I agree, this should be uniform. However, this was introduced due to some features in node_exporter needing root permissions (more in https://github.com/cloudalchemy/ansible-node-exporter/pull/74) and as such it is necessary only in this role and not in others.
The ultimate goal for all cloudalchemy roles is to get rid of user management and use systemd dynamic users whenever possible (more on dynamic users at http://0pointer.net/blog/dynamic-users-with-systemd.html).
Thank you for the explanation. I will close this issue.
@SuperQ what is the current status of using the `root` user for node_exporter? Is this still necessary for some collectors (mostly the systemd one)? Were there some changes and we can now (or in the near future) disable it here and force usage of an unprivileged user?
I am asking because I found this PR: https://github.com/prometheus/node_exporter/pull/1587
There was only one sub-feature of the systemd collector that needed root. We have recently made that a hidden flag.
The intention of the node_exporter is that it doesn't need privileges.
Let's reopen this and remove support for changing user (and especially references to the `root` user).
I think leaving `*_system_user` and `*_system_group` as internal variables living in `vars/main.yml` should be ok until all supported OSes use systemd 235 (the version which provides the dynamic users feature).
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Hello
In all cloudalchemy roles the username and group are hard coded. In this role the username and group are freely definable. Is there a reason for this? I think it should be the same style in all roles for convenience reasons. Either username and group are hard coded or freely definable. Do we have an opinion on this?
Greetings