munin-node.conf - Man Page

Munin-node configuration file

Description

munin-node.conf is the configuration file for munin-node, the agent that Munin fetches data from.

The format is dictated by the use of Net::Server. A look at perldoc Net::Server will give a list of options that the file supports by using the module.  This page mainly covers the Munin-specific extensions.

The following options are of special interest:

allow RE

This implements an IP-based access list. The statement may be repeated many times.  Note that the argument after the keyword is a regular expression, so to allow localhost it must be written like this:

      allow ^127\.0\.0\.1$

cidr_allow NETWORK/MASK

An alternative to allow RE.  This allows the access list to be specified in CIDR format.  For instance, cidr_allow 192.0.2.0/24 would allow connections from any IP from 192.0.2.1 to 192.0.2.254.

cidr_allow 127.0.0.1/32 is equivalent to the allow example above.  Note that the netmask must always be provided, even when it is just /32.

This option requires that the Net::CIDR Perl module be installed.
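
The difference between a loose allow regex, an anchored one, and cidr_allow can be checked before deployment. The following is an added example, not part of the Munin documentation or code: it assumes the allow regex is applied as an unanchored search against the peer address (modelled here with Python's re.search), and the function names, the sample configuration and the probe addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample access list; only the first and last lines echo the page.
SAMPLE_CONF = r"""
allow ^127\.0\.0\.1$
allow 10.0.0.1
cidr_allow 192.0.2.0/24
"""

# Constructed peer addresses to test each directive against.
PROBES = ["110.0.0.1", "10.0.0.10", "10.0.0.1",
          "127.0.0.1", "192.0.2.77", "198.51.100.5"]


def audit_allow(pattern):
    """Return lint findings for the regex of one 'allow' directive."""
    findings = []
    if not pattern.startswith("^"):
        findings.append("no leading ^ anchor")
    if not pattern.endswith("$"):
        findings.append("no trailing $ anchor")
    # A dot not preceded by a backslash matches any character.
    if re.search(r"(?<!\\)\.", pattern):
        findings.append("unescaped dot")
    return findings


def audit_conf(text, probes=PROBES):
    """Map each access directive to (findings, probe addresses it admits)."""
    report = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0], parts[1].strip()
        if key == "allow":
            # Assumption: the regex is searched anywhere in the peer address.
            hits = [p for p in probes if re.search(value, p)]
            report[f"{key} {value}"] = (audit_allow(value), hits)
        elif key == "cidr_allow":
            net = ipaddress.ip_network(value)
            hits = [p for p in probes if ipaddress.ip_address(p) in net]
            report[f"{key} {value}"] = ([], hits)
    return report


if __name__ == "__main__":
    for directive, (findings, hits) in audit_conf(SAMPLE_CONF).items():
        print(f"{directive}: findings={findings} admits={hits}")
```

The unanchored allow 10.0.0.1 admits 110.0.0.1 and 10.0.0.10 as well as the intended host, while the anchored regex and the CIDR form admit only the addresses they name.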

host IP

The IP address of the interface munin-node should listen on.  By default munin-node listens on all interfaces.  To make munin-node listen only on the localhost interface, making it unavailable from the network, do this:

      host 127.0.0.1

Additional options

host_name <host>

If set, overrides the hostname munin-node uses in its 'hello'-negotiation with munin. A "telnet localhost 4949" will show the hostname munin-node is currently using. If munin-node and the main munin installation do not agree on the hostname, munin will skip all the plugins of the machine in question.

paranoia <yes|no|true|false|on|off|1|0>

If set, checks permissions of plugin files, and only tries to run files owned by root. Default on.

ignore_file <regex>

Files matching <regex> in the node.d/ and node-conf.d/ directories will be overlooked.

tls <value>

Can have four values: paranoid, enabled, auto, and disabled.  Paranoid and enabled require a TLS connection, while disabled will not attempt one at all.

The current default is disabled because auto is broken.  Auto causes bad interaction between munin-update and munin-node if the node is unprepared to go to TLS.

If you see data dropouts (gaps in graphs) please try to disable TLS.

tls_verify_certificate <value>

This directive can be yes or no.  It determines if the remote certificate needs to be signed by a CA that is known locally.  Default is no.

tls_private_key <value>

This directive sets the location of the private key to be used for TLS.  Default is /etc/munin/munin-node.pem.  The private key and certificate can be stored in the same file.

tls_certificate <value>

This directive sets the location of the certificate to be used for TLS.  Default is /etc/munin/munin-node.pem.  The private key and certificate can be stored in the same file.

tls_ca_certificate <value>

This directive sets the CA certificate to be used to verify the node's certificate, if tls_verify_certificate is set to yes.  Default is /etc/munin/cacert.pem.

tls_verify_depth <value>

This directive sets how many signings up a chain of signatures TLS is willing to go to reach a known, trusted CA when verifying a certificate.  Default is 5.

tls_match <value>

This directive, if defined, searches a dump of the certificate provided by the remote host for the given regex.  The dump of the certificate is two lines of the form:

        Subject Name: /C=c/ST=st/L=l/O=o/OU=ou/CN=cn/emailAddress=email
        Issuer  Name: /C=c/ST=st/O=o/OU=ou/CN=cn/emailAddress=email

So, for example, one could match the subject distinguished name by the directive:

        tls_match Subject Name: /C=c/ST=st/L=l/O=o/OU=ou/CN=cn/emailAddress=email

Note that the fields are dumped in the order they appear in the certificate. It's best to view the dump of the certificate by running munin-update in debug mode and reviewing the logs.

Unfortunately, due to the limited functionality of the SSL module in use, it is not possible to provide finer-grained filtering.  By default this value is not defined.

Example

A pretty normal configuration file:

        log_level 4
        log_file /var/log/munin/munin-node.log
        port 4949
        pid_file /var/run/munin-node.pid
        background 1
        setsid 1

        host *
        user root
        group root
        setsid yes

        ignore_file \.bak$
        ignore_file \.rpm(save|new)$
        ignore_file ^README$

        allow ^127\.0\.0\.1$

        ignore_file \.dpkg-(old|new)$
        ignore_file \.rpm(save|new)$

See the documentation or Munin homepage <http://munin-monitoring.org/> for more info.

Authors

Jimmy Olsen.

Info

2024-01-25 2.0.75 Munin Documentation