prometheus process is running with root user unnecessarily

Bug #1909947 reported by Nobuto Murata
This bug affects 1 person
Affects: prometheus-snap
Status: Fix Committed
Importance: Wishlist
Assigned to: James Simpson

Bug Description

At this moment, the snap installs a systemd unit file without specifying a user to run prometheus, so root is used. It listens on port 9090, so it could be run as a non-root user.

$ snap list prometheus
Name Version Rev Tracking Publisher Notes
prometheus 2.20.1 32 2/stable canonical-is-snaps -

$ ps aux | grep '/snap/prometheu[s]'
root 787517 0.0 0.0 4632 856 ? Ss 01:40 0:00 /bin/sh /snap/prometheus/32/bin/prometheus.wrapper
root 787554 2.2 18.9 939060 189472 ? SLl 01:40 0:01 /snap/prometheus/32/bin/prometheus --config.file=/var/snap/prometheus/32/prometheus.yml --storage.tsdb.path=/var/snap/prometheus/common

$ systemctl cat snap.prometheus.prometheus.service
# /etc/systemd/system/snap.prometheus.prometheus.service
[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application prometheus.prometheus
Requires=snap-prometheus-32.mount
Wants=network.target
After=snap-prometheus-32.mount network.target snapd.apparmor.service
X-Snappy=yes

[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run prometheus
SyslogIdentifier=prometheus.prometheus
Restart=on-failure
WorkingDirectory=/var/snap/prometheus/32
TimeoutStopSec=900
Type=simple

[Install]
WantedBy=multi-user.target
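
A check for the condition reported above, as an added example that is not part of the original report or of the snap. The hypothetical `unit_run_user` function reads unit text and prints the account the service is started as; it is run on the report's own [Service] section and on a constructed variant with an assumed `prometheus` account.

```sh
#!/bin/sh
# Added example: report which account a systemd service starts as.

# Reads unit text on stdin. Prints the last non-root User= value from the
# [Service] section, "dynamic" for DynamicUser=yes, otherwise "root"
# (systemd's default for system services when no user is specified).
unit_run_user() {
    awk '
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        /^[ \t]*\[/   { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        !in_service   { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "User") user = val         # a later assignment wins
            if (key == "DynamicUser") dynamic = val
        }
        END {
            if (user != "" && user != "root" && user != "0") print user
            else if (dynamic ~ /^(yes|true|on|1)$/) print "dynamic"
            else print "root"
        }'
}

# [Service] section as shown in the bug report.
reported_unit() {
    cat <<'EOF'
[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run prometheus
SyslogIdentifier=prometheus.prometheus
Restart=on-failure
WorkingDirectory=/var/snap/prometheus/32
TimeoutStopSec=900
Type=simple
EOF
}

# Constructed variant: same unit with a hypothetical "prometheus" account.
constructed_unit() {
    reported_unit
    printf 'User=prometheus\n'
}

printf 'reported:    %s\n' "$(reported_unit | unit_run_user)"
printf 'constructed: %s\n' "$(constructed_unit | unit_run_user)"
```

On a live host the input would be the output of `systemctl cat snap.prometheus.prometheus.service`. A service started as root can still drop privileges itself, so the `ps aux` check from the report is what confirms the user the process actually runs as.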

James Simpson (jsimpso)
Changed in prometheus-snap:
status: New → Confirmed
importance: Undecided → Wishlist
assignee: nobody → James Simpson (jsimpso)
James Simpson (jsimpso) wrote :

The snap version published to "2/candidate" now includes a rootless daemon.

Changed in prometheus-snap:
status: Confirmed → Fix Committed