netmond-2.2-b6-port This document describe additions & changes relatively original netmon-2.2-b6 source code. ################################################################## SrcAddress patch ################################################################## Sometimes you need explisitly set source IP address for packets ejected to some host from multihoming (or multialiasing) host. For example: - you need to check host accessability via predefined route, not matching default route for this host. - remote host can have "strange" configured packet filters so only specific IP addresses accepted. - traffic priority settings exits somethere on trace to host. This may impact network managenment traffic while some channels overloaded. Added directive "SrcAddress" in global context and in object contest. In global context this directive explisitly set source IP address for all objects when source IP not defined inside this object definition. If no directive specified, default source address 0.0.0.0 assigned. Inside object definition this directive set source IP address for this object only. All IP packets ejected to this host have this source address. When nowhere directive specified, the programm behave like before patch applying. Example: SrcAddress "192.168.2.1" Object "somehost" { Address "192.168.1.2" SrcAddress "192.168.1.1" .................... } Flaws: No preliminary IP address validity check applied. So until first packet processed you can't to know IP address mistaken. NetState server can't report source IP addresses for objects. ################################################################## UID-GID-ChRoot Patch ################################################################## For save methods PIPE or FILE in some cases need to fork daugther process. Usally, "netmond" working under "root" privrleges, so daugther processes will have "root" privrleges too. This is unsecure. Directives "UserName" "GroupName" "ChrootDir" added in global context. When used this directives, before daugther process launching (after 'fork' but before 'exec') "chroot" syscall performed for specified directory ( if no direcive - no "chroot") and process GID, UID changes. By default, no chroot performed, UserName = netmon, GroupName = netmon. Example: UserName "nobody" GroupName "nogroup" ChRootDir "/var/netmon" However you can set UserName=root GroupName=wheel if needed. ################################################################## NetState BindAddress Patch ################################################################## Sometimes you need explicitly set IP address to bind for NetState server. Directive "BindAddress" added in "Port" context. Example: Port 3333 { BindAddress "192.168.1.1" ............ } Or: NetState { Port 3333 BindAddress "192.168.1.1" } By default, NetState expect incoming TCP connection on all local addresses. ################################################################## Trap Patch ################################################################## Sometimes you need explicitly set IP Address to accept incoming SNMP traps on. Direcive "TrapBindAddress" added in global context. Example: TrapBindAddress "192.168.1.1" By default, trap collector expect incoming SNMP traps on all local addresses. ################################################################## PID-file all the time is written to /var/run/netmond.pid ################################################################## Possibility added to use russian letters in NetState requests and regular expressions. ################################################################## Object multiple states ################################################################## With this patch applied, the object have more states: UP DEGRADED WARNING DOWN NONE. (before was only UP DOWN NONE states) Object falls to DOWN state when ALL object checking "Methods" fall. DEGRADED state mean that some object "Methods" fall, but some finished successfully. WARNING state mean, that any slave subobject (interface, service, BGP peer, ENVMON, etc.) are not in UP|NORMAL|ESTABLISHED state. ################################################################## Method WHEN ################################################################## Like in saving method WHEN, you can define logical expression, format for resulting string and timeout. If logical expression would evaluated as TRUE all the times during timeout, this method falls. As a result, variable 'OBJECT!methodname' became eqiual to evaluated resulting string. The object falls to DEGRADED state. Example: Пример: Method "CPU_alarm" { When "$LoadAve > 20" 300 "Attention! LoadAve too much! ($LoadAve)" } The main goal of this method - to change (sub)object state when performance thresholds exceeded. Attention! Variables used here have to be mined by other methods. ################################################################## Method PIPE ################################################################## Work like TCP checking method. But instead of tcp port for remote host, you have to define 'programm' name. This programm executed locally. You can use CHAT script statements, like in TCP method. From inside the 'programm' chat messages arrive on STDIN, and the results have to be written to STDOUT. On startup, programm supplied by argument string, defined in method call statement. Additionally, environment variables OBJECT_NAME, OBJECT_ADDRESS are preset. If explicitly defined in config file, variables OBJECT_SRC_ADDRESS, OBJECT_DATADIR are preset two. Example: ..................... Method "CheckSSL" { Pipe "/usr/local/bin/check_ssl.pl" Timeout 3 ChatScript { Expect "verify" Send "GET /\n\r\n\r" Expect "" } } ................ /usr/local/bin/check_ssl.pl: #!/usr/bin/perl # $addr = $ENV{"OBJECT_ADDRESS"}; if ($ARGV[0] ) { $port = $ARGV[0]; } else { $port ="443"; } $SIG{TERM} = sub { close PRGR; close PRGW; close STDIN; close STDOUT; kill $main::pid; exit(0); }; use FileHandle; use IPC::Open2; $main::pid=open2(PRGR,PRGW,"/usr/bin/openssl s_client -quiet -ssl3 -connect $addr:$port"); $_=; print PRGW $_; while (){ print $_; } close STDOUT; exit 0; Every time checking interval elapsed only ONE 'programm' launch retry take place. When chat messges exchnage finished, pipe socket closed, and 'programm' notified by SIGTERM signal. The goal of this method - to check complex services, while simple TCP method can not be used and impossible to use RSH or other text based protocols on remote side. The 'programm' launches with privileges defined globally with directives UserName GroupName. If directive ChRootDir defined, chroot to this directory take place before run. ################################################################## Interfce index number limit expanded up to INT_MAX. So, for MS Windows servers you can write Interface 65539 { } Thanks to Artemiy Kropachev ################################################################## Default config file = /usr/local/etc/netmond.conf