diff options
| author | Izorkin <izorkin@elven.pw> | 2021-05-10 09:57:52 +0300 |
|---|---|---|
| committer | Izorkin <izorkin@elven.pw> | 2021-05-10 10:19:57 +0300 |
| commit | 58497175be8c3046186127064ec14fc62191282d (patch) | |
| tree | c3c74a4a6f6d3f8bf6eace7ed3daadb4ca349769 /nixos | |
| parent | 9622485d70a52f32a10972d0b913bfc99e6fe440 (diff) | |
| download | nixpkgs-58497175be8c3046186127064ec14fc62191282d.tar nixpkgs-58497175be8c3046186127064ec14fc62191282d.tar.gz nixpkgs-58497175be8c3046186127064ec14fc62191282d.tar.bz2 nixpkgs-58497175be8c3046186127064ec14fc62191282d.tar.lz nixpkgs-58497175be8c3046186127064ec14fc62191282d.tar.xz nixpkgs-58497175be8c3046186127064ec14fc62191282d.tar.zst nixpkgs-58497175be8c3046186127064ec14fc62191282d.zip | |
nixos/netdata: cgroup-network: don't use AmbientCapabilities
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/services/monitoring/netdata.nix | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix index c2ee1c0df7f..ae3bfcbbb97 100644 --- a/nixos/modules/services/monitoring/netdata.nix +++ b/nixos/modules/services/monitoring/netdata.nix @@ -8,6 +8,7 @@ let wrappedPlugins = pkgs.runCommand "wrapped-plugins" { preferLocalBuild = true; } '' mkdir -p $out/libexec/netdata/plugins.d ln -s /run/wrappers/bin/apps.plugin $out/libexec/netdata/plugins.d/apps.plugin + ln -s /run/wrappers/bin/cgroup-network $out/libexec/netdata/plugins.d/cgroup-network ln -s /run/wrappers/bin/freeipmi.plugin $out/libexec/netdata/plugins.d/freeipmi.plugin ln -s /run/wrappers/bin/perf.plugin $out/libexec/netdata/plugins.d/perf.plugin ln -s /run/wrappers/bin/slabinfo.plugin $out/libexec/netdata/plugins.d/slabinfo.plugin @@ -26,6 +27,9 @@ let "web files owner" = "root"; "web files group" = "root"; }; + "plugin:cgroups" = { + "script to get cgroup network interfaces" = "${wrappedPlugins}/libexec/netdata/plugins.d/cgroup-network"; + }; }; mkConfig = generators.toINI {} (recursiveUpdate localConfig cfg.config); configFile = pkgs.writeText "netdata.conf" (if cfg.configText != null then cfg.configText else mkConfig); @@ -183,9 +187,6 @@ in { ConfigurationDirectory = "netdata"; ConfigurationDirectoryMode = "0755"; # Capabilities - AmbientCapabilities = [ - "CAP_SETUID" # is required for cgroups and cgroups-network plugins - ]; CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" # is required for freeipmi and slabinfo plugins "CAP_DAC_READ_SEARCH" # is required for apps plugin @@ -217,6 +218,14 @@ in { permissions = "u+rx,g+rx,o-rwx"; }; + security.wrappers."cgroup-network" = { + source = "${cfg.package}/libexec/netdata/plugins.d/cgroup-network.org"; + capabilities = "cap_setuid+ep"; + owner = cfg.user; + group = cfg.group; + permissions = "u+rx,g+rx,o-rwx"; + }; + security.wrappers."freeipmi.plugin" = { source = "${cfg.package}/libexec/netdata/plugins.d/freeipmi.plugin.org"; capabilities = "cap_dac_override,cap_fowner+ep"; |