VictoriaMetrics / ansible-playbooks

Ansible Playbooks for Victoria Metrics monorepo
Apache License 2.0

[vmagent] skips gce_sd_config due to failure to read credentials location #32

Closed dstevensson closed 1 year ago

dstevensson commented 1 year ago

vmagent skips gce_sd_config due to being unable to read credentials location required by the cloud sdk. The cloud SDK steps through multiple ways of accessing credentials, including checking the home directory of the user for a credentials file. Relevant error:

skipping gce_sd_config targets for job_name "gce" because of error: cannot get API config: cannot create oauth2 client for gce: google: error getting credentials using well-known file (/home/vic_vm_agent/.config/gcloud/application_default_credentials.json): open /home/vic_vm_agent/.config/gcloud/application_default_credentials.json): open /home/vic_vm_agent/.config/gcloud/application_default_credentials.json: permission denied

The problem lies not in the fact that the role doesn't create the home folder but rather that systemd sandboxing prevents the process from checking whether the file exists at all.

This exact problem has been discussed before in https://github.com/cloudalchemy/ansible-prometheus/issues/153 where the solution was to change ProtectHome=yes to ProtectHome=read-only in the systemd unit file. To support cases where a static credentials file is needed, setting it to read-only is most likely needed. If not, then we can probably get away with ProtectHome=tmpfs. More details on ProtectHome https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=

This is the line in question https://github.com/VictoriaMetrics/ansible-playbooks/blob/master/roles/vmagent/templates/vmagent.service.j2#L17
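As an added illustration (not part of the issue, and not the role's own template), here is how the three ProtectHome= values discussed above play out for the credentials lookup, written as a systemd drop-in so it can be tested on a host without editing the role. The drop-in path and file name are assumptions; `systemctl edit vmagent.service` creates the equivalent drop-in for you and reloads the unit.

```ini
# /etc/systemd/system/vmagent.service.d/protect-home.conf  (assumed path)
[Service]
# ProtectHome=yes (what the role template sets): /home, /root and /run/user are
# made inaccessible to the service. Opening the well-known file fails with
# "permission denied", and the Go oauth2 library only tolerates "not found",
# so the whole credentials chain errors out and gce_sd_config is skipped.
#
# ProtectHome=tmpfs: the same directories are replaced by an empty tmpfs. The
# lookup fails with "no such file", the SDK moves on to the GCE metadata server
# and discovery works with the VM's attached service account. This keeps the
# sandbox tight and is the right choice when no credentials file lives in a
# home directory.
#
# ProtectHome=read-only: the real home directories are visible but not
# writable, so a static application_default_credentials.json can be read.
# Only go this far when the static file is genuinely needed, because it widens
# what the process can read to every user's home directory.
ProtectHome=tmpfs
```

After `systemctl daemon-reload && systemctl restart vmagent`, confirm the effective value with `systemctl show -p ProtectHome vmagent.service`, and compare `systemd-analyze security vmagent.service` before and after to see how much exposure the relaxation adds. If you do need read-only, also make sure the credentials file itself is readable by the service user and by nobody else, since the sandbox no longer stands between the process and the file.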

zekker6 commented 1 year ago

Hi @dstevensson Added a parameter for vmagent to override ProtectHome in the systemd unit. Could you please try to switch to read-only and verify if it helps?

zekker6 commented 1 year ago

Closing as resolved for now, feel free to reopen if that doesn't help.