wiki:MuninConfigurationNetworkTLS
  This article refers to version 1.4 of Munin. TLS functionality is not available in Munin 1.2.

TLS setup

Attention: Content of this page should be moved to the Munin-Guide --> Visit the Guide now.

If your Munin installations resides in a hostile network environment, or if you just don't want anyone passing by with a network sniffer to know the CPU load of your Munin nodes, a quick solution is to enable Munin's built-in Transport Layer Security (TLS) support. Other tricks involve using SSH tunnels and key logins, methods "outside of" Munin.

My test setup consists of two servers, "Aquarium" and "Laudanum" (the Norwegian names of two of the Roman fortifications outside the village of Asterix the Gaul). Laudanum is a Munin master and Aquarium is a Munin slave.

Requirements

In order for this to work you need the Perl package Net::SSLEay available. If you are running Debian or Ubuntu this is available in the package libnet-ssleay-perl

Non-paranoid TLS setup

This first setup will only provide TLS encrypted communication, not a complete verification of certificate chains. This means that the communication will be encrypted, but that anyone with a certificate, even an invalid one, will be able to talk to the node.

First of all, you must create an x509 key and certificate pair. That is somewhat outside the scope of this howto (it should be inside the scope, if anyone is willing to include the needed openssl commands and commentary that would be good -janl), but these links explain it in detail. On my Debian system, I installed the ssl-cert package and created a dummy key/certificate pair, installed as ssl-cert-snakeoil.key and ssl-cert-snakeoil.pem. Both files are moved to Munin's configuration directory. Please note that the permissions on the key file must be restrictive, e.g. chmod 700.

On the Munin master

To make munin-update on Laudanum do TLS enabled requests, add the following to munin.conf:

tls enabled
tls_verify_certificate no
tls_private_key /etc/ssl/private/ssl-cert-snakeoil.key
tls_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem

And, believe it or not, that's actually it on the Munin-master side. If we run munin-update? now, we see that the traffic is now encrypted after the command STARTTLS has been issued.

On the Munin node

Even though we've now asked the Munin master to perform all its requests in TLS mode, but anyone can still request data from the Munin node in plain text. So how should we restrict that? Well, that's quite simple as well! Add the following lines to munin-node.conf, replacing the paths to the certificate and key as appropriate for your server. Don't forget to restart the munin-node process afterwards.

tls enabled
tls_verify_certificate no
tls_private_key /etc/ssl/private/ssl-cert-snakeoil.key
tls_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem

This will let munin-node accept TLS encrypted communication, but will not check the validity of the certificate presented.

Now, when we try to pump the Munin node for information without starting TLS, this is what happens:

laudanum:~# telnet 192.168.1.163 4949
Trying 192.168.1.163...
Connected to 192.168.1.163.
Escape character is '^]'.
# munin node at aquarium
list
# I require TLS. Closing.
Connection closed by foreign host.
laudanum:~# 

TLS configuration with complete certificate chain

If we switch to a stricter mode, munin-node will only accept update requests from a master presenting a certificate signed by the same CA as its own certificate.

For this setup, I used the tools provided with OpenSSL to create a CA (Certificate Authority) and one certificate per server signed by the same CA. Creating your own CA should be more that sufficient, unless you really want to spend money on certificates from a real CA. Remember that the "common name" of the server certificate must be the host's fully qualified domain name as it is known in DNS.

The TLS directives are the same on both master and node. This setup requires that both key/cert pairs are signed by the same CA, and the CA certificate must be distributed to each Munin node. Also note that the passphrase protection must be removed from the keys so that the munin-update? and munin-node processes won't require manual intervention every time they start.

On the Munin master

This extract is from munin.conf on the master, "Laudanum":

tls paranoid
tls_verify_certificate yes
tls_private_key /etc/opt/munin/laudanum.key.pem
tls_certificate /etc/opt/munin/laudanum.crt.pem
tls_ca_certificate /etc/opt/munin/cacert.pem
tls_verify_depth 5

On the Munin node

This extract is from munin-node.conf on the node, "Aquarium":

tls paranoid
tls_verify_certificate yes
tls_private_key /etc/opt/munin/aquarium.key.pem
tls_certificate /etc/opt/munin/aquarium.crt.pem
tls_ca_certificate /etc/opt/munin/cacert.pem
tls_verify_depth 5

What to expect in the logs

Note that log contents have been formatted for readability.

In munin-update.log (in versions above 1.4.4, the TLS lines only show up in debug mode):

Starting munin-update
Processing domain: aquarium
Processing node: aquarium
Processed node: aquarium (0.05 sec)
Processed domain: aquarium (0.05 sec)
[TLS] TLS enabled.
[TLS] Cipher `AES256-SHA'.
[TLS] client cert:
    Subject Name: /C=NO/ST=Oslo/O=Example/CN=aquarium.example.com/emailAddress=bjorn@example.com\n
    Issuer  Name: /C=NO/ST=Oslo/O=Example/CN=CA master/emailAddress=bjorn@example.com
Configured node: aquarium (0.07 sec)
Fetched node: aquarium (0.00 sec)
connection from aquarium -> aquarium (31405)
connection from aquarium -> aquarium (31405) closed
Munin-update finished (0.14 sec)

In munin-node.log, something like will show up (in versions above 1.4.4, the TLS lines only show up in debug mode):

CONNECT TCP Peer: "192.168.1.161:2104" Local: "192.168.1.163:4949"
TLS Notice: TLS enabled.
TLS Notice: Cipher `AES256-SHA'.
TLS Notice: client cert:
    Subject Name: /C=NO/ST=Oslo/O=Example/CN=laudanum.example.com/emailAddress=bjorn@example.com\n
    Issuer  Name: /C=NO/ST=Oslo/O=Example/CN=CA master/emailAddress=bjorn@example.com

Selective TLS

If you want to run munin-node on the Munin master server, you shouldn't need to enable TLS for that connection as one can usually trust localhost connections. Likewise, if some of the nodes are on a trusted network they probably won't need TLS. In Munin, TLS is enabled on a per node basis.

The node definitions in munin.conf on Laudanum looks like this, note tls disabled for localhost communication.

[Group;laudanum]
        address 127.0.0.1
        use_node_name yes
        tls disabled

[Group;aquarium]
        address 192.168.1.163
        use_node_name yes

From the source code, it seems you can even use different certificates for different hosts. This, however, has not been tested for the purpose of this article.

Last modified at 2016-10-15T16:11:04+02:00 Last modified on 2016-10-15T16:11:04+02:00