Unverified Commit 060a47e1 authored by DDoSolitary's avatar DDoSolitary

netdata: set NETDATA_PIPENAME to /run/netdata/ipc

Netdata creates its control socket at /tmp/netdata-ipc by default, which
is insecure and actually inaccessible with systemd's PrivateTmp enabled.

Originally we patched its source code to move the socket to
/run/netdata/ipc. However, it was removed due to incompatibility when
upgrading to v1.41.0: 1d2a2dc7

Fortunately, this new version of netdata adds support for setting the
location of the control socket via the environment variable
NETDATA_PIPENAME. So let's set it for the netdata service and the
command line utility so that they can communicate properly.
parent aebee3ca
+1 −0
@@ -216,6 +216,7 @@ in {
        PYTHONPATH = "${cfg.package}/libexec/netdata/python.d/python_modules";
      } // lib.optionalAttrs (!cfg.enableAnalyticsReporting) {
        DO_NOT_TRACK = "1";
        NETDATA_PIPENAME = "/run/netdata/ipc";
      };
      restartTriggers = [
        config.environment.etc."netdata/netdata.conf".source
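Review bot: `NETDATA_PIPENAME` sits inside the `lib.optionalAttrs (!cfg.enableAnalyticsReporting) { … }` set next to `DO_NOT_TRACK`, so the daemon only receives it when analytics reporting is disabled. With `enableAnalyticsReporting = true` the service would presumably fall back to the default `/tmp/netdata-ipc` that the commit message calls insecure, while the wrapped `netdatacli` looks in `/run/netdata/ipc` and cannot reach the daemon. Move the line into the unconditional set, directly after the `PYTHONPATH` entry: `NETDATA_PIPENAME = "/run/netdata/ipc";`. The page has lost its +/- markers, so which line is the addition is inferred from the commit message, and the environment set opens above the hunk.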
+4 −1
@@ -10,7 +10,7 @@ import ./make-test-python.nix ({ pkgs, ...} : {
    netdata =
      { pkgs, ... }:
        {
          environment.systemPackages = with pkgs; [ curl jq ];
          environment.systemPackages = with pkgs; [ curl jq netdata ];
          services.netdata.enable = true;
        };
    };
@@ -34,5 +34,8 @@ import ./make-test-python.nix ({ pkgs, ...} : {
    filter = '[.data[range(10)][.labels | indices("root")[0]]] | add | . > 0'
    cmd = f"curl -s {url} | jq -e '{filter}'"
    netdata.wait_until_succeeds(cmd)

    # check if the control socket is available
    netdata.succeed("sudo netdatacli ping")
  '';
})
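Review bot: The `sudo` in `netdata.succeed("sudo netdatacli ping")` looks redundant, since NixOS test driver commands already run as root on the node; `netdata.succeed("netdatacli ping")` would not depend on sudo being configured. The test node sets only `services.netdata.enable`, so the check runs under a single value of `enableAnalyticsReporting`. Because the module places environment entries under a condition on that option, a second node with the option flipped would confirm the control socket is reachable in both configurations. A direct assertion such as `netdata.succeed("test -S /run/netdata/ipc")` would additionally pin the socket's location rather than only its reachability.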
+1 −0
@@ -103,6 +103,7 @@ stdenv.mkDerivation rec {
  postFixup = ''
    wrapProgram $out/bin/netdata-claim.sh --prefix PATH : ${lib.makeBinPath [ openssl ]}
    wrapProgram $out/libexec/netdata/plugins.d/cgroup-network-helper.sh --prefix PATH : ${lib.makeBinPath [ bash ]}
    wrapProgram $out/bin/netdatacli --set NETDATA_PIPENAME /run/netdata/ipc
  '';

  enableParallelBuild = true;
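Review bot: `--set` on the `netdatacli` wrapper unconditionally overwrites any `NETDATA_PIPENAME` already present in the caller's environment, so an operator running the daemon with a different socket path cannot point the CLI at it. `wrapProgram $out/bin/netdatacli --set-default NETDATA_PIPENAME /run/netdata/ipc` keeps the safe default while still honouring an explicit override. The path is also now a literal in both the package and the service module; a short comment in `postFixup`, e.g. `# must match NETDATA_PIPENAME in the NixOS netdata module`, would help keep the two from drifting. The `postFixup` string is fully visible in this hunk, but the derivation continues outside it.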
+0 −13
diff --git a/daemon/commands.h b/daemon/commands.h
index bd4aabfe1cbe4..ce7eb3c730228 100644
--- a/daemon/commands.h
+++ b/daemon/commands.h
@@ -6,7 +6,7 @@
 #ifdef _WIN32
 # define PIPENAME "\\\\?\\pipe\\netdata-cli"
 #else
-# define PIPENAME "/tmp/netdata-ipc"
+# define PIPENAME "/run/netdata/ipc"
 #endif
 
 #define MAX_COMMAND_LENGTH 4096