Merge branch 'unbound-monitoring' into 'master'

__unbound_exporter: prometheus exporter for unbound

See merge request ungleich-public/cdist-contrib!8
fnux 2020-07-20 07:49:43 +02:00
commit c3a7e62953
15 changed files with 218 additions and 10 deletions


@ -1,4 +1,6 @@
# cdist-contrib changes # cdist-contrib changes
* 2020-06-07: New type: __unbound_exporter (Timothée Floure)
* 2020-06-07: Extended type: wire remote control configuration for __unbond (Timothée Floure)
* 2020-06-03: New type: __unbound (Timothée Floure) * 2020-06-03: New type: __unbound (Timothée Floure)
* 2020-04-28: New type: __find_exec (Ander Punnar) * 2020-04-28: New type: __find_exec (Ander Punnar)


@ -15,7 +15,7 @@ check () {
} }
check -path "*/explorer/*" check -path "*/explorer/*"
check -path "*/files/*" check -path "*/files/*.sh"
check -name manifest check -name manifest
check -name gencode-local check -name gencode-local
check -name gencode-remote check -name gencode-remote
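Review bot: Narrowing the `files/` pattern to `*/files/*.sh` means any extensionless shell payload under a type's `files/` directory is no longer passed to `check`, and nothing in the script records why. If the intent is to skip non-shell payloads such as config templates and init scripts, a comment above the line would say so, e.g. `# files/ also holds non-shell payloads; only lint *.sh there`. The body of `check` starts outside this hunk, so what it runs on each match is not visible here.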


@ -857,14 +857,14 @@ python:
remote-control: remote-control:
# Enable remote control with unbound-control(8) here. # Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup. # set up the keys and certificates with unbound-control-setup.
# control-enable: no control-enable: $RC_ENABLE
# what interfaces are listened to for remote control. # what interfaces are listened to for remote control.
# give 0.0.0.0 and ::0 to listen to all interfaces. # give 0.0.0.0 and ::0 to listen to all interfaces.
# set to an absolute path to use a unix local name pipe, certificates # set to an absolute path to use a unix local name pipe, certificates
# are not used for that, so key and cert files need not be present. # are not used for that, so key and cert files need not be present.
# control-interface: 127.0.0.1 # control-interface: 127.0.0.1
# control-interface: ::1 control-interface: $RC_INTERFACE
# port number for remote control operations. # port number for remote control operations.
# control-port: 8953 # control-port: 8953
@ -874,16 +874,16 @@ remote-control:
# control-use-cert: "yes" # control-use-cert: "yes"
# unbound server key file. # unbound server key file.
# server-key-file: "/unbound_server.key" server-key-file: "$RC_SERVER_KEY_FILE"
# unbound server certificate file. # unbound server certificate file.
# server-cert-file: "/unbound_server.pem" server-cert-file: "$RC_SERVER_CERT_FILE"
# unbound-control key file. # unbound-control key file.
# control-key-file: "/unbound_control.key" control-key-file: "$RC_CONTROL_KEY_FILE"
# unbound-control certificate file. # unbound-control certificate file.
# control-cert-file: "/unbound_control.pem" control-cert-file: "$RC_CONTROL_CERT_FILE"
# Stub zones. # Stub zones.
# Create entries like below, to make all queries for 'example.com' and # Create entries like below, to make all queries for 'example.com' and
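Review bot: `control-interface: $RC_INTERFACE` makes the control listener address operator-settable, but `control-use-cert` stays commented out a few lines below, so certificate authentication on that channel rests on unbound's built-in default rather than on this template. Since the surrounding comments say `0.0.0.0` and `::0` are accepted values, I would pin it explicitly with `control-use-cert: "yes"` next to the key and certificate lines. The key and certificate file lines are now emitted even when `control-enable` is `no`, which looks harmless but deserves a one-line comment.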

16
type/__unbound/gencode-remote Executable file

@ -0,0 +1,16 @@
#!/bin/sh
UNBOUND_CERTS_DIR=/etc/unbound
if [ -f "$__object/parameter/enable_rc" ]; then
echo "unbound-control-setup -d $UNBOUND_CERTS_DIR"
echo "chown unbound:unbound $UNBOUND_CERTS_DIR/*.pem $UNBOUND_CERTS_DIR/*.key"
fi
cat << EOF
if pgrep unbound; then
service unbound reload
else
service unbounb start
fi
EOF
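Review bot: The `else` branch emits `service unbounb start`, a typo for `unbound`, so a stopped resolver is never started by this code; it should read `service unbound start`. Separately, `pgrep unbound` matches on a substring of the process name, so a running `unbound_exporter` (added in this same commit) would satisfy the test while the resolver itself is down; `if pgrep -x unbound >/dev/null; then` avoids that and the PID noise on stdout. The reload is also emitted on every cdist run, not only when the configuration changed.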


@ -31,6 +31,9 @@ access_control
but localhost is refused by default), can be provided multiple times. The but localhost is refused by default), can be provided multiple times. The
format is described in unbound.conf(5). format is described in unbound.conf(5).
rc_interface
Address or path to socket used for remote control (see `--enable_control`. Defaults to `127.0.0.1`).
BOOLEAN PARAMETERS BOOLEAN PARAMETERS
------------------ ------------------
disable-ip4 disable-ip4
@ -41,6 +44,9 @@ disable-ip6
Do not answer or issue queries over IPv6. Cannot be used alongside the Do not answer or issue queries over IPv6. Cannot be used alongside the
`--disable-ip4` flag. `--disable-ip4` flag.
enable_rc
Enable remote control (see `unbound-control(8)`).
EXAMPLES EXAMPLES
-------- --------


@ -49,6 +49,11 @@ if [ -f "$__object/parameter/access_control" ]; then
export ACCESS_CONTROLS export ACCESS_CONTROLS
fi fi
if [ -f "$__object/parameter/rc_interface" ]; then
RC_INTERFACE=$(cat "$__object/parameter/rc_interface")
export RC_INTERFACE
fi
# Boolean parameters: # Boolean parameters:
if [ -f "$__object/parameter/disable_ip4" ] && \ if [ -f "$__object/parameter/disable_ip4" ] && \
[ -f "$__object/parameter/disable_ip6" ]; then [ -f "$__object/parameter/disable_ip6" ]; then
@ -68,6 +73,18 @@ else
export DO_IP6='yes' export DO_IP6='yes'
fi fi
if [ -f "$__object/parameter/enable_rc" ]; then
export RC_ENABLE='yes'
else
export RC_ENABLE='no'
fi
# Certs for remote control:
export RC_SERVER_KEY_FILE='/etc/unbound/unbound_server.key'
export RC_SERVER_CERT_FILE='/etc/unbound/unbound_server.pem'
export RC_CONTROL_KEY_FILE='/etc/unbound/unbound_control.key'
export RC_CONTROL_CERT_FILE='/etc/unbound/unbound_control.pem'
# Generate and deploy configuration files. # Generate and deploy configuration files.
source_file="$__object/files/unbound.conf" source_file="$__object/files/unbound.conf"
target_file="/etc/unbound/unbound.conf" target_file="/etc/unbound/unbound.conf"
@ -78,6 +95,3 @@ require="__package/unbound" __file "$target_file" \
--source "$source_file" \ --source "$source_file" \
--owner root \ --owner root \
--mode 644 --mode 644
# Restart unbound server after reconfiguration.
require="__file/$target_file" __service unbound --action restart
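Review bot: The four `RC_*_FILE` exports hard-code `/etc/unbound/...`, while `gencode-remote` in this commit keeps its own `UNBOUND_CERTS_DIR=/etc/unbound`, so the directory that `unbound-control-setup -d` writes to and the paths the config points at are defined in two places. A comment on the export block such as `# must match UNBOUND_CERTS_DIR in gencode-remote` would keep them from drifting apart. If they do drift, the resolver would be configured with key paths that were never generated.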


@ -1,2 +1,3 @@
disable_ip6 disable_ip6
disable_ip4 disable_ip4
enable_rc


@ -0,0 +1 @@
127.0.0.1


@ -0,0 +1 @@
rc_interface


@ -0,0 +1,12 @@
#!/sbin/openrc-run
name=$RC_SVCNAME
command="/usr/local/bin/unbound_exporter"
command_args=""
command_user="unbound"
command_background="yes"
pidfile="/var/run/$RC_SVCNAME.pid"
depend() {
need unbound
}
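Review bot: `command_args=""` starts the exporter on its built-in defaults, so the address the metrics endpoint binds to and the control endpoint and certificate paths it uses are all implicit. The type's man page in this commit says metrics are exposed on port 9167; if the default bind is all interfaces (not visible here), resolver statistics become readable by anything that can reach the host. I would pass the listen address and the certificate paths explicitly in `command_args`, fed from type parameters, and set `output_log`/`error_log` so that start-up failures of the backgrounded process are visible.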


@ -0,0 +1,46 @@
#!/bin/sh -e
#
# 2020 Timothée Floure (timothee.floure@ungleich.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
upstream=https://github.com/wish/unbound_exporter/archive
version=$(cat "$__object/parameter/version")
release="unbound_exporter-$version"
cat << EOF
if command -v unbound_exporter
then
# already installed - ignoring.
echo "Nothing to do -"
else
# Initialize working directory
workdir=\$(mktemp -d)
cd \$workdir
# Download and extract sources for requested release.
curl -L $upstream/v$version.tar.gz --output $release.tar.gz
tar xf $release.tar.gz
# Build and install binary.
cd $release
go build
install -m755 unbound_exporter /usr/local/bin/
# Clean up!
rm -r \$workdir
fi
EOF
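Review bot: The generated code downloads `$upstream/v$version.tar.gz`, builds it and installs the result into `/usr/local/bin` with no integrity check on the archive, so whatever the URL serves at run time ends up as an executable on the resolver host. I would add a checksum parameter and verify it before `tar xf`, and use `curl -f` so an HTTP error page is not saved as the tarball. The generated block also has no `set -e`, so a failed `cd` or download falls through to the later steps, and `command -v unbound_exporter` means a changed `--version` never triggers a reinstall. The `sha256` parameter name below is only a suggestion.

```shell
# … unchanged: license header, upstream/version/release assignments …
sha256=$(cat "$__object/parameter/sha256")  # suggested new required parameter

cat << EOF
# … unchanged: "already installed" branch …
else
	set -e
	workdir=\$(mktemp -d)
	cd "\$workdir"

	curl -fL "$upstream/v$version.tar.gz" --output "$release.tar.gz"
	echo "$sha256  $release.tar.gz" | sha256sum -c -
	tar xf "$release.tar.gz"
	# … unchanged: build, install, clean up …
fi
EOF
```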

View file

@ -0,0 +1,63 @@
cdist-type__unbound_exporter(7)
===============================
NAME
----
cdist-type__unbound_exporter - A prometheus exporter for unbound
DESCRIPTION
-----------
Simple Prometheus metrics exporter for the Unbound DNS
resolver. It leverages the unbound remote control endpoint
and exposes metrics on port 9167.
REQUIRED PARAMETERS
-------------------
version
unbound_exporter release to be used.
OPTIONAL PARAMETERS
-------------------
None.
BOOLEAN PARAMETERS
------------------
None.
EXAMPLES
--------
.. code-block:: sh
__unbound \
--interface '::0' \
--forward_addr '2a0a:e5c0:2:1::5' \
--forward_addr '2a0a:e5c0:2:1::6' \
--access_control '::0/0 deny' \
--access_control '2a0a:e5c0::/29 allow' \
--access_control '2a09:2940::/29 allow' \
--disable_ip4 \
--enable_rc \
--rc_interface '::1'
__unbound_exporter --version 0.1.3
SEE ALSO
--------
:strong:`cdist-type__unbound(7)`
AUTHORS
-------
Timothée Floure <timothee.floure@ungleich.ch>
COPYING
-------
Copyright \(C) 2020 Timothée Floure. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.


@ -0,0 +1,45 @@
#!/bin/sh -e
#
# 2020 Timothée Floure (timothee.floure@ungleich.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
os=$(cat "$__global/explorer/os")
case "$os" in
alpine)
# Used in gencode-remote.
__package curl
__package tar
__package openssl
__package go
__package libc-dev
;;
*)
printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
esac
__file /etc/init.d/unbound_exporter \
--source "$__type/files/openrc-service" \
--mode 755
require="__file/etc/init.d/unbound_exporter" __service unbound_exporter --action start
require="__file/etc/init.d/unbound_exporter" __start_on_boot unbound_exporter
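Review bot: `__service unbound_exporter --action start` only requires the init script, while the binary it launches is installed by this type's `gencode-remote`. If I read cdist's ordering right, objects declared in a manifest are realised before the parent's generated code runs, so on a first run the service start would be attempted with no `/usr/local/bin/unbound_exporter` in place. Emitting `service unbound_exporter start` from `gencode-remote` after the `install` line would close that gap. Installing `go` and `libc-dev` on the resolver purely to build the exporter also leaves a compiler toolchain on a network-facing host; that deserves a comment in the `alpine)` branch or a follow-up that removes the packages after the build.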


@ -0,0 +1 @@
version
