Dustin C. Hatch
1cdd12454f
The default SELinux policy for *collectd* does not allow it all the necessary access for the way we use it. Notably, it cannot bind to the HTTP port to export Prometheus metrics, and it is not allowed to use netlink to read interface statistics. The latter is not a huge deal, as it can fall back to the legacy procfs interface, but the former is a nonstarter. Eventually, I should write an SELinux module with the correct permissions (and submit the changes upstream), but for now, we'll just make the `collectd_t` domain permissive.
82 lines
1.7 KiB
YAML
82 lines
1.7 KiB
YAML
variant: fcos
|
|
version: 1.4.0
|
|
|
|
ignition:
|
|
config:
|
|
merge:
|
|
- local: packages.yaml
|
|
|
|
storage:
|
|
files:
|
|
- path: /etc/ignition/packages.d/collectd
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
collectd
|
|
collectd-chrony
|
|
collectd-disk
|
|
collectd-sensors
|
|
collectd-write_prometheus
|
|
- path: /etc/collectd.d/df.conf
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
LoadPlugin df
|
|
|
|
<Plugin df>
|
|
FSType overlay
|
|
IgnoreSelected true
|
|
</Plugin>
|
|
- path: /etc/collectd.d/plugins.conf
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
LoadPlugin chrony
|
|
LoadPlugin cpufreq
|
|
LoadPlugin disk
|
|
LoadPlugin entropy
|
|
LoadPlugin processes
|
|
LoadPlugin swap
|
|
LoadPlugin tcpconns
|
|
LoadPlugin thermal
|
|
LoadPlugin uptime
|
|
|
|
- path: /etc/collectd.d/prometheus.conf
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
LoadPlugin write_prometheus
|
|
|
|
<Plugin write_prometheus>
|
|
Port 9103
|
|
</Plugin>
|
|
|
|
- path: /etc/selinux/collectdlocal.cil
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
(typepermissive collectd_t)
|
|
|
|
- path: /etc/systemd/system/semodule-collectdlocal.service
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
[Unit]
|
|
ConditionPathExists=/etc/selinux/collectdlocal.cil
|
|
Before=collectd.service
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
ExecStart=/usr/sbin/semodule -i /etc/selinux/collectdlocal.cil
|
|
ExecStartPost=/bin/rm -f /etc/selinux/collectdlocal.cil
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
|
|
systemd:
|
|
units:
|
|
- name: collectd.service
|
|
enabled: true
|
|
- name: semodule-collectdlocal.service
|
|
enabled: true
|