Hi Paolo,
Thanks for the hint, I gave it a try. I'm observing the exact same behavior
between running pmacct in a container & directly on my host in all cases.
Tested with
* official docker image: 281904b7afd6
* official ubuntu 21.10 package: pmacct/impish,now 1.7.6-2 amd64
I *think* the problem is with the interfaces' ifindex parameter when using
the pcap_interfaces_map config key - everything works fine (capture files
are printed) when instead using the pcap_interface key. Whenever I do not
specify the 'ifindex' in the file specified as value for the
pcap_interfaces_map config key, I do not observe capture files being
printed. Vice versa, if I do specify the 'ifindex' parameter, then capture
files are printed.
In fact, if I do specify 'ifindex' for all interfaces listed when I run
"netstat -i", then pmacctd throws errors for my br-* & enx interfaces -
which it does not do when I omit 'ifindex' - almost as if it only then
realizes that it is supposed to access those interfaces at all. This
assumption is also based on the fact that I do see log lines such as these
INFO ( default/core ): Reading configuration file
'/etc/pmacct/pmacctd.conf'.
INFO ( default/core ): [/etc/pmacct/pcap-itf.conf] (re)loading map.
INFO ( default/core ): [/etc/pmacct/pcap-itf.conf] map successfully
(re)loaded.
INFO ( default/core ): [docker0,1872541466] link type is: 1 <=
INFO ( default/core ): [eno2,3698069186] link type is: 1 <=
INFO ( default/core ): [lo,2529615826] link type is: 1 <=
INFO ( default/core ): [tun0,3990258693] link type is: 12 <=
when specifying 'ifname' whereas the marked (<=) lines are missing whenever
I do not.
Reading through the config key documentation some more, I found the config
key pcap_ifindex. Interestingly enough, using it does not yield any
difference in results - neither for value "sys" nor for value "hash" -
irrespective of all other settings I played around with.
Assuming in pmacctd.conf the config key pcap_interfaces_map is used, then
this is what I speculate is effectively happening:
* pmacctd ignores config key pcap_ifindex
* instead, it expects 'ifindex' to be set in the interface mapping file for
each line
* each line where 'ifindex' is not set is ignored
* if 'ifindex' is missing on all lines, this results in a
"no-interface-being-listened-on" case without any warning/error
Summary: seems like 'ifname' is a mandatory parameter in the interface
mapping file whereas the documentation says "pmacctd: mandatory keys:
ifname."
My understanding of the documentation for above-mentioned config keys is
that the behavior I'm observing is not as intended (e.g. 'ifindex'
effectively being required, pcap_ifindex effectively being ignored) . So
I'm either making a mistake, e.g. in my config files, misunderstanding the
documentation or I'm encountering a bug - which I find difficult to believe
given how trivial my setup is.
Any Suggestions ?
Regards & Thanks,
Thomas
On Sun, May 8, 2022 at 1:43 PM Paolo Lucente <pa...@pmacct.net> wrote:
>
> Hi Thomas,
>
> The simplest thing i may recommend is to check it all working outside a
> container - this way you can easily isolate whether the issue is somehow
> related to the container (config or interaction of pmacctd with the
> container) or with the pmacct config itself.
>
> Paolo
>
>
> On 6/5/22 06:05, Thomas Eckert wrote:
> > Hi everyone,
> >
> > pmacct starter here, trying to get pmacctd working inside of a container
> > to listen to the (container's) host's traffic. I suppose this is a, if
> > not the, standard use case for pmacctd in a container. So I'm sure it
> > works in principle but I'm doing something wrong.
> >
> > Command for starting the container:
> > docker run \
> > --privileged --network=host \
> > --name pmacctd \
> > -v /tmp/pmacctd.conf:/etc/pmacct/pmacctd.conf:ro \
> > -v /tmp/pcap-itf.conf:/etc/pmacct/pcap-itf.conf:ro \
> > -v /tmp//captures:/var/pmacct/captures:rw pmacctd-debug \
> > pmacct/pmacctd:latest
> >
> > Contents of pmacctd.conf:
> > daemonize: false
> > snaplen: 1000
> > pcap_interfaces_map: /etc/pmacct/pcap-itf.conf
> > aggregate: src_host, dst_host, src_port, dst_port, proto, class
> > plugins: print
> > print_output: json
> > print_output_file: /var/pmacct/captures/capture-%Y%m%d_%H%M.txt
> > print_output_file_append: true
> > print_history: 1m
> > print_history_roundoff: m
> > print_refresh_time: 5
> >
> > pcap-itf.conf contains all interfaces of the host (as per netstat -i) in
> > the form
> > ifname=eno2
> > One line each, no other keys/values other than ifname.
> > Possibly important note: There's a VPN (openconnect) constantly running
> > on the host. The VPN's interface is listed in netstat -i and, as such,
> > included in pcap-itf.conf.
> >
> > Starting the container yields this output:
> > INFO ( default/core ): Promiscuous Mode Accounting Daemon, pmacctd
> > 1.7.7-git (20211107-0 (ef37a415))
> > INFO ( default/core ): '--enable-mysql' '--enable-pgsql'
> > '--enable-sqlite3' '--enable-kafka' '--enable-geoipv2'
> > '--enable-jansson' '--enable-rabbitmq' '--enable-nflog' '--enable-ndpi'
> > '--enable-zmq' '--enable-avro' '--enable-serdes' '--enable-redis'
> > '--enable-gnutls' 'AVRO_CFLAGS=-I/usr/local/avro/include'
> > 'AVRO_LIBS=-L/usr/local/avro/lib -lavro' '--enable-l2'
> > '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins'
> > '--enable-st-bins'
> > INFO ( default/core ): Reading configuration file
> > '/etc/pmacct/pmacctd.conf'.
> > INFO ( default/core ): [/etc/pmacct/pcap-itf.conf] (re)loading map.
> > INFO ( default/core ): [/etc/pmacct/pcap-itf.conf] map successfully
> > (re)loaded.
> > INFO ( default_print/print ): cache entries=16411 base cache
> > memory=67875896 bytes
> > INFO ( default_print/print ): JSON: setting object handlers.
> > INFO ( default_print/print ): *** Purging cache - START (PID: 7) ***
> > INFO ( default_print/print ): *** Purging cache - END (PID: 7, QN:
> > 0/0, ET: X) ***
> >
> > Now, the problem is there are no files showing up in the 'captures'
> > directory at all.
> >
> > I tried these things (as well as combinations thereof) to try to
> > understand what's going on:
> > * change the time related settings in pmacct.conf: to dump data
> > more/less often - also waited (increasingly) long, at times up to 20
> minutes
> > * change 'snaplen' in pmacct.conf up & down - just to make sure I'm not
> > running into buffering problems (just guessing, haven't read pmacct/d
> > sources)
> > * change pcap-itf.conf to contain all interfaces or only the (host's)
> > LAN + VPN interfaces (removing all others like docker's internal
> 'docker0')
> > * check permission settings of the 'captures' directory - this should be
> > fine because a simple "touch /var/pmacct/captures/foobar" works and the
> > file does exist as observed in the directory on the host itself
> > * run the container _not_ in host-sniffing mode, so just inside its own
> > network-bubble, then cause traffic against it and observe it writing
> > data to the 'captures' directory - works!
> >
> > Because I started to doubt my own sanity I asked one of our Docker/K8S
> > experts to check my docker setup and he found no problem looking over
> > it, including via "docker inspect pmacct". So I'm fairly sure my mistake
> > is somewhere in the configuration of pmacctd but I cannot figure out
> > what is. Would someone please point it out to me ?
> >
> > Regards & Thanks,
> > Thomas
> >
> > PS: It's been almost 10 years since I've posted to a mailing list.
> > Please forgive any conventions/best-practices missteps.
> >
> >
> > _______________________________________________
> > pmacct-discussion mailing list
> > http://www.pmacct.net/#mailinglists
>
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
