systemd configuration prevents access to /proc/self/io #37

Open
zekker6 opened this issue Dec 14, 2022 · 2 comments
Labels
bug Something isn't working

Comments

@zekker6
Collaborator

zekker6 commented Dec 14, 2022

The current systemd service configuration causes errors on attempts to read /proc/self/io.
At the same time, other /proc/self/... files can be accessed normally.

A temporary workaround can be to add:

CapabilityBoundingSet=CAP_DAC_READ_SEARCH
AmbientCapabilities=CAP_DAC_READ_SEARCH

This bypasses the permission check and makes reading the files succeed.

We need to find the reason for this behaviour and fix it.

@zekker6 zekker6 added the bug Something isn't working label Dec 14, 2022
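The report above describes the symptom (EACCES on /proc/self/io while other /proc/self files read fine) and a capability-based workaround, but not yet the reason. The following diagnostic is an added example, not code from the issue or from the VictoriaMetrics project: it reads /proc/self/io the way a process exporter would, parses the kernel's "key: value" format, and on failure reports the discretionary-access facts that decide the outcome. Those facts are general kernel behaviour documented in proc(5): /proc/<pid>/io is mode 0400, it is owned by the process's effective uid, and the kernel assigns the whole /proc/<pid> directory to root when the process's dumpable attribute is not 1. CAP_DAC_READ_SEARCH, the workaround in the issue, bypasses exactly that mode check, which is why it makes the read succeed. The path, the constructed sample and the `Diagnose`/`Explain` names are assumptions of this example; the program makes no claim about which of the reported facts applies to the vmalert host.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
	"syscall"
)

// SampleProcIO is a constructed example of the /proc/<pid>/io text format
// (not captured from the host in the issue).
const SampleProcIO = `rchar: 123456
wchar: 7890
syscr: 100
syscw: 50
read_bytes: 8192
write_bytes: 4096
cancelled_write_bytes: 0
`

// IOStats holds the four counters process exporters usually publish from /proc/<pid>/io.
type IOStats struct {
	RChar, WChar, ReadBytes, WriteBytes uint64
}

// ParseProcIO parses the "key: value" lines the kernel writes for /proc/<pid>/io.
func ParseProcIO(data string) (IOStats, error) {
	var st IOStats
	fields := map[string]*uint64{"rchar": &st.RChar, "wchar": &st.WChar,
		"read_bytes": &st.ReadBytes, "write_bytes": &st.WriteBytes}
	seen := 0
	for _, line := range strings.Split(data, "\n") {
		key, val, ok := strings.Cut(line, ":")
		dst := fields[strings.TrimSpace(key)]
		if !ok || dst == nil {
			continue // unknown or malformed line: ignore, as an exporter would
		}
		n, err := strconv.ParseUint(strings.TrimSpace(val), 10, 64)
		if err != nil {
			return st, fmt.Errorf("bad value for %q: %w", key, err)
		}
		*dst, seen = n, seen+1
	}
	if seen != 4 {
		return st, errors.New("incomplete /proc io data")
	}
	return st, nil
}

// Diagnosis records the DAC facts that decide whether a process may read its own
// /proc/self/io: the file is 0400 and owned by the process's effective uid, or by
// root when the process is not dumpable (see proc(5)).
type Diagnosis struct {
	Path     string
	ReadErr  error       // nil when the read succeeded
	IsEACCES bool        // true when the kernel refused with EACCES
	Mode     os.FileMode // permission bits from stat(2)
	OwnerUID uint32      // owner from stat(2)
	EUID     uint32      // effective uid of this process
	Dumpable int         // PR_GET_DUMPABLE result; -1 if prctl failed
}

const prGetDumpable = 3 // PR_GET_DUMPABLE from <linux/prctl.h>

// Diagnose reads path as an exporter would and collects ownership, mode and
// dumpable state alongside, whatever the outcome of the read.
func Diagnose(path string) Diagnosis {
	d := Diagnosis{Path: path, EUID: uint32(os.Geteuid()), Dumpable: -1}
	if _, err := os.ReadFile(path); err != nil {
		d.ReadErr = err
		d.IsEACCES = errors.Is(err, syscall.EACCES)
	}
	if fi, err := os.Stat(path); err == nil {
		d.Mode = fi.Mode().Perm()
		if st, ok := fi.Sys().(*syscall.Stat_t); ok {
			d.OwnerUID = st.Uid
		}
	}
	if r, _, errno := syscall.Syscall(syscall.SYS_PRCTL, prGetDumpable, 0, 0); errno == 0 {
		d.Dumpable = int(r)
	}
	return d
}

// Explain renders the diagnosis as one log-friendly line.
func (d Diagnosis) Explain() string {
	facts := fmt.Sprintf("mode %04o, owner uid %d, euid %d, dumpable %d", d.Mode, d.OwnerUID, d.EUID, d.Dumpable)
	switch {
	case d.ReadErr == nil:
		return fmt.Sprintf("%s is readable (%s)", d.Path, facts)
	case d.IsEACCES:
		msg := fmt.Sprintf("%s: EACCES (%s)", d.Path, facts)
		if d.OwnerUID != d.EUID {
			msg += "; not owned by this euid, so mode 0400 denies the read; CAP_DAC_READ_SEARCH bypasses that check"
		}
		if d.Dumpable == 0 {
			msg += "; process is not dumpable, so the kernel assigns its /proc entries to root"
		}
		return msg
	default:
		return fmt.Sprintf("%s: read failed: %v", d.Path, d.ReadErr)
	}
}

func main() {
	d := Diagnose("/proc/self/io")
	fmt.Println(d.Explain())
	if d.ReadErr == nil {
		data, _ := os.ReadFile(d.Path)
		st, err := ParseProcIO(string(data))
		fmt.Printf("stats=%+v parseErr=%v\n", st, err)
	}
}
```

Running this binary under the same unit settings as the affected service (same User=, ProtectSystem=, NoNewPrivileges=, without the capability workaround) shows in one line whether the owner uid or the dumpable flag differs from what the service expects, which narrows the cause before any capability is granted; the output is safe to leave in the journal since it contains no secrets.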
@proffust

Type=simple
Restart=always
NotifyAccess=none
RestartUSec=100ms
TimeoutStartUSec=1min 30s
TimeoutStopUSec=1min 30s
WatchdogUSec=0
WatchdogTimestamp=Wed 2022-12-14 21:43:15 MSK
WatchdogTimestampMonotonic=184008263288
StartLimitInterval=10000000
StartLimitBurst=5
StartLimitAction=none
FailureAction=none
PermissionsStartOnly=no
RootDirectoryStartOnly=no
RemainAfterExit=no
GuessMainPID=yes
MainPID=4744
ControlPID=0
FileDescriptorStoreMax=0
StatusErrno=0
Result=success
ExecMainStartTimestamp=Wed 2022-12-14 21:43:15 MSK
ExecMainStartTimestampMonotonic=184008263165
ExecMainExitTimestampMonotonic=0
ExecMainPID=4744
ExecMainCode=0
ExecMainStatus=0
ExecStart={ path=/usr/local/bin/vmalert-prod ; argv[]=/usr/local/bin/vmalert-prod --httpListenAddr=127.0.0.1:8880 --datasource.url=http://localhost:8428 --notifier.url=http://localhost:9093 --rule=/opt/vic-vmalert/* --evaluationInterval=30s --datasource.basicAuth.password=* --datasource.basicAuth.username=vmsingle --httpAuth.password=* --httpAuth.username=vmalert --remoteRead.basicAuth.password=* --remoteRead.basicAuth.username=vmsingle --remoteWrite.basicAuth.password=* --remoteWrite.basicAuth.username=vmsingle --notifier.basicAuth.password=* --notifier.basicAuth.username=alertmanager ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }
Slice=system.slice
ControlGroup=/system.slice/vic-vmalert.service
MemoryCurrent=15990784
TasksCurrent=18446744073709551615
Delegate=no
CPUAccounting=no
CPUShares=18446744073709551615
StartupCPUShares=18446744073709551615
CPUQuotaPerSecUSec=infinity
BlockIOAccounting=no
BlockIOWeight=18446744073709551615
StartupBlockIOWeight=18446744073709551615
MemoryAccounting=no
MemoryLimit=18446744073709551615
DevicePolicy=auto
TasksAccounting=no
TasksMax=18446744073709551615
UMask=0022
LimitCPU=18446744073709551615
LimitFSIZE=18446744073709551615
LimitDATA=18446744073709551615
LimitSTACK=18446744073709551615
LimitCORE=18446744073709551615
LimitRSS=18446744073709551615
LimitNOFILE=4096
LimitAS=18446744073709551615
LimitNPROC=1854
LimitMEMLOCK=65536
LimitLOCKS=18446744073709551615
LimitSIGPENDING=1854
LimitMSGQUEUE=819200
LimitNICE=0
LimitRTPRIO=0
LimitRTTIME=18446744073709551615
OOMScoreAdjust=0
Nice=0
IOScheduling=0
CPUSchedulingPolicy=0
CPUSchedulingPriority=0
TimerSlackNSec=50000
CPUSchedulingResetOnFork=no
NonBlocking=no
StandardInput=null
StandardOutput=journal
StandardError=inherit
TTYReset=no
TTYVHangup=no
TTYVTDisallocate=no
SyslogPriority=30
SyslogIdentifier=vic-vmalert
SyslogLevelPrefix=yes
SecureBits=0
CapabilityBoundingSet=18446744073709551615
AmbientCapabilities=0
User=vic_vm_alert
Group=vic_vm_alert
MountFlags=0
PrivateTmp=yes
PrivateNetwork=no
PrivateDevices=no
ProtectHome=yes
ProtectSystem=full
SameProcessGroup=no
IgnoreSIGPIPE=yes
NoNewPrivileges=yes
SystemCallErrorNumber=0
RuntimeDirectoryMode=0755
KillMode=control-group
KillSignal=15
SendSIGKILL=yes
SendSIGHUP=no
Id=vic-vmalert.service
Names=vic-vmalert.service
Requires=basic.target system.slice -.mount
WantedBy=multi-user.target
Conflicts=shutdown.target
Before=shutdown.target multi-user.target
After=basic.target -.mount tmp.mount system.slice systemd-journald.socket network.target
RequiresMountsFor=/var/tmp
Description=Description=VictoriaMetrics VMalert service
LoadState=loaded
ActiveState=active
SubState=running
FragmentPath=/etc/systemd/system/vic-vmalert.service
UnitFileState=enabled
UnitFilePreset=disabled
InactiveExitTimestamp=Wed 2022-12-14 21:43:15 MSK
InactiveExitTimestampMonotonic=184008263355
ActiveEnterTimestamp=Wed 2022-12-14 21:43:15 MSK
ActiveEnterTimestampMonotonic=184008263355
ActiveExitTimestamp=Wed 2022-12-14 21:43:15 MSK
ActiveExitTimestampMonotonic=184008254816
InactiveEnterTimestamp=Wed 2022-12-14 21:43:15 MSK
InactiveEnterTimestampMonotonic=184008258724
CanStart=yes
CanStop=yes
CanReload=no
CanIsolate=no
StopWhenUnneeded=no
RefuseManualStart=no
RefuseManualStop=no
AllowIsolate=no
DefaultDependencies=yes
OnFailureJobMode=replace
IgnoreOnIsolate=no
IgnoreOnSnapshot=no
NeedDaemonReload=no
JobTimeoutUSec=0
JobTimeoutAction=none
ConditionResult=yes
AssertResult=yes
ConditionTimestamp=Wed 2022-12-14 21:43:15 MSK
ConditionTimestampMonotonic=184008260712
AssertTimestamp=Wed 2022-12-14 21:43:15 MSK
AssertTimestampMonotonic=184008260712
Transient=no
CollectMode=inactive

@serrrios

3 participants