author | Guillaume DELVIT <guiguid@free.fr> | 2023-10-29 21:46:35 +0100 |
---|---|---|
committer | Guillaume D <guiguid@free.fr> | 2023-11-01 00:16:30 +0100 |
commit | 043522789b997c51b9eb2de84add68896f917860 (patch) | |
tree | cb70516e20800a6f0d3d7b4db7c26c7139eac28e /nixos/modules | |
parent | 7d517bfb76d71fa662228f99fae536f86d602b38 (diff) | |
nixos/services/netdata: add systemd-journald plugin as a privileged wrapper
https://learn.netdata.cloud/docs/logs/systemd-journal/ needs access to Kernel Logs (dmesg): Capability: CAP_SYSLOG Description: This capability allows the program to read kernel logs using the dmesg command or by reading the /dev/kmsg file. System Logs (e.g., /var/log/syslog): Capability: CAP_DAC_READ_SEARCH Description: This capability allows the program to read system logs located in directories such as /var/log/. User Logs (e.g., /var/log/auth.log): Capability: CAP_DAC_READ_SEARCH Description: This capability allows the program to read user logs located in directories such as /var/log/.
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/monitoring/netdata.nix | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix
index 3833418b5add..de0e044453ee 100644
--- a/nixos/modules/services/monitoring/netdata.nix
+++ b/nixos/modules/services/monitoring/netdata.nix
@@ -12,6 +12,7 @@ let
     ln -s /run/wrappers/bin/perf.plugin $out/libexec/netdata/plugins.d/perf.plugin
     ln -s /run/wrappers/bin/slabinfo.plugin $out/libexec/netdata/plugins.d/slabinfo.plugin
     ln -s /run/wrappers/bin/freeipmi.plugin $out/libexec/netdata/plugins.d/freeipmi.plugin
+    ln -s /run/wrappers/bin/systemd-journal.plugin $out/libexec/netdata/plugins.d/systemd-journal.plugin
   '';
 
   plugins = [
@@ -254,7 +255,7 @@ in {
         # Capabilities
         CapabilityBoundingSet = [
           "CAP_DAC_OVERRIDE"      # is required for freeipmi and slabinfo plugins
-          "CAP_DAC_READ_SEARCH"   # is required for apps plugin
+          "CAP_DAC_READ_SEARCH"   # is required for apps and systemd-journal plugin
           "CAP_FOWNER"            # is required for freeipmi plugin
           "CAP_SETPCAP"           # is required for apps, perf and slabinfo plugins
           "CAP_SYS_ADMIN"         # is required for perf plugin
@@ -263,6 +264,7 @@ in {
           "CAP_NET_RAW"           # is required for fping app
           "CAP_SYS_CHROOT"        # is required for cgroups plugin
           "CAP_SETUID"            # is required for cgroups and cgroups-network plugins
+          "CAP_SYSLOG"            # is required for systemd-journal plugin
         ];
         # Sandboxing
         ProtectSystem = "full";
@@ -318,6 +320,14 @@ in {
           permissions = "u+rx,g+x,o-rwx";
         };
 
+        "systemd-journal.plugin" = {
+          source = "${cfg.package}/libexec/netdata/plugins.d/systemd-journal.plugin.org";
+          capabilities = "cap_dac_read_search,cap_syslog+ep";
+          owner = cfg.user;
+          group = cfg.group;
+          permissions = "u+rx,g+x,o-rwx";
+        };
+
         "slabinfo.plugin" = {
           source = "${cfg.package}/libexec/netdata/plugins.d/slabinfo.plugin.org";
           capabilities = "cap_dac_override+ep";
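Review bot: The new wrapper in the last hunk grants `cap_dac_read_search` as a file capability, which bypasses read-permission checks on every file on the host rather than just the journal, and because the wrapper is `g+x` that primitive is reachable by any member of `cfg.group`, not only the service. Reading `/var/log/journal` normally needs no capability at all, only membership in the `systemd-journal` group, so consider `SupplementaryGroups = [ "systemd-journal" ];` on the unit and narrowing the wrapper to `capabilities = "cap_syslog+ep";` (keeping `CAP_SYSLOG` only if kernel-log access via `/dev/kmsg` is actually exercised, as the netdata doc quoted in the commit message claims). The `.org` source path presumably relies on the netdata package renaming the shipped plugin the same way it does for the existing wrappers; a short comment on the entry such as `# the package renames the original to *.org; the wrapper is what the plugins.d symlink above resolves to` would make that coupling visible to the next maintainer. The comment in the second hunk reads better as `# is required for apps and systemd-journal plugins`.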