Grafana-Agent: Permission Request

Hi,

This is my first time asking for a store request, so bear with me if it is a bit lacking. I’m currently in the process of snapping the grafana-agent. This will later be used as a foundation for a machine charm, similar to the current k8s charm.

To allow for node_exporter, ebpf and similar integrations to work, it needs some bespoke permissions. While I could have opted for a classic snap, I really think it makes sense for the snap to not get more permissions than it actually needs.

The permissions I’m requesting are:

  • network-bind
  • time-control
  • hardware-observe
  • mount-observe
  • network-observe
  • system-observe

All of these are needed to be able to fetch all of the telemetry we need to make this useful, as made clear by prior art through the existing strictly confined node_exporter snap. In addition, some paths not available in the system-observe plug are needed, which resulted in a bespoke plug telemetry:

  telemetry:
    interface: system-files
    read:
      - /var/log
      - /proc/mdstat
      - /proc/schedstat
      - /proc/sys/kernel/random

Likely this wasn’t the case back when the existing node_exporter charm was created, but as of now, node_exporter won’t be able to generate all metrics without it.

In addition to these permissions, I would like for the permissions to be auto-connected, as the software doesn’t make sense without them being present.

Link to the snap: https://snapcraft.io/grafana-agent

Thanks in advance, Simme

+1 from me for auto-connect of the following interfaces as these are required by the grafana-agent snap for it to operate as expected:

network-bind
time-control
hardware-observe
mount-observe
network-observe
system-observe

Regarding the requested system-files interface - can you be more specific? /var/log/ should be accessible via the log-observe interface, and parts of /proc/sys/kernel/random are already in the base template for all snaps.

However, I don’t think either /proc/mdstat or /proc/schedstat are currently covered by any snapd interface - both of these seem like reasonable candidates to include in the existing system-observe interface, so perhaps a PR to upstream snapd to include these there would be a better option?

Makes total sense! I’ll switch to the log-observe one for /var/log. There were at least three /proc/sys/kernel/random ones I had issues with. I can try to narrow it down further. Published as revision 3.

Happy to do that and remove these additions once it’s out. Would it be possible to keep them like this until that eventually is the case? PR opened at https://github.com/snapcore/snapd/pull/12427

+1 from me as well for auto-connect time-control, hardware-observe, mount-observe, network-observe, system-observe to grafana-agent since those are clearly required for the snap to properly operate. +2 votes for, 0 votes against, granting the requested auto-connections. This is now live.

network-bind is auto-connected by default, so no voting is needed ;).

I see this PR has been merged. Are you ok with waiting for the next snapd release to include it? Or is this needed asap?

We still need to build out the charm, so I guess we can wait. If anything I’m a bit worried that these changes won’t make it back to all of the deployments of all of the releases we need to support.


config-file is still required however. Thanks.

I see the required access is /etc/grafana-agent.yaml; can you please rename the iface reference to be etc-grafana-agent so it better represents the access granted? I am +1 for granting this access since grafana-agent is the clear owner of the directory. Can other @reviewers please vote?

+1 from me with the same stipulation as @emitorino.

@emitorino and others:

Revision 5 is now uploaded, containing the requested changes. I also took the liberty to make two other modifications:

  • Change the name of the /proc/sys/kernel/random plug from telemetry to proc-sys-kernel-random to better describe what it adds.
  • Add a content port named shared-logs, as discussed on MM, to allow other snaps to connect and share log files they want grafana-agent to tail.
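As an added illustration of what the thread converges on (this is not the grafana-agent snap's actual snapcraft.yaml and was not posted by anyone above), the plug and slot declarations for a strictly confined agent with these permissions could look like the following. The interface names, the /proc paths and the plug names proc-sys-kernel-random, etc-grafana-agent and shared-logs come from the posts; the app name, command line, `write` access on the config file, and the content-interface `target` path are assumptions.

```yaml
# Illustrative snapcraft.yaml fragment reconstructed from this thread.
# NOT the real grafana-agent snap source: the app command, the write
# access on /etc/grafana-agent.yaml and the content target path are
# assumptions made for this example.
name: grafana-agent
confinement: strict   # deliberately not classic: only the plugs below are granted

apps:
  grafana-agent:
    command: bin/grafana-agent -config.file=/etc/grafana-agent.yaml   # assumed
    daemon: simple
    plugs:
      # Reviewed by the store and auto-connected (see the votes above).
      - network-bind        # auto-connected by default for every snap
      - time-control
      - hardware-observe
      - mount-observe
      - network-observe
      - system-observe
      # Replaces the /var/log entry of the original bespoke `telemetry` plug.
      - log-observe
      # Bespoke plugs declared under `plugs:` below.
      - proc-sys-kernel-random
      - etc-grafana-agent
      - shared-logs

plugs:
  # Renamed from `telemetry` so the plug name states what it grants.
  proc-sys-kernel-random:
    interface: system-files
    read:
      - /proc/sys/kernel/random
      # Kept here only until a snapd release ships the system-observe
      # change from snapcore/snapd#12427; to be removed after that.
      - /proc/mdstat
      - /proc/schedstat

  # Named after the path it grants, as the reviewers asked.
  etc-grafana-agent:
    interface: system-files
    write:                    # assumed; the thread only says "access"
      - /etc/grafana-agent.yaml

  # Other snaps expose a content slot with the same `content` value; their
  # log directory is bind-mounted at `target` so grafana-agent can tail it.
  shared-logs:
    interface: content
    content: shared-logs             # must match the providing slot
    target: $SNAP_COMMON/shared-logs # assumed mount point inside the snap
```

The providing snap declares the other side as a slot: `interface: content`, the same `content: shared-logs` value, and a `read:` list with the directory it wants to expose. Neither the bespoke system-files plugs nor a content connection between two unrelated snaps is auto-connected without a store declaration, so until that is granted they have to be connected by hand, for example `snap connect grafana-agent:shared-logs some-other-snap:shared-logs`, and `snap connections grafana-agent` shows which plugs are still unconnected.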