MindFlavor / prometheus_wireguard_exporter

A Prometheus exporter for WireGuard, written in Rust.
https://mindflavor.github.io/prometheus_wireguard_exporter
MIT License
493 stars 51 forks

prepend_sudo does not work as expected #57

Open bjoern-r opened 3 years ago

bjoern-r commented 3 years ago

I'm running the exporter as an unprivileged user, monitoring, and added a sudoers entry to allow execution of the wg tool by the monitoring user without a password. However, the exporter just returns Permission denied (os error 13).

Via shell it works as expected:

monitoring@hell:/tmp$ wg show
Unable to access interface wg0: Operation not permitted
monitoring@hell:/tmp$ sudo wg show 
interface: wg0                                                 
  public key: pZ...A=
  private key: (hidden)                       
  listening port: 51820

Via prometheus_wireguard_exporter it fails:

# sudo -u monitoring /usr/local/bin/prometheus_wireguard_exporter -a -l 10.192.123.1 -n /etc/wireguard/wg0.conf -i wg0 -v

a ==> wg0
[2021-04-05T16:48:33Z INFO  prometheus_wireguard_exporter] prometheus_wireguard_exporter v3.5.0 starting...
[2021-04-05T16:48:33Z INFO  prometheus_wireguard_exporter] using options: Options { verbose: true, prepend_sudo: true, separate_allowed_ips: false, extract_names_config_file: Some("/etc/wireguard/wg0.conf"), interfaces: Some(["wg0"]), export_remote_ip_and_port: false }
[2021-04-05T16:48:33Z INFO  prometheus_wireguard_exporter] starting exporter on http://10.192.123.1:9586/metrics
[2021-04-05T16:48:33Z INFO  prometheus_exporter_base] Listening on http://10.192.123.1:9586
[2021-04-05T16:48:37Z TRACE prometheus_exporter_base] serve_function:: req.uri() == /metrics, req.method() == GET
[2021-04-05T16:48:37Z TRACE prometheus_exporter_base] serve_function:: options == Options { verbose: true, prepend_sudo: true, separate_allowed_ips: false, extract_names_config_file: Some("/etc/wireguard/wg0.conf"), interfaces: Some(["wg0"]), export_remote_ip_and_port: false }
[2021-04-05T16:48:37Z WARN  prometheus_exporter_base] internal server error == Os { code: 13, kind: PermissionDenied, message: "Permission denied" }

zxyz commented 2 years ago

@bjoern-r is the user monitoring allowed to read /etc/wireguard/wg0.conf? This was my problem. You could try your above prometheus_wireguard_exporter command without the -n to verify this easily.
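
A check for the cause suggested in the reply above, as an added example that is not part of the original thread or the exporter's code: run as the service account, it walks the path given to -n and reports the first component that account cannot search or read. It assumes the exporter opens that file itself rather than through sudo; `first_blocked` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: find the first path component the *current* user cannot use.
# Assumption: the file passed to -n is opened by the exporter process itself,
# so a sudoers rule for `wg` does not help with reading it.

# first_blocked FILE
#   returns 0 if FILE is readable by the current user,
#   returns 1 and prints the blocking component if access is denied,
#   returns 2 and prints the component if it does not exist.
first_blocked() {
    target=$1
    case $target in
        /*) ;;
        *)  target=$PWD/$target ;;   # make relative paths absolute
    esac

    current=""
    rest=${target#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        if [ -z "$part" ]; then continue; fi   # empty part from "//"
        current=$current/$part

        if [ ! -e "$current" ]; then
            echo "missing: $current"
            return 2
        fi
        if [ -n "$rest" ]; then
            # Intermediate component: needs search (x) permission.
            if [ ! -x "$current" ]; then
                echo "no search permission: $current"
                return 1
            fi
        elif [ ! -r "$current" ]; then
            # Final component: the file itself must be readable.
            echo "not readable: $current"
            return 1
        fi
    done
    return 0
}

# When invoked with an argument, check that path.
if [ "$#" -gt 0 ]; then
    first_blocked "$1"
fi
```

Saved as a script and run as `sudo -u monitoring sh <script> /etc/wireguard/wg0.conf`, it prints the blocking component, if any; a directory such as /etc/wireguard that only root can enter is reported before the file itself.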

bjoern-r commented 2 years ago

Thanks for pointing that out. I will try it out when I have the chance.