Capabilities for alloy beyla.ebpf leads to prometheus.exporter.unix name=mountstats "Permission denied" #2535

Open
Nachtfalkeaw opened this issue Jan 24, 2025 · 2 comments
Labels
beyla bug Something isn't working

Comments

@Nachtfalkeaw
What's wrong?

For beyla.ebpf in alloy 1.5.1 you need additional capabilities:

[root@hostname alloy]# getcap alloy
alloy cap_sys_ptrace,cap_sys_admin=ep

If these capabilities are configured alloy prints this error message of mountstats and Permission denied:

alloy[4059081]: ts=2025-01-24T22:51:46.737245178Z level=error msg="collector failed" component_path=/ component_id=prometheus.exporter.unix.node_exporter name=mountstats duration_seconds=7.99e-05 err="failed to parse mountstats: open /proc/4059081/mountstats: permission denied"

If I remove all capabilities from alloy, restart the alloy service, then mountstats has no permission issues anymore.

my RHEL8 system:

[root@ hostname alloy]# uname -a
Linux hostname 4.18.0-553.27.1.el8_10.x86_64 #1 SMP Fri Oct 18 06:18:15 EDT 2024 x86_64 x86_64 x86_64 GNU/Linux
[root@hostname alloy]#

[root@hostname alloy]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.10 (Ootpa)
[root@hostname alloy]#

My alloy version:

[root@hostname alloy]# ./alloy -v
alloy, version v1.5.1 (branch: HEAD, revision: dc8a365f8)
  build user:       root@19aa8bb023d9
  build date:       2024-12-03T16:39:10Z
  go version:       go1.22.7
  platform:         linux/amd64
  tags:             netgo,builtinassets,promtail_journal_enabled
[root@hostname alloy]#

Steps to reproduce

set capabilities for alloy which are needed for beyla.ebpf
enable prometheus.exporter.unix mountstats metrics
restart alloy
run alloy not as root user but as a separate user "grafana" in group "grafana"

System information

Linux hostname 4.18.0-553.27.1.el8_10.x86_64 #1 SMP Fri Oct 18 06:18:15 EDT 2024 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux release 8.10 (Ootpa)

Software version

Grafana Alloy 1.5.1

Configuration

[root@hostname alloy]# getcap alloy
alloy cap_sys_ptrace,cap_sys_admin=ep

Logs

alloy[4059081]: ts=2025-01-24T22:51:46.737245178Z level=error msg="collector failed" component_path=/ component_id=prometheus.exporter.unix.node_exporter name=mountstats duration_seconds=7.99e-05 err="failed to parse mountstats: open /proc/4059081/mountstats: permission denied"
@Nachtfalkeaw Nachtfalkeaw added the bug Something isn't working label Jan 24, 2025
@Nachtfalkeaw Nachtfalkeaw changed the title Capabilities for alloy beyla.ebpf leads to prometheus.exporter.unix.node_exporter name=mountstats "Permission denied" Capabilities for alloy beyla.ebpf leads to prometheus.exporter.unix name=mountstats "Permission denied" Jan 26, 2025
@Nachtfalkeaw
Author

@mariomac and @grcevski
Another alloy + beyla + capabilities issue. Maybe you could have a look, too, if this is expected in beyla 2.x and can be better documented and tested that the capabilities needed for beyla.ebpf can be used by other alloy components.

@grcevski

grcevski commented Feb 5, 2025

Yeah these are bugs, thanks for reporting them.
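
A diagnostic for the symptom reported in this issue, added here as an example; it is not code from the thread or from the Alloy project. It prints a process's effective capabilities and checks whether /proc/<pid>/mountstats is owned by the process's effective UID. The check assumes the cause is the behaviour documented in proc(5) and prctl(2), where a non-root process started from a binary with file capabilities is marked non-dumpable and its /proc/<pid> files become root-owned; the thread does not confirm this. The function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic example; function names are hypothetical, not Alloy's.

# Decode a CapEff hex mask from /proc/<pid>/status into capability names.
# Bit numbers come from linux/capability.h; only the two capabilities from
# the issue and the two DAC-bypass capabilities are listed.
cap_names() {
    mask=$((0x$1)); out=""
    for pair in 1:cap_dac_override 2:cap_dac_read_search \
                19:cap_sys_ptrace 21:cap_sys_admin; do
        bit=${pair%%:*}; name=${pair#*:}
        if [ $(( ($mask >> $bit) & 1 )) -eq 1 ]; then
            out="${out:+$out,}$name"
        fi
    done
    echo "${out:-none}"
}

# Compare the effective UID of a process with the owner of its mountstats
# file. $1 is a proc directory such as /proc/4059081 (run as root so that
# any PID can be inspected).
proc_check() {
    dir=$1
    # Uid: line holds real, effective, saved and filesystem UIDs.
    euid=$(awk '$1 == "Uid:" {print $3}' "$dir/status")
    caps=$(awk '$1 == "CapEff:" {print $2}' "$dir/status")
    owner=$(stat -c %u "$dir/mountstats")
    if [ "$owner" = "$euid" ]; then
        verdict=owner-matches
    else
        # mountstats is readable by its owner only, so a process whose
        # file is owned by another UID needs a DAC-bypass capability.
        verdict=owner-mismatch
    fi
    echo "euid=$euid owner=$owner caps=$(cap_names "$caps") $verdict"
}

# Usage: sh check.sh <pid>
if [ -n "$1" ]; then
    proc_check "/proc/$1"
fi
```

An owner-mismatch result without cap_dac_override or cap_dac_read_search in the list is consistent with the "permission denied" in the log above.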
