puppet: Use existing autossh tunnels as OpenSSH "master" sockets.

A number of autossh connections are already left open for
port-forwarding Munin ports; autossh starts the connections and
ensures that they are automatically restarted if they are severed.

However, this represents a missed opportunity.  Nagios's monitoring
uses a large number of SSH connections to the remote hosts to run
commands on them; each of these connections requires doing a complete
SSH handshake and authentication, which can have non-trivial network
latency, particularly for hosts which may be located far away, in a
network topology sense (up to 1s for a no-op command!).

Use OpenSSH's ability to multiplex multiple connections over a single
socket, to reuse the already-established connection.  We leave an
explicit `ControlMaster no` in the general configuration, and not
`auto`, as we do not wish any of the short-lived Nagios connections to
get promoted to being a control socket if the autossh is not running
for some reason.

We enable protocol-level keepalives, to give a better chance of the
socket being kept open.
Alex Vandiver
2022-11-01 15:04:16 -04:00
committed by Tim Abbott
parent e05a0dcf98
commit 42f84a8cc7
3 changed files with 15 additions and 1 deletions

View File

@@ -0,0 +1,6 @@
Host *
ControlMaster no
ControlPath /tmp/ssh-%C
ServerAliveInterval 30
ServerAliveCountMax 3
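Review bot: `ControlPath /tmp/ssh-%C` places the multiplexing socket in a world-writable directory; the ssh_config manual recommends a ControlPath in a directory not writable by other users, so a path under the nagios user's own home (for example `~/.ssh/ctl-%C`, or a nagios-owned directory below /var/lib/nagios) would be the safer default. The rest of the file matches the intent stated in the commit message: with `ControlMaster no` and a ControlPath set, a short-lived client uses the socket if one is listening and otherwise falls back to a normal connection without ever becoming a master, and `ServerAliveInterval 30` with `ServerAliveCountMax 3` means a dead master is noticed within about 90 seconds. Since nothing in the file itself says why `ControlMaster` is `no` while a ControlPath is configured, a one-line comment noting that the autossh munin tunnels own the master sockets would help the next reader.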

View File

@@ -140,6 +140,14 @@ class zulip_ops::profile::nagios {
require => File['/var/lib/nagios'], require => File['/var/lib/nagios'],
} }
file { '/var/lib/nagios/.ssh/config':
ensure => file,
mode => '0644',
owner => 'nagios',
group => 'nagios',
source => 'puppet:///modules/zulip_ops/nagios_ssh_config',
}
# Disable apparmor for msmtp so it can read the above config file # Disable apparmor for msmtp so it can read the above config file
file { '/etc/apparmor.d/disable/usr.bin.msmtp': file { '/etc/apparmor.d/disable/usr.bin.msmtp':
ensure => link, ensure => link,
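Review bot: the new `file { '/var/lib/nagios/.ssh/config': ... }` resource declares no dependency on its parent directory, unlike the neighbouring resource that carries `require => File['/var/lib/nagios']`; Puppet autorequires the parent only when `/var/lib/nagios/.ssh` is itself a managed File resource, so either add the same `require` or manage the `.ssh` directory here with `ensure => directory` and nagios ownership. Because the munin-tunnel autossh commands depend on the `ControlPath` this file provides, a `notify` on the supervisor programs (or a `subscribe` on their side) would restart the tunnels when the config changes and keep master and clients in agreement. `mode => '0644'` is acceptable: ssh only requires `~/.ssh/config` to be owned by the user and not writable by group or others, which nagios ownership with 0644 satisfies, though `0600` would match the conventions of the rest of `~/.ssh`.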

View File

@@ -5,7 +5,7 @@ i = 0
@hosts.each do |host| @hosts.each do |host|
-%> -%>
[program:munin-tunnel-<%= host %>] [program:munin-tunnel-<%= host %>]
command=autossh -N -M <%= 20000 + 2 * i %> -L <%= 5000 + i %>:localhost:4949 nagios@<%= host %><% unless host.include?(".") %>.<%= @default_host_domain %><% end %> command=autossh -N -M <%= 20000 + 2 * i %> -L <%= 5000 + i %>:localhost:4949 -o ControlMaster=yes nagios@<%= host %><% unless host.include?(".") %>.<%= @default_host_domain %><% end %>
priority=200 ; the relative start priority (default 999) priority=200 ; the relative start priority (default 999)
autostart=true ; start at supervisord start (default: true) autostart=true ; start at supervisord start (default: true)
autorestart=true ; whether/when to restart (default: unexpected) autorestart=true ; whether/when to restart (default: unexpected)
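Review bot: `-o ControlMaster=yes` is added without a matching `-o ControlPath=...`, so the tunnel only becomes a usable master if the autossh process runs as the local `nagios` user and therefore reads the `ControlPath` from /var/lib/nagios/.ssh/config; the visible program block sets no `user=`, so either confirm supervisor runs these programs as nagios or pass `-o ControlPath=/tmp/ssh-%C` explicitly next to `ControlMaster=yes`. Note also that `%C` is a hash of the local host, remote host, port and user, so the hostname written here (`<host>.<default_host_domain>` when `host` has no dot) must be byte-identical to the hostname the Nagios check commands use, or the clients will compute a different socket path and silently open full connections; `ssh -G nagios@<host> | grep -i controlpath` on the Nagios host shows the resolved path for each spelling. A trailing `; ...` comment on the command line, in the same style as the lines below, explaining that the tunnel doubles as the multiplexing master would document the coupling.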