Hi Thomas,
The simplest thing i may recommend is to check it all working outside a
container - this way you can easily isolate whether the issue is somehow
related to the container (config or interaction of pmacctd with the
container) or with the pmacct config itself.
Paolo
On 6/5/22 06:05, Thomas Eckert wrote:
Hi everyone,
pmacct starter here, trying to get pmacctd working inside of a container
to listen to the (container's) host's traffic. I suppose this is a, if
not the, standard use case for pmacctd in a container. So I'm sure it
works in principle but I'm doing something wrong.
Command for starting the container:
docker run \
--privileged --network=host \
--name pmacctd \
-v /tmp/pmacctd.conf:/etc/pmacct/pmacctd.conf:ro \
-v /tmp/pcap-itf.conf:/etc/pmacct/pcap-itf.conf:ro \
-v /tmp//captures:/var/pmacct/captures:rw pmacctd-debug \
pmacct/pmacctd:latest
Contents of pmacctd.conf:
daemonize: false
snaplen: 1000
pcap_interfaces_map: /etc/pmacct/pcap-itf.conf
aggregate: src_host, dst_host, src_port, dst_port, proto, class
plugins: print
print_output: json
print_output_file: /var/pmacct/captures/capture-%Y%m%d_%H%M.txt
print_output_file_append: true
print_history: 1m
print_history_roundoff: m
print_refresh_time: 5
pcap-itf.conf contains all interfaces of the host (as per netstat -i) in
the form
ifname=eno2
One line each, no other keys/values other than ifname.
Possibly important note: There's a VPN (openconnect) constantly running
on the host. The VPN's interface is listed in netstat -i and, as such,
included in pcap-itf.conf.
Starting the container yields this output:
INFO ( default/core ): Promiscuous Mode Accounting Daemon, pmacctd
1.7.7-git (20211107-0 (ef37a415))
INFO ( default/core ): '--enable-mysql' '--enable-pgsql'
'--enable-sqlite3' '--enable-kafka' '--enable-geoipv2'
'--enable-jansson' '--enable-rabbitmq' '--enable-nflog' '--enable-ndpi'
'--enable-zmq' '--enable-avro' '--enable-serdes' '--enable-redis'
'--enable-gnutls' 'AVRO_CFLAGS=-I/usr/local/avro/include'
'AVRO_LIBS=-L/usr/local/avro/lib -lavro' '--enable-l2'
'--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins'
'--enable-st-bins'
INFO ( default/core ): Reading configuration file
'/etc/pmacct/pmacctd.conf'.
INFO ( default/core ): [/etc/pmacct/pcap-itf.conf] (re)loading map.
INFO ( default/core ): [/etc/pmacct/pcap-itf.conf] map successfully
(re)loaded.
INFO ( default_print/print ): cache entries=16411 base cache
memory=67875896 bytes
INFO ( default_print/print ): JSON: setting object handlers.
INFO ( default_print/print ): *** Purging cache - START (PID: 7) ***
INFO ( default_print/print ): *** Purging cache - END (PID: 7, QN:
0/0, ET: X) ***
Now, the problem is there are no files showing up in the 'captures'
directory at all.
I tried these things (as well as combinations thereof) to try to
understand what's going on:
* change the time related settings in pmacct.conf: to dump data
more/less often - also waited (increasingly) long, at times up to 20 minutes
* change 'snaplen' in pmacct.conf up & down - just to make sure I'm not
running into buffering problems (just guessing, haven't read pmacct/d
sources)
* change pcap-itf.conf to contain all interfaces or only the (host's)
LAN + VPN interfaces (removing all others like docker's internal 'docker0')
* check permission settings of the 'captures' directory - this should be
fine because a simple "touch /var/pmacct/captures/foobar" works and the
file does exist as observed in the directory on the host itself
* run the container _not_ in host-sniffing mode, so just inside its own
network-bubble, then cause traffic against it and observe it writing
data to the 'captures' directory - works!
Because I started to doubt my own sanity I asked one of our Docker/K8S
experts to check my docker setup and he found no problem looking over
it, including via "docker inspect pmacct". So I'm fairly sure my mistake
is somewhere in the configuration of pmacctd but I cannot figure out
what is. Would someone please point it out to me ?
Regards & Thanks,
Thomas
PS: It's been almost 10 years since I've posted to a mailing list.
Please forgive any conventions/best-practices missteps.
___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists