OPNsense Forum
Archive => 18.1 Legacy Series => Topic started by: BillySilver on April 24, 2018, 05:48:45 am
-
Trying to integrate some simple service status checks for a nagios server. I found a guide for configuring these for pfsense, but it revolves around the commandline utility pfSsh.php, which OPNsense apparently does not have.
I found the request for an alternative tool on GitHub (https://github.com/opnsense/core/issues/412 (https://github.com/opnsense/core/issues/412)), and i discovered 'configctl', but these don't cut it. When I try to do 'configctl openssh status', it tells me "Action not found", and indeed it is not found under /usr/local/opnsense/service/conf/actions.d.
But why not? What is so hard about having a simple 'service openssh status' command to check its status? How is the GUI checking the status of openssh behind the scenes, and how can I run that behind the scenes myself?
In the example here (https://forum.opnsense.org/index.php?topic=2085.0), apparently you can run 'configctl proxy status' and are supposed to get the status info, but for me it just says "Cannot 'status' squid. Set squid_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'". There is no /etc/rd.conf file, but there is a /etc/rc.conf.d/squid/squid file that has squid_enable="NO", however.
So is the only way to do this to create an /etc/rc.conf.d/openssh.conf file with "enabled=YES" in it? This doesn't make sense, since openssh is already running at boot, so why does the commandline say it's not running?
Why is this so complicated??
-
Hi,
configctl will only work with MVC code base, not the legacy stuff from pfSense. So this is most of the plugins and some stuff in core. I'm not really sure why you are complaining about that why it's so hard to do X and Y. You want to use Nagios, the montioring tool which makes most of the work. ;)
So if I was you I'd use nrpe and check against the process name if running of not. This is really the easiest way to do and work with all UNIX systems, no matter if pfsense, OPNsense, Debian or whatever.
-
Underneath it all, it is simple.
# service openssh onestatus
openssh is running as pid 52248.
The issue is that everything else around it is too complex, over a decade of code history, migration efforts, different people with different tastes etc. and never enough time to make it perfect. :)
Cheers,
Franco
-
We have a number of nagios scripts checking everything from logs over config to CARP status/GW groups etc.
They are not in a state where there is much documentation outside of code comments, but they are Nagios compatible and use nrpe. If anyone is interested maybe they can be turned into something more.
-
We could create a nrpe plugin with predefined checks. Should be easy ...
-
We use Centreon frontend; here some quick screenshot of the output
-
More.
-
Long time ago i once had to configure a setup with Nagios+OPNsense, where nrpe2 was used + encryption to do NAGIOS checks on the OPNsense Firewall. If you want i can search in my Forum history and i may find something useful. :) I even made a post back then, because it was so hard to configure it so there is proof somewhere.
--> nrpe2 plugin is already existing... but not with predefined checks indeed. You have to "craft" them yourself.
-
Underneath it all, it is simple.
# service openssh onestatus
openssh is running as pid 52248.
When I run this, it tells me Cannot 'status' openssh. Set openssh_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status' but 1) there is no /etc/rc.conf (there is an /etc/rc.conf.d/ with what appear to be conf files), and 2) openssh must already be enabled on boot b/c it says its running in the GUI (and I'm ssh'ing to the firewall to run this command.
I've heard of NRPE, but I wanted to do agentless monitoring of my devices for the sake of centralization. But this post isn't supposed to be about nagios monitoring, it's supposed to be about why OPNsense services say one thing in CLI and another in GUI. And also why on every other Linux box running an OpenVPN server I can check its status with init.d/systemd but can't seem to do so on OPNsense...
-
And also why on every other Linux box running an OpenVPN server I can check its status with init.d/systemd but can't seem to do so on OPNsense...
Because underneat is a FreeBSD; it is not Linux.
Not sure how the gui does service checks; possibly through configd. Digging through the source should give you the command the gui uses. Alternatively you could do a good old ps aux | grep..
-
It's either looking for the daemon name or it knows the pid file, e.g.: https://github.com/opnsense/core/blob/master/src/etc/inc/plugins.inc.d/core.inc#L41
On "status" vs. "onestatus", the first one requires use of the FreeBSD rc subsystem, the second one doesn't.
Former projects did not include the rc subsystem use in their work, but we did. If you have the web proxy running it's:
# service squid status
So while we try to clean this up for all use, cleaning this up means:
a) possible breakage of perfectly fine features for no reason
b) less work done on new features
Over the years, people said that a) and b) are not their most favourite things of the project so we try to balance reworks and new features.
Cheers,
Franco
-
Because underneat is a FreeBSD; it is not Linux.
Oh, I had thought FreeBSD was just a flavor of Linux- no wonder...
And Franco - I understand your point. If it ain't broke, don't fix it. And thanks for the link to the source code, I think I can write a plugin that uses the pid file to help record service status.