Telegraf v1.4.0 (git: release-1.4 34b7a4c3611d1ede908ef275401544c34a4a3ba3)
Being able to set socket permissions for socket_listener will allow administrators to have various applications on the system write to the telegraf socket.
```toml
# Configuration for telegraf agent
[agent]
  interval = "20s"
  round_interval = true
  metric_batch_size = 1000
  metric_buffer_limit = 10000
  collection_jitter = "5s"
  flush_interval = "60s"
  flush_jitter = "15s"
  debug = false
  quiet = false
  omit_hostname = false

[[inputs.socket_listener]]
  service_address = "unix:///run/telegraf-ops/telegraf.sock"
```

```
telegraf -conf=test.conf
```
See implementation discussion starting here: https://github.com/influxdata/telegraf/pull/3996#issuecomment-394164349
@danielnelson I have a concern with what was proposed on #3996, namely that if it becomes mandatory in a future version (i.e. there's no way to disable it) then it will require that processes sending to the socket have the same group id as telegraf... this will be an issue for my usage, where processes send InfluxDB line protocol stats to the socket but these processes need to be in a separate group from the telegraf process.
Do you know if the checks for SCM_CREDENTIALS will be able to be disabled via a config option? That would be ideal for me, as I could then rely on directory permissions for access control...
Edit: I'm starting to rethink my own approach here anyway... maybe I will just add the user that my application is running as to the telegraf group, since it lacks permissions on the socket file _anyway_
...Actually that also fails because under FreeBSD the socket is owned by wheel; so I'll probably need to make some script which chowns the files the way I want them anyway...
> Do you know if the checks for SCM_CREDENTIALS will be able to be disabled via a config option? That would be ideal for me, as I could then rely on directory permissions for access control...
We can do this, I think we would only use SCM_CREDENTIALS if it is configured, and use directory permissions by default.
Awesome, that sounds best to me. I'm running into a tangentially related issue where the FreeBSD pkg has the socket owned by telegraf:wheel and I'm working around that with a chown+chmod for now...
Is there a way I can solve the permission problem while this feature is ready for a new release? chmod + chown works great but I want to keep the permissions after a service restart... the socket always has rwxr-xr-x telegraf telegraf as permissions after a restart... so an external service will lose the write access
Not sure if it will work for you, but you could try setting setgid on the directory containing the socket and adjusting the umask to 002 for Telegraf so the file is group writable.
Thanks for the answer @danielnelson, but I have one more question :smile: How can I change the umask for telegraf? I read that I need to add the umask 002 sentence at the beginning of the telegraf daemon script... I tried adding the umask in /usr/lib/telegraf/scripts/init.sh without luck. Also, I found the file /usr/bin/telegraf (starts the daemon) but I was not able to edit it... it's encoded or something like that, but I cannot see or edit the content
Depends on the init system you are using:
/etc/init.d/telegraf
/usr/lib/systemd/system/telegraf.service or /usr/lib/systemd/system/telegraf.service
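
The setgid-directory and umask workaround suggested above, as an added example that is not part of the original thread or Telegraf's own code: it binds a Unix socket in a setgid directory under umask 022 and under umask 002 and reports the resulting file mode and group. The directory and function names are assumptions for illustration, and the stated modes are for Linux, where a bound socket file is created with mode `0777 & ~umask`.

```python
import os
import socket
import stat
import tempfile


def bound_socket_perms(directory, umask):
    """Bind a Unix socket in `directory` under `umask`; return (mode, gid)."""
    path = os.path.join(directory, "demo-%03o.sock" % umask)
    old = os.umask(umask)  # what the init script or unit file would set
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            srv.bind(path)  # the kernel creates the socket file here
            st = os.stat(path)
        finally:
            srv.close()
    finally:
        os.umask(old)
    os.unlink(path)
    return stat.S_IMODE(st.st_mode), st.st_gid


def demo():
    """Compare umask 022 and 002 in a setgid, group-writable directory."""
    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical stand-in for /run/telegraf-ops from the config above.
        sock_dir = os.path.join(tmp, "telegraf-ops")
        os.mkdir(sock_dir)
        os.chmod(sock_dir, 0o2775)  # setgid: new files take the directory's group
        dir_gid = os.stat(sock_dir).st_gid
        results = {}
        for um in (0o022, 0o002):
            mode, gid = bound_socket_perms(sock_dir, um)
            results[um] = (mode, gid == dir_gid)
        return results


if __name__ == "__main__":
    for um, (mode, same_group) in demo().items():
        # On Linux a client needs write permission on the socket file to
        # connect, so group members get in only when the group-write bit is set.
        writable = bool(mode & stat.S_IWGRP)
        print("umask %03o -> mode %04o, group-writable=%s, group matches dir=%s"
              % (um, mode, writable, same_group))
```

Under umask 022 the socket comes out as rwxr-xr-x, the mode reported earlier in the thread after a restart; under umask 002 it gains the group-write bit.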