5
0
mirror of git://git.proxmox.com/git/pve-docs.git synced 2025-01-18 06:03:46 +03:00
pve-docs/notifications.adoc
Thomas Lamprecht 90e74e8557 notification: source style fixes
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2024-11-11 22:30:44 +01:00

465 lines
17 KiB
Plaintext

[[chapter_notifications]]
Notifications
=============
ifndef::manvolnum[]
:pve-toplevel:
endif::manvolnum[]
Overview
--------
[thumbnail="screenshot/gui-datacenter-notification-overview.png"]
* {pve} emits xref:notification_events[Notification Events] in case of
storage replication failures, node fencing, finished/failed backups
and other events.
These events are handled by the notification system. A notification
event has metadata, for example a timestamp, a severity level,
a type, and other optional metadata fields.
* xref:notification_matchers[Notification Matchers] route a notification
event to one or more notification targets. A matcher can have match
rules to selectively route based on the metadata of a notification event.
* xref:notification_targets[Notification Targets] are a destination to
which a notification event is routed to by a matcher.
There are multiple types of target, mail-based (Sendmail and SMTP)
and Gotify.
Backup jobs have a configurable xref:notification_mode[Notification Mode].
It allows you to choose between the notification system and a legacy mode
for sending notification emails. The legacy mode is equivalent to the
way notifications were handled before {pve} 8.1.
The notification system can be configured in the GUI under
Datacenter → Notifications. The configuration is stored in
`/etc/pve/notifications.cfg` and `/etc/pve/priv/notifications.cfg` -
the latter contains sensitive configuration options such as
passwords or authentication tokens for notification targets and can
only be read by `root`.
[[notification_targets]]
Notification Targets
--------------------
{pve} offers multiple types of notification targets.
[[notification_targets_sendmail]]
Sendmail
~~~~~~~~
[thumbnail="screenshot/gui-datacenter-notification-sendmail.png"]
The sendmail binary is a program commonly found on Unix-like operating systems
that handles the sending of email messages.
It is a command-line utility that allows users and applications to send emails
directly from the command line or from within scripts.
The sendmail notification target uses the `sendmail` binary to send emails to a
list of configured users or email addresses. If a user is selected as a recipient,
the email address configured in user's settings will be used.
For the `root@pam` user, this is the email address entered during installation.
A user's email address can be configured in
`Datacenter → Permissions → Users`.
If a user has no associated email address, no email will be sent.
NOTE: In standard {pve} installations, the `sendmail` binary is provided by
Postfix. It may be necessary to configure Postfix so that it can deliver
mails correctly - for example by setting an external mail relay (smart host).
In case of failed delivery, check the system logs for messages logged by
the Postfix daemon.
The configuration for Sendmail target plugins has the following options:
* `mailto`: E-Mail address to which the notification shall be sent to. Can be
set multiple times to accommodate multiple recipients.
* `mailto-user`: Users to which emails shall be sent to. The user's email
address will be looked up in `users.cfg`. Can be set multiple times to
accommodate multiple recipients.
* `author`: Sets the author of the E-Mail. Defaults to `Proxmox VE`.
* `from-address`: Sets the from address of the E-Mail. If the parameter is not
set, the plugin will fall back to the `email_from` setting from
`datacenter.cfg`. If that is also not set, the plugin will default to
`root@$hostname`, where `$hostname` is the hostname of the node.
* `comment`: Comment for this target
The `From` header in the email will be set to `$author <$from-address>`.
Example configuration (`/etc/pve/notifications.cfg`):
----
sendmail: example
mailto-user root@pam
mailto-user admin@pve
mailto max@example.com
from-address pve1@example.com
comment Send to multiple users/addresses
----
[[notification_targets_smtp]]
SMTP
~~~~
[thumbnail="screenshot/gui-datacenter-notification-smtp.png"]
SMTP notification targets can send emails directly to an SMTP mail relay.
This target does not use the system's MTA to deliver emails.
Similar to sendmail targets, if a user is selected as a recipient, the user's configured
email address will be used.
NOTE: Unlike sendmail targets, SMTP targets do not have any queuing/retry mechanism
in case of a failed mail delivery.
The configuration for SMTP target plugins has the following options:
* `mailto`: E-Mail address to which the notification shall be sent to. Can be
set multiple times to accommodate multiple recipients.
* `mailto-user`: Users to which emails shall be sent to. The user's email
address will be looked up in `users.cfg`. Can be set multiple times to
accommodate multiple recipients.
* `author`: Sets the author of the E-Mail. Defaults to `Proxmox VE`.
* `from-address`: Sets the From-address of the email. SMTP relays might require
that this address is owned by the user in order to avoid spoofing.
The `From` header in the email will be set to `$author <$from-address>`.
* `username`: Username to use during authentication. If no username is set,
no authentication will be performed. The PLAIN and LOGIN authentication methods
are supported.
* `password`: Password to use when authenticating.
* `mode`: Sets the encryption mode (`insecure`, `starttls` or `tls`). Defaults
to `tls`.
* `server`: Address/IP of the SMTP relay
* `port`: The port to connect to. If not set, the used port
defaults to 25 (`insecure`), 465 (`tls`) or 587 (`starttls`), depending on the
value of `mode`.
* `comment`: Comment for this target
Example configuration (`/etc/pve/notifications.cfg`):
----
smtp: example
mailto-user root@pam
mailto-user admin@pve
mailto max@example.com
from-address pve1@example.com
username pve1
server mail.example.com
mode starttls
----
The matching entry in `/etc/pve/priv/notifications.cfg`, containing the
secret token:
----
smtp: example
password somepassword
----
[[notification_targets_gotify]]
Gotify
~~~~~~
[thumbnail="screenshot/gui-datacenter-notification-gotify.png"]
http://gotify.net[Gotify] is an open-source self-hosted notification server that
allows you to send and receive push notifications to various devices and
applications. It provides a simple API and web interface, making it easy to
integrate with different platforms and services.
The configuration for Gotify target plugins has the following options:
* `server`: The base URL of the Gotify server, e.g. `http://<ip>:8888`
* `token`: The authentication token. Tokens can be generated within the Gotify
web interface.
* `comment`: Comment for this target
NOTE: The Gotify target plugin will respect the HTTP proxy settings from the
xref:datacenter_configuration_file[datacenter configuration]
Example configuration (`/etc/pve/notifications.cfg`):
----
gotify: example
server http://gotify.example.com:8888
comment Send to multiple users/addresses
----
The matching entry in `/etc/pve/priv/notifications.cfg`, containing the
secret token:
----
gotify: example
token somesecrettoken
----
[[notification_targets_webhook]]
Webhook
~~~~~~~
Webhook notification targets perform HTTP requests to a configurable URL.
The following configuration options are available:
* `url`: The URL to which to perform the HTTP requests.
Supports templating to inject message contents, metadata and secrets.
* `method`: HTTP Method to use (POST/PUT/GET)
* `header`: Array of HTTP headers that should be set for the request.
Supports templating to inject message contents, metadata and secrets.
* `body`: HTTP body that should be sent.
Supports templating to inject message contents, metadata and secrets.
* `secret`: Array of secret key-value pairs. These will be stored in
a protected configuration file only readable by root. Secrets can be accessed
in body/header/URL templates via the `secrets` namespace.
* `comment`: Comment for this target.
For configuration options that support templating, the
https://handlebarsjs.com/[Handlebars] syntax can be used to
access the following properties:
* `{{ title }}`: The rendered notification title
* `{{ message }}`: The rendered notification body
* `{{ severity }}`: The severity of the notification (`info`, `notice`,
`warning`, `error`, `unknown`)
* `{{ timestamp }}`: The notification's timestamp as a UNIX epoch (in seconds).
* `{{ fields.<name> }}`: Sub-namespace for any metadata fields of the
notification. For instance, `fields.type` contains the notification type -
for all available fields refer to xref:notification_events[Notification Events].
* `{{ secrets.<name> }}`: Sub-namespace for secrets. For instance, a secret
named `token` is accessible via `secrets.token`.
For convenience, the following helpers are available:
* `{{ url-encode <value/property> }}`: URL-encode a property/literal.
* `{{ escape <value/property> }}`: Escape any control characters that cannot be
safely represented as a JSON string.
* `{{ json <value/property> }}`: Render a value as JSON. This can be useful to
pass a whole sub-namespace (e.g. `fields`) as a part of a JSON payload (e.g.
`{{ json fields }}`).
==== Examples
===== `ntfy.sh`
* Method: `POST`
* URL: `https://ntfy.sh/{{ secrets.channel }}`
* Headers:
** `Markdown`: `Yes`
* Body:
----
```
{{ message }}
```
----
* Secrets:
** `channel`: `<your ntfy.sh channel>`
===== Discord
* Method: `POST`
* URL: `https://discord.com/api/webhooks/{{ secrets.token }}`
* Headers:
** `Content-Type`: `application/json`
* Body:
----
{
"content": "``` {{ escape message }}```"
}
----
* Secrets:
** `token`: `<token>`
===== Slack
* Method: `POST`
* URL: `https://hooks.slack.com/services/{{ secrets.token }}`
* Headers:
** `Content-Type`: `application/json`
* Body:
----
{
"text": "``` {{escape message}}```",
"type": "mrkdwn"
}
----
* Secrets:
** `token`: `<token>`
[[notification_matchers]]
Notification Matchers
---------------------
[thumbnail="screenshot/gui-datacenter-notification-matcher.png"]
Notification matchers route notifications to notification targets based
on their matching rules. These rules can match certain properties of a
notification, such as the timestamp (`match-calendar`), the severity of
the notification (`match-severity`) or metadata fields (`match-field`).
If a notification is matched by a matcher, all targets configured for the
matcher will receive the notification.
An arbitrary number of matchers can be created, each with with their own
matching rules and targets to notify.
Every target is notified at most once for every notification, even if
the target is used in multiple matchers.
A matcher without any matching rules is always true; the configured targets
will always be notified.
----
matcher: always-matches
target admin
comment This matcher always matches
----
Matcher Options
~~~~~~~~~~~~~~~
* `target`: Determine which target should be notified if the matcher matches.
can be used multiple times to notify multiple targets.
* `invert-match`: Inverts the result of the whole matcher
* `mode`: Determines how the individual match rules are evaluated to compute
the result for the whole matcher. If set to `all`, all matching rules must
match. If set to `any`, at least one rule must match.
a matcher must be true. Defaults to `all`.
* `match-calendar`: Match the notification's timestamp against a schedule
* `match-field`: Match the notification's metadata fields
* `match-severity`: Match the notification's severity
* `comment`: Comment for this matcher
[[notification_matchers_calendar]]
Calendar Matching Rules
~~~~~~~~~~~~~~~~~~~~~~~
A calendar matcher matches the time when a notification is sent against a
configurable schedule.
* `match-calendar 8-12`
* `match-calendar 8:00-15:30`
* `match-calendar mon-fri 9:00-17:00`
* `match-calendar sun,tue-wed,fri 9-17`
[[notification_matchers_field]]
Field Matching Rules
~~~~~~~~~~~~~~~~~~~~
Notifications have a selection of metadata fields that can be matched.
When using `exact` as a matching mode, a `,` can be used as a separator.
The matching rule then matches if the metadata field has *any* of the specified
values.
* `match-field exact:type=vzdump` Only match notifications about backups.
* `match-field exact:type=replication,fencing` Match `replication` and `fencing` notifications.
* `match-field regex:hostname=^.+\.example\.com$` Match the hostname of
the node.
If a matched metadata field does not exist, the notification will not be
matched.
For instance, a `match-field regex:hostname=.*` directive will only match
notifications that have an arbitrary `hostname` metadata field, but will
not match if the field does not exist.
[[notification_matchers_severity]]
Severity Matching Rules
~~~~~~~~~~~~~~~~~~~~~~~
A notification has a associated severity that can be matched.
* `match-severity error`: Only match errors
* `match-severity warning,error`: Match warnings and error
The following severities are in use:
`info`, `notice`, `warning`, `error`, `unknown`.
Examples
~~~~~~~~
----
matcher: workday
match-calendar mon-fri 9-17
target admin
comment Notify admins during working hours
matcher: night-and-weekend
match-calendar mon-fri 9-17
invert-match true
target on-call-admins
comment Separate target for non-working hours
----
----
matcher: backup-failures
match-field exact:type=vzdump
match-severity error
target backup-admins
comment Send notifications about backup failures to one group of admins
matcher: cluster-failures
match-field exact:type=replication,fencing
target cluster-admins
comment Send cluster-related notifications to other group of admins
----
[[notification_events]]
Notification Events
-------------------
[width="100%",options="header"]
|===========================================================================
| Event | `type` | Severity | Metadata fields (in addition to `type`)
| System updates available |`package-updates` | `info` | `hostname`
| Cluster node fenced |`fencing` | `error` | `hostname`
| Storage replication job failed |`replication` | `error` | `hostname`, `job-id`
| Backup succeeded |`vzdump` | `info` | `hostname`, `job-id` (only for backup jobs)
| Backup failed |`vzdump` | `error` | `hostname`, `job-id` (only for backup jobs)
| Mail for root |`system-mail` | `unknown`| `hostname`
|===========================================================================
[width="100%",options="header"]
|=======================================================================
| Field name | Description
| `type` | Type of the notification
| `hostname` | Hostname, without domain (e.g. `pve1`)
| `job-id` | Job ID
|=======================================================================
NOTE: Backup job notifications only have `job-id` set if the backup job
was executed automatically based on its schedule, but not if it was triggered
manually by the 'Run now' button in the UI.
System Mail Forwarding
---------------------
Certain local system daemons, such as `smartd`, generate notification emails
that are initially directed to the local `root` user. {pve} will
feed these mails into the notification system as a notification of
type `system-mail` and with severity `unknown`.
When the email is forwarded to a sendmail target, the mail's content and headers
are forwarded as-is. For all other targets,
the system tries to extract both a subject line and the main text body
from the email content. In instances where emails solely consist of HTML
content, they will be transformed into plain text format during this process.
Permissions
-----------
To modify/view the configuration for notification targets,
the `Mapping.Modify/Mapping.Audit` permissions are required for the
`/mapping/notifications` ACL node.
Testing a target requires `Mapping.Use`, `Mapping.Audit` or `Mapping.Modify`
permissions on `/mapping/notifications`
[[notification_mode]]
Notification Mode
-----------------
A backup job configuration has the `notification-mode`
option which can have one of three values.
* `auto`: Use the `legacy-sendmail` mode if no email address is entered in the
`mailto`/`Send email to` field. If no email address is entered,
the `notification-system` mode is used.
* `legacy-sendmail`: Send notification emails via the system's `sendmail` command.
The notification system will be bypassed and any configured
targets/matchers will be ignored.
This mode is equivalent to the notification behavior for version before
{pve} 8.1 .
* `notification-system`: Use the new, flexible notification system.
If the `notification-mode` option is not set, {pve} will default
to `auto`.
The `legacy-sendmail` mode might be removed in a later release of
{pve}.