Merge branch 'unbound-monitoring' into 'master'

__unbound_exporter: prometheus exporter for unbound See merge request ungleich-public/cdist-contrib!8
2020-07-20 07:49:43 +02:00 · 2020-07-20 07:49:43 +02:00 · c3a7e62953
commit c3a7e62953
parent 10ccc77803 4ff703e6aa
15 changed files with 218 additions and 10 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,4 +1,6 @@
 # cdist-contrib changes
 * 2020-06-07: New type: __unbound_exporter (Timothée Floure)
 * 2020-06-07: Extended type: wire remote control configuration for __unbond (Timothée Floure)
 * 2020-06-03: New type: __unbound (Timothée Floure)
 * 2020-04-28: New type: __find_exec (Ander Punnar)
--- a/scripts/run-shellcheck.sh
+++ b/scripts/run-shellcheck.sh
@ -15,7 +15,7 @@ check () {
 }
 check -path "*/explorer/*"
-check -path "*/files/*"
+check -path "*/files/*.sh"
 check -name manifest
 check -name gencode-local
 check -name gencode-remote
--- a/type/__unbound/files/unbound.conf.sh
+++ b/type/__unbound/files/unbound.conf.sh
@ -857,14 +857,14 @@ python:
 remote-control:
 	# Enable remote control with unbound-control(8) here.
 	# set up the keys and certificates with unbound-control-setup.
-	# control-enable: no
+	control-enable: $RC_ENABLE
 	# what interfaces are listened to for remote control.
 	# give 0.0.0.0 and ::0 to listen to all interfaces.
 	# set to an absolute path to use a unix local name pipe, certificates
 	# are not used for that, so key and cert files need not be present.
 	# control-interface: 127.0.0.1
-	# control-interface: ::1
+	control-interface: $RC_INTERFACE
 	# port number for remote control operations.
 	# control-port: 8953
@ -874,16 +874,16 @@ remote-control:
 	# control-use-cert: "yes"
 	# unbound server key file.
-	# server-key-file: "/unbound_server.key"
+	server-key-file: "$RC_SERVER_KEY_FILE"
 	# unbound server certificate file.
-	# server-cert-file: "/unbound_server.pem"
+	server-cert-file: "$RC_SERVER_CERT_FILE"
 	# unbound-control key file.
-	# control-key-file: "/unbound_control.key"
+	control-key-file: "$RC_CONTROL_KEY_FILE"
 	# unbound-control certificate file.
-	# control-cert-file: "/unbound_control.pem"
+	control-cert-file: "$RC_CONTROL_CERT_FILE"
 # Stub zones.
 # Create entries like below, to make all queries for 'example.com' and
--- a/type/__unbound/gencode-remote
+++ b/type/__unbound/gencode-remote
@ -0,0 +1,16 @@
 #!/bin/sh
 UNBOUND_CERTS_DIR=/etc/unbound
 if [ -f "$__object/parameter/enable_rc" ]; then
 	echo "unbound-control-setup -d $UNBOUND_CERTS_DIR"
 	echo "chown unbound:unbound $UNBOUND_CERTS_DIR/*.pem $UNBOUND_CERTS_DIR/*.key"
 fi
 cat << EOF
 if pgrep unbound; then
 	service unbound reload
 else
 	service unbounb start
 fi
 EOF
--- a/type/__unbound/man.rst
+++ b/type/__unbound/man.rst
@ -31,6 +31,9 @@ access_control
  but localhost is refused by default), can be provided multiple times. The
  format is described in unbound.conf(5).
 rc_interface
  Address or path to socket used for remote control (see `--enable_control`. Defaults to `127.0.0.1`).
 BOOLEAN PARAMETERS
 ------------------
 disable-ip4
@ -41,6 +44,9 @@ disable-ip6
  Do not answer or issue queries over IPv6. Cannot be used alongside the
  `--disable-ip4` flag.
 enable_rc
  Enable remote control (see `unbound-control(8)`).
 EXAMPLES
 --------
--- a/type/__unbound/manifest
+++ b/type/__unbound/manifest
@ -49,6 +49,11 @@ if [ -f "$__object/parameter/access_control" ]; then
   export ACCESS_CONTROLS
 fi
 if [ -f "$__object/parameter/rc_interface" ]; then
   RC_INTERFACE=$(cat "$__object/parameter/rc_interface")
   export RC_INTERFACE
 fi
 # Boolean parameters:
 if [ -f "$__object/parameter/disable_ip4" ] && \
   [ -f "$__object/parameter/disable_ip6" ]; then
@ -68,6 +73,18 @@ else
    export DO_IP6='yes'
 fi
 if [ -f "$__object/parameter/enable_rc" ]; then
    export RC_ENABLE='yes'
 else
    export RC_ENABLE='no'
 fi
 # Certs for remote control:
 export RC_SERVER_KEY_FILE='/etc/unbound/unbound_server.key'
 export RC_SERVER_CERT_FILE='/etc/unbound/unbound_server.pem'
 export RC_CONTROL_KEY_FILE='/etc/unbound/unbound_control.key'
 export RC_CONTROL_CERT_FILE='/etc/unbound/unbound_control.pem'
 # Generate and deploy configuration files.
 source_file="$__object/files/unbound.conf"
 target_file="/etc/unbound/unbound.conf"
@ -78,6 +95,3 @@ require="__package/unbound" __file "$target_file" \
    --source "$source_file" \
    --owner root \
    --mode 644
 # Restart unbound server after reconfiguration.
 require="__file/$target_file" __service unbound --action restart
--- a/type/__unbound/parameter/boolean
+++ b/type/__unbound/parameter/boolean
@ -1,2 +1,3 @@
 disable_ip6
 disable_ip4
 enable_rc
--- a/type/__unbound/parameter/default/rc_interface
+++ b/type/__unbound/parameter/default/rc_interface
@ -0,0 +1 @@
 127.0.0.1
--- a/type/__unbound/parameter/optional
+++ b/type/__unbound/parameter/optional
@ -0,0 +1 @@
 rc_interface
--- a/type/__unbound_exporter/files/openrc-service
+++ b/type/__unbound_exporter/files/openrc-service
@ -0,0 +1,12 @@
 #!/sbin/openrc-run
 name=$RC_SVCNAME
 command="/usr/local/bin/unbound_exporter"
 command_args=""
 command_user="unbound"
 command_background="yes"
 pidfile="/var/run/$RC_SVCNAME.pid"
 depend() {
        need unbound
 }
--- a/type/__unbound_exporter/gencode-remote
+++ b/type/__unbound_exporter/gencode-remote
@ -0,0 +1,46 @@
 #!/bin/sh -e
 #
 # 2020 Timothée Floure (timothee.floure@ungleich.ch)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 upstream=https://github.com/wish/unbound_exporter/archive
 version=$(cat "$__object/parameter/version")
 release="unbound_exporter-$version"
 cat << EOF
 if command -v unbound_exporter
 then
    # already installed - ignoring.
    echo "Nothing to do -"
 else
    # Initialize working directory
    workdir=\$(mktemp -d)
    cd \$workdir
    # Download and extract sources for requested release.
    curl -L $upstream/v$version.tar.gz --output $release.tar.gz
    tar xf $release.tar.gz
    # Build and install binary.
    cd $release
    go build
    install -m755 unbound_exporter /usr/local/bin/
    # Clean up!
    rm -r \$workdir
 fi
 EOF
--- a/type/__unbound_exporter/man.rst
+++ b/type/__unbound_exporter/man.rst
@ -0,0 +1,63 @@
 cdist-type__unbound_exporter(7)
 ===============================
 NAME
 ----
 cdist-type__unbound_exporter - A prometheus exporter for unbound
 DESCRIPTION
 -----------
 Simple Prometheus metrics exporter for the Unbound DNS
 resolver. It leverages the unbound remote control endpoint
 and exposes metrics on port 9167.
 REQUIRED PARAMETERS
 -------------------
 version
  unbound_exporter release to be used.
 OPTIONAL PARAMETERS
 -------------------
 None.
 BOOLEAN PARAMETERS
 ------------------
 None.
 EXAMPLES
 --------
 .. code-block:: sh
    __unbound \
      --interface '::0' \
      --forward_addr '2a0a:e5c0:2:1::5' \
      --forward_addr '2a0a:e5c0:2:1::6' \
      --access_control '::0/0 deny' \
      --access_control '2a0a:e5c0::/29 allow' \
      --access_control '2a09:2940::/29 allow' \
      --disable_ip4 \
      --enable_rc \
      --rc_interface '::1'
    __unbound_exporter --version 0.1.3
 SEE ALSO
 --------
 :strong:`cdist-type__unbound(7)`
 AUTHORS
 -------
 Timothée Floure <timothee.floure@ungleich.ch>
 COPYING
 -------
 Copyright \(C) 2020 Timothée Floure. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/type/__unbound_exporter/manifest
+++ b/type/__unbound_exporter/manifest
@ -0,0 +1,45 @@
 #!/bin/sh -e
 #
 # 2020 Timothée Floure (timothee.floure@ungleich.ch)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 os=$(cat "$__global/explorer/os")
 case "$os" in
    alpine)
        # Used in gencode-remote.
        __package curl
        __package tar
        __package openssl
        __package go
        __package libc-dev
        ;;
    *)
        printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2
        printf "Please contribute an implementation for it if you can.\n" >&2
        exit 1
        ;;
 esac
 __file /etc/init.d/unbound_exporter \
    --source "$__type/files/openrc-service" \
    --mode 755
 require="__file/etc/init.d/unbound_exporter" __service unbound_exporter --action start
 require="__file/etc/init.d/unbound_exporter" __start_on_boot unbound_exporter
--- a/type/__unbound_exporter/parameter/required
+++ b/type/__unbound_exporter/parameter/required
@ -0,0 +1 @@
 version
--- a/type/__unbound_exporter/singleton
+++ b/type/__unbound_exporter/singleton