From: Pieter Lexis Date: Wed, 14 Nov 2018 18:43:34 +0000 (+0100) Subject: dnsdist: expose secpoll status in metrics X-Git-Tag: auth-4.2.0-alpha1~30^2~1 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f29758cc7c717bf2b46d718a3e21458c69a68380;p=pdns dnsdist: expose secpoll status in metrics The status is now exposed in SNMP, carbon and prometheus.
---
diff --git a/pdns/dnsdist-snmp.cc b/pdns/dnsdist-snmp.cc
index f04445183..9eadeb250 100644
--- a/pdns/dnsdist-snmp.cc
+++ b/pdns/dnsdist-snmp.cc
@@ -47,6 +47,7 @@ static const oid fdUsageOID[] = { DNSDIST_STATS_OID, 34 };
 static const oid dynBlockedOID[] = { DNSDIST_STATS_OID, 35 };
 static const oid dynBlockedNMGSizeOID[] = { DNSDIST_STATS_OID, 36 };
 static const oid ruleServFailOID[] = { DNSDIST_STATS_OID, 37 };
+static const oid securityStatusOID[] = { DNSDIST_STATS_OID, 38 };
 static std::unordered_map s_statsMap;
@@ -580,6 +581,7 @@ DNSDistSNMPAgent::DNSDistSNMPAgent(const std::string& name, const std::string& m
 registerGauge64Stat("cpuSysMSec", cpuSysMSecOID, OID_LENGTH(cpuSysMSecOID), &getCPUTimeSystem);
 registerGauge64Stat("fdUsage", fdUsageOID, OID_LENGTH(fdUsageOID), &getOpenFileDescriptors);
 registerGauge64Stat("dynBlockedNMGSize", dynBlockedNMGSizeOID, OID_LENGTH(dynBlockedNMGSizeOID), [](const std::string&) { return g_dynblockNMG.getLocal()->size(); });
+ registerGauge64Stat("securityStatus", securityStatusOID, OID_LENGTH(securityStatusOID), [](const std::string&) { return g_stats.securityStatus.load(); });
 netsnmp_table_registration_info* table_info = SNMP_MALLOC_TYPEDEF(netsnmp_table_registration_info);
diff --git a/pdns/dnsdist.hh b/pdns/dnsdist.hh
index 6bbb878b2..bd23e1a26 100644
--- a/pdns/dnsdist.hh
+++ b/pdns/dnsdist.hh
@@ -227,10 +227,11 @@ struct DNSDistStats
 stat_t cacheHits{0};
 stat_t cacheMisses{0};
 stat_t latency0_1{0}, latency1_10{0}, latency10_50{0}, latency50_100{0}, latency100_1000{0}, latencySlow{0};
+ stat_t securityStatus{0};
 double latencyAvg100{0}, latencyAvg1000{0}, latencyAvg10000{0}, latencyAvg1000000{0};
 typedef std::function statfunction_t;
- typedef boost::variant entry_t;
+ typedef boost::variant entry_t;
 std::vector> entries{
 {"responses", &responses},
 {"servfail-responses", &servfailResponses},
@@ -267,7 +268,8 @@ struct DNSDistStats
 {"cpu-sys-msec", getCPUTimeSystem},
 {"fd-usage", getOpenFileDescriptors},
 {"dyn-blocked", &dynBlocked},
- {"dyn-block-nmg-size", [](const std::string&) { return g_dynblockNMG.getLocal()->size(); }}
+ {"dyn-block-nmg-size", [](const std::string&) { return g_dynblockNMG.getLocal()->size(); }},
+ {"security-status", &securityStatus}
 };
 };
@@ -357,6 +359,7 @@ struct MetricDefinitionStorage {
 { "fd-usage", MetricDefinition(PrometheusMetricType::gauge, "Number of currently used file descriptors")},
 { "dyn-blocked", MetricDefinition(PrometheusMetricType::counter, "Number of queries dropped because of a dynamic block")},
 { "dyn-block-nmg-size", MetricDefinition(PrometheusMetricType::gauge, "Number of dynamic blocks entries") },
+ { "security-status", MetricDefinition(PrometheusMetricType::gauge, "Security status of this software. 0=unknown, 1=OK, 2=upgrade recommended, 3=upgrade mandatory") },
 };
 };
diff --git a/pdns/dnsdistdist/DNSDIST-MIB.txt b/pdns/dnsdistdist/DNSDIST-MIB.txt
index fdc3e5d80..9d1f50269 100644
--- a/pdns/dnsdistdist/DNSDIST-MIB.txt
+++ b/pdns/dnsdistdist/DNSDIST-MIB.txt
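Review bot: The new `stat_t securityStatus{0};` member in the `@@ -227` hunk of dnsdist.hh carries no comment, and it sits between the latency buckets and the latency averages although it holds a state code rather than a running count. A one-line comment would tell the next reader that the value is overwritten by the security poll and never incremented, for example `// last secpoll result: 0=unknown, 1=OK, 2=upgrade recommended, 3=upgrade mandatory`. The struct starts and ends outside the hunk.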
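Review bot: The help text added for `security-status` in the `@@ -357` hunk of dnsdist.hh says only `0=unknown`, while the statistics.rst text in the same commit says 0 also covers an unreleased version, and 0 is the initial value of the member as well. An alert written against values 2 and 3 alone therefore stays silent on an instance that has never completed a poll, so operators need to know that 0 is not a healthy reading. I would spell this out in the description, e.g. `"Security status of this software. 0=unknown (no successful poll yet, or unreleased version), 1=OK, 2=upgrade recommended, 3=upgrade mandatory"`, and use the same wording in the DESCRIPTION added to DNSDIST-MIB.txt.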
@@ -326,6 +326,14 @@ ruleServFail OBJECT-TYPE
 "Number of ServFail responses returned because of a rule"
 ::= { stats 37 }
+securityStatus OBJECT-TYPE
+ SYNTAX CounterBasedGauge64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Security status of this software. 0=unknown, 1=OK, 2=upgrade recommended, 3=upgrade mandatory"
+ ::= { stats 38 }
+
 backendStatTable OBJECT-TYPE
 SYNTAX SEQUENCE OF BackendStatEntry
 MAX-ACCESS not-accessible
@@ -670,6 +678,7 @@ dnsdistGroup OBJECT-GROUP
 fdUsage,
 dynBlocked,
 dynBlockNMGSize,
+ securityStatus,
 backendName,
 backendLatency,
 backendWeight,
diff --git a/pdns/dnsdistdist/dnsdist-secpoll.cc b/pdns/dnsdistdist/dnsdist-secpoll.cc
index 5a156cb83..259739ed6 100644
--- a/pdns/dnsdistdist/dnsdist-secpoll.cc
+++ b/pdns/dnsdistdist/dnsdist-secpoll.cc
@@ -220,6 +220,7 @@ void doSecPoll(const std::string& suffix)
 errlog("PowerDNS DNSDist Security Update Mandatory: %s", securityMessage);
 }
+ g_stats.securityStatus = securityStatus;
 g_secPollDone = true;
 return;
 }
diff --git a/pdns/dnsdistdist/docs/statistics.rst b/pdns/dnsdistdist/docs/statistics.rst
index 7344afd7d..a56e9e0fa 100644
--- a/pdns/dnsdistdist/docs/statistics.rst
+++ b/pdns/dnsdistdist/docs/statistics.rst
@@ -153,6 +153,17 @@ rule-servfail
 -------------
 Number of ServFail answers returned because of a rule.
+security-status
+---------------
+.. versionadded:: 1.3.4
+
+The security status of :program:`dnsdist`. This is regularly polled.
+
+ * 0 = Unknown status or unreleased version
+ * 1 = OK
+ * 2 = Upgrade recommended
+ * 3 = Upgrade required (most likely because there is a known security issue)
+
 self-answered
 -------------
 Number of self-answered responses.
diff --git a/regression-tests.dnsdist/test_API.py b/regression-tests.dnsdist/test_API.py
index 64bbeeaa8..00578a3e7 100644
--- a/regression-tests.dnsdist/test_API.py
+++ b/regression-tests.dnsdist/test_API.py
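Review bot: `g_stats.securityStatus = securityStatus;` in the `doSecPoll` hunk of dnsdist-secpoll.cc is written only on the path that ends in `g_secPollDone = true; return;`, so a poll that fails after an earlier success would presumably leave the previous value in the gauge. Monitoring would then keep reading `1` (OK) however long it has been since the check last worked, and a blocked or broken poll becomes indistinguishable from a healthy one. Consider setting the gauge back to unknown on the failure path, `g_stats.securityStatus = 0;`, or exporting a companion metric holding the time of the last successful poll so that alerts can fire on staleness. The failure path of doSecPoll lies outside the hunk, so this should be checked against the full function.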
@@ -233,7 +233,7 @@ class TestAPIBasics(DNSDistTest): 'latency-avg1000000', 'uptime', 'real-memory-usage', 'noncompliant-queries', 'noncompliant-responses', 'rdqueries', 'empty-queries', 'cache-hits', 'cache-misses', 'cpu-user-msec', 'cpu-sys-msec', 'fd-usage', 'dyn-blocked', - 'dyn-block-nmg-size', 'rule-servfail'] + 'dyn-block-nmg-size', 'rule-servfail', 'security-status'] for key in expected: self.assertIn(key, values)