prometheus-blackbox-exporter: fixing path issue
This fixes an issue with a recent addition of a config file
check in c28ded36ef.
Previously it was possible to supply a path as a string
to `configFile`. Now it will fail checking the config file
during evaluation of the module due to sandboxing.
A toggle to disable the check, more informative log messages
and handling for various configFile values are added.
parent
3a440874c7
commit
b788467ec4
1 changed files with 43 additions and 10 deletions
|
@ -3,16 +3,34 @@
|
||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
|
logPrefix = "services.prometheus.exporter.blackbox";
|
||||||
cfg = config.services.prometheus.exporters.blackbox;
|
cfg = config.services.prometheus.exporters.blackbox;
|
||||||
|
|
||||||
checkConfig = file: pkgs.runCommand "checked-blackbox-exporter.conf" {
|
# This ensures that we can deal with string paths, path types and
|
||||||
preferLocalBuild = true;
|
# store-path strings with context.
|
||||||
buildInputs = [ pkgs.buildPackages.prometheus-blackbox-exporter ]; } ''
|
coerceConfigFile = file:
|
||||||
ln -s ${file} $out
|
if (builtins.isPath file) || (lib.isStorePath file) then
|
||||||
blackbox_exporter --config.check --config.file $out
|
file
|
||||||
'';
|
else
|
||||||
in
|
(lib.warn ''
|
||||||
{
|
${logPrefix}: configuration file "${file}" is being copied to the nix-store.
|
||||||
|
If you would like to avoid that, please set enableConfigCheck to false.
|
||||||
|
'' /. + file);
|
||||||
|
checkConfigLocation = file:
|
||||||
|
if lib.hasPrefix "/tmp/" file then
|
||||||
|
throw
|
||||||
|
"${logPrefix}: configuration file must not reside within /tmp - it won't be visible to the systemd service."
|
||||||
|
else
|
||||||
|
true;
|
||||||
|
checkConfig = file:
|
||||||
|
pkgs.runCommand "checked-blackbox-exporter.conf" {
|
||||||
|
preferLocalBuild = true;
|
||||||
|
buildInputs = [ pkgs.buildPackages.prometheus-blackbox-exporter ];
|
||||||
|
} ''
|
||||||
|
ln -s ${coerceConfigFile file} $out
|
||||||
|
blackbox_exporter --config.check --config.file $out
|
||||||
|
'';
|
||||||
|
in {
|
||||||
port = 9115;
|
port = 9115;
|
||||||
extraOpts = {
|
extraOpts = {
|
||||||
configFile = mkOption {
|
configFile = mkOption {
|
||||||
|
@ -21,14 +39,29 @@ in
|
||||||
Path to configuration file.
|
Path to configuration file.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
enableConfigCheck = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = true;
|
||||||
|
description = ''
|
||||||
|
Whether to run a correctness check for the configuration file. This depends
|
||||||
|
on the configuration file residing in the nix-store. Paths passed as string will
|
||||||
|
be copied to the store.
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
serviceOpts = {
|
|
||||||
|
serviceOpts = let
|
||||||
|
adjustedConfigFile = if cfg.enableConfigCheck then
|
||||||
|
checkConfig cfg.configFile
|
||||||
|
else
|
||||||
|
checkConfigLocation cfg.configFile;
|
||||||
|
in {
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
AmbientCapabilities = [ "CAP_NET_RAW" ]; # for ping probes
|
AmbientCapabilities = [ "CAP_NET_RAW" ]; # for ping probes
|
||||||
ExecStart = ''
|
ExecStart = ''
|
||||||
${pkgs.prometheus-blackbox-exporter}/bin/blackbox_exporter \
|
${pkgs.prometheus-blackbox-exporter}/bin/blackbox_exporter \
|
||||||
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
|
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
|
||||||
--config.file ${checkConfig cfg.configFile} \
|
--config.file ${adjustedConfigFile} \
|
||||||
${concatStringsSep " \\\n " cfg.extraFlags}
|
${concatStringsSep " \\\n " cfg.extraFlags}
|
||||||
'';
|
'';
|
||||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||||
|
|
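Review bot: With `enableConfigCheck = false`, `adjustedConfigFile` is bound to the result of `checkConfigLocation cfg.configFile`, which returns the boolean `true` rather than the path. The `--config.file ${adjustedConfigFile}` interpolation in `ExecStart` then has nothing it can coerce to a string, so the new opt-out fails at evaluation instead of passing the file through. The last branch of `checkConfigLocation` should be `else file;`. Separately, with the check left at its default, `coerceConfigFile` copies a string path into the nix-store, which is readable by every local user, and a blackbox exporter config can hold probe credentials such as basic-auth passwords or bearer tokens. The `enableConfigCheck` description and the `lib.warn` text should say so, for example `The nix-store is world-readable; set this to false if the file contains credentials.`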