From dc623ed9620635a08708d8e62dab252f7be7bcee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Fri, 2 Jun 2023 08:15:12 +0200 Subject: [PATCH] Collectd improvements MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Increase the service stop timeout to give collectd time to flush the values to RRD files on the disk. It currently takes ~1m30s, setting the timeout to 5m - add the unix socket plugin and configure the CGI to make use of it to request a flush of the RRD values when a graph is generated - add SELinux permissions to allow those two to talk to each other Signed-off-by: Aurélien Bompard --- .../base/files/selinux/fi-collectd.mod | Bin 4112 -> 4479 bytes .../base/files/selinux/fi-collectd.pp | Bin 4128 -> 4495 bytes .../base/files/selinux/fi-collectd.te | 11 +++++++++- roles/collectd/server/files/collection.conf | 2 +- .../server/files/service.timeout.conf | 3 +++ roles/collectd/server/files/unixsock.conf | 7 +++++++ roles/collectd/server/tasks/main.yml | 19 ++++++++++++++++++ 7 files changed, 40 insertions(+), 2 deletions(-) create mode 100644 roles/collectd/server/files/service.timeout.conf create mode 100644 roles/collectd/server/files/unixsock.conf 
diff --git a/roles/collectd/base/files/selinux/fi-collectd.mod b/roles/collectd/base/files/selinux/fi-collectd.mod index e349334f388077a2a84b3c0e47e96686d248957f..591c3685b8f7ab0e7b07a4f571aee645f4305665 100644 GIT binary patch delta 469 zcmX|7yGjF55S_cbci(xKh>E*l6tNL(#7AeM76u_&#KLL~t6)gThPawGKOhlKC01f% zp&(dTScqSc!VeI^-Uxz)MdWTY#lRWn%$YOiEYq91J7svZY@D+o#)(KHBL6UG)}TvY zu_O`wmx+?>U|LS{6cKUJjru{gdf&UaO5}2 z^*>IOPm20wfq^SXUb)nGRlzJl;(QOJ*J$mV*m3&$7s=<6@JwkW*(6SVdH{P>sheLG%YX_3KT K(*GWvMD7>7#(%B= delta 333 zcmXAhKS;w+9E5+bNnT!G{;CuU2`IWax#-~5);csIPVP~QN<^Aa)8f{}v4Zp#$4W&J z1cfecPEK9i9XdL=IJj3*hl7vrj+-o9FTPwcjS~?^kF`rVbHlSX5V;Io+J9vrM1Tjap$m zBO_`=X_#t6BzxK}Gcswn51L`K)%btNqp$dQ*EX4p4_?JH_i@6XFffZKNr6|@#h9;S zWM;mGIo(HW)X-H0I(iYI*utmo<4xS6EEdqoKjKb!sLBBQc@GaVz>4%>7y-J{Lu>^2 rkse0e#Ms!wrR`#3R#*uYYnzpj@cH4u%H^1iduMt0?UWgIX4d`yp~G1|*4b)xttMOC_fk zwGbjnW872WjT%fMzbDA zwMr5tzP^P|KE|>sXU51gJ4IDvj#(P1YOR_?iFW1U%~)aHFH_i}hlmW_^>-cY$IWWv zPgr4(hp32omPbP_U{!`N9kU1}7qMW4@Kvd058>Nf#IqeDvTiWy1PJU0 zTsQ&V?GnD60835@n<~JaQ)07NmxFqdonl>%;6!cUSgi?0M6+nf0Bu=laRVLUV!+g* z7Rp|(#a(=;N%jrqO<~LJ!dRvj7#ALu9qEeZi?Lrtr=)c>I1ajf8D zQE(_kbaZuda_Zvl&_!@?k<{V9$9E2=SG=AbTrrIk5yvg-U@rG<*+i7ZB_e@=;!VZP z~z}427%>nYlW?LLtho>=>;^!D!z0d@8SlVVg|kZ1D=G3Z6iRO_wZr_C>tI;8K7@? u=*r+idKhvOBe{c1+l6CQSp{3x8mr)(Pp7Gs%P||zPBHy;mKb&?7XJW#<6*A= diff --git a/roles/collectd/base/files/selinux/fi-collectd.te b/roles/collectd/base/files/selinux/fi-collectd.te index 630d7fa6e4..248c2a3218 100644 --- a/roles/collectd/base/files/selinux/fi-collectd.te +++ b/roles/collectd/base/files/selinux/fi-collectd.te @@ -4,6 +4,8 @@ require { type shell_exec_t; type bin_t; type collectd_t; + type collectd_script_t; + type collectd_var_run_t; type configfs_t; type hostname_exec_t; type init_t; 
@@ -16,7 +18,7 @@ require { type initrc_t; type proc_net_t; - class capability { kill setuid dac_read_search sys_ptrace setgid dac_override }; + class capability { kill setuid dac_read_search sys_ptrace setgid dac_override chown }; class dir { getattr read }; class file { execute read write getattr execute_no_trans ioctl open }; class lnk_file read; @@ -42,3 +44,10 @@ allow collectd_t anon_inodefs_t:file { write read }; allow collectd_t initrc_t:unix_stream_socket connectto; allow collectd_t proc_net_t:lnk_file read; allow collectd_t self:netlink_generic_socket { create bind getattr }; +# allow chown for the unix socket +# https://bugzilla.redhat.com/show_bug.cgi?id=1304029#c9 +allow collectd_t self:capability chown; + +# Allow the CGI to request a flush of the RRDs through collectd's unix socket +#============= collectd_script_t ============== +allow collectd_script_t collectd_var_run_t:sock_file write; diff --git a/roles/collectd/server/files/collection.conf b/roles/collectd/server/files/collection.conf index 8ace02ded5..f82addab37 100644 --- a/roles/collectd/server/files/collection.conf +++ b/roles/collectd/server/files/collection.conf @@ -1,6 +1,6 @@ #DataDir "/var/lib/collectd/rrd" GraphWidth 400 -#UnixSockAddr "/var/run/collectd-unixsock" +UnixSockAddr "/var/run/collectd-unixsock" DataSources value DSName "value Bytes/s" diff --git a/roles/collectd/server/files/service.timeout.conf b/roles/collectd/server/files/service.timeout.conf new file mode 100644 index 0000000000..2259924df7 --- /dev/null +++ b/roles/collectd/server/files/service.timeout.conf @@ -0,0 +1,3 @@ +# Give collectd the time to flush data to rrd files on disk +[Service] +TimeoutStopSec=5m diff --git a/roles/collectd/server/files/unixsock.conf b/roles/collectd/server/files/unixsock.conf new file mode 100644 index 0000000000..6a275abb13 --- /dev/null +++ b/roles/collectd/server/files/unixsock.conf 
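Review bot: In the last fi-collectd.te hunk (`@@ -42,3 +44,10 @@`), `allow collectd_script_t collectd_var_run_t:sock_file write;` permits only the write on the socket file, whereas SELinux also checks a connection to a UNIX stream socket as `unix_stream_socket connectto` against the listening domain. No such rule from collectd_script_t towards collectd_t is visible in this patch. A policy built from audit output in enforcing mode usually shows that second denial only after the first is allowed, so it may still be missing unless the base policy grants it. If the CGI flush is denied with an AVC, the rule to add is `allow collectd_script_t collectd_t:unix_stream_socket connectto;`. The require block continues outside these hunks, so confirm that `class sock_file` is declared there.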
@@ -0,0 +1,7 @@
+LoadPlugin unixsock
+
+ SocketFile "/var/run/collectd-unixsock"
+ SocketGroup "apache"
+ SocketPerms "0660"
+ DeleteSocket true
+
diff --git a/roles/collectd/server/tasks/main.yml b/roles/collectd/server/tasks/main.yml
index af84619da1..2b273f40f4 100644
--- a/roles/collectd/server/tasks/main.yml
+++ b/roles/collectd/server/tasks/main.yml
@@ -50,6 +50,7 @@
 loop:
 - rrdtool.conf
 - fmn.conf
+ - unixsock.conf
 notify:
 - restart collectd
 tags:
@@ -85,3 +86,21 @@
 tags:
 - config
 - collectd/server
+
+- name: create the service configuration directory
+ file:
+ path: /etc/systemd/system/collectd.service.d
+ type: directory
+ tags:
+ - config
+ - collectd/server
+
+- name: override the timeout for stopping collectd
+ copy:
+ src: service.timeout.conf
+ dest: /etc/systemd/system/collectd.service.d/timeout.conf
+ notify:
+ - reload systemd
+ tags:
+ - config
+ - collectd/server
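Review bot: In unixsock.conf, `SocketGroup "apache"` with `SocketPerms "0660"` gives every process in the apache group read/write access to collectd's control socket, and that socket is not limited to FLUSH: the unixsock protocol also accepts PUTVAL and PUTNOTIF, with no per-command authorisation. Any code served by the web server on this host could therefore write metric values or notifications into collectd, unless SELinux confines it; as far as this patch shows, only collectd_script_t is granted access, and only while SELinux is enforcing. A header comment should record that dependency, for example `# Group-writable for the collection CGI (FLUSH only intended); unixsock also accepts PUTVAL/PUTNOTIF, access is confined by the fi-collectd SELinux module`. The socket path is also repeated in collection.conf's `UnixSockAddr`, so the two must be kept in sync.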
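Review bot: In the "create the service configuration directory" task of main.yml, `type: directory` is not a parameter of Ansible's `file` module, so the task is expected to fail with an unsupported-parameter error instead of creating `/etc/systemd/system/collectd.service.d`; the module takes `state: directory`. Both new tasks also leave ownership and mode to the defaults. For a systemd drop-in it is worth pinning `owner: root`, `group: root` and `mode: "0755"` on the directory, and `mode: "0644"` on the copied `timeout.conf`. The `reload systemd` handler is not defined in this hunk, so confirm it exists in the role's handlers.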