Reviewed-by: Adolf Belka On 28/02/2024 19:58, Robin Roevens wrote: > - Adds Zabbix Agent userparameters `ipfire.ovpn.clientcert` and `ipfire.ovpn.cacert` for the agent to get details about openvpn client, server and ca certificates. > - Moves all `ipfire.ovpn.*` userparameters to a separate config file `userparameter_ovpn.conf` to enable users to selectively disable openvpn items when not needed > - Includes `ipfire_certificate_detail.sh` script in sudoers for Zabbix Agent as it needs root permission to read openvpn certificate details. > - Adapts lfs install script to install new script and configfile > - Adds new script and configfile to rootfiles > --- > config/rootfiles/packages/zabbix_agentd | 3 +++ > config/zabbix_agentd/sudoers | 1 + > config/zabbix_agentd/userparameter_ipfire.conf | 8 +------- > config/zabbix_agentd/userparameter_ovpn.conf | 13 +++++++++++++ > lfs/zabbix_agentd | 7 +++++++ > 5 files changed, 25 insertions(+), 7 deletions(-) > create mode 100644 config/zabbix_agentd/userparameter_ovpn.conf > > diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd > index 729a47ac6..8e10cb4c8 100644 > --- a/config/rootfiles/packages/zabbix_agentd > +++ b/config/rootfiles/packages/zabbix_agentd > @@ -20,3 +20,6 @@ var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf > var/ipfire/zabbix_agentd/userparameters > var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf > var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf > +var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf > +var/ipfire/zabbix_agentd/scripts > +var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh > diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers > index d93ec5d55..138c75635 100644 > --- a/config/zabbix_agentd/sudoers > +++ b/config/zabbix_agentd/sudoers > @@ -9,3 +9,4 @@ > # > Defaults:zabbix !requiretty > zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/local/bin/getipstat, /bin/cat /var/run/ovpnserver.log > +zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh > diff --git a/config/zabbix_agentd/userparameter_ipfire.conf b/config/zabbix_agentd/userparameter_ipfire.conf > index ba0c6c2ca..d2d0c8307 100644 > --- a/config/zabbix_agentd/userparameter_ipfire.conf > +++ b/config/zabbix_agentd/userparameter_ipfire.conf > @@ -9,10 +9,4 @@ UserParameter=ipfire.net.fw.hits.raw,sudo /usr/local/bin/getipstat -xf | grep "/ > # Number of currently Active DHCP leases > UserParameter=ipfire.dhcpd.clients,grep -s -E 'lease|bind' /var/state/dhcp/dhcpd.leases | sed ':a;/{$/{N;s/\n//;ba}' | grep "state active" | wc -l > # Number of Captive Portal clients > -UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients > -# Discovery of configured ovpn clients > -UserParameter=ipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpnconfig 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{\"{#NAME}\":\"%s\",\"{#COMMONNAME}\":\"%s\",\"{#STATE}\":\"%s\",\"{#REMARK}\":\"%s\",\"{#TYPE}\":\"%s\"}", separator, $3, $4, $2, $27, $5; separator = ","; } END { print "]" }' > -# Get OpenVPN status report > -UserParameter=ipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf "\"timestamp\":%s,\"clients\":[",unixtime($2) } /^.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{\"common_name\":\"%s\",\"real_address\":\"%s\",\"bytes_in\":\"%s\",\"bytes_out\":\"%s\",\"connected_since\":\"%s\"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],\"routing_table\":["; separator = "" } /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{\"common_name\":\"%s\",\"virtual_address\":\"%s\",\"real_address\":\"%s\",\"last_ref\":\"%s\"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }' > -# Allow item key to be called with (unused) parameters. This allows the #SINGLETON method of discovering this item only when openvpn service is active > -Alias=ipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get > \ No newline at end of file > +UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients > \ No newline at end of file > diff --git a/config/zabbix_agentd/userparameter_ovpn.conf b/config/zabbix_agentd/userparameter_ovpn.conf > new file mode 100644 > index 000000000..a7a6d8535 > --- /dev/null > +++ b/config/zabbix_agentd/userparameter_ovpn.conf > @@ -0,0 +1,13 @@ > +# Parameters for monitoring IPFire OpenVPN specific metrics > +# > +# Discovery of configured ovpn clients > +UserParameter=ipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpnconfig 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{\"{#NAME}\":\"%s\",\"{#COMMONNAME}\":\"%s\",\"{#STATE}\":\"%s\",\"{#REMARK}\":\"%s\",\"{#TYPE}\":\"%s\"}", separator, $3, $4, $2, $27, $5; separator = ","; } END { print "]" }' > +# Get OpenVPN status report > +UserParameter=ipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf "\"timestamp\":%s,\"clients\":[",unixtime($2) } /^.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{\"common_name\":\"%s\",\"real_address\":\"%s\",\"bytes_in\":\"%s\",\"bytes_out\":\"%s\",\"connected_since\":\"%s\"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],\"routing_table\":["; separator = "" } /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{\"common_name\":\"%s\",\"virtual_address\":\"%s\",\"real_address\":\"%s\",\"last_ref\":\"%s\"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }' > +# Get OpenVPN client certificate details > +UserParameter=ipfire.ovpn.clientcert[*],sudo /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/certs/$1cert.pem > +UserParameter=ipfire.ovpn.cacert,sudo /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/ca/cacert.pem > + > +# Allow item key to be called with (unused) parameters. This allows the #SINGLETON method of discovering this item only when openvpn service is active > +Alias=ipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get > +Alias=ipfire.ovpn.cacert[]:ipfire.ovpn.cacert > \ No newline at end of file > diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd > index 65e111d2f..5f274c309 100644 > --- a/lfs/zabbix_agentd > +++ b/lfs/zabbix_agentd > @@ -110,6 +110,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > /var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf > install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ipfire.conf \ > /var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf > + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ovpn.conf \ > + /var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf > + > + # Install IPFire-specific Zabbix Agent scripts > + -mkdir -pv /var/ipfire/zabbix_agentd/scripts > + install -v -m 755 $(DIR_SRC)/config/zabbix_agentd/ipfire_certificate_detail.sh \ > + /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh > > # Create directory for additional agent modules > -mkdir -pv /usr/lib/zabbix