How to run command on Zabbix agents? - sysadmin

I want to run a command on Zabbix agents:
Some simple unix commands, to obtain our reporting data.
When there is some processing required on the agent side.
There seem to be a variety of approaches being talked about. So how to execute such commands on a Zabbix agent?

Run commands from the server directly from a new item.
First, set EnableRemoteCommands=1 in the agent conf file (for all of your agents) to enable this feature.
Create a new item. A field on the "new item" page says 'key'. Enter:
system.run[command]
as the 'key' string, where command is the command you want to be downloaded and run on the agent. Here is an example:
system.run[sysctl dev.cpu.0.temperature | cut -d ' ' -f 2 | tr -d C]
Perhaps you need to run something substantially more complex that is too long to fit in there? Then you will need to make a custom script. Put your custom scripts on a local webserver, or somewhere on the web.
Then you might set the item's key to:
system.run[ command -v script && script || wget script_url -O /path/to/script && script]
to fetch and download the missing script to the agent the first time it's executed. However, that is a rather crude hack, and not very elegant.
A better way is to go to "Administration" --> "Scripts" in the menu. From there, you can create a new script to use in an item which may be configured to run on any of your agents.
Make a special custom item to re-run your script periodically (like a cron job). The job of the special script item is to update the agent with a collection of your other needed custom scripts.
Of course you could just write all of your custom scripts directly into Zabbix's MySQL database. And it is very tempting to do that. But be aware that then they'd be lost and vulnerable if your Zabbix database ever gets fried or corrupted / lost. Zabbix databases always have a habit of growing large, unwieldy and out-of-control. So don't do that. Store them separately somewhere else and under version control (git or subversion).
Once that's all sorted, we can finally go ahead and create further custom items to run your custom scripts. Again using:
system.run[script]
as the item's key just as before. Where 'script' is the command (plus any arguments), to execute your custom script locally on the agent.

Define the user parameter at the client (where zabbix agent is located) at /etc/zabbix/zabbix_agentd.conf
The key should be unique. I am using lsof as an example: UserParameter=open_file,lsof | wc -l
Restart the agent: service zabbix-agent restart
Test if the key is working using zabbix_get utility. To do that from the zabbix server, invoke the following: /usr/local/bin/zabbix_get -s <HOST/IP of the zabbix agent> -k open_file (It should return a number in this case)
Create an item with the key at the zabbix server at the template level (the return type should be correctly defined, otherwise zabbix will not accept it):
Type: Zabbix Agent (Active)
Key: open_file
Type of Information: Numeric (unsigned)
Data Type: decimal
You may create a graph using the item to monitor the value at regular interval.
Here is the official documentation.
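The two answers above differ in how much the agent trusts the server: EnableRemoteCommands=1 lets the server run any command through system.run[], while a fixed UserParameter exposes a single predefined command. The following audit of an agent config is an added example, not code from either answer or from Zabbix; the sample config and the proc.count key are constructed, and AllowKey and UnsafeUserParameters are agent options that the page itself does not mention.

```python
import re

# Constructed sample of /etc/zabbix/zabbix_agentd.conf, not taken from a real host.
SAMPLE_CONF = """\
Server=192.0.2.10
EnableRemoteCommands=1
UnsafeUserParameters=1
UserParameter=open_file,lsof | wc -l
UserParameter=proc.count[*],pgrep -c "$1"
"""

def parse_conf(text):
    """Split agent config text into (settings, user_parameters)."""
    settings, user_params = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name == "UserParameter":
            # Format is key,command; only the first comma separates the two.
            key, _, command = value.partition(",")
            user_params.append((key.strip(), command.strip()))
        else:
            settings.setdefault(name, []).append(value)
    return settings, user_params

def audit(text):
    """List settings that widen what the Zabbix server can execute on the agent."""
    settings, user_params = parse_conf(text)
    findings = []
    if "1" in settings.get("EnableRemoteCommands", []):
        findings.append("EnableRemoteCommands=1: system.run[] runs any command the server sends")
    for pattern in settings.get("AllowKey", []):
        if pattern.startswith("system.run["):
            findings.append(f"AllowKey={pattern}: system.run[] is allowed")
    unsafe = "1" in settings.get("UnsafeUserParameters", [])
    for key, command in user_params:
        # Flexible parameters (key[*]) substitute server-supplied $1..$9 into a shell command.
        if key.endswith("[*]") and re.search(r"\$[1-9]", command):
            note = "shell metacharacters accepted" if unsafe else "agent rejects shell metacharacters"
            findings.append(f"UserParameter {key}: server-supplied arguments reach the shell ({note})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

A config that only defines fixed keys such as open_file produces no findings, which is the narrower exposure of the UserParameter approach.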

Related

Automating Zope5 Database Pack

I tried asking on the Plone forums but no one had any good responses.
I am running Zope5, no ZeoServer, no Plone, with Apache as a frontend proxy.
In the old Zope2 there was a script called zodb-pack that could pack the database from the command line. This is no longer included with Zope5 and I am searching for a way to pack the db from the command line.
Also, Apache is setup for client certificate authentication, so I cannot do something like:
curl -X POST https://username:password@zope.domain.com
I also don't want to hardcode that type of curl statement because of the need to include the username and password.
My Zope is running in a Docker container, so I thought about doing something like:
source /zope5/bin/activate
python scriptname
with a python script along the lines of
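import time
from ZODB.DB import DB
from ZODB.config import databaseFromString
from ZODB.serialize import referencesf
from transaction import commit
# "<zodb_config>" stands for the ZConfig text that describes the storage
db = databaseFromString("<zodb_config>")
storage = db.storage
# storage.pack() expects a numeric cutoff time; pack everything up to now
storage.pack(time.time(), referencesf)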
but I'm not sure that's the correct way to do this. Basically I just want my bash script that automates the backups for the server to pack the Zope DB before backing it up, but I need a command line command to do so.
I cannot use any solution that requires me to modify how Zope runs, nor requires me to stop Zope to perform the pack.
Of course I can manually go to the ZMI's Control Panel and click Pack, but like I said, I was trying to automate it so it could run in off peak hours.

Testing if user created in AD can be logged into on a VM

I am a QA automation engineer and in the web app I test there's a feature that creates Active Directory users.
My tools are - Selenium (Java), RemoteWebDriver, Selenium Grid (Docker)
I was trying to find ways to validate this process and came to a stop - this field (AD) is new to me and I need to find a way to make sure the user was created and can be logged into in the network.
I was trying to find a way to do this and came up with 2 options, where the first one is the least preferred way:
Make a request (API? 3rd side tool?) to get the relevant user(s).
The issue:
A user created and registered in the AD doesn't necessarily mean that the client can log into it (at least by the way I understood how AD works), and so it loses the most important consequence of the feature.
Use a VM, get the AD user information (username + password: possible) and try to log into the VM using those details.
The issue:
I haven't come across a tool that does it, the closest thing is Robot class or WinAppDriver.
WinAppDriver seems like the best solution as of now, although I don't know how to make the login process work since the process starts before the desktop is open and I don't know how to locate the username and password field, so I figured using Robot class seems like the simplest solution, if it works on a VM that is, which as of now doesn't seem like it does.
So, before advancing on learning how to use WinAppDriver with my current automation, I'd like and appreciate your opinions about the matter or if you have simpler solutions.
Thank you very much for reading!
• We can check whether a user is created successfully or not and if that user can log in to the AD domain or not by executing a script as below. It is a powershell script that auto logs in through remote desktop protocol in the other domain joined VM from an Azure domain joined VM that checks whether the recently created user can login or not.
Powershell script : -
cmdkey /list | ForEach-Object{if($_ -like "*target=TERMSRV/*"){cmdkey /del:($_ -replace " ","" -replace "Target:","")}}
echo "Connecting to 192.168.1.100"
$Server="192.168.1.100"
$User="Administrator"
$Password="AdminPassword"
cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password
mstsc /v:$Server
• In the above script, replace the ‘$User’ value by the user principal name of the newly created user, i.e., ‘$User="testdemo@example.com"’ and the ‘$Password’ value by the password set for that user. Also, ensure that you replace and enter the correct IP address of the domain controller/AD server. Also, ensure that before executing the above powershell script, execute the below commands in an elevated (administrator privileges) powershell console.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Lastly, please ensure that while creating the user, the option ‘User must change password at next logon’, ‘Account is Disabled’, ‘Password never expires’ and ‘User cannot change password’ are unchecked and not selected.
• Also, you can use the below command line script for logging in to the domain joined Azure VM through RDP protocol. In the below command, replace the ‘username’ and ‘password’ with the username and password of the user created recently to log in to the Azure VM with this command line script. Also, replace the ‘TERMSRC’ with the hostname of the server system or the domain joined VM where the specified UNC path is located and replace the ‘some_unc_path’ with the actual UNC path of the shared directory folder. Please execute the below command through elevated (administrator privileges) command prompt.
Command script: -
c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nolog -command cmdkey /generic:TERMSRC/some_unc_path /user:username /pass:pa$$word; mstsc /v:some_unc_path

How to set up SSH keyphrase caching with GnuPG Agent in NixOS?

I'm using NixOS (unstable channel, at the moment) remotely, via SSH, so no graphical environment. I often push and pull Git repositories, and re-typing the passphrase for SSH keys gets old quick, so I'm trying to set up an agent to cache the passphrase.
With the latest releases, using GnuPG Agent with SSH support seems to be the recommended choice. I enabled the agent by uncommenting the following lines in configuration.nix:
programs.gnupg.agent = {
  enable = true;
  enableSSHSupport = true;
  pinentryFlavor = "gnome3";
};
Does the choice of pinentryFlavor matter here? I'm imagining that SSH asks the keys by its own prompt, and caches them using the agent, but a confirmation would be nice. As I said, I'm not using graphical interface.
The main question: it doesn't seem to work just by enabling the agent from the configuration.nix. Something else clearly needs to be done, but I'm unable to find any documentation about how to properly enable the agent in NixOS.
The global configuration.nix sets up configuration at /etc/bashrc to call gpg-connect-agent when bash is started and /etc/set-environment to set the SSH_AUTH_SOCK environment variable. It also adds systemwide per-user systemd units at /etc/systemd/user/gpg-agent* that run per-user GnuPG key agents.
Finally, you must be sure to add the key to the agent using the ssh-add command; it isn't added automatically when SSH prompts the key passphrase.
This should be enough to make GnuPG agent work with SSH. The choice of pinentryFlavor shouldn't also have effect when used over terminal. Turns out you should set pinentryFlavor to curses when using over terminal. If you don't do that, the agent throws an error when re-authenticating.
(I'm not sure why I encountered various error conditions when I first enabled GnuPG. It works now with the default settings. It's possible that the systemd service wasn't properly started.)

How to perform a command in a shell on remote server immediately after deploying some code from intellij idea?

I have a web server running on a virtual machine and I need some actions (e.g. "service apache2 reload") to be performed there automatically after I deploy my code from IDEA.
Automatically -- no way AFAIK.
https://youtrack.jetbrains.com/issue/WI-3344 -- watch this ticket (star/vote/comment) to get notified on any progress.
You may also watch related tickets:
https://youtrack.jetbrains.com/issue/WI-23938
https://youtrack.jetbrains.com/issue/WI-3239
The only manual solutions I may suggest right now are:
either keep SSH console opened (IDE has it built-in) and execute such command manually once deployed
or create "Remote SSH External Tools" entry that will do such job (connect and issue specified command) manually after deployment (once created you can assign custom shortcut to it so it can be run more easily).
In both cases -- check this manual.

OSX: "Window Server: failed setting the front application to My App"

I am launching a launchAgent from a post install script using the following command:
su -l $LOGGED_IN_USER -c "/bin/launchctl load /Library/LaunchAgents/com.myApp.mac.agent.plist"
The agent displays a status item (NSStatusItem) with a couple of menu options. One of them has a settings option. Clicking this will open an NSWindow, with few NSTextFields. At times, though this window is the top most, whatever I type goes to the underlying app. I am unable to type anything into the text field. Whenever this happens, I notice the following log in the console:
WindowServer[97]: [cps/setfront] Failed setting the front application to MyApp, psn 0x0-0xb20b2, securitySessionID=0x186c5, err=-600
This is not a consistent behaviour. Any idea why this log comes? And is there any work around for this? Is it ok to launch the agent using su -l?
I don't know exactly why you're getting that error and behavior. I recommend reading Technical Note TN2083: Daemons and Agents. It explains in detail the various facets of the execution context of a process and how that affects what a process can do. That includes whether or not a process can connect to the Window Server.
For what it's worth, error -600 is procNotFound, whose description is "no eligible process with specified descriptor". It seems that the Window Server is not able to find a process with the given process serial number (PSN) in the given security session.
I would not use -l in your sudo command. A user's login scripts can do all sorts of crazy things and you don't want those done by your installer. However, I don't believe that's related to the main problem.