Telegraf - the ability to execute process within vrf

For the VyOS project (latest release is based on Debian 11) I am trying to execute the telegraf process within a specific VRF. This is done via systemd using the service specification below:

[Unit]
Description=The plugin-driven server agent for reporting metrics into InfluxDB
Documentation=GitHub - influxdata/telegraf: The plugin-driven server agent for collecting & reporting metrics.
After=network.target
[Service]
EnvironmentFile=-/etc/default/telegraf
User=telegraf
ExecStart=ip vrf exec oam /usr/bin/telegraf -config /run/telegraf/vyos-telegraf.conf -config-directory /etc/telegraf/telegraf.d $TELEGRAF_OPTS
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartForceExitStatus=SIGPIPE
KillMode=control-group
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_CHOWN CAP_LEASE
[Install]
WantedBy=multi-user.target

I see some permissions are missing because the service exits with an error:

Aug 19 14:13:50 ip[4307]: mkdir failed for /sys/fs/cgroup/system.slice/vyos-telegraf.service/vrf: Permission denied
Aug 19 14:13:50 ip[4307]: Failed to setup vrf cgroup2 directory

I tried to analyze the systemd service with
systemd-analyze --no-pager security vyos-telegraf.service
and could not find any inconsistencies. What can be wrong with that?
systemd-analyze.txt (9.6 KB)

Hi,

As you have diverged greatly from the default systemd service file, you will probably get a better answer by asking the VyOS community what is causing the permission error.

mkdir failed for /sys/fs/cgroup/system.slice/vyos-telegraf.service/vrf: Permission denied

Given the error message I would go look and see what permissions are on those files and see why mkdir failed.

Thank you for the suggestions. I just hoped that someone here has had similar experience running telegraf within a VRF or a network namespace, which is quite the same.
As VyOS is based on Debian 11, this is probably my next step: to seek out the Debian community and especially systemd resources.
The permissions in the directory do not allow mkdir for non-root users (755 root:root). But I think the key factors here are the parameters within CapabilityBoundingSet of the service definition. I may be wrong, so I am still checking.
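An added offline check (example code, not part of any post above and not VyOS or Telegraf project code) that audits the unit posted in the thread for the settings that together explain the `mkdir ... /vrf: Permission denied` line: `ip vrf exec` must create a `vrf` directory under the unit's own cgroup, the unit runs as `User=telegraf`, `CapabilityBoundingSet=` only restricts capabilities and grants none to a non-root user unless `AmbientCapabilities=` is also set, and without `Delegate=` systemd leaves the unit's cgroup directory owned by root (the 755 root:root the last post observed). The unit text is a constructed copy of the one above written to a temporary file; the finding names are invented for this script.

```shell
#!/bin/sh
# Added example: audit a systemd unit for the conditions behind
# "mkdir failed for /sys/fs/cgroup/.../<unit>/vrf: Permission denied".
# Input is a constructed copy of the thread's unit; nothing touches the live system.

UNIT_FILE="$(mktemp)"
trap 'rm -f "$UNIT_FILE"' EXIT
cat > "$UNIT_FILE" <<'EOF'
[Unit]
Description=The plugin-driven server agent for reporting metrics into InfluxDB
After=network.target
[Service]
EnvironmentFile=-/etc/default/telegraf
User=telegraf
ExecStart=ip vrf exec oam /usr/bin/telegraf -config /run/telegraf/vyos-telegraf.conf -config-directory /etc/telegraf/telegraf.d $TELEGRAF_OPTS
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartForceExitStatus=SIGPIPE
KillMode=control-group
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_CHOWN CAP_LEASE
[Install]
WantedBy=multi-user.target
EOF

# unit_value FILE KEY: print the value of the last "KEY=" line, or nothing if unset.
unit_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# audit_unit FILE: print one finding per line, in a fixed order.
# Finding names (vrf-wrapper, unprivileged-user:*, no-ambient-capabilities,
# cgroup-not-delegated) are invented for this example.
audit_unit() {
    f="$1"
    exec_start="$(unit_value "$f" ExecStart)"
    user="$(unit_value "$f" User)"

    # `ip vrf exec` creates <unit cgroup>/vrf and attaches a BPF program to it,
    # so the service's cgroup directory must be writable by the process.
    case "$exec_start" in
        *"ip vrf exec"*) echo "vrf-wrapper" ;;
        *) return 0 ;;   # no VRF wrapper: the cgroup findings below do not apply
    esac

    # A User= other than root is what turns the root:root 0755 cgroup dir into an error.
    [ -z "$user" ] || [ "$user" = "root" ] || echo "unprivileged-user:$user"

    # CapabilityBoundingSet= only removes capabilities from the bounding set; a
    # non-root User= still starts with no effective capabilities unless
    # AmbientCapabilities= is set as well.
    if [ -n "$user" ] && [ "$user" != "root" ] \
       && [ -z "$(unit_value "$f" AmbientCapabilities)" ]; then
        echo "no-ambient-capabilities"
    fi

    # Without Delegate= systemd does not hand ownership of the unit's cgroup
    # subtree to User=, so the directory stays owned by root.
    case "$(unit_value "$f" Delegate)" in
        ""|no|false|off|0) echo "cgroup-not-delegated" ;;
    esac
}

audit_unit "$UNIT_FILE"
```

To run the same audit against the installed unit instead of the constructed copy, point `audit_unit` at the real file (assumed to live at `/etc/systemd/system/vyos-telegraf.service`, a path not given in the thread). The findings only say which settings combine to produce the error; which of `Delegate=`, `AmbientCapabilities=` or running as root is acceptable is a policy decision for the deployment, since each widens what the telegraf process may do.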