Waiting for Munin 2.0 - Native SSH transport
By Steve Schnepp on Monday, 12 July 2010, 14:11 - munin
In the munin architecture, the munin-master has to connect to the munin-node via a very simple protocol and plain TCP.
This has several advantages:
- Very simple to manage & install
- Optional SSL since 1.4 enabling secure communications
- Quite simple firewall rules.
It also has some disadvantages:
- A new listening service means a wider exposure
- The SSL option might add some administrative overhead (certificate management, ...)
- A native protocol isn't always covered by all firewall solutions
- Some organisations only authorize a few protocols to simplify audits (e.g. only SSH & HTTPS)
Native SSH
These drawbacks may be solved by encapsulation over SSH, but that can be tedious to maintain as the number of hosts increases.
Therefore 2.0 introduces the concept of a native SSH transport. Its usage is dead simple: replace the address with an ssh:// URL-like one.
The node still has to be modified to communicate with stdin/stdout instead of a network socket. For now, only pmmn and munin-async are able to provide such a node.
Configuration
The URL is quite self-explanatory, as shown in the example below:
[old-style-host]
address host.example.com
[new-style-host]
address ssh://munin-node-user@host.example.com/path/to/stdio-enabled-node --params
Installation notes
Authentication should use SSH keys rather than a password. The connection is made from munin-user@host-munin to munin-node-user@remote-node.
If you use munin-async, the user on the remote node can be a read-only one, since it only needs to read spooled data. This implies that you use --spoolfetch and not --vectorfetch, which updates the spool repository.
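One way to pin the master's key to the read-only spool reader on the node, as an added example that is not part of the original post or of Munin itself. The munin-async install path, the master's address and the public key are assumptions constructed for illustration; restrict, from= and command= are standard OpenSSH authorized_keys options.

```shell
#!/bin/sh
# Added example: build the authorized_keys line for munin-node-user so the
# master's key can only run the read-only spool reader.
# Assumptions (not from the post): munin-async path, master IP, sample key.

NODE_CMD='/usr/share/munin/munin-async --spoolfetch'   # assumed install path
MASTER_IP='192.0.2.10'                                 # documentation address
# Constructed public key of munin-user@host-munin (not a real key).
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyDoNotUse munin-user@host-munin'

# restricted_entry PUBKEY FORCED_COMMAND MASTER_ADDR
# Prints one authorized_keys line; returns 1 on input that would break
# out of the quoted options or is not a single public key.
restricted_entry() {
    pubkey=$1; forced=$2; master=$3
    case $pubkey in
        *"
"*) echo "public key must be a single line" >&2; return 1 ;;
    esac
    read -r ktype kdata kcomment <<EOF
$pubkey
EOF
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp*) ;;
        *) echo "unexpected key type: $ktype" >&2; return 1 ;;
    esac
    [ -n "$kdata" ] || { echo "missing key data" >&2; return 1; }
    [ -n "$forced" ] || { echo "forced command is empty" >&2; return 1; }
    # A double quote would close command="..." or from="..." early.
    case $forced$master in
        *'"'*) echo "double quote in option value" >&2; return 1 ;;
    esac
    # restrict (OpenSSH 7.2+): no pty, no port/agent/X11 forwarding.
    # command=: sshd runs this and ignores the path sent in the ssh:// address.
    # from=: the key is accepted only from the munin-master's address.
    printf 'restrict,from="%s",command="%s" %s %s%s\n' \
        "$master" "$forced" "$ktype" "$kdata" "${kcomment:+ $kcomment}"
}

# Append this line to ~munin-node-user/.ssh/authorized_keys on the node.
restricted_entry "$SAMPLE_KEY" "$NODE_CMD" "$MASTER_IP"
```

With the forced command in place, a stolen master key yields the spool contents and nothing else: no shell, no forwarding, and no --vectorfetch writes.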
Upcoming HTTP(S) transport in 3.0
And the sweetest part is that, since all the work of adding another transport has been done, adding a CGI-based HTTP transport is possible (and therefore done) for 3.0.
Comments
Hi, I just want to let you know that the sample SSH address you have in this post will not work. You should leave out the colon (:) from the string, otherwise the Perl URI module will not be able to parse the hostname correctly, and this leaves Munin trying to connect to "host.example.com:" which is not a valid hostname.
I have submitted a patch which enables you to specify the port number of the remote SSH server on this ticket: http://munin-monitoring.org/ticket/...
Otherwise good job on the blog, I couldn't really find much other information on how to set this up :)
Perfect! I wasn't too familiar with munin's internal communication and didn't know if I could use it like this.....
I was actually just going to use netcat myself too, to do it. Hehe! However, I hadn't gotten to checking its messagings internally yet. Yay!