[Shinken-devel] DMZ management : passives connexions for pollers (and soon reactionners)

Thu, 10 Feb 2011 08:00:35 -0800 

Hi all,

I just make the passive connexions feature for the pollers. The idea is very
simple : when you got DMZ network, you should avoid connexions from the DMZ
to the LAN. And with the current way of working, there was a problem for
this.

If you tag hosts/services with a DMZ poller_tag you can have :

You got :
Arbiter (lan) ----> send conf ---> poller (DMZ)                :OK
Scheduler (lan)   <------- get checks/push results       <---- poller  (DMZ)
   : not OK

The only solution was to add a DMZ realm, and put a scheduler in the DMZ
too. But it can be a problem if you got parents/dependencies relations
between elements in the LAN and the DMZ (bad cutting for realm, arbiter bail
out).

That why passive connexions for pollers is an interesting feature. If you
set :
define poller{
   poller_name    dmz-poler
   poller_tags      DMZ
   passive           1
}

Then the connexions will be :
Arbiter (lan) ----> send conf ---> poller (DMZ)                :OK
Scheduler (lan)   -------> push check/ get results ----> poller  (DMZ)    :
OK     :)

It will impact this poller only of course, the scheduler will still answer
to the other pollers as the classic way.

I'll made some network diagrams to show this on the wiki. I think this
passive thing is only useful for DMZ networks, but now everyone got one, so
I think a lot of network admins will be happy :)

The code need a big factorization/cleaning pass and a good test case (I
think a end to end one can be good here). Reactionners should also got such
feature soon, because the poller/reactionner way of working is the same.



Jean

------------------------------------------------------------------------------
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb
_______________________________________________
Shinken-devel mailing list
Shinken-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shinken-devel

Reply via email to