From patchwork Wed Apr 7 20:44:56 2021
X-Patchwork-Submitter: Robin Roevens
X-Patchwork-Id: 4124
From: Robin Roevens
To: development@lists.ipfire.org
Subject: [PATCH 4/4] [V2] zabbix_agentd: Add IPFire specific userparameters
Date: Wed, 7 Apr 2021 22:44:56 +0200
Message-Id: <20210407204455.450-5-robin.roevens@disroot.org>
In-Reply-To: <20210407204455.450-1-robin.roevens@disroot.org>
References: <20210407204455.450-1-robin.roevens@disroot.org>

Provide IPFire specific items for the Zabbix server to monitor:
- Networking stats:
  - ipfire.net.gateway.pingtime: Internet Line Quality
  - ipfire.net.gateway.ping: Internet connection
  - ipfire.net.fw.hits[*]: Firewall hits
- IPFire service states:
  - ipfire.services: JSON formatted state of all IPFire services using new ipfire_services.pl script.

Users can install the IPFire 2 Zabbix template-set provided here: https://share.zabbix.com/network-appliances/ipfire-2 to monitor these metrics. Or create their own template. Signed-off-by: Robin Roevens --- config/rootfiles/packages/zabbix_agentd | 3 + config/zabbix_agentd/ipfire_services.pl | 221 ++++++++++++++++++ config/zabbix_agentd/sudoers | 2 +- .../template_module_ipfire_network_stats.conf | 4 + .../template_module_ipfire_services.conf | 2 + lfs/zabbix_agentd | 8 +- src/paks/zabbix_agentd/install.sh | 5 + src/paks/zabbix_agentd/uninstall.sh | 2 + 8 files changed, 245 insertions(+), 2 deletions(-) create mode 100755 config/zabbix_agentd/ipfire_services.pl create mode 100644 config/zabbix_agentd/template_module_ipfire_network_stats.conf create mode 100644 config/zabbix_agentd/template_module_ipfire_services.conf diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index 6945c5ef7..aa3f1846b 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -3,9 +3,12 @@ etc/rc.d/init.d/zabbix_agentd etc/sudoers.d/zabbix.ipfirenew #etc/zabbix_agentd #etc/zabbix_agentd/scripts +etc/zabbix_agentd/scripts/ipfire_services.pl.ipfirenew etc/zabbix_agentd/zabbix_agentd.conf.ipfirenew #etc/zabbix_agentd/zabbix_agentd.d etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf.ipfirenew +etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_network_stats.conf.ipfirenew +etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_services.conf.ipfirenew usr/bin/zabbix_get usr/bin/zabbix_sender #usr/lib/modules diff --git a/config/zabbix_agentd/ipfire_services.pl b/config/zabbix_agentd/ipfire_services.pl new file mode 100755 index 000000000..dbf8aec56 --- /dev/null +++ b/config/zabbix_agentd/ipfire_services.pl 
@@ -0,0 +1,221 @@ +#!/usr/bin/perl +############################################################################### +# ipfire_services.pl - Retrieves available IPFire services information and +# return this as a JSON array suitable for easy processing +# by Zabbix server +# +# Author: robin.roevens (at) disroot.org +# Version: 1.0 +# +# Based on: services.cgi by IPFire Team +# Copyright (C) 2007-2021 IPFire Team +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +############################################################################### + +use strict; + +# enable only the following on debugging purpose +# use warnings; + +# Maps a nice printable name to the changing part of the pid file, which +# is also the name of the program +my %servicenames =( + 'DHCP Server' => 'dhcpd', + 'Web Server' => 'httpd', + 'CRON Server' => 'fcron', + 'DNS Proxy Server' => 'unbound', + 'Logging Server' => 'syslogd', + 'Kernel Logging Server' => 'klogd', + 'NTP Server' => 'ntpd', + 'Secure Shell Server' => 'sshd', + 'VPN' => 'charon', + 'Web Proxy' => 'squid', + 'Intrusion Detection System' => 'suricata', + 'OpenVPN' => 'openvpn' +); + +# Hash to overwrite the process name of a process if it differs from the launch command. 
+my %overwrite_exename_hash = ( + "suricata" => "Suricata-Main" +); + +my $first = 1; + +print "["; + +# Built-in services +my $key = ''; +foreach $key (sort keys %servicenames){ + print "," if not $first; + $first = 0; + + print "{"; + print "\"service\":\"$key\","; + + my $shortname = $servicenames{$key}; + print &servicestats($shortname); + + print "}"; +} + +# Generate list of installed addon pak's +my @pak = `find /opt/pakfire/db/installed/meta-* 2>/dev/null | cut -d"-" -f2`; +foreach (@pak){ + chomp($_); + + # Check which of the paks are services + my @svc = `find /etc/init.d/$_ 2>/dev/null | cut -d"/" -f4`; + foreach (@svc){ + # blacklist some packages + # + # alsa has trouble with the volume saving and was not really stopped + # mdadm should not stopped with webif because this could crash the system + # + chomp($_); + if ( $_ eq 'squid' ) { + next; + } + if ( ($_ ne "alsa") && ($_ ne "mdadm") ) { + print ","; + print "{"; + + print "\"service\":\"Addon: $_\","; + print "\"servicename\":\"$_\","; + + my $onboot = isautorun($_); + print "\"onboot\":$onboot,"; + + print &addonservicestats($_); + + print "}"; + } + } +} + +print "]"; + +sub servicestats{ + my $cmd = $_[0]; + my $status = "\"servicename\":\"$cmd\",\"state\":\"0\""; + my $pid = ''; + my $testcmd = ''; + my $exename; + my $memory; + + + $cmd =~ /(^[a-z]+)/; + + # Check if the exename needs to be overwritten. + # This happens if the expected process name string + # differs from the real one. This may happened if + # a service uses multiple processes or threads. + if (exists($overwrite_exename_hash{$cmd})) { + # Grab the string which will be reported by + # the process from the corresponding hash. + $exename = $overwrite_exename_hash{$1}; + } else { + # Directly expect the launched command as + # process name. 
+ $exename = $1; + } + + if (open(FILE, "/var/run/${cmd}.pid")){ + $pid = ; chomp $pid; + close FILE; + if (open(FILE, "/proc/${pid}/status")){ + while (){ + if (/^Name:\W+(.*)/) { + $testcmd = $1; + } + } + close FILE; + } + if (open(FILE, "/proc/${pid}/status")) { + while () { + my ($key, $val) = split(":", $_, 2); + if ($key eq 'VmRSS') { + $val =~ /\s*([0-9]*)\s+kB/; + # Convert kB to B + $memory = $1*1024; + last; + } + } + close(FILE); + } + if ($testcmd =~ /$exename/){ + $status = "\"servicename\":\"$cmd\",\"state\":1,\"pid\":$pid,\"memory\":$memory"; + } + } + return $status; +} + +sub isautorun{ + my $cmd = $_[0]; + my $status = "0"; + my $init = `find /etc/rc.d/rc3.d/S??${cmd} 2>/dev/null`; + chomp ($init); + if ($init ne ''){ + $status = "1"; + } + $init = `find /etc/rc.d/rc3.d/off/S??${cmd} 2>/dev/null`; + chomp ($init); + if ($init ne ''){ + $status = "0"; + } + + return $status; +} + +sub addonservicestats{ + my $cmd = $_[0]; + my $status = "0"; + my $pid = ''; + my $testcmd = ''; + my $exename; + my @memory = (0); + + $testcmd = `sudo /usr/local/bin/addonctrl $_ status 2>/dev/null`; + + if ( $testcmd =~ /is\ running/ && $testcmd !~ /is\ not\ running/){ + $status = "\"state\":1"; + + $testcmd =~ s/.* //gi; + $testcmd =~ s/[a-z_]//gi; + $testcmd =~ s/\[[0-1]\;[0-9]+//gi; + $testcmd =~ s/[\(\)\.]//gi; + $testcmd =~ s/ //gi; + $testcmd =~ s///gi; + + my @pid = split(/\s/,$testcmd); + $status .=",\"pid\":\"$pid[0]\""; + + my $memory = 0; + + foreach (@pid){ + chomp($_); + if (open(FILE, "/proc/$_/statm")){ + my $temp = ; + @memory = split(/ /,$temp); + } + $memory+=$memory[0]; + } + $memory*=1024; + $status .=",\"memory\":$memory"; + }else{ + $status = "\"state\":0"; + } + return $status; +} diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers index 1b362a4fd..340bb8e66 100644 --- a/config/zabbix_agentd/sudoers +++ b/config/zabbix_agentd/sudoers 
@@ -14,4 +14,4 @@ # Append / edit the following list of commands to fit your needs: # Defaults:zabbix !requiretty -zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status +zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/local/bin/addonctrl, /sbin/iptables, /usr/sbin/fping diff --git a/config/zabbix_agentd/template_module_ipfire_network_stats.conf b/config/zabbix_agentd/template_module_ipfire_network_stats.conf new file mode 100644 index 000000000..f1658ed07 --- /dev/null +++ b/config/zabbix_agentd/template_module_ipfire_network_stats.conf @@ -0,0 +1,4 @@ +### Parameters for monitoring IPFire network statistics +UserParameter=ipfire.net.gateway.pingtime,sudo /usr/sbin/fping -c 3 gateway 2>&1 | tail -n 1 | awk '{print $NF}' | cut -d '/' -f2 +UserParameter=ipfire.net.gateway.ping,sudo /usr/sbin/fping -q -r 3 gateway; [ ! $? ]; echo $? +UserParameter=ipfire.net.fw.hits[*],sudo /sbin/iptables -vnxL $1 | grep "\/\* $2 \*\/" | awk '{ print $$2 }'; diff --git a/config/zabbix_agentd/template_module_ipfire_services.conf b/config/zabbix_agentd/template_module_ipfire_services.conf new file mode 100644 index 000000000..5f95218e3 --- /dev/null +++ b/config/zabbix_agentd/template_module_ipfire_services.conf @@ -0,0 +1,2 @@ +### Parameter for monitoring IPFire services +UserParameter=ipfire.services,/etc/zabbix_agentd/scripts/ipfire_services.pl diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 73e08d20a..c0d28d51f 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd PAK_VER = 5 -DEPS = +DEPS = "fping" ############################################################################### # Top-level Rules 
@@ -97,6 +97,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) /etc/zabbix_agentd/zabbix_agentd.conf.ipfirenew install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/template_app_pakfire.conf \ /etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf.ipfirenew + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/template_module_ipfire_network_stats.conf \ + /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_network_stats.conf.ipfirenew + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/template_module_ipfire_services.conf \ + /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_services.conf.ipfirenew + install -v -m 755 $(DIR_SRC)/config/zabbix_agentd/ipfire_services.pl \ + /etc/zabbix_agentd/scripts/ipfire_services.pl.ipfirenew # Create directory for additional agent modules -mkdir -pv /usr/lib/zabbix diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/install.sh index 4248a7ec1..ced915c81 100644 --- a/src/paks/zabbix_agentd/install.sh +++ b/src/paks/zabbix_agentd/install.sh @@ -66,8 +66,13 @@ restore_backup ${NAME} # Put zabbix configfiles in place setup_configfile /etc/zabbix_agentd/zabbix_agentd.conf setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf +setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_network_stats.conf +setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_services.conf setup_configfile /etc/sudoers.d/zabbix +# Overwrite script if it exists as user should not modify it but it is included in backup +mv /etc/zabbix_agentd/scripts/ipfire_services.pl.ipfirenew /etc/zabbix_agentd/scripts/ipfire_services.pl + if $review_required; then echo "WARNING: New versions of some configfile(s) where provided as .ipfirenew-files." echo " They may need manual review in order to take advantage of new features" diff --git a/src/paks/zabbix_agentd/uninstall.sh b/src/paks/zabbix_agentd/uninstall.sh index 7a13880c5..ccbc8f7cf 100644 
--- a/src/paks/zabbix_agentd/uninstall.sh +++ b/src/paks/zabbix_agentd/uninstall.sh @@ -26,6 +26,8 @@ stop_service ${NAME} # Remove .ipfirenew files in advance so they won't be included in backup rm -rfv /etc/zabbix_agentd/*.ipfirenew /etc/zabbix_agentd/*/*.ipfirenew +# Remove script-file as it should not have been modified by user +rm -fv /etc/zabbix_agentd/scripts/ipfire_services.pl make_backup ${NAME} remove_files
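
Review bot: In config/zabbix_agentd/ipfire_services.pl, addonservicestats() copies its argument into $cmd but then runs `sudo /usr/local/bin/addonctrl $_ status` with the caller's global $_, and it does so through a shell via backticks. Use $cmd there, and prefer a list-form pipe open such as open(my $fh, '-|', 'sudo', '/usr/local/bin/addonctrl', $cmd, 'status') so that a name taken from /etc/init.d is never interpreted by the shell on its way to a sudo command. Separately, servicestats() emits "state":"0" as a string when a service is down but "state":1 as a number when it is up, and $memory stays undefined when no VmRSS line is read, which produces invalid JSON. Building the result as a Perl data structure and encoding it with the core JSON::PP module would fix the typing and also escape the service names.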
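
Review bot: The changed line in config/zabbix_agentd/sudoers lists /usr/local/bin/addonctrl, /sbin/iptables and /usr/sbin/fping with no argument restriction, so the zabbix user can run each of them as any user with any arguments, which for iptables includes modifying the ruleset on the firewall itself. The UserParameters and script in this patch only call `iptables -vnxL ...`, `addonctrl <name> status` and two fixed fping command lines, so restrict each entry to those argument forms, the way the existing `/opt/pakfire/pakfire status` entry already does. The comment above the rule invites users to append commands, so a narrow default matters here.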
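
Review bot: In config/zabbix_agentd/template_module_ipfire_network_stats.conf, the ipfire.net.gateway.ping item ends with `[ ! $? ]; echo $?`, and because `[ ! STRING ]` is true only for an empty string and $? is never empty, the test always fails and the item reports 1 whether or not fping reached the gateway. If the intent is 1 for reachable and 0 for unreachable, `sudo /usr/sbin/fping -q -r 3 gateway && echo 1 || echo 0` does that. In ipfire.net.fw.hits[*], $1 and $2 are placed unquoted into a sudo iptables command line and a grep pattern. Quote "$1", match the rule comment as a fixed string (grep -F) rather than as a regular expression, and document that this item relies on the agent's UnsafeUserParameters setting staying at its default of 0.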