Hi

On Mon, 24 Apr 2023 03:01:03 +0200 Marc Lehmann <schm...@schmorp.de> wrote:
> Please do NOT consider dool as replacement for dstat, but pcp instead.

Sorry but calling pcp a better drop-in replacement for dstat is a bit of
a stretch. On a fresh minimal installation of debian/testing pcp starts
several daemons which have several open TCP ports.

Just compare this:

without pcp:

<snip>
# pstree
systemd-+-agetty
        |-cron
        |-dbus-daemon
        |-haveged
        |-sshd---sshd---zsh---pstree
        |-systemd---(sd-pam)
        |-systemd-journal
        |-systemd-logind
        `-systemd-udevd
</snip>

with pcp (installed via `apt-get install dstat`):

<snip>
# pstree
systemd-+-agetty
        |-cron
        |-dbus-daemon
        |-haveged
        |-pmcd---pmdaroot-+-pmdakvm
        |                 |-pmdalinux
        |                 |-pmdaproc
        |                 `-pmdaxfs
        |-pmlogger
        |-pmpause
        |-sshd---sshd---zsh---pstree
        |-systemd---(sd-pam)
        |-systemd-journal
        |-systemd-logind
        `-systemd-udevd
</snip>

This is already quite some stuff that is running that most of the time i don't
need. Even more problematic is this:

without pcp:

<snip>
# ss -tulnp
Netid  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
tcp    LISTEN  0       128           0.0.0.0:22         0.0.0.0:*      users:(("sshd",pid=672,fd=3))
tcp    LISTEN  0       128              [::]:22            [::]:*      users:(("sshd",pid=672,fd=4))
</snip>


with pcp:

<snip>
# ss -tulnp
Netid  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
tcp    LISTEN  0       5             0.0.0.0:4330        0.0.0.0:*      users:(("pmlogger",pid=2315,fd=7))
tcp    LISTEN  0       128           0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=672,fd=3))
tcp    LISTEN  0       5             0.0.0.0:44321       0.0.0.0:*      users:(("pmcd",pid=1976,fd=0))
tcp    LISTEN  0       5                [::]:4330           [::]:*      users:(("pmlogger",pid=2315,fd=8))
tcp    LISTEN  0       128              [::]:22             [::]:*      users:(("sshd",pid=672,fd=4))
tcp    LISTEN  0       5                [::]:44321          [::]:*      users:(("pmcd",pid=1976,fd=3))
</snip>

Why are all these ports open all the time? This is NOT what i would expect when
i install something that always has been a simple command-line python script.

Don't get me wrong there might be a good reason why pcp works this way - most
likely because it has a wider scope with different use-cases. But calling this
a drop-in replacement for a tool that only does stuff when i really need it and
is otherwise just taking up a little bit of disk-space is imho dangerous because
it dramatically increases the remote attack-surface - at least in the default
install.

> The reasons are not only that pcp seems to be much more actively maintained,
> it is also vastly more compatible to dstat than dool. For example, dool uses
> an unreadable color palette (e.g. black text on black background) by
> default, and uses a very different default output format.

I haven't really used dool or pcp-dstat too much but at the moment i have
a hard time understanding why i should worry about slightly different output
coloring and ignore the potential security issues that come with long-running
daemons that, at least in the default install, are reachable from everywhere.

Again, there might be a good use-case for running pcp on your system. This is
not what i argue against. But at the moment, if i install the package `dstat`
on debian testing, i get something i would never expect.

regards
 christian
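
The before/after comparison made in this message can be automated. The following is an added example, not part of the original mail and not code from pcp, dstat or Debian: it diffs two `ss -tulnp` captures and reports only the new listeners bound to a wildcard address. The function names, the reduced sample captures and the constructed loopback line are assumptions of the example.

```shell
#!/bin/sh
# Added example: diff two `ss -tulnp` captures, report new wildcard listeners.
export LC_ALL=C   # same collation for sort and comm

# Normalise ss output to "proto local-address:port process" lines. Accepts
# mail-wrapped output where users:((...)) lands on the following line.
listeners() {
    awk '
        function emit() { if (rec != "") print rec, (proc == "" ? "-" : proc); rec = proc = "" }
        function name(s) { return match(s, /\(\("[^"]+"/) ? substr(s, RSTART + 3, RLENGTH - 4) : "" }
        $1 ~ /^users:/ { proc = name($0); emit(); next }
        $1 == "tcp" || $1 == "udp" { emit(); rec = $1 " " $5; proc = name($0) }
        END { emit() }
    ' | sort -u
}

# Listeners in capture file $2 but not in $1 that bind 0.0.0.0, [::] or *.
new_wildcard_listeners() {
    b=$(mktemp) a=$(mktemp)
    listeners < "$1" > "$b"; listeners < "$2" > "$a"
    comm -13 "$b" "$a" | awk '$2 ~ /^(0\.0\.0\.0|\[::\]|\*):/'
    rm -f "$b" "$a"
}

# Sample captures reduced from the output in the message; the 127.0.0.1
# line is constructed to show that a loopback-only listener is not reported.
sample_before() { cat <<'EOF'
Netid  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
tcp    LISTEN  0       128           0.0.0.0:22         0.0.0.0:*      users:(("sshd",pid=672,fd=3))
EOF
}
sample_after() { cat <<'EOF'
Netid  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
tcp    LISTEN  0       5             0.0.0.0:4330        0.0.0.0:*
users:(("pmlogger",pid=2315,fd=7))
tcp    LISTEN  0       128           0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=672,fd=3))
tcp    LISTEN  0       5                [::]:44321          [::]:*      users:(("pmcd",pid=1976,fd=3))
tcp    LISTEN  0       20          127.0.0.1:25          0.0.0.0:*      users:(("exim4",pid=900,fd=4))
EOF
}

demo() {
    d=$(mktemp -d); sample_before > "$d/before"; sample_after > "$d/after"
    new_wildcard_listeners "$d/before" "$d/after"; rm -rf "$d"
}
demo
# tcp 0.0.0.0:4330 pmlogger
# tcp [::]:44321 pmcd
```

On a real host, save `ss -tulnp` to a file before and after the package install and pass the two files to `new_wildcard_listeners`.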
