Document permission setup for powerdns_recursor (#6231)

plugins/inputs/powerdns_recursor/README.md

@@ -1,139 +1,163 @@
 # PowerDNS Recursor Input Plugin
 
-The powerdns recursor plugin gathers metrics about PowerDNS Recursor using unix socket.
+The `powerdns_recursor` plugin gathers metrics about PowerDNS Recursor using
+the unix controlsocket.
 
-### Configuration:
+### Configuration
 
-```
+```toml
-# Read metrics from one or many PowerDNS recursors
 [[inputs.powerdns_recursor]]
-  ## An array of sockets to gather stats about.
+  ## Path to the Recursor control socket.
-  ## Specify a path to unix socket.
-  ##
-  ## If no servers are specified, then '/var/run/pdns_recursor.controlsocket' is used as the path.
   unix_sockets = ["/var/run/pdns_recursor.controlsocket"]
 
-  ## Socket for Receive
+  ## Directory to create receive socket.  This default is likely not writable,
+  ## please reference the full plugin documentation for a recommended setup.
   # socket_dir = "/var/run/"
-  ## Socket permissions
+  ## Socket permissions for the receive socket.
   # socket_mode = "0666"
 ```
 
-### Measurements & Fields:
+#### Permissions
+
+Telegraf will need read/write access to the control socket and to the
+`socket_dir`.  PowerDNS will need to be able to write to the `socket_dir`.
+
+The setup described below was tested on a Debian Stretch system and may need
+adapted for other systems.
+
+First change permissions on the controlsocket in the PowerDNS recursor
+configuration, usually in `/etc/powerdns/recursor.conf`:
+```
+socket-mode = 660
+```
+
+Then place the `telegraf` user into the `pdns` group:
+```
+usermod telegraf -a -G pdns
+```
+
+Since `telegraf` cannot write to to the default `/var/run` socket directory,
+create a subdirectory and adjust permissions for this directory so that both
+users can access it.
+```sh
+$ mkdir /var/run/pdns
+$ chown root:pdns /var/run/pdns
+$ chmod 770 /var/run/pdns
+```
+
+### Metrics
 
 - powerdns_recursor
- - all-outqueries
+  - tags:
- - answers-slow
+    - server
- - answers0-1
+  - fields:
- - answers1-10
+    - all-outqueries
- - answers10-100
+    - answers-slow
- - answers100-1000
+    - answers0-1
- - auth-zone-queries
+    - answers1-10
- - auth4-answers-slow
+    - answers10-100
- - auth4-answers0-1
+    - answers100-1000
- - auth4-answers1-10
+    - auth-zone-queries
- - auth4-answers10-100
+    - auth4-answers-slow
- - auth4-answers100-1000
+    - auth4-answers0-1
- - auth6-answers-slow
+    - auth4-answers1-10
- - auth6-answers0-1
+    - auth4-answers10-100
- - auth6-answers1-10
+    - auth4-answers100-1000
- - auth6-answers10-100
+    - auth6-answers-slow
- - auth6-answers100-1000
+    - auth6-answers0-1
- - cache-entries
+    - auth6-answers1-10
- - cache-hits
+    - auth6-answers10-100
- - cache-misses
+    - auth6-answers100-1000
- - case-mismatches
+    - cache-entries
- - chain-resends
+    - cache-hits
- - client-parse-errors
+    - cache-misses
- - concurrent-queries
+    - case-mismatches
- - dlg-only-drops
+    - chain-resends
- - dnssec-queries
+    - client-parse-errors
- - dnssec-result-bogus
+    - concurrent-queries
- - dnssec-result-indeterminate
+    - dlg-only-drops
- - dnssec-result-insecure
+    - dnssec-queries
- - dnssec-result-nta
+    - dnssec-result-bogus
- - dnssec-result-secure
+    - dnssec-result-indeterminate
- - dnssec-validations
+    - dnssec-result-insecure
- - dont-outqueries
+    - dnssec-result-nta
- - ecs-queries
+    - dnssec-result-secure
- - ecs-responses
+    - dnssec-validations
- - edns-ping-matches
+    - dont-outqueries
- - edns-ping-mismatches
+    - ecs-queries
- - failed-host-entries
+    - ecs-responses
- - fd-usage
+    - edns-ping-matches
- - ignored-packets
+    - edns-ping-mismatches
- - ipv6-outqueries
+    - failed-host-entries
- - ipv6-questions
+    - fd-usage
- - malloc-bytes
+    - ignored-packets
- - max-cache-entries
+    - ipv6-outqueries
- - max-mthread-stack
+    - ipv6-questions
- - max-packetcache-entries
+    - malloc-bytes
- - negcache-entries
+    - max-cache-entries
- - no-packet-error
+    - max-mthread-stack
- - noedns-outqueries
+    - max-packetcache-entries
- - noerror-answers
+    - negcache-entries
- - noping-outqueries
+    - no-packet-error
- - nsset-invalidations
+    - noedns-outqueries
- - nsspeeds-entries
+    - noerror-answers
- - nxdomain-answers
+    - noping-outqueries
- - outgoing-timeouts
+    - nsset-invalidations
- - outgoing4-timeouts
+    - nsspeeds-entries
- - outgoing6-timeouts
+    - nxdomain-answers
- - over-capacity-drops
+    - outgoing-timeouts
- - packetcache-entries
+    - outgoing4-timeouts
- - packetcache-hits
+    - outgoing6-timeouts
- - packetcache-misses
+    - over-capacity-drops
- - policy-drops
+    - packetcache-entries
- - policy-result-custom
+    - packetcache-hits
- - policy-result-drop
+    - packetcache-misses
- - policy-result-noaction
+    - policy-drops
- - policy-result-nodata
+    - policy-result-custom
- - policy-result-nxdomain
+    - policy-result-drop
- - policy-result-truncate
+    - policy-result-noaction
- - qa-latency
+    - policy-result-nodata
- - query-pipe-full-drops
+    - policy-result-nxdomain
- - questions
+    - policy-result-truncate
- - real-memory-usage
+    - qa-latency
- - resource-limits
+    - query-pipe-full-drops
- - security-status
+    - questions
- - server-parse-errors
+    - real-memory-usage
- - servfail-answers
+    - resource-limits
- - spoof-prevents
+    - security-status
- - sys-msec
+    - server-parse-errors
- - tcp-client-overflow
+    - servfail-answers
- - tcp-clients
+    - spoof-prevents
- - tcp-outqueries
+    - sys-msec
- - tcp-questions
+    - tcp-client-overflow
- - throttle-entries
+    - tcp-clients
- - throttled-out
+    - tcp-outqueries
- - throttled-outqueries
+    - tcp-questions
- - too-old-drops
+    - throttle-entries
- - udp-in-errors
+    - throttled-out
- - udp-noport-errors
+    - throttled-outqueries
- - udp-recvbuf-errors
+    - too-old-drops
- - udp-sndbuf-errors
+    - udp-in-errors
- - unauthorized-tcp
+    - udp-noport-errors
- - unauthorized-udp
+    - udp-recvbuf-errors
- - unexpected-packets
+    - udp-sndbuf-errors
- - unreachables
+    - unauthorized-tcp
- - uptime
+    - unauthorized-udp
- - user-msec
+    - unexpected-packets
- - x-our-latency
+    - unreachables
- - x-ourtime-slow
+    - uptime
- - x-ourtime0-1
+    - user-msec
- - x-ourtime1-2
+    - x-our-latency
- - x-ourtime16-32
+    - x-ourtime-slow
- - x-ourtime2-4
+    - x-ourtime0-1
- - x-ourtime4-8
+    - x-ourtime1-2
- - x-ourtime8-16
+    - x-ourtime16-32
+    - x-ourtime2-4
+    - x-ourtime4-8
+    - x-ourtime8-16
 
-### Tags:
+### Example Output
-
-- tags: `server=socket`
-
-### Example Output:
 
 ```
-$ ./telegraf --config telegraf.conf --input-filter powerdns_recursor --test
+powerdns_recursor,server=/var/run/pdns_recursor.controlsocket all-outqueries=3631810i,answers-slow=36863i,answers0-1=179612i,answers1-10=1223305i,answers10-100=1252199i,answers100-1000=408357i,auth-zone-queries=4i,auth4-answers-slow=44758i,auth4-answers0-1=59721i,auth4-answers1-10=1766787i,auth4-answers10-100=1329638i,auth4-answers100-1000=430372i,auth6-answers-slow=0i,auth6-answers0-1=0i,auth6-answers1-10=0i,auth6-answers10-100=0i,auth6-answers100-1000=0i,cache-entries=296689i,cache-hits=150654i,cache-misses=2949682i,case-mismatches=0i,chain-resends=420004i,client-parse-errors=0i,concurrent-queries=0i,dlg-only-drops=0i,dnssec-queries=152970i,dnssec-result-bogus=0i,dnssec-result-indeterminate=0i,dnssec-result-insecure=0i,dnssec-result-nta=0i,dnssec-result-secure=47i,dnssec-validations=47i,dont-outqueries=62i,ecs-queries=0i,ecs-responses=0i,edns-ping-matches=0i,edns-ping-mismatches=0i,failed-host-entries=21i,fd-usage=32i,ignored-packets=0i,ipv6-outqueries=0i,ipv6-questions=0i,malloc-bytes=0i,max-cache-entries=1000000i,max-mthread-stack=33747i,max-packetcache-entries=500000i,negcache-entries=100019i,no-packet-error=0i,noedns-outqueries=73341i,noerror-answers=25453808i,noping-outqueries=0i,nsset-invalidations=2398i,nsspeeds-entries=3966i,nxdomain-answers=3341302i,outgoing-timeouts=44384i,outgoing4-timeouts=44384i,outgoing6-timeouts=0i,over-capacity-drops=0i,packetcache-entries=78258i,packetcache-hits=25999027i,packetcache-misses=3100179i,policy-drops=0i,policy-result-custom=0i,policy-result-drop=0i,policy-result-noaction=3100336i,policy-result-nodata=0i,policy-result-nxdomain=0i,policy-result-truncate=0i,qa-latency=6553i,query-pipe-full-drops=0i,questions=29099363i,real-memory-usage=280494080i,resource-limits=0i,security-status=1i,server-parse-errors=0i,servfail-answers=304253i,spoof-prevents=0i,sys-msec=1312600i,tcp-client-overflow=0i,tcp-clients=0i,tcp-outqueries=116i,tcp-questions=133i,throttle-entries=21i,throttled-out=13296i,throttled-outqueries=13296i,too-old-drops=2i,udp-in-errors=4i,udp-noport-errors=2918i,udp-recvbuf-errors=0i,udp-sndbuf-errors=0i,unauthorized-tcp=0i,unauthorized-udp=0i,unexpected-packets=0i,unreachables=1708i,uptime=167482i,user-msec=1282640i,x-our-latency=19i,x-ourtime-slow=642i,x-ourtime0-1=3095566i,x-ourtime1-2=3401i,x-ourtime16-32=201i,x-ourtime2-4=304i,x-ourtime4-8=198i,x-ourtime8-16=24i 1533903879000000000
-> powerdns_recursor,server=/var/run/pdns_recursor.controlsocket all-outqueries=3631810i,answers-slow=36863i,answers0-1=179612i,answers1-10=1223305i,answers10-100=1252199i,answers100-1000=408357i,auth-zone-queries=4i,auth4-answers-slow=44758i,auth4-answers0-1=59721i,auth4-answers1-10=1766787i,auth4-answers10-100=1329638i,auth4-answers100-1000=430372i,auth6-answers-slow=0i,auth6-answers0-1=0i,auth6-answers1-10=0i,auth6-answers10-100=0i,auth6-answers100-1000=0i,cache-entries=296689i,cache-hits=150654i,cache-misses=2949682i,case-mismatches=0i,chain-resends=420004i,client-parse-errors=0i,concurrent-queries=0i,dlg-only-drops=0i,dnssec-queries=152970i,dnssec-result-bogus=0i,dnssec-result-indeterminate=0i,dnssec-result-insecure=0i,dnssec-result-nta=0i,dnssec-result-secure=47i,dnssec-validations=47i,dont-outqueries=62i,ecs-queries=0i,ecs-responses=0i,edns-ping-matches=0i,edns-ping-mismatches=0i,failed-host-entries=21i,fd-usage=32i,ignored-packets=0i,ipv6-outqueries=0i,ipv6-questions=0i,malloc-bytes=0i,max-cache-entries=1000000i,max-mthread-stack=33747i,max-packetcache-entries=500000i,negcache-entries=100019i,no-packet-error=0i,noedns-outqueries=73341i,noerror-answers=25453808i,noping-outqueries=0i,nsset-invalidations=2398i,nsspeeds-entries=3966i,nxdomain-answers=3341302i,outgoing-timeouts=44384i,outgoing4-timeouts=44384i,outgoing6-timeouts=0i,over-capacity-drops=0i,packetcache-entries=78258i,packetcache-hits=25999027i,packetcache-misses=3100179i,policy-drops=0i,policy-result-custom=0i,policy-result-drop=0i,policy-result-noaction=3100336i,policy-result-nodata=0i,policy-result-nxdomain=0i,policy-result-truncate=0i,qa-latency=6553i,query-pipe-full-drops=0i,questions=29099363i,real-memory-usage=280494080i,resource-limits=0i,security-status=1i,server-parse-errors=0i,servfail-answers=304253i,spoof-prevents=0i,sys-msec=1312600i,tcp-client-overflow=0i,tcp-clients=0i,tcp-outqueries=116i,tcp-questions=133i,throttle-entries=21i,throttled-out=13296i,throttled-outqueries=13296i,too-old-drops=2i,udp-in-errors=4i,udp-noport-errors=2918i,udp-recvbuf-errors=0i,udp-sndbuf-errors=0i,unauthorized-tcp=0i,unauthorized-udp=0i,unexpected-packets=0i,unreachables=1708i,uptime=167482i,user-msec=1282640i,x-our-latency=19i,x-ourtime-slow=642i,x-ourtime0-1=3095566i,x-ourtime1-2=3401i,x-ourtime16-32=201i,x-ourtime2-4=304i,x-ourtime4-8=198i,x-ourtime8-16=24i 1533903879000000000
 ```

plugins/inputs/powerdns_recursor/powerdns_recursor.go

@@ -27,14 +27,14 @@ type PowerdnsRecursor struct {
 var defaultTimeout = 5 * time.Second
 
 var sampleConfig = `
-  ## An array of sockets to gather stats about.
+  ## Path to the Recursor control socket.
-  ## Specify a path to unix socket.
   unix_sockets = ["/var/run/pdns_recursor.controlsocket"]
 
-  ## Socket for Receive
+  ## Directory to create receive socket.  This default is likely not writable,
-  #socket_dir = "/var/run/"
+  ## please reference the full plugin documentation for a recommended setup.
-  ## Socket permissions
+  # socket_dir = "/var/run/"
-  #socket_mode = "0666"
+  ## Socket permissions for the receive socket.
+  # socket_mode = "0666"
 `
 
 func (p *PowerdnsRecursor) SampleConfig() string {