| author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2022-01-27 13:37:01 +0100 |
|---|---|---|
| committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2022-01-27 17:33:27 +0100 |
| commit | 12c26aca1fd55ab99f831bedc865a626eee39f80 | |
| tree | f41bc54638270a1099a8d331487d0a7db7e75998 /nixos/modules/services/monitoring | |
| parent | f860b289d4d7a45c38b7dbe8f74bf0d09d86f313 | |
prometheus.exporters.smartctl: Fix autodiscovery
When no devices are given the exporter tries to autodiscover available disks. The previous DevicePolicy was, however, preventing the exporter from accessing any device at all, since only explicitly mentioned ones were allowed.

This commit adds an allow rule for several device classes that I could find on my machines, which gets set when no devices are explicitly configured.

There is an existing problem with nvme devices, which expose a character device at `/dev/nvme0`, and a (namespaced) block device at `/dev/nvme0n1`. The character device does not come with permissions that we could give to the exporter without further impacting the hardening.

    crw------- 1 root root 247, 0 27. Jan 03:10 /dev/nvme0
    brw-rw---- 1 root disk 259, 0 27. Jan 03:10 /dev/nvme0n1

The autodiscovery only finds the character device, which the exporter unfortunately does not have access to. However, a simple udev rule can be used to resolve this:

    services.udev.extraRules = ''
      SUBSYSTEM=="nvme", KERNEL=="nvme[0-9]*", GROUP="disk"
    '';

Unfortunately I'm not fully aware of the security implications this change carries and we should question upstream (systemd) why they did not include such a rule.

The disk group has no members on any of my machines.

    ❯ getent group disk
    disk:x:6:
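The commit message shows the resulting device nodes and the udev workaround but leaves implicit how a disk maps onto one of the `block-<group>`/`char-<group>` names used in DeviceAllow. The following shell script is an added example, not code from this commit or from the nixpkgs module: it resolves a device's type and major number to the systemd group spec by looking the major up in `/proc/devices`, the table systemd itself consults for these names, so it can tell you which class a disk outside sd/blkext/nvme would need added to the allowlist. The `/proc/devices` content is constructed to match the majors visible in the commit message (char 247 = nvme, block 259 = blkext) plus the SCSI disk major 8; `device_node_spec` assumes GNU `stat`.

```shell
# Added example (not from the nixpkgs commit): derive the systemd DeviceAllow=
# group spec ("block-<group> rw" / "char-<group> rw") for a device from its type
# and major number, using the /proc/devices table that systemd resolves these
# names against.
#
# Constructed /proc/devices excerpt matching the commit message: /dev/nvme0 is
# char major 247 (nvme), /dev/nvme0n1 is block major 259 (blkext); block major 8
# is the classic SCSI/SATA disk class (sd).
SAMPLE_PROC_DEVICES='Character devices:
  1 mem
  4 tty
  5 /dev/tty
247 nvme

Block devices:
  8 sd
259 blkext
'

# device_allow_spec KIND MAJOR [TABLE]
#   KIND  is "block" or "char"
#   MAJOR is the decimal major number of the device node
#   TABLE defaults to the live /proc/devices when omitted
# Prints e.g. "block-blkext rw"; returns 1 if the major is not in the table.
device_allow_spec() {
  kind=$1
  major=$2
  table=${3:-$(cat /proc/devices)}
  case $kind in
    block) section='Block devices:' ;;
    char)  section='Character devices:' ;;
    *) echo "device_allow_spec: kind must be block or char, got '$kind'" >&2; return 2 ;;
  esac
  group=$(printf '%s\n' "$table" | awk -v sec="$section" -v maj="$major" '
    /devices:$/         { in_sec = ($0 == sec); next }   # section header lines
    in_sec && $1 == maj { print $2; exit }               # first match wins
  ')
  if [ -z "$group" ]; then
    echo "device_allow_spec: no $kind device with major $major in table" >&2
    return 1
  fi
  # "rw" mirrors the modes the module grants; tighten to "r" only after
  # confirming the exporter opens its devices read-only.
  printf '%s-%s rw\n' "$kind" "$group"
}

# device_node_spec PATH: the same lookup for a real device node on the running
# host. Assumes GNU stat (%F gives the file type, %t the major in hex). Not
# exercised against the constructed table above.
device_node_spec() {
  node=$1
  case $(stat -c '%F' "$node") in
    'block special file')     kind=block ;;
    'character special file') kind=char ;;
    *) echo "device_node_spec: $node is not a device node" >&2; return 2 ;;
  esac
  device_allow_spec "$kind" "$(printf '%d' "0x$(stat -c '%t' "$node")")"
}

# Demonstration against the constructed table: the three classes the patch allows.
device_allow_spec block 8   "$SAMPLE_PROC_DEVICES"   # block-sd rw
device_allow_spec block 259 "$SAMPLE_PROC_DEVICES"   # block-blkext rw
device_allow_spec char  247 "$SAMPLE_PROC_DEVICES"   # char-nvme rw
```

On a live host, `device_node_spec /dev/vda` (or any disk not covered by the three classes) prints the exact string to add to `DeviceAllow`, and a non-zero exit from `device_allow_spec` means the major is not registered under that type at all, which is the situation the hardened unit would otherwise surface only as an opaque "Permission denied" from smartctl.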
Diffstat (limited to 'nixos/modules/services/monitoring')
-rw-r--r-- | nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix b/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix index 437604748b3e..9e49601ce1a7 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix @@ -25,7 +25,8 @@ in { [ "/dev/sda", "/dev/nvme0n1" ]; ''; description = '' - Paths to disks that will be monitored. + Paths to the disks that will be monitored. Will autodiscover + all disks if none given. ''; }; maxInterval = mkOption { @@ -49,7 +50,15 @@ in { "CAP_SYS_ADMIN" ]; DevicePolicy = "closed"; - DeviceAllow = lib.mkForce cfg.devices; + DeviceAllow = lib.mkOverride 100 ( + if cfg.devices != [] then + cfg.devices + else [ + "block-blkext rw" + "block-sd rw" + "char-nvme rw" + ] + ); ExecStart = '' ${pkgs.prometheus-smartctl-exporter}/bin/smartctl_exporter -config ${configFile} ''; |
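Review bot: the new option description in the first hunk ("Will autodiscover all disks if none given") promises more than the unit can deliver: with DevicePolicy = "closed" the exporter can only open devices matching the DeviceAllow classes the second hunk adds (block-sd, block-blkext, char-nvme), so disks whose device class is not one of those are never reachable in autodiscovery mode, and, per the commit message, NVMe controllers (/dev/nvme0, root:root 0600) additionally need the udev rule before the allowance matters. Suggest stating the limitation where users will read it, e.g. "Autodiscovery is restricted to the sd, blkext and nvme device classes; list other disks here explicitly."

Review bot: the change from lib.mkForce to lib.mkOverride 100 in the second hunk alters merge behaviour and is explained neither in the commit message nor in a comment. Priority 100 is the priority of an ordinary definition, so a user's own systemd.services.<name>.serviceConfig.DeviceAllow will now be merged with this list instead of being overridden by it; if the intent is to let users extend the allowlist for device classes that were not on the author's machines, say so in a comment next to the mkOverride, otherwise keep mkForce so the hardening stays authoritative. Two smaller points on the fallback list: "char-nvme rw" is inert on a stock system because the commit message shows /dev/nvme0 as root:root 0600, so a comment pointing at the udev rule requirement would save the next reader the same investigation; and "rw" on block-sd and block-blkext grants write opens on every SCSI/SATA and blkext block device, so it is worth checking whether "r" is enough for the exporter's ioctls before shipping the wider mode.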