Merge ~jsimpso/prometheus-snap:master into prometheus-snap:master

Proposed by James Simpson
Status: Merged
Approved by: James Simpson
Approved revision: bb4a970813d16caabef0d2957eb8d1fef2fc12dd
Merged at revision: 7a784c92e20418d81b1f66bcb7fa173b8bda7c40
Proposed branch: ~jsimpso/prometheus-snap:master
Merge into: prometheus-snap:master
Diff against target: 86 lines (+50/-5)
2 files modified
snap_config_wrapper (+44/-5)
snapcraft.yaml (+6/-0)
Reviewer Review Type Date Requested Status
Paul Collins lgtm Approve
prometheus-snap-developers Pending
Review via email: mp+428753@code.launchpad.net

Commit message

Run daemon as non-root user

Revision history for this message
James Simpson (jsimpso) wrote :

ps output here showing that prometheus is now launched from the wrapper as "snap_daemon" rather than root:

jsimpso@kif:~$ sudo pgrep prometheus -a
1891 /bin/sh /snap/prometheus-alertmanager/50/bin/prometheus-alertmanager.wrapper
2062437 /bin/sh /snap/prometheus/x7/bin/prometheus.wrapper
2062642 /snap/prometheus/x7/bin/prometheus --config.file /var/snap/prometheus/x7/prometheus.yml --storage.tsdb.path=/var/snap/prometheus/common/tsdb
jsimpso@kif:~$ sudo ps aux | grep [2]062642
snap_da+ 2062642 0.1 0.2 938440 75548 ? Sl 11:17 0:00 /snap/prometheus/x7/bin/prometheus --config.file /var/snap/prometheus/x7/prometheus.yml --storage.tsdb.path=/var/snap/prometheus/common/tsdb

jsimpso@kif:~$ systemctl is-active snap.prometheus.prometheus.service
active

Revision history for this message
Paul Collins (pjdc) wrote :

I haven't done a snap_daemon migration like this myself, but LGTM if it works, except for the diff comment below.

review: Approve
Revision history for this message
Paul Collins (pjdc) :
review: Approve (lgtm)
Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

This merge proposal is being monitored by mergebot. Change the status to Approved to merge.

Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

Unable to determine commit message from repository - please click "Set commit message" and enter the commit message manually.

Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

Change must be approved by a member of one of the following teams:
Setting status to needs review.

Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

Change must be approved by a member of one of the following teams:
Setting status to needs review.

Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

Change successfully merged at revision 7a784c92e20418d81b1f66bcb7fa173b8bda7c40

Preview Diff

1diff --git a/snap_config_wrapper b/snap_config_wrapper
2index 21cf64b..db8c5e6 100755
3--- a/snap_config_wrapper
4+++ b/snap_config_wrapper
5@@ -1,11 +1,50 @@
6 #!/bin/sh
7
8-test -e "${SNAP_DATA}/prometheus.yml" || cp "${SNAP}/etc/prometheus/prometheus.yml.example" "${SNAP_DATA}/prometheus.yml"
9-test -e "${SNAP_DATA}/daemon_arguments" || cp "${SNAP}/etc/prometheus/daemon_arguments.example" "${SNAP_DATA}/daemon_arguments"
10-test -d "${SNAP_DATA}/promreg" || mkdir "${SNAP_DATA}/promreg"
11+# Manage file ownership/permissions, allowing daemon to drop privileges
12+# https://snapcraft.io/docs/system-usernames
13+
14+SNAP_DATA_DIRS="promreg"
15+SNAP_DATA_FILES="prometheus.yml daemon_arguments"
16+SNAP_DB_DIR="${SNAP_COMMON}/tsdb"
17+
18+# Snaps can't manage ownership of SNAP_COMMON directly, so we'll move the DB
19+# to a subdir of SNAP_COMMON -- https://forum.snapcraft.io/t/system-usernames/13386/12
20+if [ ! -d "${SNAP_DB_DIR}" ]; then
21+ mkdir "${SNAP_DB_DIR}"
22+ # If we're making the dir for the first time, move any existing content into it
23+ find "${SNAP_COMMON}" -maxdepth 1 -mindepth 1 -not -name tsdb -exec mv -t "${SNAP_DB_DIR}" {} +
24+fi
25+chmod 775 "${SNAP_DB_DIR}"
26+find "${SNAP_DB_DIR}" -type d -exec chmod 775 {} \;
27+find "${SNAP_DB_DIR}" -type f -exec chmod 664 {} \;
28+chown -R snap_daemon: "${SNAP_DB_DIR}"
29+
30+for DIR in ${SNAP_DATA_DIRS}
31+do
32+ if [ ! -d "${SNAP_DATA}/${DIR}" ]; then
33+ mkdir "${SNAP_DATA}/${DIR}"
34+ fi
35+ chmod 775 "${SNAP_DATA}/${DIR}"
36+ find "${SNAP_DATA}/${DIR}" -type d -exec chmod 775 {} \;
37+ find "${SNAP_DATA}/${DIR}" -type f -exec chmod 664 {} \;
38+ chown -R snap_daemon: "${SNAP_DATA}/${DIR}"
39+done
40+
41+for FILE in ${SNAP_DATA_FILES}
42+do
43+ if [ ! -f "${SNAP_DATA}/${FILE}" ]; then
44+ cp "${SNAP}/etc/prometheus/${FILE}.example" "${SNAP_DATA}/${FILE}"
45+ fi
46+ chmod 664 "${SNAP_DATA}/${FILE}"
47+ chown snap_daemon: "${SNAP_DATA}/${FILE}"
48+done
49
50 ulimit -n 65536
51 . "${SNAP_DATA}"/daemon_arguments
52
53-COMMAND="${SNAP}/bin/prometheus ${ARGS} --config.file ${SNAP_DATA}/prometheus.yml --storage.tsdb.path=${SNAP_COMMON}"
54-eval "${COMMAND}"
55\ No newline at end of file
56+COMMAND="${SNAP}/bin/prometheus ${ARGS} --config.file ${SNAP_DATA}/prometheus.yml --storage.tsdb.path=${SNAP_COMMON}/tsdb"
57+# Drop privileges with setpriv and run as snap_daemon
58+# https://snapcraft.io/docs/system-usernames
59+DROP_PRIVS="${SNAP}/usr/bin/setpriv --clear-groups --reuid snap_daemon --regid snap_daemon --"
60+
61+exec ${DROP_PRIVS} ${COMMAND}
62\ No newline at end of file
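Review bot: the FILES loop hands daemon_arguments to the unprivileged user (`chmod 664` then `chown snap_daemon:`), yet the wrapper still sources it as root (`. "${SNAP_DATA}"/daemon_arguments`) before `setpriv` drops privileges, so a process running as snap_daemon that can write that file gets its contents executed as root on the next service start; keep daemon_arguments root-owned and not writable by snap_daemon (644 is enough, only the root wrapper reads it), and consider the same read-only treatment for prometheus.yml, which Prometheus only needs to read. Two smaller points in the same hunk: there is no `set -e`, so a failed mkdir/mv/chown falls through to `exec` and starts the daemon against a directory it may not own or that was not migrated; and replacing `eval "${COMMAND}"` with `exec ${DROP_PRIVS} ${COMMAND}` means quoted values in ARGS are no longer re-parsed and arrive with their quotes intact, which deserves a note in the comment or a check of the shipped daemon_arguments.example.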
63diff --git a/snapcraft.yaml b/snapcraft.yaml
64index 3d6ee02..f772004 100644
65--- a/snapcraft.yaml
66+++ b/snapcraft.yaml
67@@ -21,6 +21,9 @@ architectures:
68 # - build-on: ppc64el
69 # - build-on: s390x
70
71+system-usernames:
72+ snap_daemon: shared
73+
74 apps:
75 prometheus:
76 command: 'bin/prometheus.wrapper'
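Review bot: the wrapper hunk carries a comment pointing at the system-usernames documentation, but this hunk, where `snap_daemon: shared` is actually declared, has none; add the same link here so a reader of snapcraft.yaml sees why the top-level key exists and that it pairs with the `setpriv --reuid snap_daemon --regid snap_daemon` call in snap_config_wrapper.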
77@@ -55,6 +58,9 @@ parts:
78 cp -p "$SNAPCRAFT_PART_BUILD/promtool" "$SNAPCRAFT_PART_INSTALL/bin/"
79 cp -p "$SNAPCRAFT_PART_BUILD/prometheus" "$SNAPCRAFT_PART_INSTALL/bin/"
80 cp -p "$SNAPCRAFT_PART_SRC/documentation/examples/prometheus.yml" "$SNAPCRAFT_PART_INSTALL/etc/prometheus/prometheus.yml.example"
81+ # util-linux required to drop privileges
82+ # https://snapcraft.io/docs/system-usernames
83+ stage-packages: [util-linux]
84 snap-wrappers:
85 plugin: dump
86 source: .
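Review bot: `stage-packages: [util-linux]` stages the entire util-linux package when the wrapper only uses `${SNAP}/usr/bin/setpriv`; a `stage:` filter keeping `usr/bin/setpriv` and any shared libraries it needs would avoid shipping the rest of the package's binaries in the snap. Also confirm in the real file that the new key sits at the part level beside the override-build block rather than inside its script, since the flattened indentation in this view makes that hard to tell.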
