From 8cd30b64e9e5646eeacecb9e201bcf6651e3f056 Mon Sep 17 00:00:00 2001 From: Amolith Date: Wed, 6 May 2026 12:24:01 -0600 Subject: [PATCH] munin: Mention ProtectHome --- skills/monitoring-with-munin/SKILL.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/skills/monitoring-with-munin/SKILL.md b/skills/monitoring-with-munin/SKILL.md index d167f5a4fabd6d49f06fb0c2bd6b0508151fef34..595e7efd9ebbada5ee7202727d82ab3ef0ef622a 100644 --- a/skills/monitoring-with-munin/SKILL.md +++ b/skills/monitoring-with-munin/SKILL.md @@ -170,10 +170,26 @@ munin-run config # test config output munin-run # test value output ``` -Note: on systems where munin-node runs with `ProtectHome=yes` (systemd), plugins running as non-root users cannot access `/home/`. Either run as `user root` or place data outside `/home/`. +Note: Debian's munin-node ships with `ProtectHome=yes` in systemd, which hides `/home/` from the entire process namespace regardless of user; `user root` in plugin-conf.d doesn't help. See [ProtectHome](#protecthome-and-home-access) for workarounds. After installing or removing plugins: `systemctl restart munin-node` +## ProtectHome and /home/ access + +`ProtectHome=yes` mounts `/home/`, `/root`, `/run/user` as empty tmpfs. No user can see through it. + +Fix with + +```bash +sudo mkdir -p /etc/systemd/system/munin-node.service.d +printf '[Service]\nProtectHome=read-only\n' | sudo tee /etc/systemd/system/munin-node.service.d/override.conf +sudo systemctl daemon-reload && sudo systemctl restart munin-node +``` + +Alternatives: `ProtectHome=tmpfs` + `BindReadOnlyPaths=` for selective exposure, or move data outside `/home/`. + +**Pitfall**: even with `ProtectHome=read-only`, a 750 home directory blocks the `munin` user from traversing the path. Use `user root` in plugin-conf.d for such cases. + ## Alerting Alerts are configured in `/etc/munin/munin.conf` on the master. A contact is a command that receives alert text on stdin.
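Review bot: In the new "ProtectHome and /home/ access" section, the default fix sets `ProtectHome=read-only` for the whole munin-node unit, which exposes all of `/home/`, `/root` and `/run/user` read-only to every plugin, and the Pitfall line then recommends `user root`, so a root-run plugin can read every home directory. Consider making the option currently listed under "Alternatives" the primary recommendation (`ProtectHome=tmpfs` plus `BindReadOnlyPaths=` for only the directory the plugin needs, or moving the data outside `/home/`) and presenting `read-only` as the broader fallback. Two smaller points: the sentence "`ProtectHome=yes` mounts ... as empty tmpfs" describes the `tmpfs` mode, while systemd documents `yes` as making the directories inaccessible and empty, which reads oddly next to the later `ProtectHome=tmpfs` alternative; and the `printf ... | sudo tee .../override.conf` line overwrites any existing `override.conf`, so a separately named drop-in file or `systemctl edit munin-node` would be safer.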