fix(smart v0.1.17): smart_status optionnel + AmbientCapabilities CAP_SYS_ADMIN
- SmartJson.smart_status devient Option<SmartStatus> avec #[serde(default)] → parsing non-bloquant si le champ est absent (ex: NVME_IOCTL_ADMIN_CMD échoue) - Service: suppression NoNewPrivileges, ajout AmbientCapabilities=CAP_SYS_ADMIN → smartctl hérite la capability via execve (kernel ≥ 5.2) - Nettoyage logs debug (suppression dump JSON brut) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Gilles Soulier
Generated
+1
-1
@@ -248,7 +248,7 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "nanometrics-agent"
|
||||
version = "0.1.16"
|
||||
version = "0.1.17"
|
||||
dependencies = [
|
||||
"libc",
|
||||
"rumqttc",
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "nanometrics-agent"
|
||||
version = "0.1.16"
|
||||
version = "0.1.17"
|
||||
edition = "2021"
|
||||
|
||||
[lib]
|
||||
|
||||
@@ -2,7 +2,8 @@ use serde::Deserialize;
|
||||
|
||||
#[derive(Deserialize)]
|
||||
struct SmartJson {
|
||||
smart_status: SmartStatus,
|
||||
#[serde(default)]
|
||||
smart_status: Option<SmartStatus>,
|
||||
temperature: Option<SmartTemp>,
|
||||
ata_smart_attributes: Option<SmartAttrs>,
|
||||
nvme_smart_health_information_log: Option<NvmeHealth>,
|
||||
@@ -78,7 +79,7 @@ pub fn parse_json(json: &str) -> Result<crate::payload::SmartMetrics, serde_json
|
||||
|
||||
Ok(crate::payload::SmartMetrics {
|
||||
device: String::new(),
|
||||
passed: s.smart_status.passed,
|
||||
passed: s.smart_status.as_ref().map(|s| s.passed).unwrap_or(false),
|
||||
temperature,
|
||||
reallocated_sectors: reallocated,
|
||||
power_on_hours: power_hours,
|
||||
@@ -125,12 +126,9 @@ pub fn collect() -> Option<Vec<crate::payload::SmartMetrics>> {
|
||||
Ok(o) => o,
|
||||
Err(e) => { eprintln!("[smart] erreur exec smartctl {}: {}", dev, e); continue }
|
||||
};
|
||||
eprintln!("[smart] smartctl {} → exit={}, stdout={} octets, stderr={} octets",
|
||||
dev, output.status, output.stdout.len(), output.stderr.len());
|
||||
let json = String::from_utf8_lossy(&output.stdout);
|
||||
match parse_json(&json) {
|
||||
Ok(metrics) => {
|
||||
eprintln!("[smart] {} parsé OK (passed={})", dev, metrics.passed);
|
||||
results.push(crate::payload::SmartMetrics {
|
||||
device: dev.trim_start_matches("/dev/").to_string(),
|
||||
..metrics
|
||||
@@ -138,9 +136,6 @@ pub fn collect() -> Option<Vec<crate::payload::SmartMetrics>> {
|
||||
}
|
||||
Err(e) => {
|
||||
eprintln!("[smart] {} parse JSON échoué: {}", dev, e);
|
||||
eprintln!("[smart] --- JSON BRUT BEGIN ({} octets) ---", json.len());
|
||||
eprintln!("{}", &*json);
|
||||
eprintln!("[smart] --- JSON BRUT END ---");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -17,7 +17,12 @@ ConfigurationDirectoryMode=0755
|
||||
ProtectSystem=strict
|
||||
ProtectHome=read-only
|
||||
PrivateTmp=yes
|
||||
NoNewPrivileges=yes
|
||||
# CAP_SYS_ADMIN est requis par le noyau pour NVME_IOCTL_ADMIN_CMD (lecture SMART NVMe).
|
||||
# NoNewPrivileges est retiré car il efface les ambient capabilities sur exec (noyau ≥ 5.2),
|
||||
# ce qui empêcherait smartctl enfant d'hériter la capability.
|
||||
# CapabilityBoundingSet borne à la seule cap nécessaire.
|
||||
CapabilityBoundingSet=CAP_SYS_ADMIN
|
||||
AmbientCapabilities=CAP_SYS_ADMIN
|
||||
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||
|
||||
|
||||
Reference in New Issue
Block a user