https://humdi.net/vnstat/CHANGES
* enable tests
* add hardening options from upstream's
example service
* fix "documentation" setting in service:
either needs to be `unitConfig.Documentation`
(uppercase) or lowercase but not within unitConfig.
This makes sure that when a user hasn't set a Prometheus option it
won't show up in the prometheus.yml configuration file. This results
in smaller and easier to understand configuration files.
We previously filtered out the `_module` attribute in a NixOS
configuration by filtering it using the option's `apply` function.
This meant that every option that had a submodule type needed to have
this apply function. Adding this function is easy to forget thus this
mechanism is error prone.
We now recursively filter out the `_module` attributes at the place we
construct the Prometheus configuration file. Since we now do the filtering
centrally we don't have to do it per option making it less prone to errors.
This results in a smaller prometheus.yml config file.
It also allows us to use the same options for both prometheus-1 and
prometheus-2 since the new options for prometheus-2 default to null
and will be filtered out if they are not set.
This results in a simpler service unit which doesn't first have to
start a shell:
> cat /nix/store/s95nsr8zbkblklanqpkiap49mkwbaq45-unit-alertmanager.service/alertmanager.service
...
ExecStart=/nix/store/4g784lwcy7kp69hg0z2hfwkhjp2914lr-alertmanager-0.16.2-bin/bin/alertmanager \
--config.file /nix/store/p2c7fyi2jkkwq04z2flk84q4wyj2ggry-checked-config \
--web.listen-address [::1]:9093 \
--log.level warn
...
As the configuration for the exporters and alertmanager is unchanged
between the two major versions this patch tries to minimize
duplication while at the same time as there's no upgrade path from 1.x
to 2.x, it allows running the two services in parallel. See also #56037
https://github.com/golang/go/issues/9334 describes how net.Listen (as used by Alertmanager):
* listens on 127.0.0.1 if the listenAddress is "localhost"
* listens on all interfaces if the listenAddress is ""
munin_update relies on a stats file that exists, but isn't found in the
default location on NixOS; the appropriate plugin configuration is
added.
munin_stats relies on munin-cron writing a logfile, which the NixOS
build of munin does not. (This is probably fixable in the munin package,
but I don't have time to dig into that right now.)
This permits custom styling of the generated HTML without needing to
build your own Munin package from source. Also comes with an example
that works as a passable dark theme for Munin.
extraAutoPlugins lets you list plugins and plugin directories to be
autoconfigured, and extraPlugins lets you enable plugins on a one-by-one
basis. This can be used to enable plugins from contrib (although you'll
need to download and check out contrib yourself, then point these
options at it), or plugins you've written yourself.
munin-graph is hardcoded to use DejaVu Mono for the graph legends; if it
can't find it, there's no guarantee it finds a monospaced font at all,
and if it can't find a monospaced font the legends come out badly
misformatted.
This is just a set of globs to remove from the active plugins directory
after autoconfiguration is complete.
I also removed the hard-coded disabling of "diskstats", since it seems
to work just fine now.
Since this module was written, Munin has moved their documentation from
munin-monitoring.org/wiki to guide.munin-monitoring.org. Most of the
links were broken, and the ones that weren't went to "please use the new
site" pages.
New option `extraPluginPaths' that allows users to supply additional
paths for netdata plugins. Very useful for when you want to use
custom collection scripts.
`collectd' might fail because of a failure in any of numerous plugins.
For example `virt' plugin sometimes fails if `collectd' is started before `libvirtd'
Instead of setting User/Group only when DynamicUser is disabled, the
previous version of the code set it only when it was enabled. This
caused services with DynamicUser enabled to actually run as nobody, and
services without DynamicUser enabled to run as root.
Regression from fbb7e0c82f.
This commit adds an assertion that checks that either `configFile` or
`configuration` is configured for alertmanager. The alertmanager config
can not be an empty attributeset. The check executed with `amtool` fails
before the service even has the chance to start. We should probably not
allow a broken alertmanager configuration anyway.
This also introduces a test for alertmanager configuration that piggy
backs on the existing prometheus tests.
Otherwise netdata will not find python modules.
To make sure netdata still pick up our setuid version of apps.plugin
we rename the original executable.
By using types.lines for 'config', we can specify monit configurations
in lots of modules and they can all be automatically combined together
with newlines. This is desireable because different modules might want
to each specify the small monitoring task specific to their service.
This commit also updates the module to use current idioms.
With `promtool` we can check the validity of a configuration before
deploying it. This avoids situations where you would end up with a
broken monitoring system without noticing it - since the monitoring
broke down. :-)
as using /var/run now emits a warning by systemd's tmpfiles.d.
As /var/run is already a symlink to /run, this can't break anything, and
data does not need to be migrated.
Previously it was only possible to use very simple Riemann config.
For more complicated scenarios you need a directory of clojure
files and the config file that riemann starts with should be in this
directory.
Introduces an option `services.datadog-agent.extraIntegrations` that
can be set to include additional Datadog agent integrations from the
integrations-core repository.
Documentation and an example is provided with the change.
Relates to NixOS/nixpkgs#40399
Refactors the datadog-agent (i.e. V6) module to let users configure
arbitrary checks, not just a limited set, without having to resort to
linking the files manually and updating the systemd unit.
Checks are now configured via a `services.datadog-agent.checks` option
which takes an attribute set in which the keys refer directly to
Datadog check names, and the values are attribute sets representing
Datadog's configuration structure.
With this mechanism users can configure arbitrary integrations, for
example for the `ntp`-check, simply by saying:
services.datadog-agent.checks.ntp = {
init_config = null;
# ... other check configuration options as per Datadog
# documentation
};
The previous check-specific configuration options for non-default
checks have been removed. Disk & network check configuration options
have been kept rather than making them a `default`-value of the
`checks`-option because they will be overridden by user-configurations
in that case.
Relates to NixOS/nixpkgs#40399.
The web_access.patch would no longer apply.
It disabled a check that required the static files
for the web UI to be owned by the user the daemon runs as
(not root, so it doesn't work well with nix).
Besides updating netdata, this commit removes that patch,
changes the netdata service config to set the "web files owner/group"
option to "root" and adds a test that checks that the web UI is being served.
This allows the web files to be owned by root without patching.
Use nixos-fw chain instead of INPUT so that the rules don't keep
stacking everytime the firewall is reloaded.
This also adds a comment to each rule about the associated exporter.
Fixes#30891
* Upgrade `graphite-web`, `carbon` and `whisper` from 1.0.2 -> 1.1.3.
* Replaced the deprecated `pythonPackages.graphite_influxdb` with
`pythonPackages.influxgraph.`
* Renamed `pythonPackages.graphite_web` to `pythonPackages.graphite-web`
to be consistent with the Python package name.
* Replaced the unmaintained `pythonPackages.graphite_pager` with
`pythonPackages.graphitepager`
* Moved all new packages from `python-packages.nix` to
`pkgs/development/python-modules`
The Datadog agent requires `gohai` to be available on its `$PATH` in
order to collect certain metrics.
It would previously start up and collect certain types of metrics, but
log errors related to the missing gohai binary.
This commit configures the systemd-unit to make gohai available at
runtime.
This fixes#39810.
- prometheus exporters are now configured with
`services.prometheus.exporters.<name>`
- the exporters are now defined by attribute sets
from which the options for each exporter are generated
- most of the exporter definitions are used unchanged,
except for some changes that should't have any impact
on the functionality.
Alertmanager 0.13.0 doesn't support single dash long options, so '-config.file'
for example is parsed as '-c', which leads to the service not starting.
apps.plugin requires capabilities for full process monitoring. with
1.9.0, netdata allows multiple directories to search for plugins and the
setuid directory can be specified here.
the module is backwards compatible with older configs. a test is
included that verifies data gathering for the elevated privileges. one
additional attribute is added to make configuration more generic than
including configuration in string form.
These packages will be placed into an environment using
`backendsToPackages`. This function explicitly maps backends to
`pkgs.nodePackages.${type}` unless it's a builtin. This ensures that only
valid backends that work on NixOS are used (if not, the build already
breaks at evaluation time).
The log will be redirected to `stdout` to be able to watch the entire
output using `journalctl`.
Configuration parameters for the backends need to be set using
`services.statsd.extraConfig` as each backend has its own options and
all of them shouldn't be validated and checked explicitly and manually.
The munin-node service used wrapProgram to inject environment variables.
This doesn't work because munin plugins depend on argv[0], which is
overwritten when the executable is a script with a shebang line (example
below).
This commit removes the wrappers and instead passes the required
environment variables to munin-node.
Eliminating the wrappers resulted in some broken plugins, e.g., meminfo
and hddtemp_smartctl. That was fixed with the per-plugin configuration.
Example:
The plugin if_eth0 is a symlink to /.../plugins/if_, which uses $0
to determine that it should monitor traffic on the eth0 interface.
if_ is a wrapped program, and runs `exec -a "$0" .if_-wrapped`
.if_-wrapped has a "#!/nix/.../bash" line, which results in bash
changing $0, and as a result the plugin thinks my interface
is called "-wrapped".
The behaviour have changed again. Listed collectors are now enabled in
addition to the default one.
Also run as DynmicUser instead of user nobody as the exporter doesn't need
any state.
* prometheus-collectd-exporter service: init module
Supports JSON and binary (optional) protocol
of collectd.
* nixos/prometheus-collectd-exporter: submodule is not needed for collectdBinary
"Builder called die: Cannot wrap
/nix/store/XXX-munin-available-plugins/plugin.sh because it is not an
executable file"
[Bjørn: Keep DRY, quote "$file".]
* removed pid-file support, it is needless to run collectd as systemd service
* removed static user id, as all the files reowned on the service start
* added ambient capabilities for ping and smart (hdd health) functions
While systemd suggests using the pre-defined graphical-session user
target, I found that this interface is difficult to use. Additionally,
no other major distribution, even in their unstable versions, currently
use this mechanism.
The window or desktop manager is supposed to run in a systemd user service
which activates graphical-session.target and the user services that are
binding to this target. The issue is that we can't elegantly pass the
xsession environment to the window manager session, in particular
whereas the PassEnvironment option does work for DISPLAY, it for some
mysterious reason won't for PATH.
This commit implements a new graphical user target that works just like
default.target. Services which should be run in a graphical session just
need to declare wantedBy graphical.target. The graphical target will be
activated in the xsession before executing the window or display manager.
Fixes#17858.
to /etc/dd-agent/conf.d by default, and make sure
/etc/dd-agent/conf.d is used.
Before NixOS 17.03, we were using dd-agent 5.5.X which
used configuration from /etc/dd-agent/conf.d
In NixOS 17.03 the default conf.d location is first used relative,
meaning that $out/agent/conf.d was used without NixOS overrides.
This change implements similar functionality as PR #25288, without
breaking backwards compatibility.
(cherry picked from commit 77c85b0ecbc1070d7adff31b339bede92e4193fa)
Adds services.longview.{apiKeyFile,mysqlPasswordFile} options as
alternatives to apiKey and mysqlPassword, which still work, but are
deprecated with a warning message.
Related to #24288.
The reason being less mental overhead when reading upstream
documentation. Examples can be pasted right into the configuration
instead of translating to Nix attrset first.
The current default value of listenAddress = null blows up:
$ nixos-rebuild build
error: cannot coerce null to a string, at
.../nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix:97:16
With listenAddress = "" we use the same default as upstream and there is
no blow up :-)
...by providing a default value of "no labels" (an empty attrset).
Without this change we get
$ nixos-rebuild test -I nixpkgs=.
building Nix...
building the system configuration...
error: The option `services.prometheus.scrapeConfigs.[definition 1-entry 1].static_configs.[definition 1-entry 1].labels' is used but not defined.
which is unneeded, because labels _are_ optional.
The structured options are incomplete compared to upstream and I think
it will be a maintenance burden to try to keep up. Instead, provide an
option for the raw config file contents (prometheus.yml).
The collectd service runs as an unprivileged user by default, so it does
not leak more information to its data directory than any user can obtain
elsewhere by other means.
If people are running it as root and are worried about information leak,
we can add collectd group and set perms to 750.
CC @offlinehacker.
Fixes#21198.