diff options
| author | Pierre Bourdon <delroth@gmail.com> | 2022-09-06 02:10:47 +0200 |
|---|---|---|
| committer | Pierre Bourdon <delroth@gmail.com> | 2022-09-06 02:10:47 +0200 |
| commit | bfe73f95430a71daf1d2fdf1ae6832f2a4db0f35 (patch) | |
| tree | 0b8c3558c1db51127e7f33b756ce30729d72a861 /nixos | |
| parent | 76daf3b9daa76829294c213d2f66ff266da79555 (diff) | |
| download | nixlib-bfe73f95430a71daf1d2fdf1ae6832f2a4db0f35.tar nixlib-bfe73f95430a71daf1d2fdf1ae6832f2a4db0f35.tar.gz nixlib-bfe73f95430a71daf1d2fdf1ae6832f2a4db0f35.tar.bz2 nixlib-bfe73f95430a71daf1d2fdf1ae6832f2a4db0f35.tar.lz nixlib-bfe73f95430a71daf1d2fdf1ae6832f2a4db0f35.tar.xz nixlib-bfe73f95430a71daf1d2fdf1ae6832f2a4db0f35.tar.zst nixlib-bfe73f95430a71daf1d2fdf1ae6832f2a4db0f35.zip | |
nixos/grafana: loosen systemd syscall sandboxing
Allow @resources syscalls in the grafana.service unit. While Grafana itself does not need them, some plugins (incl. first party) crash if they fail to setrlimit. This was first seen with the official grafana Clickhouse datasource plugin. The @resources syscalls set is fairly harmess anyway.
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/services/monitoring/grafana.nix | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index d72aaf0464ed..dd99fa3ddccd 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -792,7 +792,7 @@ in { SystemCallArchitectures = "native"; # Upstream grafana is not setting SystemCallFilter for compatibility # reasons, see https://github.com/grafana/grafana/pull/40176 - SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + SystemCallFilter = [ "@system-service" "~@privileged" ]; UMask = "0027"; }; preStart = '' |