Free Idea: dnf Prometheus Exporter

This port is part of a series of “Free Ideas“, ideas for projects that came to my mind as being useful to me and in general, but for which I have no time, energy, or skills to work on. If you’re interested in implementing any of the Free Ideas from my blog, please be my guest! I’m also going to try something different this time around, and will write in more details about it at the end of this post, please keep reading!

Earlier this year I bit the bullet and decided to go back and maintain my own personal infrastructure presence in the form of vservers at Hetzner. I have tried quite a few other options to reduce my dependency on infrastructure I maintain personally, since I don’t like self-hosting, and because I’m afraid that it would just end up in a time sink of me spending more time administering the infrastructure than writing new software or blog posts for the public (or working on pictures for myself.)

As it happens, I’m also not the kind of person that ignores the cloud, and I indeed already attempted to use Google Cloud and Azure, as well as obviously WordPress.com and Netlify. But between costs (the cloud, being a computer someone else manages for you, is time-cheap but money-expensive, which is a tradeoff that gets old fast particularly for individuals), and maintenance headaches (among others, Netlify made it extremely difficult for me to deploy Autotools Mythbuster through them), it turns out to be a losing proposition anyway.

The level of maintenance required by most of this infra is still fairly minimal: with the exception of the blog, for which I decided to dedicate a separate vserver with the intention of having an easier time to snapshot and mirror if needed, the only real collected data is metrics: I set up Prometheus and Grafana to make sure I could get at least some basic notification if something went wrong, and I set up goaccess to at least maintain an eye if a spike of requests come through from particular scrapers. For at least that host, the worst that can happen if it dies is that I’ll have to create a new VPS, copy over the configuration from my local staging VM, and re-upload it. The toughest configuration is tarsnap, and it’s not tough at all.

Even with this safety (and a lot more than that for my blog’s host), I still feel uneasy to leave security updates pending on the base host for time that feels too long. There’s little to nothing that can uses untrusted sources, but I can’t help to always feel like I should be doing more about it. And since I already have a bunch of alerts set up with Prometheus and AlertManager (for things like database connections and errors and the like), I would like to have some monitoring and alerting on the updates present at the dnf level.

When I asked about this on Mastodon, I was pointed at a text-processing based exporter for yum (the older CentOS package manager.) Besides reminding me a lot of Munin, and in particular of the (nowadays passé) architecture of separately executable plugins, I’m put off by the fact that this exporter lacks the level of details I would desire: how many packages are pending updates at any one time, how many of those are security-relevant, is a restart necessary, and how much time passed since the last update.

While the execution model is more of a micro-optimization out of personal experience with the Munin architecture, the needs for details is coming out of practical needs. I definitely don’t want to be woken up in the middle of the night for a non-security update having been available for a day (not that anything in my personal infra is able to wake me up, that’s reserved for work) but on the other hand I do want to get a very clear and visible notification if a new security relevant update is available and I have put it off for half a day already! (Even better, but admittedly I have not done that yet, would be to keep one of the acrylic lamps flashing or changing color to remind me to pay attention.)

While for the time being this could be solved with a relatively simple cron script that just sends me an email, I would much prefer having this integrated with the rest of my alerts. After all, I’m now monitoring and alerting on three separate CentOS systems (one for static sites and monitoring, one for the blog and a couple of other dynamic applications likely coming up, and one that is only internally-reachable for Paperless, Calibre Web, and UniFi) with more possibly coming up if this infra keeps expanding, so having a way to collate alerts for the same cause (new security update) through Prometheus would definitely help me.

I briefly looked at the options, and it does look like CentOS provides a Python 3 library to interact with dnf, although they do not make it available on PyPI since it’s not generally-installable. Alternatively, there are C libraries that should be accessible from other languages like Go and Rust, so that all options are open to monitor this. Personally, I don’t care much how the thing is written as long as it can be put to COPR and installed on both aarch64 and x86-64. I just don’t really have the time, this moment, to go and build anything like this.

Trying Something Different

In the past, I have mostly thrown Free Ideas out and about and just hoped that someone would pick it up. I want to try something different, particularly for this one idea, but I could be convinced to try it for most of the older ones as well: I’m willing to pay someone to implement this.

Most of the Free Ideas I write about are the kind of time-saving projects that are not saving enough time for me to feel the push to go and execute on them, or that involve work that is either outside my area of expertise altogether or too close for comfort. But they are still good ideas, I believe.

Since I have stable income, and I’m not going any time soon to dedicate more of my free time for software development that is tedious to me in particular, I’m more than willing to give someone money to sort the problem — after all I do that often enough with proprietary solutions, doing that for Free Software development should be even better!

I also realize that, in many cases, a fair amount of money for the development is beyond the type of spend I can take without consulting my wife and making sure we’re not just going overboard. Which means it’s likely that for these projects to be doable, they would require more people to chip-in. I’d be happy to help manage a crowdfunding campaign to get this (and other) projects done, if you believe you have the skills to do it, so reach out to me!

Maybe another Free Idea could be setting up a Fiverr-style FLOSS commissioning website, where bounty ideas like these can be posted, with money provided or promised, for independent or younger FLOSS developers to pick up and work on. I’m sure I’m not the only well paid Big Tech employee that is going to be happy to fund FLOSS development, and who has more ideas than they’ve got time for!

Exit mobile version