Module: check_mk
Branch: master
Commit: d738e9f339af59b6939e92f0305eef4886c523b3
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=d738e9f339af59…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Jul 30 09:53:48 2014 +0200
#1068 livedump: Added optional check interval (detect staleness) / option to encrypt mails
Added a new option "-i" to livedump to make the check_interval of the hosts / services
configurable. When this is set the staleness detection on the destination system works.
Added option to use AES encrypted messages with livedump-mail-fetch. Added a short
documentation to the livedump README for details.
---
.werks/1068 | 12 +++++++
ChangeLog | 1 +
doc/treasures/livedump/README | 29 +++++++++++++++++
doc/treasures/livedump/livedump | 24 +++++++++++---
doc/treasures/livedump/livedump-mail-fetch | 48 ++++++++++++++++++++++++----
5 files changed, 103 insertions(+), 11 deletions(-)
diff --git a/.werks/1068 b/.werks/1068
new file mode 100644
index 0000000..8487e94
--- /dev/null
+++ b/.werks/1068
@@ -0,0 +1,12 @@
+Title: livedump: Added optional check interval (detect staleness) / option to encrypt mails
+Level: 1
+Component: checks
+Version: 1.2.5i6
+Date: 1406706675
+Class: feature
+
+Added a new option "-i" to livedump to make the check_interval of the hosts / services
+configurable. When this is set the staleness detection on the destination system works.
+
+Added option to use AES encrypted messages with livedump-mail-fetch. Added a short
+documentation to the livedump README for details.
diff --git a/ChangeLog b/ChangeLog
index 9316b4d..45698d8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@
Checks & Agents:
* 0185 knuerr_rms_humidity, knuerr_rms_temp: Two new Checks to Monitor the Temperature and the Humidity on Knürr RMS Devices
* 1065 heartbeat_crm / heartbeat_crm.resources: Rewrote checks / formalized parameters...
+ * 1068 livedump: Added optional check interval (detect staleness) / option to encrypt mails...
* 1051 FIX: tcp_conn_stats: fix missing performance data...
* 1142 FIX: winperf_ts_sessions: fix computation, check has never really worked
diff --git a/doc/treasures/livedump/README b/doc/treasures/livedump/README
index 3f478ab..eac5c43 100644
--- a/doc/treasures/livedump/README
+++ b/doc/treasures/livedump/README
@@ -67,3 +67,32 @@ Make sure that all columns are prefixed with host_ in these.
If you are using this is in conjunction with NSCA transport and do not
wish to transfer the templated configuration, you can use the filter
to only export services that have "obsess_over_service = 1" set.
+
+Encrypted Transport (E-Mail)
+----------------------------
+When you use mail to transport the output of livedump. For example with this
+command:
+
+livedump | mail -s "status" lm(a)mathias-kettner.de
+
+You can extend this mechanism to make the contents (not the whole message)
+be encrypted. This can be reached by different ways, we use an AES encryption
+with a preshared key here.
+
+First you need openssl on the sending site. Then you need a file which first line
+contains the preshared key which will be used to encrypt the data. Then you need
+to first send the livedump data to openssl to let it encrypt it and forward it to
+the mail command afterwards.
+
+livedump | openssl aes-256-cbc -a -kfile /path/to/my/preshared-key-file | mail -s "status" lm(a)mathias-kettner.de
+
+Please ensure that the permissions to the preshared key file are as limited as
+possible. Everyone who has access to an email and the key can decrypt it.
+
+This command should turn the mail contents in a block of cryptic characters when
+you take a look at the generated mail in your mail client.
+
+Now you need to configure the receiving side. We use the script "livedump-mail-fetch"
+here. To make it able to handle the encrypted message, you need to set the variable
+encrypt to hold your preshared key as string. All incoming mails will then be decrypted
+beforce being processed.
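Review bot: The section documents `openssl aes-256-cbc` with a preshared key, which gives confidentiality only: CBC carries no integrity check, so the receiver cannot tell a tampered or wrongly keyed mail from a valid one. The text should say so, or the pipeline should add a MAC or signature over the ciphertext. The receiving-side paragraph also tells the reader to put the key as a string into livedump-mail-fetch, but the permission warning is given only for the sender's key file; the same warning belongs there. Minor: "beforce" in the last added line should read "before", and the first added sentence ("When you use mail to transport the output of livedump.") is a fragment.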
diff --git a/doc/treasures/livedump/livedump b/doc/treasures/livedump/livedump
index 8feb977..443b9a6 100755
--- a/doc/treasures/livedump/livedump
+++ b/doc/treasures/livedump/livedump
@@ -30,6 +30,10 @@ import os, sys, getopt, livestatus, tempfile, time
check_mk_version = '(inofficial)'
def dump_templates():
+ check_interval = ""
+ if opt_check_interval != None:
+ check_interval = "check_interval %d" % opt_check_interval
+
sys.stdout.write("""
define host {
name livedump-host
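Review bot: In the added `if opt_check_interval != None:` use `is not None`, the idiomatic identity test for None. dump_templates() now also depends on the module-level `opt_check_interval`, which is only assigned near the bottom of the script; passing the interval in as a parameter would make that dependency explicit.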
@@ -37,7 +41,7 @@ define host {
register 0
active_checks_enabled 0
passive_checks_enabled 1
-
+ %s
}
define service {
@@ -46,6 +50,7 @@ define service {
active_checks_enabled 0
passive_checks_enabled 1
check_period 0x0
+ %s
}
define command {
@@ -57,7 +62,7 @@ define timeperiod {
timeperiod_name 0x0
alias Never ever
}
-""")
+""" % (check_interval, check_interval))
def encode_row(row):
for key, val in row.items():
@@ -257,6 +262,12 @@ def usage():
This header is also used in service queries.
-S, --service-header H add header H to service queries (usually Filter: ...)
+ -i, --interval assume this check interval for hosts/services. This is
+ used in nagios config definition "check_interval".
+ Will be used for staleness checks on the server. This
+ option is only used when dumping the config together
+ with templates (-C -T).
+
-v, --verbose output debug information an stderr
--debug do not catch Python exceptions
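Review bot: The added help line `-i, --interval` shows no argument placeholder, unlike `-S, --service-header H` just above it, so the reader cannot tell that a value is expected. Suggest `-i, --interval N` and stating the unit: Nagios interprets check_interval in multiples of interval_length (60 seconds by default), not in seconds.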
@@ -277,11 +288,11 @@ def print_version():
# | Main entry point, getopt, etc. |
# '----------------------------------------------------------------------'
-short_options = 'hVvc:H:S:O:TCMG'
-long_options = [ "help", "version", "verbose", "debug", "socket=",
+short_options = 'hVvc:H:S:O:TCMGi:s:'
+long_options = [ "help", "version", "verbose", "debug", "socket=",
"host-header=", "host-only-header=", "service-header=",
"dump-templates", "config", "state", "mark-mode",
- "include-groups" ]
+ "include-groups", "interval" ]
opt_verbose = False
opt_debug = False
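Review bot: The long option is registered as `"interval"` without a trailing `=`, so getopt treats `--interval` as taking no argument: `--interval=5` is rejected and a bare `--interval` hands an empty string to `int(a)`. It should be `"interval="`, matching `"socket="` and the header options. The short option string also gains `s:`, but no handler or usage text for `-s` appears in this patch; drop it or add the missing branch.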
@@ -292,6 +303,7 @@ opt_host_only_headers = ""
opt_service_headers = ""
opt_dump_templates = False
opt_groups = False
+opt_check_interval = None
try:
opts, args = getopt.getopt(sys.argv[1:], short_options, long_options)
@@ -328,6 +340,8 @@ for o,a in opts:
opt_mark_mode = True
elif o in [ '-G', '--include-groups' ]:
opt_groups = True
+ elif o in [ '-i', '--interval' ]:
+ opt_check_interval = int(a)
# Main modes
try:
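Review bot: `opt_check_interval = int(a)` raises ValueError on a non-numeric argument, and nothing in the visible lines catches it, so the user gets a traceback instead of a usage error. Catch the ValueError, print the usage hint and exit non-zero, and reject zero or negative values, which make no sense as a check_interval.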
diff --git a/doc/treasures/livedump/livedump-mail-fetch b/doc/treasures/livedump/livedump-mail-fetch
index d3b8f7f..e88b89f 100755
--- a/doc/treasures/livedump/livedump-mail-fetch
+++ b/doc/treasures/livedump/livedump-mail-fetch
@@ -27,6 +27,15 @@ pop_pass = "secretpassword"
# By default the mail body is treated to be encoded as "quoted-printable".
# In the other case no decoding is not performed.
encoding = "quoted-printable"
+# By default the mails are not decrypted. If you configure a string here
+# it is assumed to be the preshared key to decrypt the AES encrypted mails.
+encrypt = None
+
+if encrypt:
+ from base64 import b64decode
+ from Crypto import Random
+ from Crypto.Hash import MD5
+ from Crypto.Cipher import AES
M = poplib.POP3_SSL(pop_server)
M.user(pop_user)
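Review bot: `from Crypto import Random` is imported but never used anywhere in this patch; remove it. The variable name `encrypt` is misleading for something that holds the preshared key and is only used for decryption; a name along the lines of `preshared_key` would read better. Since the key now sits in the script next to `pop_pass`, the comment should remind the admin to restrict read access to this file, or the key should be read from a separate file as on the sending side.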
@@ -39,6 +48,27 @@ numMessages = len(M.list()[1])
status_mails = []
config_mails = []
+# This decrypts mail bodies generated with openssl. e.g. with this command:
+# openssl aes-256-cbc -a -kfile /path/to/my/preshared-key-file
+def decrypt(body):
+ encrypted = b64decode(body)
+ salt = encrypted[8:16]
+ data = encrypted[16:]
+
+ # Need 32 bytes for the key and 16 bytes for the IV
+ def openssl_kdf(req):
+ prev = ''
+ while req>0:
+ prev = MD5.new(prev+encrypt+salt).digest()
+ req -= 16
+ yield prev
+ mat = ''.join([ x for x in openssl_kdf(32+16) ])
+ key = mat[0:32]
+ iv = mat[32:48]
+
+ dec = AES.new(key, AES.MODE_CBC, iv)
+ return dec.decrypt(data)
+
pattern = re.compile(r"^Subject: (.*)")
for i in range(numMessages):
for header_lines in M.top(i + 1, 0)[1]:
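Review bot: decrypt() returns the raw output of `dec.decrypt(data)`, which still carries the PKCS#7 padding that openssl appends, so one to sixteen padding bytes end up at the end of the written config or check result. Strip and validate the padding before returning. The function also skips `encrypted[0:8]` without checking that it is the `Salted__` header and does not check that `data` is a non-empty multiple of 16 bytes, so an unencrypted or truncated mail either raises inside PyCrypto or decrypts to garbage. Worth a comment as well that this key derivation is a single MD5 pass over password and salt, so the preshared key must be long and random.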
@@ -59,10 +89,13 @@ if config_mails:
mail_index, ident = config_mails[-1]
code, mail, num = M.retr(mail_index)
body_start_index = mail.index('')
+ body = '\n'.join(mail[body_start_index:])
+
+ if encrypt:
+ body = decrypt(body)
+
if encoding == 'quoted-printable':
- body = quopri.decodestring('\n'.join(mail[body_start_index:]))
- else:
- body = '\n'.join(mail[body_start_index:])
+ body = quopri.decodestring(body)
file("%s/etc/nagios/conf.d/remote-%s.cfg" %
(omd_root, ident), "w").write(body)
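Review bot: The decoding order is reversed: `decrypt(body)` runs before `quopri.decodestring(body)`. Quoted-printable is the mail transfer encoding, applied on top of the base64 ciphertext, so it has to be undone first; as written, the quoted-printable decoder runs over the decrypted plaintext, where any `=` followed by two hex digits in the config is turned into a single byte. Decode the transfer encoding first, then decrypt. The result is also written straight to `remote-%s.cfg` with no check that decryption produced a plausible config.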
@@ -71,10 +104,13 @@ if status_mails:
for index in status_mails:
code, mail, code = M.retr(index)
body_start_index = mail.index('')
+ body = '\n'.join(mail[body_start_index:])
+
+ if encrypt:
+ body = decrypt(body)
+
if encoding == 'quoted-printable':
- body = quopri.decodestring('\n'.join(mail[body_start_index:]))
- else:
- body = '\n'.join(mail[body_start_index:])
+ body = quopri.decodestring(body)
fd, path = tempfile.mkstemp('', 'c', "%s/tmp/nagios/checkresults" % omd_root)
os.write(fd, body)
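Review bot: Inside the `for index in status_mails:` loop `decrypt(body)` is called without any error handling, so a single malformed or unencrypted mail raises and stops processing of all remaining mails. Catch the failure per mail, log it and continue. Because CBC gives no authentication, a mail encrypted with a different key does not fail cleanly either: it decrypts to random bytes that are then written into the checkresults directory, so validate the decrypted body (or verify a MAC) before `os.write(fd, body)`. Here too decrypt() runs before quopri.decodestring(); the transfer encoding should be removed first.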
Module: check_mk
Branch: master
Commit: 967caa6012f6194a317b0ca4c4095ac4b2cb957a
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=967caa6012f619…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jul 29 15:21:44 2014 +0200
#1067 FIX Fixed login problem in LDAP connector when no user filter specified
The 1.2.5i5 release introduced a bug which prevents user logins when the
LDAP configuration does not have an LDAP user filter set. If you encounter this
problem either update to this release or set a user filter to prevent the
exception.
---
.werks/1067 | 12 ++++++++++++
ChangeLog | 1 +
web/plugins/userdb/ldap.py | 2 +-
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/.werks/1067 b/.werks/1067
new file mode 100644
index 0000000..0eb0eaf
--- /dev/null
+++ b/.werks/1067
@@ -0,0 +1,12 @@
+Title: Fixed login problem in LDAP connector when no user filter specified
+Level: 2
+Component: multisite
+Class: fix
+State: unknown
+Version: 1.2.5i6
+Date: 1406640020
+
+The 1.2.5i5 released introduced a bug which prevents user logins when the
+LDAP configured does not has a LDAP user filter set. If you encounter this
+problem either update to this release or set a user filter to prevent the
+exception.
diff --git a/ChangeLog b/ChangeLog
index 3e7cdc6..9316b4d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,7 @@
Multisite:
* 1066 Implemented Dashboard Designer...
+ * 1067 FIX: Fixed login problem in LDAP connector when no user filter specified...
WATO:
* 1064 FIX: Fixed rare issue with WATO communication in distributed setups (different OS versions)...
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 3cf8883..e4ec3e7 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -475,7 +475,7 @@ def ldap_get_user(username, no_escape = False):
result = ldap_search(
ldap_replace_macros(config.ldap_userspec['dn']),
'(&(%s=%s)%s)' % (ldap_user_id_attr(), ldap.filter.escape_filter_chars(username),
- config.ldap_userspec['filter']),
+ config.ldap_userspec.get('filter', '')),
[ldap_user_id_attr()],
)
Module: check_mk
Branch: master
Commit: e605b7f8fc92cd99d5e314ccd9d7d62115bab9e6
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=e605b7f8fc92cd…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jul 29 13:04:42 2014 +0200
#1066 Implemented Dashboard Designer
This change implements the long awaited Dashboard Designer. With this feature users
can edit existing dashboards, create new ones and provide their dashboards to other
users just like it can be done with the views.
Another nice feature is the formalized context we introduced for views and dashboards.
With this concept it is possible to create a host specific dashboard once and open
it for several different hosts. You can create an "Oracle Database dashboard" once
which can show you the state of a single database server. The name of the database
server (context: hostname) of your choice can be provided when accessing the dashboard
to "instantiate" such a dashboard.
Dashboards edited by users are saved in <tt>var/check_mk/web/USER/user_dashboards.mk</tt>
just like edited views are now saved in <tt>var/check_mk/web/USER/user_views.mk</tt>. The
views saved by a user before this release which are stored in <tt>var/check_mk/web/USER/views.mk</tt>
will be migrated automatically once the user edits its first view. From this time the
new edited views will be read/written from/to the new file.
For details take a look at the <a href="/checkmk_multisite_dashboards.html">dashboard documentation</a>.
---
.werks/1066 | 25 +++++++++++++++++++++++++
ChangeLog | 3 +++
2 files changed, 28 insertions(+)
diff --git a/.werks/1066 b/.werks/1066
new file mode 100644
index 0000000..0682ef7
--- /dev/null
+++ b/.werks/1066
@@ -0,0 +1,25 @@
+Title: Implemented Dashboard Designer
+Level: 3
+Component: multisite
+Version: 1.2.5i6
+Date: 1406631300
+Class: feature
+
+This change implements the long awaited Dashboard Designer. With this feature users
+can edit existing dashboards, create new ones and provide their dashboards to other
+users just like it can be done with the views.
+
+Another nice feature is the formalized context we introduced for views and dashboards.
+With this concept it is possible to create a host specific dashboard once and open
+it for several different hosts. You can create a "Oracle Database dashboard" once
+which can show you the state of a single database server. The name of the database
+server (context: hostname) of your choice can be provided when accessing the dashboard
+to "instanciate" such a dashboard.
+
+Dashboards edited by users are saved in <tt>var/check_mk/web/USER/user_dashboards.mk</tt>
+just like edited views are now saved in <tt>var/check_mk/web/USER/user_views.mk</tt>. The
+views saved by a user before this release which are stored in <tt>var/check_mk/web/USER/views.mk</tt>
+will be migrated automatically once the user edits it's first view. From this time the
+new edited views will be read/written from/to the new file.
+
+For details take a look at the <a href="/checkmk_multisite_dashboards.html">dashboard documentation</a>.
diff --git a/ChangeLog b/ChangeLog
index bd20700..3e7cdc6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,9 @@
* 1051 FIX: tcp_conn_stats: fix missing performance data...
* 1142 FIX: winperf_ts_sessions: fix computation, check has never really worked
+ Multisite:
+ * 1066 Implemented Dashboard Designer...
+
WATO:
* 1064 FIX: Fixed rare issue with WATO communication in distributed setups (different OS versions)...
* 1089 FIX: Snapshot restore: fixed exception during exception handling......
Module: check_mk
Branch: master
Commit: b6ec6428f3d7954815abdce01737305ed20ec844
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=b6ec6428f3d795…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jul 29 11:36:44 2014 +0200
#1065 heartbeat_crm / heartbeat_crm.resources: Rewrote checks / formalized parameters
Both checks heartbeat_crm and heartbeat_crm.resources nailed down the resources / DC to
the node which held the resources / DC during inventory. This was not fitting most users'
requirements and has been changed. By default the node currently holding the resources / DC
does not matter anymore as long as they are held by at least one node.
If you like to change this behaviour back to the old default, you need to configure the
inventory rule <tt>Heartbeat CRM Inventory</tt> and re-run an inventory on the affected
hosts.
Already inventorized checks should continue working as they did before. The change only
affects newly inventorized services.
Two new WATO rules <tt>Heartbeat CRM general status</tt> and <tt>Heartbeat CRM resource status</tt>
have been added to make the parameters of these checks configurable.
---
.werks/1065 | 21 ++++++
ChangeLog | 1 +
checkman/heartbeat_crm | 26 +++----
checkman/heartbeat_crm.resources | 12 +--
checks/heartbeat_crm | 137 ++++++++++++++++++++--------------
web/plugins/wato/check_parameters.py | 83 ++++++++++++++++++++
6 files changed, 201 insertions(+), 79 deletions(-)
Diff: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=b6ec6428f3…