File: munin-node.conf.pod

munin 2.0.76-5
=encoding utf8

=head1 NAME

munin-node.conf - Munin-node configuration file

=head1 DESCRIPTION

F<munin-node.conf> is the configuration file for C<munin-node>, the agent that
Munin fetches data from.

The format is dictated by the use of C<Net::Server>. A look at C<perldoc
Net::Server> will give a list of options that the file supports by using the
module.  This page mainly covers the Munin-specific extensions.

The following options are of special interest:

=over 5

=item B<< allow RE >>

Implements the IP-based access list. The statement may be repeated many
times.  Note that the argument after the keyword is a regular expression,
not a literal address, so to allow localhost it must be written like this:

      allow ^127\.0\.0\.1$

=item B<< cidr_allow NETWORK/MASK >>

An alternative to C<allow RE>.  This allows the access list to be specified in
CIDR format.  For instance, C<cidr_allow 192.0.2.0/24> would allow connections
from any IP address from 192.0.2.1 to 192.0.2.254.

C<cidr_allow 127.0.0.1/32> is equivalent to the C<allow> example above.  Note
that the netmask B<must> be provided, even when it is just C</32>.

This option requires that the C<Net::CIDR> Perl module be installed.

=item B<< host IP >>

The IP address of the interface munin-node should listen on.  By
default munin-node listens on all interfaces.  To make munin-node
listen only on the localhost interface, making it unavailable from
the network, do this:

      host 127.0.0.1

=back
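
An added example (not part of the Munin distribution): a short Python audit of C<allow> and C<cidr_allow> lines, showing why the anchors and escaped dots in the C<allow> pattern above matter. It assumes Python's C<re> module behaves like Perl's regex engine for these simple patterns and that any matching C<allow> or C<cidr_allow> line admits the peer; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configuration (not taken from a real host).
SAMPLE_CONF = r"""
allow ^127\.0\.0\.1$
allow 10.0.0.1
cidr_allow 192.0.2.0/24
"""

def parse_acl(text):
    """Return (allow_patterns, cidr_networks) found in munin-node.conf text."""
    patterns, networks = [], []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0], parts[1].strip()
        if key == "allow":
            patterns.append(value)
        elif key == "cidr_allow":
            if "/" not in value:  # the page requires an explicit netmask
                raise ValueError(f"cidr_allow without netmask: {value}")
            networks.append(ipaddress.ip_network(value, strict=False))
    return patterns, networks

def audit_allow(pattern):
    """List the ways an allow regex is looser than an exact-address match."""
    findings = []
    if not pattern.startswith("^"):
        findings.append("not anchored at start")
    if not pattern.endswith("$"):
        findings.append("not anchored at end")
    if re.search(r"(?<!\\)\.", pattern):
        findings.append("unescaped '.' matches any character")
    return findings

def is_allowed(addr, patterns, networks):
    """Assumed decision rule: any regex hit or any CIDR hit admits addr."""
    if any(re.search(p, addr) for p in patterns):
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

if __name__ == "__main__":
    pats, nets = parse_acl(SAMPLE_CONF)
    for p in pats:
        print(p, "->", audit_allow(p) or "exact match")
    print("210.0.0.15 admitted:", is_allowed("210.0.0.15", pats, nets))
```

The unanchored C<allow 10.0.0.1> line admits 210.0.0.15 because the pattern is found inside that address; the anchored, escaped form does not.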

=head2 Additional options:

=over 5

=item B<< host_name <host> >>

If set, overrides the hostname munin-node uses in its
'hello'-negotiation with munin. A "telnet localhost 4949" will show the
hostname munin-node is currently using. If munin-node and the main munin
installation do not agree on the hostname, munin will skip all the
plugins of the machine in question.

=item B<< paranoia <yes|no|true|false|on|off|1|0> >>

If set, checks permissions of plugin files, and only tries to run files
owned by root. Default on.

=item B<< ignore_file <regex> >>

Files matching E<lt>regexE<gt> in the node.d/ and node-conf.d/
directories will be ignored.

=item B<tls> <value>

Can have one of four values: C<paranoid>, C<enabled>, C<auto>, and
C<disabled>.  C<paranoid> and C<enabled> require a TLS connection,
while C<disabled> will not attempt one at all.

The current default is C<disabled> because C<auto> is broken.  C<auto>
causes bad interaction between munin-update and munin-node if the node
is unprepared to go to TLS.

If you see data dropouts (gaps in graphs), try disabling TLS.

=item B<tls_verify_certificate> <value>

This directive can be C<yes> or C<no>.  It determines if the remote
certificate needs to be signed by a CA that is known locally.  Default
is C<no>.

=item B<tls_private_key> <value>

This directive sets the location of the private key to be used for
TLS.  Default is @@CONFDIR@@/munin-node.pem.  The private key and
certificate can be stored in the same file.

=item B<tls_certificate> <value>

This directive sets the location of the TLS certificate to be used for
TLS.  Default is @@CONFDIR@@/munin-node.pem.  The private key and
certificate can be stored in the same file.

=item B<tls_ca_certificate> <value>

This directive sets the CA certificate to be used to verify the node's
certificate, if tls_verify_certificate is set to C<yes>.  Default is
@@CONFDIR@@/cacert.pem.

=item B<tls_verify_depth> <value>

This directive sets how many signings up a chain of signatures TLS is
willing to go to reach a known, trusted CA when verifying a
certificate.  Default is C<5>.

=item B<tls_match> <value>

This directive, if defined, searches a dump of the certificate provided by the
remote host for the given regex.  The dump of the certificate is two lines of
the form:

	Subject Name: /C=c/ST=st/L=l/O=o/OU=ou/CN=cn/emailAddress=email
	Issuer  Name: /C=c/ST=st/O=o/OU=ou/CN=cn/emailAddress=email

So, for example, one could match the subject distinguished name by the directive:

	tls_match Subject Name: /C=c/ST=st/L=l/O=o/OU=ou/CN=cn/emailAddress=email

Note that the fields are dumped in the order they appear in the certificate.
It's best to view the dump of the certificate by running munin-update in debug
mode and reviewing the logs.

Unfortunately, due to the limited functionality of the SSL module in use, it is
not possible to provide finer-grained filtering.  By default this value is not
defined.

=back
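
An added example (not Munin's own code): how a C<tls_match> regex behaves when searched across the two-line certificate dump described above. Python's C<re> stands in for the Perl regex engine, and the distinguished names, variable names and function names are constructed for illustration.

```python
import re

def cert_dump(subject_dn, issuer_dn):
    """Build the two-line dump in the layout shown on this page."""
    return f"Subject Name: {subject_dn}\nIssuer  Name: {issuer_dn}"

def matched_lines(tls_match, dump):
    """Return the dump lines in which the tls_match regex is found."""
    rx = re.compile(tls_match)
    return [line for line in dump.splitlines() if rx.search(line)]

def accepts(tls_match, dump):
    """A certificate passes if the regex is found anywhere in its dump."""
    return re.search(tls_match, dump) is not None

# Constructed dumps for two different hosts signed by the same CA.
MASTER = cert_dump("/C=NO/O=Example/CN=munin-master",
                   "/C=NO/O=Example/CN=Example CA")
OTHER = cert_dump("/C=NO/O=Example/CN=backup-host",
                  "/C=NO/O=Example/CN=Example CA")

# A pattern that names only one field is searched in both lines, so it can
# be satisfied by the issuer line of any certificate from the same CA.
LOOSE = "CN=Example CA"

# Spelling out the "Subject Name: " prefix and the full DN ties the match
# to the subject line of the intended peer.
STRICT = "Subject Name: /C=NO/O=Example/CN=munin-master"

if __name__ == "__main__":
    for name, dump in (("master", MASTER), ("other", OTHER)):
        print(name, "loose:", accepts(LOOSE, dump),
              "strict:", accepts(STRICT, dump))
```
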

=head1 EXAMPLE

A pretty normal configuration file:

	log_level 4
	log_file /var/log/munin/munin-node.log
	port 4949
	pid_file /var/run/munin-node.pid
	background 1
	setsid 1

	host *
	user root
	group root
	setsid yes

	ignore_file \.bak$
	ignore_file \.rpm(save|new)$
	ignore_file ^README$

	allow ^127\.0\.0\.1$

	ignore_file \.dpkg-(old|new)$
	ignore_file \.rpm(save|new)$

See the documentation or the Munin homepage
L<http://munin-monitoring.org/> for more info.

=head1 AUTHORS

Jimmy Olsen.

=head1 COPYRIGHT

Copyright (C) 2002-2006 Audun Ytterdal, Jimmy Olsen, Dagfin Ilmari
Mansker, Nicolai Langfeldt

This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.

This program is released under the GNU General Public License

=cut