[collectd] Can't run collectd as unprivileged user in network mode

Ruben Kerkhof ruben at rubenkerkhof.com
Fri Dec 14 14:50:56 CET 2018


On Fri, Dec 14, 2018 at 2:45 PM George <izghitu at gmail.com> wrote:
>
> Hi,
>

Hi George,

> I am trying to configure collectd to run as a central server for other collectd clients and to LISTEN for incoming requests. I need it to run as an unprivileged user but it fails with the following errors:
> [metrics at office ~]$ collectd -C /etc/collectd.conf  -f
> [2018-12-14 05:31:16] plugin_load: plugin "logfile" successfully loaded.
> [2018-12-14 05:31:16] logfile: invalid loglevel [debug] defaulting to 'info'
> [2018-12-14 05:31:16] plugin_load: plugin "network" successfully loaded.
> [2018-12-14 05:31:16] plugin_load: plugin "rrdtool" successfully loaded.
> [2018-12-14 05:31:16] network plugin: setsockopt (bind-if): Operation not permitted
> [2018-12-14 05:31:16] network plugin: network_config_add_listen: sockent_server_listen failed.
> [2018-12-14 05:31:16] set_thread_name("rrdtool queue"): Permission denied
> [2018-12-14 05:31:16] set_thread_name("writer#0"): Permission denied
> [2018-12-14 05:31:16] set_thread_name("writer#1"): Permission denied
> [2018-12-14 05:31:16] set_thread_name("writer#2"): Permission denied
> [2018-12-14 05:31:16] set_thread_name("writer#3"): Permission denied
> [2018-12-14 05:31:16] set_thread_name("writer#4"): Permission denied
> [2018-12-14 05:31:16] Initialization complete, entering read-loop.
> ^C[2018-12-14 05:31:17] Exiting normally.
> [2018-12-14 05:31:17] collectd: Stopping 5 write threads.
> [2018-12-14 05:31:17] rrdtool plugin: Shutting down the queue thread.
>
> The OS is CentOS 7. The collectd version is the latest. The /var/lib/collectd, /usr/lib/collectd, /etc/collectd.conf and /etc/collectd.passwd files/folders are owned by the metrics user and the network plugin settings are below:
> <Plugin "network">
>         <Listen "HIDDEN" "25826">
>                 SecurityLevel "Sign"
>                 AuthFile "/etc/collectd.passwd"
>                 Interface "enp1s0f0"
>         </Listen>
> </Plugin>
>
> I tried the setcap command like this:
> setcap 'cap_net_bind_service=+epi' /usr/sbin/collectd

Collectd itself doesn't drop capabilities; systemd does this when you
let it start collectd, so this shouldn't be needed.
>
> but it did not help.
> Please help. Thanks in advance.

Just a guess, but is SELinux enabled? Any AVCs in your audit logs?

Kind regards,

Ruben Kerkhof
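
The AVC check suggested in this reply, as an added example that is not part of the original thread: a shell function that summarises SELinux denials for one command name from audit records. The function names `avc_denials` and `sample_audit_log` and the sample records are constructed for illustration and are not taken from George's system.

```shell
#!/bin/sh
# Added example (not from the thread): summarise SELinux AVC denials for one
# command name. Reads audit records on stdin, prints "count permission tclass".
# On a real host: avc_denials collectd < /var/log/audit/audit.log   (as root)

avc_denials() {
    awk -v want="comm=\"$1\"" '
        # Keep only denied AVC records emitted for the requested command.
        /^type=AVC / && / denied / && index($0, want) {
            perms = $0; sub(/.*[{] /, "", perms); sub(/ [}].*/, "", perms)
            cls = $0;   sub(/.* tclass=/, "", cls); sub(/ .*/, "", cls)
            # One record can list several permissions: { read open }
            n = split(perms, p, " ")
            for (i = 1; i <= n; i++) count[p[i] " " cls]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k2
}

# Constructed sample records in audit.log format (hypothetical values).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1544790676.101:812): avc:  denied  { net_raw } for  pid=2211 comm="collectd" capability=13  scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capability
type=SYSCALL msg=audit(1544790676.101:812): arch=c000003e syscall=54 success=no exit=-1 comm="collectd" exe="/usr/sbin/collectd"
type=AVC msg=audit(1544790676.102:813): avc:  denied  { name_bind } for  pid=2211 comm="collectd" src=25826 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1544790680.440:820): avc:  denied  { net_raw } for  pid=2240 comm="collectd" capability=13  scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capability
type=AVC msg=audit(1544790681.007:821): avc:  denied  { read open } for  pid=900 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Denials recorded for collectd in the constructed sample.
sample_audit_log | avc_denials collectd
```

An empty result for the daemon's command name means the audit log holds no SELinux denial for it, so the failure has to be looked for elsewhere.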