[Bug 274194] sysutils/loki: New rc.d file for promtail

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 01 Oct 2023 08:16:31 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274194

            Bug ID: 274194
           Summary: sysutils/loki: New rc.d file for promtail
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: turkay.eren@gmail.com
                CC: freebsd@funzi.org
             Flags: maintainer-feedback?(freebsd@funzi.org)

Hello,

Thank you for packaging loki in bug #256030. I realized that the loki and
promtail binaries are installed with the package but only loki has an rc.d
script. For most cases, when you install loki as a centralized log server, you
only configure and run promtail to read/send logs from other nodes.

I would love to take the initiative on this issue, and this will be my first
contribution to the FreeBSD community. I can simply copy the .in file for
promtail and send a patch, but I wanted to make sure we discuss other
considerations such as the default configuration file and the user to run as.


Default Files Provided by Grafana
=================================
On the official release page, the Grafana team provides pre-built binaries and
configuration files. For Debian/Ubuntu systems [0], the default configuration
file looks like this:


```
server:
  http_listen_port: 9080
  grpc_listen_port: 0

positions:
  filename: /tmp/positions.yaml

clients:
  - url: http://localhost:3100/loki/api/v1/push

scrape_configs:
- job_name: system
  static_configs:
  - targets:
      - localhost
    labels:
      job: varlogs
      __path__: /var/log/*log
```

I believe this is an OK configuration file. When you run promtail, it will
start reading logs out of the box and you will be able to extend it. However,
the problem is that their systemd file runs with user `promtail`. As you can
guess, this user will not be able to read /var/log/. Whenever I installed
promtail, I always changed the systemd service to run as root because I need
logs in /var/log/ along with application-specific logs.

The application does not crash. You simply see a number of error messages in
promtail logs. But generating error messages after the installation is not a
good default behavior.

Also, `positions.yml` is too important to put into /tmp/. After a system
reboot, promtail will not be able to know which line it read last. So, putting
it into /usr/local/etc/promtail/ makes more sense.


[0]
https://github.com/grafana/loki/releases/download/v2.9.1/promtail_2.9.1_amd64.deb


Which User To Run On
====================
I do not see a problem with providing a default configuration like the one above
(with fixes) and running the log aggregator as root because you mostly want to
run as root. Usually, there are different users for different applications, each
writing to a different directory, and you need to read all application logs,
label them, and send them.

However, if that causes a security concern within FreeBSD, we can simply
comment out the example configuration file and put a note in there.
Alternatively, we can write a message after package install, reminding that
`promtail_user` and `promtail_group` are present.

The configuration file above is only an example, provided by the official
Grafana team. We are not bound to use it as-is; we can also think of adding
additional defaults based on user needs.

Thank you for your time reading the report.

Best,
Eren
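
The two problems the report raises (a positions file under /tmp, and `__path__` globs the service user cannot read) can be checked before choosing a run-as user. The following is an added example, not part of the original report or of the port: `extract`, `can_read` and `audit` are hypothetical helper names, the config is the one quoted above, and the fallback user `nobody` is an assumption.

```python
import glob, os, re, stat

CONFIG = """
positions:
  filename: /tmp/positions.yaml
scrape_configs:
- job_name: system
  static_configs:
  - targets:
      - localhost
    labels:
      job: varlogs
      __path__: /var/log/*log
"""  # relevant part of the Debian/Ubuntu default quoted in the report

def extract(config_text):
    """Return (positions filename, [__path__ globs]); line-based, not a full YAML parser."""
    positions, paths, section = None, [], None
    for line in config_text.splitlines():
        top = re.match(r"^(\w+):", line)
        if top:
            section = top.group(1)
        m = re.match(r"^\s+filename:\s*(\S+)", line)
        if m and section == "positions":
            positions = m.group(1)
        m = re.match(r"^\s+__path__:\s*(\S+)", line)
        if m:
            paths.append(m.group(1))
    return positions, paths

def can_read(st, uid, gids):
    """Classic owner/group/other mode-bit check; ignores ACLs, MAC and parent directories."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def audit(config_text, uid, gids):
    """List (kind, path) findings for the given run-as uid and group ids."""
    positions, paths = extract(config_text)
    findings = [("positions-volatile", positions)] if positions and positions.startswith("/tmp/") else []
    for pattern in paths:
        findings += [("unreadable", f) for f in sorted(glob.glob(pattern))
                     if not can_read(os.stat(f), uid, gids)]
    return findings

if __name__ == "__main__":
    import pwd, sys
    user = pwd.getpwnam(sys.argv[1] if len(sys.argv) > 1 else "nobody")
    gids = set(os.getgrouplist(user.pw_name, user.pw_gid))
    for kind, path in audit(CONFIG, user.pw_uid, gids):
        print(kind, path)
```

Each `unreadable` line is a file that could be fixed with a group membership or a mode change rather than by running the whole service as root.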
