Hi,

I need to collect some data from semi-untrusted clients. I can only allow them to publish a specified subset of data, e.g. a single plugin but cannot be 100% sure what they _do_ publish.

Signing and encryption only protect against an untrusted network, not against untrusted publishers. So I decided to extend collectd a bit. First, the collectd network plugin may now listen on unix sockets too (via a rather gross hack around getaddrinfo). The UnixSock plugin offers way too much access for my use case. Second, I extended the metadata attached to the collected values to contain the socket name on which a specific value arrived. Third, I extended the regex match to allow metadata comparisons.

The end result is that I can now say something like this:

---------------------------------------------------
<Plugin network>
        <Listen "/local" "/tmp/collectd.sock">
                SocketPerms "666"
                SocketGroup "1000"
                DeleteSocket true
        </Listen>
</Plugin>

<Chain "PreCache">
        <Rule "example_filter">
                <Match "regex">
                        Metadata "network:node" "^/local$"
                        Metadata "network:service" "^/tmp/collectd\.sock$"
                </Match>
                <Match "regex">
                        PluginInstance "^example_instance$"
                        Invert true
                </Match>
                Target "stop"
        </Rule>
</Chain>
---------------------------------------------------

to restrict samples sent over /tmp/collectd.sock to a single plugin instance (realistic filters and socket permissions would be slightly different). The /local convention comes from Stevens' Unix Network Programming, so I can take neither blame nor credit for that ;)

If anybody is interested in these patches, feel free to grab them from my github tree based on git://git.verplant.org/collectd.git#master:

https://github.com/gnosek/collectd/tree/network_unix_sockets

(it also contains an unrelated build fix related to libiptc). Comments gladly accepted.

I'd send a github pull request but it seems the upstream github tree is a bit outdated.

Best regards,
 Grzegorz Nosek
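To make the filtering semantics of the configuration above concrete, here is an added Python model (not part of the post's patches or of collectd itself) that evaluates the "example_filter" rule over a few constructed values. It assumes values are plain dictionaries with a `meta` map carrying the "network:node" / "network:service" keys the patches add, and models a collectd Rule the way collectd does: every Match block must hit before the Target fires.

```python
import re

# Constructed sample values, as the PreCache chain would see them.
# Values received on the unix socket carry the two metadata keys;
# a value collected by a local plugin carries no network metadata at all.
SAMPLES = [
    {"plugin": "example", "plugin_instance": "example_instance",
     "meta": {"network:node": "/local", "network:service": "/tmp/collectd.sock"}},
    {"plugin": "cpu", "plugin_instance": "0",
     "meta": {"network:node": "/local", "network:service": "/tmp/collectd.sock"}},
    {"plugin": "cpu", "plugin_instance": "0", "meta": {}},   # collected locally
]

# Hypothetical in-memory form of the <Rule "example_filter"> block: a list of
# regex Match blocks, each with its patterns and its Invert flag.
RULE = [
    {"meta": {"network:node": r"^/local$",
              "network:service": r"^/tmp/collectd\.sock$"}, "invert": False},
    {"fields": {"plugin_instance": r"^example_instance$"}, "invert": True},
]

def match_block(block, value):
    """A regex Match hits only if every configured pattern matches; Invert flips it."""
    hit = True
    for key, pattern in block.get("meta", {}).items():
        # A value without that metadata key cannot satisfy the pattern.
        hit = hit and key in value["meta"] and re.search(pattern, value["meta"][key]) is not None
    for field, pattern in block.get("fields", {}).items():
        hit = hit and re.search(pattern, value[field]) is not None
    return (not hit) if block["invert"] else hit

def rule_stops(rule, value):
    """Target "stop" is applied only when all Match blocks of the rule hit."""
    return all(match_block(block, value) for block in rule)

def filter_values(rule, values):
    """Return the values that survive the chain, i.e. were not stopped."""
    return [v for v in values if not rule_stops(rule, v)]
```

Only the second sample, a cpu value arriving over the socket, is dropped; the example_instance value from the socket and the locally collected cpu value both pass, which is exactly the restriction the rule is meant to enforce.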

_______________________________________________
collectd mailing list
[email protected]
http://mailman.verplant.org/listinfo/collectd