node_exporter can not access persistent volume mounts #1271

Closed
juris opened this issue Jan 11, 2021 · 2 comments
juris commented Jan 11, 2021

Image I'm using:
AMI ID: ami-0c1942e28f6bfa4bd
bottlerocket-aws-k8s-1.18-x86_64-v1.0.4-cef8dbd2

What I expected to happen:
node_exporter should be able to access /local/var/lib/kubelet to get mountpoint stats

What actually happened:
Can not scrape metrics with node_exporter (version 1.0.1) due to:

msg="Error on statfs() system call" rootfs=/host/root/var/lib/kubelet/pods/3d764d0f-7867-41d9-93e7-0306d01f82d4/volume-subpaths/graylog-data-01/graylog/0 err="permission denied"

Looks like, due to strict permissions (drwxr-x---) on /local/var/lib/kubelet and /local/var/lib/kubelet/pods, node_exporter cannot properly scrape such metrics as node_filesystem_avail_bytes.

Running node_exporter as root helps, though. But running containers as the root user is not the right thing to do, is it?

How to reproduce the problem:
Create workload with persistent volume, launch node_exporter to get available_bytes metric for this volume.

@jhaynes jhaynes added the status/needs-triage Pending triage or re-evaluation label Jan 11, 2021
@gregdek gregdek added priority/p0 type/bug Something isn't working and removed status/needs-triage Pending triage or re-evaluation labels Jan 14, 2021
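
The failure reported above comes down to path traversal: statfs() needs search (x) permission on every directory leading to the mount point, so a drwxr-x--- directory stops any UID that is neither its owner nor in its group. The following is an added example, not code from this thread or from node_exporter; the function names and the sample tree are hypothetical, and it assumes only classic mode bits apply (no POSIX ACLs, capabilities or SELinux denials).

```python
import os
import stat
import tempfile


def first_blocking_dir(rootfs, rel_path, uid, gids):
    """Return the first directory below rootfs that uid cannot search, else None.

    Assumption: only owner/group/other mode bits decide access.
    """
    if uid == 0:
        return None  # root bypasses directory search checks
    current = rootfs
    parts = [p for p in rel_path.split("/") if p]
    # Every ancestor of the target needs the x bit for the caller's class.
    for part in parts[:-1]:
        current = os.path.join(current, part)
        st = os.stat(current)
        if st.st_uid == uid:
            allowed = st.st_mode & stat.S_IXUSR
        elif st.st_gid in gids:
            allowed = st.st_mode & stat.S_IXGRP
        else:
            allowed = st.st_mode & stat.S_IXOTH
        if not allowed:
            return current
    return None


def build_sample_tree(kubelet_mode):
    """Constructed layout mirroring the reported path; returns the fake rootfs."""
    root = tempfile.mkdtemp()
    kubelet = os.path.join(root, "var/lib/kubelet")
    os.makedirs(os.path.join(kubelet, "pods/sample-pod/volume-subpaths/data"))
    for dirpath, _dirs, _files in os.walk(root):
        os.chmod(dirpath, 0o755)  # make the result independent of the umask
    os.chmod(kubelet, kubelet_mode)
    return root


if __name__ == "__main__":
    rel = "var/lib/kubelet/pods/sample-pod/volume-subpaths/data"
    root = build_sample_tree(0o750)  # drwxr-x--- as in the report
    owner = os.stat(root).st_uid
    # 65534 is a constructed stand-in for the exporter's non-root UID/GID
    print("non-root:", first_blocking_dir(root, rel, owner + 65534, {65534}))
    print("root:    ", first_blocking_dir(root, rel, 0, {0}))
```
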
@arnaldo2792
Contributor

Hi @juris, thanks for the issue!

As you mentioned, the /var/lib/kubelet directory is protected. It contains sensitive information such as kubelet credentials and certificates. If a workload needs access to that sensitive material, it’s appropriate to raise its access level to reflect that.

If you don’t need to get filesystem metrics about that directory, you could use the node_exporter’s collector.filesystem.ignored-mount-points option and pass /var/lib/kubelet. They already ignore some directories like /var/lib/docker by default.

containers:
  - name: node-exporter
    image: quay.io/prometheus/node-exporter:latest
    args:
      - --path.rootfs=/host-root
      - --log.level=debug
      - --collector.disable-defaults
      - --collector.filesystem
      - --collector.filesystem.ignored-mount-points=var/lib/kubelet


juris commented Jan 26, 2021

In fact, I do not need fs metrics for exactly this directory. I need to monitor PV usage, and all the persistent volumes are mounted under /var/lib/kubelet. So there are no other options until there is an EBS CSI release with this PR.

@juris juris closed this as completed Jan 26, 2021