collectd: Run collectd in privileged container
Installing packages with `rpm-ostree` is somewhat problematic. Notably, if a new package needs an update of an already-installed package (e.g. shared library), the new package cannot be installed until a new version of CoreOS is published with the updated dependency. In order for collectd to be effective, the container it runs in has to have most isolation features disabled. Most importantly, the PID, UTS, and network namespaces need to be shared with the host, so that *collectd* can "see" the actual values. Additionally, the default SELinux policy for containerized processes denies practically all of the instrumentation syscalls *collectd* needs, so it needs to run in the unconfined `spc_t` domain. Finally, the `/run` directory needs to be shared with the host, so *collectd* can communicate with various daemons via UNIX sockets.
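--- /dev/null
+++ b/collectd.container
@@ -0,0 +1,21 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Collectd statistics daemon
+After=network.target
+Wants=network.target
+
+[Container]
+Image=git.pyrocufflink.net/containerimages/collectd:latest
+Volume=/etc/collectd.d:/etc/collectd.d:ro
+Volume=/run:/run:rw
+Tmpfs=/tmp
+Network=host
+SecurityLabelDisable=true
+PodmanArgs=--privileged
+PodmanArgs=--ipc=host
+PodmanArgs=--uts=host
+PodmanArgs=--pid=host
+PodmanArgs=--cgroupns=host
+
+[Install]
+WantedBy=multi-user.target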
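Review bot: `PodmanArgs=--privileged` grants the container every capability and switches off seccomp and device restrictions, which is broader than what the commit message justifies (shared PID/UTS/network namespaces, the `spc_t` domain, and access to `/run`); it also already implies `label=disable`, so `SecurityLabelDisable=true` on the line above is redundant next to it. `--ipc=host` and `--cgroupns=host` are likewise not covered by that rationale and could be dropped if collectd runs without them, which I cannot tell from the hunk. The reasoning lives only in the commit message today, and this file is what a future maintainer will read, so it belongs here as well, e.g. `# collectd must share the host PID/UTS/net namespaces and run unconfined (spc_t) to read host metrics` above `[Container]`. Because this unit runs as privileged root on the host, `Image=...:latest` means whoever can push that tag controls the host; pinning by digest (`Image=git.pyrocufflink.net/containerimages/collectd@sha256:<DIGEST>`, digest to be filled in) keeps the deployed code deterministic.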
@@ -1,22 +1,13 @@
|
||||
variant: fcos
|
||||
version: 1.4.0
|
||||
|
||||
ignition:
|
||||
config:
|
||||
merge:
|
||||
- local: packages.yaml
|
||||
|
||||
storage:
|
||||
files:
|
||||
- path: /etc/ignition/packages.d/collectd
|
||||
- path: /etc/containers/systemd/collectd.container
|
||||
mode: 0644
|
||||
contents:
|
||||
inline: |
|
||||
collectd
|
||||
collectd-chrony
|
||||
collectd-disk
|
||||
collectd-sensors
|
||||
collectd-write_prometheus
|
||||
local: collectd.container
|
||||
|
||||
- path: /etc/collectd.d/df.conf
|
||||
mode: 0644
|
||||
contents:
|
||||
@@ -27,6 +18,7 @@ storage:
|
||||
FSType overlay
|
||||
IgnoreSelected true
|
||||
</Plugin>
|
||||
|
||||
- path: /etc/collectd.d/plugins.conf
|
||||
mode: 0644
|
||||
contents:
|
||||
@@ -50,8 +42,3 @@ storage:
|
||||
<Plugin write_prometheus>
|
||||
Port 9103
|
||||
</Plugin>
|
||||
|
||||
systemd:
|
||||
units:
|
||||
- name: collectd.service
|
||||
enabled: true
|
||||
|
||||