From patchwork Tue Sep 10 21:12:31 2024
X-Patchwork-Submitter: Robin Roevens
X-Patchwork-Id: 8104
From: Robin Roevens
To: development@lists.ipfire.org
Subject: [PATCH] zabbix_agentd: Add IPFire services.get item
Date: Tue, 10 Sep 2024 23:12:31 +0200
Message-ID: <20240910212924.1685603-2-robin.roevens@disroot.org>
In-Reply-To: <20240910212924.1685603-1-robin.roevens@disroot.org>
References: <20240910212924.1685603-1-robin.roevens@disroot.org>

- Adds Zabbix Agent userparameter `ipfire.services.get` for the agent to get details about configured IPFire services (builtin and addon-services)
- Includes `ipfire_services.pl` script in sudoers for Zabbix Agent as it needs root permission to call addonctrl for addon service states.
- Adapts lfs install script to install new script
- Adds new script to rootfiles

--- config/rootfiles/packages/zabbix_agentd | 1 + config/zabbix_agentd/ipfire_services.pl | 212 ++++++++++++++++++ config/zabbix_agentd/sudoers | 1 + .../zabbix_agentd/userparameter_ipfire.conf | 4 +- lfs/zabbix_agentd | 2 + 5 files changed, 219 insertions(+), 1 deletion(-) create mode 100755 config/zabbix_agentd/ipfire_services.pl diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index 8e10cb4c8..ffa66f307 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -23,3 +23,4 @@ var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf var/ipfire/zabbix_agentd/scripts var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh +var/ipfire/zabbix_agentd/scripts/ipfire_services.pl diff --git a/config/zabbix_agentd/ipfire_services.pl b/config/zabbix_agentd/ipfire_services.pl new file mode 100755 index 000000000..c3233f6c9 --- /dev/null +++ b/config/zabbix_agentd/ipfire_services.pl 
@@ -0,0 +1,212 @@ +#!/usr/bin/perl +############################################################################### +# ipfire_services.pl - Retrieves available IPFire services information and +# return this as a JSON array suitable for easy processing +# by Zabbix server +# +# Author: robin.roevens (at) disroot.org +# Version: 3.0 +# +# Copyright (C) 2007-2024 IPFire Team +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +############################################################################### + +use strict; + +# enable only the following on debugging purpose +# use warnings; + +# Load General functions +require "/var/ipfire/general-functions.pl"; + +# Load Pakfire functions +require "/opt/pakfire/lib/functions.pl"; + +my $first = 1; + +print "["; + +# Built-in services +my %services = ( + # DHCP Server + 'DHCP Server' => { + "process" => "dhcpd", + }, + + # Web Server + 'Web Server' => { + "process" => "httpd", + }, + + # Cron Server + 'CRON Server' => { + "process" => "fcron", + }, + + # DNS Proxy + 'DNS Proxy Server' => { + "process" => "unbound", + }, + + # Syslog + 'Logging Server' => { + "process" => "syslogd", + }, + + # Kernel Logger + 'Kernel Logging Server' => { + "process" => "klogd", + }, + + # Time Server + 'NTP Server' => { + "process" => "ntpd", + }, + + # SSH Server + 'Secure Shell Server' => { + "process" => "sshd", + }, + + # IPsec + 'VPN' => { + "process" => "charon", + }, + + # 
Web Proxy + 'Web Proxy' => { + "process" => "squid", + }, + + # IPS + 'Intrusion Prevention System' => { + "process" => "suricata", + "pidfile" => "/var/run/suricata.pid", + }, + + # OpenVPN Roadwarrior + 'OpenVPN Roadwarrior Server' => { + "process" => "openvpn", + "pidfile" => "/var/run/openvpn.pid", + } +); + +foreach my $service (sort keys %services){ + my %config = %{ $services{$service} }; + + my $pidfile = $config{"pidfile"}; + my $process = $config{"process"}; + + # Collect all pids + my @pids = (); + + # Read the PID file or go search... + if (defined $pidfile) { + @pids = &General::read_pids("${pidfile}"); + } else { + @pids = &General::find_pids("${process}"); + } + + # Not Running + my $status = "\"state\":\"0\""; + + # Running? + if (scalar @pids) { + # Get memory consumption + my $mem = &General::get_memory_consumption(@pids); + + $status = "\"state\":1,\"pids\":[" . join(',', @pids) . "],\"memory\":$mem"; + } + + print "," if not $first; + $first = 0; + + print "{"; + print "\"service\":\"$service\",\"servicename\":\"$process\",$status"; + print "}"; +} + +# Generate list of installed addon pak's +my %paklist = &Pakfire::dblist("installed"); + +foreach my $pak (keys %paklist) { + my %metadata = &Pakfire::getmetadata($pak, "installed"); + + # If addon contains services + if ("$metadata{'Services'}") { + foreach my $service (split(/ /, "$metadata{'Services'}")) { + print ","; + print "{"; + + print "\"service\":\"Addon: $metadata{'Name'}\","; + print "\"servicename\":\"$service\","; + + my $onboot = isautorun($pak, $service); + print "\"onboot\":$onboot,"; + + print &addonservicestats($pak, $service); + + print "}"; + } + } +} + +print "]"; + +sub isautorun() { + my ($pak, $service) = @_; + my @testcmd = &General::system_output("/usr/local/bin/addonctrl", "$pak", "boot-status", "$service"); + my $testcmd = @testcmd[0]; + my $status = 9; + + # Check if autorun for the given service is enabled. 
+ if ( $testcmd =~ /enabled\ on\ boot/ ) { + $status = 1; + } elsif ( $testcmd =~ /disabled\ on\ boot/ ) { + $status = 0; + } + + # Return the status. + return $status; +} + +sub addonservicestats() { + my ($pak, $service) = @_; + my $testcmd = ''; + my $exename; + my @memory = (0); + + my @testcmd = &General::system_output("/usr/local/bin/addonctrl", "$pak", "status", "$service"); + my $testcmd = @testcmd[0]; + + my $status = "\"state\":0"; + if ( $testcmd =~ /is\ running/ && $testcmd !~ /is\ not\ running/){ + $testcmd =~ s/.* //gi; + $testcmd =~ s/[a-z_]//gi; + $testcmd =~ s/\[[0-1]\;[0-9]+//gi; + $testcmd =~ s/[\(\)\.]//gi; + $testcmd =~ s/ //gi; + $testcmd =~ s///gi; + + my @pids = split(/\s/,$testcmd); + + # Fetch the memory consumption + my $memory = &General::get_memory_consumption(@pids); + + $status = "\"state\":1,\"pids\":[" . join(',', @pids) . "],\"memory\":$memory"; + } + return $status; +} diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers index 138c75635..78e175980 100644 --- a/config/zabbix_agentd/sudoers +++ b/config/zabbix_agentd/sudoers @@ -10,3 +10,4 @@ Defaults:zabbix !requiretty zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/local/bin/getipstat, /bin/cat /var/run/ovpnserver.log zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh +zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_services.pl diff --git a/config/zabbix_agentd/userparameter_ipfire.conf b/config/zabbix_agentd/userparameter_ipfire.conf index d2d0c8307..cc0bd9f8e 100644 --- a/config/zabbix_agentd/userparameter_ipfire.conf +++ b/config/zabbix_agentd/userparameter_ipfire.conf 
@@ -9,4 +9,6 @@ UserParameter=ipfire.net.fw.hits.raw,sudo /usr/local/bin/getipstat -xf | grep "/ # Number of currently Active DHCP leases UserParameter=ipfire.dhcpd.clients,grep -s -E 'lease|bind' /var/state/dhcp/dhcpd.leases | sed ':a;/{$/{N;s/\n//;ba}' | grep "state active" | wc -l # Number of Captive Portal clients -UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients \ No newline at end of file +UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients +# Services list and state +UserParameter=ipfire.services.get,sudo /var/ipfire/zabbix_agentd/scripts/ipfire_services.pl \ No newline at end of file diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 06956ad41..3e806c1da 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -117,6 +117,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -mkdir -pv /var/ipfire/zabbix_agentd/scripts install -v -m 755 $(DIR_SRC)/config/zabbix_agentd/ipfire_certificate_detail.sh \ /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh + install -v -m 755 $(DIR_SRC)/config/zabbix_agentd/ipfire_services.pl \ + /var/ipfire/zabbix_agentd/scripts/ipfire_services.pl # Create directory for additional agent modules -mkdir -pv /usr/lib/zabbix
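
Review bot: In config/zabbix_agentd/ipfire_services.pl the JSON is assembled by string concatenation, and the not-running default in the built-in services loop is `"state":"0"` (a quoted string) while the running branch and addonservicestats() emit the numbers `"state":1` and `"state":0`, so the same field changes type with the service state. Emit `"state":0` there. The same concatenation places `$service`, `$process` and `$metadata{'Name'}` between quotes unescaped, so a double quote or backslash in pak metadata would produce invalid JSON from a script that runs as root. Consider collecting the entries in a Perl array of hashes and serialising once with a JSON encoder (JSON::PP ships with core Perl, assuming it is present on the target), which also removes the `$first` bookkeeping. Smaller points in the same file: `@testcmd[0]` should be `$testcmd[0]` in both subs and `my $testcmd` is declared twice in addonservicestats(), both of which the commented-out `use warnings` would report; `$exename` and `@memory` are never used.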
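
Review bot: The new rule in config/zabbix_agentd/sudoers lets zabbix run ipfire_services.pl as any user and with any arguments, although the script takes none and only needs root. Narrowing it to `zabbix ALL=(root) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_services.pl ""` (the empty string forbids arguments) keeps the grant to what the UserParameter actually uses. Because the script runs as root and `require`s /var/ipfire/general-functions.pl and /opt/pakfire/lib/functions.pl, please also confirm that the script, those two files and their parent directories are root-owned and not writable by the zabbix user; the lfs hunk installs with `-m 755` but sets no owner explicitly.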
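
Review bot: In config/zabbix_agentd/userparameter_ipfire.conf the added `UserParameter=ipfire.services.get` line is again the last line without a trailing newline (`\ No newline at end of file`), so the next key appended here will have to rewrite it, just as this patch rewrites the ipfire.captive.clients line. End the file with a newline.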