[Xymon] SSLCert test dependency on HTTP?

Scot Kreienkamp Scot.Kreienkamp at la-z-boy.com
Mon Mar 28 22:41:36 CEST 2016


HTTP exhibits the same behavior.  I don't have any other purple tests to try this on.


Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 |  Office: 734-384-6403 |  |  Mobile: 7349151444 | Email: Scot.Kreienkamp at la-z-boy.com
-----Original Message-----
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Scot Kreienkamp
Sent: Monday, March 28, 2016 4:13 PM
To: J.C. Cleaver; Josh Luthman
Cc: Xymon Mailing List
Subject: Re: [Xymon] SSLCert test dependency on HTTP?

JC,

I think I have found either a bug or at least an inconsistency related to this.  On three hosts that have SSLCert tests on them and are currently purple, when I query them with xymondboard I get green status back.




-----Original Message-----
From: J.C. Cleaver [mailto:cleaver at terabithia.org]
Sent: Thursday, March 24, 2016 9:00 PM
To: Scot Kreienkamp; Josh Luthman
Cc: Xymon Mailing List
Subject: RE: [Xymon] SSLCert test dependency on HTTP?



On Thu, March 24, 2016 6:06 am, Scot Kreienkamp wrote:
> As I said, I tried that and it didn’t seem to work.
>
> depends=(sslcert:lzbvidmpdoim2.na.lzb.hq/http)
>
> The server is lzbvidmpdoim2.na.lzb.hq, so if I have that constructed right
> I’ve told it that the sslcert test depends on the http test on itself.
> It hasn’t had any effect though.  As I recall, the depends is
> implemented in the network module so it may not be able to apply to the
> sslcert test.  I know Henrik had wanted to reimplement that higher up in
> the processing order so it could apply to any test.  Guess he didn’t get
> around to it.
>
> JC, can I make a feature request?  Reimplement depends so it can work for
> any test?
>
> Thanks.

'sslcert' is a little odd in that it's not really a normal test of its own
-- it's created if xymonnet does an SSL transaction, but not otherwise. So
if there's no valid https connection made (because the site is down) and
nothing else is being tested via SSL on the same host (eg, smtps, imaps,
ldaps, ...) then no sslcert test gets created at all. Hence the purple.
And, yes, since xymonnet is doing the depends calculation it doesn't even
get to that point.

I'll have to take a look at the xymonnet code, but I believe it might be
possible to default to a dummy sslcert record if we think we're doing an
SSL exchange (clear, most likely), which could solve this specific issue.


The broader question on 'depends' calculation in the core xymond is a bit
trickier. Well, that's not right. It's tricky to do without adversely
impacting performance by causing additional scans for incoming status
messages. It's unimportant in smaller installs but the math adds up in
larger ones.

Having dependency arbitrary dependency calculation done by the test
submitter reduces xymond's load back to linear scans, but it also prevents
depends from working as flexibly as it should, as you've seen.


There are some of the bits of logic that might be able to be consolidated
together, however. Having a host-level enable/disable option (instead of
test-level ones), and taking CONN_down = (red/purple->clear) logic to the
core (and perhaps allowing that test to be selectable on a per-host basis)
could get us close while still being efficient.


Regards,
-jc


This message is intended only for the individual or entity to which it is addressed.  It may contain privileged, confidential information which is exempt from disclosure under applicable laws.  If you are not the intended recipient, you are strictly prohibited from disseminating or distributing this information (other than to the intended recipient) or copying this information.  If you have received this communication in error, please notify us immediately by e-mail or by telephone at the above number. Thank you.
_______________________________________________
Xymon mailing list
Xymon at xymon.com
http://lists.xymon.com/mailman/listinfo/xymon


More information about the Xymon mailing list