pull request deines Codes

README.md

@@ -1,35 +1,70 @@
 # Ansible Playbook for setting up Check_MK agent on pfSense
 
-Automatically installs the Check_MK agent on a pfSense firewall.
-Adds ipmi, libstatgrab (for amd64) and an update check
 
-based off 'the' pfSense forum post (https://forum.pfsense.org/index.php?topic=111517.0#top) with some cleanups. We also use /opt but with a more FHS-compliant
- vendor-path structure putting things under ```/opt/check_mk```. 
+## What it does
 
+Automatically installs the __Check_MK__ agent on a __pfSense__ firewall.
 
+The Playbook is based of 'the' pfSense forum post (https://forum.pfsense.org/index.php?topic=111517.0#top) with some cleanups. We also use /opt but with a more FHS-compliant.
+
+It also sets up a few extras: 
+
+* <ins>IPMI</ins> - interesting for achieving monitoring of the hardware sensors, and allows to use the hardware watchdog for less-than-rock-solid firewalls
+* <ins>pfSense updates</ins> - alerts with warning status if you need to update your firewall (also from forum or somewhere else, could not identify the source)
+* <ins>libstatgrab</ins> - needed for monitoring network devices (a amd64 package is included)
+* <ins>squidclient</ins> - Squid client check
+
+
+We adjusted the paths from the forum entry to a FHS-compliant structure including vendor path. That means we put things under ```/opt/check_mk```. 
 
 
-## Notes
 
-### Setup
+
+
+## Setup
 
 you need to initially install python27 i.e. using:
-```ansible -m shell -a "pkg install python27" myfirewillhostname```
+```ansible -m shell -a "pkg install python27" my-firewall-hostname```
 
 you'll also need a firewall rule to allow connecting to port 6556! :-)
 
+We set up ignore rules for some services
+
+* NIC parameters for __lagg/vlan__
+* Whole Interfaces like __ix__
+
+
+## Notes
+
+### filter reload
+
+in our experiene you will have to run a "filter reload" once after installing the playbook.  
+so far, we've not found a _reliable_ fix for that.
+
+
+### no python2 interpreter symlink in 2.4.4 and up.
+
+Newer versions seem to not have a "default" python2. you can either change the setting in your inventory from
+'python2' to 'python2.7' or create a symlink.
+
 ### Connections
 
-A connection using sshpass (-k) turned out to be extremely flaky.
-You are very much advised to store a key for connecting with Ansible.
+Once the connection using sshpass (-k) turned out to be extremely flaky.
+IF that happens, you are advised to store a key for connecting with Ansible.
 
 We normally also prefer to connect via SSH for Check_MK, that part is your choice. You can just disable the xinetd listener in that case.
-That's using ```disable = yes``` in ./roles/check_mk-pfsense/files/check_mk.inet
+That's using ```disable = yes``` in ```./roles/check_mk-pfsense/files/check_mk.inet```
 
 ### IPMI
 
 Time constraints resulted in generally adding IPMI. It has no adverse effect on systems that do not support it, but of course a more granular support would be nicer.
 
 
 ### The path
-/opt/MK would be correct, but we can't do that
+/opt/MK would be correct, but we can't do that :-)
+
+
+## Contributions
+
+Please, go ahead, there's still many things that could be improved for pfSense monitoring.
+Let us know about missing docs, too.

hosts

@@ -1,3 +1,3 @@
 [firewalls]
-pfSense0.domain.tld ansible_ssh_host=192.168.201.1 ansible_python_interpreter=/usr/local/bin/python2 ansible_ssh_user=root
-pfSense1.domain.tld ansible_ssh_host=192.168.201.2 ansible_python_interpreter=/usr/local/bin/python2 ansible_ssh_user=root
+pfSense0.domain.tld ansible_ssh_host=192.168.201.1 ansible_python_interpreter=/usr/local/bin/python3.7 ansible_ssh_user=root
+pfSense1.domain.tld ansible_ssh_host=192.168.201.2 ansible_python_interpreter=/usr/local/bin/python3.7 ansible_ssh_user=root

roles/check_mk-pfsense/files/mk_haproxy

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+if [ -r /var/run/haproxy.stat ]; then
+        echo "<<<haproxy:sep(44)>>>"
+        echo "show stat" | socat unix-connect:/var/run/haproxy.stat stdio
+fi

roles/check_mk-pfsense/files/patch-inc-php.sh

@@ -1,34 +1,52 @@
 #!/bin/sh
 
+# script that patches pfSense to include an external (persistent) xinetd config directory
+# the config directory is only used for Check_MK agent in TCP mode (optionally with caching agent)
+# based off forum post https://forum.pfsense.org/index.php?topic=111517.0 
+
 
 TMPFILE=/etc/inc/filter.inc.temp
 SRCFILE=/etc/inc/filter.inc
 
 
 edit_missing_include() {
-    awk '/Close file handle/{print "        fwrite($xinetd_fd, \"includedir /opt/etc/xinetd.d\");"}1' \
+    echo "config replaced"
+    awk '/Close file handle/{print "        fwrite($xinetd_fd, \"includedir /opt/check_mk/etc/xinetd.d\");"}1' \
         $SRCFILE > $TMPFILE
     return $?
 }
 
 
+patch_config() {
+    # if the file has the path as mentioned on forums
+    echo "config replaced"
+    if grep -q -E "includedir.*/opt/etc/xinetd.d" $SRCFILE ; then
+        sed -i "" 's%/opt/etc/xinetd.d.*%/opt/check_mk/etc/xinetd.d");%' $SRCFILE
+        exit 0
+    fi
+
+}
+
+
 replace_config() {
+    echo "config replaced"
     mv $TMPFILE $SRCFILE
     return $?
 }
 
-# if the file is already valid
-if grep -q -E "includedir.*/opt/check_mk/etc/xinetd.d" $SRCFILE ; then
-    exit 0
-fi
-# if the file has the path as mentioned on forums
-if grep -q -E "includedir.*/opt/etc/xinetd.d" $SRCFILE ; then
-    sed -i "" /opt/etc/xinetd.d /opt/check_mk/etc/xinetd.d $SRCFILE
-    exit 0
-fi
 
-# finally, if nothing was there, patch it
-edit_missing_include &&
-replace_config
+main() {
+    # if the file is already valid
+    if grep -q -E "includedir /opt/check_mk/etc/xinetd.d" $SRCFILE ; then
+        exit 0
+    fi
+    patch_config
+    # finally, if nothing was there, patch it
+    edit_missing_include &&
+    replace_config
+    return $?
+}
+
 
+main
 exit $?

roles/check_mk-pfsense/files/squidclient

@@ -0,0 +1,6 @@
+#!/usr/local/bin/bash
+
+if type squidclient > /dev/null 2>&1 ; then
+   echo "<<<check_squid>>>"
+   timeout 10 squidclient -h 127.0.0.1 -p 3128 -T2 mgr:5min | grep =
+fi

roles/check_mk-pfsense/handlers/main.yml

@@ -7,3 +7,6 @@
 
 - name: install libstatgrab
   command: pkg add /opt/check_mk/libstatgrab-0.91.txz
+
+- name: reload filters
+  command: /etc/rc.filter_configure

roles/check_mk-pfsense/tasks/main.yml

@@ -1,4 +1,3 @@
-
 ---
 
 # losely after https://forum.pfsense.org/index.php?topic=111517.0
@@ -13,12 +12,18 @@
   with_items: ['/opt/check_mk/bin', '/opt/check_mk/etc/xinetd.d' ]
 - name: extension dirs
   file: path={{ item }} state=directory
-  with_items: ['/opt/check_mk/lib/plugins', '/opt/check_mk/lib/local/3600', '/opt/check_mk/lib/plugins/3600' ]
+  with_items: ['/opt/check_mk/lib/local/3600', '/opt/check_mk/lib/plugins/3600' ]
 
 
 # plugin fuer updates mit 3600 subdir
 - name: update checker
-  copy: src=pfsense-updates.php dest=/opt/check_mk/lib/local/3600 mode=0755 owner=root group=wheel
+  copy: src=pfsense-updates.php dest=/opt/check_mk/lib/local/3600/pfsense-updates.php mode=0755 owner=root group=wheel
+
+- name: squidclient checker
+  copy: src=squidclient dest=/opt/check_mk/lib/plugins/squidclient mode=0755 owner=root group=wheel
+
+- name: haproxy checker
+  copy: src=mk_haproxy dest=/opt/check_mk/lib/plugins/mk_haproxy mode=0755 owner=root group=wheel
 
 # ipmitool
 - name: ipmi support software
@@ -48,13 +53,18 @@
   copy: src=libstatgrab-0.91.txz dest=/opt/check_mk/libstatgrab-0.91.txz mode=0755 owner=root group=wheel
   notify: install libstatgrab
 
-
 - name: xinetd config
   copy: src=check_mk.inet   dest=/opt/check_mk/etc/xinetd.d/check_mk mode=0755 owner=root group=wheel
-  
+
 # patchen der filter.inc datei automatisieren?
-#- name: persistent xinetd config path helper script
-#  copy: src=patch-inc-php.sh dest=/opt/check_mk/bin/patch-inc-php.sh mode=0755 owner=root group=wheel
+- name: persistent xinetd config path helper script
+  copy: src=patch-inc-php.sh dest=/opt/check_mk/bin/patch-inc-php.sh mode=0755 owner=root group=wheel
 
 - name: persistent xinetd config check
-  script: patch-inc-php.sh
+  command: /opt/check_mk/bin/patch-inc-php.sh
+  register: patch_result
+  changed_when: "patch_result.stdout == 'config replaced'"
+  notify: reload filters
+
+#- name: persistent xinetd config check
+#  script: patch-inc-php.sh