Re: bsnmp module for monitoring jails: bsnmp-jails
Hi,

Just to elaborate Bjoern's opinion -

* traffic monitoring per ip/flow might not be of interest to jails only and I believe it belongs to a separate module
* in terms of jail resource monitoring (and limits) I believe the direction to go is using jtune (Cris Jones'es SoC 2006 patch) even if we have to live with #ifdef JTUNE inside bsnmp_jails until it hits the tree (which I hope it will at one point)
* the module badly needs to list the IP addresses of a jail - which I believe should be done in a separate table - e.g. indexed by jail id and IP address - the question here is how to handle IPv4 vs IPv6 - separate tables or a common table adding an InetAddress column as index - the latter will not work with bsnmptools until they're fixed to support it; I am also guessing we need a RowStatus column so that one can assign IP addresses to a jail via SNMP

Furthermore -

* there is no way to create or destroy a jail via snmp-jail - jailEntry is missing a RowStatus column maybe?
* I am missing a column for the jail's root
* jailname, number of IPv4, IPv6'es in terms of jails in CURRENT?
* SNMP equivalents for the controls under security.jail sysctl MIB?
* I don't like the fact that the module includes pre-generated jails_oid.h, jails_tree.h and jails_tree.c - we have a bsd.snmpmod.mk for this, which puts all files in place (e.g. MIB, def)

I can try summing up my ideas in a MIB and publishing it for discussion these days but unfortunately I don't have the time to do any coding on this right now.

One last thought, we certainly want a bsnmp_jails (the notation so far is to use underscore in the name) module as part of base but it should cover as wide a range of usage scenarios of jail(8) as possible.

cheers,
Shteryana

P.P. Please keep me in the CC list as I am not subscribed to (this) list

___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"

Re: bsnmp module for monitoring jails: bsnmp-jails
Bjoern A. Zeeb wrote:
> I see a few problems with the module (and I haven't investigated a lot
> yet):

Hi. BTW, thanks for the work you've put into jails on HEAD. Really looking forward to that.

The bsnmp-jails module certainly could be improved a lot. As my clients migrate to newer versions of FreeBSD, that would happen naturally. Or if anyone interested wants to participate, please do. I'm open to better ideas, code and implementations. bsnmp-jails was born out of necessity.

Some answers to your points below, but this doesn't mean that I don't think they're valid.

> - the entire pcap stuff in there

Yes, at first glance not the most efficient. It'd be awesome if there were kernel counters for this. But the big benefit to using pcap is that it allows us to exclude certain traffic (see jailNetworkFilter config) such as local site traffic, from the counters.

> This is all going to break on the assumption that jails do use things
> exclusively. For example there can be 10 jails all sharing the same IP.
> There can be jails all sharing the same fs, nullfs mounts, ...

Certainly. Jails can be configured in a multitude of ways. Obviously, one can even use them as a chroot. I don't think bsnmp-jails makes sense for every possible use of jail(2).

The module doesn't follow mounts when calculating disks and files. In the future I'm thinking of moving to ZFS for my jails, one fs per jail, and that'd make it far quicker and easier to calculate disks and file usage. That is, if the top level path of a jail is a mount point, then bsnmp-jail could just use info straight from that mount point instead of walking the tree inefficiently.

> And to my understanding the cpu usage reported is at best a snapshot
> guess but no clean statistics value.

I'm certainly no expert at this, however I've thought that the CPU usage is one of the more accurate parts of bsnmp-jail. It monitors ki_childtime + ki_runtime for all the processes. In addition when a process that has a parent outside the jail exits (ie: a daemon restarting), it keeps track of that process's ki_childtime + ki_runtime and keeps it in the counters.

The above opens a small window of time when CPU usage may be missed. The time between the last monitoring cycle (3 seconds by default) and when a daemon process exits may be missed. In reality this happens very rarely and the CPU statistics have been usable.

> I admit that those things (apart from traffic which really belongs
> elsewhere) can become interesting with resource limit patches where we
> get proper values from elsewhere w/o having to do guess-math.

Yes, it goes without saying that if there were kernel counters for CPU usage on the xprison structure then that'd make things far simpler and more accurate.

> - no support for jails in HEAD (and soon in 7)

So far only two versions of xprison structure are supported. The original single IP, and those patches that have been floating around. But it'd be easy to add support for the new jails.

> - does the MIB list the IP address(es)?

Nope, but it could be done easily, given the need.

> - private copies of xprison structures

Not sure I understand what you mean here.

bsnmp-jail tracks jails by hostname, not by jid, since those are volatile. It also has to do strange gymnastics to get around the 'phantom jail' effect on FreeBSD 6.x (and other versions?) where a jail hangs around in the kernel due to TCP TIME_WAIT.

> I have the feeling that this will need a bit of polishing and
> separation of things...

Yup certainly, and it's my hope that it will become more useful over time. Thanks for your advice.

Cheers,
Stef

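
The CPU accounting described in the message above, as an added C example that is not taken from bsnmp-jails: each poll sums ki_runtime + ki_childtime over the jail's live processes and retains the last value seen for a process whose parent is outside the jail once it disappears. Only the two ki_* field names come from the thread; the structs, function names, the poll data and the use of plain microsecond integers for both times are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-process sample; times are plain microseconds here. */
struct psample { int pid; int parent_in_jail; uint64_t ki_runtime, ki_childtime; };
#define MAXP 16
struct jail_cpu {
    struct psample last[MAXP]; /* processes seen at the previous poll */
    int nlast;
    uint64_t retained;         /* CPU of exited processes with an outside parent */
};

/* One monitoring cycle: returns the jail's cumulative CPU time in usec. */
uint64_t jail_cpu_poll(struct jail_cpu *jc, const struct psample *cur, int ncur)
{
    uint64_t total = 0;
    /* A process seen last cycle but gone now has exited. If its parent is in
     * the jail, its time moved into that parent's ki_childtime. If not, the
     * time left the jail, so keep the last value that was observed. */
    for (int i = 0; i < jc->nlast; i++) {
        int alive = 0;
        for (int j = 0; j < ncur; j++)
            if (cur[j].pid == jc->last[i].pid) alive = 1;
        if (!alive && !jc->last[i].parent_in_jail)
            jc->retained += jc->last[i].ki_runtime + jc->last[i].ki_childtime;
    }
    for (int j = 0; j < ncur; j++)
        total += cur[j].ki_runtime + cur[j].ki_childtime;
    jc->nlast = ncur < MAXP ? ncur : MAXP;
    memcpy(jc->last, cur, (size_t)jc->nlast * sizeof(*cur));
    return total + jc->retained;
}

/* Constructed polls: daemon 100 (parent outside the jail) forks worker 101. */
uint64_t demo_reported(void)
{
    struct jail_cpu jc = {0};
    struct psample t0[] = { {100, 0, 5000, 0}, {101, 1, 2000, 0} };
    /* worker 101 exited at 2500 usec and was reaped by daemon 100 */
    struct psample t1[] = { {100, 0, 6000, 2500} };
    /* daemon 100 ran 400 usec more, then exited before this poll and was
     * replaced by 200: those 400 usec fall in the window and are not seen */
    struct psample t2[] = { {200, 0, 300, 0} };
    jail_cpu_poll(&jc, t0, 2);
    jail_cpu_poll(&jc, t1, 1);
    return jail_cpu_poll(&jc, t2, 1);
}

int main(void) { printf("reported=%llu usec\n", (unsigned long long)demo_reported()); return 0; }
```

In the constructed run the jail actually consumed 9200 usec; the difference from the reported figure is the CPU the restarted daemon used after the last poll that saw it.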
Re: bsnmp module for monitoring jails: bsnmp-jails
On Wed, 21 Jan 2009, Miroslav Lachman wrote:

Hi,

> Stef wrote:
>> Miroslav Lachman wrote:
>>> Stef wrote:
>>>> I've released a bsnmp module for monitoring jails via SNMP. Stuff like
>>>> network traffic, disk space, CPU utilization etc...
>>>>
>>>> FreeBSD port attached, available here:
>>>>
>>>> http://memberwebs.com/stef/software/bsnmp-jails/
>>>
>>> Thank you for your announcement and your work! I will test it as soon as
>>> possible. Is there some limitation of FreeBSD version (6.x / 7.x / 8.x;
>>> i386 / amd64) or is it compatible with "all"?
>>
>> I hope it's compatible with all of the above. If you find problems with
>> later OS's or other architectures, I'd be happy to help find the
>> problems, or include patches.
>>
>> When it was initially developed, 6.3 was the latest stable release of
>> FreeBSD. It's been deployed on a dozen production 6.3-RELEASE i386
>> servers (each with lots of jails).
>
> I added link to your website on http://wiki.freebsd.org/Jails
>
> Do you plan to submit PR with port? Let me know if you submit it, so I
> can update the wiki page.

I see a few problems with the module (and I haven't investigated a lot yet):

- the entire pcap stuff in there
- the inode and cpu usage stuff in there

This is all going to break on the assumption that jails do use things exclusively. For example there can be 10 jails all sharing the same IP. There can be jails all sharing the same fs, nullfs mounts, ...

And to my understanding the cpu usage reported is at best a snapshot guess but no clean statistics value.

I admit that those things (apart from traffic which really belongs elsewhere) can become interesting with resource limit patches where we get proper values from elsewhere w/o having to do guess-math.

- no support for jails in HEAD (and soon in 7)
- does the MIB list the IP address(es)?
- private copies of xprison structures
- ...

I have the feeling that this will need a bit of polishing and separation of things...

I hope Shteryana may join in here ...

--
Bjoern A. Zeeb      The greatest risk is not taking one.

Re: bsnmp module for monitoring jails: bsnmp-jails
Stef wrote:
> Miroslav Lachman wrote:
>> Stef wrote:
>>> I've released a bsnmp module for monitoring jails via SNMP. Stuff like
>>> network traffic, disk space, CPU utilization etc...
>>>
>>> FreeBSD port attached, available here:
>>>
>>> http://memberwebs.com/stef/software/bsnmp-jails/
>>
>> Thank you for your announcement and your work! I will test it as soon as
>> possible. Is there some limitation of FreeBSD version (6.x / 7.x / 8.x;
>> i386 / amd64) or is it compatible with "all"?
>
> I hope it's compatible with all of the above. If you find problems with
> later OS's or other architectures, I'd be happy to help find the
> problems, or include patches.
>
> When it was initially developed, 6.3 was the latest stable release of
> FreeBSD. It's been deployed on a dozen production 6.3-RELEASE i386
> servers (each with lots of jails).

I added link to your website on http://wiki.freebsd.org/Jails

Do you plan to submit PR with port? Let me know if you submit it, so I can update the wiki page.

Miroslav Lachman