Monitoring Crypto Express Network API for Secure Execution Enclaves
The Prometheus Node Exporter is installed along with Crypto Express Network API for Secure Execution Enclaves. The Node Exporter exposes a wide variety of hardware and kernel related metrics, which can be scraped by Prometheus for monitoring.
Configuring the monitoring service
Preparing the parameters for authentication
Node Exporter does not perform authentication by default. To add a user, you must define a password. The following is an example of how you can generate a random password:
# Generate a random password and its bcrypt hash (cost 10) for Node Exporter basic auth
password=$(openssl rand -base64 32)
passwordHashed=$(echo "${password}" | htpasswd -inBC 10 "" | tr -d ':\n')
echo "Clear password to keep for Prometheus Server: ${password}"
Note: If you don't have the htpasswd binary, you can install it on Debian or Ubuntu by running the apt-get install --no-install-recommends apache2-utils command.
Save the "clear password" because you will need it later for verifying the metrics and configuring Prometheus.
Preparing the certificates for TLS encryption
Node Exporter doesn't encrypt communications by default. You can avoid unencrypted communication by configuring TLS encryption.
You can run a Prometheus instance served with TLS. You must generate the following certificates by using OpenSSL, or an analogous tool:
Filename | Description |
---|---|
tlsCertificate.crt | an SSL certificate |
tlsCertificate.key | an SSL key |
The following snippet is an example of how you can create the certificates:
# Create TLS certificate
cd /tmp
sudo openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
    -keyout tlsCertificate.key \
    -out tlsCertificate.crt \
    -subj "/CN=`hostname`" \
    -addext "subjectAltName = DNS:`hostname`"
Setting secure settings for CA monitoring
You can leverage the /api/com.ibm.crypto/camonitor:POST API to set up secure settings for CA monitoring.
Step 2. Submit the request
curl -k -X POST -d@camon.json https://${dst_server_ip}/api/com.ibm.crypto/camonitor/ -H 'zACI-API: com.ibm.zaci.system/1.0' -H 'Content-type: application/vnd.ibm.zaci.payload+json;version=1.0' -H 'Accept: application/vnd.ibm.zaci.payload+json' -H "Authorization: Bearer ${auth_token}"
Notes: All password-related or certificate-related parameters should be Base64-encoded. You can use the following commands to encode them:
For password related parameters
echo -n ${passwordHashed} | base64
For certificate related parameters
base64 <certificate> -w 0
Verifying the metrics
You can verify that metrics are being exported by using the following command:
curl -k -u ${username}:${password} https://<server-ip>:9100/metrics
The following is an example of the output:
# HELP go_gc_duration_seconds A summary of the GC invocation durations.
# TYPE go_gc_duration_seconds summary
go_gc_duration_seconds{quantile="0"} 3.8996e-05
go_gc_duration_seconds{quantile="0.25"} 4.5926e-05
go_gc_duration_seconds{quantile="0.5"} 5.846e-05
...
Checking different types of metrics
1. General collectors enabled by default
The Node Exporter exposes metrics that Prometheus can scrape, including a wide variety of system metrics further down in the output (prefixed with node_). For more information, see Enabled by default.
To view those metrics (along with help and type information), run the following command:
curl -k -u ${username}:${password} https://<server-ip>:9100/metrics | grep "node_"
The following snippet is an example of the output:
# HELP node_cpu_guest_seconds_total Seconds the CPUs spent in guests (VMs) for each mode.
# TYPE node_cpu_guest_seconds_total counter
node_cpu_guest_seconds_total{cpu="0",mode="nice"} 0
node_cpu_guest_seconds_total{cpu="0",mode="user"} 0
node_cpu_guest_seconds_total{cpu="1",mode="nice"} 0
node_cpu_guest_seconds_total{cpu="1",mode="user"} 0
...
Configuring the Prometheus Server
After checking out the different metric types, you can configure your Prometheus server to scrape data from the Node Exporter. For more information, see Configuring your Prometheus instances.
The following is an example of configuring Prometheus to fetch data from the monitoring endpoint.
- job_name: 'example'
  scrape_interval: 5s
  static_configs:
    - targets: ['${prom-ip}:9100']
  scheme: https
  basic_auth:
    username: "${username}"
    password: "${password}"
  tls_config:
    insecure_skip_verify: true
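The same scrape job with certificate verification left on, trusting the self-signed tlsCertificate.crt created earlier instead of setting insecure_skip_verify. This is an added example, not part of the original page: the file paths and the <san-hostname> placeholder are assumptions, while ca_file, server_name and password_file are standard Prometheus scrape options.

```yaml
- job_name: 'example'
  scrape_interval: 5s
  scheme: https
  static_configs:
    - targets: ['${prom-ip}:9100']
  basic_auth:
    username: "${username}"
    # Read the clear password from a file that only the Prometheus user can
    # read, instead of embedding it in the main configuration file.
    password_file: /etc/prometheus/secrets/node_exporter.pass   # hypothetical path
  tls_config:
    # Trust exactly the self-signed certificate generated in
    # "Preparing the certificates for TLS encryption". Copy only
    # tlsCertificate.crt to the Prometheus host, never tlsCertificate.key.
    ca_file: /etc/prometheus/certs/tlsCertificate.crt           # hypothetical path
    # The certificate carries only a DNS name in subjectAltName. When the
    # target above is an IP address, tell Prometheus which name to verify.
    server_name: "<san-hostname>"                               # placeholder
    # Verification stays enabled; a wrong or swapped certificate now fails
    # the scrape instead of being silently accepted.
    insecure_skip_verify: false
```

The matching manual check replaces curl's -k with --cacert tlsCertificate.crt and uses the host name from the certificate in the URL.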
Exploring metrics
After integrating with the Prometheus instance, you can explore metrics in the Prometheus expression browser by following the guidance at Exploring Node Exporter metrics through the Prometheus expression browser.