diff --git a/roles/collectd/base/files/selinux/fi-collectd.mod b/roles/collectd/base/files/selinux/fi-collectd.mod
index e349334f38..591c3685b8 100644
Binary files a/roles/collectd/base/files/selinux/fi-collectd.mod and b/roles/collectd/base/files/selinux/fi-collectd.mod differ
diff --git a/roles/collectd/base/files/selinux/fi-collectd.pp b/roles/collectd/base/files/selinux/fi-collectd.pp
index 72f1e69abf..c61021eb18 100644
Binary files a/roles/collectd/base/files/selinux/fi-collectd.pp and b/roles/collectd/base/files/selinux/fi-collectd.pp differ
diff --git a/roles/collectd/base/files/selinux/fi-collectd.te b/roles/collectd/base/files/selinux/fi-collectd.te
index 630d7fa6e4..248c2a3218 100644
--- a/roles/collectd/base/files/selinux/fi-collectd.te
+++ b/roles/collectd/base/files/selinux/fi-collectd.te
@@ -4,6 +4,8 @@ require {
 type shell_exec_t;
 type bin_t;
 type collectd_t;
+ type collectd_script_t;
+ type collectd_var_run_t;
 type configfs_t;
 type hostname_exec_t;
 type init_t;
@@ -16,7 +18,7 @@ require {
 type initrc_t;
 type proc_net_t;
- class capability { kill setuid dac_read_search sys_ptrace setgid dac_override };
+ class capability { kill setuid dac_read_search sys_ptrace setgid dac_override chown };
 class dir { getattr read };
 class file { execute read write getattr execute_no_trans ioctl open };
 class lnk_file read;
@@ -42,3 +44,10 @@ allow collectd_t anon_inodefs_t:file { write read };
 allow collectd_t initrc_t:unix_stream_socket connectto;
 allow collectd_t proc_net_t:lnk_file read;
 allow collectd_t self:netlink_generic_socket { create bind getattr };
+# allow chown for the unix socket
+# https://bugzilla.redhat.com/show_bug.cgi?id=1304029#c9
+allow collectd_t self:capability chown;
+
+# Allow the CGI to request a flush of the RRDs through collectd's unix socket
+#============= collectd_script_t ==============
+allow collectd_script_t collectd_var_run_t:sock_file write;
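Review bot: The last hunk's new rule `allow collectd_script_t collectd_var_run_t:sock_file write;` only covers opening the socket file; connecting to a listening AF_UNIX stream socket is additionally checked against the listening domain, so the CGI will most likely still be denied unless the base policy already grants `allow collectd_script_t collectd_t:unix_stream_socket connectto;` (the context line `allow collectd_t initrc_t:unix_stream_socket connectto;` shows the same pattern being needed in the other direction). Worth verifying against the AVC denials after deploying rather than trusting a single audit2allow pass, since the second denial only appears once the first is fixed. The `chown` capability in the second hunk is granted to collectd_t for everything it does, not only the socket; the comment above the rule should say that the grant is domain-wide and exists for `SocketGroup` to work, e.g. `# CAP_CHOWN for collectd_t as a whole (needed so the unixsock plugin can chgrp the socket to SocketGroup)`.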
diff --git a/roles/collectd/server/files/collection.conf b/roles/collectd/server/files/collection.conf
index 8ace02ded5..f82addab37 100644
--- a/roles/collectd/server/files/collection.conf
+++ b/roles/collectd/server/files/collection.conf
@@ -1,6 +1,6 @@
 #DataDir "/var/lib/collectd/rrd"
 GraphWidth 400
-#UnixSockAddr "/var/run/collectd-unixsock"
+UnixSockAddr "/var/run/collectd-unixsock"
 DataSources value
 DSName "value Bytes/s"
diff --git a/roles/collectd/server/files/service.timeout.conf b/roles/collectd/server/files/service.timeout.conf
new file mode 100644
index 0000000000..2259924df7
--- /dev/null
+++ b/roles/collectd/server/files/service.timeout.conf
@@ -0,0 +1,3 @@
+# Give collectd the time to flush data to rrd files on disk
+[Service]
+TimeoutStopSec=5m
diff --git a/roles/collectd/server/files/unixsock.conf b/roles/collectd/server/files/unixsock.conf
new file mode 100644
index 0000000000..6a275abb13
--- /dev/null
+++ b/roles/collectd/server/files/unixsock.conf
@@ -0,0 +1,7 @@
+LoadPlugin unixsock
+
+ SocketFile "/var/run/collectd-unixsock"
+ SocketGroup "apache"
+ SocketPerms "0660"
+ DeleteSocket true
+
diff --git a/roles/collectd/server/tasks/main.yml b/roles/collectd/server/tasks/main.yml
index af84619da1..2b273f40f4 100644
--- a/roles/collectd/server/tasks/main.yml
+++ b/roles/collectd/server/tasks/main.yml
@@ -50,6 +50,7 @@
 loop:
 - rrdtool.conf
 - fmn.conf
+ - unixsock.conf
 notify:
 - restart collectd
 tags:
@@ -85,3 +86,21 @@
 tags:
 - config
 - collectd/server
+
+- name: create the service configuration directory
+ file:
+ path: /etc/systemd/system/collectd.service.d
+ type: directory
+ tags:
+ - config
+ - collectd/server
+
+- name: override the timeout for stopping collectd
+ copy:
+ src: service.timeout.conf
+ dest: /etc/systemd/system/collectd.service.d/timeout.conf
+ notify:
+ - reload systemd
+ tags:
+ - config
+ - collectd/server
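Review bot: The `SocketGroup "apache"` / `SocketPerms "0660"` pair in the unixsock.conf hunk gives write access on the control socket to every process in the apache group, not only the collection3 CGI, and the unixsock plugin serves the full command set over that socket (PUTVAL, GETVAL, LISTVAL, FLUSH), so a compromised or misbehaving web process could inject or read metrics, not just trigger a flush. That is a reasonable trade-off for this deployment, but the file should record it so the group or mode is not loosened later; suggest `# apache group can issue any unixsock command (PUTVAL etc.), not only FLUSH -- keep 0660` above SocketGroup. The `<Plugin unixsock>` / `</Plugin>` delimiters do not appear in this rendering of the hunk, presumably lost in extraction rather than missing from the file; worth a glance at the committed file.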
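Review bot: The `file` task in the second main.yml hunk uses `type: directory`, which is not a parameter of Ansible's file module (the directory state is selected with `state: directory`), so as written the task fails with an unsupported-parameter error and the timeout drop-in is never copied. Change the line to `state: directory`. The copy task notifies `reload systemd`; that handler is not visible here and must exist in the role, and a daemon-reload is indeed all the drop-in needs (no collectd restart), so the notify choice itself is fine.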