natrontech / pbs-exporter Goto Github PK

Test with Proxmox Backup Server 3.X (see Roadmap)

Hi

Exporter will set pbs_up = 0 when some datastore is being deleted
I think It does not make sense to set pbs_up = 0 because the proxmox backup server still working and can get other metrics.

I have created PR #7 to check datastore is being deleted.
I already check PBS API docs. It does seem not to have any paths to get its status.

Pbs-exporter authentication to PBS is based on Token access linked to a user.
Authentication credentials must be the same for all the endpoints.

As far as I know, there is no way to force the token value in PBS, instead it will be automatically generated by the user interface.

I found a way to force the token, writing directly inside the /etc/proxmox-backup/token.shadow but it seems not very straightforward.

Did I miss something ?

Support multiple endpoints with one exporter like the prometheus-pve-exporter.

- job_name: 'pbs-exporter'
  static_configs:
    - targets:
      - <target-ip-1>
      - <target-ip-2>
  metrics_path: /metrics
  params:
    module: [default]
  relabel_configs:
    - source_labels: [__address__]
      target_label: __param_target
    - source_labels: [__param_target]
      target_label: instance
    - target_label: __address__
      replacement: pbs-exporter:9101

deploy config as below

docker-compose.yaml
services:
pbs-exporter:
image: ghcr.io/natrontech/pbs-exporter:latest
container_name: pbs-exporter
restart: always
ports:
- "10019:10019"
environment:
- PBS_API_TOKEN=b975aa4f-2abf-49ac-bd7d-929530b0b8e5
- PBS_ENDPOINT=http://192.168.31.64:8007
- PBS_INSECURE=false

sudo docker logs pbs-exporter
2024/09/08 12:46:07 INFO: Starting PBS Exporter v0.6.1, commit e8c63cb, built at 2024-07-08T14:17:48+00:00
2024/09/08 12:46:07 INFO: Using fix connection endpoint: http://192.168.31.64:8007
2024/09/08 12:46:07 INFO: Listening on: :10019
2024/09/08 12:46:07 INFO: Metrics path: /metrics
2024/09/08 12:46:10 Get "https://192.168.31.64:8007": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, ::1, not 192.168.31.64
2024/09/08 12:46:11 Get "https://192.168.31.64:8007": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, ::1, not 192.168.31.64

Add attestation for the release artifacts according the SLSA build level 3 specification.

I propose to add support to dockerfile secrets for PBS_USERNAME, PBS_API_TOKEN_NAME and PBS_API_TOKEN.

Idea is to move secrets outside of docker-compose file for instance for security purpose.

As example a docker-compose file can be created like this:
proxmoxbackup:
image: ghcr.io/natrontech/pbs-exporter:0.1.5
container_name: proxmoxbackup
restart: always
secrets:
- proxmoxbackup-username
- proxmoxbackup-api-token-name
- proxmoxbackup-api-token
environment:
PBS_USERNAME_FILE: /run/secrets/proxmoxbackup-username
PBS_API_TOKEN_NAME_FILE: /run/secrets/proxmoxbackup-api-token-name
PBS_API_TOKEN_FILE: /run/secrets/proxmoxbackup-api-token

secrets:
proxmoxbackup-username:
file: "./.secrets/proxmoxbackup_username.secret"
proxmoxbackup-api-token-name:
file: "./.secrets/proxmoxbackup_api_token_name.secret"
proxmoxbackup-api-token:
file: "./.secrets/proxmoxbackup_api_token.secret"

All secrets are now stored in a folder .secrets.

Convention naming for secrets in docker is to add _FILE to regular environnement variable.
In our case we need to manage PBS_USERNAME_FILE, PBS_API_TOKEN_NAME_FILE and PBS_API_TOKEN_FILE env variables.

I just adapt the main.go to read the new env variable for the secret file name and read the first line from the file.

Sorry I cannot add a file here so I post a diff of main

diff --git a/main.go b/main.go
index 1e6686d..cd8cd88 100644
--- a/main.go
+++ b/main.go
@@ -1,6 +1,7 @@
package main

import (

• "bufio"
  "crypto/tls"
  "encoding/json"
  "flag"
  @@ -234,6 +235,24 @@ type Exporter struct {
  authorizationHeader string
  }

+func ReadSecretFile(secretfilename string) string {

• file, err := os.Open(secretfilename)
• // flag to check the file format
• if err != nil {

•   log.Fatal(err)
  

• }
• // Close the file
• defer func() {

•   if err = file.Close(); err != nil {
  

•   	log.Fatal(err)
  

•   }
  

• }()
• // Read the first line
• line := bufio.NewScanner(file)
• line.Scan()
• return line.Text()
  +}

func NewExporter(endpoint string, username string, apitoken string, apitokenname string) *Exporter {
return &Exporter{
endpoint: endpoint,
@@ -660,12 +679,24 @@ func main() {
}
if os.Getenv("PBS_USERNAME") != "" {
*username = os.Getenv("PBS_USERNAME")

• } else {

•   if os.Getenv("PBS_USERNAME_FILE") != "" {
  

•   	*username = ReadSecretFile(os.Getenv("PBS_USERNAME_FILE"))
  

•   }
  

  }
  if os.Getenv("PBS_API_TOKEN_NAME") != "" {
  *apitokenname = os.Getenv("PBS_API_TOKEN_NAME")
• } else {

•   if os.Getenv("PBS_API_TOKEN_NAME_FILE") != "" {
  

•   	*apitokenname = ReadSecretFile(os.Getenv("PBS_API_TOKEN_NAME_FILE"))
  

•   }
  

  }
  if os.Getenv("PBS_API_TOKEN") != "" {
  *apitoken = os.Getenv("PBS_API_TOKEN")
• } else {

•   if os.Getenv("PBS_API_TOKEN_FILE") != "" {
  

•   	*apitoken = ReadSecretFile(os.Getenv("PBS_API_TOKEN_FILE"))
  

•   }
  

  }
  if os.Getenv("PBS_TIMEOUT") != "" {
  *timeout = os.Getenv("PBS_TIMEOUT")

maybe pbs-exporter/grafana-dashboard/pbs-exporter.json have problem， could you take a test？

Would be great if you could export tape data.

Libraries
Media Pools
Number of tapes in each media pool
number of full tapes in each media pool
etc.