From bf286053f9cab5255eea2166c3d52d42829e7899 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?= Date: Sun, 11 Aug 2024 20:04:28 +0200 Subject: [PATCH] nixos/prometheus-smartctl-exporter: fix NVMe scanning smartctl_exporter already runs with SupplementaryGroups "disk", which gives full access to SATA drives, but NVMe devices are owned by root:root, resulting in no access: [...] msg="Smartctl open device: /dev/nvme0 failed: Permission denied" This patch introduces a "smartctl-exporter-access" supplementary group, and an udev rule with setfacl to give the exporter access to NVMe drives, without changing the base root:root ownership. Fixes https://github.com/NixOS/nixpkgs/issues/210041 --- .../services/monitoring/prometheus/exporters.nix | 14 +++++++++++--- .../monitoring/prometheus/exporters/smartctl.nix | 2 +- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index c698c9005aaf8..29a30e938e75a 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -236,9 +236,17 @@ let isSystemUser = true; inherit (conf) group; }); - users.groups = (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) { - "${name}-exporter" = {}; - }); + users.groups = mkMerge [ + (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) { + "${name}-exporter" = {}; + }) + (mkIf (name == "smartctl") { + "smartctl-exporter-access" = {}; + }) + ]; + services.udev.extraRules = mkIf (name == "smartctl") '' + ACTION=="add", SUBSYSTEM=="nvme", KERNEL=="nvme[0-9]*", RUN+="${pkgs.acl}/bin/setfacl -m g:smartctl-exporter-access:rw /dev/$kernel" + ''; networking.firewall.extraCommands = mkIf (conf.openFirewall && !nftables) (concatStrings [ "ip46tables -A nixos-fw ${conf.firewallFilter} " "-m comment --comment ${name}-exporter -j nixos-fw-accept" diff --git a/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix b/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix index e3dcc6126ff12..90adfe911a737 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix @@ -58,7 +58,7 @@ in PrivateDevices = lib.mkForce false; ProtectProc = "invisible"; ProcSubset = "pid"; - SupplementaryGroups = [ "disk" ]; + SupplementaryGroups = [ "disk" "smartctl-exporter-access" ]; SystemCallFilter = [ "@system-service" "~@privileged" ]; }; };