Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Monitor awsarm through SSH #37

Merged
merged 1 commit into from
Dec 13, 2023
Merged

Monitor awsarm through SSH #37

merged 1 commit into from
Dec 13, 2023

Conversation

joinemm
Copy link
Collaborator

@joinemm joinemm commented Dec 12, 2023

sshified can be used to proxy prometheus metrics through ssh connection, meaning we do not have to open any ports to the world.

This PR adds a derivation to build sshified, a systemd service to run it, and the necessary ssh configuration to scrape metrics from awsarm.

Also added documentation that tells how to add new monitored targets, with either ssh or http authentication, though there are no more targets that are using http basic auth.

@joinemm joinemm requested review from henrirosten and a team December 12, 2023 14:25
henrirosten
henrirosten previously approved these changes Dec 13, 2023
View reviewed changes
Copy link
Collaborator

@henrirosten henrirosten left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me.
One item we possibly might want to simplify in a a follow-up PR:
I think we do not necessarily need the sshified but similar ssh tunnelling setup could be established using just ssh with option -L (or possibly -D). Or did you trial this already?

hosts/binarycache/configuration.nix Outdated Show resolved Hide resolved
@joinemm
Copy link
Collaborator Author

joinemm commented Dec 13, 2023

@henrirosten ssh -L works but the problem is we would have to keep the ssh tunnel open indefinitely, which is not very reliable. sshified on the other hand opens a new ssh connection for each request.

@joinemm joinemm requested a review from henrirosten December 13, 2023 09:21
tervis-unikie
tervis-unikie reviewed Dec 13, 2023
View reviewed changes
Copy link
Contributor

@tervis-unikie tervis-unikie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please make sure that the sshfied user on awsarm only has the permissions absolutely necessary for this to work.

docs/monitoring-server.md Show resolved Hide resolved
@joinemm
Copy link
Collaborator Author

joinemm commented Dec 13, 2023

@tervis-unikie sshified user has whatever is default permissions when using adduser. Should something be restricted?

@tervis-unikie
Copy link
Contributor

@tervis-unikie sshified user has whatever is default permissions when using adduser. Should something be restricted?

Then the user can do whatever a normal user can do, which for the purpose of sshfied is excessive.
This account could be set into a limited chroot environment for example.
But anyway, this is not a matter of this PR, just noting this...

@joinemm joinemm merged commit 0ff3df8 into main Dec 13, 2023
1 check passed
@joinemm joinemm deleted the metrics-basic-auth branch December 13, 2023 10:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tervis-unikie tervis-unikie tervis-unikie left review comments

@henrirosten henrirosten henrirosten approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@joinemm @tervis-unikie @henrirosten