From e7a1d738c9c95ff059fbaeff107d91a2e1742f8e Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 1 Mar 2011 21:56:22 +0100 Subject: add egd-management We can now run hosts with a key in the host mode, so it will provide entropy to other hosts. Furthermore we can define clients that will collect entropy from such a host. --- files/ekeyd.conf | 89 +++++++++++++++++++++++++++++++++++++++++++++ files/ekeyd.conf.daemon | 90 ++++++++++++++++++++++++++++++++++++++++++++++ manifests/base.pp | 13 ++++--- manifests/client.pp | 13 +++++++ manifests/client/base.pp | 3 ++ manifests/client/centos.pp | 7 ++++ manifests/egd.pp | 17 +++++++++ manifests/host.pp | 10 ++++++ manifests/host/base.pp | 15 ++++++++ manifests/host/centos.pp | 6 ++++ 10 files changed, 259 insertions(+), 4 deletions(-) create mode 100644 files/ekeyd.conf create mode 100644 files/ekeyd.conf.daemon create mode 100644 manifests/client.pp create mode 100644 manifests/client/base.pp create mode 100644 manifests/client/centos.pp create mode 100644 manifests/egd.pp create mode 100644 manifests/host.pp create mode 100644 manifests/host/base.pp create mode 100644 manifests/host/centos.pp diff --git a/files/ekeyd.conf b/files/ekeyd.conf new file mode 100644 index 0000000..76a36f1 --- /dev/null +++ b/files/ekeyd.conf 
@@ -0,0 +1,89 @@
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself. The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy"
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links (on GNU/Linux operating systems).
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys"
+-- On OpenBSD/MirBSD you will probably need to use something like this
+-- instead (match the device minor (here: 0) with the ucom(4) instance
+-- your umodem(4) device attaches to):
+-- AddEntropyKey "/dev/cuaU0"
diff --git a/files/ekeyd.conf.daemon b/files/ekeyd.conf.daemon
new file mode 100644
index 0000000..0b1bcb4
--- /dev/null
+++ b/files/ekeyd.conf.daemon
@@ -0,0 +1,90 @@
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+-- SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself. The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+EGDTCPSocket(8888, "0.0.0.0")
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy"
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links (on GNU/Linux operating systems).
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys" +-- On OpenBSD/MirBSD you will probably need to use something like this +-- instead (match the device minor (here: 0) with the ucom(4) instance +-- your umodem(4) device attaches to): +-- AddEntropyKey "/dev/cuaU0" diff --git a/manifests/base.pp b/manifests/base.pp index e4d572d..24494f4 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -4,15 +4,20 @@ class ekeyd::base { ensure => installed, } + file{'/etc/entropykey/ekeyd.conf': + source => 'puppet:///modules/ekeyd/ekeyd.conf', + require => Package['ekeyd'], + notify => Service['ekeyd'], + owner => root, group => 0, mode => 0644; + } service{'ekeyd': ensure => running, enable => true, - require => Package['ekeyd'], } exec{'configure_ekey_key': - command => "ekey-rekey `ekeydctl list | grep \"/dev/entropykey\" | awk -F, '{ print \$5}'` ${ekey_masterkey}", - unless => "ekeydctl list | grep -q 'Running OK'", - require => Service['ekeyd'], + command => "ekey-rekey `ekeydctl list | grep \"/dev/entropykey\" | awk -F, '{ print \$5}'` ${ekey_masterkey}", + unless => "ekeydctl list | grep -q 'Running OK'", + require => Service['ekeyd'], } } diff --git a/manifests/client.pp b/manifests/client.pp new file mode 100644 index 0000000..89fd253 --- /dev/null +++ b/manifests/client.pp @@ -0,0 +1,13 @@ +class ekeyd::client { + if !$ekeyd_host { fail("\$ekeyd_host is not set for $fqdn") } + case $operatingsystem { + centos: { include ekeyd::client::centos } + default: { include ekeyd::client::base } + } + + if $use_shorewall { + class{'shorewall::rules::out::ekeyd': + ekeyd_host => $ekeyd_host, + } + } +} diff --git a/manifests/client/base.pp b/manifests/client/base.pp new file mode 100644 index 0000000..411b7ee --- /dev/null +++ b/manifests/client/base.pp @@ -0,0 +1,3 @@ +class ekeyd::client::base { + include ekeyd::egd +} diff --git a/manifests/client/centos.pp b/manifests/client/centos.pp new file mode 100644 index 0000000..b9328bb --- /dev/null +++ b/manifests/client/centos.pp 
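Review bot: `EGDTCPSocket(8888, "0.0.0.0")` in ekeyd.conf.daemon binds the EGD feed on every interface, and the EGD protocol has no authentication and runs in the clear, so any peer that can reach port 8888 can drain the key's entropy or read the very bytes a client is about to credit into its kernel pool. The only restriction this change adds is `shorewall::rules::ekeyd`, and that is applied only when `$use_shorewall` is set; with it unset the socket is simply open. Bind to the address the clients actually use (`EGDTCPSocket(8888, "<internal address>")`), or make the bind address a parameter of the file, and add a comment stating that a host firewall limiting 8888 to the client hosts is required. Since the sample text just above says the default is 127.0.0.1, the wider bind deserves a one-line comment explaining why.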
@@ -0,0 +1,7 @@ +class ekeyd::client::centos inherits ekeyd::client::base { + file{'/etc/sysconfig/egd-linux': + content => "DAEMON_HOST=${ekeyd_host}\n", + notify => Service['egd-linux'], + owner => root, group => 0, mode => 0644; + } +} diff --git a/manifests/egd.pp b/manifests/egd.pp new file mode 100644 index 0000000..8a7da6f --- /dev/null +++ b/manifests/egd.pp @@ -0,0 +1,17 @@ +class ekeyd::egd { + package{'ekeyd-egd-linux': + ensure => present, + before => Service['egd-linux'], + } + + service{'egd-linux': + enable => true, + ensure => running, + } + + if $use_shorewall { + Service['egd-linux']{ + require => Service['shorewall'], + } + } +} diff --git a/manifests/host.pp b/manifests/host.pp new file mode 100644 index 0000000..6b8dd1a --- /dev/null +++ b/manifests/host.pp @@ -0,0 +1,10 @@ +class ekeyd::host inherits ekeyd { + case $operatingsystem { + centos: { include ekeyd::host::centos } + default: { include ekeyd::host::base } + } + + if $use_shorewall { + include shorewall::rules::ekeyd + } +} diff --git a/manifests/host/base.pp b/manifests/host/base.pp new file mode 100644 index 0000000..ec8525b --- /dev/null +++ b/manifests/host/base.pp @@ -0,0 +1,15 @@ +class ekeyd::host::base inherits ekeyd::base { + sysctl::value{'kernel.random.write_wakeup_threshold': + value => 1024 + } + + File['/etc/entropykey/ekeyd.conf']{ + source => 'puppet:///modules/ekeyd/ekeyd.conf.daemon', + } + + Service['ekeyd']{ + before => Service['egd-linux'], + } + + include ekeyd::egd +} diff --git a/manifests/host/centos.pp b/manifests/host/centos.pp new file mode 100644 index 0000000..d989d55 --- /dev/null +++ b/manifests/host/centos.pp @@ -0,0 +1,6 @@ +class ekeyd::host::centos inherits ekeyd::host::base { + file{'/etc/sysconfig/egd-linux': + ensure => 'absent', + notify => Service['egd-linux'], + } +} -- cgit v1.2.3 From bd9fa966f4bbd46693548a95d818adb3dc8ef3eb Mon Sep 17 00:00:00 2001 
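Review bot: `content => "DAEMON_HOST=${ekeyd_host}\n"` in client/centos.pp writes the host value unquoted into /etc/sysconfig/egd-linux, which the egd-linux init script presumably sources as shell, so a value containing whitespace or shell metacharacters would be interpreted rather than passed on. The value comes from the manifests rather than from the node, so the exposure is small, but single-quoting it (`content => "DAEMON_HOST='${ekeyd_host}'\n",`) or validating it as a hostname/IP before writing costs nothing. Note also that host/centos.pp in the same commit declares the same `/etc/sysconfig/egd-linux` path with `ensure => 'absent'`, so a node that is ever given both ekeyd::client::centos and ekeyd::host::centos will fail the catalog with a duplicate declaration; a comment on one of the two stating that they are mutually exclusive would prevent that surprise.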
From: mh Date: Tue, 1 Mar 2011 22:35:45 +0100 Subject: do host stuff and set key with parametrized classes, but work around a bug in puppet regarding parametrized classes --- manifests/base.pp | 2 +- manifests/host.pp | 10 ---------- manifests/init.pp | 17 +++++++++++++++-- 3 files changed, 16 insertions(+), 13 deletions(-) delete mode 100644 manifests/host.pp diff --git a/manifests/base.pp b/manifests/base.pp index 24494f4..94907ba 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -16,7 +16,7 @@ class ekeyd::base { } exec{'configure_ekey_key': - command => "ekey-rekey `ekeydctl list | grep \"/dev/entropykey\" | awk -F, '{ print \$5}'` ${ekey_masterkey}", + command => "ekey-rekey `ekeydctl list | grep \"/dev/entropykey\" | awk -F, '{ print \$5}'` ${ekeyd::ekey_masterkey}", unless => "ekeydctl list | grep -q 'Running OK'", require => Service['ekeyd'], } diff --git a/manifests/host.pp b/manifests/host.pp deleted file mode 100644 index 6b8dd1a..0000000 --- a/manifests/host.pp +++ /dev/null @@ -1,10 +0,0 @@ -class ekeyd::host inherits ekeyd { - case $operatingsystem { - centos: { include ekeyd::host::centos } - default: { include ekeyd::host::base } - } - - if $use_shorewall { - include shorewall::rules::ekeyd - } -} diff --git a/manifests/init.pp b/manifests/init.pp index 8ef05d2..83ee949 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,7 +1,20 @@ -class ekeyd { +class ekeyd( + $ekey_host = false, + $ekey_masterkey +){ if $ekeyd_key_present != 'true' { fail("Can't find an ekey key plugged into usb on ${fqdn}") } - if !$ekey_masterkey { fail("You need to define \$ekey_masterkey for ${fqdn}") } include ekeyd::base + + if $ekey_host { + case $operatingsystem { + centos: { include ekeyd::host::centos } + default: { include ekeyd::host::base } + } + + if $use_shorewall { + include shorewall::rules::ekeyd + } + } } -- cgit v1.2.3 From 56a1d47b3e72c2acf83894ea12a944c604b1c094 Mon Sep 17 00:00:00 2001 
From: mh Date: Tue, 1 Mar 2011 22:40:43 +0100 Subject: also do the client with a parametrized class and cleanup/finish the host part --- manifests/base.pp | 4 ++-- manifests/client.pp | 5 +++-- manifests/client/centos.pp | 2 +- manifests/init.pp | 6 +++--- 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index 94907ba..34c1cb8 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -15,8 +15,8 @@ class ekeyd::base { enable => true, } - exec{'configure_ekey_key': - command => "ekey-rekey `ekeydctl list | grep \"/dev/entropykey\" | awk -F, '{ print \$5}'` ${ekeyd::ekey_masterkey}", + exec{'configure_ekeyd_key': + command => "ekey-rekey `ekeydctl list | grep \"/dev/entropykey\" | awk -F, '{ print \$5}'` ${ekeyd::ekeyd_masterkey}", unless => "ekeydctl list | grep -q 'Running OK'", require => Service['ekeyd'], } diff --git a/manifests/client.pp b/manifests/client.pp index 89fd253..e7df4c4 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -1,5 +1,6 @@ -class ekeyd::client { - if !$ekeyd_host { fail("\$ekeyd_host is not set for $fqdn") } +class ekeyd::client( + $ekeyd_host +) { case $operatingsystem { centos: { include ekeyd::client::centos } default: { include ekeyd::client::base } diff --git a/manifests/client/centos.pp b/manifests/client/centos.pp index b9328bb..2a9315a 100644 --- a/manifests/client/centos.pp +++ b/manifests/client/centos.pp @@ -1,6 +1,6 @@ class ekeyd::client::centos inherits ekeyd::client::base { file{'/etc/sysconfig/egd-linux': - content => "DAEMON_HOST=${ekeyd_host}\n", + content => "DAEMON_HOST=${ekeyd::ekeyd_host}\n", notify => Service['egd-linux'], owner => root, group => 0, mode => 0644; } diff --git a/manifests/init.pp b/manifests/init.pp index 83ee949..036ff82 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
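Review bot: `ekey-rekey ... ${ekeyd::ekeyd_masterkey}` in base.pp still hands the Entropy Key master key to the tool as a command-line argument, so it is visible to every local user via `ps` while the rekey runs and ends up verbatim in Puppet's failure messages and reports, which quote the full command when an exec fails. The exposure predates this commit, which only renames the variable, but the rename is the natural place to change it: pass the key through an environment variable or a root-only 0600 file if ekey-rekey supports reading it that way, and add a comment on the exec saying why the argument form is avoided. The exec also relies on `ekey-rekey`, `ekeydctl`, `grep` and `awk` being found without a `path` attribute and on backticks being expanded, which presumes an Exec default with `path` and a shell elsewhere in the site manifests; if that default does not exist, `path => ['/usr/bin','/bin','/usr/sbin','/sbin']` and `provider => shell` (where available) belong on the resource.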
@@ -1,13 +1,13 @@ class ekeyd( - $ekey_host = false, - $ekey_masterkey + $ekeyd_host = false, + $ekeyd_masterkey ){ if $ekeyd_key_present != 'true' { fail("Can't find an ekey key plugged into usb on ${fqdn}") } include ekeyd::base - if $ekey_host { + if $ekeyd_host { case $operatingsystem { centos: { include ekeyd::host::centos } default: { include ekeyd::host::base } -- cgit v1.2.3 From 9ab5f4e33884d59c1edcda28e305318f701ddcff Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 1 Mar 2011 23:02:20 +0100 Subject: add munin plugins --- files/munin/ekeyd_stat_ | 223 ++++++++++++++++++++++++++++++++++++++++++++++++ manifests/init.pp | 4 + manifests/munin.pp | 16 ++++ 3 files changed, 243 insertions(+) create mode 100755 files/munin/ekeyd_stat_ create mode 100644 manifests/munin.pp diff --git a/files/munin/ekeyd_stat_ b/files/munin/ekeyd_stat_ new file mode 100755 index 0000000..43a7c47 --- /dev/null +++ b/files/munin/ekeyd_stat_ 
@@ -0,0 +1,223 @@ +#!/usr/bin/perl -w +# +# Entropy Key statistic reporting plugin for munin +# +# use by soft linking the script to a ekey statistic +# for example ln -s /usr/share/munin/ekeyd_stat_ ekeyd_stat_KeyTemperatureC +# will give a graph of each entropy keys temperature in Celsius +# +# for example ln -s /usr/share/munin/ekeyd_stat_ ekeyd_stat_total_EntropyRate +# will give a graph of the total entropy rate from all keys in bits per second +# +# The plugin.conf.d/munin-node must have a stanza [ekeyd_*] with user root in +# it as the plugin requires root access to aquire the statistics +# +# Copyright 2009 Simtec Electronics +# +# For licence terms refer to the COPYING file. + +# Magic markers for munin +#%# family=auto +#%# capabilities=autoconf suggest + +use strict; + +use Socket; +use IO::Handle; + +my $control_sock = exists $ENV{controlsocket} ? $ENV{controlsocket} : '/var/run/ekeyd.sock'; + +# mappings to make output prettier +my %titles = ("KeyTemperatureC", "Temperature" ,"KeyTemperatureF", "Temperature", "KeyTemperatureK" , "Temperature" , "TotalEntropy", "Entropy Rate", "KeyVoltage", "Supply Voltage", "FipsFrameRate", "Fips Frame Rate", "EntropyRate", "Entropy Rate"); +my %graph_axis = ( "KeyTemperatureC", "Celsius", "KeyTemperatureF", "Fahrenheit", "KeyTemperatureK", "Kelvin" , "EntropyRate", "Bits per second" , "TotalEntropy", "Bytes per second" , "KeyVoltage", "Volts", "ConnectionTime", "Seconds", "FipsFrameRate", "Frames per second"); +my %graph_type = ( "TotalEntropy" , "DERIVE", "BytesRead" , "COUNTER", "BytesWritten" , "COUNTER", "ConnectionPackets" , "COUNTER" ); +my %graph_min = ( "TotalEntropy" , 0 ); + +sub ekeyd_connect { + my ($rendezvous) = @_; + my $line; + my $sock; + + socket($sock, PF_UNIX, SOCK_STREAM, 0) || die "socket: $!"; + connect($sock, sockaddr_un($rendezvous)) || die "connect: $!"; + + $line = <$sock>; + if ((!defined($line)) || ($line ne "PROTOCOL EKEYD/1\n")) { + die "Unrecognised EKEYD " . 
$line; + } + + return $sock; +} + +# issues a command to the ekeyd and retrieves the results +sub ekeyd_command { + my ($sock, $command, @params) = @_; + my @lines; + my $line; + my $pnum = scalar @params; + + if ($pnum > 0) { + my $pcnt = 0; + $command .= "("; + while ($pcnt < $pnum) { + $command = $command . "\"" . $params[$pcnt] . "\""; + $pcnt++; + if ($pcnt == $pnum) { + $command .= ")"; + } else { + $command .= ","; + } + } + } + + print $sock $command . "\n"; + $sock->flush; + + push @lines, $line while ((defined($line = <$sock>)) and $line ne "OK\n" and $line !~ "^ERROR.*"); + + chomp @lines; + + return @lines; +} + +# discover if plugin can actually be used on this system +if ( defined $ARGV[0] and $ARGV[0] eq "autoconf" ) { + if ($control_sock and -S $control_sock) { + print "yes\n"; + exit 0; + } else { + print "no (Control socket $control_sock not found)\n"; + exit 1; + } +} + +# suggest appropriate default links +if ( defined $ARGV[0] and $ARGV[0] eq "suggest" ) { + print "total_TotalEntropy\n"; + print "KeyTemperatureC\n"; + exit 0; +} + +# aquire the name of the statistic to monitor. +$0 =~ /ekeyd_stat_total_(.+)*$/; +my $statistic = $1; +my $total_flag = 1; +if (!defined($statistic)) { + $0 =~ /ekeyd_stat_(.+)*$/; + $statistic = $1; + $total_flag = 0; + if (!defined($statistic)) { + die "A statistic must be provided"; + } +} + +# connect to the ekeyd command socket +my $SOCKET = ekeyd_connect($control_sock); + +# find all the entropy keys attached +my @result = ekeyd_command($SOCKET, "ListEntropyKeys"); + +# remove header line +shift @result; + +if ( defined $ARGV[0] and $ARGV[0] eq "config" ) { + + # work out graph title + my $title; + if (defined $titles{$statistic}) { + $title = $titles{$statistic}; + } else { + $title = $statistic; + } + + if ($total_flag == 1) { + if (scalar(@result) < 2) { + print "graph_title Entropy Key " . $title . "\n"; + } else { + print "graph_title Entropy Key Combined " . $title . 
"\n"; + } + } else { + print "graph_title Entropy Key " . $title . "\n"; + } + + # label the axis as apropriate + if (defined $graph_axis{$statistic}) { + print "graph_vlabel " . $graph_axis{$statistic} . "\n"; + } + + print "graph_category sensors\n"; + + if ($total_flag == 1) { + if (scalar(@result) < 2) { + print "totstat.label $title\n"; + } else { + print "totstat.label Combined $title for " . scalar(@result) . " Entropy Keys\n"; + } + + # set the graph type + if (defined $graph_type{$statistic}) { + print "totstat.type " . $graph_type{$statistic} . "\n"; + } else { + print "totstat.type GAUGE\n"; + } + + #set the graph minimum + if (defined $graph_min{$statistic}) { + print "totstat.min " . $graph_min{$statistic} . "\n"; + } + } else { + # details for each key + foreach my $keyline (@result) { + my @elmnt = split(/\t/, $keyline); + my $name = $elmnt[5]; + $name =~ s,/,_,g; + print "stats" . $name . ".label " . $elmnt[5] . "\n"; + + # set the graph type + if (defined $graph_type{$statistic}) { + print "stats" . $name . ".type " . $graph_type{$statistic} . "\n"; + } else { + print "stats" . $name . ".type GAUGE\n"; + } + + #set the graph minimum + if (defined $graph_min{$statistic}) { + print "stats". $elmnt[5] . ".min " . $graph_min{$statistic} . "\n"; + } + } + } +} else { + my $total = 0; + foreach my $keyline (@result) { + + # split up the result line + my @elmnt = split(/\t/, $keyline); + + # get the status of the entropy key + my @stat_res = ekeyd_command($SOCKET, "StatEntropyKey", $elmnt[5]); + + my $tmp; + my %key_stats; + + foreach $tmp (@stat_res) { + my @keyval = split(/\t/, $tmp); + @keyval = split(/=/, $keyval[1]); + $key_stats{$keyval[0]} = $keyval[1]; + } + $total += $key_stats{$statistic}; + + if ($total_flag == 0) { + print "stats" . $elmnt[5] . ".value " . $key_stats{$statistic} . "\n"; + } + } + if ($total_flag == 1) { + if (scalar(@result) < 1) { + $total = "U"; + } + print "totstat.value " . $total . 
"\n"; + } +} + +close $SOCKET; + +exit 0; diff --git a/manifests/init.pp b/manifests/init.pp index 036ff82..204d877 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -17,4 +17,8 @@ class ekeyd( include shorewall::rules::ekeyd } } + + if $use_munin { + include ekeyd::munin + } } diff --git a/manifests/munin.pp b/manifests/munin.pp new file mode 100644 index 0000000..c2566f3 --- /dev/null +++ b/manifests/munin.pp @@ -0,0 +1,16 @@ +class ekeyd::munin { + munin::plugin::deploy{'ekeyd_stat_': + source => "ekeyd/munin/ekeyd_stat_" , + ensure => "absent", + } + munin::plugin{ + [ 'ekeyd_stat_total_EntropyRate', + 'ekeyd_stat_total_TotalEntropy', + 'ekeyd_stat_total_KeyVoltage', + 'ekeyd_stat_total_FipsFrameRate', + 'ekeyd_stat_KeyTemperatureC' ]: + require => Munin::Plugin::Deploy['ekeyd_stat_'], + ensure => 'ekeyd_stat_', + config => "'user root\nenv.controlsocket /var/run/ekeyd.sock", + } +} -- cgit v1.2.3 From 4519d4f176a47e2dc1798197de1d00eac577a3ab Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 1 Mar 2011 23:14:05 +0100 Subject: use correct variable --- manifests/client/centos.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/client/centos.pp b/manifests/client/centos.pp index 2a9315a..4be46d8 100644 --- a/manifests/client/centos.pp +++ b/manifests/client/centos.pp @@ -1,6 +1,6 @@ class ekeyd::client::centos inherits ekeyd::client::base { file{'/etc/sysconfig/egd-linux': - content => "DAEMON_HOST=${ekeyd::ekeyd_host}\n", + content => "DAEMON_HOST=${ekeyd::client::ekeyd_host}\n", notify => Service['egd-linux'], owner => root, group => 0, mode => 0644; } -- cgit v1.2.3 From d731a3c2420ab4c3aecfd5dc06d7cd5d5ba74aa1 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 1 Mar 2011 23:28:01 +0100 Subject: fix typo --- manifests/munin.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/munin.pp b/manifests/munin.pp index c2566f3..1ef1d2b 100644 --- a/manifests/munin.pp +++ b/manifests/munin.pp 
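Review bot: `ensure => "absent"` on `munin::plugin::deploy{'ekeyd_stat_'}` in munin.pp looks inverted: if deploy's `ensure` governs whether the wildcard script is installed, the five `munin::plugin` links below that `require` it and use `ensure => 'ekeyd_stat_'` would point at a file this same class removes, so `ensure => 'present'` seems to be the intent. The plugin config `user root` gives a read-only monitoring check root privileges and full use of the ekeyd control socket, which accepts far more than the `ListEntropyKeys`/`StatEntropyKey` queries the plugin issues; the upstream plugin header says root is needed to reach the socket, so the least-privilege alternative would require making /var/run/ekeyd.sock accessible to a dedicated group the munin user belongs to, which is worth noting in a comment even if it is left for later.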
@@ -11,6 +11,6 @@ class ekeyd::munin { 'ekeyd_stat_KeyTemperatureC' ]: require => Munin::Plugin::Deploy['ekeyd_stat_'], ensure => 'ekeyd_stat_', - config => "'user root\nenv.controlsocket /var/run/ekeyd.sock", + config => "user root\nenv.controlsocket /var/run/ekeyd.sock", } } -- cgit v1.2.3 From 1f2a5d682485ea0cbdc9e13d865485face539012 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 2 Mar 2011 00:57:49 +0100 Subject: migrate to define usage --- manifests/client.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index e7df4c4..b965015 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -1,5 +1,6 @@ class ekeyd::client( - $ekeyd_host + $ekeyd_host, + $shorewall_zones = ['net'] ) { case $operatingsystem { centos: { include ekeyd::client::centos } @@ -7,7 +8,7 @@ class ekeyd::client( } if $use_shorewall { - class{'shorewall::rules::out::ekeyd': + shorewall::rules::out::ekeyd{$shorewall_zones: ekeyd_host => $ekeyd_host, } } -- cgit v1.2.3
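Review bot: the new default `$shorewall_zones = ['net']` in client.pp opens the outbound EGD rule towards the `net` zone, meaning the entropy feed is expected to cross an untrusted network unless the caller overrides it, yet the connection egd-linux makes to `$ekeyd_host` carries no authentication or confidentiality, so anything on that path can observe, or substitute and have credited as entropy, the bytes the client feeds its kernel. If the entropy host normally sits on an internal zone, make that the default and leave `net` as an explicit opt-in; in either case the parameter needs a comment naming which zones the ekeyd host may live in and that the link is unprotected. The class body continues outside the two hunks shown here.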