Telegraf unauthorized access

naosone · January 25, 2024, 12:44am

Hi, I tried telegraf on VyOS 1.5-rolling-202401090834.
However, telegraf was not authenticated with influxdb.

I set up a influxdb’s access token “set service monitoring telegraf influxdb authentication token xxx”, but it is not reflected in “/var/telegraf/telegraf.conf”.

When I edit telegraf.conf directly and set the access token, I can post telemetry to a influxdb via “telegraf --config /run/telegraf/telegraf.conf --pid /run/telegraf/telegraf.pid”

How to do I fix it.

Viacheslav · January 25, 2024, 5:48am

Check systemd unit as token is used as env

github.com

vyos/vyos-1x/blob/d736a9b70ca897bdf1e0237b64ab5c7eb958b520/data/templates/telegraf/override.conf.j2#L12


      
          [Unit]
          After=
          After=vyos-router.service
          ConditionPathExists=/run/telegraf/telegraf.conf
          
          [Service]
          ExecStart=
          ExecStart={{ vrf_command }}/usr/bin/telegraf --config /run/telegraf/telegraf.conf --config-directory /etc/telegraf/telegraf.d --pidfile /run/telegraf/telegraf.pid
          PIDFile=/run/telegraf/telegraf.pid
          EnvironmentFile=
          Environment=INFLUX_TOKEN={{ influxdb.authentication.token }}
          CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN CAP_BPF CAP_DAC_OVERRIDE
          AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
          Restart=always
          RestartSec=10

That’s why you see only variable in the config due to security reason.
I e token = “$INFLUX_TOKEN”

Provide the full set of the commands to reproduce if it is still does not work and open a bug report

Most likely you are doing something wrong

naosone · January 26, 2024, 1:24am

Thank you for your reply.

my configure as follows:
set service monitoring telegraf influxdb authentication organization ‘xxxx’
set service monitoring telegraf influxdb authentication token ‘xxxxxxxxx’
set service monitoring telegraf influxdb bucket ‘xxxx’
set service monitoring telegraf influxdb port ‘8086’
set service monitoring telegraf influxdb url ‘https://192.168.xxx.xxxx’

–
grep TOKEN /var/run/telegraf/telegraf.conf
token = “$INFLUX_TOKEN”

but, $INFLUX_TOKEN not appear in /lib/systemd/system/telegraf.service

/lib/systemd/system/telegraf.service
[Unit]
Description=The plugin-driven server agent for reporting metrics into InfluxDB
Documentation=GitHub - influxdata/telegraf: The plugin-driven server agent for collecting & reporting metrics.
After=network.target

[Service]
EnvironmentFile=-/etc/default/telegraf
ExecStart=/usr/bin/telegraf --config /run/telegraf/vyos-telegraf.conf --config-directory /etc/telegraf/telegraf.d
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartForceExitStatus=SIGPIPE
KillMode=control-group

[Install]
WantedBy=multi-user.target

/etc/default/telegraf is empty.

so, I think $INFLUX_TOKEN is not define.

Viacheslav · January 26, 2024, 1:40am

/etc/default/telegraf is a wrong dir
/lib/systemd/system/telegraf.service the token is not placed here

You can find your token in cat /run/systemd/system/telegraf.service.d/10-override.conf

I don’t see any issue here
Check the logs

naosone · January 26, 2024, 2:20am

I find my token in /run/systemd/system/telegraf.service.d/10-override.conf.
Telegraf is working now!
Thank you.

system · February 25, 2024, 2:20am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Telegraf unauthorized access

[Install] WantedBy=multi-user.target

[Install]
WantedBy=multi-user.target