collectd: Run collectd in privileged container
Installing packages with `rpm-ostree` is somewhat problematic. Notably, if a new package needs an update of an already-installed package (e.g. shared library), the new package cannot be installed until a new version of CoreOS is published with the updated dependency. In order for collectd to be effective, the container it runs in has to have most isolation features disabled. Most importantly, the PID, UTS, and network namespaces need to be shared with the host, so that *collectd* can "see" the actual values. Additionally, the default SELinux policy for containerized processes denies practically all of the instrumentation syscalls *collectd* needs, so it needs to run in the unconfined `spc_t` domain. Finally, the `/run` directory needs to be shared with the host, so *collectd* can communicate with various daemons via UNIX sockets.master
parent
ebdf587de1
commit
4048e5cc0a
|
|
@ -0,0 +1,21 @@
|
||||||
|
# vim: set ft=systemd :
|
||||||
|
[Unit]
|
||||||
|
Description=Collectd statistics daemon
|
||||||
|
After=network.target
|
||||||
|
Wants=network.target
|
||||||
|
|
||||||
|
[Container]
|
||||||
|
Image=git.pyrocufflink.net/containerimages/collectd:latest
|
||||||
|
Volume=/etc/collectd.d:/etc/collectd.d:ro
|
||||||
|
Volume=/run:/run:rw
|
||||||
|
Tmpfs=/tmp
|
||||||
|
Network=host
|
||||||
|
SecurityLabelDisable=true
|
||||||
|
PodmanArgs=--privileged
|
||||||
|
PodmanArgs=--ipc=host
|
||||||
|
PodmanArgs=--uts=host
|
||||||
|
PodmanArgs=--pid=host
|
||||||
|
PodmanArgs=--cgroupns=host
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
|
@ -1,22 +1,13 @@
|
||||||
variant: fcos
|
variant: fcos
|
||||||
version: 1.4.0
|
version: 1.4.0
|
||||||
|
|
||||||
ignition:
|
|
||||||
config:
|
|
||||||
merge:
|
|
||||||
- local: packages.yaml
|
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
files:
|
files:
|
||||||
- path: /etc/ignition/packages.d/collectd
|
- path: /etc/containers/systemd/collectd.container
|
||||||
mode: 0644
|
mode: 0644
|
||||||
contents:
|
contents:
|
||||||
inline: |
|
local: collectd.container
|
||||||
collectd
|
|
||||||
collectd-chrony
|
|
||||||
collectd-disk
|
|
||||||
collectd-sensors
|
|
||||||
collectd-write_prometheus
|
|
||||||
- path: /etc/collectd.d/df.conf
|
- path: /etc/collectd.d/df.conf
|
||||||
mode: 0644
|
mode: 0644
|
||||||
contents:
|
contents:
|
||||||
|
|
@ -27,6 +18,7 @@ storage:
|
||||||
FSType overlay
|
FSType overlay
|
||||||
IgnoreSelected true
|
IgnoreSelected true
|
||||||
</Plugin>
|
</Plugin>
|
||||||
|
|
||||||
- path: /etc/collectd.d/plugins.conf
|
- path: /etc/collectd.d/plugins.conf
|
||||||
mode: 0644
|
mode: 0644
|
||||||
contents:
|
contents:
|
||||||
|
|
@ -50,8 +42,3 @@ storage:
|
||||||
<Plugin write_prometheus>
|
<Plugin write_prometheus>
|
||||||
Port 9103
|
Port 9103
|
||||||
</Plugin>
|
</Plugin>
|
||||||
|
|
||||||
systemd:
|
|
||||||
units:
|
|
||||||
- name: collectd.service
|
|
||||||
enabled: true
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue