Comments (12)
The ping binary should not have suid set, but rather have appropriate capabilities:
$ getcap /bin/ping
/bin/ping = cap_net_raw+ep
Same goes for the exporter:
sudo setcap cap_net_raw+ep blackbox_exporter
With this setting the exporter will run properly without suid/uid=0 set.
from blackbox_exporter.
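An added example, not part of the original thread or the project's code: a small Go check that reads the `CapEff` mask from `/proc/<pid>/status` and reports whether a process holds `CAP_NET_RAW` (bit 13 in `<linux/capability.h>`) and how many other capabilities it holds, which separates the `setcap cap_net_raw+ep` setup from a container that simply runs as root. The names `auditStatus`, `CapAudit` and `sampleStatus` are hypothetical, and the sample status text is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"math/bits"
	"os"
	"strconv"
	"strings"
)

// capNetRaw is the bit index of CAP_NET_RAW in <linux/capability.h>.
const capNetRaw = 13

// sampleStatus is constructed: a process holding only cap_net_raw.
const sampleStatus = "Name:\tblackbox_exporter\nCapEff:\t0000000000002000\n"

// CapAudit summarises the effective capability set of a process.
type CapAudit struct {
	HasNetRaw bool // raw ICMP sockets can be opened
	Extra     int  // effective capabilities other than CAP_NET_RAW
}

// auditStatus parses the text of /proc/<pid>/status and inspects CapEff.
func auditStatus(status string) (CapAudit, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "CapEff:") {
			continue
		}
		hex := strings.TrimSpace(strings.TrimPrefix(line, "CapEff:"))
		mask, err := strconv.ParseUint(hex, 16, 64)
		if err != nil {
			return CapAudit{}, fmt.Errorf("bad CapEff value: %w", err)
		}
		raw := uint64(1) << capNetRaw
		return CapAudit{HasNetRaw: mask&raw != 0, Extra: bits.OnesCount64(mask &^ raw)}, nil
	}
	return CapAudit{}, fmt.Errorf("no CapEff line found")
}

func main() {
	status := sampleStatus
	if data, err := os.ReadFile("/proc/self/status"); err == nil {
		status = string(data) // live value on Linux; sample otherwise
	}
	a, err := auditStatus(status)
	fmt.Printf("CAP_NET_RAW=%v extra=%d err=%v\n", a.HasNetRaw, a.Extra, err)
}
```

A result of `HasNetRaw=true` with `Extra=0` is the least-privilege case; a large `Extra` count means the process carries far more than the ICMP probe needs.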
I'm hitting this problem as well. Can't use setcap within the container either.
from blackbox_exporter.
Can you guys try with the master tag?
The current latest tag is based on alpine and run with an unprivileged user golang.
The current master tag is based on busybox and run as root.
from blackbox_exporter.
This seems like more of a Docker/security/systemd problem than one with the blackbox exporter. I'd suggest asking those communities how to get raw socket access.
0 means failure, in general for boolean metrics 0 is false and 1 is true.
from blackbox_exporter.
Is the golang program somehow dropping perms I wonder? Inside the container I can ping fine.
[root@rojak system]# docker exec -i -t blackboxprober sh
/bin $ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=58 time=2.023 ms
64 bytes from 8.8.8.8: seq=1 ttl=58 time=1.748 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
from blackbox_exporter.
ping is SUID, so it has root.
from blackbox_exporter.
Can't the golang binary be set up to also have suid in the Dockerfile?
from blackbox_exporter.
So if we want to run this in Docker we should probably try to do the same thing in this exporter? AFAIK ping is suid, raises privs to open socket & then returns to non-suid to continue. Can we do the same?
from blackbox_exporter.
It's a bit more complicated as 1) we'd need to support dropping privs on all platforms with all the associated options and 2) we'd need to share the one open socket across all the scrapes.
from blackbox_exporter.
True but doable. Could be a "fun" challenge :)
from blackbox_exporter.
Working!
probe_success 1
Thanks!
from blackbox_exporter.
We've documented the requirements now.
from blackbox_exporter.