Xymon Mailing List Archive

BB vs Hobbit: How to get rid of displaying the ps output?

3 messages in this thread

Axel Beckert · Wed, 23 Jan 2008 23:12:00 +0100
Hi,

Found hobbit recently via its new Debian package[1].

  [1] http://packages.debian.org/hobbit

At work we're monitoring nearly 500 machines with BB. The BB server is
due to being replaced with a fresh setup on new hardware, not only
because of performance problems.

So the Debian hobbit package just came right and we would like to
switch from BB to hobbit because of performance _and_ features. :-)

Several of us are currently playing around with hobbit on our private
servers.  We especially love the apt and libs plugins. :-)

Now, after a week or two of using and exploring hobbit we noticed a
few things we liked better with BB. We were able to fix most of them
ourselves via templates and config files.

But there is one thing we wonder if it is configurable or a hardcoded
feature in hobbit. We looked through the docs (web pages as well as
man pages), but didn't find a hint on this question yet, so I
thought, I'll try the list. (The list archive didn't bring up anything
helpful yet. :-)

So here's the question:

Is there a possibility to _not_ show the whole ps output in the procs
details CGI? BB only showed the monitored processes. With hobbit this
page shows the whole ps output. IMHO this is a privacy issue -- even
with a password protection for the CGI scripts -- since the output may
get saved permanently in the history. (I do not want to think about
what happens if the locally configured password protection is found to
not working correctly in a complex enterprise setup...)

In my personal case, the hobbit server runs on a server I share with
friends. Although I do trust them regarding the server, there's no
need for them being able to monitor e.g. which MP3s I'm listening to
at home or which games I play on the laptop. On dialup machines I just
can switch off the hobbit client while gaming or listening MP3s, but
that's no real solution.

On the job it's approximately the same problem, just in a bigger
scale. We monitor a few hundred managed workstations with BB, but we
don't want to keep the old BB client just because of this privacy
issue, especially since the hobbit client would give us a lot of
advantages.

Thanks in advance for any hints on these issues.

P.S.: We're running the 4.2.0 version of hobbit as packaged by Debian
respectively Backports.org.

		Kind regards, Axel Beckert
-- 
Axel Beckert <user-96d9963fe797@xymon.invalid>       support: +41 44 633 2668
IT Support Group, HPR E 86.1              voice:   +41 44 633 4189
Departement Physik, ETH Zurich            fax:     +XX XX XXX XXXX
CH-8093 Zurich, Switzerland		  http://nic.phys.ethz.ch/
Henrik Størner · Wed, 23 Jan 2008 23:47:02 +0100
On Wed, Jan 23, 2008 at 11:12:00PM +0100, Axel Beckert wrote:
> Is there a possibility to _not_ show the whole ps output in the procs
> details CGI? BB only showed the monitored processes. With hobbit this
> page shows the whole ps output.
It can be done for all servers, by adding the "--no-ps-listing" option 
to the hobbitd_client command in hobbitlaunch.cfg . That should do it
for data from Hobbit clients.
> IMHO this is a privacy issue -- even
> with a password protection for the CGI scripts -- since the output may
> get saved permanently in the history.
That's interesting, I hadn't thought about that.

If your client reports data from the "top" utility, then a partial
ps-listing also appears in the "cpu" status column. This cannot be
turned off, currently. It sounds as if it might be a good idea to let
the --no-ps-listing option block this ps listing as well, although the
"top" display (at least on Linux - not sure about other platforms) only
shows the basic command, not commandline options.


Regards,
Henrik
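
The check below is an added example, not part of the thread or of the Hobbit project's code: it reports whether the task that runs hobbitd_client in a hobbitlaunch.cfg carries --no-ps-listing. The sample config (section names, placeholder paths, the hobbitd_channel line) is constructed, and the function names audit_ps_listing and write_samples are hypothetical.

```shell
#!/bin/sh
# Added example: report whether tasks running hobbitd_client carry --no-ps-listing.

# Prints "<section><TAB><ok|exposed>" for every CMD line that runs hobbitd_client.
audit_ps_listing() {
    awk '
        $1 ~ /^#/  { next }                       # comment line
        $1 ~ /^\[/ {                              # [section] header
            sec = $1; sub(/^\[/, "", sec); sub(/\].*$/, "", sec); next
        }
        $1 == "CMD" {
            client = 0; hidden = 0
            for (i = 2; i <= NF; i++) {
                prog = $i; sub(/.*\//, "", prog)  # drop any leading path
                if (prog == "hobbitd_client") client = 1
                if ($i == "--no-ps-listing")  hidden = 1
            }
            if (client) printf "%s\t%s\n", sec, (hidden ? "ok" : "exposed")
        }
    ' "$1"
}

# Constructed sample configs: "before" without the option, "after" with it.
write_samples() {
    cat > "$1/before.cfg" <<'EOF'
# constructed sample, paths are placeholders
[hobbitd]
	ENVFILE /path/to/hobbitserver.cfg
	CMD hobbitd
[clientdata]
	ENVFILE /path/to/hobbitserver.cfg
	NEEDS hobbitd
	CMD hobbitd_channel --channel=client --log=$BBSERVERLOGS/clientdata.log hobbitd_client
EOF
    sed 's/hobbitd_client$/hobbitd_client --no-ps-listing/' \
        "$1/before.cfg" > "$1/after.cfg"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
write_samples "$tmp"
audit_ps_listing "$tmp/before.cfg"   # full ps output would be shown and stored
audit_ps_listing "$tmp/after.cfg"    # ps listing suppressed
```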
Axel Beckert · Thu, 24 Jan 2008 11:12:20 +0100
Hi,

thanks for the prompt answer.

On Wed, Jan 23, 2008 at 11:47:02PM +0100, Henrik Stoerner wrote:
> On Wed, Jan 23, 2008 at 11:12:00PM +0100, Axel Beckert wrote:
>> Is there a possibility to _not_ show the whole ps output in the procs
>> details CGI? BB only showed the monitored processes. With hobbit this
>> page shows the whole ps output.
> It can be done for all servers, by adding the "--no-ps-listing" option
> to the hobbitd_client command in hobbitlaunch.cfg . That should do it
> for data from Hobbit clients.
... which is our main concern. Just tried and it looks exactly as we
wanted it to look, thanks!
>> IMHO this is a privacy issue -- even
>> with a password protection for the CGI scripts -- since the output may
>> get saved permanently in the history.
> That's interesting, I hadn't thought about that.
The data still goes unencrypted over the net, but this is less
concerning in a switched and monitored network (as we have it at
work). For the home usage, I'll play around with some SSL tunneling
tools (crywrap, stunnel, etc.) and if that doesn't work out
I'll have a close look at OpenVPN. (Or is there already a SSL support
between client and server?)

We also disabled the listing of ESTABLISHED connections (we don't need
to monitor them) via adding a "-l" option to netstat in
/usr/lib/hobbit/client/bin/hobbitclient-*.sh. Would be nice (but
definitely not urgent), if this could be configurable on the
server-side, too. (A --no-established-ports-listing or
--list-only-listening-ports option in addition to the
--no-port-listing option of hobbitd_client would be cool.)
> If your client reports data from the "top" utility,
Doesn't seem the case here anywhere. Even the Macs are said to do it
with ps although on our BB they do it with top (of which the parsing
seems to be very ugly... :-)
> then a partial ps-listing also appears in the "cpu" status
> column. This cannot be turned off, currently.
With BB neither.
> It sounds as if it might be a good idea to let the --no-ps-listing
> option block this ps listing as well,
Yeah.
> although the "top" display (at least on Linux - not sure about other
> platforms) only shows the basic command, not commandline options.
Ack. And since the commandline options are mainly a concern to
privacy, top hasn't been seen as privacy issue here with the current
BB installation.

A little bit offtopic, but for those who would like to have a top
which shows the command line options, try htop[1][2]. It's also more
colorful, shows memory, swap and cpu usage as bar and as root it even
shows cpu bars for each single processor (core). :-)

  [1] http://htop.sourceforge.net/
  [2] http://packages.debian.org/htop

	Kind regards and thanks for hobbit, Axel Beckert
-- 
Axel Beckert <user-96d9963fe797@xymon.invalid>       support: +41 44 633 2668
IT Support Group, HPR E 86.1              voice:   +41 44 633 4189
Departement Physik, ETH Zurich            fax:     +XX XX XXX XXXX
CH-8093 Zurich, Switzerland		  http://nic.phys.ethz.ch/