DLPX-96312 Removed curl and openssl

Author: dbshah12

debian/control

@@ -13,6 +13,6 @@ Standards-Version: 4.1.2
 
 Package: performance-diagnostics
 Architecture: any
-Depends: python3-bpfcc, python3-minimal, python3-psutil, telegraf, docker.io, influxdb2, curl, openssl
+Depends: python3-bpfcc, python3-minimal, python3-psutil, telegraf, docker.io, influxdb2
 Description: eBPF-based Performance Diagnostic Tools
   A collection of eBPF-based tools for diagnosing performance issues.

influxdb/delphix-influxdb-init

@@ -3,8 +3,9 @@
 # Copyright (c) 2026 by Delphix. All rights reserved.
 #
 # One-time InfluxDB initialization: creates org, bucket, admin token,
-# a read-only token for DCT Smart Proxy, and appends the
-# [[outputs.influxdb_v2]] stanza to /etc/telegraf/telegraf.base.
+# a read-only token for DCT Smart Proxy, and writes the
+# [[outputs.influxdb_v2]] stanza to /etc/telegraf/telegraf.outputs.influxdb,
+# which is included by delphix-telegraf-service when INFLUXDB_ENABLED flag exists.
 # Skips setup if InfluxDB is already initialized.
 #
 
@@ -100,10 +101,12 @@ if [[ -f "$INFLUXDB_SETUP_STATE_FILE" ]]; then
 		key="${line%%=*}"
 		value="${line#*=}"
 		case "$key" in
-			ADMIN_TOKEN)          ADMIN_TOKEN="$value" ;;
-			ORG_ID)               ORG_ID="$value" ;;
-			BUCKET_ID)            BUCKET_ID="$value" ;;
+			ADMIN_TOKEN)             ADMIN_TOKEN="$value" ;;
+			ORG_ID)                  ORG_ID="$value" ;;
+			BUCKET_ID)               BUCKET_ID="$value" ;;
 			INFLUXDB_ADMIN_PASSWORD) INFLUXDB_ADMIN_PASSWORD="$value" ;;
+			WRITE_TOKEN)             WRITE_TOKEN="$value" ;;
+			READ_TOKEN)              READ_TOKEN="$value" ;;
 		esac
 	done <"$INFLUXDB_SETUP_STATE_FILE"
 else
@@ -134,29 +137,41 @@ else
 	umask "$old_umask"
 fi
 
-#
-# Create a write-only token for Telegraf.
-#
-WRITE_TOKEN_RESPONSE=$(influx_post "/api/v2/authorizations" "{
-	\"orgID\": \"$ORG_ID\",
-	\"description\": \"telegraf-write-token\",
-	\"permissions\": [
-		{\"action\": \"write\", \"resource\": {\"type\": \"buckets\", \"id\": \"$BUCKET_ID\", \"orgID\": \"$ORG_ID\"}}
-	]
-}" "$ADMIN_TOKEN") || exit 1
-WRITE_TOKEN=$(json_field "$WRITE_TOKEN_RESPONSE" "['token']") || exit 1
+# Token creation is guarded so that on crash-resume (setup state exists but
+# meta file not yet written), we reuse already-created tokens rather than
+# creating orphaned duplicates in InfluxDB on each retry.
+WRITE_TOKEN="${WRITE_TOKEN:-}"
+READ_TOKEN="${READ_TOKEN:-}"
+
+#
+# Create a write-only token for Telegraf (skipped if already persisted in state).
+#
+if [[ -z "$WRITE_TOKEN" ]]; then
+	WRITE_TOKEN_RESPONSE=$(influx_post "/api/v2/authorizations" "{
+		\"orgID\": \"$ORG_ID\",
+		\"description\": \"telegraf-write-token\",
+		\"permissions\": [
+			{\"action\": \"write\", \"resource\": {\"type\": \"buckets\", \"id\": \"$BUCKET_ID\", \"orgID\": \"$ORG_ID\"}}
+		]
+	}" "$ADMIN_TOKEN") || exit 1
+	WRITE_TOKEN=$(json_field "$WRITE_TOKEN_RESPONSE" "['token']") || exit 1
+	printf 'WRITE_TOKEN=%s\n' "$WRITE_TOKEN" >>"$INFLUXDB_SETUP_STATE_FILE"
+fi
 
 #
-# Create a read-only token for DCT Smart Proxy.
+# Create a read-only token for DCT Smart Proxy (skipped if already persisted in state).
 #
-READ_TOKEN_RESPONSE=$(influx_post "/api/v2/authorizations" "{
-	\"orgID\": \"$ORG_ID\",
-	\"description\": \"dct-read-token\",
-	\"permissions\": [
-		{\"action\": \"read\", \"resource\": {\"type\": \"buckets\", \"id\": \"$BUCKET_ID\", \"orgID\": \"$ORG_ID\"}}
-	]
-}" "$ADMIN_TOKEN") || exit 1
-READ_TOKEN=$(json_field "$READ_TOKEN_RESPONSE" "['token']") || exit 1
+if [[ -z "$READ_TOKEN" ]]; then
+	READ_TOKEN_RESPONSE=$(influx_post "/api/v2/authorizations" "{
+		\"orgID\": \"$ORG_ID\",
+		\"description\": \"dct-read-token\",
+		\"permissions\": [
+			{\"action\": \"read\", \"resource\": {\"type\": \"buckets\", \"id\": \"$BUCKET_ID\", \"orgID\": \"$ORG_ID\"}}
+		]
+	}" "$ADMIN_TOKEN") || exit 1
+	READ_TOKEN=$(json_field "$READ_TOKEN_RESPONSE" "['token']") || exit 1
+	printf 'READ_TOKEN=%s\n' "$READ_TOKEN" >>"$INFLUXDB_SETUP_STATE_FILE"
+fi
 
 #
 # Write the [[outputs.influxdb_v2]] stanza to a dedicated telegraf output file

telegraf/delphix-telegraf-service

@@ -53,4 +53,7 @@ if influxdb_is_enabled && [[ -f $INFLUXDB_OUTPUT ]]; then
 	cat $INFLUXDB_OUTPUT >> $TELEGRAF_CONFIG
 fi
 
+# Restrict permissions so the InfluxDB write token is not world-readable.
+chmod 640 $TELEGRAF_CONFIG
+
 /usr/bin/telegraf -config $TELEGRAF_CONFIG