[Xymon] execute a command from server (browser) on a client

Ralph Mitchell ralphmitchell at gmail.com
Fri Jul 5 07:13:08 CEST 2013


On Jul 4, 2013 10:58 PM, "Jeremy Laidman" <jlaidman at rebel-it.com.au> wrote:
>
> On 5 July 2013 07:44, Ralph Mitchell <ralphmitchell at gmail.com> wrote:
>>
>> You should be very careful about how you validate this kind of
>> automation.  The client should probably do some kind of verification, and
>> use canned scripts rather than just running any command handed to it.
>
>
> Yes.  With ssh, authorized_keys can force a particular command to run,
> rather than let an attacker dictate what gets executed.

I was thinking more of having restart scripts that vary from one machine to
another. E.g. on one server just restart apache, on another perhaps clear
cache and tmp files first. Xymon doesn't need to care about that.
>
>>
>>   For example:
>>
>> xymon adds to client-local.cfg for server1:   restartapache:`date +%s`
>
>
> This is ingenious.  However it should be noted that it can take quite
> some time for changes in client-local.cfg to be actioned on the client.
> Expect a 10-15 minute delay between the change to client-local.cfg and
> when the cron task picks it up - and that's if it runs every minute.

I already noted the delay. The action check script doesn't need to run from
cron every minute. It can be hung on the end of the xymonclient.sh, to
execute right after the local.cfg has been received when the client data
message has been sent.

> It would be more responsive for the client cron task to just query the
> status from the server every minute, and act accordingly.  Something like:
>
> #!/usr/lib/xymon/client/bin/xymoncmd /bin/sh
> $XYMON $XYMSRV "query $MACHINE.http" | grep ^green >/dev/null || sudo service httpd restart
> $XYMON $XYMSRV "query $MACHINE.smtp" | grep ^green >/dev/null || sudo service postfix restart

I've swapped out the client's xymon binary with a script that delivers the
status report via secure https using curl posting to xymoncgimsg. I get
back the local.cfg, but I haven't tried a query like that, though.

>
> This kind of automated restart can get you into a bit of trouble, so
> should be used with caution.  The last thing you want is a stack of
> run-away tasks that end up consuming all memory and CPU resources.  A
> change to make this a manually-triggered process might be for the client
> cron task to look for a disabled/acknowledged status using xymondboard, and
> detect when a special keyword (eg "!!RESTART!!") is entered into the
> disable/ack message.  Something like this:
>

The original poster asked about getting the Xymon gui to initiate restarts.
I threw in the timestamp as a way to limit multiple retries. When the
client sees the restart message it can query a CGI on the Xymon server to
see if the action still needs to be taken. The CGI can look in Xymon and see
the current color. If it's green, then the answer is no. If red, do the
restart, if blue, answer no because maybe the service is supposed to be
down.

I think there would be less traffic that way.

> #!/usr/lib/xymon/client/bin/xymoncmd /bin/sh
> RESPONSE=`$XYMON $XYMSRV "xymondboard host=$MACHINE test=http color=blue fields=lastchange,dismsg" | grep '!!RESTART!!' | cut -d"|" -f1`
> [ `expr 0$RESPONSE + 60` -gt `date +%s` ] && sudo service httpd restart
>
> This gets the status time for the host and test, but only if it's blue
> (disabled) and only if it contains the '!!RESTART!!' keyword.  The status
> time is compared to the current time and if within 60 seconds, runs the
> restart command.
>
> J
>

Ralph Mitchell
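
Added example, not part of the original thread or of Xymon: a client-side check for the `restartapache:<timestamp>` request discussed above, which only ever resolves to a canned script and uses the timestamp to refuse stale or repeated requests. The names `check_action`, `ACTION_DIR`, `STATE_DIR` and `MAX_AGE`, the paths, and the 1800-second window are assumptions made for the sketch.

```shell
#!/bin/sh
# Added example. ACTION_DIR, STATE_DIR, MAX_AGE and check_action are
# assumptions made for this sketch, not Xymon settings or functions.
ACTION_DIR=${ACTION_DIR:-/usr/local/lib/xymon-actions}  # canned scripts, one per action
STATE_DIR=${STATE_DIR:-/var/tmp/xymon-actions}          # last timestamp handled per action
MAX_AGE=${MAX_AGE:-1800}                                # seconds a request stays valid

# check_action LINE [NOW]
# Prints the canned script path and returns 0 only if LINE is "name:epoch",
# the name maps to an executable file in ACTION_DIR, and the timestamp is
# not in the future, not older than MAX_AGE, and newer than the last one handled.
check_action() {
    line=$1
    now=${2:-$(date +%s)}
    case $line in *:*) ;; *) return 1 ;; esac
    action=${line%%:*}
    stamp=${line#*:}
    # Letters and digits only: no slashes, dots or shell metacharacters.
    case $action in ''|*[!a-z0-9]*) return 1 ;; esac
    # Plain decimal epoch, no leading zero, at most 10 digits.
    case $stamp in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#stamp}" -le 10 ] || return 1
    script=$ACTION_DIR/$action
    [ -f "$script" ] && [ -x "$script" ] || return 1
    [ "$stamp" -le "$now" ] || return 1
    [ $((now - stamp)) -le "$MAX_AGE" ] || return 1
    last=0
    if [ -f "$STATE_DIR/$action" ]; then last=$(cat "$STATE_DIR/$action"); fi
    case $last in ''|*[!0-9]*) last=0 ;; esac
    [ "$stamp" -gt "$last" ] || return 1
    # Record the timestamp before running, so a failing script is not retried.
    mkdir -p "$STATE_DIR" && echo "$stamp" > "$STATE_DIR/$action" || return 1
    printf '%s\n' "$script"
}

# Called with a request line as $1, run the matching canned script.
if [ $# -gt 0 ]; then
    script=$(check_action "$1") && exec "$script"
fi
```

Because the request only selects a script name, what a restart actually does on each machine stays in that machine's own script under `ACTION_DIR`, which should be writable by root only.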