Running ipsec exporter with unprivileged user

[gunhu]

Hello,

I would love to be able to run the ipsec prometheus exporter with unprivileged user:

• Detect if the exporter is running with root privileges and if it is keep the old behavior
• If not use sudo to get ipsec metrics

username ALL=(ALL) NOPASSWD: /usr/sbin/ipsec statusall *

Add this block to allow exporter user to retrieve metrics.

[gunhu]

Hi @dennisstritzke, any chance to get it upstream? :)

[dennisstritzke]

We should get this upstream! Thanks for pinging.

A few things I am thinking about though:

1. Rather than checking for user.Username to be equal to root, it might be more accurate to check user.Uid to be equal to 0 as the user id seems to be hardcoded in the kernel. This should be more robust.
2. Maybe it might be even better to check, if we would probe for permissions during application startup. More concisely, executing ipsec statusall mytunnel would indicate, if the current user is allowed / able to query the tunnel status. If this check fails, we would use sudo ipsec statusall mytunnel.
3. If we are doing point 2, we could also probe, if the sudo call succeeds and fail the exporter startup, if that check fails.

What do you think about that? Should move the exporter closer to a 1.0.0 release.

[gunhu]

1. Is fine for me.
2. / 3. I think we should introduce a flag to enable sudo or not. Because if the user isn't using sudo it will work OOTB and if sudo is enabled, the user probably know what he is doing.

Feel free to share your impressions @dennisstritzke and if it's ok for you I will start to refactor the PR.

[dennisstritzke]

Sounds good to me. Will be happy to receive a PR for this. 😊

[gunhu]

@dennisstritzke Hi, pushed and waiting for review :)

[dennisstritzke]

I created 6cd3829, which contains your work that I amended with a CHANGELOG entry and refactoring it for readability.

[dennisstritzke]

The change is included in the v0.4.0 release. @gunhu, thank you for your contribution.