From b888c82085bbecde4e75c0de57a125be0a49964d Mon Sep 17 00:00:00 2001 From: Molly Miller Date: Mon, 9 Dec 2024 18:23:26 +0100 Subject: [PATCH 1/4] pkgs: add package for grafana-alloy to overlay Vendored from upstream commit: a03d51ad7ca1cea23c5f3f768e9747136620bb40 PL-129625 --- pkgs/grafana-alloy.nix | 132 +++++++++++++++++++++++++++++++++++++++++ pkgs/overlay.nix | 2 + 2 files changed, 134 insertions(+) create mode 100644 pkgs/grafana-alloy.nix
diff --git a/pkgs/grafana-alloy.nix b/pkgs/grafana-alloy.nix
new file mode 100644
index 000000000..9c8da6448
--- /dev/null
+++ b/pkgs/grafana-alloy.nix
@@ -0,0 +1,132 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchYarnDeps
+, buildGoModule
+, systemd
+, yarn
+, fixup-yarn-lock
+, nodejs
+, grafana-alloy
+, nixosTests
+, nix-update-script
+, installShellFiles
+, testers
+}:
+
+buildGoModule rec {
+ pname = "grafana-alloy";
+ version = "1.4.3";
+
+ src = fetchFromGitHub {
+ rev = "v${version}";
+ owner = "grafana";
+ repo = "alloy";
+ hash = "sha256-ISSmTdX/LgbreoGJry33xdOO9J98nh8SZBJwEFsFyvY=";
+ };
+
+ proxyVendor = true;
+ vendorHash = "sha256-O7x71Ghd8zI2Ns8Jj/Z5FWXKjyeHaPD8gyNmpwpIems=";
+
+ nativeBuildInputs = [ fixup-yarn-lock yarn nodejs installShellFiles ];
+
+ ldflags =
+ let
+ prefix = "github.com/grafana/alloy/internal/build";
+ in
+ [
+ "-s"
+ "-w"
+ # https://github.com/grafana/alloy/blob/3201389252d2c011bee15ace0c9f4cdbcb978f9f/Makefile#L110
+ "-X ${prefix}.Branch=v${version}"
+ "-X ${prefix}.Version=${version}"
+ "-X ${prefix}.Revision=v${version}"
+ "-X ${prefix}.BuildUser=nix"
+ "-X ${prefix}.BuildDate=1970-01-01T00:00:00Z"
+ ];
+
+ tags = [
+ "netgo"
+ "builtinassets"
+ "promtail_journal_enabled"
+ ];
+
+ subPackages = [
+ "."
+ ];
+
+ # Skip building the frontend in the goModules FOD
+ overrideModAttrs = (_: {
+ preBuild = null;
+ });
+
+ yarnOfflineCache = fetchYarnDeps {
+ yarnLock = "${src}/internal/web/ui/yarn.lock";
+ hash = "sha256-Q4IrOfCUlXM/5577Wk8UCIs76+XbuoHz7sIEJJTMKc4=";
+ };
+
+ preBuild = ''
+ pushd internal/web/ui
+
+ # Yarn wants a real home directory to write cache, config, etc to
+ export HOME=$NIX_BUILD_TOP/fake_home
+
+ fixup-yarn-lock yarn.lock
+ yarn config --offline set yarn-offline-mirror ${yarnOfflineCache}
+ yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
+
+ patchShebangs node_modules/
+
+ yarn --offline build
+
+ popd
+ '';
+
+ # uses go-systemd, which uses libsystemd headers
+ # https://github.com/coreos/go-systemd/issues/351
+ NIX_CFLAGS_COMPILE = lib.optionals stdenv.hostPlatform.isLinux [ "-I${lib.getDev systemd}/include" ];
+
+ checkFlags = [
+ "-tags nonetwork" # disable network tests
+ "-tags nodocker" # disable docker tests
+ ];
+
+ # go-systemd uses libsystemd under the hood, which does dlopen(libsystemd) at
+ # runtime.
+ # Add to RUNPATH so it can be found.
+ postFixup = lib.optionalString stdenv.hostPlatform.isLinux ''
+ patchelf \
+ --set-rpath "${lib.makeLibraryPath [ (lib.getLib systemd) ]}:$(patchelf --print-rpath $out/bin/alloy)" \
+ $out/bin/alloy
+ '';
+
+ postInstall = ''
+ installShellCompletion --cmd alloy \
+ --bash <($out/bin/alloy completion bash) \
+ --fish <($out/bin/alloy completion fish) \
+ --zsh <($out/bin/alloy completion zsh)
+ '';
+
+ passthru = {
+ tests = {
+ inherit (nixosTests) alloy;
+ version = testers.testVersion {
+ version = "v${version}";
+ package = grafana-alloy;
+ };
+ };
+ updateScript = nix-update-script { };
+ # alias for nix-update to be able to find and update this attribute
+ offlineCache = yarnOfflineCache;
+ };
+
+ meta = with lib; {
+ description = "Open source OpenTelemetry Collector distribution with built-in Prometheus pipelines and support for metrics, logs, traces, and profiles";
+ mainProgram = "alloy";
+ license = licenses.asl20;
+ homepage = "https://grafana.com/oss/alloy";
+ changelog = "https://github.com/grafana/alloy/blob/${src.rev}/CHANGELOG.md";
+ maintainers = with maintainers; [ azahi flokli emilylange hbjydev ];
+ platforms = lib.platforms.unix;
+ };
+}
diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix
index 273a923ce..206b2a33a 100644
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -91,6 +91,8 @@ builtins.mapAttrs (_: patchPhps phpLogPermissionPatch) { meta = builtins.removeAttrs old.meta [ "knownVulnerabilites" ]; }); + grafana-alloy = super.callPackage ./grafana-alloy.nix { }; + innotop = super.callPackage ./percona/innotop.nix { }; libmodsecurity = super.callPackage ./libmodsecurity { };
From 0ce0ee4a823665c0f531e4134021255acd392f37 Mon Sep 17 00:00:00 2001
From: Molly Miller Date: Mon, 9 Dec 2024 18:24:18 +0100 Subject: [PATCH 2/4] nixos: add service module for alloy Vendored from upstream commit: a03d51ad7ca1cea23c5f3f768e9747136620bb40 PL-129625 --- nixos/upstream_services/alloy.nix | 80 +++++++++++++++++++++++++++++ nixos/upstream_services/default.nix | 2 + 2 files changed, 82 insertions(+) create mode 100644 nixos/upstream_services/alloy.nix
diff --git a/nixos/upstream_services/alloy.nix b/nixos/upstream_services/alloy.nix
new file mode 100644
index 000000000..abe8fcd7e
--- /dev/null
+++ b/nixos/upstream_services/alloy.nix
@@ -0,0 +1,80 @@
+{ lib, pkgs, config, ... }:
+with lib;
+let
+ cfg = config.services.alloy;
+in
+{
+ meta = {
+ maintainers = with maintainers; [ flokli hbjydev ];
+ };
+
+ options.services.alloy = {
+ enable = mkEnableOption "Grafana Alloy";
+
+ package = mkPackageOption pkgs "grafana-alloy" { };
+
+ configPath = mkOption {
+ type = lib.types.path;
+ default = "/etc/alloy";
+ description = ''
+ Alloy configuration file/directory path.
+
+ We default to `/etc/alloy` here, and expect the user to configure a
+ configuration file via `environment.etc."alloy/config.alloy"`.
+
+ This allows config reload, contrary to specifying a store path.
+ A `reloadTrigger` for `config.alloy` is configured.
+
+ Other `*.alloy` files in the same directory (ignoring subdirs) are also
+ honored, but it's necessary to manually extend
+ `systemd.services.alloy.reloadTriggers` to enable config reload
+ during nixos-rebuild switch.
+
+ This can also point to another directory containing `*.alloy` files, or
+ a single Alloy file in the Nix store (at the cost of reload).
+
+ Component names must be unique across all Alloy configuration files, and
+ configuration blocks must not be repeated.
+
+ Alloy will continue to run if subsequent reloads of the configuration
+ file fail, potentially marking components as unhealthy depending on
+ the nature of the failure. When this happens, Alloy will continue
+ functioning in the last valid state.
+ '';
+ };
+
+ extraFlags = mkOption {
+ type = with lib.types; listOf str;
+ default = [ ];
+ example = [ "--server.http.listen-addr=127.0.0.1:12346" "--disable-reporting" ];
+ description = ''
+ Extra command-line flags passed to {command}`alloy run`.
+
+ See
+ '';
+ };
+ };
+
+
+ config = mkIf cfg.enable {
+ systemd.services.alloy = {
+ wantedBy = [ "multi-user.target" ];
+ reloadTriggers = [ config.environment.etc."alloy/config.alloy".source or null ];
+ serviceConfig = {
+ Restart = "always";
+ DynamicUser = true;
+ RestartSec = 2;
+ SupplementaryGroups = [
+ # allow to read the systemd journal for loki log forwarding
+ "systemd-journal"
+ ];
+ ExecStart = "${lib.getExe cfg.package} run ${cfg.configPath} ${escapeShellArgs cfg.extraFlags}";
+ ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
+ ConfigurationDirectory = "alloy";
+ StateDirectory = "alloy";
+ WorkingDirectory = "%S/alloy";
+ Type = "simple";
+ };
+ };
+ };
+}
diff --git a/nixos/upstream_services/default.nix b/nixos/upstream_services/default.nix
index 45f2f00d0..a30c0fb3b 100755
--- a/nixos/upstream_services/default.nix
+++ b/nixos/upstream_services/default.nix
@@ -12,5 +12,7 @@ in { imports = with lib; [ # from nixos-23.05 ./opensearch + # from nixos-24.11 + ./alloy.nix ]; }
From e266518c77c7657124bc66539cdde91b706911a8 Mon Sep 17 00:00:00 2001 From: Molly Miller Date: Mon, 9 Dec 2024 18:25:05 +0100 Subject: [PATCH 3/4] nixos: replace promtail with alloy Promtail is considered feature complete, and Grafana Agent has reached end-of-life status, with Alloy as its designated successor. PL-129625 --- nixos/platform/alloy.nix | 56 +++++++++++++++++++++++++++++++++++++ nixos/platform/default.nix | 2 +- nixos/platform/promtail.nix | 51 --------------------------------- 3 files changed, 57 insertions(+), 52 deletions(-) create mode 100644 nixos/platform/alloy.nix delete mode 100644 nixos/platform/promtail.nix
diff --git a/nixos/platform/alloy.nix b/nixos/platform/alloy.nix
new file mode 100644
index 000000000..bc043ad6e
--- /dev/null
+++ b/nixos/platform/alloy.nix
@@ -0,0 +1,56 @@
+{ lib, config, ... }:
+
+let
+ enc = config.flyingcircus.enc;
+ fclib = config.fclib;
+
+ # XXX support multiple loki servers. unlike with promtail, it may be
+ # feasible to send logs to multiple loki instances with a single
+ # collector process.
+ lokiServer = fclib.findOneService "loki-collector";
+in
+{
+ config = lib.mkIf (!builtins.isNull lokiServer) {
+ services.alloy = {
+ enable = true;
+ };
+
+ # alloy configured though /etc/alloy/config.alloy. see
+ # services.alloy documentation for information about
+ # reload/restart handling.
+ environment.etc."alloy/config.alloy".text = ''
+ loki.write "fcio_rg_loki" {
+ endpoint {
+ url = "http://${lokiServer.address}:3100/loki/api/v1/push"
+ }
+
+ // there are server side limits to how many labels loki
+ // will accept on log lines. consider them a scarce
+ // resource and use them sparingly.
+ external_labels = {
+ resource_group = "${enc.parameters.resource_group}",
+ location = "${enc.parameters.location}",
+ hostname = "${config.networking.hostName}",
+ }
+ }
+
+ loki.relabel "fcio_journal" {
+ forward_to = []
+ rule {
+ source_labels = ["__journal__systemd_unit"]
+ target_label = "systemd_unit"
+ }
+ rule {
+ source_labels = ["__journal_syslog_identifier"]
+ target_label = "syslog_identifier"
+ }
+ }
+
+ loki.source.journal "fcio_journal" {
+ forward_to = [loki.write.fcio_rg_loki.receiver]
+ relabel_rules = loki.relabel.fcio_journal.rules
+ format_as_json = true // match promtail config
+ }
+ '';
+ };
+}
diff --git a/nixos/platform/default.nix b/nixos/platform/default.nix
index 59fedfd7f..b8505aa66 100644
--- a/nixos/platform/default.nix
+++ b/nixos/platform/default.nix
@@ -21,6 +21,7 @@ in { imports = [ ./acme.nix ./agent.nix + ./alloy.nix ./audit.nix ./auditbeat.nix ./beats.nix
@@ -34,7 +35,6 @@ in { ./monitoring.nix ./network.nix ./packages.nix - ./promtail.nix ./shell.nix ./static.nix ./syslog.nix
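Review bot: The promtail module removed by this commit set `server.disable = true` ("don't expose the http and grpc api"), but `services.alloy = { enable = true; };` in nixos/platform/alloy.nix passes no flags, so that decision is not carried over. To my knowledge Alloy always starts its HTTP server (bound to loopback unless `--server.http.listen-addr` says otherwise) and sends anonymous usage reports by default, so each host gains a local listener and an outbound call to the vendor. I would add `extraFlags = [ "--disable-reporting" ];` and a comment such as `# unlike promtail (server.disable), alloy keeps its HTTP listener; leave it on the loopback default`. The `external_labels` values are also spliced into Alloy string literals with bare `${...}`, where the promtail attrset was serialised for us; `resource_group = ${builtins.toJSON enc.parameters.resource_group},` would escape quotes and backslashes, assuming Alloy accepts JSON-style escapes.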
diff --git a/nixos/platform/promtail.nix b/nixos/platform/promtail.nix
deleted file mode 100644
index 1ea8e30f0..000000000
--- a/nixos/platform/promtail.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{ lib, config, ... }:
-
-let
- enc = config.flyingcircus.enc;
- fclib = config.fclib;
-
- # XXX support multiple loki servers. the upstream docs note: "It is
- # generally recommended to run multiple Promtail clients in parallel
- # if you want to send to multiple remote Loki instances."
- lokiServer = fclib.findOneService "loki-collector";
-in
-{
- config = lib.mkIf (!builtins.isNull lokiServer) {
- services.promtail = {
- enable = true;
- configuration = {
- # don't expose the http and grpc api
- server.disable = true;
-
- clients = [{
- url = "http://${lokiServer.address}:3100/loki/api/v1/push";
- }];
-
- scrape_configs = [{
- job_name = "systemd-journal";
- journal = {
- json = true;
- # there are server side limits to how many labels loki
- # will accept on log lines. consider them a scarce
- # resource and use them sparingly.
- labels = {
- resource_group = enc.parameters.resource_group;
- location = enc.parameters.location;
- hostname = config.networking.hostName;
- };
- };
- relabel_configs = [
- {
- source_labels = [ "__journal__systemd_unit" ];
- target_label = "systemd_unit";
- }
- {
- source_labels = [ "__journal_syslog_identifier" ];
- target_label = "syslog_identifier";
- }
- ];
- }];
- };
- };
- };
-}
From eb15bb6e3bca25c42b7b14f25f42ecb360c09f06 Mon Sep 17 00:00:00 2001 From: Molly Miller Date: Tue, 10 Dec 2024 10:08:54 +0100 Subject: [PATCH 4/4] changelog: update --- ..._PL-129625-replace-promtail-alloy_scriv.md | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 changelog.d/20241210_100556_PL-129625-replace-promtail-alloy_scriv.md
diff --git a/changelog.d/20241210_100556_PL-129625-replace-promtail-alloy_scriv.md b/changelog.d/20241210_100556_PL-129625-replace-promtail-alloy_scriv.md
new file mode 100644
index 000000000..0b061ba62
--- /dev/null +++ b/changelog.d/20241210_100556_PL-129625-replace-promtail-alloy_scriv.md @@ -0,0 +1,23 @@ + + +### Impact + + + +### NixOS XX.XX platform + + +- platform: replace promtail with Grafana Alloy as the log shipping + client in resource groups where a Loki server is + available. (PL-129625)