Public bug reported:

The postinst for the prometheus-libvirt-exporter package adds the
prometheus user to the libvirt group, so that the libvirt-exporter
(which runs as the prometheus user) can access the libvirt API to expose
metrics.

This means any process running as the prometheus user may actually
access this API, which could be a security issue as it seems there is a
trend to run exporters as the prometheus user.

Systemd allows for an easy fix here by running the exporter with a
dynamic user id, by setting DynamicUser=true, and then giving it access
to the libvirt API through membership of the libvirt group using the
SupplementaryGroups= directive.

With that in place, the postinst will no longer need to add the prometheus user
to the libvirt group.

This fix is confirmed to work on our setup.

This is on:
ubuntu/noble
prometheus-libvirt-exporter=0.2.0-1ubuntu0.24.04.2

** Affects: prometheus-libvirt-exporter (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2100758
Title:
  unnecessary group membership for prometheus user through prometheus-libvirt-exporter
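
The check below is an added example, not part of the bug report or the package: it reads a group(5) file and a unit file and reports whether libvirt access comes from a shared static account or from DynamicUser= with SupplementaryGroups=. The file names, the gid and the User=prometheus line in the "before" unit are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the package). All sample data is constructed.

# Print the supplementary members of group $2 from group(5)-format file $1, one per line.
group_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# Print the last value assigned to directive $2 in unit file $1 (empty if unset).
unit_value() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# Report how unit file $1 gets membership of group $3, given group file $2:
#   dynamic        DynamicUser= on, no User=, group granted via SupplementaryGroups=
#   shared:<user>  static User= that is listed as a member in the group file
#   none           neither of the above
# A unit that sets User= is treated as static: systemd reuses an existing
# account of that name even when DynamicUser= is enabled.
classify() {
    dyn=$(unit_value "$1" DynamicUser)
    sup=$(unit_value "$1" SupplementaryGroups)
    user=$(unit_value "$1" User)
    if [ -z "$user" ]; then
        case "$dyn" in true|yes|on|1)
            case " $sup " in *" $3 "*) echo dynamic; return 0 ;; esac ;;
        esac
    elif group_members "$2" "$3" | grep -Fqx "$user"; then
        echo "shared:$user"; return 0
    fi
    echo none
}

# Write constructed "before" and "after" samples into directory $1.
make_samples() {
    printf 'libvirt:x:120:prometheus\n' > "$1/group.before"
    printf 'libvirt:x:120:\n' > "$1/group.after"
    printf '[Service]\nUser=prometheus\n' > "$1/before.service"
    printf '[Service]\nDynamicUser=true\nSupplementaryGroups=libvirt\n' > "$1/after.service"
}

tmp=$(mktemp -d)
make_samples "$tmp"
echo "before: $(classify "$tmp/before.service" "$tmp/group.before" libvirt)"
echo "after:  $(classify "$tmp/after.service" "$tmp/group.after" libvirt)"
rm -rf "$tmp"
```

Only membership listed in the group file is checked; an account whose primary gid is the libvirt group would need a passwd lookup as well.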