Merge ~vultaire/charm-prometheus-blackbox-exporter:allow-icmp into charm-prometheus-blackbox-exporter:master

Proposed by Paul Goins
Status: Work in progress
Proposed branch: ~vultaire/charm-prometheus-blackbox-exporter:allow-icmp
Merge into: charm-prometheus-blackbox-exporter:master
Diff against target: 65 lines (+28/-1)
2 files modified
src/config.yaml (+14/-0)
src/reactive/prometheus_blackbox_exporter.py (+14/-1)
Reviewer: BootStack Reviewers
Review status: Pending
Review via email: mp+427330@code.launchpad.net

Commit message

Added allow_icmp option

Description of the change

This MR requires the merge of a related change for the prometheus-blackbox-exporter snap: https://code.launchpad.net/~vultaire/prometheus-blackbox-exporter-snap/+git/prometheus-blackbox-exporter-snap/+merge/427328

Once the above MR is merged, *and* a new snap is released, then this MR will be ready for testing and review.

----

Regarding the actual updates:

1. The snap required an update to allow for pinging. Default AppArmor rules forbid this, but if we connect the snap to the network-control interface, this is allowed.

2. Per upstream docs for the exporter [1], the exporter either requires a setcap rule to be run to allow for pinging, or an appropriate sysctl setting to allow for it. Setcap runs counter to snap design principles and is not supported, so the sysctl setting appears to be appropriate for this.

Note that the new setting is presently one-directional. I feel like this may be adequate.

If we do want to make this a bidirectional setting, here's how we may be able to do it:

* We may be able to revert the sysctl setting; the best method I can think of is to remove the file we create, manually reset the sysctl rule to a conservative value (e.g. "1 0" to globally disable the setting), and then run "sysctl --system" to reload all sysctl files on disk, including any other files which may provide a valid value for it. It's not the cleanest way, but it may effectively work.

* layer-snap doesn't presently provide a disconnect function to break the snap connection to the network-control slot; we could instead use a subprocess call.
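To make the revert concern above concrete (which sysctl.d file ends up defining net.ipv4.ping_group_range after "sysctl --system", and whether a given group id is then allowed to open ICMP Echo sockets), here is an added Python example that is not part of this merge proposal or of the charm. It assumes a simplified model in which only /etc/sysctl.d/*.conf (sorted by file name, later files overriding earlier ones) and then /etc/sysctl.conf are consulted; the file contents are constructed.

```python
"""Model the effective net.ipv4.ping_group_range after `sysctl --system`.

Assumption (simplified model): only /etc/sysctl.d/*.conf in sorted file-name
order, followed by /etc/sysctl.conf, are considered; the last assignment wins.
"""
from typing import Dict, Optional, Tuple

KEY = "net.ipv4.ping_group_range"

# Constructed sample: a conservative local file plus the charm-style file.
SAMPLE_FILES = {
    "/etc/sysctl.d/10-local.conf": "net.ipv4.ping_group_range = 1 0\n",
    "/etc/sysctl.d/90-charm-prometheus-blackbox-exporter.conf":
        "# written by the charm (constructed sample)\n"
        "net.ipv4.ping_group_range=0 2147483647\n",
}


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; lines starting with '#' or ';' are comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def effective_value(files: Dict[str, str], key: str = KEY) -> Optional[str]:
    """files maps path -> content; returns the winning value for key, or None."""
    order = sorted(p for p in files
                   if p.startswith("/etc/sysctl.d/") and p.endswith(".conf"))
    if "/etc/sysctl.conf" in files:
        order.append("/etc/sysctl.conf")  # applied last, so it overrides
    value = None
    for path in order:
        value = parse_sysctl_conf(files[path]).get(key, value)
    return value


def parse_range(value: str) -> Tuple[int, int]:
    lo, hi = value.split()
    return int(lo), int(hi)


def gid_may_ping(value: str, gid: int) -> bool:
    """Unprivileged ICMP Echo sockets are allowed only for GIDs in [lo, hi];
    lo > hi (the kernel default '1 0') disables them for every group."""
    lo, hi = parse_range(value)
    return lo <= gid <= hi


def range_is_all_groups(value: str) -> bool:
    """True when the range admits every possible GID (the charm's value)."""
    lo, hi = parse_range(value)
    return lo == 0 and hi >= 2147483647
```

Removing the 90- file from SAMPLE_FILES and re-running effective_value() shows the value falling back to the conservative "1 0" from 10-local.conf, which is the behaviour the "sysctl --system" revert relies on.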

Unmerged commits

f566a97... by Paul Goins

Added allow_icmp option

Preview Diff

1diff --git a/src/config.yaml b/src/config.yaml
2index 2f5db13..4104fc3 100644
3--- a/src/config.yaml
4+++ b/src/config.yaml
5@@ -5,6 +5,20 @@ options:
6 description: |
7 If install_method is set to "snap" this option controlls channel name.
8 Supported values are: "stable", "candidate", "beta" and "edge"
9+ allow_icmp:
10+ default: False
11+ type: boolean
12+ description: |
13+ If enabled, this will allow use of ICMP by the blackbox exporter.
14+ Without this, probing via ICMP will fail.
15+
16+ This is not enabled by default because it requires relaxing several
17+ security restrictions - specifically, connecting the network-control
18+ plug of the blackbox exporter snap, in addition to setting the
19+ net.ipv4.ping_group_range sysctl setting to allow for general use of
20+ ICMP Echo packets.
21+
22+ This setting cannot be disabled once enabled.
23 nagios_context:
24 default: "juju"
25 type: string
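Review bot: The option description should state plainly that net.ipv4.ping_group_range is a host-wide kernel setting and that the value the charm writes ("0 2147483647" in the reactive-layer hunk) admits every group on the machine, so any unprivileged process on the host, not only the exporter, gains unprivileged ICMP Echo sockets; "allow for general use of ICMP Echo packets" understates that for an operator deciding whether to flip the switch. Also, the unchanged context line "this option controlls channel name" carries a pre-existing typo (controlls -> controls) that could be fixed while this file is being touched.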
26diff --git a/src/reactive/prometheus_blackbox_exporter.py b/src/reactive/prometheus_blackbox_exporter.py
27index 8058f56..a7e3595 100644
28--- a/src/reactive/prometheus_blackbox_exporter.py
29+++ b/src/reactive/prometheus_blackbox_exporter.py
30@@ -7,7 +7,7 @@ from pathlib import Path
31 from zipfile import BadZipFile, ZipFile
32
33 from charmhelpers.contrib.charmsupport import nrpe
34-from charmhelpers.core import hookenv, host
35+from charmhelpers.core import hookenv, host, sysctl
36 from charmhelpers.core.templating import render
37
38 from charms.layer import snap
39@@ -32,6 +32,7 @@ SVC_NAME = "snap.prometheus-blackbox-exporter.daemon"
40 PORT_DEF = 9115
41 BLACKBOX_EXPORTER_YML_TMPL = "blackbox.yaml.j2"
42 CONF_FILE_PATH = "/var/snap/prometheus-blackbox-exporter/current/blackbox.yml"
43+SYSCTL_FILE_PATH = "/etc/sysctl.d/90-charm-prometheus-blackbox-exporter.conf"
44
45
46 def templates_changed(tmpl_list):
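Review bot: A short comment next to SYSCTL_FILE_PATH explaining the "90-" prefix would help: "sysctl --system" applies /etc/sysctl.d/*.conf in sorted file-name order with later files overriding earlier ones, so this file wins over most locally administered files (for example a 10-*.conf carrying a conservative "1 0"), which is also why removing the file and rerunning "sysctl --system", as the description proposes, would restore whatever those files set. If that precedence is intended, say so in a comment; if not, consider a lower prefix.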
47@@ -58,6 +59,18 @@ def upgrade():
48 set_state("blackbox-exporter.do-restart")
49
50
51+@when("config.changed.allow_icmp")
52+@when_not("blackbox-exporter.icmp_configured")
53+def enable_icmp():
54+ """Update system to allow blackbox exporter to use ICMP."""
55+ config = hookenv.config()
56+ if config.get("allow_icmp", False):
57+ snap.connect("prometheus-blackbox-exporter:network-control", ":network-control")
58+ sysctl.create({"net.ipv4.ping_group_range": "0 2147483647"}, SYSCTL_FILE_PATH)
59+ set_state("blackbox-exporter.icmp_configured")
60+ # Note: Disabling this setting is not presently supported by the charm.
61+
62+
63 def get_modules():
64 """Load the modules."""
65 config = hookenv.config()
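Review bot: The False branch of enable_icmp() is silent: when allow_icmp is changed from True to False the handler does nothing and the operator gets no feedback, while the config description only says the setting cannot be disabled. Add a hookenv.log(..., level=hookenv.WARNING) on that branch so the unapplied change is visible in the unit log, rather than leaving it as the "# Note:" comment alone. Separately, "0 2147483647" is the widest range the sysctl accepts; if the snap daemon runs under a known group, narrowing the range to that single GID (e.g. "GID GID") keeps the host-wide relaxation to the minimum the exporter needs, and the two-step connect/create sequence should document what state the unit is left in if snap.connect() raises before sysctl.create() runs.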
