Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

prometheus-blackbox-exporter: coercing cfg to path #71243

Merged
merged 1 commit into from
Oct 18, 2019
Merged

prometheus-blackbox-exporter: coercing cfg to path #71243

merged 1 commit into from
Oct 18, 2019
+43 −10

Conversation

d-goldin
Copy link
Contributor

Motivation for this change

This fixes an issue with a recent addition of a config file
check in c28ded3.

Previously it was possible to supply a path as a string
to configFile. Now it will fail checking the config file
during evaluation of the module due to sandboxing.

When used with a path type it's working as intended.

There is a caveat with store-path paths, which can't be coerced
by prepending "/. +", so this case is handled explicitly.

View this as one possible suggestion. Alternatively we could also
just throw a sensible warning to save users time who might stumble
into this when upgrading to 19.09 with a previously working config.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @WilliButz

Sorry, something went wrong.

@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Oct 16, 2019
@d-goldin
Copy link
Contributor Author

d-goldin commented Oct 16, 2019
edited
Loading

I'd like to add, that I'm a bit torn about this workaround, as it's not overly idiomatic and it might not be obvious to the user that the file that is actually being run against is a copy in the store.

This could also lead to confusion when modifying the original out-of-store config file and restarting the service manually. Maybe there is some nifty way to get symlinks added to the sandbox that I'm not aware of yet.

So maybe just throwing a meaningful error at the user is more straightforward overall.

@WilliButz
Copy link
Member

@d-goldin fIrst of all, thank you for reporting this issue 👍

I think that the main issue with silently adding the config to the nix store is when it's done in a scenario with basic auth credentials in the configuration, that should not happen without informing the user. Mentioning this in the option description and maybe even throwing a warning during eval would be enough for my taste.

Regarding the service reload on config change, where the config file is not copied to the store:
As I am not aware of any mechanism that solves this for us (restartTriggers would not pick up on changes here I guess) we might only be able to also mention that manual service restarts on config change are needed when using a config file outside the nix store. I would also prefer an automated solution here if there is any :)

I would therefore propose to do two things:

  • throw a warning when the config file is copied to the nix store and mentioning this behaviour in the option description for configFile with respect to any potential secrets and the need for rebuilding the system after config changes
  • add a switch to allow users to keep the specified configFile outside the nix store by disabling the check (e.g. enableConfigCheck with default true), mentioning the use case and the need for a manual service reload after config changes in its description

I'm happy to hear any suggestions on these proposed changes :)

@WilliButz WilliButz added the 9.needs: port to stable A PR needs a backport to the stable release. label Oct 16, 2019
@d-goldin
Copy link
Contributor Author

@WilliButz: Agreed on the silently adding, this was the main reason why I was not a fan.

Regarding config out of store and reloading - I dont think this necessarily needs to be solved, I just thought that it was a bit incosnsitent behaviour between the two ways passing the config there.

I agree with the suggestions as improvement over the current state. It might be possibly more ideal to be able to define the whole config in nix itself, but I'm not sure if it's worth the effort and it would also still come with the usual issue of secrets management.

I'll update this PR a bit later.

@d-goldin
Copy link
Contributor Author

I kept the commits separate for legibility. Will squash once reviewed.

@WilliButz
Copy link
Member

@GrahamcOfBorg test prometheus-exporters.blackbox

WilliButz
WilliButz approved these changes Oct 17, 2019
View reviewed changes
Copy link
Member

@WilliButz WilliButz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

failed on aarch64 because of the outdated nix version.
LGTM 🎉

@d-goldin
prometheus-blackbox-exporter: fixing path issue
b788467 
This fixes an issue with a recent addition of a config file
check in c28ded3.

Previously it was possible to supply a path as a string
to `configFile`. Now it will fail checking the config file
during evaluation of the module due to sandboxing.

A toggle to disable the check, more informative log messages
and handling for various configFile values are added.
@d-goldin d-goldin force-pushed the prometheus_blackbox_configfile branch from 48d0596 to b788467 Compare October 18, 2019 00:03
@WilliButz WilliButz merged commit 917b127 into NixOS:master Oct 18, 2019
@WilliButz
Copy link
Member

backported in 3ddf0b3

@WilliButz WilliButz removed the 9.needs: port to stable A PR needs a backport to the stable release. label Oct 18, 2019
@d-goldin d-goldin deleted the prometheus_blackbox_configfile branch October 18, 2019 07:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@WilliButz WilliButz

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@d-goldin @WilliButz