From 4048e5cc0ade387e272ed0b3d9d14e68d79d6b37 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Tue, 3 Oct 2023 15:33:20 -0500
Subject: [PATCH] collectd: Run collectd in privileged container

Installing packages with `rpm-ostree` is somewhat problematic. Notably, if a new package needs an update of an already-installed package (e.g. shared library), the new package cannot be installed until a new version of CoreOS is published with the updated dependency. In order for collectd to be effective, the container it runs in has to have most isolation features disabled. Most importantly, the PID, UTS, and network namespaces need to be shared with the host, so that *collectd* can "see" the actual values. Additionally, the default SELinux policy for containerized processes denies practically all of the instrumentation syscalls *collectd* needs, so it needs to run in the unconfined `spc_t` domain. Finally, the `/run` directory needs to be shared with the host, so *collectd* can communicate with various daemons via UNIX sockets.
---
 collectd.container | 21 +++++++++++++++++++++
 collectd.yaml | 21 ++++-----------------
 2 files changed, 25 insertions(+), 17 deletions(-)
 create mode 100644 collectd.container

diff --git a/collectd.container b/collectd.container
new file mode 100644
index 0000000..e257c45
--- /dev/null
+++ b/collectd.container
@@ -0,0 +1,21 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Collectd statistics daemon
+After=network.target
+Wants=network.target
+
+[Container]
+Image=git.pyrocufflink.net/containerimages/collectd:latest
+Volume=/etc/collectd.d:/etc/collectd.d:ro
+Volume=/run:/run:rw
+Tmpfs=/tmp
+Network=host
+SecurityLabelDisable=true
+PodmanArgs=--privileged
+PodmanArgs=--ipc=host
+PodmanArgs=--uts=host
+PodmanArgs=--pid=host
+PodmanArgs=--cgroupns=host
+
+[Install]
+WantedBy=multi-user.target
diff --git a/collectd.yaml b/collectd.yaml
index 8ed3177..4c3cbd6 100644
--- a/collectd.yaml
+++ b/collectd.yaml
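Review bot: `Image=git.pyrocufflink.net/containerimages/collectd:latest` pins nothing, yet the same unit runs the image with `PodmanArgs=--privileged`, `Network=host` and `Volume=/run:/run:rw`, so whatever the registry serves under `latest` at the next pull runs with host-root reach; pin by digest (`Image=git.pyrocufflink.net/containerimages/collectd@sha256:<digest>` — placeholder, fill in from the registry) or at least a versioned tag, and bump it deliberately. `SecurityLabelDisable=true` looks redundant next to `--privileged`, which already turns off SELinux label separation; keep one and say why, e.g. `# --privileged already implies label=disable; kept explicit for readability`. The commit message justifies sharing PID, UTS and network namespaces, the `spc_t` domain and the `/run` mount, but not `--ipc=host` or `--cgroupns=host`; a `#` comment above each `PodmanArgs=` line naming what needs it (e.g. `# --pid=host: collectd must see host PIDs, see commit message`) would make this unit's hardening reviewable later — I cannot tell from the hunk which plugins need ipc or cgroupns, so confirm before documenting.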
@@ -1,22 +1,13 @@
 variant: fcos
 version: 1.4.0
-ignition:
- config:
- merge:
- - local: packages.yaml
-
 storage:
 files:
- - path: /etc/ignition/packages.d/collectd
+ - path: /etc/containers/systemd/collectd.container
 mode: 0644
 contents:
- inline: |
- collectd
- collectd-chrony
- collectd-disk
- collectd-sensors
- collectd-write_prometheus
+ local: collectd.container
+
 - path: /etc/collectd.d/df.conf
 mode: 0644
 contents:
@@ -27,6 +18,7 @@ storage:
 FSType overlay
 IgnoreSelected true
+
 - path: /etc/collectd.d/plugins.conf
 mode: 0644
 contents:
@@ -50,8 +42,3 @@ storage:
 Port 9103
-
-systemd:
- units:
- - name: collectd.service
- enabled: true