prometheus-blackbox-exporter: coercing cfg to path #71243
Conversation
|
I'd like to add, that I'm a bit torn about this workaround, as it's not overly idiomatic and it might not be obvious to the user that the file that is actually being run against is a copy in the store. This could also lead to confusion when modifying the original out-of-store config file and restarting the service manually. Maybe there is some nifty way to get symlinks added to the sandbox that I'm not aware of yet. So maybe just throwing a meaningful error at the user is more straightforward overall. |
|
@d-goldin fIrst of all, thank you for reporting this issue 👍 I think that the main issue with silently adding the config to the nix store is when it's done in a scenario with basic auth credentials in the configuration, that should not happen without informing the user. Mentioning this in the option description and maybe even throwing a warning during eval would be enough for my taste. Regarding the service reload on config change, where the config file is not copied to the store: I would therefore propose to do two things:
I'm happy to hear any suggestions on these proposed changes :) |
WilliButz
added
the
9.needs: port to stable
|
@WilliButz: Agreed on the silently adding, this was the main reason why I was not a fan. Regarding config out of store and reloading - I dont think this necessarily needs to be solved, I just thought that it was a bit incosnsitent behaviour between the two ways passing the config there. I agree with the suggestions as improvement over the current state. It might be possibly more ideal to be able to define the whole config in nix itself, but I'm not sure if it's worth the effort and it would also still come with the usual issue of secrets management. I'll update this PR a bit later. |
|
I kept the commits separate for legibility. Will squash once reviewed. |
|
@GrahamcOfBorg test prometheus-exporters.blackbox |
This fixes an issue with a recent addition of a config file check in c28ded3. Previously it was possible to supply a path as a string to `configFile`. Now it will fail checking the config file during evaluation of the module due to sandboxing. A toggle to disable the check, more informative log messages and handling for various configFile values are added.
d-goldin
force-pushed
the
prometheus_blackbox_configfile
branch
from
48d0596
to
b788467
Compare
|
backported in 3ddf0b3 |
WilliButz
removed
the
9.needs: port to stable
Motivation for this change
This fixes an issue with a recent addition of a config file
check in c28ded3.
Previously it was possible to supply a path as a string
to
configFile. Now it will fail checking the config fileduring evaluation of the module due to sandboxing.
When used with a path type it's working as intended.
There is a caveat with store-path paths, which can't be coerced
by prepending "/. +", so this case is handled explicitly.
View this as one possible suggestion. Alternatively we could also
just throw a sensible warning to save users time who might stumble
into this when upgrading to 19.09 with a previously working config.
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)Notify maintainers
cc @WilliButz