BB vs Hobbit: How to get rid of displaying the ps output?
Hi,
Found hobbit recently via its new Debian package[1].
[1] http://packages.debian.org/hobbit
At work we're monitoring nearly 500 machines with BB. The BB server is due to be replaced with a fresh setup on new hardware, not only because of performance problems.
So the Debian hobbit package just came right and we would like to switch from BB to hobbit because of performance _and_ features. :-)
Several of us are currently playing around with hobbit on our private servers. We especially love the apt and libs plugins. :-)
Now, after a week or two of using and exploring hobbit we noticed a few things we liked better with BB. We were able to fix most of them ourselves via templates and config files.
But there is one thing we wonder if it is configurable or a hardcoded feature in hobbit. We looked through the docs (web pages as well as man pages), but didn't find a hint on this question yet, so I thought, I'll try the list. (The list archive didn't bring up anything helpful yet. :-)
So here's the question:
Is there a possibility to _not_ show the whole ps output in the procs details CGI? BB only showed the monitored processes. With hobbit this page shows the whole ps output. IMHO this is a privacy issue -- even with a password protection for the CGI scripts -- since the output may get saved permanently in the history. (I do not want to think about what happens if the locally configured password protection is found to not be working correctly in a complex enterprise setup...)
In my personal case, the hobbit server runs on a server I share with friends. Although I do trust them regarding the server, there's no need for them being able to monitor e.g. which MP3s I'm listening to at home or which games I play on the laptop. On dialup machines I just can switch off the hobbit client while gaming or listening MP3s, but that's no real solution.
On the job it's approximately the same problem, just in a bigger scale. We monitor a few hundred managed workstations with BB, but we don't want to keep the old BB client just because of this privacy issue, especially since the hobbit client would give us a lot of advantages.
Thanks in advance for any hints on these issues.
P.S.: We're running the 4.2.0 version of hobbit as packaged by Debian respectively Backports.org.
Kind regards, Axel Beckert
--
Axel Beckert <beckert at phys.ethz.ch>       support: +41 44 633 2668
IT Support Group, HPR E 86.1                voice:   +41 44 633 4189
Departement Physik, ETH Zurich              fax:     +41 44 633 1239
CH-8093 Zurich, Switzerland                 http://nic.phys.ethz.ch/
On Wed, Jan 23, 2008 at 11:12:00PM +0100, Axel Beckert wrote:
> Is there a possibility to _not_ show the whole ps output in the procs details CGI? BB only showed the monitored processes. With hobbit this page shows the whole ps output.
It can be done for all servers, by adding the "--no-ps-listing" option to the hobbitd_client command in hobbitlaunch.cfg . That should do it for data from Hobbit clients.
> IMHO this is a privacy issue -- even with a password protection for the CGI scripts -- since the output may get saved permanently in the history.
That's interesting, I hadn't thought about that.
If your client reports data from the "top" utility, then a partial ps-listing also appears in the "cpu" status column. This cannot be turned off, currently. It sounds as if it might be a good idea to let the --no-ps-listing option block this ps listing as well, although the "top" display (at least on Linux - not sure about other platforms) only shows the basic command, not commandline options.
Regards, Henrik
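A check for the setting described in the reply above, as an added example that is not part of the original thread or Hobbit's own code: it reads a hobbitlaunch.cfg-style file on stdin and reports whether each hobbitd_client command carries --no-ps-listing. The sample config is constructed with placeholder paths, and the script assumes the option only counts when it follows the hobbitd_client worker name, since arguments before it are read by hobbitd_channel.

```shell
#!/bin/sh
# Constructed sample of a hobbitlaunch.cfg section; paths are placeholders.
# $1 = extra options appended to the hobbitd_client worker command.
sample_cfg() {
    cat <<EOF
[clientdata]
	ENVFILE /path/to/hobbitserver.cfg
	NEEDS hobbitd
	CMD hobbitd_channel --channel=client --log=/path/to/clientdata.log hobbitd_client $1
EOF
}

# Reads a hobbitlaunch.cfg-style file on stdin.
# Exit 0: every hobbitd_client command hides the ps listing.
# Exit 1: at least one still exposes the full ps output.
# Exit 2: no hobbitd_client command found (wrong file?).
check_ps_listing() {
    awk '
        /^[ \t]*#/  { next }               # ignore comment lines
        /^[ \t]*\[/ { section = $1 }        # remember the current [section]
        $1 == "CMD" {
            worker = 0; hidden = 0
            for (i = 2; i <= NF; i++) {
                # Assumption: only options after the worker name reach
                # hobbitd_client; earlier ones belong to hobbitd_channel.
                if ($i ~ /(^|\/)hobbitd_client$/) worker = i
                else if (worker && $i == "--no-ps-listing") hidden = 1
            }
            if (!worker) next
            found = 1
            if (hidden) printf "OK   %s line %d\n", section, NR
            else { printf "LEAK %s line %d: full ps listing shown\n", section, NR; bad = 1 }
        }
        END { if (!found) exit 2; exit (bad ? 1 : 0) }
    '
}

# Demo on the constructed sample: default command, then the hardened one.
sample_cfg "" | check_ps_listing || echo "exit status $?"
sample_cfg "--no-ps-listing" | check_ps_listing
```

Against a real installation, feed it the server's own file: `check_ps_listing < hobbitlaunch.cfg`.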
Hi,
thanks for the prompt answer.
On Wed, Jan 23, 2008 at 11:47:02PM +0100, Henrik Stoerner wrote:
> On Wed, Jan 23, 2008 at 11:12:00PM +0100, Axel Beckert wrote:
> > Is there a possibility to _not_ show the whole ps output in the procs details CGI? BB only showed the monitored processes. With hobbit this page shows the whole ps output.
> It can be done for all servers, by adding the "--no-ps-listing" option to the hobbitd_client command in hobbitlaunch.cfg . That should do it for data from Hobbit clients.
... which is our main concern. Just tried and it looks exactly as we wanted it to look, thanks!
> > IMHO this is a privacy issue -- even with a password protection for the CGI scripts -- since the output may get saved permanently in the history.
> That's interesting, I hadn't thought about that.
The data still goes unencrypted over the net, but this is less concerning in a switched and monitored network (as we have it at work). For the home usage, I'll play around with some SSL tunneling tools (crywrap, stunnel, etc.) and if that doesn't work out I'll have a close look at OpenVPN. (Or is there already an SSL support between client and server?)
We also disabled the listing of ESTABLISHED connections (we don't need to monitor them) via adding a "-l" option to netstat in /usr/lib/hobbit/client/bin/hobbitclient-*.sh. Would be nice (but definitely not urgent), if this could be configurable on the server-side, too. (A --no-established-ports-listing or --list-only-listening-ports option in addition to the --no-port-listing option of hobbitd_client would be cool.)
> If your client reports data from the "top" utility,
Doesn't seem the case here anywhere. Even the Macs are said to do it with ps although on our BB they do it with top (of which the parsing seems to be very ugly... :-)
> then a partial ps-listing also appears in the "cpu" status column. This cannot be turned off, currently.
With BB neither.
> It sounds as if it might be a good idea to let the --no-ps-listing option block this ps listing as well,
Yeah.
> although the "top" display (at least on Linux - not sure about other platforms) only shows the basic command, not commandline options.
Ack. And since the commandline options are mainly a concern to privacy, top hasn't been seen as privacy issue here with the current BB installation.
A little bit offtopic, but for those who would like to have a top which shows the command line options, try htop[1][2]. It's also more colorful, shows memory, swap and cpu usage as bar and as root it even shows cpu bars for each single processor (core). :-)
[1] http://htop.sourceforge.net/ [2] http://packages.debian.org/htop
Kind regards and thanks for hobbit, Axel Beckert