[tor-bugs] #29682 [Internal Services/Tor Sysadmin Team]: remove traces munin-node everywhere
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Apr 1 20:49:21 UTC 2019
#29682: remove traces munin-node everywhere
-------------------------------------------------+-------------------------
Reporter: anarcat | Owner: anarcat
Type: defect | Status: assigned
Priority: Medium | Milestone:
Component: Internal Services/Tor Sysadmin Team | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: #29681 | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by anarcat):
fun facts found while ripping that stuff out:
1. there is a DSA-specific munin package, with the following plugins:
  * `spamassassin`: ham/spam/total counts, looks for `spamd: ((processing|checking) message|identified spam|clean message)` in `mail.log`, could be replaced with [https://github.com/google/mtail mtail]
  * `postgres-wal-traffic_`: output of `psql -p "$port" --no-align --command 'SELECT * FROM pg_current_xlog_insert_location()' --tuples-only --quiet | tr -d /`, probably covered by the [https://github.com/wrouesnel/postgres_exporter postgres exporter]
  * `ksm_scans`: output of `/sys/kernel/mm/ksm/full_scans`, see [https://www.kernel.org/doc/html/latest/admin-guide/mm/ksm.html KSM docs]
  * `ksm`: same, but with `pages_shared`, `_unshared`, `_volatile`, `_sharing`, possibly covered by the node exporter, but hardly seems critical in any case
  * `vsftpd`: logtail of `/var/log/ftp/vsftpd.log` looking for upload/download/login/delete/connexions, would require a custom mtail plugin as well
  * `bind`: logtail of `/var/log/daemon.log`, looking for queries etc, easy replacement with the [https://github.com/digitalocean/bind_exporter/ Prometheus exporter]
  * `apache_servers`: apache server-status, equivalent of the apache exporter, already deployed
2. there's a packet counting script in `ferm` which seems to count per-IP packet stats from iptables:
{{{
$munin_ips = split(regsubst($v4ips, '([^,]+)', 'ip_\1', 'G'), ',')
munin::check { $munin_ips:
  script => "ip_";
}
if $v6ips {
  $munin6_ips = split(regsubst($v6ips, '([^,]+)', 'ip_\1', 'G'), ',')
  munin::check { $munin6_ips: script => 'ip_', }
}
}}}
I have just removed those, without a replacement.
3. hiding in the haproxy puppet module is another munin plugin. there is
also a [https://github.com/prometheus/haproxy_exporter prometheus exporter
for haproxy] which we can eventually deploy to replace this. in the
meantime, it was deleted
4. the VM image installer (`modules/roles/files/virt/tor-install-VM`) has
noises about setting up VM-specific plugins: `echo ' for i in
`/usr/local/sbin/vm_du_ suggest`; do ln -vsf /usr/local/sbin/vm_du_
/etc/munin/plugins/vm_du_$i; done'`. that file does not seem to be
deployed through Puppet, and consists of a script checking the disk space
of all VMs. It looks something like this on `kvm4` right now:
{{{
#!/bin/bash
# -*- sh -*-
MUNIN_LIBDIR=${MUNIN_LIBDIR:-/usr/share/munin}
. $MUNIN_LIBDIR/plugins/plugin.sh
BASE=/srv/vmstore
VM=${0##*vm_du_}
#VM=${VM//_/.}
case $1 in
    autoconf)
        if [[ -d "$BASE" ]]; then
            echo yes
            exit 0
        else
            echo "no ($BASE not found)"
            exit 0
        fi
        ;;
    suggest)
        if [[ -d "$BASE" ]]; then
            find "$BASE" -mindepth 1 -maxdepth 1 -type d -a ! -name lost+found -printf '%f\n' # | tr . _
        fi
        exit 0
        ;;
    config)
        echo "graph_title disk usage VM $VM"
        echo 'graph_args --base 1024 --lower-limit 0'
        echo 'graph_vlabel bytes'
        echo 'graph_category disk'
        echo 'graph_total Total'
        find "$BASE/$VM" -mindepth 1 -maxdepth 1 -type f |
            while read fn; do
                label="${fn##*/}"
                label=${label//./_}
                name=${label//-/_}
                echo "$name.label $label"
                echo "$name.cdef $name,1024,*"
            done
        exit 0
        ;;
esac
find "$BASE/$VM" -mindepth 1 -maxdepth 1 -type f -printf '%f %k\n' |
    while read fn du; do
        fn=${fn//[.-]/_}
        echo "$fn.value $du"
    done
}}}
that is covered by #29816.
5. the munin-common package doesn't remove its own user/group by default
so I did that by hand. there's a possibility that some files are leftover
in /var or /etc, but I am ready to assume the consequence of a possible
UID reuse there to remove an extra account from all servers
6. normally, the package removal process should have removed all of
/etc/munin/plugins, but there are some leftovers sometimes, e.g. on
`oo-hetzner-03`:
{{{
diskstats fw_forwarded_local if_err_eth0 ip_38.229.72.27
ntp_kernel_err ntp_kernel_pll_off postfix_mailvolume threads
fw_conntrack fw_packets if_eth0 netstat
ntp_kernel_pll_freq postfix_mailqueue proc_pri users
}}}
Those are all symlinks to builtin plugins, so I think they can be
safely removed and have done so.
7. nagios was watching that munin was running everywhere in its static
configuration, I have removed that check as well
All those changes will take some time to propagate everywhere, which will
make Nagios noisy for a little while. Tomorrow, it will be possible to
remove remaining Munin code from Puppet entirely, assuming all nodes will
have run Puppet correctly.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29682#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
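
Items 4 and 6 of the comment above separate package-provided plugin symlinks from locally installed ones such as `vm_du_`. The following is an added example, not part of the original ticket or of the Tor sysadmin team's Puppet code, that makes that check explicit before leftovers are deleted. The function names are hypothetical; the builtin plugin path in the sample invocation is taken from `MUNIN_LIBDIR` in the script quoted above.

```shell
# plugin_class ENTRY BUILTIN_DIR
# Prints: builtin (symlink into BUILTIN_DIR), custom (symlink elsewhere),
# or file (not a symlink). Only the link text is inspected, so dangling
# links left behind by the package removal are classified too.
plugin_class() {
    local entry="$1" builtin_dir="${2%/}" target
    if [ ! -L "$entry" ]; then
        echo file
        return 0
    fi
    target=$(readlink "$entry")
    case $target in
        /*) ;;
        *)  target="${entry%/*}/$target" ;;  # relative to the link's directory
    esac
    case $target in
        */../*|*/..)      echo custom ;;   # '..' could escape BUILTIN_DIR
        "$builtin_dir"/*) echo builtin ;;
        *)                echo custom ;;
    esac
}

# audit_plugins PLUGIN_DIR BUILTIN_DIR [--purge]
# Lists every entry; with --purge removes only the builtin symlinks.
# Returns 1 if anything is left for manual review, 0 otherwise.
audit_plugins() {
    local plugin_dir="${1%/}" builtin_dir="$2" mode="${3:-}" entry class review=0
    for entry in "$plugin_dir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        class=$(plugin_class "$entry" "$builtin_dir")
        if [ "$class" = builtin ]; then
            if [ "$mode" = --purge ]; then rm -f -- "$entry"; fi
            echo "builtin ${entry##*/}"
        else
            echo "review  ${entry##*/} ($class)"
            review=1
        fi
    done
    return "$review"
}

# Example invocation (paths as on the page):
# audit_plugins /etc/munin/plugins /usr/share/munin/plugins --purge
```

A non-zero return means the directory still holds hand-installed files or symlinks pointing outside the package directory, which deserve a look before the directory is removed.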