web-dev-qa-db-ja.com

setcap breaks systemd permissions

Adding the SMART plugin utility to collectd version 5.8.

I get a warning about not having the permission to collect I/O data.

Nov  9 13:27:40 db07 collectd[35127]: smart plugin: Running collectd as root, but the CAP_SYS_RAWIO capability is missing. The plugin's read function will probably fail. Is your init system dropping capabilities?

setcap to allow this capability for collectd:

root@foo# setcap cap_sys_rawio=ep /usr/sbin/collectd

After the permission was added, systemd can no longer start the process:

Nov  9 13:27:26 db07 systemd[34172]: Failed at step EXEC spawning /usr/sbin/collectd: Operation not permitted
Nov  9 13:27:26 db07 systemd[1]: collectd.service: main process exited, code=exited, status=203/EXEC
Nov  9 13:27:26 db07 systemd[1]: Unit collectd.service entered failed state.
Nov  9 13:27:26 db07 systemd[1]: collectd.service failed.
Nov  9 13:27:27 db07 systemd[1]: collectd.service holdoff time over, scheduling restart.
Nov  9 13:27:27 db07 systemd[34174]: Failed at step EXEC spawning /usr/sbin/collectd: Operation not permitted

Why can't systemd run it once this flag is added?

Edit: adding the systemctl collectd.service configuration, as suggested:

 [root@Host ~]# systemctl cat collectd.service
 # /usr/lib/systemd/system/collectd.service
 [Unit]
 Description=Collectd statistics daemon
 Documentation=man:collectd(1) man:collectd.conf(5)
 After=local-fs.target network-online.target
 Requires=local-fs.target network-online.target

 [Service]
 ExecStart=/usr/sbin/collectd
 EnvironmentFile=-/etc/sysconfig/collectd
 EnvironmentFile=-/etc/default/collectd
 ProtectSystem=full
 ProtectHome=true

 # A few plugins won't work without some privileges, which you'll have to
 # specify using the CapabilityBoundingSet directive below.
 #
 # Here's a (incomplete) list of the plugins known capability requirements:
 #   ceph            CAP_DAC_OVERRIDE
 #   dns             CAP_NET_RAW
 #   exec            CAP_SETUID CAP_SETGID
 #   intel_rdt       CAP_SYS_RAWIO
 #   intel_pmu       CAP_SYS_ADMIN
 #   iptables        CAP_NET_ADMIN
 #   ping            CAP_NET_RAW
 #   smart           CAP_SYS_RAWIO
 #   turbostat       CAP_SYS_RAWIO
 #
 # Example, if you use the iptables plugin alongside the dns or ping plugin:
 #CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
 #
 # By default, drop all capabilities:
 CapabilityBoundingSet=

 # Tell systemd it will receive a notification from collectd over its control
 # socket once the daemon is ready. See systemd.service(5) for more details.
 Type=notify

 # Restart the collectd daemon when it fails.
 Restart=on-failure

 [Install]
 WantedBy=multi-user.target

 # /etc/systemd/system/collectd.service.d/override.conf
 CapabilityBoundingSet=CAP_SYS_RAWIO
1
Ethan Shrago

Try adding the capability using systemd.

systemctl edit collectd

Then add the following line to the [Service] section.

CapabilityBoundingSet=CAP_SYS_RAWIO
1
faxmodem
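An added illustration of why the two approaches on this page behave differently. It is not part of the question or the answer above, and it is not code from collectd, systemd or the kernel; it only models two documented rules with constructed input. First, systemd merges repeated CapabilityBoundingSet= assignments (systemd.exec(5)): an empty value resets the set to nothing, and later non-empty values are OR'ed in, so the drop-in in the question re-adds CAP_SYS_RAWIO after the packaged unit dropped everything. Second, the kernel refuses execve() with EPERM when a binary carries file capabilities with the Effective flag and the new process cannot obtain all of its file-permitted capabilities, for instance because they lie outside its bounding set (capabilities(7)); systemd reports that as "status=203/EXEC", which is exactly the failure after running setcap under a unit with CapabilityBoundingSet=. The unit text and getcap-style strings below are constructed; the "~" inverted form of CapabilityBoundingSet= and the inheritable-set path are not modelled.

```shell
#!/bin/sh
# Added example (not from the question, the answer, collectd or systemd).
# Models (1) systemd's CapabilityBoundingSet= merge rule and (2) the kernel's
# EPERM-on-exec rule for binaries with file capabilities.

# Effective bounding set for unit text on stdin, shaped like "systemctl cat"
# output (main unit first, then drop-ins). Prints one upper-cased capability
# per line, sorted; prints nothing for an empty set. Commented-out lines
# ("#CapabilityBoundingSet=...") are ignored, as systemd ignores them.
bounding_set() {
    awk '
        /^[ \t]*CapabilityBoundingSet=/ {
            sub(/^[ \t]*CapabilityBoundingSet=/, "")
            if ($0 ~ /^[ \t]*$/) { for (k in set) delete set[k]; next }   # empty value resets
            n = split($0, caps, /[ \t]+/)
            for (i = 1; i <= n; i++) if (caps[i] != "") set[toupper(caps[i])] = 1
        }
        END { for (k in set) print k }' | sort
}

# Would execve() of a binary whose capability text (as getcap prints it, e.g.
# "cap_sys_rawio=ep" or "cap_sys_rawio+ep") is $1 succeed for a process whose
# bounding set is $2 (newline-separated, as bounding_set prints)?
# Returns 0 for "exec proceeds", 1 for "kernel returns EPERM".
exec_allowed() {
    fcaps=$1
    bset=$2
    effective=no
    for clause in $fcaps; do                        # clauses are whitespace-separated
        case $clause in *[=+]*e*) effective=yes ;; esac
    done
    # Without the file Effective bit the kernel never fails exec over
    # capabilities; the process simply gets fewer than the file asks for.
    [ "$effective" = yes ] || return 0
    for clause in $fcaps; do
        case $clause in *[=+]*p*) ;; *) continue ;; esac   # only file-permitted caps count
        for cap in $(printf '%s\n' "${clause%%[=+]*}" | tr ',' ' ' | tr 'a-z' 'A-Z'); do
            printf '%s\n' "$bset" | grep -qx "$cap" || return 1
        done
    done
    return 0
}

# $1 = unit text, $2 = file capabilities of the ExecStart binary.
# Prints "allowed" or "EPERM".
verdict() {
    bset=$(printf '%s\n' "$1" | bounding_set)
    if exec_allowed "$2" "$bset"; then echo allowed; else echo EPERM; fi
}

# Constructed unit text: the packaged unit drops every capability.
UNIT_ALONE='[Service]
ExecStart=/usr/sbin/collectd
#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
CapabilityBoundingSet='

# Constructed unit text plus a drop-in like the one in the question.
UNIT_WITH_DROPIN="$UNIT_ALONE

# /etc/systemd/system/collectd.service.d/override.conf
[Service]
CapabilityBoundingSet=CAP_SYS_RAWIO"

verdict "$UNIT_ALONE" ""                          # allowed: no file caps, root just lacks CAP_SYS_RAWIO (the smart plugin warning)
verdict "$UNIT_ALONE" "cap_sys_rawio=ep"          # EPERM: the 203/EXEC failure after setcap
verdict "$UNIT_WITH_DROPIN" "cap_sys_rawio=ep"    # allowed: the drop-in put CAP_SYS_RAWIO back in the bounding set
```

On a real host the two inputs come from `systemctl show -p CapabilityBoundingSet collectd.service` and `getcap /usr/sbin/collectd`. Note that once the bounding set contains CAP_SYS_RAWIO, a service running as root gets that capability without any file capability on the binary at all, so the drop-in alone is enough and the setcap step is what introduces the hard failure under the packaged unit.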