cgroup-network \
$out/libexec/netdata/plugins.d/cgroup-network.org
mv $out/libexec/netdata/plugins.d/perf.plugin \
$out/libexec/netdata/plugins.d/perf.plugin.org
mv $out/libexec/netdata/plugins.d/slabinfo.plugin \

Write Preview
Loading…
Cancel
Save