procstat permission denied #517

Closed
jcmartins opened this issue Jan 14, 2016 · 10 comments
Labels
area/procstat bug unexpected problem or unintended behavior

Comments

@jcmartins

Telegraf - Version 0.10.0

cat /var/log/telegraf/telegraf.log
2016/01/14 19:29:00 procstat, fd stats not available: NumFD error: open /proc/4564/fd: permission denied
2016/01/14 19:29:00 procstat, io stats not available: IOCounters error: open /proc/4564/io: permission denied

ps -aux | grep telegraf
telegraf 4788 0.0 0.1 319472 14660 pts/0 Sl 19:27 0:00 /usr/bin/telegraf -pidfile /var/run/telegraf/telegraf.pid -config /etc/telegraf/telegraf.conf -config-directory /etc/telegraf/telegraf.d

ls -la /proc/4564/
-dr-x------ 1 influxdb influxdb 0 Jan 14 19:23 /proc/4564/io/fd
-r-------- 1 influxdb influxdb 0 Jan 14 19:23 /proc/4564/io

As you can see, we have different users and groups.

tks
joao

@rossmcdonald
Contributor

I've run into this issue as well. The easiest solution is to run the Telegraf service as root, though I would only recommend doing that on test boxes as it can have pretty severe security implications. An alternative is to modify the /etc/init.d/influxdb service to make the /proc/<pid> directories group readable, and then add the telegraf user to the influxdb group.

@jcmartins
Author

InfluxData could create a unique group for all its software (influxdb, telegraf, kapacitor, etc.)...

@ralidousti

The "netstat" input has the same issue (since telegraf is using lsof internally). Aside from running telegraf as root, is there any other trick I can apply?

@sparrc
Contributor

sparrc commented Feb 3, 2016

@ralidousti You should be able to use setcap to grant telegraf permission to execute lsof. I'm not 100% sure which capability telegraf would need, but you could try:

setcap cap_net_raw=+ep /usr/bin/telegraf

or

setcap cap_net_bind_service=+ep /usr/bin/telegraf

There's also cap_net_admin, but that has more security implications (see http://man7.org/linux/man-pages/man7/capabilities.7.html).

@ralidousti

Good thinking. Thank you.

@sparrc
Contributor

sparrc commented Feb 4, 2016

@ralidousti Did it solve your issue? Which of those capabilities did it?

@ralidousti

@sparrc actually neither worked in this case (lsof) but the idea is neat. Currently I'm just running it as root.

@sparrc added the bug (unexpected problem or unintended behavior) label Mar 7, 2016
@danielnelson
Contributor

In the current version you shouldn't get this warning anymore; however, these fields will just not be included in the output.

The netstat lsof permission issue was fixed in #656

@danielnelson
Contributor

From man 5 proc:

         Permission  to  dereference  or  read (readlink(2)) the symbolic
         links in this directory is governed  by  a  ptrace  access  mode
         PTRACE_MODE_READ_FSCREDS check; see ptrace(2).

I tried to figure out how to configure this but was unsuccessful reading. Anyone know how to give a user or group these permissions?
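
Added example (not part of the original thread or of Telegraf's code): the credential rule that ptrace(2) gives for the PTRACE_MODE_READ_FSCREDS check quoted above, applied to files in /proc/<pid>/status format. It models only that rule (not the dumpable flag, LSMs, user namespaces or the mode bits on /proc/<pid>/fd), and the function name, sample files and numeric IDs are constructed for illustration.

```shell
#!/bin/sh
# ptrace_read_allowed CALLER TARGET: both are files in /proc/<pid>/status format.
# Applies the credential rule from ptrace(2) for PTRACE_MODE_READ_FSCREDS and
# prints the outcome; returns 0 when the rule passes, 1 otherwise.
ptrace_read_allowed() {
    capeff=$(awk '$1 == "CapEff:" { print $2 }' "$1")
    # CAP_SYS_PTRACE is bit 19 of the effective capability mask.
    if [ $(( 0x${capeff:-0} >> 19 & 1 )) -eq 1 ]; then
        echo "allowed: caller holds CAP_SYS_PTRACE"
        return 0
    fi
    # Uid:/Gid: columns are real, effective, saved-set, filesystem.
    fsuid=$(awk '$1 == "Uid:" { print $5 }' "$1")
    fsgid=$(awk '$1 == "Gid:" { print $5 }' "$1")
    # The caller's filesystem IDs must equal all three target IDs of each kind.
    if awk -v u="$fsuid" -v g="$fsgid" '
        $1 == "Uid:" { seen++; if ($2 != u || $3 != u || $4 != u) bad = 1 }
        $1 == "Gid:" { seen++; if ($2 != g || $3 != g || $4 != g) bad = 1 }
        END { exit (bad || seen != 2) }' "$2"
    then
        echo "allowed: caller fsuid/fsgid match the target's IDs"
        return 0
    fi
    echo "denied: fsuid=$fsuid fsgid=$fsgid do not match the target's IDs"
    return 1
}

# Constructed sample status files (process names and numeric IDs are made up).
tmp=$(mktemp -d)
mkstatus() { # args: FILE USER_ID GROUP_ID GROUPS CAPEFF
    printf 'Uid:\t%s\t%s\t%s\t%s\nGid:\t%s\t%s\t%s\t%s\nGroups:\t%s\nCapEff:\t%s\n' \
        "$2" "$2" "$2" "$2" "$3" "$3" "$3" "$3" "$4" "$5" > "$1"
}
mkstatus "$tmp/influxd"      997 997 "997"     0000000000000000
mkstatus "$tmp/telegraf"     998 998 "998"     0000000000000000
mkstatus "$tmp/telegraf_grp" 998 998 "997 998" 0000000000000000  # supplementary group only
mkstatus "$tmp/telegraf_cap" 998 998 "998"     0000000000080000  # CAP_SYS_PTRACE bit set

for caller in telegraf telegraf_grp telegraf_cap influxd; do
    printf '%-13s -> ' "$caller"
    ptrace_read_allowed "$tmp/$caller" "$tmp/influxd" || true
done
```

To check live processes, pass /proc/<caller-pid>/status and /proc/<target-pid>/status as the two arguments.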

@danielnelson
Contributor

I believe this issue was resolved, to the degree it can be, in Telegraf 1.3. Please open a new issue if there are remaining issues.
