Systemd unit

[jcaesar]

Problem

I'd like to run scaphandre on some plain old bare metal servers. Is there a systemd unit file somewhere I can use?

Solution

I'd think something like this?

[Unit]
Description=Scaphandre Prometheus
Wants=network.target
After=network.target

[Service]
# systemctl edit and add these if you want to further limit access
#IPAddressAllow=localhost
#IPAddressDeny=any

ExecStartPre=-+/usr/bin/modprobe intel_rapl_common
ExecStartPre=+/usr/bin/find /sys/devices/virtual/powercap -name energy_uj -exec chmod g+r -R {} + -exec chown root:powercap {} +
ExecStart=/usr/local/bin/scaphandre $SCAPHANDRE_ARGS
EnvironmentFile=/etc/conf.d/scaphandre

CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DevicePolicy=closed
DynamicUser=yes
Group=powercap
IPAccounting=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
MemoryMax=100M
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SyslogIdentifier=scaphandre
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@debug
SystemCallFilter=~@keyring
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@obsolete
SystemCallFilter=~@privileged
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@resources
SystemCallFilter=~@swap
UMask=0777

[Install]
WantedBy=multi-user.target

[TheElectronWill]

AFAIK there is no "official" systemd unit file yet, we should build a good one as a community ^^

[jcaesar]

Somewhat more elaborate, but for the permission setup, one can also use:

• /usr/lib/modules-load.d/intel_rapl_common.conf

  intel_rapl_common
  

• /usr/lib/sysusers.d/powercap-group.conf

  g powercap -
  

• /usr/lib/udev/rules.d/20-energy_uj_owner.rules

  ENV{SUBSYSTEM}=="powercap", ACTION=="add|change", OWNER="root", PROGRAM+="/usr/bin/find /sys$env{DEVPATH} -name energy_uj -exec chmod g+r -R {} + -exec chown root:powercap {} +"
  

• /usr/lib/systemd/system/scaphandre.service.d/powercap.conf

  [Service]
  SupplementaryGroups=powercap
  # No need for Group= anymore
  

This is probably more suitable for distro installs.

(I do wonder why find is necessary in the udev rules, serverfault brought no answers.)

[bpetit]

Hi ! @jcaesar your first proposition of a service file works properly on ubuntu 22.04.2. I just had to change paths for modprobe and the config file (which makes me think we may need per-distro service files ?).

I'll give a try to what you proposed for permissions management as well. Thanks for that.

I'll also work on a RPM package soon so I'll have to validate this on redhat as well.

I'd love to hear your and @TheElectronWill 's thoughts about how we should organise this, maybe a contrib folder where one could propose working service file for other distributions through PRs ?

[jcaesar]

contrib sounds good to me. One other example I'm aware of is miniserve naming said folder packaging, which might be more likely to be picked up by maintainers.

[TheElectronWill]

packaging for packages, that sounds good :) contrib is a bit too vague IMO

Another thing to think about is testing: the packages should build properly on each platform, that's a good job for Github Actions, isn't it?

[bpetit]

packaging for packages, that sounds good :) contrib is a bit too vague IMO

Another thing to think about is testing: the packages should build properly on each platform, that's a good job for Github Actions, isn't it?

according to Github Actions doc virtual machine images for Github-hosted runners, are limited to ubuntu as a linux ditribution.

We may have to either deploy github actions self-hosted runners virtual machines with the distribution we want to support and target them in GA, or use awx and call jobs in GA to do the same (as done for the bare metal tests).

[TheElectronWill]

A docker environment (on ubuntu) should work here, no need for a self-hosted runner.

For example, there are github actions that build RPM packages thanks to a docker image:

https://github.com/marketplace/actions/rpm-build

[bpetit]

Great ! I'll give it a try. Thanks !

[bpetit]

Just added a packaging folder with two services files, one for ubuntu 22.04, one for redhat 9.

I guess what you proposed @jcaesar is better regarding security config, but maybe we could integrate those in the process of doing the full package for a distribution ?

[jcaesar]

Maybe. But I don't have an overview of how different distros handle adding system groups. sysusers.d might not be as universal as I think it is.