diff --git a/doc/rrdcached.pod b/doc/rrdcached.pod
index 460899c0df22086c3a913e7d783006000af87947..7f9c2a1ab17c27424460d591b7dc08e064e5dfd8 100644 (file)
--- a/doc/rrdcached.pod
+++ b/doc/rrdcached.pod
B<rrdcached>
[B<-P>E<nbsp>I<permissions>]
[B<-l>E<nbsp>I<address>]
+[B<-s>E<nbsp>I<group>]
[B<-w>E<nbsp>I<timeout>]
[B<-z>E<nbsp>I<delay>]
[B<-f>E<nbsp>I<timeout>]
The daemon was written with big setups in mind. Those setups usually run into
IOE<nbsp>related problems sooner or later for reasons that are beyond the scope
-of this document. Check the wiki at the RRDTool homepage for details. Also
-check L<SECURITY CONSIDERATIONS> below before using this daemon! A detailed
-description of how the daemon operates can be found in the L<HOW IT WORKS>
+of this document. Check the wiki at the RRDtool homepage for details. Also
+check L</"SECURITY CONSIDERATIONS"> below before using this daemon! A detailed
+description of how the daemon operates can be found in the L</"HOW IT WORKS">
section below.
=head1 OPTIONS
Tells the daemon to bind to I<address> and accept incoming connections on that
socket. If I<address> begins with C<unix:>, everything following that prefix is
interpreted as the path to a UNIX domain socket. Otherwise the address or node
-name are resolved using L<getaddrinfo>.
+name are resolved using C<getaddrinfo()>.
For network sockets, a port may be specified by using the form
C<B<[>I<address>B<]:>I<port>>. If the address is an IPv4 address or a fully
qualified domain name (i.E<nbsp>e. the address contains at least one dot
(C<.>)), the square brackets can be omitted, resulting in the (simpler)
-C<I<address>B<:>I<port>> pattern. The default port is B<42217/udp>. If you
+C<I<address>B<:>I<port>> pattern. The default port is B<42217/tcp>. If you
specify a network socket, it is mandatory to read the
L</"SECURITY CONSIDERATIONS"> section.
If the B<-l> option is not specified the default address,
C<unix:/tmp/rrdcached.sock>, will be used.
+=item B<-s> I<group_name>|I<gid>
+
+Set the group permissions of a UNIX domain socket. The option accepts either
+a numeric group id or group name. That group will then have both read and write
+permissions (the socket will have file permissions 0750) for the socket and,
+therefore, is able to send commands to the daemon. This
+may be useful in cases where you cannot easily run all RRD processes with the same
+user privileges (e.g. graph generating CGI scripts that typically run in the
+permission context of the web server).
+
+This option affects the I<following> UNIX socket addresses (the following
+B<-l> options) or the default socket (if no B<-l> options have been
+specified), i.e., you may specify different settings for different
+sockets.
+
+The default is not to change ownership or permissions of the socket and, thus,
+use the system default.
+
+=item B<-m> I<mode>
+
+Set the file permissions of a UNIX domain socket. The option accepts an octal
+number representing the bit pattern for the mode (see L<chmod(1)> for
+details).
+
+Please note that not all systems honor this setting. On Linux, read/write
+permissions are required to connect to a UNIX socket. However, many
+BSD-derived systems ignore permissions for UNIX sockets. See L<unix(7)> for
+details.
+
+This option affects the I<following> UNIX socket addresses (the following
+B<-l> options) or the default socket (if no B<-l> options have been
+specified), i.e., you may specify different settings for different
+sockets.
+
+The default is not to change ownership or permissions of the socket and, thus,
+use the system default.
+
=item B<-P> I<command>[,I<command>[,...]]
Specifies the commands accepted via a network socket. This allows
rrdcached -P FLUSH,PENDING $MORE_ARGUMENTS
-The B<-P> option effects the I<following> socket addresses (the following B<-l>
-options). In the following example, only the IPv4 network socket (address
+The B<-P> option affects the I<following> socket addresses (the following B<-l>
+options) or the default socket (if no B<-l> options have been
+specified). In the following example, only the IPv4 network socket (address
C<10.0.0.1>) will be restricted to the C<FLUSH> and C<PENDING> commands:
rrdcached -l unix:/some/path -P FLUSH,PENDING -l 10.0.0.1
The following commands may be made aware of the B<rrdcached> using the command
line argument B<--daemon> or the environment variable B<RRDCACHED_ADDRESS>:
-=over 4
+=over
+
+=item *
+
+dump
+
+=item *
-=item B<dump>
+fetch
-=item B<fetch>
+=item *
+
+flush
+
+=item *
+
+graph
+
+=item *
+
+graphv
-=item B<flush>
+=item *
+
+info
+
+=item *
-=item B<graph>
+last
-=item B<graphv>
+=item *
-=item B<info>
+lastupdate
-=item B<last>
+=item *
-=item B<lastupdate>
+update
-=item B<update>
+=item *
-=item B<xport>
+xport
=back
are printed to C<STDERR>. One of the steps when starting up is to fork to the
background and closing C<STDERR> - after this writing directly to the user is
no longer possible. Once this has happened, the daemon will send log messages
-to the system logging daemon using L<syslog(3)>. The facility used is
+to the system logging daemon using syslog(3). The facility used is
C<LOG_DAEMON>.
=head1 HOW IT WORKS
When appending a value to a tree node, it is checked whether it's time to write
the values to disk. Values are written to disk if
S<C<now() - First E<gt>= timeout>>, where C<timeout> is the timeout specified
-using the B<-w> option, see L<OPTIONS>. If the values are "old enough" they
+using the B<-w> option, see L</OPTIONS>. If the values are "old enough" they
will be enqueued in the "update queue", i.E<nbsp>e. they will be appended to
the linked list shown below. Because the tree nodes and the elements of the
linked list are the same data structures in memory, any update to a file that
=head2 Authentication
-There is no authentication.
+If your rrdtool installation was built without libwrap there is no form of
+authentication for clients connecting to the rrdcache daemon!
-The client/server protocol does not yet have any authentication mechanism. It
-is likely that authentication and encryption will be added in a future version,
-but for the time being it is the administrator's responsibility to secure the
-traffic from/to the daemon!
+If your rrdtool installation was built with libwrap then you can use
+hosts_access to restrict client access to the rrdcache daemon (rrdcached). For more
+information on how to use hosts_access to restrict access to the rrdcache
+daemon you should read the hosts_access(5) man pages.
-It is highly recommended to install a packet filter or similar mechanism to
+It is still highly recommended to install a packet filter or similar mechanism to
prevent unauthorized connections. Unless you have a dedicated VLAN or VPN for
this, using network sockets is probably a bad idea!
The daemon communicates with clients using a line based ASCII protocol which is
easy to read and easy to type. This makes it easy for scripts to implement the
-protocol and possible for users to use L<telnet> to connect to the daemon
+protocol and possible for users to use telnet to connect to the daemon
and test stuff "by hand".
The protocol is line based, this means that each record consists of one or more
After the connection has been established, the client is expected to send a
"command". A command consists of the command keyword, possibly some arguments,
and a terminating newline character. For a list of commands, see
-L<Valid Commands> below.
+L</"Valid Commands"> below.
Example:
Returns a list of metrics which can be used to measure the daemons performance
and check its status. For a description of the values returned, see
-L<Performance Values> below.
+L</"Performance Values"> below.
The format in which the values are returned is similar to many other line based
protocols: Each value is printed on a separate line, each consisting of the
=item B<UPDATE> I<filename> I<values> [I<values> ...]
Adds more data to a filename. This is B<the> operation the daemon was designed
-for, so describing the mechanism again is unnecessary. Read L<HOW IT WORKS>
+for, so describing the mechanism again is unnecessary. Read L</"HOW IT WORKS">
above for a detailed explanation.
Note that rrdcached only accepts absolute timestamps in the update values.
=head1 AUTHOR
-B<rrdcached> and this manual page have been written by Florian Forster
-E<lt>octoE<nbsp>atE<nbsp>verplant.orgE<gt>.
+Florian Forster E<lt>octoE<nbsp>atE<nbsp>verplant.orgE<gt>
+
+Both B<rrdcached> and this manual page have been written by Florian.
=head1 CONTRIBUTORS