Sensors access denied for prometheus node-exporter

Our Prometheus node-exporter is generating the following errors (stripped out common lines):

This is what the lines look like:

apparmor="DENIED" operation="open" profile="snap.<redacted>.node-exporter" name="/sys/devices/platform/coretemp.0/hwmon/hwmon2/temp1_crit" pid=some-pid comm="node_exporter" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The list of all paths:

name="/sys/devices/platform/coretemp.0/hwmon/hwmon2/temp1_crit"
name="/sys/devices/platform/coretemp.0/hwmon/hwmon2/temp1_crit_alarm"
name="/sys/devices/platform/coretemp.0/hwmon/hwmon2/temp1_input"
name="/sys/devices/system/clocksource/clocksource0/available_clocksource"
name="/sys/devices/virtual/powercap/intel-rapl/intel-rapl:0/intel-rapl:0:0/name"
name="/sys/devices/virtual/powercap/intel-rapl/intel-rapl:0/intel-rapl:0:1/name"
name="/sys/devices/virtual/powercap/intel-rapl/intel-rapl:0/intel-rapl:0:2/name"
name="/sys/devices/virtual/powercap/intel-rapl/intel-rapl:0/name"
name="/sys/devices/virtual/thermal/thermal_zone0/hwmon0/name"
name="/sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_crit"
name="/sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_input"
name="/sys/devices/virtual/thermal/thermal_zone0/temp"
name="/sys/devices/virtual/thermal/thermal_zone0/type"
name="/sys/devices/virtual/thermal/thermal_zone1/hwmon1/name"
name="/sys/devices/virtual/thermal/thermal_zone1/hwmon1/temp1_input"
name="/sys/devices/virtual/thermal/thermal_zone1/temp"

Could you please suggest how I enable access to those files (I need read-only access)?

Does snappy-debug make any suggestion if you run it alongside?

Thanks for your suggestion, @ogra

In general, it suggests the following:

Suggestions:

  • adjust program to not access ‘/sys/devices/virtual/thermal/thermal_zone1/temp’
  • adjust program to not access ‘/sys/devices/virtual/thermal/thermal_zone[0-9]*/temp’

Full output:

https://pastebin.ubuntu.com/p/F9DXHtvXCY/

Hmm, interesting, I’d have expected it to point you to something like hardware-observe:

# files in /sys pertaining to hardware (eg, 'lspci -A linux-sysfs')
/sys/{block,bus,class,devices,firmware}/{,**} r,

… this should theoretically cover the path above … could you try to add it?

Thanks, @ogra, it worked!
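
The coverage question in this thread (does the hardware-observe rule quoted above account for every denied path?) can be checked offline before any interface is changed. The following Python is an added example, not part of the original thread or of snapd: it parses AppArmor DENIED records and tests each path and denied mask against the quoted rule. The function names, the sample records and the profile name are constructed for illustration, and the glob translation handles only the `{a,b}`, `**` and `*` forms that appear in that rule, not AppArmor's full syntax.

```python
import re

# Path rule quoted in the thread for the hardware-observe interface.
RULE = "/sys/{block,bus,class,devices,firmware}/{,**} r,"

# Constructed sample records modelled on the thread's denial; profile name,
# pid, the write denial and the /proc path are made up for the example.
_REC = ('apparmor="DENIED" operation="open" profile="snap.example.node-exporter" '
        'name="%s" pid=1234 comm="node_exporter" requested_mask="%s" denied_mask="%s"')
SAMPLE_LOG = "\n".join(_REC % (p, m, m) for p, m in [
    ("/sys/devices/platform/coretemp.0/hwmon/hwmon2/temp1_crit", "r"),
    ("/sys/devices/virtual/thermal/thermal_zone0/temp", "r"),
    ("/sys/devices/virtual/thermal/thermal_zone0/temp", "w"),
    ("/proc/1/environ", "r"),
])

FIELD = re.compile(r'(\w+)="([^"]*)"')
GLOB_TO_RE = {"**": ".*", "*": "[^/]*", "{": "(?:", "}": ")"}

def parse_denials(log):
    """Return sorted unique (path, denied_mask) pairs from DENIED records."""
    found = set()
    for line in log.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("apparmor") == "DENIED" and "name" in f:
            found.add((f["name"], f.get("denied_mask", "")))
    return sorted(found)

def compile_rule(rule):
    """Compile 'GLOB PERMS,' into (regex, permission set); simplified globs."""
    glob, perms = rule.rstrip(",").rsplit(None, 1)
    out, depth = [], 0
    for t in re.findall(r"\*\*|[*{},]|[^*{},]+", glob):
        if t in ("{", "}"):
            depth += 1 if t == "{" else -1
        if t == ",":
            out.append("|" if depth else ",")  # alternation only inside {}
        else:
            out.append(GLOB_TO_RE.get(t) or re.escape(t))
    return re.compile("".join(out)), set(perms)

def triage(log, rule=RULE):
    """Split denials into those the rule would allow and those it would not."""
    pattern, perms = compile_rule(rule)
    covered, uncovered = [], []
    for path, mask in parse_denials(log):
        ok = pattern.fullmatch(path) and set(mask) <= perms
        (covered if ok else uncovered).append((path, mask))
    return covered, uncovered
```

`triage(SAMPLE_LOG)` returns the two read denials under `/sys/devices` as covered. The constructed write attempt and the `/proc` read stay in the second list, because they fall outside the rule's read-only `/sys` scope and would need separate review.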