prometheus-smartctl-exporter: fix nvme scanning #205165
Conversation
github-actions
bot
added
6.topic: nixos
ofborg
bot
added
10.rebuild-darwin: 0
|
@mweinelt hi, do you still think we need it? thanks |
|
Do we know what causes disk block devices to be created with group set to Why isn't this change to udev rules something we'd want to happen always, regardless of whether anyone's using |
|
The group assignment comes from udev rule maintained by systemd upstream, see https://github.com/systemd/systemd/blob/0cf2dcf15402c60498165dbd3f14536766c05051/rules.d/50-udev-default.rules.in#L74. We should probably create an issue an ask whether it would be fine to add nvme char devices into the disk group as well. |
Yes, we need this, but I'm very unhappy about the placement we're apparently being forced into. cc @WilliButz |
|
I've created an upstream issue in systemd about the inconsistent permissions: systemd/systemd#26009 |
Actually, it's unclear for me what causes that file to have effect. It's not present in |
|
Given the upstream reaction we'd probably want to move this into a separate group, that encapsulates raw disk access, e.g. |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
|
What's your plan on dealing with this? It doesn't seem to me that systemd-udevd's built-in rules are likely to change anytime soon (or maybe ever). |
| @@ -183,6 +183,9 @@ let | |||
| "ip46tables -A nixos-fw ${conf.firewallFilter} " | |||
| "-m comment --comment ${name}-exporter -j nixos-fw-accept" | |||
| ]); | |||
| services.udev.extraRules = mkIf ("${name}" == "smartctl") '' | |||
| SUBSYSTEM=="nvme", KERNEL=="nvme[0-9]*", GROUP="disk" | |||
There was a problem hiding this comment.
I would be fine with a dedicated rawio group here. The disk group already offers something else.
There was a problem hiding this comment.
As an afterthought, it doesn't feel good to create a generic group rawio when configuring smartctl-exporter. I'll push a commit in a moment with it.
There was a problem hiding this comment.
I'm not convinced that disk is different, and I think that rawio would be misleading. TTBOMK the only interesting thing offered by top-level devices (as opposed to namespace devices, which are group disk) is creation and management of namespaces. I don't think that's "raw I/O" by any stretch. (Note that namespace devices do offer quering of smart status, but smartctl --scan will query the top-level ones. Arguably that's a sound choice, because smart status is per-device and not per-namespace)
There was a problem hiding this comment.
Should we just have a dedicated group like smartctl-exporter-nvme with granted permission created only if exporter is enabled? In that case, it'll be isolated to the problem we're solving here and it'll not mess with the generic groups.
There was a problem hiding this comment.
Well, we need to set (via an udev rule) the group owner on nvme devices to something. You can't set it to two different values (udev rules don't really support POSIX ACLs), so setting it to something smartctl-exporter-specific would conflict with anyone else trying to use this.
Given that, it might be useful to set this group unconditionally, so that people don't encounter very mysterious interactions between smartctl-exporter and rest of their configuration (either by it relying on what smartctl-exporter's setup does, or it being in conflict with that).
My own suggestion would be to, unconditionally, set this group to disk, but I expect many would disagree. I think that arguments against that stemming from different kinds of access have a very weak basis, for reasons I gave above.
There was a problem hiding this comment.
I'm just opposed to mixing it with disk, as that stems from a convention that systemd dictates. I'm also opposed to making the group smartctl-exporter specific, as the exporter shouldn't have a special claim on the resouce in question.
So we are just looking for a proper name. We could narrow it down to just this single use case and go with nvme and possibly some descriptive suffix.
There was a problem hiding this comment.
I think nvme is an okay name for it and having it in a separate group wouldn't hurt and will not imperceptibly add permissions to existing services/users using the disk group. We should have it outside of the exporter in that case and unconditional, right?
There was a problem hiding this comment.
Unfortunately, I wasn't able to find a good place for the nvme group creation yet. Maybe any suggestions? Thank you.
There was a problem hiding this comment.
nixosRules in services/hardware/udev.nix possibly.
There was a problem hiding this comment.
Well, we need to set (via an udev rule) the group owner on nvme devices to something. You can't set it to two different values (udev rules don't really support POSIX ACLs), so setting it to something smartctl-exporter-specific would conflict with anyone else trying to use this.
#333961 uses a smartctl_exporter specific group and POSIX ACL in the udev rule. The result is we can keep the base/standard root:root ownership of the NVMe device nodes while simultaneously giving smartctl_exporter access. I think this is a pretty clean solution, withouth side effects (AFAICT).
As discussed a few times, it seems to be the only way to make smartctl work for NVMe devices and so enabling it when smartctl exporter is enabled. NixOS@12c26ac
Frostman
force-pushed
the
prometheus-smartctl-exporter-fix-nvme
branch
from
f387d2d to
ff1ba40
Compare
Frostman
force-pushed
the
prometheus-smartctl-exporter-fix-nvme
branch
from
ff1ba40 to
f7d9f11
Compare
|
Still relevant in 23.11, any progress? |
wegank
added
the
2.status: stale
wegank
added
the
2.status: merge conflict
stale
bot
removed
the
2.status: stale
| users.groups = (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) { | ||
| "${name}-exporter" = {}; | ||
| }); | ||
| users.groups."${name}-exporter" = (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) {}); |
There was a problem hiding this comment.
| users.groups."${name}-exporter" = (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) {}); | |
| users.groups."${name}-exporter" = mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) {}; |
|
Adding that this worked for me but I did it by using the |
wegank
added
the
2.status: stale
stale
bot
removed
2.status: stale
As discussed a few times, it seems to be the only way to make smartctl work for NVMe devices and so enabling it when smartctl exporter is enabled.
12c26ac
It's independent of #205123 and compatible with both versions
Not the most elegant way to handle it, would be happy to learn a better way
P.S. I've tested it multiple time in a VM and it seems to be working correctly
Description of changes
Things done
sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)nixos/doc/manual/md-to-db.shto update generated release notes