tynany / junos_exporter

Prometheus Exporter for Junos Devices
MIT License

Improvement suggestion to use single ssh connection #26

Open Sparc0 opened 2 weeks ago

Sparc0 commented 2 weeks ago

Is there any reason why each enabled collector sets up its own connection to a device instead of sharing one? Could e.g. multiplexing be used and implemented?

The issue we got when we rolled out this exporter to ~2000+ devices was that it started to hammer our TACACS servers and it hammered our AD server and it caused login problems for our ops team. We have sorted out the issue between TACACS and AD now. Just wondering if this improvement could be done also, or maybe it's too complicated to implement or not even possible.

Sep 13 06:47:18  <redacted> sshd[14381]: Accepted password for monuser from <redacted>port 58984 ssh2
Sep 13 06:47:18  <redacted>sshd[14380]: Accepted password for monuser from <redacted>port 58946 ssh2
Sep 13 06:47:18  <redacted>sshd[14383]: Accepted password for monuser from <redacted>port 58948 ssh2
Sep 13 06:47:18  <redacted>sshd[14385]: Accepted password for monuser from <redacted>port 58972 ssh2
Sep 13 06:47:18  <redacted>sshd[14384]: Accepted password for monuser  from <redacted>port 58980 ssh2
Sep 13 06:47:18  <redacted>sshd[14382]: Accepted password for monuser from <redacted>port 58958 ssh2
Sep 13 06:52:18  <redacted>sshd[14440]: Accepted password for monuser  from <redacted>port 55878 ssh2
Sep 13 06:52:18  <redacted>sshd[14438]: Accepted password for monuser from <redacted>port 55838 ssh2
Sep 13 06:52:18  <redacted> sshd[14442]: Accepted password for monuser from <redacted>port 55868 ssh2 
Sep 13 06:52:18  <redacted> sshd[14443]: Accepted password for monuser from <redacted>port 55882 ssh2
Sep 13 06:52:18  <redacted> sshd[14439]: Accepted password for monuser  from <redacted>port 55846 ssh2
Sep 13 06:52:18  <redacted>sshd[14441]: Accepted password for monuser  from <redacted>port 55848 ssh2
Sep 13 06:57:18  <redacted>sshd[14497]: Accepted password for monuser from <redacted>port 49150 ssh2
Sep 13 06:57:18  <redacted>sshd[14500]: Accepted password for monuser from <redacted> port 49166 ssh2
Sep 13 06:57:18  <redacted>sshd[14496]: Accepted password for monuser from <redacted>port 49168 ssh2
Sep 13 06:57:18  <redacted>sshd[14501]: Accepted password for monuser from <redacted>port 49178 ssh2
Sep 13 06:57:18  <redacted> sshd[14498]: Accepted password for monuser  from <redacted>port 49174 ssh2
Sep 13 06:57:18  <redacted>sshd[14499]: Accepted password for monuser from <redacted> port 49152 ssh2

tynany commented 2 weeks ago

This is by design to improve collection speed, as all collectors run in parallel. One solution is to create a read-only user with SSH key-based authentication. That way, TACACS won't be queried every time Junos Exporter scrapes the device.

That being said, it is possible to run the collectors in serial -- I will work on a feature to support this.
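Added example, not from the thread or the exporter's code: a small Go program that groups sshd `Accepted` lines by second, user and authentication method, so the per-scrape password-login burst shown in the issue can be measured and then compared after the monitoring user is moved to key-based authentication. The sample lines, the host name `rtr1` and the 192.0.2.x addresses are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample modelled on the sshd lines in the issue; host name and
// addresses are placeholders, not values from the thread.
const sampleLog = `Sep 13 06:47:18  rtr1 sshd[14381]: Accepted password for monuser from 192.0.2.10 port 58984 ssh2
Sep 13 06:47:18  rtr1 sshd[14380]: Accepted password for monuser  from 192.0.2.10 port 58946 ssh2
Sep 13 06:47:18  rtr1 sshd[14383]: Accepted password for monuser from 192.0.2.10 port 58948 ssh2
Sep 13 06:52:18  rtr1 sshd[14440]: Accepted publickey for monuser from 192.0.2.10 port 55878 ssh2
Sep 13 06:52:18  rtr1 sshd[14438]: Accepted publickey for monuser from 192.0.2.10 port 55838 ssh2
Sep 13 06:52:19  rtr1 sshd[14450]: Accepted password for admin from 192.0.2.77 port 40000 ssh2`

// Matches OpenSSH "Accepted <method> for <user> from ..." lines.
var accepted = regexp.MustCompile(`^(\w{3}\s+\d+ \d{2}:\d{2}:\d{2})\s.*sshd\[\d+\]: Accepted (\S+) for (\S+)\s+from `)

// Bursts counts accepted logins per "timestamp user method" key.
func Bursts(log string) map[string]int {
	out := map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		if m := accepted.FindStringSubmatch(line); m != nil {
			out[m[1]+" "+m[3]+" "+m[2]]++
		}
	}
	return out
}

// PasswordBursts returns the sorted keys where one user made at least
// threshold password logins within the same second.
func PasswordBursts(log string, threshold int) []string {
	var out []string
	for k, n := range Bursts(log) {
		if n >= threshold && strings.HasSuffix(k, " password") {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println(PasswordBursts(sampleLog, 2))
}
```

Run against a device's real auth log, a password burst on every scrape interval for the monitoring user corresponds to the parallel collector logins discussed above; `publickey` entries are the ones the maintainer's suggestion would produce instead.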