Replace promtail with Grafana Alloy

changelog.d/20241210_100556_PL-129625-replace-promtail-alloy_scriv.md

@@ -0,0 +1,23 @@
+<!--
+
+A new changelog entry.
+
+Delete placeholder items that do not apply. Empty sections will be removed
+automatically during release.
+
+Leave the XX.XX as is: this is a placeholder and will be automatically filled
+correctly during the release and helps when backporting over multiple platform
+branches.
+
+-->
+
+### Impact
+
+
+
+### NixOS XX.XX platform
+
+
+- platform: replace promtail with Grafana Alloy as the log shipping
+  client in resource groups where a Loki server is
+  available. (PL-129625)

nixos/platform/alloy.nix

@@ -0,0 +1,56 @@
+{ lib, config, ... }:
+
+let
+  enc = config.flyingcircus.enc;
+  fclib = config.fclib;
+
+  # XXX support multiple loki servers. unlike with promtail, it may be
+  # feasible to send logs to multiple loki instances with a single
+  # collector process.
+  lokiServer = fclib.findOneService "loki-collector";
+in
+{
+  config = lib.mkIf (!builtins.isNull lokiServer) {
+    services.alloy = {
+      enable = true;
+    };
+
+    # alloy configured though /etc/alloy/config.alloy. see
+    # services.alloy documentation for information about
+    # reload/restart handling.
+    environment.etc."alloy/config.alloy".text = ''
+      loki.write "fcio_rg_loki" {
+        endpoint {
+          url = "http://${lokiServer.address}:3100/loki/api/v1/push"
+        }
+
+        // there are server side limits to how many labels loki
+        // will accept on log lines. consider them a scarce
+        // resource and use them sparingly.
+        external_labels = {
+          resource_group = "${enc.parameters.resource_group}",
+          location = "${enc.parameters.location}",
+          hostname = "${config.networking.hostName}",
+        }
+      }
+
+      loki.relabel "fcio_journal" {
+        forward_to = []
+        rule {
+          source_labels = ["__journal__systemd_unit"]
+          target_label = "systemd_unit"
+        }
+        rule {
+          source_labels = ["__journal_syslog_identifier"]
+          target_label = "syslog_identifier"
+        }
+      }
+
+      loki.source.journal "fcio_journal" {
+        forward_to = [loki.write.fcio_rg_loki.receiver]
+        relabel_rules = loki.relabel.fcio_journal.rules
+        format_as_json = true  // match promtail config
+      }
+    '';
+  };
+}

nixos/platform/default.nix

@@ -21,6 +21,7 @@ in {
   imports = [
     ./acme.nix
     ./agent.nix
+    ./alloy.nix
     ./audit.nix
     ./auditbeat.nix
     ./beats.nix
@@ -34,7 +35,6 @@ in {
     ./monitoring.nix
     ./network.nix
     ./packages.nix
-    ./promtail.nix
     ./shell.nix
     ./static.nix
     ./syslog.nix

nixos/upstream_services/alloy.nix

@@ -0,0 +1,80 @@
+{ lib, pkgs, config, ... }:
+with lib;
+let
+  cfg = config.services.alloy;
+in
+{
+  meta = {
+    maintainers = with maintainers; [ flokli hbjydev ];
+  };
+
+  options.services.alloy = {
+    enable = mkEnableOption "Grafana Alloy";
+
+    package = mkPackageOption pkgs "grafana-alloy" { };
+
+    configPath = mkOption {
+      type = lib.types.path;
+      default = "/etc/alloy";
+      description = ''
+        Alloy configuration file/directory path.
+
+        We default to `/etc/alloy` here, and expect the user to configure a
+        configuration file via `environment.etc."alloy/config.alloy"`.
+
+        This allows config reload, contrary to specifying a store path.
+        A `reloadTrigger` for `config.alloy` is configured.
+
+        Other `*.alloy` files in the same directory (ignoring subdirs) are also
+        honored, but it's necessary to manually extend
+        `systemd.services.alloy.reloadTriggers` to enable config reload
+        during nixos-rebuild switch.
+
+        This can also point to another directory containing `*.alloy` files, or
+        a single Alloy file in the Nix store (at the cost of reload).
+
+        Component names must be unique across all Alloy configuration files, and
+        configuration blocks must not be repeated.
+
+        Alloy will continue to run if subsequent reloads of the configuration
+        file fail, potentially marking components as unhealthy depending on
+        the nature of the failure. When this happens, Alloy will continue
+        functioning in the last valid state.
+      '';
+    };
+
+    extraFlags = mkOption {
+      type = with lib.types; listOf str;
+      default = [ ];
+      example = [ "--server.http.listen-addr=127.0.0.1:12346" "--disable-reporting" ];
+      description = ''
+        Extra command-line flags passed to {command}`alloy run`.
+
+        See <https://grafana.com/docs/alloy/latest/reference/cli/run/>
+      '';
+    };
+  };
+
+
+  config = mkIf cfg.enable {
+    systemd.services.alloy = {
+      wantedBy = [ "multi-user.target" ];
+      reloadTriggers = [ config.environment.etc."alloy/config.alloy".source or null ];
+      serviceConfig = {
+        Restart = "always";
+        DynamicUser = true;
+        RestartSec = 2;
+        SupplementaryGroups = [
+          # allow to read the systemd journal for loki log forwarding
+          "systemd-journal"
+        ];
+        ExecStart = "${lib.getExe cfg.package} run ${cfg.configPath} ${escapeShellArgs cfg.extraFlags}";
+        ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
+        ConfigurationDirectory = "alloy";
+        StateDirectory = "alloy";
+        WorkingDirectory = "%S/alloy";
+        Type = "simple";
+      };
+    };
+  };
+}

nixos/upstream_services/default.nix

@@ -12,5 +12,7 @@ in {
   imports = with lib; [
     # from nixos-23.05
     ./opensearch
+    # from nixos-24.11
+    ./alloy.nix
   ];
 }

pkgs/grafana-alloy.nix

@@ -0,0 +1,132 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchYarnDeps
+, buildGoModule
+, systemd
+, yarn
+, fixup-yarn-lock
+, nodejs
+, grafana-alloy
+, nixosTests
+, nix-update-script
+, installShellFiles
+, testers
+}:
+
+buildGoModule rec {
+  pname = "grafana-alloy";
+  version = "1.4.3";
+
+  src = fetchFromGitHub {
+    rev = "v${version}";
+    owner = "grafana";
+    repo = "alloy";
+    hash = "sha256-ISSmTdX/LgbreoGJry33xdOO9J98nh8SZBJwEFsFyvY=";
+  };
+
+  proxyVendor = true;
+  vendorHash = "sha256-O7x71Ghd8zI2Ns8Jj/Z5FWXKjyeHaPD8gyNmpwpIems=";
+
+  nativeBuildInputs = [ fixup-yarn-lock yarn nodejs installShellFiles ];
+
+  ldflags =
+    let
+      prefix = "github.com/grafana/alloy/internal/build";
+    in
+    [
+      "-s"
+      "-w"
+      # https://github.com/grafana/alloy/blob/3201389252d2c011bee15ace0c9f4cdbcb978f9f/Makefile#L110
+      "-X ${prefix}.Branch=v${version}"
+      "-X ${prefix}.Version=${version}"
+      "-X ${prefix}.Revision=v${version}"
+      "-X ${prefix}.BuildUser=nix"
+      "-X ${prefix}.BuildDate=1970-01-01T00:00:00Z"
+    ];
+
+  tags = [
+    "netgo"
+    "builtinassets"
+    "promtail_journal_enabled"
+  ];
+
+  subPackages = [
+    "."
+  ];
+
+  # Skip building the frontend in the goModules FOD
+  overrideModAttrs = (_: {
+    preBuild = null;
+  });
+
+  yarnOfflineCache = fetchYarnDeps {
+    yarnLock = "${src}/internal/web/ui/yarn.lock";
+    hash = "sha256-Q4IrOfCUlXM/5577Wk8UCIs76+XbuoHz7sIEJJTMKc4=";
+  };
+
+  preBuild = ''
+    pushd internal/web/ui
+
+    # Yarn wants a real home directory to write cache, config, etc to
+    export HOME=$NIX_BUILD_TOP/fake_home
+
+    fixup-yarn-lock yarn.lock
+    yarn config --offline set yarn-offline-mirror ${yarnOfflineCache}
+    yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
+
+    patchShebangs node_modules/
+
+    yarn --offline build
+
+    popd
+  '';
+
+  # uses go-systemd, which uses libsystemd headers
+  # https://github.com/coreos/go-systemd/issues/351
+  NIX_CFLAGS_COMPILE = lib.optionals stdenv.hostPlatform.isLinux [ "-I${lib.getDev systemd}/include" ];
+
+  checkFlags = [
+    "-tags nonetwork" # disable network tests
+    "-tags nodocker" # disable docker tests
+  ];
+
+  # go-systemd uses libsystemd under the hood, which does dlopen(libsystemd) at
+  # runtime.
+  # Add to RUNPATH so it can be found.
+  postFixup = lib.optionalString stdenv.hostPlatform.isLinux ''
+    patchelf \
+      --set-rpath "${lib.makeLibraryPath [ (lib.getLib systemd) ]}:$(patchelf --print-rpath $out/bin/alloy)" \
+      $out/bin/alloy
+  '';
+
+  postInstall = ''
+    installShellCompletion --cmd alloy \
+      --bash <($out/bin/alloy completion bash) \
+      --fish <($out/bin/alloy completion fish) \
+      --zsh <($out/bin/alloy completion zsh)
+  '';
+
+  passthru = {
+    tests = {
+      inherit (nixosTests) alloy;
+      version = testers.testVersion {
+        version = "v${version}";
+        package = grafana-alloy;
+      };
+    };
+    updateScript = nix-update-script { };
+    # alias for nix-update to be able to find and update this attribute
+    offlineCache = yarnOfflineCache;
+  };
+
+  meta = with lib; {
+    description = "Open source OpenTelemetry Collector distribution with built-in Prometheus pipelines and support for metrics, logs, traces, and profiles";
+    mainProgram = "alloy";
+    license = licenses.asl20;
+    homepage = "https://grafana.com/oss/alloy";
+    changelog = "https://github.com/grafana/alloy/blob/${src.rev}/CHANGELOG.md";
+    maintainers = with maintainers; [ azahi flokli emilylange hbjydev ];
+    platforms = lib.platforms.unix;
+  };
+}

pkgs/overlay.nix

@@ -91,6 +91,8 @@ builtins.mapAttrs (_: patchPhps phpLogPermissionPatch) {
     meta = builtins.removeAttrs old.meta [ "knownVulnerabilites" ];
   });
 
+  grafana-alloy = super.callPackage ./grafana-alloy.nix { };
+
   innotop = super.callPackage ./percona/innotop.nix { };
 
   libmodsecurity = super.callPackage ./libmodsecurity { };