Prometheus <-> Prometheus Packet service discovery flaky #329

Closed
delroth opened this issue Jan 13, 2024 · 5 comments

@delroth
Contributor

delroth commented Jan 13, 2024

Likely due to systemd hardening blocking filesystem access, since the file is world-readable (and in fact: world-writable?!?!)

Jan 13 22:00:07 eris prometheus[1315182]: ts=2024-01-13T22:00:07.123Z caller=file.go:343 level=error component="discovery manager scrape" discovery=file config=packet_nodes msg="Error reading file" path=/var/lib/packet-sd/packet-sd.json err="open /var/lib/packet-sd/packet-sd.json: permission denied"
Jan 13 22:00:37 eris prometheus[1315182]: ts=2024-01-13T22:00:37.123Z caller=file.go:343 level=error component="discovery manager scrape" discovery=file config=packet_nodes msg="Error reading file" path=/var/lib/packet-sd/packet-sd.json err="open /var/lib/packet-sd/packet-sd.json: permission denied"
Jan 13 22:01:37 eris prometheus[1315182]: ts=2024-01-13T22:01:37.121Z caller=file.go:343 level=error component="discovery manager scrape" discovery=file config=packet_nodes msg="Error reading file" path=/var/lib/packet-sd/packet-sd.json err="open /var/lib/packet-sd/packet-sd.json: permission denied"
Jan 13 22:04:07 eris prometheus[1315182]: ts=2024-01-13T22:04:07.124Z caller=file.go:343 level=error component="discovery manager scrape" discovery=file config=packet_nodes msg="Error reading file" path=/var/lib/packet-sd/packet-sd.json err="open /var/lib/packet-sd/packet-sd.json: permission denied"
@mweinelt
Member

I don't see a hardening option enabled that should prevent access. Nothing of the following worked:

  • disabling PrivateUsers=
  • disabling SystemCallFilter=
  • providing access through BindReadOnlyPaths=/var/lib/packet-sd

But I think it must be related to the runtime environment, since sudo -u prometheus cat /var/lib/packet-sd/packet-sd.json works.

Then I noticed that some processes seem to be able to read the file, and some don't.

[pid 1455844] openat(AT_FDCWD, "/var/lib/packet-sd/packet-sd.json", O_RDONLY|O_CLOEXEC) = 238
[pid 1455845] openat(AT_FDCWD, "/var/lib/packet-sd/packet-sd.json", O_RDONLY|O_CLOEXEC) = 238
[pid 1455836] openat(AT_FDCWD, "/var/lib/packet-sd/packet-sd.json", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)

Very confusing.

@delroth
Contributor Author

delroth commented Jan 14, 2024

Tracked it down to packethost/prometheus-packet-sd#15

@delroth delroth changed the title Prometheus <-> Prometheus Packet service discovery not working Prometheus <-> Prometheus Packet service discovery flaky Jan 14, 2024
@delroth
Contributor Author

delroth commented Jan 14, 2024

Renaming this bug to indicate this is less critical than I originally thought - this probably ends up making Prometheus miss some updates, but it's only a race condition that doesn't always get hit.

@mweinelt
Member

Tried updating to the patched version, but now it chmods to 0600. I'm confused.

@mweinelt
Member

mweinelt commented Feb 26, 2024

The chmod is applied to the outfile, not the tempfile. Ouch.

packethost/prometheus-packet-sd#22
NixOS/nixpkgs#291463
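
The ordering problem discussed in this thread, as an added Go example (not part of the thread and not code from prometheus-packet-sd): `os.CreateTemp` creates its file owner-only (0600), so a chmod applied to the output path after the rename leaves a window in which readers get `permission denied`. Setting the mode on the temp file before the rename closes that window. `writeAtomic`, `modeAfterRefresh`, the file names and the sample JSON are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// writeAtomic (hypothetical helper) replaces path with data. The mode is set on
// the temp file before the rename, so readers never see CreateTemp's 0600.
func writeAtomic(path string, data []byte, mode os.FileMode) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".sd-*.tmp") // same dir as target
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly once the rename has succeeded
	if _, err = tmp.Write(data); err == nil {
		err = tmp.Chmod(mode) // chmod the temp file, not the output path
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

// modeAfterRefresh writes constructed sample data twice and returns the final mode.
func modeAfterRefresh(mode os.FileMode) (os.FileMode, error) {
	dir, err := os.MkdirTemp("", "sd-demo")
	if err != nil {
		return 0, err
	}
	defer os.RemoveAll(dir)
	out := filepath.Join(dir, "targets.json")
	for i := 0; i < 2; i++ { // initial write, then one refresh over the old file
		if err := writeAtomic(out, []byte(`[{"targets":["192.0.2.10:9100"]}]`), mode); err != nil {
			return 0, err
		}
	}
	fi, err := os.Stat(out)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

func main() { fmt.Println(modeAfterRefresh(0o644)) }
```

Because `File.Chmod` is not subject to the umask, the mode passed in is exactly the mode readers see from the first moment the new file is visible.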
