From 060a47e1e45cd09849d20e72b465405ac4ef8c1a Mon Sep 17 00:00:00 2001
From: DDoSolitary
Date: Sat, 5 Aug 2023 17:52:52 +0800
Subject: [PATCH] netdata: set NETDATA_PIPENAME to /run/netdata/ipc
Netdata creates its control socket at /tmp/netdata-ipc by default, which is insecure and actually inaccessible with systemd's PrivateTmp enabled. Originally we patched its source code to move the socket to /run/netdata/ipc. However, it was removed due to incompatibility when upgrading to v1.41.0: 1d2a2dc7d0396495e2bb3878dc62eab620425c85 Fortunately, this new version of netdata adds support for setting the location of the control socket via the environment variable NETDATA_PIPENAME. So let's set it for the netdata service and the command line utility so that they can communicate properly.
---
 nixos/modules/services/monitoring/netdata.nix | 1 +
 nixos/tests/netdata.nix | 5 ++++-
 pkgs/tools/system/netdata/default.nix | 1 +
 pkgs/tools/system/netdata/ipc-socket-in-run.patch | 13 -------------
 4 files changed, 6 insertions(+), 14 deletions(-)
 delete mode 100644 pkgs/tools/system/netdata/ipc-socket-in-run.patch
diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix
index 89a842023c88..239a285b20d5 100644
--- a/nixos/modules/services/monitoring/netdata.nix
+++ b/nixos/modules/services/monitoring/netdata.nix
@@ -216,6 +216,7 @@ in {
 PYTHONPATH = "${cfg.package}/libexec/netdata/python.d/python_modules";
 } // lib.optionalAttrs (!cfg.enableAnalyticsReporting) {
 DO_NOT_TRACK = "1";
+ NETDATA_PIPENAME = "/run/netdata/ipc";
 };
 restartTriggers = [
 config.environment.etc."netdata/netdata.conf".source
diff --git a/nixos/tests/netdata.nix b/nixos/tests/netdata.nix
index aea67c29d0d4..c5f7294f79ab 100644
--- a/nixos/tests/netdata.nix
+++ b/nixos/tests/netdata.nix
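Review bot: In the `nixos/modules/services/monitoring/netdata.nix` hunk the new `NETDATA_PIPENAME = "/run/netdata/ipc";` line sits inside the `lib.optionalAttrs (!cfg.enableAnalyticsReporting) { … }` set, next to `DO_NOT_TRACK`, so the service only receives it when analytics reporting is disabled. With `enableAnalyticsReporting = true` the daemon would fall back to the default `/tmp/netdata-ipc` that the commit message describes as insecure, while the wrapped `netdatacli` still looks at `/run/netdata/ipc`. The line belongs in the unconditional set beside `PYTHONPATH`. The added `netdatacli ping` test appears to run only with the module's default options, so it would not catch this case. The `environment` attribute set starts outside the hunk.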
@@ -10,7 +10,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { netdata = { pkgs, ... }: { - environment.systemPackages = with pkgs; [ curl jq ]; + environment.systemPackages = with pkgs; [ curl jq netdata ]; services.netdata.enable = true; }; }; @@ -34,5 +34,8 @@ import ./make-test-python.nix ({ pkgs, ...} : { filter = '[.data[range(10)][.labels | indices("root")[0]]] | add | . > 0' cmd = f"curl -s {url} | jq -e '{filter}'" netdata.wait_until_succeeds(cmd) + + # check if the control socket is available + netdata.succeed("sudo netdatacli ping") ''; }) diff --git a/pkgs/tools/system/netdata/default.nix b/pkgs/tools/system/netdata/default.nix index 6c89a3d2e559..c99151299eac 100644 --- a/pkgs/tools/system/netdata/default.nix +++ b/pkgs/tools/system/netdata/default.nix @@ -103,6 +103,7 @@ stdenv.mkDerivation rec { postFixup = '' wrapProgram $out/bin/netdata-claim.sh --prefix PATH : ${lib.makeBinPath [ openssl ]} wrapProgram $out/libexec/netdata/plugins.d/cgroup-network-helper.sh --prefix PATH : ${lib.makeBinPath [ bash ]} + wrapProgram $out/bin/netdatacli --set NETDATA_PIPENAME /run/netdata/ipc ''; enableParallelBuild = true; diff --git a/pkgs/tools/system/netdata/ipc-socket-in-run.patch b/pkgs/tools/system/netdata/ipc-socket-in-run.patch deleted file mode 100644 index a117955af095..000000000000 --- a/pkgs/tools/system/netdata/ipc-socket-in-run.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/daemon/commands.h b/daemon/commands.h -index bd4aabfe1cbe4..ce7eb3c730228 100644 ---- a/daemon/commands.h -+++ b/daemon/commands.h -@@ -6,7 +6,7 @@ - #ifdef _WIN32 - # define PIPENAME "\\\\?\\pipe\\netdata-cli" - #else --# define PIPENAME "/tmp/netdata-ipc" -+# define PIPENAME "/run/netdata/ipc" - #endif - - #define MAX_COMMAND_LENGTH 4096
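Review bot: In the `pkgs/tools/system/netdata/default.nix` hunk, `wrapProgram $out/bin/netdatacli --set NETDATA_PIPENAME /run/netdata/ipc` overwrites any value already present in the caller's environment, so the packaged CLI can only reach a daemon listening at that one path. If the package is meant to be usable outside the NixOS module, for example with a daemon started under a different `NETDATA_PIPENAME`, then `--set-default NETDATA_PIPENAME /run/netdata/ipc` keeps the same default while still honouring an explicit setting. If pinning the path is intentional, a short comment in `postFixup` stating that it must match the value in the module's service environment would help keep the two in sync.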