Sunday, September 26, 2021

LibreNMS average CPU usage monitoring

Recently there was a requirement to monitor CPU usage, but the rule in use was

processors.processor_usage >= processor_perc_warn

This rule checks each CPU individually. If the host has 8 CPUs and only 1 of them exceeds the alert threshold, an alert is raised even though the other 7 may not be under much load. Monitoring this way does not seem quite reasonable; ideally the alert should be based on the average across all 8 CPUs.

In the Advanced section of the official documentation, https://docs.librenms.org/Alerting/Rules/, there is a SQL statement:


SELECT *,AVG(processors.processor_usage) as cpu_avg FROM devices,processors WHERE (devices.device_id = ? AND devices.device_id = processors.device_id) AND (devices.status = 1 && (devices.disabled = 0 && devices.ignore = 0)) = 1 HAVING AVG(processors.processor_usage) > 10


I tried it afterwards and it really works.
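To see how the two rule styles differ, here is an added Python example (not from the original post or from LibreNMS) that runs both checks over a constructed devices/processors table in SQLite; the average query is the documented one above, adapted only where SQLite syntax differs from MySQL.

```python
import sqlite3

# Constructed sample: device 1 has 8 processors, one busy core and seven idle ones.
DEVICE_ID = 1
SAMPLE_USAGE = [95, 10, 10, 10, 10, 10, 10, 10]

# Per-processor rule: one row per processor over the threshold (any hit alerts).
PER_PROCESSOR_SQL = """
SELECT processors.processor_id, processors.processor_usage
FROM devices, processors
WHERE devices.device_id = ? AND devices.device_id = processors.device_id
  AND devices.status = 1 AND devices.disabled = 0 AND devices."ignore" = 0
  AND processors.processor_usage >= ?
"""

# Average rule: same shape as the LibreNMS docs query quoted above. SQLite has
# no '&&' operator and wants GROUP BY before HAVING, so only that is adapted.
AVERAGE_SQL = """
SELECT devices.device_id, AVG(processors.processor_usage) AS cpu_avg
FROM devices, processors
WHERE devices.device_id = ? AND devices.device_id = processors.device_id
  AND devices.status = 1 AND devices.disabled = 0 AND devices."ignore" = 0
GROUP BY devices.device_id
HAVING AVG(processors.processor_usage) > ?
"""

def build_db(usages):
    """In-memory stand-in for the devices/processors tables, filled with the sample."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE devices (device_id INTEGER, status INTEGER, disabled INTEGER, "ignore" INTEGER);
        CREATE TABLE processors (processor_id INTEGER, device_id INTEGER, processor_usage INTEGER);
    """)
    con.execute("INSERT INTO devices VALUES (?, 1, 0, 0)", (DEVICE_ID,))
    con.executemany("INSERT INTO processors VALUES (?, ?, ?)",
                    [(i, DEVICE_ID, u) for i, u in enumerate(usages)])
    return con

def per_processor_hits(con, threshold):
    """Rows the per-processor rule would alert on (processor_id, usage)."""
    return con.execute(PER_PROCESSOR_SQL, (DEVICE_ID, threshold)).fetchall()

def average_hits(con, threshold):
    """Rows the average rule would alert on, at most one per device (device_id, cpu_avg)."""
    return con.execute(AVERAGE_SQL, (DEVICE_ID, threshold)).fetchall()
```

With a warning threshold of 80 the per-processor rule fires on core 0 (95%) while the average rule stays quiet, because the device average is 20.625%.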

Load test method

[root@librenms CPULoadGenerator]# python3.6 -m cpu_load_generator -l 0.8 -d 600 -c -1

Tool used

https://pypi.org/project/cpu-load-generator/


Project description


CPU Load Generator


This package generates a fixed CPU load for a finite time period.

The script takes as input the desired CPU load, the duration of the experiment,

and the CPU core (or all cores) on which the load has to be generated.


Python versions

This master branch refers to Python versions 3.x


Dependencies

Installation of psutil is required (it is already set as a dependency in setup.py).


Install psutil:


pip install psutil

Other dependencies for unit tests and linters:


pip install mock pytest flake8 tox

Usage

To generate 20% of load on core 0 for 20 seconds, run:


python -m cpu_load_generator -l 0.2 -d 20 -c 0

To generate 50% of load on all logical cores for 20 seconds run:


python -m cpu_load_generator -l 0.5 -d 20 -c -1

There is an option to run the CPU load based on a profile file. An example profile

is under load_profiles/default_profile.json. To run the generator from

a profile, issue the following command:


python -m cpu_load_generator -p <path_to_profile_json>

To use the package features from python code:


Install the package from PyPi by issuing the following command:


python -m pip install cpu-load-generator

To use its features from your code:


from cpu_load_generator import load_single_core, load_all_cores, from_profile


load_single_core(core_num=0, duration_s=20, target_load=0.4)  # generate load on single core (0)

load_all_cores(duration_s=30, target_load=0.2)  # generates load on all cores

from_profile(path_to_profile_json=r"c:\profiles\profile1.json")


DEMO














Saturday, September 25, 2021

LibreNMS plugin-based Service monitoring

Derived from Nagios Plugins - Services

https://docs.librenms.org/Extensions/Services/

Demo




















Setting

======================================================


Service


{{ $alert->title }}

@if ($alert->faults)

@foreach ($alert->faults as $key => $value) {{ $value['service_desc'] }} - {{ $value['service_type'] }}

{{ $value['service_message'] }}

@endforeach

@endif


Error=========

Service: {{ $value['service_name'] }} {{ $value['service_type'] }}

=============

=========================================================

Other

SELECT * FROM devices,services WHERE (devices.device_id = ? AND devices.device_id = services.device_id) AND services.service_status != 0 AND (devices.status = 1 && (devices.disabled = 0 && devices.ignore = 0)) = 1

 

Wednesday, July 28, 2021

L2TP over IPsec VPN on VyOS / Vyatta


VPN Topology (Client to Site VPN)


L2TP  Client  <--> Firewall<---> Internet<---->Firewall<--->VyOS-L2TP-Server



VyOS Setting 


 vyos@vyos:~$ show configuration commands

set interfaces ethernet eth0 address '10.1.1.254/24'

set interfaces ethernet eth0 duplex 'auto'

set interfaces ethernet eth0 hw-id '00:0d:30:bb:72:57'

set interfaces ethernet eth0 smp-affinity 'auto'

set interfaces ethernet eth0 speed 'auto'

set interfaces loopback lo

set nat source rule 110 outbound-interface 'eth0'

set nat source rule 110 source address '192.168.1.0/24'

set nat source rule 110 translation address 'masquerade'

set protocols static route 0.0.0.0/0 next-hop 10.1.1.1

set service ssh port '22'

set system config-management commit-revisions '100'

set system console device ttyS0 speed '9600'

set system host-name 'vyos'

set system login user vyos authentication encrypted-password ''

set system login user vyos authentication plaintext-password ''

set system login user vyos level 'admin'

set system name-server '168.95.1.1'

set system ntp server clock.hinet.net

set system syslog global facility all level 'info'

set system syslog global facility protocols level 'debug'

set system time-zone 'Asia/Taipei'

set vpn ipsec esp-group l2tp compression 'disable'

set vpn ipsec esp-group l2tp lifetime '3600'

set vpn ipsec esp-group l2tp mode 'tunnel'

set vpn ipsec esp-group l2tp pfs 'dh-group2'

set vpn ipsec esp-group l2tp proposal 1 encryption 'aes128'

set vpn ipsec esp-group l2tp proposal 1 hash 'sha1'

set vpn ipsec ike-group l2tp close-action 'none'

set vpn ipsec ike-group l2tp ikev2-reauth 'no'

set vpn ipsec ike-group l2tp key-exchange 'ikev2'

set vpn ipsec ike-group l2tp lifetime '3600'

set vpn ipsec ike-group l2tp proposal 1 dh-group '2'

set vpn ipsec ike-group l2tp proposal 1 encryption 'aes128'

set vpn ipsec ike-group l2tp proposal 1 hash 'sha1'

set vpn ipsec ipsec-interfaces interface 'eth0'

set vpn ipsec logging log-level '1'

set vpn ipsec logging log-modes 'any'

set vpn ipsec nat-networks allowed-network 0.0.0.0/0

set vpn ipsec nat-traversal 'enable'

set vpn l2tp remote-access authentication local-users username VPNUser1 password 'User1Password'

set vpn l2tp remote-access authentication local-users username VPNUser2 password 'User2Password'

set vpn l2tp remote-access authentication mode 'local'

set vpn l2tp remote-access client-ip-pool start '192.168.1.50'

set vpn l2tp remote-access client-ip-pool stop '192.168.1.100'

set vpn l2tp remote-access dns-servers server-1 '8.8.8.8'

set vpn l2tp remote-access idle '1800'

set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'

set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'L2TP-PASSWORD'

set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'

set vpn l2tp remote-access ipsec-settings lifetime '3600'

set vpn l2tp remote-access mtu '1492'

set vpn l2tp remote-access outside-address '0.0.0.0'

vyos@vyos:~$


=================================================


vyos@vyos:~$  show vpn debug

Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.195-amd64-vyos, x86_64):

  uptime: 25 minutes, since Jul 29 01:13:44 2021

  malloc: sbrk 2973696, mmap 0, used 813120, free 2160576

  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1

  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1

  rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp 

 dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac 

 hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici 

 updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls 

 eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire 

 led addrblock counters

Listening IP addresses:

  10.1.1.254

Connections:

remote-access:  0.0.0.0...%any  IKEv1, dpddelay=15s

remote-access:   local:  [10.1.1.254] uses pre-shared key authentication

remote-access:   remote: uses pre-shared key authentication

remote-access:   child:  dynamic[0/l2f] === dynamic TRANSPORT, dpdaction=clear

Security Associations (1 up, 0 connecting):

remote-access[1]: ESTABLISHED 11 minutes ago, 10.1.1.254[10.1.1.254]...114.35.xxx.xxx[192.168.1.51]

remote-access[1]: IKEv1 SPIs: 6e74c683a4e351d3_i 0cc2f51574ea4e80_r*, rekeying disabled

remote-access[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

remote-access{1}:  INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: cc8f0e29_i ce27b6dd_o

remote-access{1}:  3DES_CBC/HMAC_SHA1_96, 438878 bytes_i, 420717 bytes_o (1724 pkts, 14s ago), rekeying disabled

remote-access{1}:   10.1.1.254/32[udp/l2f] === 114.35.xxx.xxx/32[udp/l2f]
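Note that the SA above was negotiated with 3DES_CBC and MODP_1024 even though the esp-group and ike-group named l2tp configure aes128 and dh-group2; those groups are not referenced anywhere in the remote-access ipsec-settings. Here is an added Python check (not part of the original post or of VyOS) that parses charon's `show vpn debug` output and flags legacy algorithms in established SAs; the sample text is constructed from the output above, with a documentation peer address in place of the masked one.

```python
import re

# Constructed excerpt in the shape of the charon status shown above; the peer
# address is a documentation address, the algorithms are the ones negotiated above.
SAMPLE = """\
Security Associations (1 up, 0 connecting):
remote-access[1]: ESTABLISHED 11 minutes ago, 10.1.1.254[10.1.1.254]...203.0.113.10[192.168.1.51]
remote-access[1]: IKEv1 SPIs: 6e74c683a4e351d3_i 0cc2f51574ea4e80_r*, rekeying disabled
remote-access[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
remote-access{1}:  INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: cc8f0e29_i ce27b6dd_o
remote-access{1}:  3DES_CBC/HMAC_SHA1_96, 438878 bytes_i, 420717 bytes_o (1724 pkts, 14s ago), rekeying disabled
"""

# Algorithms worth flagging when they show up in an established SA.
WEAK = {
    "DES_CBC": "single DES",
    "3DES_CBC": "3DES, 64-bit block cipher",
    "MD5": "MD5 integrity or PRF",
    "MODP_768": "768-bit DH group",
    "MODP_1024": "1024-bit DH group (dh-group2)",
}

# charon prints IKE SAs as conn[id] and CHILD (ESP) SAs as conn{id}.
IKE_RE = re.compile(r"^(?P<conn>[\w-]+)\[(?P<id>\d+)\]: IKE proposal: (?P<prop>\S+)", re.M)
ESP_RE = re.compile(r"^(?P<conn>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<prop>[A-Z0-9_]+/[A-Z0-9_/]+),", re.M)

def parse_proposals(text):
    """Return (kind, connection, sa_id, [algorithms]) for every IKE and ESP SA."""
    found = []
    for m in IKE_RE.finditer(text):
        found.append(("IKE", m["conn"], int(m["id"]), m["prop"].split("/")))
    for m in ESP_RE.finditer(text):
        found.append(("ESP", m["conn"], int(m["id"]), m["prop"].split("/")))
    return found

def weak_findings(text):
    """One human-readable finding per weak algorithm in an established SA."""
    findings = []
    for kind, conn, sa_id, algs in parse_proposals(text):
        for alg in algs:
            if alg in WEAK:
                findings.append(f"{kind} SA {conn}[{sa_id}] negotiated {alg}: {WEAK[alg]}")
    return findings

if __name__ == "__main__":
    for line in weak_findings(SAMPLE):
        print(line)
```

Feed it the real output of `show vpn debug` after changing ciphers to confirm the client actually negotiated what you configured.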


=================================================

Reference

https://docs.vyos.io/en/latest/configuration/vpn/l2tp.html

https://support.vyos.io/en/kb/articles/l2tp-over-ipsec-vpn-2

https://brezular.com/2019/06/01/l2tp-ipsec-remote-access-vpn-on-vyos/


===========================================


Firewall Policy Rule  (https://support.vyos.io/en/kb/articles/l2tp-over-ipsec-vpn-2)


UDP port 500 (IKE)

IP protocol number 50 (ESP)

UDP port 1701 (L2TP)

As well as the below to allow NAT-traversal 


(when NAT is detected by the VPN client, ESP is encapsulated in UDP for NAT-traversal):


UDP port 4500 (NAT-T)



=============================================

Debug CLI

vyos@vyos:~$  show vpn ipsec state

vyos@vyos:~$  show vpn ipsec status

vyos@vyos:~$  show vpn debug

vyos@vyos:~$  show log vpn all

vyos@vyos:~$  show vpn remote-access


======================================

Other

configure-l2tp-ipsec-server-behind-nat-t-device (Windows)

https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/configure-l2tp-ipsec-server-behind-nat-t-device


Set AssumeUDPEncapsulationContextOnSendRule registry key


To create and configure the AssumeUDPEncapsulationContextOnSendRule registry value, follow these steps:


1. Log on to the Windows Vista client computer as a user who is a member of the Administrators group.


2. Select Start > All Programs > Accessories > Run, type regedit, and then select OK. If the User Account Control dialog box is displayed on the screen and prompts you to elevate your administrator token, select Continue.


3. Locate and then select the following registry subkey:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent


=======================================================


Note


You can also apply the AssumeUDPEncapsulationContextOnSendRule DWORD value to a Microsoft Windows XP Service Pack 2 (SP2)-based VPN client computer. To do so, locate and then select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec registry subkey.


======================================================


4. On the Edit menu, point to New, and then select DWORD (32-bit) Value.


5. Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.


6. Right-click AssumeUDPEncapsulationContextOnSendRule, and then select Modify.


7. In the Value Data box, type one of the following values:


0. This is the default value. When it's set to 0, Windows can't establish security associations with servers located behind NAT devices.


1. When it's set to 1, Windows can establish security associations with servers that are located behind NAT devices.


2. When it's set to 2, Windows can establish security associations when both the server and the VPN client computer (Windows Vista or Windows Server 2008-based) are behind NAT devices.


8. Select OK, and then exit Registry Editor.


9. Restart the computer.

========================================


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]

"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

Sunday, June 20, 2021

Notes on building a VyOS ISO with a container

Prerequisite documents:

vyos [ vyatta ]

http://xrcd2.blogspot.tw/2014/09/vyos-vyatta.html

VyOS OpenVpn Plugin OTP ( SOP )

http://xrcd2.blogspot.tw/2015/03/vyos-openvpn-plugin-otp-sop.html

VyOS+OpenVPN+MFA

http://xrcd2.blogspot.tw/2016/09/vyosopenvpnmfa.html

Notes on building a VyOS ISO with Debian 8.9

http://xrcd2.blogspot.com/2017/10/debian-89-build-vyos-iso.html


LAB

yum -y install yum-utils device-mapper-persistent-data lvm2 git wget

yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

yum -y install docker-ce docker-ce-cli containerd.io

systemctl start docker

systemctl enable docker


git clone -b crux --single-branch https://github.com/vyos/vyos-build

cd vyos-build

docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:crux bash


./configure --architecture amd64 --build-by "xrcd2@OOXX.com" --build-type release --version 1.2.7

make iso












References

https://docs.docker.com/engine/install/centos/

https://docs.vyos.io/en/latest/contributing/build-vyos.html

https://www.blog.slow-fire.net/2021/04/09/vyos%E3%82%B3%E3%83%B3%E3%83%91%E3%82%A4%E3%83%AB-1-2-7/

https://qiita.com/s64s_y/items/f2b32f4ba257fbab9358