Infrastructure/ansible
3
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Collectd improvements

Browse source 
- Increase the service stop timeout to give collectd time to flush the
  values to RRD files on the disk. It currently takes ~1m30s, setting
  the timeout to 5m
- add the unix socket plugin and configure the CGI to make use of it to
  request a flush of the RRD values when a graph is generated
- add SELinux permissions to allow those two to talk to each other

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
This commit is contained in:
Aurélien Bompard 2023-06-02 08:15:12 +02:00
parent d2fe0e7df2
commit dc623ed962
No known key found for this signature in database
GPG key ID: 31584CFEB9BF64AD
7 changed files with 40 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

BIN
roles/collectd/base/files/selinux/fi-collectd.mod
View file

Binary file not shown.

BIN
roles/collectd/base/files/selinux/fi-collectd.pp
View file

Binary file not shown.

11
roles/collectd/base/files/selinux/fi-collectd.te
View file

@ -4,6 +4,8 @@ require {
type shell_exec_t; type shell_exec_t;
type bin_t; type bin_t;
type collectd_t; type collectd_t;
type collectd_script_t;
type collectd_var_run_t;
type configfs_t; type configfs_t;
type hostname_exec_t; type hostname_exec_t;
type init_t; type init_t;
@ -16,7 +18,7 @@ require {
type initrc_t; type initrc_t;
type proc_net_t; type proc_net_t;
class capability { kill setuid dac_read_search sys_ptrace setgid dac_override }; class capability { kill setuid dac_read_search sys_ptrace setgid dac_override chown };
class dir { getattr read }; class dir { getattr read };
class file { execute read write getattr execute_no_trans ioctl open }; class file { execute read write getattr execute_no_trans ioctl open };
class lnk_file read; class lnk_file read;
@ -42,3 +44,10 @@ allow collectd_t anon_inodefs_t:file { write read };
allow collectd_t initrc_t:unix_stream_socket connectto; allow collectd_t initrc_t:unix_stream_socket connectto;
allow collectd_t proc_net_t:lnk_file read; allow collectd_t proc_net_t:lnk_file read;
allow collectd_t self:netlink_generic_socket { create bind getattr }; allow collectd_t self:netlink_generic_socket { create bind getattr };
# allow chown for the unix socket
# https://bugzilla.redhat.com/show_bug.cgi?id=1304029#c9
allow collectd_t self:capability chown;
# Allow the CGI to request a flush of the RRDs through collectd's unix socket
#============= collectd_script_t ==============
allow collectd_script_t collectd_var_run_t:sock_file write;

2
roles/collectd/server/files/collection.conf
View file

@ -1,6 +1,6 @@
#DataDir "/var/lib/collectd/rrd" #DataDir "/var/lib/collectd/rrd"
GraphWidth 400 GraphWidth 400
#UnixSockAddr "/var/run/collectd-unixsock" UnixSockAddr "/var/run/collectd-unixsock"
<Type apache_bytes> <Type apache_bytes>
DataSources value DataSources value
DSName "value Bytes/s" DSName "value Bytes/s"

3
roles/collectd/server/files/service.timeout.conf Normal file
View file

@ -0,0 +1,3 @@
# Give collectd the time to flush data to rrd files on disk
[Service]
TimeoutStopSec=5m

7
roles/collectd/server/files/unixsock.conf Normal file
View file

@ -0,0 +1,7 @@
LoadPlugin unixsock
<Plugin unixsock>
SocketFile "/var/run/collectd-unixsock"
SocketGroup "apache"
SocketPerms "0660"
DeleteSocket true
</Plugin>

19
roles/collectd/server/tasks/main.yml
View file

@ -50,6 +50,7 @@
loop: loop:
- rrdtool.conf - rrdtool.conf
- fmn.conf - fmn.conf
- unixsock.conf
notify: notify:
- restart collectd - restart collectd
tags: tags:
@ -85,3 +86,21 @@
tags: tags:
- config - config
- collectd/server - collectd/server
- name: create the service configuration directory
file:
path: /etc/systemd/system/collectd.service.d
type: directory
tags:
- config
- collectd/server
- name: override the timeout for stopping collectd
copy:
src: service.timeout.conf
dest: /etc/systemd/system/collectd.service.d/timeout.conf
notify:
- reload systemd
tags:
- config
- collectd/server