path: root/docs/netdata-security.md
author: Joel Hans <joel@netdata.cloud> 2020-06-12 09:42:58 -0700
committer: GitHub <noreply@github.com> 2020-06-12 09:42:58 -0700
commit: 2c64795b7cc4e21a9382f863ae354b137b367b45
tree: b714798283617f51e4e97a328beae1e9fbf46b0e /docs/netdata-security.md
parent: 68f1888227bac1602d8777742995e0276bf05510
Change streaming terminology to parent/child in docs (#9312)
* Initial pass through docs
* Dash instead of slash
* To parent/child
* Child nodes
* Change diagrams
* Allowlist
* Fixes for Andrew
* Remove from build_external
* Change in proc
Diffstat (limited to 'docs/netdata-security.md')
-rw-r--r-- docs/netdata-security.md 10
1 files changed, 8 insertions, 2 deletions
diff --git a/docs/netdata-security.md b/docs/netdata-security.md
index 36ee6d5e9d..97b9bae939 100644
--- a/docs/netdata-security.md
+++ b/docs/netdata-security.md
@@ -40,7 +40,10 @@ There are a few cases however that raw source data are only exposed to processes
So, Netdata **plugins**, even those running with escalated capabilities or privileges, perform a **hard coded data collection job**. They do not accept commands from Netdata. The communication is strictly **unidirectional**: from the plugin towards the Netdata daemon. The original application data collected by each plugin do not leave the process they are collected, are not saved and are not transferred to the Netdata daemon. The communication from the plugins to the Netdata daemon includes only chart metadata and processed metric values.
-Netdata slaves streaming metrics to upstream Netdata servers, use exactly the same protocol local plugins use. The raw data collected by the plugins of slave Netdata servers are **never leaving the host they are collected**. The only data appearing on the wire are chart metadata and metric values. This communication is also **unidirectional**: slave Netdata servers never accept commands from master Netdata servers.
+Child nodes use the same protocol when streaming metrics to their parent nodes. The raw data collected by the plugins of
+child Netdata servers are **never leaving the host they are collected**. The only data appearing on the wire are chart
+metadata and metric values. This communication is also **unidirectional**: child nodes never accept commands from
+parent Netdata servers.
## Netdata is read-only
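Review bot: In the first added sentence, "Child nodes use the same protocol" no longer says what the protocol is the same as. The removed line read "exactly the same protocol local plugins use", and that comparison is what ties streaming to the unidirectional guarantee described in the preceding paragraph, so I would keep it explicit: "Child nodes use the same protocol local plugins use when streaming metrics to their parent nodes." Two smaller points in the same paragraph: it alternates between "child nodes" / "parent nodes" and "child Netdata servers" / "parent Netdata servers", and since this commit is about terminology it would be cleaner to pick one pair; and "are **never leaving the host they are collected**" was carried over unchanged and would read better as "**never leave the host where they are collected**".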
@@ -190,7 +193,10 @@ Of course, there are many more methods you could use to protect Netdata:
- If you are always under a static IP, you can use the script given above to allow direct access to your Netdata servers without authentication, from all your static IPs.
-- install all your Netdata in **headless data collector** mode, forwarding all metrics in real-time to a master Netdata server, which will be protected with authentication using an nginx server running locally at the master Netdata server. This requires more resources (you will need a bigger master Netdata server), but does not require any firewall changes, since all the slave Netdata servers will not be listening for incoming connections.
+- install all your Netdata in **headless data collector** mode, forwarding all metrics in real-time to a parent
+ Netdata server, which will be protected with authentication using an nginx server running locally at the parent
+ Netdata server. This requires more resources (you will need a bigger parent Netdata server), but does not require
+ any firewall changes, since all the child Netdata servers will not be listening for incoming connections.
## Anonymous Statistics
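Review bot: The closing clause of the rewritten bullet, "all the child Netdata servers will not be listening for incoming connections", is ambiguous as a security statement, since it can be read as "not all of them". Suggest "none of the child Netdata servers will be listening for incoming connections". The same sentence says the setup "does not require any firewall changes" while the children are "forwarding all metrics in real-time to a parent Netdata server", so it may be worth stating that this refers to the children only and that the parent still has to be reachable by them. Style: the bullet begins with lowercase "install" while the bullet above it begins with a capital ("If you are always..."), and "install all your Netdata" is missing a noun (for example "all your Netdata agents").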