
Thursday, March 19, 2020

vnstat file permissions

Today I had to install vnstat on a CentOS VM, which gave me a little headache. The CentOS release is the following:

# cat /etc/centos-release
CentOS Linux release 7.6.1810 (Core)


After installing vnstat via yum and playing with it a little, I found that vnstat would not do what I wanted: monitor and log the network statistics for my network interface eno16777984. With this article I want to share what I experienced with vnstat on CentOS.

The first thing I did was stop the vnstat daemon:

# systemctl stop vnstat

Then I deleted all files that vnstat had created and let vnstat create a new database for my network interface (the error shown can be ignored):

# vnstat -u -i eno16777984
Error: Unable to read database "/var/lib/vnstat/eno16777984": No such file or directory
Info: -> A new database has been created.


The next thing I checked was the file permissions for the database:

# ls -lah /var/lib/vnstat/
...
-rw-r--r--   1 root   root   2.8K Mar 18 15:50 eno16777984
...


And that was already the main problem: vnstat, when executed as root, creates the database owned by root. The vnstat daemon started by systemd, however, runs as a dedicated user, vnstat, which is not allowed to update the previously created, root-owned database. To solve this issue, I looked up the UID and GID of the vnstat user:

# getent passwd vnstat
vnstat:x:994:991:vnStat user:/var/lib/vnstat:/sbin/nologin


And changed the ownership of the directory that stores the vnstat databases:

# chown -R 994:991 /var/lib/vnstat/

To make my life a little easier and since I had to monitor only one interface, I added the interface to the configuration file:

# vi /etc/vnstat.conf
...
Interface "eno16777984"
...


Then I updated the unit file for vnstat and added the --config parameter:

# vi /etc/systemd/system/multi-user.target.wants/vnstat.service
...
ExecStart=/usr/sbin/vnstatd -n --config /etc/vnstat.conf
...


Interestingly, the unit file also showed that vnstat is started in the foreground, not in the background as I had suspected. For the new parameter to take effect, reload systemd:

# systemctl daemon-reload

Finally, start vnstat again:

# systemctl start vnstat

After adjusting the file permissions and restarting the vnstat daemon, vnstat is finally able to update the database:

# ls -lah /var/lib/vnstat/
...
-rw-r--r--   1 vnstat vnstat 2.8K Mar 19 13:10 eno16777984
...
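
The ownership check from this post can be scripted so that a root-owned database is caught before the daemon silently stops updating it. The following is an added example, not part of the original post or of vnstat; the function names are hypothetical, and only the path, user and passwd line come from the post.

```sh
#!/bin/sh
# Added example: audit a daemon's state directory for files that the
# service account does not own (the root-owned database problem above).

# Read one passwd(5) line on stdin and print "UID:GID" (fields 3 and 4).
ids_from_passwd_line() {
    cut -d: -f3,4
}

# Print every path under DIR whose owner is not OWNER or whose group is
# not GROUP. Names or numeric IDs are accepted, as with find(1).
list_foreign_files() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# Return 0 if everything under DIR belongs to OWNER:GROUP, 1 if something
# does not, 2 if DIR is missing. Offending paths are written to stderr.
audit_state_dir() {
    if [ ! -d "$1" ]; then
        echo "missing directory: $1" >&2
        return 2
    fi
    foreign=$(list_foreign_files "$1" "$2" "$3")
    if [ -n "$foreign" ]; then
        printf 'not owned by %s:%s:\n%s\n' "$2" "$3" "$foreign" >&2
        return 1
    fi
    return 0
}

# On the host from this post:
#   ids=$(getent passwd vnstat | ids_from_passwd_line)      # 994:991
#   audit_state_dir /var/lib/vnstat "${ids%%:*}" "${ids##*:}"
if [ "$#" -eq 3 ]; then
    audit_state_dir "$@"
fi
```

Creating the database as the service user in the first place, for example with `sudo -u vnstat vnstat -u -i eno16777984` (assuming sudo is installed and the directory is writable by that user), avoids the later chown.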
