munin-node.conf - Munin-node configuration file
munin-node.conf is the configuration file for
"munin-node", the agent that Munin fetches
data from.
The format is dictated by the use of
"Net::Server". A look at
"perldoc
Net::Server" will give a list of options that
the file supports by using the module. This page mainly covers the
Munin-specific extensions.
The following options are of special interest:
- allow RE
- IP based access list is implemented through this. The statement may be
repeated many times. It's important to note that it's actually a regular
expression after the keyword so to allow localhost it must be written like
this:
allow ^127\.0\.0\.1$
- cidr_allow
NETWORK/MASK
- An alternative to "allow RE". This
allows the access list to be specified in CIDR format. For instance,
"cidr_allow 192.0.2.0/24" would allow
connections from any IP from 192.0.2.1 to 192.0.2.254.
And "cidr_allow
127.0.0.1/32" is the equivalent to the example above. Note
that the netmask must be provided, even though it's just
"/32".
This option requires that the
"Net::CIDR" Perl module be
installed.
- host IP
- The IP number of the interface munin-node should listen on. By default
munin-node listens to all interfaces. To make munin-node listen only on
the localhost interface - making it unavailable from the network do this:
host 127.0.0.1
- host_name
<host>
- If set, overrides the hostname munin-node uses in its 'hello'-negotiation
with munin. A "telnet localhost 4949" will show the hostname
munin-node is currently using. If munin-node and the main munin
installation do not agree on the hostname, munin will skip all the plugins
of the machine in question.
- paranoia
<yes|no|true|false|on|off|1|0>
- If set, checks permissions of plugin files, and only tries to run files
owned by root. Default on.
- ignore_file
<regex>
- Files matching <regex> in the node.d/ and node-conf.d/ directories
will be overlooked.
- tls
<value>
- Can have four values. "paranoid",
"enabled",
"auto", and
"disabled".
"Paranoid" and
"enabled" require a TLS connection,
while "disabled" will not attempt one at
all.
The current default is
"disabled" because
"auto" is broken.
"Auto" causes bad interaction between
munin-update and munin-node if the node is unprepared to go to TLS.
If you see data dropouts (gaps in graphs) please try to
disable TLS.
- tls_verify_certificate
<value>
- This directive can be "yes" or
"no". It determines if the remote
certificate needs to be signed by a CA that is known locally. Default is
"no".
- tls_private_key
<value>
- This directive sets the location of the private key to be used for TLS.
Default is /etc/munin/munin-node.pem. The private key and certificate can
be stored in the same file.
- tls_certificate
<value>
- This directive sets the location of the TLS certificate to be used for
TLS. Default is /etc/munin/munin-node.pem. The private key and certificate
can be stored in the same file.
- tls_ca_certificate
<value>
- This directive sets the CA certificate to be used to verify the node's
certificate, if tls_verify_certificate is set to
"yes". Default is
/etc/munin/cacert.pem.
- tls_verify_depth
<value>
- This directive sets how many signings up a chain of signatures TLS is
willing to go to reach a known, trusted CA when verifying a certificate.
Default is 5.
- tls_match
<value>
- This directive, if defined, searches a dump of the certificate provided by
the remote host for the given regex. The dump of the certificate is two
lines of the form:
Subject Name: /C=c/ST=st/L=l/O=o/OU=ou/CN=cn/emailAddress=email
Issuer Name: /C=c/ST=st/O=o/OU=ou/CN=cn/emailAddress=email
So, for example, one could match the subject distinguished
name by the directive:
tls_match Subject Name: /C=c/ST=st/L=l/O=o/OU=ou/CN=cn/emailAddress=email
Note that the fields are dumped in the order they appear in
the certificate. It's best to view the dump of the certificate by
running munin-update in debug mode and reviewing the logs.
Unfortunately, due to the limited functionality of the SSL
module in use, it is not possible to provide finer-grained filtering. By
default this value is not defined.
A pretty normal configuration file:
log_level 4
log_file /var/log/munin/munin-node.log
port 4949
pid_file /var/run/munin-node.pid
background 1
setsid 1
host *
user root
group root
setsid yes
ignore_file \.bak$
ignore_file \.rpm(save|new)$
ignore_file ^README$
allow ^127\.0\.0\.1$
ignore_file \.dpkg-(old|new)$
ignore_file \.rpm(save|new)$
See the documentation or Munin homepage
<http://munin-monitoring.org/> for more info.
Copyright (C) 2002-2006 Audun Ytterdal, Jimmy Olsen, Dagfin Ilmari
MansXker, Nicolai Langfeldt
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
This program is released under the GNU General Public License