netdata 1.5 released - big update!
-
@scottalanmiller So none of your clients have site-to-site VPNs? Not for printers? Not for legacy applications? What's terrible about opening the port for the webUI to local machines? I could see forwarding the port to the open world to be questionable for security since this is such a new product.
-
@cgunzelman said in netdata 1.5 released - big update!:
@scottalanmiller So none of your clients have site-to-site VPNs? Not for printers? Not for legacy applications? What's terrible about opening the port for the webUI to local machines? I could see forwarding the port to the open world to be questionable for security since this is such a new product.
None use site to site for everything, which is what would be required. Some site to site would not solve the issue, only total site to site. And no, none have that.
Our customers specifically are even less likely to have it as VPNs are an extension of LAN security and we generally, but not always, move away from that. We very rarely implement it and more often than not remove it (slowly, over time as things are replaced.)
The only issue with opening the port on local machines is that you are investing in trusting your LAN. Your network design requires that the LAN be a trusted location, which it might be today, but it's technical debt based on that design. The issue that all of us commenting have, and all of our customers have, is that they don't have fully trusted LANs for their servers. They might have some or none, but none have full. Without full, this can be used on some servers, but rarely the important ones. Unless we build out a complex security infrastructure of our own to support it.
-
@cgunzelman said in netdata 1.5 released - big update!:
I could see forwarding the port to the open world to be questionable for security since this is such a new product.
There is no authentication, so even if the product was old and battle tested, it would still expose your data to the outside. Assuming I trust the product 100% to do what it is supposed to do, that still wouldn't work. And I'm not doubting the creators did an excellent job, I'm sure they did and it looks like an amazing product that just doesn't fit a need that I can imagine having today.
-
It's like a crazy awesome mouse trap, but none of us have mice
-
I've been using it to monitor a new firewall distribution that we have been testing for a few months now. It's great for real-time data collection, seeing everything in one neat package.
If you want authentication, use a mainstream webserver instead of the built-in. It says so right there in the wiki.
You may not have a need for it in the small business world (MSP I assume) but to others with specialized projects or need realtime monitoring on a simple and easy-to-read dashboard, it's perfect.
-
What I pointed out above is, what I believe, that every business I know requires in this kind of monitoring. Some may not need all of this, but these are the points that are important:
- Centralized viewing
- Security
- Data collection away from the source device
- Historical viewing
Outside of Wall St trading applications, where the overhead of this is likely out of the question, I don't know of anyone needing the level of detail here so the selling point seems empty. But it misses all four needs that they do have in the real world. It might be an amazing top replacement, but I already have top implemented and with full security built in. This does allow you to use DevOps tools and avoid logging in for top, so that's nice. But it introduces so many security complications that it's hard to see that that is offset by that one thing.
-
@cgunzelman said in netdata 1.5 released - big update!:
If you want authentication, use a mainstream webserver instead of the built-in. It says so right there in the wiki.
Sure, but we want a central, managed authentication system for all of the hosts. Implementing that security on hundreds of servers individually isn't practical or really safe. Someone quits, you have to manually update every server. Sure, if you are pushing that out with DevOps tools it is only so bad. Most companies aren't there yet, though.
-
@cgunzelman said in netdata 1.5 released - big update!:
You may not have a need for it in the small business world (MSP I assume) but to others with specialized projects or need realtime monitoring on a simple and easy-to-read dashboard, it's perfect.
I can see that, but seems very niche. I've worked in that world and tools like this would not have been easily allowed. What kinds of apps are you managing that do real time work? I had a tonne of that in financial trading, but only there.
-
If these users are installing the agent manually on thousands of machines, they are overworking themselves. Automation is the modern way of doing things.
I plan on monitoring routers with it. Routers that customer service reps will need to know the status of at the drop of a hat when dealing with customers relying on them for internet links.
-
@cgunzelman said in netdata 1.5 released - big update!:
I plan on monitoring routers with it. Routers that customer service reps will need to know the status of at the drop of a hat when dealing with customers relying on them for internet links.
That's a more interesting use case. Although "instant" view and real time are very different. Real time is that it is showing you what is happening as it happens. We already have instant views with other tools, Grafana for example. Real time does apply on routers, but humans can't really view packet load in real time, it's too fast. I assume that all of the routers are already on the Internet so the exposure is simple?
-
@scottalanmiller They have a management VLAN which customer service reps have access to.
-
@cgunzelman said in netdata 1.5 released - big update!:
@scottalanmiller They have a management VLAN which customer service reps have access to.
So it is external, but they VPN to the VLAN, then have one console per customer?
-
@hobbit666 you install it everywhere - it is a "smarter" agent.
-
@hobbit666 there is no multi-server overview. It is a real-time performance monitoring tool. Its purpose is to provide over the web real-time information about the metrics of each server. It is not a statistics tool.
-
@scottalanmiller if you need authentication you can run it behind another web server, like nginx or apache.
-
@scottalanmiller it is a completely different purpose. With all other monitoring solutions you get "statistics of past performance" and that's it.
With netdata you get real-time insights of everything happening in the system and its applications. And when I say everything I really mean it: everything.
My goal was not to design a prettier munin, nagios, zabbix, smokeping, etc. There are very nice tools (I really like them), but they completely fail to provide the right information.
Check for example this: https://github.com/firehol/netdata/wiki/Linux-console-tools%2C-fail-to-report-per-process-CPU-usage-properly - even top fails to properly report what is really happening in all cases.
So, netdata is a real-time performance monitoring system, similar to top, vmstat, iotop, systemd-cgtop, etc. Even if you need statistics of past performance, netdata can archive its metrics to graphite, opentstb, prometheus and the likes, so that you can visualize them with grafana (another excellent tool).
-
@scottalanmiller your browser does all the magic, not the servers. Each netdata is completely isolated to the rest. Only you (your browser) needs to have access to all of them. How you do this, it is your problem to figure out. You can use an authentication web server in proxy mode, setup a VPN, trust your static IP at firewall, tunnel it through ssh, etc
All these are your option. To understand the concept, let's assume netdata is a CGI. What would you do? Do the same.
-
Circling back this really doesn't work that much differently than Prometheus. Prometheus does give you a single view for everything but all nodes are exported on 9100 and the Prometheus server scrapes them all.
-
netdata and prometheus are quite different. They can actually cooperate: netdata exposes all its metrics in a prometheus compatible format, so that prometheus can use netdata as a data collector.
In general, prometheus is a time-series database with an embedded scraper. For sources it cannot scrape itself it uses other data collectors (including netdata).
netdata is a real-time performance monitoring. The detail and amount of information netdata provides is probably too much for prometheus. Also netdata is distributed (you install it everywhere), while prometheus is centralized.
There is no good and bad in these things. Different things for different needs.
So, use the solution that suits you best...
-
@ktsaou said in netdata 1.5 released - big update!:
netdata and prometheus are quite different. They can actually cooperate: netdata exposes all its metrics in a prometheus compatible format, so that prometheus can use netdata as a data collector.
In general, prometheus is a time-series database with an embedded scraper. For sources it cannot scrape itself it uses other data collectors (including netdata).
netdata is a real-time performance monitoring. The detail and amount of information netdata provides is probably too much for prometheus. Also netdata is distributed (you install it everywhere), while prometheus is centralized.
There is no good and bad in these things. Different things for different needs.
So, use the solution that suits you best...
Right. I didn't mean they were the same under the hood. I mean they are both "exposed" in the same way.