Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

heartbeat service: init #27019

Merged
merged 1 commit into from
Jul 2, 2017
Merged

heartbeat service: init #27019

merged 1 commit into from
Jul 2, 2017
+74 −1

Conversation

fadenb
Copy link
Contributor

@fadenb fadenb commented Jul 1, 2017

Motivation for this change

This is basically a copy of the existing journalbeat service by @mbrgm allowing quick and easy setup of elastic heartbeat.

Things done
  • Tested using sandboxing
    (nix.useSandbox on NixOS,
    or option build-use-sandbox in nix.conf
    on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • Linux
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

Sorry, something went wrong.

@mention-bot
Copy link

@fadenb, thanks for your PR! By analyzing the history of the files in this pull request, we identified @peti, @edolstra and @bjornfor to be potential reviewers.

@FRidh
Copy link
Member

FRidh commented Jul 1, 2017

@fadenb Are you going to be the maintainer of this service?

@fadenb
Copy link
Contributor Author

fadenb commented Jul 1, 2017

As I plan to use it extensively: Yes :)

joachifm
joachifm reviewed Jul 1, 2017
View reviewed changes
nixos/modules/services/logging/heartbeat.nix Outdated
mkdir -p ${cfg.stateDir}/data
mkdir -p ${cfg.stateDir}/logs
'';
serviceConfig = {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does the program implement its own privsep or does it end up running with full privileges?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@joachifm heartbeat documentation ( https://www.elastic.co/guide/en/beats/heartbeat/current/configuration-heartbeat-options.html#monitor-type ) states that root is required for icmp type monitors but it seems to be working fine with a "cap_net_raw+p" wrapper. I will change the PR accordingly

0xABAB
0xABAB reviewed Jul 1, 2017
View reviewed changes
nixos/modules/services/logging/heartbeat.nix Outdated
wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -p ${cfg.stateDir}/data
mkdir -p ${cfg.stateDir}/logs
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replace with this exact code: mkdir -p "${cfg.stateDir}"/{data,logs}

0xABAB
0xABAB reviewed Jul 1, 2017
View reviewed changes
nixos/modules/services/logging/heartbeat.nix Outdated
mkdir -p ${cfg.stateDir}/logs
'';
serviceConfig = {
ExecStart = "${pkgs.heartbeat}/bin/heartbeat -c ${heartbeatYml} -path.data ${cfg.stateDir}/data -path.logs ${cfg.stateDir}/logs";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Quote your variables.

0xABAB
0xABAB suggested changes Jul 1, 2017
View reviewed changes
Copy link
Contributor

@0xABAB 0xABAB left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Address the security issues, if any, since it should probably run as user nobody and additionally fix everything I mentioned.

@fadenb fadenb force-pushed the heartbeat_service branch from f3cdbbb to c159646 Compare July 1, 2017 20:07
0xABAB
0xABAB reviewed Jul 1, 2017
View reviewed changes
nixos/modules/services/logging/heartbeat.nix Outdated
wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -p "${cfg.stateDir}"/{data,logs}
chown nobody "${cfg.stateDir}"/{data,logs}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also set the group explicitly.

@fadenb fadenb force-pushed the heartbeat_service branch from c159646 to 97cf66a Compare July 2, 2017 08:43
@fadenb fadenb force-pushed the heartbeat_service branch from 97cf66a to 97e8422 Compare July 2, 2017 08:46
@fadenb
Copy link
Contributor Author

fadenb commented Jul 2, 2017

@volth: I did not know about AmbientCapabilities before. Thanks!
@0xABAB: Your input is appreciated but I would ask you to try to formulate it less as commands/more friendly manner.

@0xABAB
Copy link
Contributor

0xABAB commented Jul 2, 2017

@fadenb Thanks for the feedback and your changes

@joachifm joachifm merged commit c0086b8 into NixOS:master Jul 2, 2017
@joachifm
Copy link
Contributor

joachifm commented Jul 2, 2017

Thank you

@fadenb fadenb deleted the heartbeat_service branch July 2, 2017 10:55
@dfithian dfithian mentioned this pull request Jul 18, 2022
Merged
13 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joachifm joachifm

@0xABAB 0xABAB

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@fadenb @mention-bot @FRidh @0xABAB @joachifm