Re: [pcp] access to /proc/pid/maps

To: Martins Innus <minnus@xxxxxxxxxxx>
Subject: Re: [pcp] access to /proc/pid/maps
From: Nathan Scott <nathans@xxxxxxxxxx>
Date: Tue, 2 Jul 2013 20:27:38 -0400 (EDT)
Cc: "Frank Ch. Eigler" <fche@xxxxxxxxxx>, pcp@xxxxxxxxxxx

----- Original Message -----
> 
> The impending default solution to this is the pmcd
> authenticated-connection mode, wherein a pcp client can forward user
> identity to pmcd, after which the pmda-linux code can setuid to that
> user temporarily to service proc requests. The new AF_UNIX pmcd
> transport will pass credentials automatically. That should handle
> users being able to monitor their own processes, or root monitoring
> everyone, without having to run pmcd itself as root.
> 
> - FChE
> 
> Ok, that sounds good. So I could run pmlogger as root and collect information
> for all processes when this is implemented?

You would need to allow pmlogger (which runs as "pcp" user) to authenticate as
"root" if you'd like to be able to query values (and record) all processes.  How
that would be achieved would depend on the authentication mechanism used, which
is handled by SASL and configured outside of pmcd.

As a general rule, it's not a good idea to record all processes ... and the maps
metric in particular is huge.  There are better potential solutions, like having
a PMDA which tracks only processes of interest (custom PMDA), or the process(es)
of interest could be cgroup-controlled, and the cgroup metrics (in the linux_proc
PMDA) could be extended with the maps information.  Lot of "could be"s there -
this remains an area of on-going work and experimentation I think.

If you have an immediate need however, you can still install the Linux proc PMDA
(which runs as root, separate to pmcd); it is just not default-installed anymore
due to the information-exposure concern.

cheers.

--
Nathan
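
Added example (not part of the original message, and not PCP code): a Linux sketch of how a daemon can read the kernel-verified uid of an AF_UNIX client with SO_PEERCRED and apply the "own processes, or root for everyone" rule from the thread. It uses a plain uid comparison against the owner of /proc/<pid> instead of the temporary setuid described above; the function names are hypothetical.

```c
#define _GNU_SOURCE /* struct ucred and SO_PEERCRED are Linux-specific */
#include <stdio.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: kernel-supplied uid of the peer on an AF_UNIX socket. */
static int peer_uid(int fd, uid_t *uid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0 || len != sizeof(cred))
        return -1;
    *uid = cred.uid;
    return 0;
}

/* Hypothetical helper: owner of /proc/<pid> (root if the target is not dumpable). */
static int proc_owner(pid_t pid, uid_t *uid)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof(path), "/proc/%ld", (long)pid);
    if (stat(path, &st) != 0)
        return -1;
    *uid = st.st_uid;
    return 0;
}

/* Policy stated in the thread: root may monitor everyone, users only themselves. */
static int may_monitor(uid_t requester, uid_t owner) { return requester == 0 || requester == owner; }

/* Fail closed: a failed credential or owner lookup denies the request. */
static int request_allowed(int client_fd, pid_t target)
{
    uid_t who, owner;
    if (peer_uid(client_fd, &who) != 0 || proc_owner(target, &owner) != 0)
        return 0;
    return may_monitor(who, owner);
}

int main(void)
{
    int sv[2]; /* constructed stand-in for a client connection */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    printf("own pid allowed: %d\n", request_allowed(sv[0], getpid()));
    return 0;
}
```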
