Adding upstream version 1.44.3.upstream/1.44.3upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

6 files changed, 570 insertions, 0 deletions

diff --git a/collectors/charts.d.plugin/libreswan/Makefile.inc b/collectors/charts.d.plugin/libreswan/Makefile.inc
new file mode 100644
index 00000000..af767d0d
--- /dev/null
+++ b/collectors/charts.d.plugin/libreswan/Makefile.inc
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# THIS IS NOT A COMPLETE Makefile
+# IT IS INCLUDED BY ITS PARENT'S Makefile.am
+# IT IS REQUIRED TO REFERENCE ALL FILES RELATIVE TO THE PARENT
+
+# install these files
+dist_charts_DATA       += libreswan/libreswan.chart.sh
+dist_chartsconfig_DATA += libreswan/libreswan.conf
+
+# do not install these files, but include them in the distribution
+dist_noinst_DATA       += libreswan/README.md libreswan/Makefile.inc
+
diff --git a/collectors/charts.d.plugin/libreswan/README.md b/collectors/charts.d.plugin/libreswan/README.md
new file mode 120000
index 00000000..1416d959
--- /dev/null
+++ b/collectors/charts.d.plugin/libreswan/README.md
@@ -0,0 +1 @@
+integrations/libreswan.md
\ No newline at end of file
diff --git a/collectors/charts.d.plugin/libreswan/integrations/libreswan.md b/collectors/charts.d.plugin/libreswan/integrations/libreswan.md
new file mode 100644
index 00000000..bd1eec64
--- /dev/null
+++ b/collectors/charts.d.plugin/libreswan/integrations/libreswan.md
@@ -0,0 +1,194 @@
+<!--startmeta
+custom_edit_url: "https://github.com/netdata/netdata/edit/master/collectors/charts.d.plugin/libreswan/README.md"
+meta_yaml: "https://github.com/netdata/netdata/edit/master/collectors/charts.d.plugin/libreswan/metadata.yaml"
+sidebar_label: "Libreswan"
+learn_status: "Published"
+learn_rel_path: "Data Collection/VPNs"
+most_popular: False
+message: "DO NOT EDIT THIS FILE DIRECTLY, IT IS GENERATED BY THE COLLECTOR'S metadata.yaml FILE"
+endmeta-->
+
+# Libreswan
+
+
+<img src="https://netdata.cloud/img/libreswan.png" width="150"/>
+
+
+Plugin: charts.d.plugin
+Module: libreswan
+
+<img src="https://img.shields.io/badge/maintained%20by-Netdata-%2300ab44" />
+
+## Overview
+
+Monitor Libreswan performance for optimal IPsec VPN operations. Improve your VPN operations with Netdata''s real-time metrics and built-in alerts.
+
+The collector uses the `ipsec` command to collect the information it needs.
+
+This collector is supported on all platforms.
+
+This collector supports collecting metrics from multiple instances of this integration, including remote instances.
+
+
+### Default Behavior
+
+#### Auto-Detection
+
+This integration doesn't support auto-detection.
+
+#### Limits
+
+The default configuration for this integration does not impose any limits on data collection.
+
+#### Performance Impact
+
+The default configuration for this integration is not expected to impose a significant performance impact on the system.
+
+
+## Metrics
+
+Metrics grouped by *scope*.
+
+The scope defines the instance that the metric belongs to. An instance is uniquely identified by a set of labels.
+
+
+
+### Per IPSEC tunnel
+
+Metrics related to IPSEC tunnels. Each tunnel provides its own set of the following metrics.
+
+This scope has no labels.
+
+Metrics:
+
+| Metric | Dimensions | Unit |
+|:------|:----------|:----|
+| libreswan.net | in, out | kilobits/s |
+| libreswan.uptime | uptime | seconds |
+
+
+
+## Alerts
+
+There are no alerts configured by default for this integration.
+
+
+## Setup
+
+### Prerequisites
+
+#### Install charts.d plugin
+
+If [using our official native DEB/RPM packages](https://github.com/netdata/netdata/blob/master/packaging/installer/UPDATE.md#determine-which-installation-method-you-used), make sure `netdata-plugin-chartsd` is installed.
+
+
+#### Permissions to execute `ipsec`
+
+The plugin executes 2 commands to collect all the information it needs:
+
+```sh
+ipsec whack --status
+ipsec whack --trafficstatus
+```
+
+The first command is used to extract the currently established tunnels, their IDs and their names.
+The second command is used to extract the current uptime and traffic.
+
+Most probably user `netdata` will not be able to query libreswan, so the `ipsec` commands will be denied.
+The plugin attempts to run `ipsec` as `sudo ipsec ...`, to get access to libreswan statistics.
+
+To allow user `netdata` execute `sudo ipsec ...`, create the file `/etc/sudoers.d/netdata` with this content:
+
+```
+netdata ALL = (root) NOPASSWD: /sbin/ipsec whack --status
+netdata ALL = (root) NOPASSWD: /sbin/ipsec whack --trafficstatus
+```
+
+Make sure the path `/sbin/ipsec` matches your setup (execute `which ipsec` to find the right path).
+
+
+
+### Configuration
+
+#### File
+
+The configuration file name for this integration is `charts.d/libreswan.conf`.
+
+
+You can edit the configuration file using the `edit-config` script from the
+Netdata [config directory](https://github.com/netdata/netdata/blob/master/docs/configure/nodes.md#the-netdata-config-directory).
+
+```bash
+cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
+sudo ./edit-config charts.d/libreswan.conf
+```
+#### Options
+
+The config file is sourced by the charts.d plugin. It's a standard bash file.
+
+The following collapsed table contains all the options that can be configured for the libreswan collector.
+
+
+<details><summary>Config options</summary>
+
+| Name | Description | Default | Required |
+|:----|:-----------|:-------|:--------:|
+| libreswan_update_every | The data collection frequency. If unset, will inherit the netdata update frequency. | 1 | no |
+| libreswan_priority | The charts priority on the dashboard | 90000 | no |
+| libreswan_retries | The number of retries to do in case of failure before disabling the collector. | 10 | no |
+| libreswan_sudo | Whether to run `ipsec` with `sudo` or not. | 1 | no |
+
+</details>
+
+#### Examples
+
+##### Run `ipsec` without sudo
+
+Run the `ipsec` utility without sudo
+
+```yaml
+# the data collection frequency
+# if unset, will inherit the netdata update frequency
+#libreswan_update_every=1
+
+# the charts priority on the dashboard
+#libreswan_priority=90000
+
+# the number of retries to do in case of failure
+# before disabling the module
+#libreswan_retries=10
+
+# set to 1, to run ipsec with sudo (the default)
+# set to 0, to run ipsec without sudo
+libreswan_sudo=0
+
+```
+
+
+## Troubleshooting
+
+### Debug Mode
+
+To troubleshoot issues with the `libreswan` collector, run the `charts.d.plugin` with the debug option enabled. The output
+should give you clues as to why the collector isn't working.
+
+- Navigate to the `plugins.d` directory, usually at `/usr/libexec/netdata/plugins.d/`. If that's not the case on
+  your system, open `netdata.conf` and look for the `plugins` setting under `[directories]`.
+
+  ```bash
+  cd /usr/libexec/netdata/plugins.d/
+  ```
+
+- Switch to the `netdata` user.
+
+  ```bash
+  sudo -u netdata -s
+  ```
+
+- Run the `charts.d.plugin` to debug the collector:
+
+  ```bash
+  ./charts.d.plugin debug 1 libreswan
+  ```
+
+
diff --git a/collectors/charts.d.plugin/libreswan/libreswan.chart.sh b/collectors/charts.d.plugin/libreswan/libreswan.chart.sh
new file mode 100644
index 00000000..d526f7a9
--- /dev/null
+++ b/collectors/charts.d.plugin/libreswan/libreswan.chart.sh
@@ -0,0 +1,187 @@
+# shellcheck shell=bash disable=SC1117
+# no need for shebang - this file is loaded from charts.d.plugin
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# netdata
+# real-time performance and health monitoring, done right!
+# (C) 2018 Costa Tsaousis <costa@tsaousis.gr>
+#
+
+# _update_every is a special variable - it holds the number of seconds
+# between the calls of the _update() function
+libreswan_update_every=1
+
+# the priority is used to sort the charts on the dashboard
+# 1 = the first chart
+libreswan_priority=90000
+
+# set to 1, to run ipsec with sudo
+libreswan_sudo=1
+
+# global variables to store our collected data
+
+# [TUNNELID] = TUNNELNAME
+# here we track the *latest* established tunnels
+# as detected by: ipsec whack --status
+declare -A libreswan_connected_tunnels=()
+
+# [TUNNELID] = VALUE
+# here we track values of all established tunnels (not only the latest)
+# as detected by: ipsec whack --trafficstatus
+declare -A libreswan_traffic_in=()
+declare -A libreswan_traffic_out=()
+declare -A libreswan_established_add_time=()
+
+# [TUNNELNAME] = CHARTID
+# here we remember CHARTIDs of all tunnels
+# we need this to avoid converting tunnel names to chart IDs on every iteration
+declare -A libreswan_tunnel_charts=()
+
+is_able_sudo_ipsec() {
+  if ! sudo -n -l "${IPSEC_CMD}" whack --status > /dev/null 2>&1; then
+    return 1
+  fi
+  if ! sudo -n -l "${IPSEC_CMD}" whack --trafficstatus > /dev/null 2>&1; then
+    return 1
+  fi
+  return 0
+}
+
+# run the ipsec command
+libreswan_ipsec() {
+  if [ ${libreswan_sudo} -ne 0 ]; then
+    sudo -n "${IPSEC_CMD}" "${@}"
+    return $?
+  else
+    "${IPSEC_CMD}" "${@}"
+    return $?
+  fi
+}
+
+# fetch latest values - fill the arrays
+libreswan_get() {
+  # do all the work to collect / calculate the values
+  # for each dimension
+
+  # empty the variables
+  libreswan_traffic_in=()
+  libreswan_traffic_out=()
+  libreswan_established_add_time=()
+  libreswan_connected_tunnels=()
+
+  # convert the ipsec command output to a shell script
+  # and source it to get the values
+  # shellcheck disable=SC1090
+  source <(
+    {
+      libreswan_ipsec whack --status
+      libreswan_ipsec whack --trafficstatus
+    } | sed -n \
+      -e "s|[0-9]\+ #\([0-9]\+\): \"\(.*\)\".*IPsec SA established.*newest IPSEC.*|libreswan_connected_tunnels[\"\1\"]=\"\2\"|p" \
+      -e "s|[0-9]\+ #\([0-9]\+\): \"\(.*\)\",\{0,1\}.* add_time=\([0-9]\+\),.* inBytes=\([0-9]\+\),.* outBytes=\([0-9]\+\).*|libreswan_traffic_in[\"\1\"]=\"\4\"; libreswan_traffic_out[\"\1\"]=\"\5\"; libreswan_established_add_time[\"\1\"]=\"\3\";|p"
+  ) || return 1
+
+  # check we got some data
+  [ ${#libreswan_connected_tunnels[@]} -eq 0 ] && return 1
+
+  return 0
+}
+
+# _check is called once, to find out if this chart should be enabled or not
+libreswan_check() {
+  # this should return:
+  #  - 0 to enable the chart
+  #  - 1 to disable the chart
+
+  require_cmd ipsec || return 1
+
+  # make sure it is libreswan
+  # shellcheck disable=SC2143
+  if [ -z "$(ipsec --version | grep -i libreswan)" ]; then
+    error "ipsec command is not Libreswan. Disabling Libreswan plugin."
+    return 1
+  fi
+
+  if [ ${libreswan_sudo} -ne 0 ] && ! is_able_sudo_ipsec; then
+    error "not enough permissions to execute ipsec with sudo. Disabling Libreswan plugin."
+    return 1
+  fi
+
+  # check that we can collect data
+  libreswan_get || return 1
+
+  return 0
+}
+
+# create the charts for an ipsec tunnel
+libreswan_create_one() {
+  local n="${1}" name
+
+  name="${libreswan_connected_tunnels[${n}]}"
+
+  [ -n "${libreswan_tunnel_charts[${name}]}" ] && return 0
+
+  libreswan_tunnel_charts[${name}]="$(fixid "${name}")"
+
+  cat << EOF
+CHART libreswan.${libreswan_tunnel_charts[${name}]}_net '${name}_net' "LibreSWAN Tunnel ${name} Traffic" "kilobits/s" "${name}" libreswan.net area $((libreswan_priority)) $libreswan_update_every '' '' 'libreswan'
+DIMENSION in '' incremental 8 1000
+DIMENSION out '' incremental -8 1000
+CHART libreswan.${libreswan_tunnel_charts[${name}]}_uptime '${name}_uptime' "LibreSWAN Tunnel ${name} Uptime" "seconds" "${name}" libreswan.uptime line $((libreswan_priority + 1)) $libreswan_update_every '' '' 'libreswan'
+DIMENSION uptime '' absolute 1 1
+EOF
+
+  return 0
+
+}
+
+# _create is called once, to create the charts
+libreswan_create() {
+  local n
+  for n in "${!libreswan_connected_tunnels[@]}"; do
+    libreswan_create_one "${n}"
+  done
+  return 0
+}
+
+libreswan_now=$(date +%s)
+
+# send the values to netdata for an ipsec tunnel
+libreswan_update_one() {
+  local n="${1}" microseconds="${2}" name id uptime
+
+  name="${libreswan_connected_tunnels[${n}]}"
+  id="${libreswan_tunnel_charts[${name}]}"
+
+  [ -z "${id}" ] && libreswan_create_one "${name}"
+
+  uptime=$((libreswan_now - libreswan_established_add_time[${n}]))
+  [ ${uptime} -lt 0 ] && uptime=0
+
+  # write the result of the work.
+  cat << VALUESEOF
+BEGIN libreswan.${id}_net ${microseconds}
+SET in = ${libreswan_traffic_in[${n}]}
+SET out = ${libreswan_traffic_out[${n}]}
+END
+BEGIN libreswan.${id}_uptime ${microseconds}
+SET uptime = ${uptime}
+END
+VALUESEOF
+}
+
+# _update is called continuously, to collect the values
+libreswan_update() {
+  # the first argument to this function is the microseconds since last update
+  # pass this parameter to the BEGIN statement (see below).
+
+  libreswan_get || return 1
+  libreswan_now=$(date +%s)
+
+  local n
+  for n in "${!libreswan_connected_tunnels[@]}"; do
+    libreswan_update_one "${n}" "${@}"
+  done
+
+  return 0
+}
diff --git a/collectors/charts.d.plugin/libreswan/libreswan.conf b/collectors/charts.d.plugin/libreswan/libreswan.conf
new file mode 100644
index 00000000..9b3ee77b
--- /dev/null
+++ b/collectors/charts.d.plugin/libreswan/libreswan.conf
@@ -0,0 +1,29 @@
+# no need for shebang - this file is loaded from charts.d.plugin
+
+# netdata
+# real-time performance and health monitoring, done right!
+# (C) 2018 Costa Tsaousis <costa@tsaousis.gr>
+# GPL v3+
+#
+
+# the data collection frequency
+# if unset, will inherit the netdata update frequency
+#libreswan_update_every=1
+
+# the charts priority on the dashboard
+#libreswan_priority=90000
+
+# the number of retries to do in case of failure
+# before disabling the module
+#libreswan_retries=10
+
+# set to 1, to run ipsec with sudo (the default)
+# set to 0, to run ipsec without sudo
+#libreswan_sudo=1
+
+# TO ALLOW NETDATA RUN ipsec AS ROOT
+# CREATE THE FILE: /etc/sudoers.d/netdata
+# WITH THESE 2 LINES (uncommented of course):
+#
+# netdata ALL = (root) NOPASSWD: /sbin/ipsec whack --status
+# netdata ALL = (root) NOPASSWD: /sbin/ipsec whack --trafficstatus
diff --git a/collectors/charts.d.plugin/libreswan/metadata.yaml b/collectors/charts.d.plugin/libreswan/metadata.yaml
new file mode 100644
index 00000000..77cb2545
--- /dev/null
+++ b/collectors/charts.d.plugin/libreswan/metadata.yaml
@@ -0,0 +1,146 @@
+plugin_name: charts.d.plugin
+modules:
+  - meta:
+      plugin_name: charts.d.plugin
+      module_name: libreswan
+      monitored_instance:
+        name: Libreswan
+        link: "https://libreswan.org/"
+        categories:
+          - data-collection.vpns
+        icon_filename: "libreswan.png"
+      related_resources:
+        integrations:
+          list: []
+      info_provided_to_referring_integrations:
+        description: ""
+      keywords:
+        - vpn
+        - libreswan
+        - network
+        - ipsec
+      most_popular: false
+    overview:
+      data_collection:
+        metrics_description: "Monitor Libreswan performance for optimal IPsec VPN operations. Improve your VPN operations with Netdata''s real-time metrics and built-in alerts."
+        method_description: "The collector uses the `ipsec` command to collect the information it needs."
+      supported_platforms:
+        include: []
+        exclude: []
+      multi_instance: true
+      additional_permissions:
+        description: ""
+      default_behavior:
+        auto_detection:
+          description: ""
+        limits:
+          description: ""
+        performance_impact:
+          description: ""
+    setup:
+      prerequisites:
+        list:
+          - title: "Install charts.d plugin"
+            description: |
+              If [using our official native DEB/RPM packages](https://github.com/netdata/netdata/blob/master/packaging/installer/UPDATE.md#determine-which-installation-method-you-used), make sure `netdata-plugin-chartsd` is installed.
+          - title: "Permissions to execute `ipsec`"
+            description: |
+              The plugin executes 2 commands to collect all the information it needs:
+              
+              ```sh
+              ipsec whack --status
+              ipsec whack --trafficstatus
+              ```
+              
+              The first command is used to extract the currently established tunnels, their IDs and their names.
+              The second command is used to extract the current uptime and traffic.
+              
+              Most probably user `netdata` will not be able to query libreswan, so the `ipsec` commands will be denied.
+              The plugin attempts to run `ipsec` as `sudo ipsec ...`, to get access to libreswan statistics.
+              
+              To allow user `netdata` execute `sudo ipsec ...`, create the file `/etc/sudoers.d/netdata` with this content:
+              
+              ```
+              netdata ALL = (root) NOPASSWD: /sbin/ipsec whack --status
+              netdata ALL = (root) NOPASSWD: /sbin/ipsec whack --trafficstatus
+              ```
+              
+              Make sure the path `/sbin/ipsec` matches your setup (execute `which ipsec` to find the right path).
+      configuration:
+        file:
+          name: charts.d/libreswan.conf
+        options:
+          description: |
+            The config file is sourced by the charts.d plugin. It's a standard bash file.
+            
+            The following collapsed table contains all the options that can be configured for the libreswan collector.
+          folding:
+            title: "Config options"
+            enabled: true
+          list:
+            - name: libreswan_update_every
+              description: The data collection frequency. If unset, will inherit the netdata update frequency.
+              default_value: 1
+              required: false
+            - name: libreswan_priority
+              description: The charts priority on the dashboard
+              default_value: 90000
+              required: false
+            - name: libreswan_retries
+              description: The number of retries to do in case of failure before disabling the collector.
+              default_value: 10
+              required: false
+            - name: libreswan_sudo
+              description: Whether to run `ipsec` with `sudo` or not.
+              default_value: 1
+              required: false
+        examples:
+          folding:
+            enabled: false
+            title: "Config"
+          list:
+            - name: Run `ipsec` without sudo
+              description: Run the `ipsec` utility without sudo
+              config: |
+                # the data collection frequency
+                # if unset, will inherit the netdata update frequency
+                #libreswan_update_every=1
+                
+                # the charts priority on the dashboard
+                #libreswan_priority=90000
+                
+                # the number of retries to do in case of failure
+                # before disabling the module
+                #libreswan_retries=10
+                
+                # set to 1, to run ipsec with sudo (the default)
+                # set to 0, to run ipsec without sudo
+                libreswan_sudo=0
+    troubleshooting:
+      problems:
+        list: []
+    alerts: []
+    metrics:
+      folding:
+        title: Metrics
+        enabled: false
+      description: ""
+      availability: []
+      scopes:
+        - name: IPSEC tunnel
+          description: "Metrics related to IPSEC tunnels. Each tunnel provides its own set of the following metrics."
+          labels: []
+          metrics:
+            - name: libreswan.net
+              description: LibreSWAN Tunnel ${name} Traffic
+              unit: "kilobits/s"
+              chart_type: area
+              dimensions:
+                - name: in
+                - name: out
+            - name: libreswan.uptime
+              description: LibreSWAN Tunnel ${name} Uptime
+              unit: "seconds"
+              chart_type: line
+              dimensions:
+                - name: uptime