Run SMART disk monitor in LXD

Hi,

I was hoping to spin up a container to run SMART disk monitoring within (via smartmontools).

When I run lsblk, I can see the devices, but I am unable to use them in the smartctl tool.

root@smartmon:~# lsblk 
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
loop0    7:0    0  55.4M  1 loop 
loop1    7:1    0  55.4M  1 loop 
loop2    7:2    0  31.1M  1 loop 
loop3    7:3    0  69.9M  1 loop 
loop4    7:4    0  32.1M  1 loop 
loop5    7:5    0  67.6M  1 loop 
sda      8:0    0 931.5G  0 disk 
├─sda1   8:1    0   512M  0 part 
└─sda2   8:2    0   931G  0 part 
sdb      8:16   0 931.5G  0 disk 
└─sdb1   8:17   0 465.7G  0 part 
sdc      8:32   0 931.5G  0 disk 
├─sdc1   8:33   0 931.5G  0 part 
└─sdc9   8:41   0     8M  0 part 
sdd      8:48   0 931.5G  0 disk 
└─sdd1   8:49   0 372.5G  0 part 
sde      8:64   0 931.5G  0 disk 
└─sde1   8:65   0 931.5G  0 part 
sdf      8:80   0   3.7T  0 disk 
└─sdf1   8:81   0   3.7T  0 part 
sdg      8:96   0   2.7T  0 disk 
├─sdg1   8:97   0     1K  0 part 
├─sdg5   8:101  0     2T  0 part 
└─sdg6   8:102  0    48G  0 part 
sr0     11:0    1  1024M  0 rom  
zd16   230:16   0   9.3G  0 disk 
zd32   230:32   0   9.3G  0 disk 
root@smartmon:~# smartctl -i /dev/sda
smartctl 7.1 2019-12-30 r5022 [x86_64-linux-5.4.0-73-generic] (local build)
Copyright (C) 2002-19, Bruce Allen, Christian Franke, www.smartmontools.org

Smartctl open device: /dev/sda failed: No such device

I assume this is because I am running an un-privileged container.

Is there a good way to enable this, without just running the container in privileged mode?

Cheers,
Whytey

For SMART access I believe you’d need to both add unix-block device entries to your container for every device in /dev/ that you want to access and then possibly still make the container privileged on top of that as SMART likely relies on privileged IOCTLs to do the job.

Overall, if you can instead do this from the host, I think it’d be preferable.

As always, thanks for the reply! :+1:

I’d like to revive this idea, using a privileged container on Incus.

Reason for it is there are OCI container images out there with smart tooling, database and a webpage ready to go. I’d like to just ‘start’ one of those and build upon those efforts.

I had a go at running the scrutiny OCI image with this config

architecture: x86_64
config:
  environment.HOME: /root
  environment.INFLUXD_CONFIG_PATH: /opt/scrutiny/influxdb
  environment.INFLUXVER: 2.2.0
  environment.PATH: /opt/scrutiny/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  environment.S6_SERVICES_READYTIME: "1000"
  environment.S6VER: 3.1.6.2
  environment.TERM: xterm
  image.architecture: x86_64
  image.description: ghcr.io/analogj/scrutiny (OCI)
  image.type: oci
  security.nesting: "true"
  security.privileged: "true"
  volatile.base_image: 10071f5ca458d6a2c1ada80e93deaccd14ecabcc5421201d03c4b687ae5c21c4
  volatile.cloud-init.instance-id: e33aa5b4-aa3a-42a6-9529-03719a677073
  volatile.container.oci: "true"
  volatile.eth0.host_name: veth5f2ddb59
  volatile.eth0.hwaddr: 00:16:3e:db:14:80
  volatile.eth0.name: eth0
  volatile.idmap.base: "0"
  volatile.idmap.current: '[]'
  volatile.idmap.next: '[]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: de1d775a-1960-4812-8245-9d7e22ba2fb9
  volatile.uuid.generation: de1d775a-1960-4812-8245-9d7e22ba2fb9
devices:
  eth0:
    network: br112
    type: nic
  root:
    path: /
    pool: zfsp1
    type: disk
  sda:
    source: /dev/sda
    type: unix-block
  sdb:
    source: /dev/sdb
    type: unix-block
ephemeral: true
profiles:
- default
stateful: false
description: ""

But inside the container I can’t get smartctl to work with the sda* devices:

root@scrutiny:~# ls -lah /dev/sd*
brw-rw---- 1 root root 8,  0 Sep 21 05:32 /dev/sda
brw-rw---- 1 root root 8, 16 Sep 21 05:32 /dev/sdb

root@scrutiny:~# smartctl -i /dev/sda -d ata
smartctl 7.3 2022-02-28 r5338 [x86_64-linux-6.9.12-zabbly+] (local build)
Copyright (C) 2002-22, Bruce Allen, Christian Franke, www.smartmontools.org

Read Device Identity failed: Permission denied

Are there any other security or capability settings that come to mind that I could try?
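Since the question above is which capability settings might matter, here is an added diagnostic script (written for this thread, not taken from the thread, from scrutiny or from smartmontools) that decodes a process's CapEff and CapBnd masks from /proc and reports whether CAP_SYS_RAWIO and CAP_SYS_ADMIN are present. It assumes, as stated in the comments, that smartctl's ATA pass-through ioctl (SG_IO) is gated on CAP_SYS_RAWIO and NVMe admin commands on CAP_SYS_ADMIN, so a missing bit is one explanation for "Permission denied" on a device node that opens fine.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): decode a process's capability
# masks from /proc/<pid>/status and report whether the capabilities that
# smartctl's raw-device ioctls rely on are present. Assumption made here:
# ATA pass-through over SG_IO is gated on CAP_SYS_RAWIO and NVMe admin
# commands on CAP_SYS_ADMIN, so a missing bit explains EPERM from the
# ioctl even though the block device node itself could be opened.

# Capability numbers from linux/capability.h.
CAP_SYS_RAWIO=17
CAP_SYS_ADMIN=21

# cap_in_mask HEXMASK CAPNUM: succeed if bit CAPNUM is set in the hex mask
# (the CapEff/CapBnd value as printed by /proc/<pid>/status, no 0x prefix).
cap_in_mask() {
    mask=$(( 0x$1 ))
    bit=$(( 1 << $2 ))
    [ $(( mask & bit )) -ne 0 ]
}

# missing_caps HEXMASK: print the names of the wanted capabilities that the
# mask lacks, one per line; prints nothing when all of them are present.
missing_caps() {
    cap_in_mask "$1" "$CAP_SYS_RAWIO" || echo CAP_SYS_RAWIO
    cap_in_mask "$1" "$CAP_SYS_ADMIN" || echo CAP_SYS_ADMIN
    return 0
}

# cap_field PID FIELD: read one capability line (CapEff, CapBnd, ...) for a
# pid. Inside the container use PID 1 to see what its init was started with.
cap_field() {
    awk -v f="$2:" '$1 == f { print $2 }' "/proc/$1/status"
}

# check_process PID: report effective-set and bounding-set gaps for a process.
# A capability absent from CapBnd cannot be regained by anything in the
# container, so that is the line to compare against the host.
check_process() {
    pid=${1:-self}
    [ -r "/proc/$pid/status" ] || { echo "no /proc/$pid/status"; return 1; }
    for field in CapEff CapBnd; do
        m=$(cap_field "$pid" "$field")
        [ -n "$m" ] || continue
        echo "$field=$m"
        missing_caps "$m" | sed "s/^/  missing in $field: /"
    done
}

check_process "${1:-self}" || echo "capability check unavailable on this host"
```

Run it as root inside the container with `sh check.sh 1` and on the host with the same argument; a capability listed as missing in CapBnd in the container but present on the host is dropped by the container runtime, not by the device node permissions.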

FWIW - I’ve been able to work around running smartctl inside the privileged incus container.

The ‘scrutiny’ application that I want to use has a simple ‘collect metrics’ binary that I can invoke from the host OS and point it back towards the container.
(this binary uses smartctl under the hood)

sudo /var/lib/incus/storage-pools/zfsp1/containers/scrutiny/rootfs/opt/scrutiny/bin/scrutiny-collector-metrics run --api-endpoint "http://10.98.112.139:8080"

(where 10.98.112.139 is the ipv4 address of the container)

It’d still be nice to understand how to make smartctl work inside a container. I think working this out could unlock some ideas with other OCI application containers.