No LVM disk space usage on CentOS

[tech-mint]

Question summary

the lvm disk space usage isn't monitoring.

OS / Environment

CentOS 7.3

I did reviewed issue #3696 but couldn't understand anything

[thiagoftsm]

Hi @tech-mint ,

I saw the issue that you cited( #3696) and according to that issue, there was a problem with the permissions. The netdata user(the default is "netdata", but you can change it using the option "run as user" in the section [global] of netdata.conf.) did not have permission to access the volume. In the issue the user said us that the netdata was running in chroot(an isolated environment), so it could not access his lvm volume that was in the root of the operate system.

For we confirm that you are having the exact same problem, please can you do the following steps:

1. Is your Netdata running in a box(chroot,docker)?
2. Check the "run as user" in your netdata.conf to confirm that "netdata" is the user that runs your Netdata.
3. See the permission(user permission, group permission, other permission) to confirm that the user that Netdata uses can access the volume.

With your an answer and the next steps we can confirm that you have the exact same issue related in #3696.

[tech-mint]

I really appreciate your quick response and attention

the answer to your questions are as following:

1. I am running netdata on a cloud virtual machine
2. run as user = netdata
3. the lvm is created by root thus it's owned by root -> what do you recommend?

thanks

[thiagoftsm]

To be owner by root cannot be considered a problem, unless the other two other group of permissions does not allow the user netdata to access it.

You created the lvm as "root", so it is possible that the group root is also the owner of the group, you can check this running the following command:

$ ls -l / | grep VOLUME

, here I am assuming that your lvm is a directory called /VOLUME, please, change the directory in "ls" command and the "VOLUME" in the "grep" according to your virtual machine. An important thing that we must have in our mind, case the root is the group of the volume, you will follow in one of the following cases:

1 - root is group : It is not recommended the netdata to be part of the root group, to be more precise, it is not recommended that anybody except root to be in this group.
2 - the others permissions is not sufficient: Right now this is what I am thinking is happening, but it is necessary to take care with this too, because we do not need everybody reading or writing information in the volume.

Please, remember that everything that I am doing here are suppositions, no less important, I am trying to always bring the safety to the description, because we want netdata running and your data safe. We cannot split both.

There are more than 10 years that I am not working more as a network administrator, so considering this, what I can say for you now is until where I remember we can use /etc/fstab to set some information about users, another possible road is to take care about the permission for others.

In your netdata logs, do you have same error about access denied to the volume we are talking about?

Best regards!

[tech-mint]

i checked $ ls -l / | grep VOLUME as you said
here is the result
lrwxrwxrwx. 1 root root 7 Jul 6 08:23 /dev/vg/data-lvm -> ../dm-0

and the logs had nothing on lvm

thanks for your support

[thiagoftsm]

Hi @tech-mint , the first letter of the result("l") is showing us that you have a symbolic link to /dev/vg/dm-0, please, can you run the following command:

$ ls -l /dev/vg | grep dm-0

this will give us the permission on dm-0 that is your lvm device.

[tech-mint]

hi @thiagoftsm

here what it is:
brw-rw----. 1 root disk 252, 0 Jul 6 08:23 dm-0
thanks for your patience

[thiagoftsm]

Hi @tech-mint ,

Now it is completely clear the motive Netdata cannot give to you information, as you can see in this output, the dm-0 volume only allows the user root and users inside root group to read and write on the device. The last three characters are saying us that other users cannot do nothing in the device.

Best regards!

[tech-mint]

is it safe to add the netdata user to root group?

[thiagoftsm]

This is a very good question. In normal situation we avoid to add any user to the root group, because it would have great permissions, this won't affect only the LVM monitoring, but it can affect a lot of different places of the operate system. I did not work with this specific feature of netdata yet, but I can imagine that netdata only needs to read something from dm-0, no less important, according to Costa at #3696 the netdata only needs to read the volume . You know better than anybody your structure, so you can determine what I will say, case it is possible to give only the read permission on dm-0, it could fix the problems, but it is necessary to measure the impact of this in your security policy rules.

[cakrit]

Adding the netdata user to the root group is not a solution. Certain plugins run as root precisely to avoid doing that. @vlvkobal please check and see what's the problem with LVM.

[vlvkobal]

There are no special problems with LVM. Netdata uses statvfs(), which can't get filesystem statistics if there is no search access to the mount point. So, the workaround is to grant Netdata the search permission on the mount point.

We can rewrite the diskspace plugin and make it external with setuid set, as @cakrit mentioned in the previous comment. This task, I think, has a very low priority though. Or it is even an undesirable change. It's like to break a butterfly on a wheel. @Ferroin what do you think?

[Ferroin]

I don't think it's worth splitting out. Having an execute bit set on a directory is not actually that much of a security risk by itself, and it's not hard to restrict it to just the Netdata user using ACL's.