-rwxr-xr-xfiles/munin/tor_connections162
-rw-r--r--files/munin/tor_openfds32
-rw-r--r--lib/facter/tor_hidden_services.rb19
-rw-r--r--manifests/daemon/base.pp16
-rw-r--r--manifests/daemon/bridge.pp5
-rw-r--r--manifests/daemon/control.pp5
-rw-r--r--manifests/daemon/directory.pp5
-rw-r--r--manifests/daemon/dns.pp5
-rw-r--r--manifests/daemon/exit_policy.pp5
-rw-r--r--manifests/daemon/hidden_service.pp5
-rw-r--r--manifests/daemon/map_address.pp5
-rw-r--r--manifests/daemon/relay.pp5
-rw-r--r--manifests/daemon/snippet.pp5
-rw-r--r--manifests/daemon/socks.pp5
-rw-r--r--manifests/daemon/transparent.pp5
-rw-r--r--manifests/munin.pp5
-rw-r--r--templates/torrc.hidden_service.erb4
17 files changed, 71 insertions, 222 deletions
diff --git a/files/munin/tor_connections b/files/munin/tor_connections
deleted file mode 100755
index c1d0a92..0000000
--- a/files/munin/tor_connections
+++ /dev/null
@@ -1,162 +0,0 @@
-#!/usr/bin/perl -w
-#
-# Munin plugin to monitor Tor
-#
-# Author: Ge van Geldorp <ge@gse.nl>
-#
-# Parameters understood:
-#
-# host - Change which host to graph (default localhost)
-# port - Change which port to connect to (default 9051)
-# password - Plain-text control channel password (see torrc
-# HashedControlPassword parameter)
-# cookiefile - Name of the file containing the control channel cookie
-# (see torrc CookieAuthentication parameter)
-#
-# Using HashedControlPassword authentication has the problem that you must
-# include the plain-text password in the munin config file. To have any
-# effect, that file shouldn't be world-readable.
-# If you're using CookieAuthentication, you should run this plugin as a user
-# which has read access to the tor datafiles. Also note that bugs in versions
-# upto and including 0.1.1.20 prevent CookieAuthentication from working.
-#
-# Usage: place in /etc/munin/node.d/ (or link it there using ln -s)
-#
-# Parameters understood:
-# config (required)
-# autoconf (optional - used by munin-config)
-#
-#
-# Magic markers - optional - used by installation scripts and
-# munin-config:
-#
-#%# family=contrib
-#%# capabilities=autoconf
-
-use strict;
-use IO::Socket::INET;
-
-# Config
-our $address = $ENV{host} || "localhost"; # Default: localhost
-our $port = $ENV{port} || 9051; # Default: 9051
-
-# Don't edit below this line
-
-sub Authenticate
-{
- my ($socket) = @_;
- my $authline = "AUTHENTICATE";
- if (defined($ENV{cookiefile})) {
- if (open(COOKIE, "<$ENV{cookiefile}")) {
- binmode COOKIE;
- my $cookie;
- $authline .= " ";
- while (read(COOKIE, $cookie, 32)) {
- foreach my $byte (unpack "C*", $cookie) {
- $authline .= sprintf "%02x", $byte;
- }
- }
- close COOKIE;
- }
- } elsif (defined($ENV{password})) {
- $authline .= ' "' . $ENV{password} . '"';
- }
- print $socket "$authline\r\n";
- my $replyline = <$socket>;
- if (substr($replyline, 0, 1) != '2') {
- $replyline =~ s/\s*$//;
- return "Failed to authenticate: $replyline";
- }
-
- return;
-}
-
-if ($ARGV[0] and $ARGV[0] eq "autoconf") {
- # Try to connect to the daemon
- my $socket = IO::Socket::INET->new("$address:$port")
- or my $failed = 1;
-
- if ($failed) {
- print "no (failed to connect to $address port $port)\n";
- exit 1;
- }
-
- my $msg = Authenticate($socket);
- if (defined($msg)) {
- print $socket "QUIT\r\n";
- close($socket);
- print "no ($msg)\n";
- exit 1;
- }
-
- print $socket "QUIT\r\n";
- close($socket);
- print "yes\n";
- exit 0;
-}
-
-my %connections = ("new", 0,
- "launched", 0,
- "connected", 0,
- "failed", 0,
- "closed", 0);
-
-if ($ARGV[0] and $ARGV[0] eq "config") {
- print "graph_title Connections\n";
- print "graph_args -l 0 --base 1000\n";
- print "graph_vlabel connections\n";
- print "graph_category Tor\n";
- print "graph_period second\n";
- print "graph_info This graph shows the number of Tor OR connections.\n";
-
- foreach my $status (keys %connections) {
- print "$status.label $status\n";
- print "$status.type GAUGE\n";
- print "$status.max 50000\n";
- print "$status.min 0\n";
- }
-
- exit 0;
-}
-
-my $socket = IO::Socket::INET->new("$address:$port")
- or die("Couldn't connect to $address port $port: $!");
-
-my $msg = Authenticate($socket);
-if (defined($msg)) {
- print $socket "QUIT\r\n";
- close($socket);
- die "$msg\n";
-}
-
-print $socket "GETINFO orconn-status\r\n";
-my $replyline = <$socket>;
-if (substr($replyline, 0, 1) != '2') {
- print $socket "QUIT\r\n";
- close($socket);
- $replyline =~ s/\s*$//;
- die "Failed to get orconn-status info: $replyline\n";
-}
-
-while (! (($replyline = <$socket>) =~ /^\.\s*$/)) {
- my @reply = split(/\s+/, $replyline);
- $connections{lc($reply[1])}++;
-}
-$replyline = <$socket>;
-if (substr($replyline, 0, 1) != '2') {
- print $socket "QUIT\r\n";
- close($socket);
- $replyline =~ s/\s*$//;
- die "Failed to authenticate: $replyline\n";
-}
-
-print $socket "QUIT\r\n";
-close($socket);
-
-while (my ($status, $count) = each(%connections)) {
- print "$status.value $count\n";
-}
-
-exit 0;
-
-# vim:syntax=perl
diff --git a/files/munin/tor_openfds b/files/munin/tor_openfds
new file mode 100644
index 0000000..dbf57cd
--- /dev/null
+++ b/files/munin/tor_openfds
@@ -0,0 +1,32 @@
+#!/usr/bin/perl -w
+# https://lists.torproject.org/pipermail/tor-talk/2006-June/010486.html
+
+use strict;
+
+# Script to monitor the amount of FDs used by
+# the Tor process (var/run/tor/tor.pid)
+
+if ($ARGV[0] and $ARGV[0] =~ /^\s*config\s*$/i)
+{
+ print "graph_title Open file descriptors for Tor\n";
+ print "graph_args --base 1000 -l 0\n";
+ print "graph_vlabel open FDs\n";
+ print "graph_category Tor\n";
+ print "count.label TorFDs\n";
+ exit 0;
+}
+
+open (PID, "/var/run/tor/tor.pid") or exit 1;
+my $pid = <PID>;
+close PID;
+chomp $pid;
+
+$pid =~ /^[0-9]+$/ or exit 1;
+
+opendir (FDS, "/proc/$pid/fd") or exit 1;
+my @fds = readdir(FDS);
+closedir FDS;
+
+my $count = scalar @fds - 2;
+
+print "count.value $count\n";
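Review bot: An empty pid file is not handled before use: `my $pid = <PID>;` yields undef on an empty file, so `chomp $pid` and the regex match emit warnings under `-w` before the script exits. A `defined $pid or exit 1;` right after the read closes that gap, and the open is more robust as `open(my $pid_fh, '<', '/var/run/tor/tor.pid') or exit 1;` than in the two-argument bareword form. The digits-only check before the pid is interpolated into `/proc/$pid/fd` deserves a short comment, because manifests/munin.pp deploys this plugin with `user root` and the pid file is its only input. The header comment also names `var/run/tor/tor.pid` without the leading slash.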
diff --git a/lib/facter/tor_hidden_services.rb b/lib/facter/tor_hidden_services.rb
new file mode 100644
index 0000000..c2a6cca
--- /dev/null
+++ b/lib/facter/tor_hidden_services.rb
@@ -0,0 +1,19 @@
+Facter.add(:tor_hidden_services) do
+ confine :kernel => "Linux"
+ setcode do
+ config_file = '/etc/tor/torrc'
+ if File.exists?(config_file)
+ dirs = File.read(config_file).split("\n").select{|l|
+ l =~ /^HiddenServiceDir/
+ }.collect{|l| l.sub(/^HiddenServiceDir /,'') }
+ dirs.inject({}) { |res,d|
+ if File.exists?(h=File.join(d,'hostname'))
+ res[File.basename(d)] = File.read(h).chomp
+ end
+ res
+ }
+ else
+ {}
+ end
+ end
+end
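Review bot: The `select` on `/^HiddenServiceDir/` accepts any option whose name merely starts with that string, and `sub(/^HiddenServiceDir /,'')` strips only a single space, so a line using a tab or several spaces leaves the keyword in the path. Matching and capturing in one step, for example `l[/\AHiddenServiceDir\s+(\S+)/, 1]`, handles both cases. Results are keyed by `File.basename(d)`, so two service directories with the same final component would overwrite each other. Because the fact returns every onion hostname found on the node, those addresses presumably end up wherever the site stores facts; a comment saying so would help operators of unlisted services. `File.exists?` is the deprecated spelling of `File.exist?`.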
diff --git a/manifests/daemon/base.pp b/manifests/daemon/base.pp
index 63d7bc4..5db3e31 100644
--- a/manifests/daemon/base.pp
+++ b/manifests/daemon/base.pp
@@ -1,10 +1,7 @@
# extend basic tor things with a snippet based daemon configuration
class tor::daemon::base inherits tor::base {
- # packages, user, group
- Service['tor'] {
- subscribe => File[$tor::daemon::config_file],
- }
+ # packages, user, group
Package[ 'tor' ] {
require => File[$tor::daemon::data_dir],
}
@@ -52,26 +49,21 @@ class tor::daemon::base inherits tor::base {
mode => '0600',
owner => 'debian-tor',
group => 'debian-tor',
+ notify => Service['tor'],
}
# config file headers
concat::fragment { '00.header':
ensure => present,
content => template('tor/torrc.header.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
- order => 00,
+ order => '00',
target => $tor::daemon::config_file,
}
# global configurations
concat::fragment { '01.global':
content => template('tor/torrc.global.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
- order => 01,
+ order => '01',
target => $tor::daemon::config_file,
}
}
diff --git a/manifests/daemon/bridge.pp b/manifests/daemon/bridge.pp
index 063f565..a9a21d4 100644
--- a/manifests/daemon/bridge.pp
+++ b/manifests/daemon/bridge.pp
@@ -8,10 +8,7 @@ define tor::daemon::bridge(
concat::fragment { "10.bridge.${name}":
ensure => $ensure,
content => template('tor/torrc.bridge.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
- order => 10,
+ order => '10',
target => $tor::daemon::config_file,
}
}
diff --git a/manifests/daemon/control.pp b/manifests/daemon/control.pp
index 0172656..5e81c65 100644
--- a/manifests/daemon/control.pp
+++ b/manifests/daemon/control.pp
@@ -18,10 +18,7 @@ define tor::daemon::control(
concat::fragment { '04.control':
ensure => $ensure,
content => template('tor/torrc.control.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0600',
- order => 04,
+ order => '04',
target => $tor::daemon::config_file,
}
}
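Review bot: Dropping `mode => '0600'` from the `04.control` fragment leaves the confidentiality of the control-port settings entirely to the permissions of the concatenated target file. The second hunk in manifests/daemon/base.pp shows a resource with `mode => '0600'` and `owner => 'debian-tor'` that looks like that target, but its header is outside the hunk, so this should be confirmed. A comment such as `# permissions come from the concat target in tor::daemon::base (0600)` above `order => '04'` would keep that dependency visible. The define's body starts outside this hunk.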
diff --git a/manifests/daemon/directory.pp b/manifests/daemon/directory.pp
index d877a86..8a90899 100644
--- a/manifests/daemon/directory.pp
+++ b/manifests/daemon/directory.pp
@@ -8,10 +8,7 @@ define tor::daemon::directory (
concat::fragment { '06.directory':
ensure => $ensure,
content => template('tor/torrc.directory.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
- order => 06,
+ order => '06',
target => $tor::daemon::config_file,
}
diff --git a/manifests/daemon/dns.pp b/manifests/daemon/dns.pp
index f3a7027..e8d4fc8 100644
--- a/manifests/daemon/dns.pp
+++ b/manifests/daemon/dns.pp
@@ -7,10 +7,7 @@ define tor::daemon::dns(
concat::fragment { "08.dns.${name}":
ensure => $ensure,
content => template('tor/torrc.dns.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
- order => 08,
+ order => '08',
target => $tor::daemon::config_file,
}
}
diff --git a/manifests/daemon/exit_policy.pp b/manifests/daemon/exit_policy.pp
index f459ece..5f4d3e8 100644
--- a/manifests/daemon/exit_policy.pp
+++ b/manifests/daemon/exit_policy.pp
@@ -8,10 +8,7 @@ define tor::daemon::exit_policy(
concat::fragment { "07.exit_policy.${name}":
ensure => $ensure,
content => template('tor/torrc.exit_policy.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
- order => 07,
+ order => '07',
target => $tor::daemon::config_file,
}
}
diff --git a/manifests/daemon/hidden_service.pp b/manifests/daemon/hidden_service.pp
index c827211..cf316b5 100644
--- a/manifests/daemon/hidden_service.pp
+++ b/manifests/daemon/hidden_service.pp
@@ -7,10 +7,7 @@ define tor::daemon::hidden_service(
concat::fragment { "05.hidden_service.${name}":
ensure => $ensure,
content => template('tor/torrc.hidden_service.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
- order => 05,
+ order => '05',
target => $tor::daemon::config_file,
}
}
diff --git a/manifests/daemon/map_address.pp b/manifests/daemon/map_address.pp
index cfbd3da..ac624a0 100644
--- a/manifests/daemon/map_address.pp
+++ b/manifests/daemon/map_address.pp
@@ -7,10 +7,7 @@ define tor::daemon::map_address(
concat::fragment { "08.map_address.${name}":
ensure => $ensure,
content => template('tor/torrc.map_address.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
- order => 08,
+ order => '08',
target => $tor::daemon::config_file,
}
}
diff --git a/manifests/daemon/relay.pp b/manifests/daemon/relay.pp
index ff52893..4fa303d 100644
--- a/manifests/daemon/relay.pp
+++ b/manifests/daemon/relay.pp
@@ -33,10 +33,7 @@ define tor::daemon::relay(
concat::fragment { '03.relay':
ensure => $ensure,
content => template('tor/torrc.relay.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
- order => 03,
+ order => '03',
target => $tor::daemon::config_file,
}
}
diff --git a/manifests/daemon/snippet.pp b/manifests/daemon/snippet.pp
index b9089b4..1f22d0c 100644
--- a/manifests/daemon/snippet.pp
+++ b/manifests/daemon/snippet.pp
@@ -6,10 +6,7 @@ define tor::daemon::snippet(
concat::fragment { "99.snippet.${name}":
ensure => $ensure,
content => $content,
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
- order => 99,
+ order => '99',
target => $tor::daemon::config_file,
}
}
diff --git a/manifests/daemon/socks.pp b/manifests/daemon/socks.pp
index 910461c..17ce40b 100644
--- a/manifests/daemon/socks.pp
+++ b/manifests/daemon/socks.pp
@@ -6,10 +6,7 @@ define tor::daemon::socks(
concat::fragment { '02.socks':
content => template('tor/torrc.socks.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
- order => 02,
+ order => '02',
target => $tor::daemon::config_file,
}
}
diff --git a/manifests/daemon/transparent.pp b/manifests/daemon/transparent.pp
index 74fed4f..6ac7b44 100644
--- a/manifests/daemon/transparent.pp
+++ b/manifests/daemon/transparent.pp
@@ -7,10 +7,7 @@ define tor::daemon::transparent(
concat::fragment { "09.transparent.${name}":
ensure => $ensure,
content => template('tor/torrc.transparent.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
- order => 09,
+ order => '09',
target => $tor::daemon::config_file,
}
}
diff --git a/manifests/munin.pp b/manifests/munin.pp
index 4412337..ef71f57 100644
--- a/manifests/munin.pp
+++ b/manifests/munin.pp
@@ -11,8 +11,9 @@ class tor::munin {
config => "user debian-tor\n env.cookiefile /var/run/tor/control.authcookie\n env.port 19051"
}
munin::plugin::deploy {
- 'tor_connections':
- source => 'tor/munin/tor_connections';
+ 'tor_openfds':
+ config => 'user root',
+ source => 'tor/munin/tor_openfds';
'tor_routers':
source => 'tor/munin/tor_routers';
'tor_traffic':
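Review bot: The new `tor_openfds` entry sets `config => 'user root'`, so a munin plugin now runs with full privileges only to list `/proc/<pid>/fd`. The existing plugin config in the context line above runs as `user debian-tor`; if the Tor process's fd directory is readable by that account on the target systems, the same user would be enough here. If root is needed, a comment next to `config => 'user root'` explaining why would stop it being copied to other plugins without thought. The `munin::plugin::deploy` block continues past the end of this hunk.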
diff --git a/templates/torrc.hidden_service.erb b/templates/torrc.hidden_service.erb
index 4dec0b2..6a97351 100644
--- a/templates/torrc.hidden_service.erb
+++ b/templates/torrc.hidden_service.erb
@@ -1,6 +1,6 @@
# hidden service <%= @name %>
HiddenServiceDir <%= @data_dir %>/<%= @name %>
-<% @ports.each do |port| -%>
-HiddenServicePort <%= port %>
+<% Array(@ports).each do |port| -%>
+HiddenServicePort <%= port =~ /^\d+$/ ? "#{port} 127.0.0.1:#{port}" : port %>
<% end -%>
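Review bot: The test `port =~ /^\d+$/` uses line anchors, which in Ruby match at any line boundary, so a multi-line value whose first line is numeric takes the numeric branch; `\A` and `\z` anchor the whole string. If `port` can arrive as an Integer rather than a String, `=~` does not perform a regex match on it, so the check is safer as `port.to_s =~ /\A\d+\z/`. Either branch writes the value into torrc unescaped, so the define that sets `@ports` (outside this diff) is the place to reject embedded newlines.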