From 3cf7362f383d2cfa705c3897f6199087c5ddb033 Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 15 Mar 2015 12:27:18 +0100
Subject: exchange connections munin plugin tor_connections started blocking and I wasn't able to find the root cause for it nor an updated version of the plugin. This also blocked munin itself, which had the issue that the node disappeared within munin. Based on https://lists.torproject.org/pipermail/tor-talk/2006-June/010486.html it seems to more or less match the open filedescriptors and hence we monitor rather this than rely on a unmanageable plugin. The only drawback is that this must run as root, as non-root users can't read the filedescriptors from proc.
---
 files/munin/tor_connections | 162 --------------------------------------------
 files/munin/tor_openfds | 32 +++++++++
 2 files changed, 32 insertions(+), 162 deletions(-)
 delete mode 100755 files/munin/tor_connections
 create mode 100644 files/munin/tor_openfds
(limited to 'files')
diff --git a/files/munin/tor_connections b/files/munin/tor_connections
deleted file mode 100755
index c1d0a92..0000000
--- a/files/munin/tor_connections
+++ /dev/null
@@ -1,162 +0,0 @@
-#!/usr/bin/perl -w
-#
-# Munin plugin to monitor Tor
-#
-# Author: Ge van Geldorp
-#
-# Parameters understood:
-#
-# host - Change which host to graph (default localhost)
-# port - Change which port to connect to (default 9051)
-# password - Plain-text control channel password (see torrc
-# HashedControlPassword parameter)
-# cookiefile - Name of the file containing the control channel cookie
-# (see torrc CookieAuthentication parameter)
-#
-# Using HashedControlPassword authentication has the problem that you must
-# include the plain-text password in the munin config file. To have any
-# effect, that file shouldn't be world-readable.
-# If you're using CookieAuthentication, you should run this plugin as a user
-# which has read access to the tor datafiles. Also note that bugs in versions
-# upto and including 0.1.1.20 prevent CookieAuthentication from working.
-#
-# Usage: place in /etc/munin/node.d/ (or link it there using ln -s)
-#
-# Parameters understood:
-# config (required)
-# autoconf (optional - used by munin-config)
-#
-#
-# Magic markers - optional - used by installation scripts and
-# munin-config:
-#
-#%# family=contrib
-#%# capabilities=autoconf
-
-use strict;
-use IO::Socket::INET;
-
-# Config
-our $address = $ENV{host} || "localhost"; # Default: localhost
-our $port = $ENV{port} || 9051; # Default: 9051
-
-# Don't edit below this line
-
-sub Authenticate
-{
- my ($socket) = @_;
- my $authline = "AUTHENTICATE";
- if (defined($ENV{cookiefile})) {
- if (open(COOKIE, "<$ENV{cookiefile}")) {
- binmode COOKIE;
- my $cookie;
- $authline .= " ";
- while (read(COOKIE, $cookie, 32)) {
- foreach my $byte (unpack "C*", $cookie) {
- $authline .= sprintf "%02x", $byte;
- }
- }
- close COOKIE;
- }
- } elsif (defined($ENV{password})) {
- $authline .= ' "' . $ENV{password} . '"';
- }
- print $socket "$authline\r\n";
- my $replyline = <$socket>;
- if (substr($replyline, 0, 1) != '2') {
- $replyline =~ s/\s*$//;
- return "Failed to authenticate: $replyline";
- }
-
- return;
-}
-
-if ($ARGV[0] and $ARGV[0] eq "autoconf") {
- # Try to connect to the daemon
- my $socket = IO::Socket::INET->new("$address:$port")
- or my $failed = 1;
-
- if ($failed) {
- print "no (failed to connect to $address port $port)\n";
- exit 1;
- }
-
- my $msg = Authenticate($socket);
- if (defined($msg)) {
- print $socket "QUIT\r\n";
- close($socket);
- print "no ($msg)\n";
- exit 1;
- }
-
- print $socket "QUIT\r\n";
- close($socket);
- print "yes\n";
- exit 0;
-}
-
-my %connections = ("new", 0,
- "launched", 0,
- "connected", 0,
- "failed", 0,
- "closed", 0);
-
-if ($ARGV[0] and $ARGV[0] eq "config") {
- print "graph_title Connections\n";
- print "graph_args -l 0 --base 1000\n";
- print "graph_vlabel connections\n";
- print "graph_category Tor\n";
- print "graph_period second\n";
- print "graph_info This graph shows the number of Tor OR connections.\n";
-
- foreach my $status (keys %connections) {
- print "$status.label $status\n";
- print "$status.type GAUGE\n";
- print "$status.max 50000\n";
- print "$status.min 0\n";
- }
-
- exit 0;
-}
-
-my $socket = IO::Socket::INET->new("$address:$port")
- or die("Couldn't connect to $address port $port: $!");
-
-my $msg = Authenticate($socket);
-if (defined($msg)) {
- print $socket "QUIT\r\n";
- close($socket);
- die "$msg\n";
-}
-
-print $socket "GETINFO orconn-status\r\n";
-my $replyline = <$socket>;
-if (substr($replyline, 0, 1) != '2') {
- print $socket "QUIT\r\n";
- close($socket);
- $replyline =~ s/\s*$//;
- die "Failed to get orconn-status info: $replyline\n";
-}
-
-while (! (($replyline = <$socket>) =~ /^\.\s*$/)) {
- my @reply = split(/\s+/, $replyline);
- $connections{lc($reply[1])}++;
-}
-$replyline = <$socket>;
-if (substr($replyline, 0, 1) != '2') {
- print $socket "QUIT\r\n";
- close($socket);
- $replyline =~ s/\s*$//;
- die "Failed to authenticate: $replyline\n";
-}
-
-print $socket "QUIT\r\n";
-close($socket);
-
-while (my ($status, $count) = each(%connections)) {
- print "$status.value $count\n";
-}
-
-exit 0;
-
-# vim:syntax=perl
diff --git a/files/munin/tor_openfds b/files/munin/tor_openfds
new file mode 100644
index 0000000..69f63bc
--- /dev/null
+++ b/files/munin/tor_openfds
@@ -0,0 +1,32 @@
+#!/usr/bin/perl -w
+# https://lists.torproject.org/pipermail/tor-talk/2006-June/010486.html
+
+use strict;
+
+# Script to monitor the amount of FDs used by
+# the Tor process (var/run/tor/tor.pid)
+
+if ($ARGV[0] and $ARGV[0] =~ /^\s*config\s*$/i)
+{
+ print "graph_title Open file descriptors for Tor\n";
+ print "graph_args --base 1000 -l 0\n";
+ print "graph_vlabel open FDs\n";
+ print "graph_category network\n";
+ print "count.label TorFDs\n";
+ exit 0;
+}
+
+open (PID, "/var/run/tor/tor.pid") or exit 1;
+my $pid = ;
+close PID;
+chomp $pid;
+
+$pid =~ /^[0-9]+$/ or exit 1;
+
+opendir (FDS, "/proc/$pid/fd") or exit 1;
+my @fds = readdir(FDS);
+closedir FDS;
+
+my $count = scalar @fds - 2;
+
+print "count.value $count\n";
-- cgit v1.2.3
From 4bad7d07bdefaa88df8b80a9b8bf31119e1449d3 Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 15 Mar 2015 15:10:09 +0100
Subject: have them all in the same category
---
 files/munin/tor_openfds | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'files')
diff --git a/files/munin/tor_openfds b/files/munin/tor_openfds
index 69f63bc..dbf57cd 100644
--- a/files/munin/tor_openfds
+++ b/files/munin/tor_openfds
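Review bot: In the new files/munin/tor_openfds (hunk `@@ -0,0 +1,32 @@`), the pidfile is read through a two-argument `open` on the bareword handle `PID`, and every failure path is a bare `exit 1`, so a missing pidfile or an unreadable `/proc/$pid/fd` leaves no reason on stderr and shows up in munin only as a gap. I would use `open(my $fh, '<', '/var/run/tor/tor.pid') or die "tor_openfds: cannot read pidfile: $!\n";` and give the `opendir` the same `or die` with `$!`. The commit message says the plugin has to run as root; the digits-only check before building `/proc/$pid/fd` is the right guard, but the PID still comes from a file the tor user can presumably rewrite, so the graph is only as trustworthy as that file, and a one-line comment saying so would help the next maintainer. The header comment names the path as `var/run/tor/tor.pid` without the leading slash, and the read itself shows as `my $pid = ;` on this page, presumably a `<PID>` lost in rendering.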
@@ -11,7 +11,7 @@ if ($ARGV[0] and $ARGV[0] =~ /^\s*config\s*$/i)
  print "graph_title Open file descriptors for Tor\n";
  print "graph_args --base 1000 -l 0\n";
  print "graph_vlabel open FDs\n";
- print "graph_category network\n";
+ print "graph_category Tor\n";
  print "count.label TorFDs\n";
  exit 0;
 }
-- cgit v1.2.3
From fb0fbe06f9c2d3c0428f9129fe67eb2c4aef8f7f Mon Sep 17 00:00:00 2001
From: mh
Date: Thu, 1 Dec 2016 11:31:01 +0100
Subject: make it work if there is no pidfile
---
 files/munin/tor_openfds | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
(limited to 'files')
diff --git a/files/munin/tor_openfds b/files/munin/tor_openfds
index dbf57cd..9c14852 100644
--- a/files/munin/tor_openfds
+++ b/files/munin/tor_openfds
@@ -16,9 +16,15 @@ if ($ARGV[0] and $ARGV[0] =~ /^\s*config\s*$/i)
  exit 0;
 }
 
-open (PID, "/var/run/tor/tor.pid") or exit 1;
-my $pid = ;
-close PID;
+my $pidfile = "/var/run/tor/tor.pid";
+my $pid = '';
+if (-e $pidfile) {
+ open (PID, $pidfile) or exit 1;
+ $pid = ;
+ close PID;
+} else {
+ $pid = `pidof tor`;
+}
 chomp $pid;
 
 $pid =~ /^[0-9]+$/ or exit 1;
-- cgit v1.2.3
From a126312584199726a90c3dd7144abba48a8bd1b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Louis-Philippe=20V=C3=A9ronneau?=
Date: Tue, 19 Jun 2018 12:49:49 -0400
Subject: remove polipo support
---
 files/polipo/polipo.conf | 164 -----------------------------------------------------------------------
 1 file changed, 164 deletions(-)
(limited to 'files')
diff --git a/files/polipo/polipo.conf b/files/polipo/polipo.conf
deleted file mode 100644
index 12b10c4..0000000
--- a/files/polipo/polipo.conf
+++ /dev/null
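Review bot: In the `@@ -16,9 +16,15 @@` hunk of files/munin/tor_openfds, the new fallback that runs `pidof tor` in backticks gets every matching PID back on one line separated by spaces, so as soon as more than one tor process exists the following `$pid =~ /^[0-9]+$/` check fails and the plugin exits 1 without a value. `pidof -s tor` limits the answer to a single PID, but it still matches any process named tor, not only the one started by the service, and the first commit's message says this plugin runs as root, so the comment above the fallback should state that limitation. For the same reason I would call `pidof` by absolute path rather than through the inherited PATH (the location differs between distributions, so confirm it for the target hosts). The added `open (PID, $pidfile)` is still the two-argument form on a bareword handle; `open(my $fh, '<', $pidfile) or exit 1;` keeps the mode out of the filename argument.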
@@ -1,164 +0,0 @@
-# Polipo Configuration from https://svn.torproject.org/svn/torbrowser/trunk/build-scripts/config/polipo.conf
-# Managed by puppet.
-
-### Basic configuration
-### *******************
-
-# Uncomment one of these if you want to allow remote clients to
-# connect:
-
-# proxyAddress = "::0" # both IPv4 and IPv6
-# proxyAddress = "0.0.0.0" # IPv4 only
-
-proxyAddress = "127.0.0.1"
-proxyPort = 8118
-
-# If you do that, you'll want to restrict the set of hosts allowed to
-# connect:
-
-# allowedClients = "127.0.0.1, 134.157.168.57"
-# allowedClients = "127.0.0.1, 134.157.168.0/24"
-
-allowedClients = 127.0.0.1
-allowedPorts = 1-65535
-
-# Uncomment this if you want your Polipo to identify itself by
-# something else than the host name:
-
-proxyName = "localhost"
-
-# Uncomment this if there's only one user using this instance of Polipo:
-
-cacheIsShared = false
-
-# Uncomment this if you want to use a parent proxy:
-
-# parentProxy = "squid.example.org:3128"
-
-# Uncomment this if you want to use a parent SOCKS proxy:
-
-socksParentProxy = "localhost:9050"
-socksProxyType = socks5
-
-
-### Memory
-### ******
-
-# Uncomment this if you want Polipo to use a ridiculously small amount
-# of memory (a hundred C-64 worth or so):
-
-# chunkHighMark = 819200
-# objectHighMark = 128
-
-# Uncomment this if you've got plenty of memory:
-
-# chunkHighMark = 50331648
-# objectHighMark = 16384
-
-chunkHighMark = 67108864
-
-### On-disk data
-### ************
-
-# Uncomment this if you want to disable the on-disk cache:
-
-diskCacheRoot = ""
-
-# Uncomment this if you want to put the on-disk cache in a
-# non-standard location:
-
-# diskCacheRoot = "~/.polipo-cache/"
-
-# Uncomment this if you want to disable the local web server:
-
-localDocumentRoot = ""
-
-# Uncomment this if you want to enable the pages under /polipo/index?
-# and /polipo/servers?. This is a serious privacy leak if your proxy
-# is shared.
-
-# disableIndexing = false
-# disableServersList = false
-
-disableLocalInterface = true
-disableConfiguration = true
-
-### Domain Name System
-### ******************
-
-# Uncomment this if you want to contact IPv4 hosts only (and make DNS
-# queries somewhat faster):
-#
-# dnsQueryIPv6 = no
-
-# Uncomment this if you want Polipo to prefer IPv4 to IPv6 for
-# double-stack hosts:
-#
-# dnsQueryIPv6 = reluctantly
-
-# Uncomment this to disable Polipo's DNS resolver and use the system's
-# default resolver instead. If you do that, Polipo will freeze during
-# every DNS query:
-
-dnsUseGethostbyname = yes
-
-
-### HTTP
-### ****
-
-# Uncomment this if you want to enable detection of proxy loops.
-# This will cause your hostname (or whatever you put into proxyName
-# above) to be included in every request:
-
-disableVia = true
-
-# Uncomment this if you want to slightly reduce the amount of
-# information that you leak about yourself:
-
-# censoredHeaders = from, accept-language
-# censorReferer = maybe
-
-censoredHeaders = from,accept-language,x-pad,link
-censorReferer = maybe
-
-# Uncomment this if you're paranoid. This will break a lot of sites,
-# though:
-
-# censoredHeaders = set-cookie, cookie, cookie2, from, accept-language
-# censorReferer = true
-
-# Uncomment this if you want to use Poor Man's Multiplexing; increase
-# the sizes if you're on a fast line. They should each amount to a few
-# seconds' worth of transfer; if pmmSize is small, you'll want
-# pmmFirstSize to be larger.
-
-# Note that PMM is somewhat unreliable.
-
-# pmmFirstSize = 16384
-# pmmSize = 8192
-
-# Uncomment this if your user-agent does something reasonable with
-# Warning headers (most don't):
-
-# relaxTransparency = maybe
-
-# Uncomment this if you never want to revalidate instances for which
-# data is available (this is not a good idea):
-
-# relaxTransparency = yes
-
-# Uncomment this if you have no network:
-
-# proxyOffline = yes
-
-# Uncomment this if you want to avoid revalidating instances with a
-# Vary header (this is not a good idea):
-
-# mindlesslyCacheVary = true
-
-# Suggestions from Incognito configuration
-maxConnectionAge = 5m
-maxConnectionRequests = 120
-serverMaxSlots = 8
-serverSlots = 2
-tunnelAllowedPorts = 1-65535
-- cgit v1.2.3