diff options
| author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2022-01-27 13:37:01 +0100 |
|---|---|---|
| committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2022-01-27 17:33:27 +0100 |
| commit | 12c26aca1fd55ab99f831bedc865a626eee39f80 (patch) | |
| tree | f41bc54638270a1099a8d331487d0a7db7e75998 /nixos/modules/services/monitoring | |
| parent | f860b289d4d7a45c38b7dbe8f74bf0d09d86f313 (diff) | |
| download | nixlib-12c26aca1fd55ab99f831bedc865a626eee39f80.tar nixlib-12c26aca1fd55ab99f831bedc865a626eee39f80.tar.gz nixlib-12c26aca1fd55ab99f831bedc865a626eee39f80.tar.bz2 nixlib-12c26aca1fd55ab99f831bedc865a626eee39f80.tar.lz nixlib-12c26aca1fd55ab99f831bedc865a626eee39f80.tar.xz nixlib-12c26aca1fd55ab99f831bedc865a626eee39f80.tar.zst nixlib-12c26aca1fd55ab99f831bedc865a626eee39f80.zip | |
prometheus.exporters.smartctl: Fix autodiscovery
When no devices are given the exporter tries to autodiscover available
disks. The previous DevicePolicy was however preventing the exporter
from accessing any device at all, since only explicitly mentioned ones
were allowed.
This commit adds an allow rule for several device classes that I could
find on my machines, that gets set when no devices are explicitly
configured.
There is an existing problem with nvme devices, that expose a character
device at `/dev/nvme0`, and a (namespaced) block device at
`/dev/nvme0n1`. The character device does not come with permissions that
we could give to the exporter without further impacting the hardening.
crw------- 1 root root 247, 0 27. Jan 03:10 /dev/nvme0
brw-rw---- 1 root disk 259, 0 27. Jan 03:10 /dev/nvme0n1
The autodiscovery only finds the character device, which the exporter
unfortunately does not have access to.
However a simple udev rule can be used to resolve this:
services.udev.extraRules = ''
SUBSYSTEM=="nvme", KERNEL=="nvme[0-9]*", GROUP="disk"
'';
Unfortunately I'm not fully aware of the security implications this
change carries and we should question upstream (systemd) why they did
not include such a rule.
The disk group has no members on any of my machines.
❯ getent group disk
disk:x:6:
Diffstat (limited to 'nixos/modules/services/monitoring')
| -rw-r--r-- | nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix b/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix index 437604748b3e..9e49601ce1a7 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix @@ -25,7 +25,8 @@ in { [ "/dev/sda", "/dev/nvme0n1" ]; ''; description = '' - Paths to disks that will be monitored. + Paths to the disks that will be monitored. Will autodiscover + all disks if none given. ''; }; maxInterval = mkOption { @@ -49,7 +50,15 @@ in { "CAP_SYS_ADMIN" ]; DevicePolicy = "closed"; - DeviceAllow = lib.mkForce cfg.devices; + DeviceAllow = lib.mkOverride 100 ( + if cfg.devices != [] then + cfg.devices + else [ + "block-blkext rw" + "block-sd rw" + "char-nvme rw" + ] + ); ExecStart = '' ${pkgs.prometheus-smartctl-exporter}/bin/smartctl_exporter -config ${configFile} ''; |