nixos/promtail: fix access to journal

This commit is contained in:
Jörg Thalheim 2020-11-10 10:36:53 +01:00
parent 4c64fa224e
commit 31a0b5dff6
No known key found for this signature in database
GPG Key ID: 003F2096411B5F92
2 changed files with 6 additions and 0 deletions

View File

@ -6,10 +6,12 @@ let
echo '${builtins.toJSON conf}' | ${pkgs.buildPackages.jq}/bin/jq 'del(._module)' > $out
'';
allowSystemdJournal = cfg.configuration ? scrape_configs && lib.any (v: v ? journal) cfg.configuration.scrape_configs;
in {
options.services.promtail = with types; {
enable = mkEnableOption "the Promtail ingresser";
configuration = mkOption {
type = (pkgs.formats.json {}).type;
description = ''
@ -67,6 +69,8 @@ in {
RestrictRealtime = true;
MemoryDenyWriteExecute = true;
PrivateUsers = true;
SupplementaryGroups = lib.optional (allowSystemdJournal) "systemd-journal";
} // (optionalAttrs (!pkgs.stdenv.isAarch64) { # FIXME: figure out why this breaks on aarch64
SystemCallFilter = "@system-service";
});

View File

@ -45,6 +45,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }:
machine.wait_for_open_port(3100)
machine.wait_for_open_port(9080)
machine.succeed("echo 'Loki Ingestion Test' > /var/log/testlog")
# should not have access to journal unless specified
machine.fail("systemctl show --property=SupplementaryGroups promtail | grep -q systemd-journal")
machine.wait_until_succeeds(
"${pkgs.grafana-loki}/bin/logcli --addr='http://localhost:3100' query --no-labels '{job=\"varlogs\",filename=\"/var/log/testlog\"}' | grep -q 'Loki Ingestion Test'"
)