Examples for ssh transport¶
Using the ssh transport for munin is a very powerful way to reach hard to reach nodes in a secure and well understood way.
Using SSH transport¶
For a host that you can only reach via ssh (because firewall, or because you don’t want to expose munin-node on the network, only to localhost) Munin can use SSH directly like this:
- address ssh://mail.site2.example.org -W localhost:4949
This makes munin use the ssh terminal connection as a network socket. The “address” line bunces the ssh terminal connection to the munin-node port on the remote host.
If you can reach the node via some bastion or bounce host a similar command can be used:
- address ssh://bastion.site2.example.org -W mail.site2.example.org:4949
This will make munin first ssh into bastion.site2.example.org, and then from there connect the munin-node port (4949) on mail.site2.example.org.
You will need to configure ssh to allow these connections.
Options for the ssh:// transport can be added to .ssh/config in the home directory of the munin user.
The available options are available with man ssh_config. Here are some examples.
SSH has the option of compressing the data transport. To add compression to all SSH connections:
Host * Compression yes
If you have a lot of nodes, you will reduce data traffic by spending more CPU time. See also the CompressionLevel setting from the ssh_config man page.
Connecting through a Proxy¶
By using the ProxyCommand SSH option, you can connect with ssh via a jump host, and reach munin-node instances which are not available directly from the munin master:
Host *.customer.example.com !proxy.customer.example.com ProxyCommand ssh -W %h:%p proxy.customer.example.com
This will make all connections to host ending with .customer.example.com, connect through proxy.customer.example.com, with an exemption for the proxy host itself.
Note: If you use Compression, try not to compress data twice. Disable compression for the proxied connections with Compression no.
Re-using SSH connections¶
If you connect to a host often, you can re-use the SSH connection instead. This is a good example to combine with the Connecting through a proxy and the Compression examples:
Host proxy.customer.example.com ControlMaster auto ControlPath /run/munin/ssh.%h_%p_%r ControlPersist 360 TCPKeepAlive yes ServerAliveInterval 60
This will keep a long-lived SSH connection open to proxy.customer.example.com, it will be re-used for all connections. The SSH options TCPKeepAlive and ServerAliveInterval are added to detect and restart a dropped connection on demand.