binfalse
Monitoring of XOS devices
February 5th, 2016This week I developed some plugins for Nagios/Icinga to monitor network devices of the vendor Extreme Networks. All these plugins receive status information of, eg. switches, via SNMP.
The Basic: Check Mem, CPU, and Fans
Checking for available memory, for the device’s temperature, for the power supplies, and for fan states is quite straight forward. You just ask the switch for the values of a few OIDs, evaluate the answer, and tell Nagios/Icinga what to do.
The Simple Network Management Protocol (SNMP) is actually a very easy to use protocol. There is an SNMP server, such as a router or a switch, which exposes management data through the SNMP protocol. To access these data you just send an object identify (OID) to an SNMP server and receive the corresponding value. So called management information bases (MIB) can tell you what a certain OID stands for.
On the command line, for example, you could use snmpwalk
to iterate over an OID subtree to, e.g., obtain information about the memory on a device:
usr@srv $ snmpwalk -v 2c -c publicCommunityString switch.address.com 1.3.6.1.4.1.1916.1.32.2.2.1
1.3.6.1.4.1.1916.1.32.2.2.1.1.1 = Gauge32: 1
1.3.6.1.4.1.1916.1.32.2.2.1.2.1 = STRING: "262144"
1.3.6.1.4.1.1916.1.32.2.2.1.3.1 = STRING: "116268"
1.3.6.1.4.1.1916.1.32.2.2.1.4.1 = STRING: "7504"
1.3.6.1.4.1.1916.1.32.2.2.1.5.1 = STRING: "138372"
The OID 1.3.6.1.4.1.1916.1.32.2.2.1
addresses the memory information table of the SNMP provider at switch.address.com
.
The value at *.2.1
shows how much memory is installed, *.3.1
shows how much memory is free, *.4.1
shows how much is consumed by the system, and *.5.1
shows how much is consumed by user processes. Basic calculations tell us there are 262144/1024 = 256KB
in total and 100*116268/262144 = 44.35%
is free.
A bit more logic for a warning/critical switch and the plugin is done.
The Feature: Monitoring of the FDB
But I would probably not write about that basic stuff if there was not an extra feature! I implemented a script to also monitor the FDB. FDB is and abbreviation for forwarding databases: The switch maintains a forwarding database (FDB) of all MAC addresses received on all of its ports. It, for example, uses the information in this database to decide whether a frame should be forwarded or filtered. Each entry consists of
- the MAC address of the device behind the port
- the associated VLAN
- the age of the entry – depending on the configuration the entries age out of the table
- some flags – e.g. is the entry dynamic or static
- the port
The table may look like the following:
> show fdb
Mac Vlan Age Flags Port / Virtual Port List
------------------------------------------------------------------------------
01:23:45:67:89:ab worknet(0060) 0056 n m 9
01:23:42:67:89:ab mobnet(0040) 0001 n m 21
Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP,
x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress Blackhole,
b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T - VLAN translation,
D - drop packet, h - Hardware Aging, o - IEEE 802.1ah Backbone MAC,
S - Software Controlled Deletion, r - MSRP
As soon as the switch gets a frame on one port it learns the corresponding MAC address, port number, etc. into this table. So if a frame for this MAC address arrives it know where to send it to.
However, that content of a networking class.
All we need to know is that a switch can tell you which device which MAC address is is connected to which port.
And that’s the idea of check_extreme_fdb.pl
! It compares the entries of the FDB with some expected entries in an CSV file. The CSV is supposed to contain three coloumns:
mac,port,vlan
If a MAC address in the FDB matches the MAC address in the CSV file it checks the ports and vlans. If those do not match, it will raise an error.
For the CSV: Feel free to leave port or vlan empty if you do not care about this detail.
That means, if you just want to make sure that the device with the MAC 01:23:45:67:89:ab
is in vlan worknet
you add an entry such as:
01:23:45:67:89:ab,,worknet
Use -e <FILE>
to pass the CSV file containing expected entry to the program and call it like beckham:
perl -w check_extreme_fdb.pl -s <SWITCH> -C <COMMUNITY-STRING> -e <EXPECTED>
Here, SWITCH
being the switch’s address and COMMUNITY-STRING
beeing the SNMP “passphrase”. You may also want to add -w
to raise a warning if one of the entries in the CSV file wasn’t found in the FDB. To create a sample CSV file that matches the current FDB you can call it with --print
.
To get the script have a look at the check_extreme_fdb.pl
software page.
More Extreme Stuff
In addition there are some other scripts to monitor Extreme Networks devices:
Do I have a CD-RW?
January 6th, 2016You don’t know whether the CD drive on your machine is able to burn CDs? And too lazy to go off with your head under your table? Or you’re remote on the machine? Then that’s your command line:
$ cat /proc/sys/dev/cdrom/info
CD-ROM information, Id: cdrom.c 3.20 2003/12/17
drive name: sr0
drive speed: 32
drive # of slots: 1
Can close tray: 1
Can open tray: 1
Can lock tray: 1
Can change speed: 1
Can select disk: 0
Can read multisession: 1
Can read MCN: 1
Reports media changed: 1
Can play audio: 1
Can write CD-R: 1
Can write CD-RW: 1
Can read DVD: 1
Can write DVD-R: 1
Can write DVD-RAM: 1
Can read MRW: 1
Can write MRW: 1
Can write RAM: 1
Docker Jail for Skype
January 4th, 2016As I’m now permanently installed at our University (yeah!) I probably need to use skype more often than desired. However, I still try to avoid proprietary software, and skype is the worst of all. Skype is an
obfuscated malicious binary blob with network capabilities
as jvoisin beautifully put into words. I came in contact with skype multiple times and it was always a mess. Ok, but what are the options if I need skype? So far I’ve been using a virtual box if I needed to call somebody who insisted on using skype, but now that I’ll be using skype more often I need an alternative to running a second OS on my machine. My friend Tom meant to make a joke about using Docker and … TA-DAH! … Turns out it’s actually possible to jail a usable skype inside a Docker container! Guided by jvoisin’s article Running Skype in docker I created my own setup:
The Dockerfile
The Dockerfile
is available from the skype-on-docker project on GitHub. Just clone the project and change into the directory:
$ git clone https://github.com/binfalse/skype-on-docker.git
$ cd skype-on-docker
$ ls -l
total 12
-rw-r--r-- 1 martin martin 32 Jan 4 17:26 authorized_keys
-rw-r--r-- 1 martin martin 1144 Jan 4 17:26 Dockerfile
-rw-r--r-- 1 martin martin 729 Jan 4 17:26 README.md
The Docker image is based on a Debian:stable. It will install an OpenSSH server (it exposes 22
) and download the skype binaries. It will also install the authorized_keys
file in the home directories of root and the unprivileged user. Thus, to be able to connect to the container you need to copy your public SSH key into that file:
$ cat ~/.ssh/id_rsa.pub >> authorized_keys
Good so far? Ok, then go for it! Build a docker image:
$ docker build -t binfalse/skype .
This might take a while. Docker will execute the commands given in the Dockerfile
and create a new Docker image with the name binfalse/skype
. Feel free to choose a different name..
As soon as that’s finished you can instantiate and run a new container using:
$ docker run -d -p 127.0.0.1:55757:22 --name skype_container binfalse/skype
This will start the container as a daemon (-d
) with the name skype_container (--name skype_container
) and the host’s port 55757
mapped to the container’s port 22
(-p 127.0.0.1:55757:22
).
Give it a millisecond to come up and then you should be able to connect to that container via ssh. From that shell you should be able to start an configure skype:
$ ssh -X -p 55555 docker@127.0.0.1
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jan 4 23:07:37 2016 from 172.17.42.1
$ skype
You can immediately go and do your chats and stuff, but you can also just configure skype. Do setup everything just like you want to find it when starting skype, for example tick the auto-login button to get rid of the login screen etc. As soon as that’s done, commit the changes to build a new image reflecting your preferences:
$ docker commit skype_container binfalse/deb-skype
Now you’ll have an image called binfalse/deb-skype
that contains a fully configured skype installation. Just kill the other container:
$ docker stop skype_container
$ docker rm skype_container
And now your typical workflow might look like:
docker run -d -p 127.0.0.1:55757:22 --name skype__ binfalse/deb-skype
sleep 1
ssh -X -p 55757 docker@127.0.0.1 skype && docker rm -f skype__
Feel free to cast it in a mould just as I did.
The script is also available from my apt repo, it’s name is bf-skype-on-docker
:
echo "deb http://apt.binfalse.de binfalse main" > /etc/apt/sources.list.d/binfalse.list
apt-get update && apt-get install bf-skype-on-docker
Getting into a new group
December 30th, 2015You know, … you just got this new floppy disk with very important material but you cannot access it because you’re not in the system’s floppy
group and, thus, you’re not allowed to access the floppy device. Solution is easy: add your current user to the floppy
group! Sounds easy, doesn’t it? The annoying thing is that those changes won’t take affect in the current session. You need to log out and log in again – quite annoying, especially if you’re into something with lots of windows and stuff. Just happened to me with docker again..
However, there are two methods to get into the new groups without the need to kill the current session:
- su yourself: let’s say your username is
myname
you just need tosu myname
to get a prompt with the new group memberships. - ssh localhost: that also gives you a new session with updated affiliations.
That way, you do not need to start a new session. However, you still need to start all applications/tools from that terminal - might be odd to those who are used to the gnome/kde menues.. :)
Supplemental material
Display group membership:
groups USERNAME
Add a new system group:
groupadd GROUPNAME
Add a user to a group:
useradd -G GROUPNAME USERNAME
CyanogenMod Updates and the firewall
November 3rd, 2015I’m running CyanogenMod on my phone and I have the firewall AFWall+ installed.
To update the list of available updates the application CM Updater need to be able to connect to the internet. It will contact a website from within the google empire and ask for available images.
In order to download a new image the application Media Storage, Download Manager, Downloads needs internet access, as this app is in charge of downloading the actual image file.
To be remembered.