Collectd built by OpenWrt is not supporting encryption. How is everyone collecting their stats?

christophe · August 7, 2022, 5:39pm

Hey everyone, so I'm running the Wlan for a cafe.

Everything is working out fairly well. For a closer look I wanted to use collectd to send data collected by the APs to a central instance, i.e. tx retries, tx failed, rx drop misc, tx/tx rate, aqm stats, airtime stats, etc.

Turns out collectd on OpenWrt still doesn't support encryption. I understand this is a community project and has been an issue for a while. https://github.com/openwrt/packages/issues/5458

I wonder how everyone else is sending stats to a remote destination in a privacy preserving manner?

# logread
collectd: plugin_load: plugin "network" successfully loaded.
collectd: network plugin: Option `SecurityLevel' is not allowed here.
collectd: network plugin: Option `Username' is not allowed here.
collectd: network plugin: Option `Password' is not allowed here.
 
# ldd /usr/sbin/collectd 
/lib/ld-musl-armhf.so.1 (0xb6f24000)
libz.so.1 => /usr/lib/libz.so.1 (0xb6f01000)
liblua.so.5.1.5 => /usr/lib/liblua.so.5.1.5 (0xb6ed1000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xb6eb5000)
libc.so => /lib/ld-musl-armhf.so.1 (0xb6f24000)
 
OpenWrt 22.03.0-rc6
TP-Link Archer C2600 (and others)
Linux 5.10.134

Best,
Christophe

giuliomagnifico · August 7, 2022, 6:10pm

I’m using collectd-to-prometheus exporter, it exports to a prometheus server inside my LAN (to build Grafana stats) then it exports to a remote endpoint (encrypted). A bit tricky but it works…

hnyman · August 7, 2022, 6:17pm

Well, since January 2018 there has again been an option to enable encryption, but you have to compile the package with that option enabled by yourself.

The github issue that you linked was marked as solved in January 2018. The issue also contained a link to merged PR enabling encryption again.

christophe · August 7, 2022, 6:30pm

The OpenWrt project decided to not enable encryption by default. We aren't https://linuxfromscratch.org/

slh · August 7, 2022, 9:32pm

Well, some options are only available at built-time (even nicely exposed as a buildsystem config symbol) - either take it, or don't.

christophe · August 8, 2022, 11:32am

Sure. Are you running it this way?

Is anyone using Telegraf?

christophe · August 8, 2022, 6:01pm

@hnyman @slh are you using collectd encryption though buildroot? Please share some details.

hnyman · August 8, 2022, 6:07pm

What details?
Use menuconfig to select encryption for collectd and compile the collectd modules (and the needed libgcrypt library). Opkg install them.

OpenWrt is actually pretty size-conscious due to limited flash space in many routers, so quite many packages have a reduced functionality as the default set offered, while the build system enables the enthusiast user to compile a personal version with more features enabled. In that sense, we are for "building your own custom Linux system, entirely from source code"...

christophe · August 8, 2022, 6:09pm

I know that. My initial question was:

I wonder how everyone else is sending stats to a remote destination in a privacy preserving manner?

If this is not you, don't worry.

hnyman · August 8, 2022, 6:15pm

I don't

But as your statement preceding that sentence was wrong, I tried to point you to the right direction, that using encryption in collectd itself is possible.

The preceding sentence:

That issue was solved in Jan 2018 via PR 5468 re-enabling the optional encryption in collectd compilation. https://github.com/openwrt/packages/pull/5468
That requires you compiling the encryption enabled version, but is natively possible.

christophe · August 8, 2022, 6:24pm

My apologies, I didn't want to be rude. I had hopes of receiving real-life feedback. I am trying to find out what everyone is doing in 2022.

When it comes to what is technically possible, you are very right, and I'm aware of that.

christophe · August 9, 2022, 4:12pm

Collectd is missing from Ubuntu 22.04 currently. I wonder if it has a future. https://bugs.launchpad.net/ubuntu/+source/collectd/+bug/1971093