Closed mattbillenstein closed 7 years ago
I want to run a process that collects logs and forwards those to another process -- typically these would run on different boxes, but for development and testing, they run on the same one.
For such use cases, we should add another configuration parameter to allow it. It can't be allowed in default.
Why not allow it by default?
So to make a more compelling argument -- many server daemons have a set of ports, data directories, or lock files that they create as a process of running. But as long as you configure those to be different, there's nothing in the source code to keep you from running two instances of the same program on the same machine. AFAICT, there's no reason to do it in fluentd, but I may be wrong.
SSL certificates should be verified with hostname/FQDN of destinations, by clients. It's a starting point of this discussion.
But there's many hard things about it especially in private data centers & development environments, because we often connect to servers by using just IP addresses or alias names. So I added parameters like hostlabel
and self_hostname
. It controls names to be used in verification steps.
The important thing is that using hostlabel
is for exceptional cases. Basically speaking, SSL certificates should be verified with hostname which is used in connect(2)
.
If we turned it possible to use same hostname in source and destination, it makes possible to configure all in/out_secure_forward nodes with just a "hostname" value (and someone may write blog posts to recommend to do it "for ease to use"). It spoils whole SSL verification mechanism. This is the reason not to allow it (using same hostname in src/dst) in default.
ssl hostname verification seems like a separate issue -- like, you can still do it whether the src/dst hosts are different or not -- and I don't see it as particularly confusing either way.
That being said, if you'd like to put this check behind a flag, I guess that's better than disallowing it entirely, but I don't really see the need for another option -- there are quite a few of them already.
I think the proposed topology is sensible (fluentd -> fluentd on the same box) for keeping production and testing environments the same -- and it's not something fluentd disallows, so I'm not sure there's any reason for this plugin to impose such a restriction.
Why do you want to do such change?