1 问题描述

在 centos7 上安装了 grafana-enterprise-8.3.3，然后修改了 /etc/grafana/grafana.ini 里面关于 log -> /home/log/grafana 和 grafana data -> /home/grafana, 然后启动 grafana (systemctl start grafana-server)，结果 grafana 启动失败，提示错误信息如下：

Failed to start grafana. error: failed to create log directory "/home/log/grafana": mkdir /home/log: permission denied

2 问题定位和解决

从 systemctl status grafana-server 返回的错误信息来看，应该是文件权限的问题导致的，就执行了一下

chown -R grafana:grafana /home/grafana
chown -R grafana:grafana /home/log/grafana

然后重启 grafana， 结果仍然提示上面的错误。手动执行 grafana-server -config=/etc/grafana/grafana.ini -homepath=/usr/share/grafan 则每问题，应该还是权限的问题。然后就仔细看了 /usr/lib/systemd/system/grafana-server.service ,发现 grafana-server.service 里面有这样的配置：

User=grafana
Group=grafana

ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=full

关键是这个 ProtectHome=true, 这个配置使得 systemd 在运行该 service 时，不允许对 /home 目录写入数据，将 ProtectHome=true 注释掉，然后重启 grafana-server.service 即可。

grafana github上对于该问题的解释，说是该配置遵循的是 systemd-analyse security 的建议，从 grafana v8.2.1 开始 grafana-server.service 做了相应的一些限制配置。

以下内容来自： https://github.com/grafana/grafana/pull/38109

Yes, these are recommendations from systemd-analyse security tool. Some notes:

Only Debian systemd unit was setting UMask (9e21a08), I also apply this to rpm.
I enable ProtectHome because I believe Grafana should never look in /home/.
I set ProtectSystem to full which make /usr/, /etc/ and /boot/ read-only. Setting it to strict might introduce regressions in Grafana as I believe there is a need to write in /var/ and it is not trivial to list all authorized folders.
I enable ProtectKernel* because I don't want Grafana to collect information about the kernel.
NoNewPrivileges, LockPersonality and RestrictSUIDSGID (and maybe others) might introduce regressions if Grafana needs to call a setuid/setgid executable. For example if Grafana needs to call sendmail then it will fail with these options enabled.
RestrictAddressFamilies is restricted to IPv4/IPv6 and Unix sockets as Grafana is a web server that might also talk to local sockets.
PrivateUsers is going to create a new user namespace, which might introduce regressions. Maybe we can keep it disabled in a first time. For example it is impossible to make Grafana server listen on port 80 with this option as the CAP_NET_BIND_SERVICE capability will not work.
These parameters help to reduce the attack surface of an attacker that would have managed to get a RCE exploit in Grafana.

3 参考

• https://grafana.com/grafana/download?pg=get&plcmt=selfmanaged-box1-cta1
• https://github.com/grafana/grafana/pull/38109