Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nixos/prometheus-smartctl-exporter: fix NVMe scanning #333961

Merged
merged 1 commit into from
Sep 19, 2024

Conversation

bjornfor
Copy link
Contributor

Description of changes

smartctl_exporter already runs with SupplementaryGroups "disk", which
gives full access to SATA drives, but NVMe devices are owned by
root:root, resulting in no access:

[...] msg="Smartctl open device: /dev/nvme0 failed: Permission denied"

This patch introduces a "smartctl-exporter-nvme-access" supplementary
group, and an udev rule with setfacl to give the exporter access to NVMe
drives, without changing the base root:root ownership.

Fixes #210041

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Aug 11, 2024
@bjornfor
Copy link
Contributor Author

This patch differs from #205165 in that it doesn't change the root:root base ownership of the NVMe device, instead relying on POSIX ACLs and a supplementary group.

@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Aug 11, 2024
@bjornfor bjornfor added the backport release-24.05 Backport PR automatically label Sep 9, 2024
@bjornfor bjornfor requested a review from mweinelt September 9, 2024 20:44
Copy link
Contributor

@eduarrrd eduarrrd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, works as intended.

Less specific group name would be nice though.

nixos/modules/services/monitoring/prometheus/exporters.nix Outdated Show resolved Hide resolved
smartctl_exporter already runs with SupplementaryGroups "disk", which
gives full access to SATA drives, but NVMe devices are owned by
root:root, resulting in no access:

  [...] msg="Smartctl open device: /dev/nvme0 failed: Permission denied"

This patch introduces a "smartctl-exporter-access" supplementary
group, and an udev rule with setfacl to give the exporter access to NVMe
drives, without changing the base root:root ownership.

Fixes NixOS#210041
@bjornfor bjornfor force-pushed the nixos-smartctl-exporter-nvme-fix branch from 4c8d714 to bf28605 Compare September 12, 2024 06:21
@bjornfor
Copy link
Contributor Author

Ping. Let's merge?

@bjornfor bjornfor merged commit 86a6ef5 into NixOS:master Sep 19, 2024
23 checks passed
@bjornfor bjornfor deleted the nixos-smartctl-exporter-nvme-fix branch September 19, 2024 15:28
Copy link
Contributor

Successfully created backport PR for release-24.05:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 backport release-24.05 Backport PR automatically
Projects
None yet
Development

Successfully merging this pull request may close these issues.

smartctl_exporter ignores nvme devices by default
2 participants