Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

netdata service: fix permissions for apps.plugin #33331

Merged
merged 1 commit into from
Jan 19, 2018
Merged

netdata service: fix permissions for apps.plugin #33331

merged 1 commit into from
Jan 19, 2018
+76 −10

Conversation

cransom
Copy link
Contributor

@cransom cransom commented Jan 2, 2018

apps.plugin requires capabilities for full process monitoring. with
1.9.0, netdata allows multiple directories to search for plugins and the
setuid directory can be specified here.

the module is backwards compatible with older configs. a test is
included that verifies data gathering for the elevated privileges. one
additional attribute is added to make configuration more generic than
including configuration in string form.

Motivation for this change

Allow full process/io monitoring via the apps plugin without running the netdata process as root nor allow access to elevated privilege binary to other users.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

Sorry, something went wrong.

@GrahamcOfBorg GrahamcOfBorg added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Jan 2, 2018
Mic92
Mic92 reviewed Jan 2, 2018
View reviewed changes
nixos/tests/netdata.nix Outdated

$netdata->waitForUnit("netdata.service");
#check if netdata can read disk ops for root owned processes. if > 0, successful. verifies both netdata working and apps.plugin has elevated capabilities.
$netdata->waitUntilSucceeds("curl -s http://localhost:19999/api/v1/data\?chart=users.pwrites | jq -e '[.data[range(10)][.labels | indices(\"root\")[0]]] | add | . > 0'") ;
Copy link
Member

@Mic92 Mic92 Jan 2, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please split this string across multiple lines for readability:

my $cmd = <<'CMD';
curl -s http://localhost:19999/api/v1/data\?chart=users.pwrites | \
   jq -e '[.data[range(10)][.labels | indices("root")[0]]] | add | . > 0'
CMD
$netdata->waitUntilSucceeds($cmd);

Mic92
Mic92 reviewed Jan 2, 2018
View reviewed changes
nixos/modules/services/monitoring/netdata.nix Outdated
configFile = pkgs.writeText "netdata.conf" cfg.configText;
localConfig = {
global = {
"plugins directory" = "/run/wrappers/bin ${pkgs.netdata}/libexec/netdata/plugins.d";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could including wrappers directory lead to executable being misclassified as netdata plugins and executed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Plugins for netdata must end with .plugin so the likely hood of conflicting with other apps in wrappers would be quite low.

If that's not enough guarantee, the configuration can be called out specifically to only enable the bundled plugins but version bumps for new features in netdata would require config updates from either the user or maintainer here which would cause some churn.

I think that netdata requiring a .plugin extension is enough to keep accidents from happening.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what do you think about the following solution?

╰─ % git diff
diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix
index 5c78f5203e2..43edc7c5e08 100644
--- a/nixos/modules/services/monitoring/netdata.nix
+++ b/nixos/modules/services/monitoring/netdata.nix
@@ -4,9 +4,15 @@ with lib;
 let
   cfg = config.services.netdata;
+
+  wrappedPlugins = pkgs.runCommand "wrapped-plugins" {} ''
+    mkdir -p $out/libexec/netdata/plugins.d
+    ln -s /run/wrappers/bin/apps.plugin $out/libexec/netdata/plugins.d/apps.plugin
+  '';
+
   localConfig = {
     global = {
-      "plugins directory" =  "/run/wrappers/bin ${pkgs.netdata}/libexec/netdata/plugins.d";
+      "plugins directory" =  "${wrappedPlugins}/libexec/netdata/plugins.d ${pkgs.netdata}/libexec/netdata/plugins.d";
     };
   };
   mkConfig = generators.toINI {} (recursiveUpdate localConfig cfg.config);

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm ok with that. Are there no concerns about sym linking out of the store? I've been trying to avoid it even though the wrapper set up a few lines down will guarantee it's there.

netdata service: fix permissions for apps.plugin
f3cba4f 
apps.plugin requires capabilities for full process monitoring. with
1.9.0, netdata allows multiple directories to search for plugins and the
setuid directory can be specified here.

the module is backwards compatible with older configs. a test is
included that verifies data gathering for the elevated privileges. one
additional attribute is added to make configuration more generic than
including configuration in string form.
@cransom
Copy link
Contributor Author

cransom commented Jan 19, 2018

Is there anything else to address in this PR?

@Mic92
Copy link
Member

Mic92 commented Jan 19, 2018

@GrahamcOfBorg test netdata

GrahamcOfBorg
GrahamcOfBorg reviewed Jan 19, 2018
View reviewed changes
Copy link

@GrahamcOfBorg GrahamcOfBorg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Success for system: x86_64-linux

netdata: exit status 1
syncing
netdata: running command: sync
netdata: exit status 0
test script finished in 7.00s
cleaning up
killing netdata (pid 593)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/tmp/nix-build-vm-test-run-netdata.drv-0/vde1.ctl': Directory not empty
/nix/store/xgr2mqxzrpa8wb113ykgzp0fn1769kyf-vm-test-run-netdata

@Mic92 Mic92 merged commit dfa6a81 into NixOS:master Jan 19, 2018
@Mic92
Copy link
Member

Mic92 commented Jan 19, 2018

Thanks!

@cransom cransom deleted the netdata-module branch January 20, 2018 19:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mic92 Mic92

@GrahamcOfBorg GrahamcOfBorg

Assignees
No one assigned
Labels
10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@cransom @Mic92 @GrahamcOfBorg