authorDima <dgoldin+github@protonmail.ch>2019-10-16 11:43:34 +0200
committerDima <dgoldin+github@protonmail.ch>2019-10-18 02:03:02 +0200
commitb788467ec4612e6468dc060827927f3b1efa6cda (patch)
treebda45ff75fb6a52ffcb1e35bc20702d268964204
parent3a440874c75a667432e4cd0934db5e06297e3533 (diff)
prometheus-blackbox-exporter: fixing path issue
This fixes an issue with a recent addition of a config file
check in c28ded36ef50cb80796c6bd946754abfb47ffa28.

Previously it was possible to supply a path as a string
to `configFile`. Now it will fail checking the config file
during evaluation of the module due to sandboxing.

A toggle to disable the check, more informative log messages
and handling for various configFile values are added.
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix53
1 files changed, 43 insertions, 10 deletions
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix b/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix
index ca4366121e1..8a90afa9984 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix
@@ -3,16 +3,34 @@
 with lib;
 
 let
+  logPrefix = "services.prometheus.exporter.blackbox";
   cfg = config.services.prometheus.exporters.blackbox;
 
-  checkConfig = file: pkgs.runCommand "checked-blackbox-exporter.conf" {
-    preferLocalBuild = true;
-    buildInputs = [ pkgs.buildPackages.prometheus-blackbox-exporter ]; } ''
-    ln -s ${file} $out
-    blackbox_exporter --config.check --config.file $out
-  '';
-in
-{
+  # This ensures that we can deal with string paths, path types and
+  # store-path strings with context.
+  coerceConfigFile = file:
+    if (builtins.isPath file) || (lib.isStorePath file) then
+      file
+    else
+      (lib.warn ''
+        ${logPrefix}: configuration file "${file}" is being copied to the nix-store.
+        If you would like to avoid that, please set enableConfigCheck to false.
+      '' /. + file);
+  checkConfigLocation = file:
+    if lib.hasPrefix "/tmp/" file then
+      throw
+      "${logPrefix}: configuration file must not reside within /tmp - it won't be visible to the systemd service."
+    else
+      true;
+  checkConfig = file:
+    pkgs.runCommand "checked-blackbox-exporter.conf" {
+      preferLocalBuild = true;
+      buildInputs = [ pkgs.buildPackages.prometheus-blackbox-exporter ];
+    } ''
+      ln -s ${coerceConfigFile file} $out
+      blackbox_exporter --config.check --config.file $out
+    '';
+in {
   port = 9115;
   extraOpts = {
     configFile = mkOption {
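Review bot: `checkConfigLocation` returns the boolean `true` on its non-/tmp branch, yet the second hunk assigns its result to `adjustedConfigFile` whenever `enableConfigCheck = false` and interpolates that into `--config.file ${adjustedConfigFile}`, so disabling the check makes evaluation fail on a boolean-to-string coercion rather than use the path. The helper should pass the validated file through: replace `true;` with `file;` in the `else` branch. As written, the toggle the commit introduces cannot actually be used. Separately, `lib.hasPrefix "/tmp/" file` is applied to `file` as-is; for a path-typed value rather than a string the coercion inside `hasPrefix` presumably yields a store path, which would silently bypass the /tmp check — worth confirming, or apply the check to `toString file`.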
@@ -21,14 +39,29 @@ in
         Path to configuration file.
       '';
     };
+    enableConfigCheck = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether to run a correctness check for the configuration file. This depends
+        on the configuration file residing in the nix-store. Paths passed as string will
+        be copied to the store.
+      '';
+    };
   };
-  serviceOpts = {
+
+  serviceOpts = let
+    adjustedConfigFile = if cfg.enableConfigCheck then
+      checkConfig cfg.configFile
+    else
+      checkConfigLocation cfg.configFile;
+  in {
     serviceConfig = {
       AmbientCapabilities = [ "CAP_NET_RAW" ]; # for ping probes
       ExecStart = ''
         ${pkgs.prometheus-blackbox-exporter}/bin/blackbox_exporter \
           --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
-          --config.file ${checkConfig cfg.configFile} \
+          --config.file ${adjustedConfigFile} \
           ${concatStringsSep " \\\n  " cfg.extraFlags}
       '';
       ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
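Review bot: The `enableConfigCheck` description states that string paths are copied to the store but not what that implies for the contents: the Nix store is world-readable, so a configuration file carrying probe credentials would become readable by every local user once it is copied. I would extend the description to say so and point at the toggle: `Paths passed as string will be copied to the (world-readable) nix-store; disable this check if the configuration file contains secrets.` The same caveat belongs in the `lib.warn` message in the first hunk, which currently only mentions the copy.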