metal-stack / nftables-exporter

prometheus exporter for nftables metrics
GNU General Public License v3.0

Running as non-root user #16

Closed Wunderharke closed 1 year ago

Wunderharke commented 1 year ago

I'd like to run this under a non-root user, and I am using SELinux. Is it sufficient to give CAP_NET_ADMIN permission?

majst01 commented 1 year ago

I think so, just try. Basically nftables-exporter just calls nft list ruleset.

Wunderharke commented 1 year ago

I went with user ALL = NOPASSWD: /sbin/nft -j list ruleset in my sudoers file, which works well when tested by hand. I am not great with Go, that's why I can't really make a pull request myself. However, could you maybe add a config flag for (or defaulting to) using nft with sudo? This way one could run this with read-only access to the nftables, which may be desirable in some cases.

majst01 commented 1 year ago

Why not run the nftables-exporter with sudo? Putting sudo before a command inside a program is bad style.

equinox0815 commented 1 year ago

If you are using systemd you can also make it work using AmbientCapabilities=. I'm using the systemd unit below to make it work:

[Unit]
Description=Prometheus nftables exporter

[Service]
Restart=always
User=prometheus-exporter
ExecStart=/usr/bin/prometheus-nftables-exporter --config=/etc/prometheus/exporter/nftables/config.yml
# nft talks to nf_tables over netlink, which requires CAP_NET_ADMIN even for a
# read-only dump. Grant exactly that capability (ambient so the unprivileged
# user actually gets it, bounding set so nothing else can ever be acquired).
AmbientCapabilities=CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_ADMIN
# Everything below is generic sandboxing; none of it is needed for nft itself.
# Note that NoNewPrivileges= also blocks setuid binaries such as sudo.
DeviceAllow=/dev/null rw
DevicePolicy=strict
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
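
A quick way to verify that a unit like the one above really leaves the exporter with CAP_NET_ADMIN and nothing else is to decode the CapEff mask of the running process from /proc. The script below is an added example written for this thread; it is not part of nftables-exporter. It assumes the service is named prometheus-nftables-exporter.service (pass another unit name as the first argument otherwise) and uses only the capability bit numbers from the Linux capability(7) man page (CAP_NET_BIND_SERVICE=10, CAP_NET_ADMIN=12, CAP_NET_RAW=13, CAP_SYS_ADMIN=21).

```shell
#!/bin/sh
# check-exporter-caps.sh -- added example, not part of nftables-exporter.
# Checks that the exporter's main process holds exactly CAP_NET_ADMIN.

CAP_NET_ADMIN_BIT=12

# cap_eff_of_pid PID: print the CapEff hex mask of a process from /proc.
cap_eff_of_pid() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# check_cap_mask HEXMASK: succeed only if the effective set is exactly
# CAP_NET_ADMIN (bit 12), i.e. the mask equals 0x1000.
check_cap_mask() {
    m=$((0x$1))
    [ "$m" -eq $((1 << CAP_NET_ADMIN_BIT)) ]
}

# decode_caps HEXMASK: print the names of a few well-known capabilities that
# are set in the mask, so a failed check shows what was actually granted.
# Bit numbers are from capability(7); the table is intentionally short.
decode_caps() {
    m=$((0x$1))
    out=""
    for entry in 10:CAP_NET_BIND_SERVICE 12:CAP_NET_ADMIN 13:CAP_NET_RAW 21:CAP_SYS_ADMIN; do
        bit=${entry%%:*}
        name=${entry#*:}
        if [ $(( (m >> bit) & 1 )) -eq 1 ]; then
            out="$out $name"
        fi
    done
    printf '%s\n' "${out# }"
}

# check_exporter_unit [UNIT]: look up the unit's MainPID via systemctl and
# verify its effective capabilities. Unit name is an assumption; adjust it.
check_exporter_unit() {
    unit="${1:-prometheus-nftables-exporter.service}"
    pid=$(systemctl show -p MainPID --value "$unit")
    if [ -z "$pid" ] || [ "$pid" -eq 0 ]; then
        echo "$unit is not running" >&2
        return 1
    fi
    mask=$(cap_eff_of_pid "$pid")
    if check_cap_mask "$mask"; then
        echo "$unit (pid $pid): CapEff=$mask, only CAP_NET_ADMIN is set"
    else
        echo "$unit (pid $pid): CapEff=$mask, set caps: $(decode_caps "$mask")" >&2
        return 1
    fi
}

# Run the check only when executed as a script (not when sourced).
case "${0##*/}" in
    check-exporter-caps.sh) check_exporter_unit "$@" ;;
esac
```

If the mask comes back as 000001ffffffffff (or similar) the exporter is still running with root's full capability set and the User=/AmbientCapabilities= lines are not taking effect. Note also that the unit's NoNewPrivileges=true blocks sudo (a setuid binary) from gaining privileges inside the service, so the sudoers approach from earlier in the thread and this unit cannot be combined as they stand; pick one.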

Wunderharke commented 1 year ago

Both great answers thank you for your support! I managed to set a policy appropriate for my system.