Collectd improvements

- Increase the service stop timeout to give collectd time to flush the values to RRD files on the disk. It currently takes ~1m30s, setting the timeout to 5m - add the unix socket plugin and configure the CGI to make use of it to request a flush of the RRD values when a graph is generated - add SELinux permissions to allow those two to talk to each other Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2023-06-02 08:15:12 +02:00 · 2023-06-02 08:15:12 +02:00 · dc623ed962
commit dc623ed962
parent d2fe0e7df2
7 changed files with 40 additions and 2 deletions
--- a/roles/collectd/base/files/selinux/fi-collectd.mod
+++ b/roles/collectd/base/files/selinux/fi-collectd.mod
--- a/roles/collectd/base/files/selinux/fi-collectd.pp
+++ b/roles/collectd/base/files/selinux/fi-collectd.pp
--- a/roles/collectd/base/files/selinux/fi-collectd.te
+++ b/roles/collectd/base/files/selinux/fi-collectd.te
@ -4,6 +4,8 @@ require {
    type shell_exec_t;
    type bin_t;
    type collectd_t;
+    type collectd_script_t;
+    type collectd_var_run_t;
    type configfs_t;
    type hostname_exec_t;
    type init_t;
@ -16,7 +18,7 @@ require {
    type initrc_t;
    type proc_net_t;

-    class capability { kill setuid dac_read_search sys_ptrace setgid dac_override };
+    class capability { kill setuid dac_read_search sys_ptrace setgid dac_override chown };
    class dir { getattr read };
    class file { execute read write getattr execute_no_trans ioctl open };
    class lnk_file read;
@ -42,3 +44,10 @@ allow collectd_t anon_inodefs_t:file { write read };
 allow collectd_t initrc_t:unix_stream_socket connectto;
 allow collectd_t proc_net_t:lnk_file read;
 allow collectd_t self:netlink_generic_socket { create bind getattr };
+# allow chown for the unix socket
+# https://bugzilla.redhat.com/show_bug.cgi?id=1304029#c9
+allow collectd_t self:capability chown;
+
+# Allow the CGI to request a flush of the RRDs through collectd's unix socket
+#============= collectd_script_t ==============
+allow collectd_script_t collectd_var_run_t:sock_file write;
--- a/roles/collectd/server/files/collection.conf
+++ b/roles/collectd/server/files/collection.conf
@ -1,6 +1,6 @@
 #DataDir "/var/lib/collectd/rrd"
 GraphWidth 400
-#UnixSockAddr "/var/run/collectd-unixsock"
+UnixSockAddr "/var/run/collectd-unixsock"
 <Type apache_bytes>
  DataSources value
  DSName "value Bytes/s"
--- a/roles/collectd/server/files/service.timeout.conf
+++ b/roles/collectd/server/files/service.timeout.conf
@ -0,0 +1,3 @@
+# Give collectd the time to flush data to rrd files on disk
+[Service]
+TimeoutStopSec=5m
--- a/roles/collectd/server/files/unixsock.conf
+++ b/roles/collectd/server/files/unixsock.conf
@ -0,0 +1,7 @@
+LoadPlugin unixsock
+<Plugin unixsock>
+        SocketFile "/var/run/collectd-unixsock"
+        SocketGroup "apache"
+        SocketPerms "0660"
+        DeleteSocket true
+</Plugin>
--- a/roles/collectd/server/tasks/main.yml
+++ b/roles/collectd/server/tasks/main.yml
@ -50,6 +50,7 @@
  loop:
  - rrdtool.conf
  - fmn.conf
+  - unixsock.conf
  notify:
  - restart collectd
  tags:
@ -85,3 +86,21 @@
  tags:
  - config
  - collectd/server
+
+- name: create the service configuration directory
+  file:
+    path: /etc/systemd/system/collectd.service.d
+    type: directory
+  tags:
+  - config
+  - collectd/server
+
+- name: override the timeout for stopping collectd
+  copy:
+    src: service.timeout.conf
+    dest: /etc/systemd/system/collectd.service.d/timeout.conf
+  notify:
+  - reload systemd
+  tags:
+  - config
+  - collectd/server