Introduction

The JS7 Controller and Agent offer JS7 - Metrics for ongoing monitoring.

Metrics can be integrated with Prometheus and can be visualized from JS7 - Dashboards with Grafana.

  • Integration means allowing Prometheus to scrape telemetry data from the /metrics endpoint offered by the Controller and Agents.
  • While this suggests a straightforward procedure, users should consider that it allows connections from the less secure network zone in which Prometheus is operated to access JS7 products. Users who regard this approach as a security risk should consider using JS7 - Metrics with OpenTelemetry, which allows sending telemetry data from JS7 products to an OpenTelemetry server that can be configured to feed Prometheus with the related data.

FEATURE AVAILABILITY STARTING FROM RELEASE 2.8.1

Controller and Agent Configuration

The Controller and Agent offer the /metrics endpoint that can be used by Prometheus.

Access to the /metrics endpoint is governed by the ReadMetrics permission, which can be added to the

  • Controller's <controller-data>/config/private.conf file.
  • Agent's <agent-data>/config/private.conf file.

Example for ReadMetrics permission in private.conf configuration file
js7 {
    auth {
        users {
            Prometheus {
                permissions = [ ReadMetrics ]
                # distinguished-names = [
                #     "DNQ=SOS CA, CN=prometheus.sos, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                # ]
                password="plain:secret"
            }
        }
    }
}


Explanations:

  • Line 4: Specifies the account name used in this example: Prometheus. The name has to be specified when Prometheus accesses the /metrics endpoint.
  • Line 5: Assigns the ReadMetrics permission to the account.
  • Line 9: Specifies password authentication in one of the following ways:
    • Plain text password:

      password="plain:secret"
    • Hashed password:

      password="sha512:bd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d93dd0619d682ce56b4d64a9ef097761ced99e0f67265b5f76085e5b0ee7ca4696b2ad6fe2b2"

      The hash can be created from the command line like this:

      echo -n "secret" | openssl dgst -sha512
  • Lines 6 to 8: As an alternative to password authentication, users can apply mutual TLS authentication over HTTPS. The Distinguished Name of one or more Client Authentication Certificates used by Prometheus instances is specified:
    • Except for whitespace between attributes, the precise sequence and values as available from the certificate's subject have to match the property value.
    • Note that the common name (CN) element in the distinguished name has to match the fully qualified domain name (FQDN) of the Prometheus instance's host.
    • The following command can be used to read the distinguished name from a certificate file:

      Example for OpenSSL command to read a certificate's distinguished name
      # read distinguished name from a Prometheus instance's certificate file (.crt)
      openssl x509 -in prometheus.crt -noout -nameopt RFC2253 -subject
      
      # output is returned with a prefix "subject= " or similar that is not part of the distinguished name
      # subject= DNQ=SOS CA,CN=prometheus.sos,OU=IT,O=SOS,L=Berlin,ST=Berlin,C=DE
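
A pre-flight check for the two matching rules above (the certificate subject equals the configured distinguished name apart from whitespace between attributes, and the CN equals the FQDN of the Prometheus host), as an added example that is not part of the original page or of JS7. The function names are hypothetical, and the comparison follows the rules as this page words them, not JS7's own matching code.

```shell
#!/bin/sh
# Added example, not JS7 code: check a distinguished-names entry before deploying it.
# Function names are hypothetical. Inputs are plain strings, so no certificate is needed.

# Strip the "subject=" prefix (with optional spaces) that openssl prints.
dn_from_openssl() {
    printf '%s\n' "$1" | sed 's/^subject *= *//'
}

# Remove whitespace that follows an unescaped comma between attributes.
# Attribute order, values and case are left untouched; "\," inside a value is kept.
dn_normalize() {
    printf '%s\n' "$1" | sed 's/\([^\\]\),[[:space:]]*/\1,/g'
}

# Print the value of the first CN attribute (assumes the CN holds no escaped comma).
dn_cn() {
    dn_normalize "$1" | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# dn_check <openssl subject line> <DN from private.conf> <FQDN of the Prometheus host>
# Prints "ok" and returns 0 if both rules hold, otherwise names the rule that failed.
dn_check() {
    cert_dn=$(dn_normalize "$(dn_from_openssl "$1")")
    conf_dn=$(dn_normalize "$2")
    if [ "$cert_dn" != "$conf_dn" ]; then
        echo "mismatch: certificate subject differs from configured DN"
        return 1
    fi
    if [ "$(dn_cn "$cert_dn")" != "$3" ]; then
        echo "mismatch: CN is not the FQDN $3"
        return 1
    fi
    echo "ok"
}

# Sample values copied from the private.conf and openssl examples on this page.
SUBJECT_LINE='subject= DNQ=SOS CA,CN=prometheus.sos,OU=IT,O=SOS,L=Berlin,ST=Berlin,C=DE'
CONF_DN='DNQ=SOS CA, CN=prometheus.sos, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE'
dn_check "$SUBJECT_LINE" "$CONF_DN" 'prometheus.sos'
```

In practice the first argument is the output of the openssl x509 command shown above.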

Prometheus Configuration

The following entries should be added to the prometheus.yml configuration file:

Example of prometheus.yml configuration file
scrape_configs:
  - job_name: 'JS7-TST'
    scheme: http
    basic_auth:
      username: 'Prometheus'
      password: 'secret'
    # tls_config:
    #   ca_file: "/var/opt/prometheus/private/CA.crt"
    #   cert_file: "/var/opt/prometheus/private/prometheus.crt"
    #   key_file: "/var/opt/prometheus/private/prometheus.key"
    static_configs:
      - targets:
        - js7-tst-primary-controller:5444
        - js7-tst-secondary-controller:5544
        - js7-tst-primary-agent:6445
        - js7-tst-secondary-agent:6545
    relabel_configs:
      - source_labels: [__address__]
        # Provide $host with the hostname only (strip "js7-" and port number)
        regex: '(js7-)?(.*):.*'
        target_label: host
        replacement: '$2'


Explanations:

  • Line 2: Creates a job name for the JS7 scheduling environment.
  • Line 3: The example makes use of HTTP.
  • Lines 4-6: For HTTP, the account and password must be specified as configured in the Controller's/Agent's private.conf file, see above.
  • Lines 7-10: If HTTPS is used, then mutual TLS authentication applies. Prometheus holds the CA Certificate file and the Client Authentication key & certificate files.
  • Lines 11-16: The targets are specified from the host and port by which the related Controller and Agent are accessible to Prometheus.
  • Lines 17-22: Optionally, the host target label is reconfigured to hold the hostname from the target without the js7- prefix and without the port specification. This simplifies use of the host attribute with Grafana dashboards.
