Merge ~vultaire/charm-prometheus-blackbox-exporter:allow-icmp into charm-prometheus-blackbox-exporter:master

Proposed by Paul Goins
Status: Work in progress
Proposed branch: ~vultaire/charm-prometheus-blackbox-exporter:allow-icmp
Merge into: charm-prometheus-blackbox-exporter:master
Diff against target: 65 lines (+28/-1)
2 files modified
src/config.yaml (+14/-0)
src/reactive/prometheus_blackbox_exporter.py (+14/-1)
Reviewer Review Type Date Requested Status
BootStack Reviewers Pending
Review via email: mp+427330@code.launchpad.net

Commit message

Added allow_icmp option

Description of the change

This MR requires the merge of a related change for the prometheus-blackbox-exporter snap: https://code.launchpad.net/~vultaire/prometheus-blackbox-exporter-snap/+git/prometheus-blackbox-exporter-snap/+merge/427328

Once the above MR is merged, *and* a new snap is released, then this MR will be ready for testing and review.

----

Regarding the actual updates:

1. The snap required an update to allow for pinging. Default AppArmor rules forbid this, but if we connect the snap to the network-control interface, this is allowed.

2. Per upstream docs for the exporter [1], the exporter either requires a setcap rule to be run to allow for pinging, or an appropriate sysctl setting to allow for it. Setcap runs counter to snap design principles and is not supported, so the sysctl setting appears to be appropriate for this.

Note that the new setting is presently one-directional. I feel like this may be adequate.

If we do want to make this a bidirectional setting, here's how we may be able to do it:

* We may be able to revert the sysctl setting; the best method I can think of is to remove the file we create, manually reset the sysctl rule to a conservative value (e.g. "1 0" to globally disable the setting), and then run "sysctl --system" to reload all sysctl files on disk, including any other files which may provide a valid value for it. It's not the cleanest way, but it may effectively work.

* layer-snap doesn't presently provide a disconnect function to break the snap connection to the network-control slot; we could instead use a subprocess call.
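The bidirectional variant sketched above, written out as an added example (this is not code from the charm or from this merge proposal): it removes the charm's sysctl drop-in, resets net.ipv4.ping_group_range to the conservative "1 0" value the description mentions, reloads every sysctl file on disk with `sysctl --system`, and disconnects the snap plug through a subprocess call because layer-snap has no disconnect function. The `run` parameter, the returned command list and the `disable_icmp` name are assumptions added so the sequence can be exercised without root.

```python
import subprocess
from pathlib import Path

# Path and plug name as they appear in the proposed diff.
SYSCTL_FILE_PATH = "/etc/sysctl.d/90-charm-prometheus-blackbox-exporter.conf"
PLUG = "prometheus-blackbox-exporter:network-control"
# "1 0" (min > max) matches no gid, so no unprivileged process can open an
# ICMP Echo socket; it is the reset value proposed in the description.
PING_GROUP_RANGE_DISABLED = "1 0"


def disable_icmp(sysctl_file=SYSCTL_FILE_PATH, plug=PLUG, run=subprocess.check_call):
    """Revert enable_icmp(): remove the drop-in, reset the kernel value,
    reload the on-disk sysctl files and disconnect the snap plug.

    ``run`` is assumed to behave like subprocess.check_call (raise on a
    non-zero exit); injecting a recorder lets the sequence be tested
    without root.  Returns the commands executed, in order.
    """
    executed = []
    drop_in = Path(sysctl_file)
    if drop_in.exists():
        # Otherwise the permissive value returns on the next reload or boot.
        drop_in.unlink()
    steps = [
        # Explicit reset first: deleting the file alone leaves the running
        # kernel value untouched until something sets it again.
        ["sysctl", "-w", "net.ipv4.ping_group_range=" + PING_GROUP_RANGE_DISABLED],
        # Re-apply every remaining file so another drop-in that legitimately
        # widens the range for a different workload wins over our reset.
        ["sysctl", "--system"],
        # layer-snap has no disconnect(); call snapd's CLI directly.
        ["snap", "disconnect", plug],
    ]
    for cmd in steps:
        run(cmd)
        executed.append(cmd)
    return executed


if __name__ == "__main__":
    # Dry run against a path that does not exist, printing the sequence
    # instead of executing it.
    for cmd in disable_icmp(sysctl_file="/nonexistent/dry-run.conf", run=lambda c: None):
        print(" ".join(cmd))
```

Deleting the drop-in before the explicit `sysctl -w` matters: `sysctl --system` re-reads whatever is left on disk, so the charm's own file must be gone by then or it would simply re-apply the permissive range.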


Unmerged commits

f566a97... by Paul Goins

Added allow_icmp option

Preview Diff

diff --git a/src/config.yaml b/src/config.yaml
index 2f5db13..4104fc3 100644
--- a/src/config.yaml
+++ b/src/config.yaml
@@ -5,6 +5,20 @@ options:
5 description: |5 description: |
6 If install_method is set to "snap" this option controlls channel name.6 If install_method is set to "snap" this option controlls channel name.
7 Supported values are: "stable", "candidate", "beta" and "edge"7 Supported values are: "stable", "candidate", "beta" and "edge"
8 allow_icmp:
9 default: False
10 type: boolean
11 description: |
12 If enabled, this will allow use of ICMP by the blackbox exporter.
13 Without this, probing via ICMP will fail.
14
15 This is not enabled by default because it requires relaxing several
16 security restrictions - specifically, connecting the network-control
17 plug of the blackbox exporter snap, in addition to setting the
18 net.ipv4.ping_group_range sysctl setting to allow for general use of
19 ICMP Echo packets.
20
21 This setting cannot be disabled once enabled.
8 nagios_context:22 nagios_context:
9 default: "juju"23 default: "juju"
10 type: string24 type: string
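Review bot: the allow_icmp description should state the scope of the sysctl change explicitly. The value the reactive code writes, net.ipv4.ping_group_range = "0 2147483647", lets every gid on the host, not only the exporter's daemon, open unprivileged ICMP Echo sockets; "allow for general use of ICMP Echo packets" hints at this, but an operator weighing the option should read "host-wide, for all groups". While touching this block, the pre-existing "controlls" typo in the channel description two lines above could be fixed in the same commit.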
diff --git a/src/reactive/prometheus_blackbox_exporter.py b/src/reactive/prometheus_blackbox_exporter.py
index 8058f56..a7e3595 100644
--- a/src/reactive/prometheus_blackbox_exporter.py
+++ b/src/reactive/prometheus_blackbox_exporter.py
@@ -7,7 +7,7 @@ from pathlib import Path
7from zipfile import BadZipFile, ZipFile7from zipfile import BadZipFile, ZipFile
88
9from charmhelpers.contrib.charmsupport import nrpe9from charmhelpers.contrib.charmsupport import nrpe
10from charmhelpers.core import hookenv, host10from charmhelpers.core import hookenv, host, sysctl
11from charmhelpers.core.templating import render11from charmhelpers.core.templating import render
1212
13from charms.layer import snap13from charms.layer import snap
@@ -32,6 +32,7 @@ SVC_NAME = "snap.prometheus-blackbox-exporter.daemon"
32PORT_DEF = 911532PORT_DEF = 9115
33BLACKBOX_EXPORTER_YML_TMPL = "blackbox.yaml.j2"33BLACKBOX_EXPORTER_YML_TMPL = "blackbox.yaml.j2"
34CONF_FILE_PATH = "/var/snap/prometheus-blackbox-exporter/current/blackbox.yml"34CONF_FILE_PATH = "/var/snap/prometheus-blackbox-exporter/current/blackbox.yml"
35SYSCTL_FILE_PATH = "/etc/sysctl.d/90-charm-prometheus-blackbox-exporter.conf"
3536
3637
37def templates_changed(tmpl_list):38def templates_changed(tmpl_list):
@@ -58,6 +59,18 @@ def upgrade():
58 set_state("blackbox-exporter.do-restart")59 set_state("blackbox-exporter.do-restart")
5960
6061
62@when("config.changed.allow_icmp")
63@when_not("blackbox-exporter.icmp_configured")
64def enable_icmp():
65 """Update system to allow blackbox exporter to use ICMP."""
66 config = hookenv.config()
67 if config.get("allow_icmp", False):
68 snap.connect("prometheus-blackbox-exporter:network-control", ":network-control")
69 sysctl.create({"net.ipv4.ping_group_range": "0 2147483647"}, SYSCTL_FILE_PATH)
70 set_state("blackbox-exporter.icmp_configured")
71 # Note: Disabling this setting is not presently supported by the charm.
72
73
61def get_modules():74def get_modules():
62 """Load the modules."""75 """Load the modules."""
63 config = hookenv.config()76 config = hookenv.config()
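Review bot: enable_icmp has no guard that the snap is installed, so when allow_icmp is set at deploy time the config.changed.allow_icmp flag can fire before the snap exists and snap.connect(...) will fail; add `@when("snap.installed.prometheus-blackbox-exporter")` (the flag layer-snap sets after installing a snap) next to the two existing decorators. Second, "0 2147483647" is the widest possible range; if the gid the daemon runs under is known, narrow the range to that gid so the relaxation does not extend to every process on the host. Third, if sysctl.create raises after snap.connect succeeded, the hook errors with the plug already connected and icmp_configured still unset; the retry repeats the connect, which is harmless, but a short comment noting that both calls are idempotent would save the next reader the check.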