bundles/wireguard: one icinga2 check per peer
Some checks failed
bundlewrap/pipeline/head There was a failure building this commit
parent
3ab39f9ede
commit
67d8293201
2 changed files with 44 additions and 52 deletions
|
@ -2,54 +2,35 @@
|
||||||
|
|
||||||
from datetime import datetime
|
from datetime import datetime
|
||||||
from subprocess import check_output
|
from subprocess import check_output
|
||||||
from sys import exit
|
from sys import argv, exit
|
||||||
|
|
||||||
|
INTERFACE = argv[1]
|
||||||
|
PUBKEY = argv[2]
|
||||||
|
|
||||||
|
NOW = datetime.timestamp(datetime.now())
|
||||||
|
|
||||||
# get wireguard interface names
|
|
||||||
try:
|
try:
|
||||||
interfaces = check_output(['wg', 'show', 'interfaces']).split()
|
result = check_output(['wg', 'show', INTERFACE, 'latest-handshakes']).decode('utf-8').splitlines()
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
print('UNKNOWN: ' + repr(e))
|
print('UNKNOWN: {}'.format(repr(e)))
|
||||||
exit(3)
|
exit(3)
|
||||||
|
|
||||||
if len(interfaces) == 0:
|
found_key = False
|
||||||
print('CRITICAL: no wireguard interfaces found!')
|
|
||||||
exit(0)
|
|
||||||
|
|
||||||
now = datetime.timestamp(datetime.now())
|
|
||||||
warn = set()
|
|
||||||
critical = set()
|
|
||||||
|
|
||||||
for interface in interfaces:
|
|
||||||
try:
|
|
||||||
result = check_output(['wg', 'show', interface, 'latest-handshakes']).decode('utf-8').split('\n')
|
|
||||||
except Exception as e:
|
|
||||||
critical.add('{}: {}'.format(interface, repr(e)))
|
|
||||||
continue
|
|
||||||
|
|
||||||
for line in result:
|
for line in result:
|
||||||
if len(line) == 0:
|
|
||||||
continue
|
|
||||||
|
|
||||||
pubkey, last_handshake = line.split()
|
pubkey, last_handshake = line.split()
|
||||||
overdue = now - int(last_handshake) - 120
|
|
||||||
|
|
||||||
if overdue > 15:
|
if pubkey == PUBKEY:
|
||||||
critical.add('{}: {} is more than 120 seconds late'.format(interface, pubkey))
|
overdue = NOW - int(last_handshake) - 120
|
||||||
elif overdue > 120:
|
|
||||||
warn.add('{}: {} is more than 15 seconds late'.format(interface, pubkey))
|
|
||||||
|
|
||||||
|
if overdue > 120:
|
||||||
for line in sorted(critical):
|
print('handshake is more than 120 seconds late!')
|
||||||
print(line)
|
|
||||||
|
|
||||||
for line in sorted(warn):
|
|
||||||
print(line)
|
|
||||||
|
|
||||||
|
|
||||||
if len(critical):
|
|
||||||
exit(2)
|
exit(2)
|
||||||
elif len(warn):
|
elif overdue > 15:
|
||||||
|
print('handshake is more than 15 seconds late.')
|
||||||
exit(1)
|
exit(1)
|
||||||
else:
|
else:
|
||||||
print('OK')
|
print('received handshake a couple seconds ago')
|
||||||
exit(0)
|
exit(0)
|
||||||
|
|
||||||
|
print('CRITICAL: {} not found in latest handshakes for {}'.format(PUBKEY, INTERFACE))
|
||||||
|
exit(2)
|
||||||
|
|
|
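Review bot: `INTERFACE = argv[1]` and `PUBKEY = argv[2]` sit outside the `try`, so a call with fewer than two arguments ends in an uncaught IndexError; Python exits with status 1 in that case, which Icinga reports as WARNING rather than UNKNOWN. Guard before the assignments, for example `if len(argv) != 3:` followed by `print('UNKNOWN: usage: check_wireguard_connected INTERFACE PUBKEY')` and `exit(3)`. The same exit-status problem applies to `pubkey, last_handshake = line.split()`, which raises ValueError on any line that does not have exactly two fields now that the empty-line skip has been removed. `found_key = False` is assigned but never read in the visible lines and can be dropped.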
@ -12,15 +12,6 @@ defaults = {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
'icinga2_api': {
|
|
||||||
'wireguard': {
|
|
||||||
'services': {
|
|
||||||
'WIREGUARD CONNECTED': {
|
|
||||||
'command_on_monitored_host': 'sudo /usr/local/share/icinga/plugins/check_wireguard_connected',
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
'iptables': {
|
'iptables': {
|
||||||
'bundle_rules': {
|
'bundle_rules': {
|
||||||
'wireguard': [
|
'wireguard': [
|
||||||
|
@ -83,3 +74,23 @@ def get_my_wireguard_peers(metadata):
|
||||||
'peers': peers,
|
'peers': peers,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@metadata_reactor
|
||||||
|
def icinga2(metadata):
|
||||||
|
services = {}
|
||||||
|
|
||||||
|
for peer, config in metadata.get('wireguard/peers', {}).items():
|
||||||
|
services[f'WIREGUARD CONNECTION {peer}'] = {
|
||||||
|
'command_on_monitored_host': 'sudo /usr/local/share/icinga/plugins/check_wireguard_connected wg0 {}'.format(
|
||||||
|
config['pubkey'],
|
||||||
|
),
|
||||||
|
}
|
||||||
|
|
||||||
|
return {
|
||||||
|
'icinga2_api': {
|
||||||
|
'wireguard': {
|
||||||
|
'services': services,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
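Review bot: In the new `icinga2` reactor, `config['pubkey']` is formatted unquoted into `command_on_monitored_host`, a string that begins with `sudo`; if that string is passed through a shell on the monitored host (not visible here), a metadata value containing whitespace or shell metacharacters would change what runs as root. WireGuard public keys are base64 and harmless in practice, but `shlex.quote(config['pubkey'])` makes that independent of where the metadata comes from; it needs `from shlex import quote` at the top of the file, which is outside the hunk. The interface is hard-coded as `wg0`, so the check would query the wrong device on a node whose interface is named differently. The plugin took no arguments before this commit, so the sudoers rule that permits it (not part of this page) has to allow the two new arguments, preferably without a wildcard that admits arbitrary ones.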