From b57819f650bc412f458a3b37620f557b5be7495a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 14 Mar 2012 12:45:59 -0400 Subject: add OutboundBindAddress, default set to $listen_address --- manifests/daemon.pp | 1 + templates/torrc.relay.erb | 3 +++ 2 files changed, 4 insertions(+) diff --git a/manifests/daemon.pp b/manifests/daemon.pp index 5f4e064..73014b3 100644 --- a/manifests/daemon.pp +++ b/manifests/daemon.pp @@ -100,6 +100,7 @@ class tor::daemon inherits tor { # relay definition define relay( $port = 0, $listen_addresses = [], + $outbound_bindaddress = $listen_address, $bandwidth_rate = 0, # KB/s, 0 for no limit. $bandwidth_burst = 0, # KB/s, 0 for no limit. $accounting_max = 0, # GB, 0 for no limit. diff --git a/templates/torrc.relay.erb b/templates/torrc.relay.erb index 4754859..72625d4 100644 --- a/templates/torrc.relay.erb +++ b/templates/torrc.relay.erb @@ -4,6 +4,9 @@ ORPort <%= port %> <%- for listen_address in listen_addresses -%> ORListenAddress <%= listen_address %> <%- end -%> +<%- for outbound_bindaddress in outbound_bindaddress -%> +OutboundBindAddress <%= outbound_bindaddress %> +<%- end -%> <%- if nickname != '' then -%> Nickname <%= nickname %> <%- end -%> -- cgit v1.2.3 From efbcd9bbbe5fe95ab0500b79633d69f22fc63359 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 14 Mar 2012 13:05:14 -0400 Subject: add ExitPolicyRejectPrivate option to exit_policy define --- manifests/daemon.pp | 1 + templates/torrc.exit_policy.erb | 3 +++ 2 files changed, 4 insertions(+) diff --git a/manifests/daemon.pp b/manifests/daemon.pp index 73014b3..173e565 100644 --- a/manifests/daemon.pp +++ b/manifests/daemon.pp @@ -174,6 +174,7 @@ class tor::daemon inherits tor { # exit policies define exit_policy( $accept = [], $reject = [], + $reject_private = 1, $ensure = present ) { concatenated_file_part { "07.exit_policy.${name}": diff --git a/templates/torrc.exit_policy.erb b/templates/torrc.exit_policy.erb index 4732ad6..92367c2 100644 
--- a/templates/torrc.exit_policy.erb
+++ b/templates/torrc.exit_policy.erb
@@ -1,4 +1,7 @@
 # exit policies: <%= name %>
+<%- if reject_private != 1 then -%>
+ExitPolicyRejectPrivate <%= reject_private %>
+<%- end -%>
 <%- for policy in accept -%>
 ExitPolicy accept <%= policy %>
 <%- end -%>
-- 
cgit v1.2.3
From 2a978f91fddb0b77ef260776bb920440a150e6d7 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 14 Mar 2012 15:17:45 -0400
Subject: add missing munin plugins that should have been added when the munin.pp was created
---
 files/munin/tor_connections | 162 ++++++++++++++++++++++++++++++++++++++++++++
 files/munin/tor_routers | 151 +++++++++++++++++++++++++++++++++++++++++
 files/munin/tor_traffic | 154 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 467 insertions(+)
 create mode 100755 files/munin/tor_connections
 create mode 100755 files/munin/tor_routers
 create mode 100755 files/munin/tor_traffic
diff --git a/files/munin/tor_connections b/files/munin/tor_connections
new file mode 100755
index 0000000..c1d0a92
--- /dev/null
+++ b/files/munin/tor_connections
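Review bot: The guard `<%- if reject_private != 1 then -%>` compares against the Integer 1, but if Puppet hands the parameter to the template as the string "1" (as older Puppet releases did for unquoted numerics), `"1" != 1` is true in Ruby and `ExitPolicyRejectPrivate 1` is emitted for every exit_policy; harmless, since 1 is Tor's default, but it makes the guard meaningless, so compare as strings: `<%- if reject_private.to_s != '1' then -%>`. The new define parameter in manifests/daemon.pp is also the only one in its neighbourhood without a trailing comment, and it is the single switch that relaxes protection of the operator's local network, so suggest `$reject_private = 1, # ExitPolicyRejectPrivate; 0 lets exits reach private networks and the relay's own address`.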
@@ -0,0 +1,162 @@ +#!/usr/bin/perl -w +# +# Munin plugin to monitor Tor +# +# Author: Ge van Geldorp +# +# Parameters understood: +# +# host - Change which host to graph (default localhost) +# port - Change which port to connect to (default 9051) +# password - Plain-text control channel password (see torrc +# HashedControlPassword parameter) +# cookiefile - Name of the file containing the control channel cookie +# (see torrc CookieAuthentication parameter) +# +# Using HashedControlPassword authentication has the problem that you must +# include the plain-text password in the munin config file. To have any +# effect, that file shouldn't be world-readable. +# If you're using CookieAuthentication, you should run this plugin as a user +# which has read access to the tor datafiles. Also note that bugs in versions +# upto and including 0.1.1.20 prevent CookieAuthentication from working. +# +# Usage: place in /etc/munin/node.d/ (or link it there using ln -s) +# +# Parameters understood: +# config (required) +# autoconf (optional - used by munin-config) +# +# +# Magic markers - optional - used by installation scripts and +# munin-config: +# +#%# family=contrib +#%# capabilities=autoconf + +use strict; +use IO::Socket::INET; + +# Config +our $address = $ENV{host} || "localhost"; # Default: localhost +our $port = $ENV{port} || 9051; # Default: 9051 + +# Don't edit below this line + +sub Authenticate +{ + my ($socket) = @_; + my $authline = "AUTHENTICATE"; + if (defined($ENV{cookiefile})) { + if (open(COOKIE, "<$ENV{cookiefile}")) { + binmode COOKIE; + my $cookie; + $authline .= " "; + while (read(COOKIE, $cookie, 32)) { + foreach my $byte (unpack "C*", $cookie) { + $authline .= sprintf "%02x", $byte; + } + } + close COOKIE; + } + } elsif (defined($ENV{password})) { + $authline .= ' "' . $ENV{password} . 
'"'; + } + print $socket "$authline\r\n"; + my $replyline = <$socket>; + if (substr($replyline, 0, 1) != '2') { + $replyline =~ s/\s*$//; + return "Failed to authenticate: $replyline"; + } + + return; +} + +if ($ARGV[0] and $ARGV[0] eq "autoconf") { + # Try to connect to the daemon + my $socket = IO::Socket::INET->new("$address:$port") + or my $failed = 1; + + if ($failed) { + print "no (failed to connect to $address port $port)\n"; + exit 1; + } + + my $msg = Authenticate($socket); + if (defined($msg)) { + print $socket "QUIT\r\n"; + close($socket); + print "no ($msg)\n"; + exit 1; + } + + print $socket "QUIT\r\n"; + close($socket); + print "yes\n"; + exit 0; +} + +my %connections = ("new", 0, + "launched", 0, + "connected", 0, + "failed", 0, + "closed", 0); + +if ($ARGV[0] and $ARGV[0] eq "config") { + print "graph_title Connections\n"; + print "graph_args -l 0 --base 1000\n"; + print "graph_vlabel connections\n"; + print "graph_category Tor\n"; + print "graph_period second\n"; + print "graph_info This graph shows the number of Tor OR connections.\n"; + + foreach my $status (keys %connections) { + print "$status.label $status\n"; + print "$status.type GAUGE\n"; + print "$status.max 50000\n"; + print "$status.min 0\n"; + } + + exit 0; +} + +my $socket = IO::Socket::INET->new("$address:$port") + or die("Couldn't connect to $address port $port: $!"); + +my $msg = Authenticate($socket); +if (defined($msg)) { + print $socket "QUIT\r\n"; + close($socket); + die "$msg\n"; +} + +print $socket "GETINFO orconn-status\r\n"; +my $replyline = <$socket>; +if (substr($replyline, 0, 1) != '2') { + print $socket "QUIT\r\n"; + close($socket); + $replyline =~ s/\s*$//; + die "Failed to get orconn-status info: $replyline\n"; +} + +while (! 
(($replyline = <$socket>) =~ /^\.\s*$/)) { + my @reply = split(/\s+/, $replyline); + $connections{lc($reply[1])}++; +} +$replyline = <$socket>; +if (substr($replyline, 0, 1) != '2') { + print $socket "QUIT\r\n"; + close($socket); + $replyline =~ s/\s*$//; + die "Failed to authenticate: $replyline\n"; +} + +print $socket "QUIT\r\n"; +close($socket); + +while (my ($status, $count) = each(%connections)) { + print "$status.value $count\n"; +} + +exit 0; + +# vim:syntax=perl diff --git a/files/munin/tor_routers b/files/munin/tor_routers new file mode 100755 index 0000000..b977f9a --- /dev/null +++ b/files/munin/tor_routers 
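Review bot: `Authenticate` reads the cookie through a bareword handle and two-argument `open(COOKIE, "<$ENV{cookiefile}")`, and when that open fails it silently falls through and sends a bare `AUTHENTICATE`, so a wrong cookiefile path surfaces only as a puzzling "Failed to authenticate" reply; the password branch concatenates `$ENV{password}` into the quoted string unescaped, although the control protocol's QuotedString requires `\` and `"` to be backslash-escaped, so passwords containing either are likely to be rejected. The same sub is duplicated verbatim in files/munin/tor_routers and files/munin/tor_traffic in this commit. Since the `host` parameter can point the plugin at a remote control port, over which the password or the hex cookie travels unencrypted, the header comment should also say `# The control connection is plaintext; only set host to a non-local daemon over a trusted network.` Rewrite of the authentication assembly below; the send and reply check are unchanged.
```perl
sub Authenticate
{
    my ($socket) = @_;
    my $authline = "AUTHENTICATE";
    if (defined($ENV{cookiefile})) {
        # 3-arg open with a lexical handle; report failure instead of
        # silently sending an unauthenticated AUTHENTICATE.
        if (open(my $cookie_fh, '<', $ENV{cookiefile})) {
            binmode $cookie_fh;
            my $cookie;
            $authline .= " ";
            while (read($cookie_fh, $cookie, 32)) {
                $authline .= unpack "H*", $cookie;   # same as per-byte %02x
            }
            close $cookie_fh;
        } else {
            warn "Couldn't read $ENV{cookiefile}: $!\n";
        }
    } elsif (defined($ENV{password})) {
        # Control-spec QuotedString: backslash and double-quote must be escaped.
        (my $quoted = $ENV{password}) =~ s/([\\"])/\\$1/g;
        $authline .= ' "' . $quoted . '"';
    }
    # ... unchanged: send $authline, check the reply ...
}
```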
@@ -0,0 +1,151 @@ +#!/usr/bin/perl -w +# +# Munin plugin to monitor Tor routers +# +# Author: Ævar Arnfjörð Bjarmason , based on a plugin by Ge van Geldorp +# +# Parameters understood: +# +# host - Change which host to graph (default localhost) +# port - Change which port to connect to (default 9051) +# password - Plain-text control channel password (see torrc +# HashedControlPassword parameter) +# cookiefile - Name of the file containing the control channel cookie +# (see torrc CookieAuthentication parameter) +# +# Using HashedControlPassword authentication has the problem that you must +# include the plain-text password in the munin config file. To have any +# effect, that file shouldn't be world-readable. +# If you're using CookieAuthentication, you should run this plugin as a user +# which has read access to the tor datafiles. Also note that bugs in versions +# upto and including 0.1.1.20 prevent CookieAuthentication from working. +# +# Usage: place in /etc/munin/node.d/ (or link it there using ln -s) +# +# Parameters understood: +# config (required) +# autoconf (optional - used by munin-config) +# +# +# Magic markers - optional - used by installation scripts and +# munin-config: +# +#%# family=contrib +#%# capabilities=autoconf + +use strict; +use IO::Socket::INET; + +# Config +our $address = $ENV{host} || "localhost"; # Default: localhost +our $port = $ENV{port} || 9051; # Default: 9051 + +# Don't edit below this line + +sub Authenticate +{ + my ($socket) = @_; + my $authline = "AUTHENTICATE"; + if (defined($ENV{cookiefile})) { + if (open(COOKIE, "<$ENV{cookiefile}")) { + binmode COOKIE; + my $cookie; + $authline .= " "; + while (read(COOKIE, $cookie, 32)) { + foreach my $byte (unpack "C*", $cookie) { + $authline .= sprintf "%02x", $byte; + } + } + close COOKIE; + } + } elsif (defined($ENV{password})) { + $authline .= ' "' . $ENV{password} . 
'"'; + } + print $socket "$authline\r\n"; + my $replyline = <$socket>; + if (substr($replyline, 0, 1) != '2') { + $replyline =~ s/\s*$//; + return "Failed to authenticate: $replyline"; + } + + return; +} + +if ($ARGV[0] and $ARGV[0] eq "autoconf") { + # Try to connect to the daemon + my $socket = IO::Socket::INET->new("$address:$port") + or my $failed = 1; + + if ($failed) { + print "no (failed to connect to $address port $port)\n"; + exit 1; + } + + my $msg = Authenticate($socket); + if (defined($msg)) { + print $socket "QUIT\r\n"; + close($socket); + print "no ($msg)\n"; + exit 1; + } + + print $socket "QUIT\r\n"; + close($socket); + print "yes\n"; + exit 0; +} + +if ($ARGV[0] and $ARGV[0] eq "config") { + print "graph_title Routers\n"; + print "graph_args -l 0\n"; + print "graph_vlabel routers\n"; + print "graph_category Tor\n"; + print "graph_info This graph shows the number of known Tor ORs.\n"; + + print "ors.label routers\n"; + print "ors.type GAUGE\n"; + print "ors.info The number of known Tor ORs (onion routers)\n"; + + exit 0; +} + +my $socket = IO::Socket::INET->new("$address:$port") + or die("Couldn't connect to $address port $port: $!"); + +my $msg = Authenticate($socket); +if (defined($msg)) { + print $socket "QUIT\r\n"; + close($socket); + die "$msg\n"; +} + +print $socket "GETINFO ns/all\r\n"; +my $replyline = <$socket>; +if (substr($replyline, 0, 1) != '2') { + print $socket "QUIT\r\n"; + close($socket); + $replyline =~ s/\s*$//; + die "Failed to get orconn-status info: $replyline\n"; +} + +my $count; +while (! (($replyline = <$socket>) =~ /^\.\s*$/)) { + my @reply = split(/\s+/, $replyline); + $count++ if $reply[0] eq 'r'; +} +$replyline = <$socket>; +if (substr($replyline, 0, 1) != '2') { + print $socket "QUIT\r\n"; + close($socket); + $replyline =~ s/\s*$//; + die "Failed to authenticate: $replyline\n"; +} + +print $socket "QUIT\r\n"; +close($socket); + +print "ors.value $count\n"; + +exit 0; + +# vim:syntax=perl 
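Review bot: `my $count;` is never initialised, so a `ns/all` reply with no `r` lines prints `ors.value ` with an empty value (plus an uninitialized-value warning under `-w`); write `my $count = 0;`. The read loop `while (! (($replyline = <$socket>) =~ /^\.\s*$/))` has no EOF check: if the control connection closes before the terminating `.`, `<$socket>` returns undef on every iteration and the plugin spins forever, and the same loop is in files/munin/tor_connections. A guard like `while (defined($replyline = <$socket>) and $replyline !~ /^\.\s*$/)` followed by `die "control connection closed\n" unless defined $replyline;` fixes both. The error strings are copy-pasted as well: this file dies with "Failed to get orconn-status info" after `GETINFO ns/all` and with "Failed to authenticate" on the final status line, and files/munin/tor_traffic says the same after `SETEVENTS bw`; name the command that was actually sent.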
diff --git a/files/munin/tor_traffic b/files/munin/tor_traffic
new file mode 100755
index 0000000..a72e7d7
--- /dev/null
+++ b/files/munin/tor_traffic
@@ -0,0 +1,154 @@ +#!/usr/bin/perl -w +# +# Munin plugin to monitor Tor traffic +# +# Author: Ge van Geldorp +# +# Parameters understood: +# +# host - Change which host to graph (default localhost) +# port - Change which port to connect to (default 9051) +# password - Plain-text control channel password (see torrc +# HashedControlPassword parameter) +# cookiefile - Name of the file containing the control channel cookie +# (see torrc CookieAuthentication parameter) +# +# Using HashedControlPassword authentication has the problem that you must +# include the plain-text password in the munin config file. To have any +# effect, that file shouldn't be world-readable. +# If you're using CookieAuthentication, you should run this plugin as a user +# which has read access to the tor datafiles. Also note that bugs in versions +# upto and including 0.1.1.20 prevent CookieAuthentication from working. +# +# Usage: place in /etc/munin/node.d/ (or link it there using ln -s) +# +# Parameters understood: +# config (required) +# autoconf (optional - used by munin-config) +# +# +# Magic markers - optional - used by installation scripts and +# munin-config: +# +#%# family=contrib +#%# capabilities=autoconf + +use strict; +use IO::Socket::INET; + +# Config +our $address = $ENV{host} || "localhost"; # Default: localhost +our $port = $ENV{port} || 9051; # Default: 9051 + +# Don't edit below this line + +sub Authenticate +{ + my ($socket) = @_; + my $authline = "AUTHENTICATE"; + if (defined($ENV{cookiefile})) { + if (open(COOKIE, "<$ENV{cookiefile}")) { + binmode COOKIE; + my $cookie; + $authline .= " "; + while (read(COOKIE, $cookie, 32)) { + foreach my $byte (unpack "C*", $cookie) { + $authline .= sprintf "%02x", $byte; + } + } + close COOKIE; + } + } elsif (defined($ENV{password})) { + $authline .= ' "' . $ENV{password} . 
'"'; + } + print $socket "$authline\r\n"; + my $replyline = <$socket>; + if (substr($replyline, 0, 1) != '2') { + $replyline =~ s/\s*$//; + return "Failed to authenticate: $replyline"; + } + + return; +} + +if ($ARGV[0] and $ARGV[0] eq "autoconf") { + # Try to connect to the daemon + my $socket = IO::Socket::INET->new("$address:$port") + or my $failed = 1; + + if ($failed) { + print "no (failed to connect to $address port $port)\n"; + exit 1; + } + + my $msg = Authenticate($socket); + if (defined($msg)) { + print $socket "QUIT\r\n"; + close($socket); + print "no ($msg)\n"; + exit 1; + } + + print $socket "QUIT\r\n"; + close($socket); + print "yes\n"; + exit 0; +} + +if ($ARGV[0] and $ARGV[0] eq "config") { + print "graph_title Traffic\n"; + print "graph_vlabel bytes per \${graph_period} read (-) / written (+)\n"; + print "graph_category Tor\n"; + print "graph_info This graph shows the bandwidth used by Tor.\n"; + + print "read.label byte/s\n"; + print "read.type GAUGE\n"; + print "read.graph no\n"; + print "read.max 10000000\n"; + print "write.label byte/s\n"; + print "write.type GAUGE\n"; + print "write.negative read\n"; + print "write.max 10000000\n"; + + exit 0; +} + +my $socket = IO::Socket::INET->new("$address:$port") + or die("Couldn't connect to $address port $port: $!"); + +my $msg = Authenticate($socket); +if (defined($msg)) { + print $socket "QUIT\r\n"; + close($socket); + die "$msg\n"; +} + +print $socket "SETEVENTS bw\r\n"; +my $replyline = <$socket>; +if (substr($replyline, 0, 1) != '2') { + print $socket "QUIT\r\n"; + close($socket); + $replyline =~ s/\s*$//; + die "Failed to get orconn-status info: $replyline\n"; +} + +$replyline = <$socket>; +if (substr($replyline, 0, 1) != '6') { + print $socket "QUIT\r\n"; + close($socket); + $replyline =~ s/\s*$//; + die "Failed to get bw: $replyline\n"; +} +my @reply = split(/\s+/, $replyline); + +print $socket "SETEVENTS\r\n"; +$replyline = <$socket>; +print $socket "QUIT\r\n"; +close($socket); + +print 
"read.value $reply[2]\n"; +print "write.value $reply[3]\n"; + +exit 0; + +# vim:syntax=perl -- cgit v1.2.3 From 8786a1e07dc1665409278c0f012a0a11a786cdf6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 14 Mar 2012 15:26:14 -0400 Subject: fix package name for tor-geoipdb --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 731e939..6f3c90c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -5,7 +5,7 @@ class tor { if !$tor_ensure_version { $tor_ensure_version = 'installed' } - package { [ "tor", "tor-geoip", "torsocks" ]: + package { [ "tor", "tor-geoipdb", "torsocks" ]: ensure => $tor_ensure_version, } -- cgit v1.2.3 From 44f4ba052ae9c02bc8923767885466c035fbb6ec Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 14 Mar 2012 15:27:17 -0400 Subject: enable different version ensure for torssocks, it doesn't share the same version number as tor and tor-geoipdb, so if you set $tor_ensure_version, you will have an error with torsocks --- manifests/init.pp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 6f3c90c..ca5f2b8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -4,11 +4,16 @@ import "daemon.pp" class tor { if !$tor_ensure_version { $tor_ensure_version = 'installed' } - + if !$torsocks_ensure_version { $torsocks_ensure_version = 'installed'} + package { [ "tor", "tor-geoipdb", "torsocks" ]: ensure => $tor_ensure_version, } + package { "torsocks": + ensure => $torsocks_ensure_version, + } + service { 'tor': ensure => running, enable => true, -- cgit v1.2.3 From a19e1cacb1d52287c35e96fdb37ad3a0ab8c0dd1 Mon Sep 17 00:00:00 2001 
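Review bot: After `SETEVENTS bw` the code takes the next line on faith, checking only `substr($replyline, 0, 1) != '6'` before printing `$reply[2]` and `$reply[3]`, so any other 6xx line, or an undef when Tor closes the connection before the first event, yields a warning and empty values; match the event explicitly, `my ($read, $written) = $replyline =~ /^650 BW (\d+) (\d+)/ or die "Unexpected reply to SETEVENTS bw\n";` and print those captures. The reply to the `SETEVENTS` reset on the following line is read but never checked, which is fine as cleanup but deserves a comment such as `# drop the 250 reply to the SETEVENTS reset; we QUIT right after`. The header comment should also say that the plugin blocks until Tor emits its next BW event (one per second), since munin-node imposes a per-plugin timeout.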
From: Micah Anderson Date: Wed, 14 Mar 2012 15:29:35 -0400 Subject: outbound_bindaddress should be outbound_bindaddresses and $outbound_bindaddresses = $listen_addresses --- manifests/daemon.pp | 24 ++++++++++++------------ templates/torrc.relay.erb | 4 ++-- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/manifests/daemon.pp b/manifests/daemon.pp index 173e565..6d8c315 100644 --- a/manifests/daemon.pp +++ b/manifests/daemon.pp @@ -98,18 +98,18 @@ class tor::daemon inherits tor { } # relay definition - define relay( $port = 0, - $listen_addresses = [], - $outbound_bindaddress = $listen_address, - $bandwidth_rate = 0, # KB/s, 0 for no limit. - $bandwidth_burst = 0, # KB/s, 0 for no limit. - $accounting_max = 0, # GB, 0 for no limit. - $accounting_start = [], - $contact_info = '', - $my_family = '', # TODO: autofill with other relays - $address = "tor.${domain}", - $bridge_relay = 0, - $ensure = present ) { + define relay( $port = 0, + $listen_addresses = [], + $outbound_bindaddresses = $listen_addresses, + $bandwidth_rate = 0, # KB/s, 0 for no limit. + $bandwidth_burst = 0, # KB/s, 0 for no limit. + $accounting_max = 0, # GB, 0 for no limit. + $accounting_start = [], + $contact_info = '', + $my_family = '', # TODO: autofill with other relays + $address = "tor.${domain}", + $bridge_relay = 0, + $ensure = present ) { $nickname = $name concatenated_file_part { '03.relay': diff --git a/templates/torrc.relay.erb b/templates/torrc.relay.erb index 72625d4..1b2e082 100644 --- a/templates/torrc.relay.erb +++ b/templates/torrc.relay.erb 
@@ -4,8 +4,8 @@ ORPort <%= port %> <%- for listen_address in listen_addresses -%> ORListenAddress <%= listen_address %> <%- end -%> -<%- for outbound_bindaddress in outbound_bindaddress -%> -OutboundBindAddress <%= outbound_bindaddress %> +<%- for outbound_bindaddresses in outbound_bindaddresses -%> +OutboundBindAddress <%= outbound_bindaddresses %> <%- end -%> <%- if nickname != '' then -%> Nickname <%= nickname %> -- cgit v1.2.3 From 0ac3ccf2d9f79db6c791339813f0e0f3b24ce16e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 14 Mar 2012 15:33:28 -0400 Subject: fix duplicate definition of torssocks --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index ca5f2b8..ef2572e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -6,7 +6,7 @@ class tor { if !$tor_ensure_version { $tor_ensure_version = 'installed' } if !$torsocks_ensure_version { $torsocks_ensure_version = 'installed'} - package { [ "tor", "tor-geoipdb", "torsocks" ]: + package { [ "tor", "tor-geoipdb" ]: ensure => $tor_ensure_version, } -- cgit v1.2.3 From e1d9f793aa356982b017ed197e19f4cdbb84cb83 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 14 Mar 2012 15:35:52 -0400 Subject: fix torc.relay.erb outboundaddress/outboundaddresses confusion --- templates/torrc.relay.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/torrc.relay.erb b/templates/torrc.relay.erb index 1b2e082..2ab34bf 100644 --- a/templates/torrc.relay.erb +++ b/templates/torrc.relay.erb @@ -4,8 +4,8 @@ ORPort <%= port %> <%- for listen_address in listen_addresses -%> ORListenAddress <%= listen_address %> <%- end -%> -<%- for outbound_bindaddresses in outbound_bindaddresses -%> -OutboundBindAddress <%= outbound_bindaddresses %> +<%- for outbound_bindaddress in outbound_bindaddresses -%> +OutboundBindAddress <%= outbound_bindaddress %> <%- end -%> <%- if nickname != '' then -%> Nickname <%= nickname %> -- cgit v1.2.3
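Review bot: With `$outbound_bindaddresses = $listen_addresses` as the default, the final template emits one `OutboundBindAddress` line per ORListenAddress; as far as I know Tor treats OutboundBindAddress as a single address per address family (older releases simply keep one value), so a relay listening on several addresses of the same family gets either a config error or a silently chosen one rather than the intended per-address binding. A listen address such as `0.0.0.0` is also valid for ORListenAddress but not usable as an outbound bind address. Suggest defaulting the parameter to `[]` in manifests/daemon.pp with a trailing comment `# OutboundBindAddress: at most one IPv4 and one IPv6 address`, or at least documenting in the template that callers must keep the list to one address per family.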