mirror of https://git.FreeBSD.org/ports.git synced 2024-12-26 05:02:18 +00:00
freebsd-ports/net-mgmt/netmond/files/README.port.eng
Rong-En Fan 35bd14c7a1
- Add a PIPE method (see README for details)
- Use USE_RC_SUBR for rc scripts
- Use SUB_FILES to simplify
- Update pkg-descr

PR:		ports/105564
Submitted by:	Viktor Fomichev <vfom at narod.ru> (maintainer)
2006-11-29 13:29:09 +00:00


netmond-2.2-b6-port
This document describes the additions and changes relative to the original
netmon-2.2-b6 source code.
##################################################################
SrcAddress patch
##################################################################
Sometimes you need to set the source IP address explicitly for packets
sent to a host from a multihomed (or multi-aliased) host.
For example:
- you need to check reachability of a host via a predefined route, not
the default route for that host;
- the remote host may have "strangely" configured packet filters that
accept only specific source IP addresses;
- traffic priority settings exist somewhere on the path to the host,
which may hurt network management traffic while some links are overloaded.
The directive "SrcAddress" has been added in the global context and in the
object context.
In the global context this directive sets the source IP address for all
objects whose own definition does not set one.
If no directive is given, the default source address 0.0.0.0 is used.
Inside an object definition the directive sets the source IP address for
that object only. All IP packets sent to that host carry this source address.
When the directive is used nowhere, the program behaves exactly as before
the patch was applied.
Example:
SrcAddress "192.168.2.1"
Object "somehost" {
Address "192.168.1.2"
SrcAddress "192.168.1.1"
....................
}
Flaws:
No validity check is applied to the address up front, so a mistyped
IP address is not noticed until the first packet is processed.
The NetState server cannot report the source IP addresses of objects.
##################################################################
UID-GID-ChRoot Patch
##################################################################
The save methods PIPE and FILE sometimes need to fork a child process.
Usually "netmond" runs with "root" privileges, so the child processes
would have "root" privileges too. This is insecure.
The directives "UserName", "GroupName" and "ChRootDir" have been added in
the global context.
When these directives are used, the child process, after 'fork' but before
'exec', performs "chroot" to the specified directory (no directive, no
"chroot") and then changes its GID and UID.
By default no chroot is performed, UserName = netmon, GroupName = netmon.
Example:
UserName "nobody"
GroupName "nogroup"
ChRootDir "/var/netmon"
You can still set UserName=root GroupName=wheel if you really need it, but
then the child keeps full root privileges.
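The following Python script is an added example (not netmond's code) of the fork-then-drop sequence described above, written in the order that makes it safe: chroot and chdir while still root, group before user, supplementary groups cleared, and a check that root cannot be regained before the child execs the 'programm'. The directive names and the netmon/netmon default follow the README; run_pipe_program and the /var/netmon demo path are illustrative, and actually dropping to another user requires starting as root.

```python
#!/usr/bin/env python3
"""Drop privileges in the child as the UID-GID-ChRoot patch describes
(added example; not netmond's code). Mirrors UserName, GroupName and
ChRootDir with the patch's defaults (netmon/netmon, no chroot)."""
import grp
import os
import pwd
import sys


def resolve_ids(user_name="netmon", group_name=None):
    """Map UserName/GroupName to numeric ids. Without GroupName the
    user's primary group is used."""
    pw = pwd.getpwnam(user_name)
    gid = grp.getgrnam(group_name).gr_gid if group_name else pw.pw_gid
    return pw.pw_uid, gid


def drop_privileges(user_name="netmon", group_name=None, chroot_dir=None):
    """Call in the child after fork() and before exec(). Order matters:
    chroot needs root, so it comes first; setgid needs root, so it
    precedes setuid. Returns the (uid, gid) actually in effect."""
    uid, gid = resolve_ids(user_name, group_name)
    if chroot_dir:
        os.chroot(chroot_dir)
        os.chdir("/")          # otherwise the cwd still points outside the jail
    if os.getuid() == 0:
        os.setgroups([gid])    # drop root's supplementary groups as well
    os.setgid(gid)
    os.setuid(uid)
    if uid != 0:
        # Prove the drop is irreversible before exec'ing the 'programm'.
        try:
            os.setuid(0)
        except PermissionError:
            return os.getuid(), os.getgid()
        raise RuntimeError("could regain root after setuid(); refusing to exec")
    return os.getuid(), os.getgid()


def run_pipe_program(argv, user_name="netmon", group_name=None, chroot_dir=None):
    """fork / drop / exec as netmond does for a PIPE or FILE 'programm'.
    Returns the child's exit code. Note that argv[0] is resolved inside
    the chroot once ChRootDir is set."""
    pid = os.fork()
    if pid == 0:
        try:
            drop_privileges(user_name, group_name, chroot_dir)
            os.execv(argv[0], argv)
        except BaseException as exc:
            print(f"child: {exc}", file=sys.stderr)
            os._exit(127)
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status)


if __name__ == "__main__":
    # Equivalent of: UserName "nobody", no GroupName, ChRootDir "/var/netmon"
    # (demo values; /bin/id must exist inside the jail).
    print(run_pipe_program(["/bin/id"], "nobody", None, "/var/netmon"))
```

A child that can still call setuid(0) after the drop has not really lost root (for example when only the effective uid was changed), which is why the script refuses to exec in that case.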
##################################################################
NetState BindAddress Patch
##################################################################
Sometimes you need to set explicitly the IP address the NetState server
binds to.
The directive "BindAddress" has been added in the "Port" context.
Example:
Port 3333 {
BindAddress "192.168.1.1"
............
}
Or:
NetState {
Port 3333
BindAddress "192.168.1.1"
}
By default NetState accepts incoming TCP connections on all local
addresses.
##################################################################
Trap Patch
##################################################################
Sometimes you need to set explicitly the IP address on which incoming SNMP
traps are accepted.
The directive "TrapBindAddress" has been added in the global context.
Example:
TrapBindAddress "192.168.1.1"
By default the trap collector accepts incoming SNMP traps on all local
addresses.
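SrcAddress, BindAddress and TrapBindAddress all take an IPv4 literal that must belong to the local host, and the SrcAddress section notes that a mistyped address is only discovered when the first packet goes out. The script below is an added example (not part of netmond or the port) that lints those three directives before the daemon is started: it flags values that are not IPv4 addresses and, by binding a throw-away UDP socket, values not assigned to any local interface. It assumes only the config syntax shown in this README (Name "value" directives; Object, Port and NetState blocks delimited by braces); the sample config is constructed.

```python
#!/usr/bin/env python3
"""Lint the address directives of a netmond.conf before starting the daemon
(added example; not part of netmond or the FreeBSD port)."""
import ipaddress
import re
import socket

# Directives from this README that take an IPv4 literal naming a local address.
ADDRESS_DIRECTIVES = ("SrcAddress", "BindAddress", "TrapBindAddress")

_DIRECTIVE = re.compile(r'^\s*(\w+)\s+"([^"]*)"')
_BLOCK_OPEN = re.compile(r'^\s*(Object|Port|NetState)\b([^{]*)\{')


def find_address_directives(conf_text):
    """Return (line_no, context, directive, value) for every address
    directive; context is 'global' or the enclosing block header."""
    found, context, depth = [], "global", 0
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        block = _BLOCK_OPEN.match(line)
        if block:
            context = (block.group(1) + " " + block.group(2).strip()).strip()
            depth += 1
        directive = _DIRECTIVE.match(line)
        if directive and directive.group(1) in ADDRESS_DIRECTIVES:
            found.append((line_no, context, directive.group(1), directive.group(2)))
        if "}" in line:
            depth -= 1
            if depth == 0:
                context = "global"
    return found


def check_address(value, probe_bind=True):
    """Return None when value is usable, otherwise a description of the
    problem. With probe_bind a throw-away UDP socket is bound to the address,
    which is the same failure netmond would otherwise hit on its first packet."""
    try:
        ip = ipaddress.IPv4Address(value)
    except ValueError:
        return f"{value!r} is not an IPv4 address"
    if ip.is_unspecified:
        return None            # 0.0.0.0: netmond's default, all local addresses
    if ip.is_multicast:
        return f"{value} is a multicast address"
    if probe_bind:
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
                sock.bind((value, 0))
        except OSError as exc:
            return f"{value} is not assigned to a local interface ({exc.strerror})"
    return None


def lint_config(conf_text, probe_bind=True):
    """Return one 'line N (<context>): ...' string per bad address directive."""
    problems = []
    for line_no, context, directive, value in find_address_directives(conf_text):
        problem = check_address(value, probe_bind)
        if problem:
            problems.append(f"line {line_no} ({context}): {directive} {problem}")
    return problems


# Constructed sample: a typo in TrapBindAddress and a per-object SrcAddress
# that is on no local interface (203.0.113.0/24 is documentation space).
SAMPLE_CONF = """\
SrcAddress "127.0.0.1"
TrapBindAddress "192.168.1.999"
Object "somehost" {
    Address "192.168.1.2"
    SrcAddress "203.0.113.7"
}
NetState {
    Port 3333
    BindAddress "0.0.0.0"
}
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    problems = lint_config(text)
    print("\n".join(problems) or "no address problems found")
    sys.exit(1 if problems else 0)
```

Run it from the rc script (or by hand) with the real config path as the argument; a non-zero exit means the daemon would have started with a source or bind address it cannot actually use.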
##################################################################
The PID file is always written to /var/run/netmond.pid
##################################################################
Russian letters can now be used in NetState requests and regular
expressions.
##################################################################
Object multiple states
##################################################################
With this patch applied an object has more states: UP DEGRADED WARNING DOWN NONE
(before there were only the UP DOWN NONE states).
An object goes to the DOWN state when ALL of its checking "Methods" fail.
DEGRADED means that some of the object's "Methods" failed while others completed successfully.
WARNING means that some slave sub-object (interface, service, BGP peer, ENVMON, etc.)
is not in the UP|NORMAL|ESTABLISHED state.
##################################################################
Method WHEN
##################################################################
As in the saving method WHEN, you define a logical expression, a format for
the resulting string and a timeout. If the logical expression evaluates to
TRUE all the time during the timeout, the method fails. As a result, the variable
'OBJECT!methodname' becomes equal to the formatted result string
and the object goes to the DEGRADED state.
Example:
Method "CPU_alarm" {
When "$LoadAve > 20" 300 "Attention! LoadAve too much! ($LoadAve)"
}
The main goal of this method is to change the (sub)object state when performance
thresholds are exceeded.
Attention! The variables used here must be collected by other methods.
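Added example, not netmond's code: a small model of the WHEN timing rule ("TRUE all the time during timeout", so a short spike never fires) together with the state combination rules from the "Object multiple states" section above. Two things are assumptions: the method recovers as soon as the expression is FALSE again, and DEGRADED outranks WARNING when both would apply (the README does not state a precedence). The predicate stands in for netmond's expression evaluator and the load samples are constructed.

```python
#!/usr/bin/env python3
"""Model of netmond's WHEN method timing and the object state rules
(added example; not netmond's code)."""

UP, DEGRADED, WARNING, DOWN, NONE = "UP", "DEGRADED", "WARNING", "DOWN", "NONE"
HEALTHY_SUBOBJECT_STATES = ("UP", "NORMAL", "ESTABLISHED")


class WhenMethod:
    """One Method { When "<expr>" <timeout> "<format>" } block.

    The method fails only when the expression has been TRUE at every sample
    for a whole `timeout` seconds; a FALSE sample restarts the clock.
    `predicate` stands in for netmond's expression evaluator and `fmt`
    uses str.format with the variable names."""

    def __init__(self, name, predicate, timeout, fmt):
        self.name, self.predicate, self.timeout, self.fmt = name, predicate, timeout, fmt
        self.true_since = None
        self.result = None      # value of OBJECT!<name> once the method has failed

    def sample(self, variables, now):
        """Feed the variables mined by other methods at time `now` (seconds).
        Returns True while the method is in the failed state."""
        if not self.predicate(variables):
            self.true_since = None
            self.result = None  # assumed: the method recovers once the expression is FALSE
            return False
        if self.true_since is None:
            self.true_since = now
        if now - self.true_since >= self.timeout:
            self.result = self.fmt.format(**variables)
            return True
        return False


def object_state(method_ok, subobject_states=()):
    """Combine per-method outcomes (True = succeeded) and slave sub-object
    states into the object state from the README: DOWN when all methods
    failed, DEGRADED when only some failed, WARNING when a sub-object is
    outside UP|NORMAL|ESTABLISHED, else UP; NONE when there is nothing to
    judge. Assumed precedence: DEGRADED (an own check failed) beats WARNING."""
    method_ok = list(method_ok)
    if not method_ok and not subobject_states:
        return NONE
    if method_ok and not any(method_ok):
        return DOWN
    if not all(method_ok):
        return DEGRADED
    if any(s not in HEALTHY_SUBOBJECT_STATES for s in subobject_states):
        return WARNING
    return UP


if __name__ == "__main__":
    # Constructed load samples for the README's CPU_alarm example (timeout 300 s):
    # a spike that ends at t=250 does not fire, sustained load from t=260 does at t=560.
    cpu_alarm = WhenMethod("CPU_alarm", lambda v: v["LoadAve"] > 20, 300,
                           "Attention! LoadAve too much! ({LoadAve})")
    for now, load in [(0, 25), (200, 25), (250, 5), (260, 30), (559, 30), (560, 30)]:
        failed = cpu_alarm.sample({"LoadAve": load}, now)
        print(f"t={now:4d} LoadAve={load:2d} failed={failed} "
              f"object={object_state([True, not failed])}")
    print(cpu_alarm.result)
```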
##################################################################
Method PIPE
##################################################################
Works like the TCP checking method, but instead of a TCP port on the remote host
you define the name of a 'program', which is executed locally.
You can use CHAT script statements, as in the TCP method.
Inside the 'program', chat messages arrive on STDIN and
the results have to be written to STDOUT.
On startup the program is given the argument string defined in the method
statement. Additionally, the environment variables OBJECT_NAME and OBJECT_ADDRESS
are preset. If they are explicitly defined in the config file, the variables
OBJECT_SRC_ADDRESS and OBJECT_DATADIR are preset too.
Example:
.....................
Method "CheckSSL" {
Pipe "/usr/local/bin/check_ssl.pl"
Timeout 3
ChatScript {
Expect "verify"
Send "GET /\n\r\n\r"
Expect "<HTML>"
}
}
................
/usr/local/bin/check_ssl.pl:
#!/usr/bin/perl
# netmond PIPE check program: bridges the chat script on STDIN/STDOUT to
# an SSL connection opened with openssl s_client.
use strict;
use warnings;
use FileHandle;
use IPC::Open2;

my $addr = $ENV{"OBJECT_ADDRESS"};        # set by netmond for every PIPE call
my $port = $ARGV[0] ? $ARGV[0] : "443";   # port may come from the method's argument string
my $pid;

# netmond sends SIGTERM when the chat is finished: tear down openssl and exit.
$SIG{TERM} = sub {
    close PRGR;
    close PRGW;
    close STDIN;
    close STDOUT;
    kill 'TERM', $pid if $pid;
    exit(0);
};

# -ssl3 is what the 2006 original used; SSLv3 is obsolete and OpenSSL builds
# since 1.1.0 leave it out, so a current installation needs a TLS option here.
$pid = open2(\*PRGR, \*PRGW, "/usr/bin/openssl s_client -quiet -ssl3 -connect $addr:$port");

# Forward the first chat message (the request) to openssl, then copy everything
# openssl returns to STDOUT, where netmond matches its Expect strings.
$_ = <STDIN>;
print PRGW $_;
while (<PRGR>) {
    print $_;
}
close STDOUT;
exit 0;
Each time the checking interval elapses, only ONE launch of the 'program' is attempted.
When the chat message exchange is finished, the pipe socket is closed and the 'program'
is notified with a SIGTERM signal.
The goal of this method is to check complex services where the simple TCP
method cannot be used and RSH or other text-based protocols cannot be used
on the remote side.
The 'program' is launched with the privileges defined globally
by the directives UserName and GroupName. If the directive ChRootDir is defined,
a chroot to that directory takes place before the run.
##################################################################
The interface index number limit has been raised to INT_MAX, so for MS Windows
servers you can write
Interface 65539 { }
Thanks to Artemiy Kropachev <kropachev(sobaka)rdu.kirov.ru>
##################################################################
Default config file = /usr/local/etc/netmond.conf