From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Peeking at unbound statistics from WUI
Date: Mon, 21 Jan 2019 11:38:51 +0000

Hi,

Collecty can do this already.

When we ping a host, we do this for more than just one round-trip. I think it is 10. Then, we calculate standard deviation, packet loss and some other metrics more. Hence the pink block around the line in the graph I linked.

Collecty also has a dbus interface. A client connects to that and asks the daemon to render an image with the given resolution, format, language, units and so on. Of course the start and end time can be specified. I don't have any UI to select this because I am really sh*t with frontend coding. But we can even export the graphs as PDF :)

-Michael

> On 21 Jan 2019, at 11:35, Tom Rymes wrote:
>
> While we are discussing useful statistics that would be nice to have, Smokeping would be a really nice thing to have, along with the ability to specify a custom time window. Sometimes I want to see more than an hour, but less than a day, etc.
>
> Tom
>
>> On Jan 21, 2019, at 6:03 AM, Michael Tremer wrote:
>>
>> Hey,
>>
>>> On 20 Jan 2019, at 17:07, Rachid Groeneveld wrote:
>>>
>>> Hi Bob and Michael,
>>>
>>> Thanks for the responses. Since the below is missing information I will try to recap and answer:
>>>
>>>>> On 17 Jan 2019, at 20:15, Rachid Groeneveld wrote:
>>>>>
>>>>> Hi all,
>>>>>
>>>>> I'm fairly new to perl and cgi scripts, I can find most of it on the web, but I've been unable to solve this riddle. Is it possible to query the unbound statistics from a cgi script? I can't seem to figure out how to do this without cron-ing a bash script and reading its output, I want them on-demand when a page is requested.
>>>>
>>>> That depends on what you need.
>>>>
>>>> The CGI scripts can in theory run any shell command. Those commands will be executed as an unprivileged user called "nobody" so that nobody else who gains access through a vulnerability in the web UI can change the system configuration for which root permissions would be required.
>>>>
>>>> For some special actions - for example reboot - we have special binaries that can then gain root privileges and perform very specific actions only.
>>>
>>> I think this is exactly the way it should work, I will read into those binaries and how to use 'em, thanks for the pointer. I don't have any desires to compromise security/safety in favor of reporting purposes.
>>>
>>>>> I think it's a permission issue, as far as I've been able to assess the webpages run under 'nobody' and unbound-control needs elevated rights to execute a peek at the statistics. I'm using the following command to do so: "unbound-control stats_noreset". That way I can query all the DNS info I want (for reporting purposes), because I don't think unbound was compiled with dnstap enabled. At least I haven't found anything to back that up, that would eliminate the need for peeking at stats, because an up-to-date database can be built (async). I will further investigate dnstap in a later stage.
>>>>
>>>> Running that command fails as follows:
>>>>
>>>> [root@ipfire ~]# sudo -u nobody unbound-control stats
>>>> error: Error setting up SSL_CTX client cert
>>>> /etc/unbound/unbound_control.pem: Permission denied
>>>>
>>>> The certificate that unbound uses is only supposed to be read by root.
>>>
>>> I figured as much, this only confirms the need for a specific binary to solve the issue.
>>>
>>>>> Can someone point me in the right direction for peeking unbound statistics from perl/cgi scripts? I've tried sudo-ing (I'd rather not, for security reasons), separate bash scripts and qx/backticks, they all seem to fail with exit code 256 which seems to be a permission problem. Running anything from an SSH session obviously succeeds, because then I have all the rights I need.
>>>>
>>>> Depending how fit you are with C, you can build such a "setuid binary" yourself. There is plenty of inspiration here:
>>>>
>>>> https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9ca75d8077a6f3d122b7a5e7ffaa71432;hb=HEAD
>>>>
>>>> But since you have said that you are not a developer, this might be a little bit hard :) Let me know where I can help out.
>>>
>>> I need to carefully read into this and see what it's all about and how I should use it. To be continued 😉
>>>
>>>> What are you building with all this?
>>>>
>>>> Best,
>>>> -Michael
>>>
>>> I've been looking at PiHole and Firewalla and I like how those dashboards are pleasing to the eye and wanted to achieve the same within IPFire. I think it's quite possible and IPFire hosts way more functionality, so why not the fancy dashboard? With that in mind I looked for info on the themes in IPF, I found that someone - a few years ago - already created an admin dashboard, but I never received responses to my communication attempts. So I thought, what the heck, I'll just create the dashboard myself, but in order to actually - have a dashboard - I need metrics. PiHole has an FTL implementation which includes (parts of) Unbound and they're able to show quite a bit of interesting information (see attachment, apologies for the size, I had to google it). Firewalla has the same, but is more tailored to SOHO and is managed through an app.
>>>
>>> TLDR; I want the dashboard to show metrics you can work with, like PiHole does. The whole controlling DNS and traffic part is not yet part of the scope. I already queried the network info (I used parts of other cgi's), DNS is the next step and then firewall stats (blocked/dropped, maybe per country etc.)
>>
>> Yes, they are quite pretty to look at. I am not entirely sure why people are so much in love with them because many dashboards out there (not talking about anything specifically) do not transport much information. They just show that the "system is busy". I am not sure whether that is useful information or not.
>>
>> IPFire doesn't have a very pretty stats section, but it does the job. The main job is to show what has happened over time. That is in recent history like "last week" or "yesterday" so that problems with the system can be spotted very easily; and showing trends over time so that people can see if bandwidth usage has "doubled" over a year or so. That would be information I care about.
>>
>> We have a thing called collecty which is supposed to achieve that in IPFire 3. It collects various system statistics, but you can probably add unbound and some other sources, too. It is written in Python which makes it easier to extend - although it has a little C module to talk to hard drives. It potentially could be ported to IPFire 2.
>>
>> Maybe it is worth having a look at that. IPFire 2 right now has loads of different scripts and tools that collect statistics. It would be nice to have this all in the same place and use it wherever we want to present this data.
>>
>> Here is the code:
>>
>> https://git.ipfire.org/?p=oddments/collecty.git;a=summary
>>
>> This is an example graph in SVG:
>>
>> https://people.ipfire.org/~ms/graph.svg
>>
>> Right now, there is no mechanism to get the raw data, but that is trivial to add. We could store the last hour with a really high resolution to make JS graphs look nice, too.
>>
>> -Michael
>>
>>>
>>> Cheers!
>>>
>>> -----Original message-----
>>> From: Development On behalf of Bob Brewer
>>> Sent: Saturday, 19 January 2019 11:44
>>> To: development@lists.ipfire.org
>>> Subject: Re: Peeking at unbound statistics from WUI
>>>
>>> Michael Tremer wrote:
>>>
>>>>> Can someone point me in the right direction for peeking unbound
>>>>> statistics from perl/cgi scripts? I've tried sudo-ing (I'd rather
>>>>> not, for security reasons), separate bash scripts and qx/backticks,
>>>>> they all seem to fail with exit code 256 which seems to be a permission problem.
>>>>> Running anything from an SSH session obviously succeeds, because then
>>>>> I have all the rights I need.
>>>>
>>>> Depending how fit you are with C, you can build such a "setuid binary"
>>>> yourself. There is plenty of inspiration here:
>>>>
>>> I had the same problem when porting the IPCop Banish addon to IPFire because the setuid binary program that was bundled with the original Banish addon did not run on a lot of the hardware I was using for testing.
>>>
>>> As a workaround I added my update command to /etc/sudoers as nobody ALL=NOPASSWD: /your/command/here so it can be run from the cgi with sudo.
>>>
>>> I suspect that this has security implications so use at your own risk.
>>>
>>>> https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9ca75d8077a6f3d122b7a5e7ffaa71432;hb=HEAD
>>>>
>>>> But since you have said that you are not a developer, this might be a
>>>> little bit hard :) Let me know where I can help out.
>>>>
>>>
>>> Thank you for the links Michael, this should be the way I should go with Banish. I'll see if I get something compiled for my prog.
>>>
>>> HTH
>>>
>>> Rob
>>>
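The privilege-separated helper the thread discusses (a small setuid-root binary in the spirit of IPFire's misc-progs, which a CGI running as "nobody" calls instead of being granted a general sudo rule), as an added example that is not IPFire's own code: it accepts only the two read-only unbound-control subcommands, defaults to stats_noreset so the counters are not cleared, discards the caller's environment and executes a fixed path. The unbound-control path and the install mode (4750, owner root, group nobody) are assumptions.

```c
/* Added example, not IPFire's misc-progs code: a minimal setuid-root
 * helper so the web UI user can read unbound statistics without sudo.
 * Assumed install: chown root:nobody, chmod 4750 (only nobody may run it). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed path; the thread does not say where unbound-control lives. */
#define UNBOUND_CONTROL "/usr/sbin/unbound-control"

/* Read-only subcommands only; everything else is refused outright. */
static const char *const allowed[] = { "stats", "stats_noreset", NULL };

/* Returns 1 if sub is on the allowlist, 0 otherwise (NULL is refused). */
int allowed_subcommand(const char *sub) {
    if (sub == NULL) return 0;
    for (const char *const *p = allowed; *p != NULL; p++)
        if (strcmp(*p, sub) == 0) return 1;
    return 0;
}

/* Decides what the helper will run: no argument means stats_noreset
 * (counters are kept), one allowlisted argument is passed through,
 * anything else (extra arguments, unknown subcommand) yields NULL. */
const char *select_subcommand(int argc, char *argv[]) {
    if (argc < 2) return "stats_noreset";
    if (argc > 2) return NULL;
    return allowed_subcommand(argv[1]) ? argv[1] : NULL;
}

int main(int argc, char *argv[]) {
    const char *sub = select_subcommand(argc, argv);
    if (sub == NULL) {
        fprintf(stderr, "usage: unbound-stats-helper [stats|stats_noreset]\n");
        return 2;
    }
    /* Become root for real (not only effective) so unbound-control can
     * read unbound_control.pem; fails with EPERM if the setuid bit is
     * missing, which is the safe outcome. */
    if (setuid(0) != 0) { perror("setuid"); return 1; }
    /* Fixed argv and a fresh environment: nothing the web server passes
     * (PATH, LD_PRELOAD, ...) reaches the privileged child. */
    char *const cmd[] = { UNBOUND_CONTROL, (char *)sub, NULL };
    char *const env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    execve(UNBOUND_CONTROL, cmd, env);
    perror("execve");
    return 1;
}
```

From the Perl CGI this is then just a backtick call of the helper with no arguments, and the output parsed as before.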