Open bijwaard opened 1 year ago
Looks like the creation of /var/run/influxd folder is in the /etc/init.d/influxd start script, but it is not reached during startup for some reason. When I move it up just to the beginning of the script, just after the USER and GROUP are initialized:
```
USER=influxdb
GROUP=influxdb
# pid file for the daemon
pidfile=/var/run/influxdb/influxd.pid
piddir=$(dirname "$pidfile")
# create the runtime directory and hand it to the service user
if [ ! -d "$piddir" ]; then
    mkdir -p "$piddir"
    chown "$USER:$GROUP" "$piddir"
fi
```
The socket file is now created when running /etc/init.d/influxd start, but still the timeout is exceeded since the startup test only verifies the HTTP socket, not the unix socket:
```
% sudo /etc/init.d/influxdb start
Starting influxdb (via systemctl): influxdb.serviceJob for influxdb.service failed because a timeout was exceeded.
See "systemctl status influxdb.service" and "journalctl -xe" for details.
% systemctl status influxd
● influxdb.service - InfluxDB is an open-source, distributed, time series datab>
     Loaded: loaded (/lib/systemd/system/influxdb.service; enabled; vendor pres>
     Active: active (running) since Mon 2023-09-25 08:40:41 UTC; 24s ago
       Docs: https://docs.influxdata.com/influxdb/
    Process: 23700 ExecStart=/usr/lib/influxdb/scripts/influxd-systemd-start.sh>
   Main PID: 23701 (influxd)
      Tasks: 10 (limit: 999)
     Memory: 124.0M
        CPU: 9.286s
     CGroup: /system.slice/influxdb.service
             └─23701 /usr/bin/influxd -config /etc/influxdb/influxdb.conf
```
Unfortunately, when running systemctl start influxd, this does not work properly. The creation of the /var/lib/influxd folder needs to be configured in a systemd way in /etc/systemd/system/influxd.service, using the RuntimeDirectory:
```
[Service]
User=influxdb
Group=influxdb
LimitNOFILE=65536
EnvironmentFile=-/etc/default/influxdb
ExecStart=/usr/lib/influxdb/scripts/influxd-systemd-start.sh
KillMode=control-group
Restart=on-failure
Type=forking
PIDFile=/var/lib/influxdb/influxd.pid
RuntimeDirectory=influxdb
```
I guess the PIDFile should preferably also be in the /var/run/influxdb folder (see also #22564), since else it could still be in /var/lib/influxd after a (forced) reboot.
Unfortunately, the service is killed since the timeout is exceeded; I need to fix the startup check for that.
It seems to work with the following change to /usr/lib/influxdb/scripts/influxd-systemd-start.sh that tests for the availability of the socket file:
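```
socket="/var/run/influxdb/influxdb.sock"
# $url and $attempts are expected to be set earlier in the script.
# Keep waiting until the socket file exists and the HTTP check returns 20x or 40x.
while [ ! -S "$socket" ] || { [ "${result:0:2}" != "20" ] && [ "${result:0:2}" != "40" ]; }; do
    attempts=$((attempts + 1))
    echo "InfluxDB API unavailable after $attempts attempts..."
    sleep 1
    result=$(curl -k -s -o /dev/null "$url" -w '%{http_code}')
done
echo "InfluxDB started"
```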
Alternatively, the health could be checked on the unix socket with:
```
% curl --unix-socket /var/run/influxdb/influxdb.sock -k -s -o /dev/null http://localhost/health -w %{http_code}
200%
```
Steps to reproduce: List the minimal actions needed to reproduce the behavior.
Expected behavior: I expected influxdb to start with and listen to the socket. I expected the socket to be opened r/w for user and group, not r/w for others.
Actual behavior: The unix server socket could not be initialized, since /var/run is not writable by the influxdb user for security reasons. The rest of influxdb functionality also stops, and the startup-wrapper keeps retrying to connect. When a socket is opened, it is opened r/w for user, group and others. It would be more secure to disable write for others, so the access to the socket can be controlled by assigning influxdb users to /etc/group.
Normal practice is to use a subfolder in /var/run, e.g. /var/run/influxdb, and have that owned by user:group influxdb:influxdb as part of the startup wrapper (systemd or init.d).
When I configure to use this folder, the socket is opened with r/w for others which gives all local users access to the socket:
The /var/run/influxdb.sock appears to be in the default configuration as well as in the code
Environment info:
uname -srm and copy the output here
influxd version and copy the output here
On Ubuntu:
Config: Copy any non-default config values here or attach the full config as a gist or file.
influxdb.conf, defaults start with #
Logs:
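
An added example, not part of the original issue or of InfluxDB's own scripts: a startup check that waits on the unix socket's /health endpoint, as the issue suggests, and also fails when the socket is accessible by others. The helper names and return codes are hypothetical; the socket path and health URL are the ones quoted in the issue.

```shell
#!/bin/bash
# Added example; helper names are hypothetical, not from InfluxDB's scripts.

# Print the "others" permission triplet of a path, e.g. "rw-" or "---".
others_perms() {
    ls -ld -- "$1" | cut -c8-10
}

# Succeed only when others have no read, write or execute access.
no_access_for_others() {
    [ "$(others_perms "$1")" = "---" ]
}

# Print the HTTP status of /health queried over the unix socket.
socket_health() {
    curl --unix-socket "$1" -s -o /dev/null --max-time 2 \
        -w '%{http_code}' http://localhost/health
}

# Wait for the socket, then check its health and its permissions.
# Returns 0 when ready, 1 on timeout, 3 when others can access the socket.
wait_for_socket() {
    socket=$1
    max_attempts=${2:-30}
    attempts=0
    while [ "$attempts" -lt "$max_attempts" ]; do
        if [ -S "$socket" ]; then
            case "$(socket_health "$socket")" in
                20?|40?)
                    if ! no_access_for_others "$socket"; then
                        echo "$socket is open to others: $(others_perms "$socket")" >&2
                        return 3
                    fi
                    echo "InfluxDB started"
                    return 0
                    ;;
            esac
        fi
        attempts=$((attempts + 1))
        echo "InfluxDB socket unavailable after $attempts attempts..." >&2
        sleep 1
    done
    return 1
}
```

Called as `wait_for_socket /var/run/influxdb/influxdb.sock`, it exits non-zero both when the socket never answers and when its mode would let any local user connect.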