![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
diff --git a/doc/rrdcached.txt b/doc/rrdcached.txt
index fdacd186880328a23acaf738bed73492233e0f1e..34262a0f475c8f13e49c90d7d2830d470e4ac6f0 100644 (file)
--- a/doc/rrdcached.txt
+++ b/doc/rrdcached.txt
rrdcached - Data caching daemon for rrdtool
S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- r\brr\brd\bdc\bca\bac\bch\bhe\bed\bd [-\b-P\bP _\bp_\be_\br_\bm_\bi_\bs_\bs_\bi_\bo_\bn_\bs] [-\b-l\bl _\ba_\bd_\bd_\br_\be_\bs_\bs] [-\b-w\bw _\bt_\bi_\bm_\be_\bo_\bu_\bt] [-\b-z\bz _\bd_\be_\bl_\ba_\by]
- [-\b-f\bf _\bt_\bi_\bm_\be_\bo_\bu_\bt] [-\b-p\bp _\bp_\bi_\bd_\b__\bf_\bi_\bl_\be] [-\b-t\bt _\bw_\br_\bi_\bt_\be_\b__\bt_\bh_\br_\be_\ba_\bd_\bs] [-\b-j\bj _\bj_\bo_\bu_\br_\bn_\ba_\bl_\b__\bd_\bi_\br] [-F]
- [-g] [-\b-b\bb _\bb_\ba_\bs_\be_\b__\bd_\bi_\br [-\b-B\bB]]
+ r\brr\brd\bdc\bca\bac\bch\bhe\bed\bd [-\b-P\bP _\bp_\be_\br_\bm_\bi_\bs_\bs_\bi_\bo_\bn_\bs] [-\b-l\bl _\ba_\bd_\bd_\br_\be_\bs_\bs] [-\b-s\bs _\bg_\br_\bo_\bu_\bp] [-\b-w\bw _\bt_\bi_\bm_\be_\bo_\bu_\bt]
+ [-\b-z\bz _\bd_\be_\bl_\ba_\by] [-\b-f\bf _\bt_\bi_\bm_\be_\bo_\bu_\bt] [-\b-p\bp _\bp_\bi_\bd_\b__\bf_\bi_\bl_\be] [-\b-t\bt _\bw_\br_\bi_\bt_\be_\b__\bt_\bh_\br_\be_\ba_\bd_\bs]
+ [-\b-j\bj _\bj_\bo_\bu_\br_\bn_\ba_\bl_\b__\bd_\bi_\br] [-F] [-g] [-\b-b\bb _\bb_\ba_\bs_\be_\b__\bd_\bi_\br [-\b-B\bB]]
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
r\brr\brd\bdc\bca\bac\bch\bhe\bed\bd is a daemon that receives updates to existing RRD files,
The daemon was written with big setups in mind. Those setups usually
run into IO related problems sooner or later for reasons that are
- beyond the scope of this document. Check the wiki at the RRDTool
+ beyond the scope of this document. Check the wiki at the RRDtool
homepage for details. Also check "SECURITY CONSIDERATIONS" below before
using this daemon! A detailed description of how the daemon operates
can be found in the "HOW IT WORKS" section below.
on that socket. If _\ba_\bd_\bd_\br_\be_\bs_\bs begins with "unix:", everything
following that prefix is interpreted as the path to a UNIX domain
socket. Otherwise the address or node name are resolved using
- getaddrinfo.
+ "getaddrinfo()".
For network sockets, a port may be specified by using the form
"[\b[_\ba_\bd_\bd_\br_\be_\bs_\bs]\b]:\b:_\bp_\bo_\br_\bt_\b". If the address is an IPv4 address or a fully
qualified domain name (i. e. the address contains at least one dot
(".")), the square brackets can be omitted, resulting in the
- (simpler) "_\ba_\bd_\bd_\br_\be_\bs_\bs:\b:_\bp_\bo_\br_\bt_\b" pattern. The default port is 4\b42\b22\b21\b17\b7/\b/u\bud\bdp\bp. If
+ (simpler) "_\ba_\bd_\bd_\br_\be_\bs_\bs:\b:_\bp_\bo_\br_\bt_\b" pattern. The default port is 4\b42\b22\b21\b17\b7/\b/t\btc\bcp\bp. If
you specify a network socket, it is mandatory to read the "SECURITY
CONSIDERATIONS" section.
If the -\b-l\bl option is not specified the default address,
"unix:/tmp/rrdcached.sock", will be used.
+ -\b-s\bs _\bg_\br_\bo_\bu_\bp_\b__\bn_\ba_\bm_\be|_\bg_\bi_\bd
+ Set the group permissions of a UNIX domain socket. The option
+ accepts either a numeric group id or group name. That group will
+ then have both read and write permissions (the socket will have
+ file permissions 0750) for the socket and, therefore, is able to
+ send commands to the daemon. This may be useful in cases where you
+ cannot easily run all RRD processes with the same user privileges
+ (e.g. graph generating CGI scripts that typically run in the
+ permission context of the web server).
+
+ This option affects the _\bf_\bo_\bl_\bl_\bo_\bw_\bi_\bn_\bg UNIX socket addresses (the
+ following -\b-l\bl options) or the default socket (if no -\b-l\bl options have
+ been specified), i.e., you may specify different settings for
+ different sockets.
+
+ The default is not to change ownership or permissions of the socket
+ and, thus, use the system default.
+
+ -\b-m\bm _\bm_\bo_\bd_\be
+ Set the file permissions of a UNIX domain socket. The option
+ accepts an octal number representing the bit pattern for the mode
+ (see _\bc_\bh_\bm_\bo_\bd(1) for details).
+
+ Please note that not all systems honor this setting. On Linux,
+ read/write permissions are required to connect to a UNIX socket.
+ However, many BSD-derived systems ignore permissions for UNIX
+ sockets. See _\bu_\bn_\bi_\bx(7) for details.
+
+ This option affects the _\bf_\bo_\bl_\bl_\bo_\bw_\bi_\bn_\bg UNIX socket addresses (the
+ following -\b-l\bl options) or the default socket (if no -\b-l\bl options have
+ been specified), i.e., you may specify different settings for
+ different sockets.
+
+ The default is not to change ownership or permissions of the socket
+ and, thus, use the system default.
+
-\b-P\bP _\bc_\bo_\bm_\bm_\ba_\bn_\bd[,_\bc_\bo_\bm_\bm_\ba_\bn_\bd[,...]]
Specifies the commands accepted via a network socket. This allows
administrators of _\bR_\bR_\bD_\bC_\ba_\bc_\bh_\be_\bD to control the actions accepted from
rrdcached -P FLUSH,PENDING $MORE_ARGUMENTS
- The -\b-P\bP option effects the _\bf_\bo_\bl_\bl_\bo_\bw_\bi_\bn_\bg socket addresses (the following
- -\b-l\bl options). In the following example, only the IPv4 network socket
+ The -\b-P\bP option affects the _\bf_\bo_\bl_\bl_\bo_\bw_\bi_\bn_\bg socket addresses (the following
+ -\b-l\bl options) or the default socket (if no -\b-l\bl options have been
+ specified). In the following example, only the IPv4 network socket
(address 10.0.0.1) will be restricted to the "FLUSH" and "PENDING"
commands:
A complete list of available commands can be found in the section
"Valid Commands" below. There are two minor special exceptions:
- · The "HELP" and "QUIT" commands are always allowed.
+ · The "HELP" and "QUIT" commands are always allowed.
- · If the "BATCH" command is accepted, the .\b. command will
+ · If the "BATCH" command is accepted, the .\b. command will
automatically be accepted, too.
Please also read "SECURITY CONSIDERATIONS" below.
@@ -173,16 +210,25 @@ A\bAF\bFF\bFE\bEC\bCT\bTE\bED\bD R\bRR\bRD\bDT\bTO\bOO\bOL\bL C\bCO\bOM\bMM\bMA\bAN\bND\bDS\bS
command line argument -\b--\b-d\bda\bae\bem\bmo\bon\bn or the environment variable
R\bRR\bRD\bDC\bCA\bAC\bCH\bHE\bED\bD_\b_A\bAD\bDD\bDR\bRE\bES\bSS\bS:
- d\bdu\bum\bmp\bp
- f\bfe\bet\btc\bch\bh
- f\bfl\blu\bus\bsh\bh
- g\bgr\bra\bap\bph\bh
- g\bgr\bra\bap\bph\bhv\bv
- i\bin\bnf\bfo\bo
- l\bla\bas\bst\bt
- l\bla\bas\bst\btu\bup\bpd\bda\bat\bte\be
- u\bup\bpd\bda\bat\bte\be
- x\bxp\bpo\bor\brt\bt
+ · dump
+
+ · fetch
+
+ · flush
+
+ · graph
+
+ · graphv
+
+ · info
+
+ · last
+
+ · lastupdate
+
+ · update
+
+ · xport
The u\bup\bpd\bda\bat\bte\be command can send values to the daemon instead of writing
them to the disk itself. All other commands can send a F\bFL\bLU\bUS\bSH\bH command
When appending a value to a tree node, it is checked whether it's time
to write the values to disk. Values are written to disk if
"now() - First >= timeout", where "timeout" is the timeout specified
- using the -\b-w\bw option, see OPTIONS. If the values are "old enough" they
+ using the -\b-w\bw option, see "OPTIONS". If the values are "old enough" they
will be enqueued in the "update queue", i. e. they will be appended to
the linked list shown below. Because the tree nodes and the elements
of the linked list are the same data structures in memory, any update
The above diagram demonstrates:
- · Files/values are stored in a (balanced) tree.
+ · Files/values are stored in a (balanced) tree.
- · Tree nodes and entries in the update queue are the same data
+ · Tree nodes and entries in the update queue are the same data
structure.
- · The local time ("First") and the time specified in updates ("Time")
+ · The local time ("First") and the time specified in updates ("Time")
may differ.
- · Timed out values are inserted at the "tail".
+ · Timed out values are inserted at the "tail".
- · Explicitly flushed values are inserted at the "head".
+ · Explicitly flushed values are inserted at the "head".
- · ASCII art rocks.
+ · ASCII art rocks.
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY C\bCO\bON\bNS\bSI\bID\bDE\bER\bRA\bAT\bTI\bIO\bON\bNS\bS
A\bAu\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bti\bio\bon\bn
- There is no authentication.
+ If your rrdtool installation was built without libwrap there is no form
+ of authentication for clients connecting to the rrdcache daemon!
- The client/server protocol does not yet have any authentication
- mechanism. It is likely that authentication and encryption will be
- added in a future version, but for the time being it is the
- administrator's responsibility to secure the traffic from/to the
- daemon!
+ If your rrdtool installation was built with libwrap then you can use
+ hosts_access to restrict client access to the rrdcache daemon
+ (rrdcached). For more information on how to use hosts_access to
+ restrict access to the rrdcache daemon you should read the
+ _\bh_\bo_\bs_\bt_\bs_\b__\ba_\bc_\bc_\be_\bs_\bs(5) man pages.
- It is highly recommended to install a packet filter or similar
+ It is still highly recommended to install a packet filter or similar
mechanism to prevent unauthorized connections. Unless you have a
dedicated VLAN or VPN for this, using network sockets is probably a bad
idea!
@@ -322,11 +369,11 @@ S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY C\bCO\bON\bNS\bSI\bID\bDE\bER\bRA\bAT\bTI\bIO\bON\bNS\bS
the future, your files will be messed up good!
C\bCo\bon\bnc\bcl\blu\bus\bsi\bio\bon\bn
- · Security is the job of the administrator.
+ · Security is the job of the administrator.
- · We recommend to allow write access via UNIX domain sockets only.
+ · We recommend to allow write access via UNIX domain sockets only.
- · You have been warned.
+ · You have been warned.
P\bPR\bRO\bOT\bTO\bOC\bCO\bOL\bL
The daemon communicates with clients using a line based ASCII protocol
rrdtool, rrdgraph
A\bAU\bUT\bTH\bHO\bOR\bR
- r\brr\brd\bdc\bca\bac\bch\bhe\bed\bd and this manual page have been written by Florian Forster
- <octo at verplant.org>.
+ Florian Forster <octo at verplant.org>
+
+ Both r\brr\brd\bdc\bca\bac\bch\bhe\bed\bd and this manual page have been written by Florian.
C\bCO\bON\bNT\bTR\bRI\bIB\bBU\bUT\bTO\bOR\bRS\bS
kevin brintnall <kbrint@rufus.net>
-1.3.999 2009-09-24 RRDCACHED(1)
+1.4.7 2011-03-15 RRDCACHED(1)