[Xymon] SSLCert test dependency on HTTP?

J.C. Cleaver cleaver at terabithia.org
Fri Mar 25 02:00:02 CET 2016



On Thu, March 24, 2016 6:06 am, Scot Kreienkamp wrote:
> As I said, I tried that and it didn’t seem to work.
>
> depends=(sslcert:lzbvidmpdoim2.na.lzb.hq/http)
>
> The server is lzbvidmpdoim2.na.lzb.hq, so if I have that constructed right
> I’ve told it that the sslcert test depends on the http test on itself.
> It hasn’t had any effect though.  As I recall, the depends is
> implemented in the network module so it may not be able to apply to the
> sslcert test.  I know Henrik had wanted to reimplement that higher up in
> the processing order so it could apply to any test.  Guess he didn’t get
> around to it.
>
> JC, can I make a feature request?  Reimplement depends so it can work for
> any test?
>
> Thanks.

'sslcert' is a little odd in that it's not really a normal test of its own
-- it's created if xymonnet does an SSL transaction, but not otherwise. So
if there's no valid https connection made (because the site is down) and
nothing else is being tested via SSL on the same host (eg, smtps, imaps,
ldaps, ...) then no sslcert test gets created at all. Hence the purple.
And, yes, since xymonnet is doing the depends calculation it doesn't even
get to that point.

I'll have to take a look at the xymonnet code, but I believe it might be
possible to default to a dummy sslcert record if we think we're doing an
SSL exchange (clear, most likely), which could solve this specific issue.


The broader question on 'depends' calculation in the core xymond is a bit
trickier. Well, that's not right. It's tricky to do without adversely
impacting performance by causing additional scans for incoming status
messages. It's unimportant in smaller installs but the math adds up in
larger ones.

Having dependency arbitrary dependency calculation done by the test
submitter reduces xymond's load back to linear scans, but it also prevents
depends from working as flexibly as it should, as you've seen.


There are some of the bits of logic that might be able to be consolidated
together, however. Having a host-level enable/disable option (instead of
test-level ones), and taking CONN_down = (red/purple->clear) logic to the
core (and perhaps allowing that test to be selectable on a per-host basis)
could get us close while still being efficient.


Regards,
-jc




More information about the Xymon mailing list