grafana.grafana.alloy role installs alloy binary under /etc/alloy/, which does not work on RHEL-based systems due to SELinux #194
Comments
Can you PR it up @hakong ?
I can help with this @hakong @gardar as I'm looking to deploy alloy into production RHEL environments in the coming weeks using this ansible role and this will be an issue for me also. Alternatively, or in addition to, an SELinux policy could be created that allows the existing binary deployment method as an interim.
@panfantastic If you want to quick-and-dirty this as an interim solution, rather than messing with selinux you can just use something like this. It's what I used and it worked fine. RPM package installs alloy in some bin folder and it works fine with SELinux OOTB. Note: I had an issue (at least on debian) that alloy would not start due to the /var/lib/alloy directory not existing and /etc/default/alloy not existing. The DEB package did not create them as far as I can remember. The RPM package worked fine.
Yes, we need to split the installs between redhat and debian. Thanks for your config, I'll try and get a PR together this weekend for this stuff unless you have something ready to go.
@hakong Am I correct to say you were in a I've been trying to get the build environment tests used to do selinux like you get in rhel by default and have failed so far. RHEL is selinux by default, but the containers for rocky etc I'm trying to test with aren't :( I'm not sure how to submit a patch with molecule testing at this point!
If you're seeking inspiration, perhaps aligning your PR with the
@voidquark can you link me please?
I took the opportunity to install it on a working selinux (enforcing) system and it installs fine so I think all that is needed is to split the install process between redhat clones and debian clones (sorry any suse clones, Gentoo knows how to do it on their own ;) ).
Keeping an eye on this as the documentation for Grafana Agent says it's being deprecated for Alloy, and we run RHEL |
…tion and doesnt upset SELinux and grafana#194
Binaries should be in binary folders on RHEL-based systems, so SELinux allows them to do binary-like things, like connecting to the internet 😄
The alloy binary will get an selinux label like unconfined_u:object_r:etc_t:s0 when placed under /etc/alloy, which is not allowed to open tcp sockets:
The RPM package installs alloy under /usr/bin/, which is correct.
The grafana.grafana.alloy role should use the package manager to install alloy. That would solve this issue:
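
A post-deploy check for the labelling problem this issue describes, as an added example that is not part of the issue or of the grafana.grafana.alloy role: it parses an SELinux context and flags a binary whose type is not an executable type. The function names and the rule that `bin_t` or any `*_exec_t` type is acceptable are assumptions of this example; the second sample label is constructed.

```shell
#!/bin/sh
# Added example: audit the SELinux type of a service binary's label.
# Context format is user:role:type:level; the level may itself contain ':'
# (e.g. s0-s0:c0.c1023), so the type is always the 3rd field, never the last.

# Print the type field of a context string; prints nothing if the input
# has no ':' at all (e.g. "?" from a host without SELinux labels).
selinux_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Return 0 if the type is one expected on a service binary.
# Assumption of this example: bin_t or any *_exec_t type is acceptable.
is_exec_type() {
    case "$1" in
        bin_t|*_exec_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a context string: prints "ok <type>", "bad <type>" or "unlabeled".
classify_context() {
    t=$(selinux_type "$1")
    if [ -z "$t" ]; then
        echo "unlabeled"
        return 2
    fi
    if is_exec_type "$t"; then
        echo "ok $t"
    else
        echo "bad $t"
        return 1
    fi
}

# Audit a file on disk (GNU stat; %C prints the SELinux context).
audit_binary() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || { echo "unreadable $1"; return 2; }
    classify_context "$ctx"
}

# Sample labels: the first is the one quoted in the issue, the second is
# constructed to show the label type a file under /usr/bin normally carries.
for ctx in 'unconfined_u:object_r:etc_t:s0' 'system_u:object_r:bin_t:s0'; do
    printf '%-34s %s\n' "$ctx" "$(classify_context "$ctx" || true)"
done
```

On a deployed host, `audit_binary` takes the path of the installed binary and exits non-zero when the label is wrong, so it can gate a deployment test.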