<div dir="ltr">On 5 July 2013 07:44, Ralph Mitchell <span dir="ltr"><<a href="mailto:ralphmitchell@gmail.com" target="_blank">ralphmitchell@gmail.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><div>You should be very careful about how you validate this kind of automation. The client should probably do some kind of verification, and use canned scripts rather than just running any command handed to it.</div>
</div></div></blockquote><div><br></div><div>Yes. With ssh, authorized_keys can force a particular command to run, rather than let an attacker dictate what gets executed.</div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr"><div><div> For example:<br>
<br></div><div>xymon adds to client-local.cfg for server1: restartapache:`date+%s`<br></div></div></div></blockquote><div><br></div><div>This is ingenious. However it should be noted that it can take quite some time for changes in client-local.cfg to be actioned on the client. Expect a 10-15 minute delay between the change to client-local.cfg and when the cron task picks it up - and that's if it runs every minute.</div>
<div><br></div><div>It would be more responsive for the client cron task to just query the status from the server every minute, and act accordingly. Something like:</div><div><br></div><div>#!/usr/lib/xymon/client/bin/xymoncmd /bin/sh</div>
<div><div>$XYMON $XYMSRV "query $MACHINE.http" | grep ^green >/dev/null || sudo service httpd restart</div></div><div><div>$XYMON $XYMSRV "query $MACHINE.smtp" | grep ^green >/dev/null || sudo service postfix restart</div>
</div><div><br></div><div>This kind of automated restart can get you into a bit of trouble, so should be used with caution. The last thing you want is a stack of run-away tasks that end up consuming all memory and CPU resources. A change to make this a manually-triggered process might be for the client cron task to look for a disabled/acknowledged status using xymondboard, and detect when a special keyword (eg "!!RESTART!!") is entered into the disable/ack message. Something like this:</div>
<div><br></div><div><div>#!/usr/lib/xymon/client/bin/xymoncmd /bin/sh</div><div>RESPONSE=`$XYMON $XYMSRV "xymondboard host=$MACHINE test=http color=blue fields=lastchange,dismsg" | grep '!!RESTART!!' | cut -d"|" -f1`</div>
<div>[ `expr 0$RESPONSE + 60` -gt `date +%s` ] && sudo service httpd restart</div><div><br></div><div>This gets the status time for the host and test, but only if it's blue (disabled) and only if it contains the '!!RESTART!!' keyword. The status time is compared to the current time and if within 60 seconds, runs the restart command.</div>
<div><br></div><div>J</div></div><div><br></div></div></div></div>