Jakub Klinkovský pushed to branch main at Arch Linux / Packaging / Packages / prometheus-smartctl-exporter
Commits: b8727762 by Markus Pesch at 2026-01-17T09:39:53+01:00 fix: execute systemd service as non-root user The patch introduces the sysuser `smartctl-exporter`. This was based on the prometheus-bind-exporter package. The new user is used as the executing user of the exporter. The permissions of `AmbientCapabilities` were not defined. As a result, the capabilities from `CapabilityBoundingSet` were not transferred to process forks, resulting in a permission denied error. With regard to NVMe disks, the process requires the `NVME_IOCTL_ADMIN_CMD` permission. However, this is not included in any capability except `CAP_SYS_ADMIN`. The configuration is therefore somewhat contradictory, as `SystemCallFilter=~@privileged` filters privileged capabilities. It needs to be clarified exactly which permissions the exporter requires. I think only the developers can clarify this. In any case, the patch ensures that the application can be started and executed as a systemd service. Signed-off-by: Markus Pesch <[email protected]> - - - - - 4 changed files: - .SRCINFO - PKGBUILD - prometheus-smartctl-exporter.service - + prometheus-smartctl-exporter.sysusers Changes: ===================================== .SRCINFO ===================================== @@ -13,8 +13,10 @@ pkgbase = prometheus-smartctl-exporter source = prometheus-smartctl-exporter-0.14.0.tar.gz::https://github.com/prometheus-community/smartctl_exporter/archive/refs/tags/v0.14.0.tar.gz source = prometheus-smartctl-exporter.conf source = prometheus-smartctl-exporter.service + source = prometheus-smartctl-exporter.sysusers b2sums = 93b5e0be2941303e3b1681d7e49c89f84c155e234a31ce9e8e80b8263718b1eb30c1443fc49f77e295fcee9f9d830e986889726c8c4d45d63e9abebbf03eaf3e b2sums = 8f90333769207a931453ef129c1cb91bfd5351d43df64826bc2fafe07b149028b156eb74ac5dfe4e5d990f39605b94e93d1b2598d4eca85ead06b0db5555c50c - b2sums = 124b6b6273e99e7e72d8a3a569ffe46efe07e0fa70fa5f6a3135f3b2ad6f49c9737e2d491a29adac292f95e8524b8f11cb2e4aad617ff0c26b4f50c819d767ac + b2sums = 6d252f7040ded57914e4ad455797aa298b14faec514dc3a5b8a420be81a19298f841a53efbd8a42ba0dea98ced546920aa7c3b9c09b86bfacf6b0f00ea209686 + b2sums = 93466afbae66c74fd4e1641a77a5a803d8c7f9ef689054d6d42da0db887f2bf1890a25fba9276c2d77f64633f55be68731d545af9e6d8f610b703f6f6af54f84 pkgname = prometheus-smartctl-exporter ===================================== PKGBUILD ===================================== @@ -13,12 +13,16 @@ makedepends=(go) backup=("etc/conf.d/$pkgname") # we cannot use LTO as otherwise we do not get reproducible package with full RELRO options=('!lto') -source=("$pkgname-$pkgver.tar.gz::$url/archive/refs/tags/v$pkgver.tar.gz" - "$pkgname.conf" - "$pkgname.service") +source=( + "$pkgname-$pkgver.tar.gz::$url/archive/refs/tags/v$pkgver.tar.gz" + "$pkgname.conf" + "$pkgname.service" + "$pkgname.sysusers" +) b2sums=('93b5e0be2941303e3b1681d7e49c89f84c155e234a31ce9e8e80b8263718b1eb30c1443fc49f77e295fcee9f9d830e986889726c8c4d45d63e9abebbf03eaf3e' '8f90333769207a931453ef129c1cb91bfd5351d43df64826bc2fafe07b149028b156eb74ac5dfe4e5d990f39605b94e93d1b2598d4eca85ead06b0db5555c50c' - '124b6b6273e99e7e72d8a3a569ffe46efe07e0fa70fa5f6a3135f3b2ad6f49c9737e2d491a29adac292f95e8524b8f11cb2e4aad617ff0c26b4f50c819d767ac') + '6d252f7040ded57914e4ad455797aa298b14faec514dc3a5b8a420be81a19298f841a53efbd8a42ba0dea98ced546920aa7c3b9c09b86bfacf6b0f00ea209686' + '93466afbae66c74fd4e1641a77a5a803d8c7f9ef689054d6d42da0db887f2bf1890a25fba9276c2d77f64633f55be68731d545af9e6d8f610b703f6f6af54f84') prepare() { cd "$_name-$pkgver" @@ -51,9 +55,10 @@ build() { } package() { - # systemd service + # systemd integration install -vDm 644 "$pkgname.service" -t "$pkgdir/usr/lib/systemd/system/" install -vDm 644 "$pkgname.conf" "$pkgdir/etc/conf.d/$pkgname" + install -vDm 644 "$pkgname.sysusers" "$pkgdir/usr/lib/sysusers.d/$pkgname.conf" cd "$_name-$pkgver" ===================================== prometheus-smartctl-exporter.service ===================================== @@ -7,8 +7,8 @@ ConditionVirtualization=false [Service] EnvironmentFile=-/etc/conf.d/prometheus-smartctl-exporter ExecStart=/usr/bin/prometheus-smartctl-exporter $SMARTCTL_EXPORTER_ARGS -User=root -Group=root +User=smartctl-exporter +Group=smartctl-exporter Restart=on-failure NoNewPrivileges=true @@ -33,8 +33,12 @@ MemoryDenyWriteExecute=true RestrictRealtime=true RestrictSUIDSGID=true RemoveIPC=true -CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_RAWIO CAP_MKNOD -AmbientCapabilities= + +# CAP_SYS_ADMIN: Required by NVME_IOCTL_ADMIN_CMD to read NVMe SMART/Health Information +# CAP_DAC_READ_SEARCH: Required to search for disks +# CAP_SYS_RAWIO: Required to to read disk SMART/Health Information +AmbientCapabilities=CAP_SYS_ADMIN CAP_DAC_READ_SEARCH CAP_SYS_RAWIO +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_READ_SEARCH CAP_SYS_RAWIO SystemCallFilter=@system-service SystemCallFilter=~@privileged @resources ===================================== prometheus-smartctl-exporter.sysusers ===================================== @@ -0,0 +1 @@ +u! smartctl-exporter - "Prometheus smartctl exporter user" View it on GitLab: https://gitlab.archlinux.org/archlinux/packaging/packages/prometheus-smartctl-exporter/-/commit/b872776265474e9bd8b69ff128c002cf4b005f44 -- View it on GitLab: https://gitlab.archlinux.org/archlinux/packaging/packages/prometheus-smartctl-exporter/-/commit/b872776265474e9bd8b69ff128c002cf4b005f44 You're receiving this email because of your account on gitlab.archlinux.org.
