From patchwork Tue Mar 30 15:28:30 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Robin Roevens X-Patchwork-Id: 4003 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4F8tft2hjmz3ws3 for ; Tue, 30 Mar 2021 15:29:58 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4F8tfs6r52z1dd; Tue, 30 Mar 2021 15:29:57 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4F8tfs6PVnz2xmX; Tue, 30 Mar 2021 15:29:57 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4F8tfr5ZMDz2xSG for ; Tue, 30 Mar 2021 15:29:56 +0000 (UTC) Received: from knopi.disroot.org (knopi.disroot.org [178.21.23.139]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPS id 4F8tfr20qpz1WQ for ; Tue, 30 Mar 2021 15:29:56 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by disroot.org (Postfix) with ESMTP id 1ABEE50D0D for ; Tue, 30 Mar 2021 17:29:56 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at disroot.org Received: from knopi.disroot.org ([127.0.0.1]) by localhost (disroot.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r8Z_CF5DdNdO for ; Tue, 30 Mar 2021 17:29:53 +0200 (CEST) Received: from amaterasu.sicho.home ([192.168.0.1] helo=chojin.sicho.home) by filekeeper.sicho.home with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from ) id 1lRGJ2-00046g-Qk; Tue, 30 Mar 2021 17:29:24 +0200 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=disroot.org; s=mail; t=1617118193; bh=1Rze+lBdTZxe3Bj02J28YUT60G5UHdB3Fwrl06GLKIY=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=Bxyo+o5bEF22DmIfpI1a1KUl8FmwrtogRtaUiN+jtXSPCg6L0FfI8zjnykZ51rXiK yOxHE7pJCzSe/0bxs0izWDvt8NOjetEIwGR/OPjdNkAlKCyLTIJ52Utiy8XpQ2sCml GjjiZ1Fbdx9YYM3fMiJ40mVenDE9KsgQCUdxPjwl9OOSwxIoJr8BlJrF/DPu741nXd Cmx5huCcBkvsVaT9vir8oshtPO2/+xr5lC0l2DnUpTBfJG5rKBI5B2Uj5WXhJewuZg HNPB22pcGsNyt7pzsuiaZruaE/XuRY7JnA9lftZqwGyJJgDZAhC7XfDom9Z+lhUoqX 61IkRtZinkQ+A== From: Robin Roevens To: development@lists.ipfire.org Subject: [PATCH 4/4] zabbix_agentd: Add IPFire specific userparameters Date: Tue, 30 Mar 2021 17:28:30 +0200 Message-Id: <20210330152830.2859-5-robin.roevens@disroot.org> In-Reply-To: <20210330152830.2859-1-robin.roevens@disroot.org> References: <20210330152830.2859-1-robin.roevens@disroot.org> Mime-Version: 1.0 X-filekeeper-MailScanner-ID: 1lRGJ2-00046g-Qk X-filekeeper-MailScanner: Found to be clean X-filekeeper-MailScanner-From: robin.roevens@disroot.org X-filekeeper-MailScanner-Watermark: 1617722969.45833@bAfM9HfI2DmzUH0bA3fV9w ARC-Authentication-Results: i=1; mail01.ipfire.org; dkim=pass header.d=disroot.org header.s=mail header.b=Bxyo+o5b; dmarc=pass (policy=quarantine) header.from=disroot.org; spf=pass (mail01.ipfire.org: domain of robin.roevens@disroot.org designates 178.21.23.139 as permitted sender) smtp.mailfrom=robin.roevens@disroot.org ARC-Seal: i=1; s=202003rsa; d=lists.ipfire.org; t=1617118196; a=rsa-sha256; cv=none; b=LOoFI5Rk++/RAnG8bPTWt6xORa62Do6H1G2ssIctJkqhkqkNkzvbJWL4uYjioMr3ogc9Ms 5NFq+jBGwFceoHLZHw6JZP2T3/PEGqoP6QLgB9mUKnkVByJnsZFkl0w955eBPsTHVC5uHz qvIHmK+WzmvkofPYKYBusobOp3wG59Xfp9NJ/KtlbqLHElYP1D8uMW9LUrtYcbdtuNLsWu ngSo0//CM91pMWq7VyH8r29eR+e5NYSjNYkELka3LZ8e4ucgq+zF4mCW2+XobPPZyZi/VF loZXxeKE7+ogRKfn4bP/kdAlVaCMp8CeM+KUKwTk9svz2C/i1BPPmLQ+pWq4Yw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.ipfire.org; s=202003rsa; t=1617118196; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=gk/h/aSI0eX9QiK5SoTeXHZhMVwe47EeXi0W0Jlvs2U=; b=VLKGPIa36qJJVVjuKU6Os4bM64J/TnoNf3uj6owxnCQ8MBHTeRoGaDRUDnehVuonrWnD5V rcOEpnjJDDwTYMJpzI52t78+9LIKdPQyaZ99x8k+8X7VvtuT+STp1XHr8N0+4o+IvxX2cF 1N83KVHS+EeAlD5MRxbGCKF6u5/Ki9gi5RLrMzn+q2EcdZtdsnComkrkoE2EdSjfHN2W6n abWXFZdH1IIRFFWuFhU5BS9ilhXRdclHrhnUTt5lgryPgtgELF77p6r+fbyZ4GhzGdvqxl 6ddvTEfS147JGmp30Catw41kt5bs/OWcLmxx9IBUROE1LtjMPOIRZqSZQlQ+uw== Authentication-Results: mail01.ipfire.org; dkim=pass header.d=disroot.org header.s=mail header.b=Bxyo+o5b; dmarc=pass (policy=quarantine) header.from=disroot.org; spf=pass (mail01.ipfire.org: domain of robin.roevens@disroot.org designates 178.21.23.139 as permitted sender) smtp.mailfrom=robin.roevens@disroot.org X-Rspamd-Server: mail01.haj.ipfire.org X-Spamd-Result: default: False [-2.50 / 11.00]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[disroot.org:s=mail]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+a:c]; MV_CASE(0.50)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[development@lists.ipfire.org]; REPLY(-4.00)[]; BROKEN_CONTENT_TYPE(1.50)[]; R_MISSING_CHARSET(2.50)[]; RCVD_COUNT_THREE(0.00)[4]; TO_MATCH_ENVRCPT_SOME(0.00)[]; IP_REPUTATION_HAM(-0.01)[asn: 50673(0.00), country: NL(-0.01), ip: 178.21.23.139(0.00)]; DKIM_TRACE(0.00)[disroot.org:+]; RCPT_COUNT_TWO(0.00)[2]; MID_CONTAINS_FROM(1.00)[]; DMARC_POLICY_ALLOW(-0.50)[disroot.org,quarantine]; ARC_SIGNED(0.00)[lists.ipfire.org:s=202003rsa:i=1]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:50673, ipnet:178.21.23.0/24, country:NL]; BAYES_HAM(-2.98)[99.93%] X-Rspamd-Queue-Id: 4F8tfr20qpz1WQ X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Provide IPFire specific items for the Zabbix server to monitor: - Networking stats: - ipfire.net.gateway.pingtime: Internet Line Quality - ipfire.net.gateway.ping: Internet connection - ipfire.net.fw.hits[*]: Firewall hits - IPFire service states: - ipfire.services: JSON formatted state of all IPFire services using new ipfire_services.pl script. Users can install the IPFire 2 Zabbix template-set provided here: https://share.zabbix.com/network-appliances/ipfire-2 to monitor these metrics. Or create their own template. Signed-off-by: Robin Roevens --- config/rootfiles/packages/zabbix_agentd | 3 + config/zabbix_agentd/ipfire_services.pl | 221 ++++++++++++++++++ config/zabbix_agentd/sudoers | 2 +- .../template_module_ipfire_network_stats.conf | 4 + .../template_module_ipfire_services.conf | 2 + lfs/zabbix_agentd | 8 +- src/paks/zabbix_agentd/install.sh | 5 + src/paks/zabbix_agentd/uninstall.sh | 2 + 8 files changed, 245 insertions(+), 2 deletions(-) create mode 100755 config/zabbix_agentd/ipfire_services.pl create mode 100644 config/zabbix_agentd/template_module_ipfire_network_stats.conf create mode 100644 config/zabbix_agentd/template_module_ipfire_services.conf diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index 6945c5ef7..aa3f1846b 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -3,9 +3,12 @@ etc/rc.d/init.d/zabbix_agentd etc/sudoers.d/zabbix.ipfirenew #etc/zabbix_agentd #etc/zabbix_agentd/scripts +etc/zabbix_agentd/scripts/ipfire_services.pl.ipfirenew etc/zabbix_agentd/zabbix_agentd.conf.ipfirenew #etc/zabbix_agentd/zabbix_agentd.d etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf.ipfirenew +etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_network_stats.conf.ipfirenew +etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_services.conf.ipfirenew usr/bin/zabbix_get usr/bin/zabbix_sender #usr/lib/modules diff --git a/config/zabbix_agentd/ipfire_services.pl b/config/zabbix_agentd/ipfire_services.pl new file mode 100755 index 000000000..dbf8aec56 --- /dev/null +++ b/config/zabbix_agentd/ipfire_services.pl @@ -0,0 +1,221 @@ +#!/usr/bin/perl +############################################################################### +# ipfire_services.pl - Retrieves available IPFire services information and +# return this as a JSON array suitable for easy processing +# by Zabbix server +# +# Author: robin.roevens (at) disroot.org +# Version: 1.0 +# +# Based on: services.cgi by IPFire Team +# Copyright (C) 2007-2021 IPFire Team +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +############################################################################### + +use strict; + +# enable only the following on debugging purpose +# use warnings; + +# Maps a nice printable name to the changing part of the pid file, which +# is also the name of the program +my %servicenames =( + 'DHCP Server' => 'dhcpd', + 'Web Server' => 'httpd', + 'CRON Server' => 'fcron', + 'DNS Proxy Server' => 'unbound', + 'Logging Server' => 'syslogd', + 'Kernel Logging Server' => 'klogd', + 'NTP Server' => 'ntpd', + 'Secure Shell Server' => 'sshd', + 'VPN' => 'charon', + 'Web Proxy' => 'squid', + 'Intrusion Detection System' => 'suricata', + 'OpenVPN' => 'openvpn' +); + +# Hash to overwrite the process name of a process if it differs from the launch command. +my %overwrite_exename_hash = ( + "suricata" => "Suricata-Main" +); + +my $first = 1; + +print "["; + +# Built-in services +my $key = ''; +foreach $key (sort keys %servicenames){ + print "," if not $first; + $first = 0; + + print "{"; + print "\"service\":\"$key\","; + + my $shortname = $servicenames{$key}; + print &servicestats($shortname); + + print "}"; +} + +# Generate list of installed addon pak's +my @pak = `find /opt/pakfire/db/installed/meta-* 2>/dev/null | cut -d"-" -f2`; +foreach (@pak){ + chomp($_); + + # Check which of the paks are services + my @svc = `find /etc/init.d/$_ 2>/dev/null | cut -d"/" -f4`; + foreach (@svc){ + # blacklist some packages + # + # alsa has trouble with the volume saving and was not really stopped + # mdadm should not stopped with webif because this could crash the system + # + chomp($_); + if ( $_ eq 'squid' ) { + next; + } + if ( ($_ ne "alsa") && ($_ ne "mdadm") ) { + print ","; + print "{"; + + print "\"service\":\"Addon: $_\","; + print "\"servicename\":\"$_\","; + + my $onboot = isautorun($_); + print "\"onboot\":$onboot,"; + + print &addonservicestats($_); + + print "}"; + } + } +} + +print "]"; + +sub servicestats{ + my $cmd = $_[0]; + my $status = "\"servicename\":\"$cmd\",\"state\":\"0\""; + my $pid = ''; + my $testcmd = ''; + my $exename; + my $memory; + + + $cmd =~ /(^[a-z]+)/; + + # Check if the exename needs to be overwritten. + # This happens if the expected process name string + # differs from the real one. This may happened if + # a service uses multiple processes or threads. + if (exists($overwrite_exename_hash{$cmd})) { + # Grab the string which will be reported by + # the process from the corresponding hash. + $exename = $overwrite_exename_hash{$1}; + } else { + # Directly expect the launched command as + # process name. + $exename = $1; + } + + if (open(FILE, "/var/run/${cmd}.pid")){ + $pid = ; chomp $pid; + close FILE; + if (open(FILE, "/proc/${pid}/status")){ + while (){ + if (/^Name:\W+(.*)/) { + $testcmd = $1; + } + } + close FILE; + } + if (open(FILE, "/proc/${pid}/status")) { + while () { + my ($key, $val) = split(":", $_, 2); + if ($key eq 'VmRSS') { + $val =~ /\s*([0-9]*)\s+kB/; + # Convert kB to B + $memory = $1*1024; + last; + } + } + close(FILE); + } + if ($testcmd =~ /$exename/){ + $status = "\"servicename\":\"$cmd\",\"state\":1,\"pid\":$pid,\"memory\":$memory"; + } + } + return $status; +} + +sub isautorun{ + my $cmd = $_[0]; + my $status = "0"; + my $init = `find /etc/rc.d/rc3.d/S??${cmd} 2>/dev/null`; + chomp ($init); + if ($init ne ''){ + $status = "1"; + } + $init = `find /etc/rc.d/rc3.d/off/S??${cmd} 2>/dev/null`; + chomp ($init); + if ($init ne ''){ + $status = "0"; + } + + return $status; +} + +sub addonservicestats{ + my $cmd = $_[0]; + my $status = "0"; + my $pid = ''; + my $testcmd = ''; + my $exename; + my @memory = (0); + + $testcmd = `sudo /usr/local/bin/addonctrl $_ status 2>/dev/null`; + + if ( $testcmd =~ /is\ running/ && $testcmd !~ /is\ not\ running/){ + $status = "\"state\":1"; + + $testcmd =~ s/.* //gi; + $testcmd =~ s/[a-z_]//gi; + $testcmd =~ s/\[[0-1]\;[0-9]+//gi; + $testcmd =~ s/[\(\)\.]//gi; + $testcmd =~ s/ //gi; + $testcmd =~ s///gi; + + my @pid = split(/\s/,$testcmd); + $status .=",\"pid\":\"$pid[0]\""; + + my $memory = 0; + + foreach (@pid){ + chomp($_); + if (open(FILE, "/proc/$_/statm")){ + my $temp = ; + @memory = split(/ /,$temp); + } + $memory+=$memory[0]; + } + $memory*=1024; + $status .=",\"memory\":$memory"; + }else{ + $status = "\"state\":0"; + } + return $status; +} diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers index 1b362a4fd..340bb8e66 100644 --- a/config/zabbix_agentd/sudoers +++ b/config/zabbix_agentd/sudoers @@ -14,4 +14,4 @@ # Append / edit the following list of commands to fit your needs: # Defaults:zabbix !requiretty -zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status +zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/local/bin/addonctrl, /sbin/iptables, /usr/sbin/fping diff --git a/config/zabbix_agentd/template_module_ipfire_network_stats.conf b/config/zabbix_agentd/template_module_ipfire_network_stats.conf new file mode 100644 index 000000000..f1658ed07 --- /dev/null +++ b/config/zabbix_agentd/template_module_ipfire_network_stats.conf @@ -0,0 +1,4 @@ +### Parameters for monitoring IPFire network statistics +UserParameter=ipfire.net.gateway.pingtime,sudo /usr/sbin/fping -c 3 gateway 2>&1 | tail -n 1 | awk '{print $NF}' | cut -d '/' -f2 +UserParameter=ipfire.net.gateway.ping,sudo /usr/sbin/fping -q -r 3 gateway; [ ! $? ]; echo $? +UserParameter=ipfire.net.fw.hits[*],sudo /sbin/iptables -vnxL $1 | grep "\/\* $2 \*\/" | awk '{ print $$2 }'; diff --git a/config/zabbix_agentd/template_module_ipfire_services.conf b/config/zabbix_agentd/template_module_ipfire_services.conf new file mode 100644 index 000000000..5f95218e3 --- /dev/null +++ b/config/zabbix_agentd/template_module_ipfire_services.conf @@ -0,0 +1,2 @@ +### Parameter for monitoring IPFire services +UserParameter=ipfire.services,/etc/zabbix_agentd/scripts/ipfire_services.pl diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index badfde3ae..1debfeeb0 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd PAK_VER = 5 -DEPS = +DEPS = "fping" ############################################################################### # Top-level Rules @@ -97,6 +97,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) /etc/zabbix_agentd/zabbix_agentd.conf.ipfirenew install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/template_app_pakfire.conf \ /etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf.ipfirenew + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/template_module_ipfire_network_stats.conf \ + /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_network_stats.conf.ipfirenew + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/template_module_ipfire_services.conf \ + /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_services.conf.ipfirenew + install -v -m 755 $(DIR_SRC)/config/zabbix_agentd/ipfire_services.pl \ + /etc/zabbix_agentd/scripts/ipfire_services.pl.ipfirenew # Create directory for additional agent modules -mkdir -pv /usr/lib/zabbix diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh index 4248a7ec1..ced915c81 100644 --- a/src/paks/zabbix_agentd/install.sh +++ b/src/paks/zabbix_agentd/install.sh @@ -66,8 +66,13 @@ restore_backup ${NAME} # Put zabbix configfiles in place setup_configfile /etc/zabbix_agentd/zabbix_agentd.conf setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf +setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_network_stats.conf +setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_services.conf setup_configfile /etc/sudoers.d/zabbix +# Overwrite script if it exists as user should not modify it but it is included in backup +mv /etc/zabbix_agentd/scripts/ipfire_services.pl.ipfirenew /etc/zabbix_agentd/scripts/ipfire_services.pl + if $review_required; then echo "WARNING: New versions of some configfile(s) where provided as .ipfirenew-files." echo " They may need manual review in order to take advantage of new features" diff --git a/src/paks/zabbix_agentd/uninstall.sh b/src/paks/zabbix_agentd/uninstall.sh index 7a13880c5..ccbc8f7cf 100644 --- a/src/paks/zabbix_agentd/uninstall.sh +++ b/src/paks/zabbix_agentd/uninstall.sh @@ -26,6 +26,8 @@ stop_service ${NAME} # Remove .ipfirenew files in advance so they won't be included in backup rm -rfv /etc/zabbix_agentd/*.ipfirenew /etc/zabbix_agentd/*/*.ipfirenew +# Remove script-file as it should not have been modified by user +rm -fv /etc/zabbix_agentd/scripts/ipfire_services.pl make_backup ${NAME} remove_files