On Tuesday, December 13, 2016 at 9:42:27 AM UTC-8, [email protected] wrote: > Hi, > > There are lots of cases where Telegraf can't read some system quantity or > other because it usually runs as an ordinary user (called telegraf). On some > systems /proc files may be inaccessible, and I'm sure pretty much everyone > has some files that are root-only that you might want to use the filestat > plugin on. > > There are some cases where a file is owned by (say) mysql, which likes to set > file permissions to 0600. In this case, no amount of group ownerships or > anything else is going to give the telegraf user access to the file, so the > only option is to run Telegraf as root (which lots of people are rightly > nervous about doing). > > So my question is... is it safe to run Telegraf as root (in production)? > > Assuming 'no' is the answer, is that because of specific plugins, or the > whole of Telegraf, or is it because it might actually be safe to run as root, > but hasn't been tested/verified as such? > > Looking forward to any clarification we can get on this. > > Cheers, > > ...Ralph
Generally speaking, any process you run as root, is at your own risk. In the case of telegraf, I could imagine the exec plugin being abused to run arbitrary scripts as root, for instance. Ideally you would run telegraf, or any process, with the minimal set of permissions required. If there are specific files that telegraf doesn't have adequate permissions to access, you should work with your systems administrator to figure out how to access that file without elevating the telegraf process to root permissions. The right way to do this is going to vary by operating system and probably also by distribution. -- Remember to include the version number! --- You received this message because you are subscribed to the Google Groups "InfluxData" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/influxdb. To view this discussion on the web visit https://groups.google.com/d/msgid/influxdb/9393d538-e13c-4b5d-9160-1fade8d44e3f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
