I installed grafana-enterprise-8.3.3 on CentOS 7, then edited /etc/grafana/grafana.ini to point the log directory to /home/log/grafana and the Grafana data directory to /home/grafana. When I started Grafana (systemctl start grafana-server) it failed to start, with the following error:
Failed to start grafana. error: failed to create log directory "/home/log/grafana": mkdir /home/log: permission denied
Judging from the error returned by systemctl status grafana-server, this looked like a file-permission problem, so I ran
chown -R grafana:grafana /home/grafana
chown -R grafana:grafana /home/log/grafana
and restarted Grafana, but it failed with the same error. Running grafana-server -config=/etc/grafana/grafana.ini -homepath=/usr/share/grafan by hand worked without any problem, so it still looked like a permissions issue. I then took a closer look at /usr/lib/systemd/system/grafana-server.service and found that grafana-server.service contains this configuration:
User=grafana
Group=grafana
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=full
The key setting is ProtectHome=true: with it, systemd does not allow the service to write to the /home directory while it runs. Comment out ProtectHome=true and restart grafana-server.service, and Grafana starts normally.
Grafana's explanation of this on GitHub is that the configuration follows the recommendations of systemd-analyze security; starting with Grafana v8.2.1, grafana-server.service ships with these hardening restrictions.
The following is from: https://github.com/grafana/grafana/pull/38109
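The write-up above edits the packaged unit file directly; the added shell script below (not part of the original post or of Grafana's own packaging) shows the same fix done as a systemd drop-in, which survives package upgrades, together with a small pre-check that tells you whether a configured directory will be hidden by ProtectHome. Per systemd.exec(5), ProtectHome=true makes /home, /root and /run/user inaccessible and empty inside the service's mount namespace, which is why chown alone cannot help. The unit excerpt is a constructed sample carrying the same keys the post quotes; install_dropin is a hypothetical helper meant to be run only on the real host.

```shell
#!/bin/sh
# Constructed excerpt with the keys quoted in the post; not the real vendor file.
UNIT_SAMPLE='[Service]
User=grafana
Group=grafana
ProtectHome=true
ProtectSystem=full'

# Print "blocked" if ProtectHome in the unit text ($1) hides the directory ($2),
# otherwise "allowed". Covers the three trees systemd.exec(5) lists for ProtectHome.
protecthome_blocks() {
    value=$(printf '%s\n' "$1" | sed -n 's/^ProtectHome=//p' | tail -n 1)
    case "$value" in
        true|yes|on|1|read-only|tmpfs) ;;          # any protecting value
        *) echo "allowed"; return 0 ;;              # unset or false
    esac
    case "$2" in
        /home|/home/*|/root|/root/*|/run/user|/run/user/*) echo "blocked" ;;
        *) echo "allowed" ;;
    esac
    return 0
}

# Drop-in body that overrides the vendor unit's ProtectHome without editing it.
dropin_contents() {
    printf '[Service]\nProtectHome=false\n'
}

# Hypothetical helper: install the drop-in, reload, restart, then verify the
# effective value that systemd actually applied. Run this only on the real host.
install_dropin() {
    d=/etc/systemd/system/grafana-server.service.d
    mkdir -p "$d"
    dropin_contents > "$d/override.conf"
    systemctl daemon-reload
    systemctl restart grafana-server
    systemctl show grafana-server -p ProtectHome    # expect: ProtectHome=no
}

# Pre-check the two directories from the post against the sample unit.
protecthome_blocks "$UNIT_SAMPLE" /home/log/grafana   # blocked
protecthome_blocks "$UNIT_SAMPLE" /var/lib/grafana    # allowed
```

The pre-check also shows the alternative that keeps the hardening intact: paths under /var are not touched by ProtectHome, and ProtectSystem=full only makes /usr, /etc and /boot read-only, so leaving the data and log directories under /var instead of /home needs no override at all. After any change, `systemctl show grafana-server -p ProtectHome` reports the value systemd is really using, and `systemd-analyze security grafana-server` shows how the exposure score moved.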
Yes, these are recommendations from the systemd-analyze security tool. Some notes:
Only Debian systemd unit was setting UMask (9e21a08), I also apply this to rpm.
I enable ProtectHome because I believe Grafana should never look in /home/.
I set ProtectSystem to full, which makes /usr/, /etc/ and /boot/ read-only. Setting it to strict might introduce regressions in Grafana as I believe there is a need to write in /var/ and it is not trivial to list all authorized folders.
I enable ProtectKernel* because I don't want Grafana to collect information about the kernel.
NoNewPrivileges, LockPersonality and RestrictSUIDSGID (and maybe others) might introduce regressions if Grafana needs to call a setuid/setgid executable. For example if Grafana needs to call sendmail then it will fail with these options enabled.
RestrictAddressFamilies is restricted to IPv4/IPv6 and Unix sockets as Grafana is a web server that might also talk to local sockets.
PrivateUsers is going to create a new user namespace, which might introduce regressions. Maybe we can keep it disabled at first. For example it is impossible to make Grafana server listen on port 80 with this option as the CAP_NET_BIND_SERVICE capability will not work.
These parameters help to reduce the attack surface of an attacker that would have managed to get a RCE exploit in Grafana.