Migrate NF conntrack check into ruby script (#72)

* migrated NF conntrack check into ruby script * conntract: add error handling * conntrack: add test * add rescue class, make test executable, add frozen literals back
sensu-plugins · Mar 17, 2018 · ebbf3bd · ebbf3bd
1 parent 64b5ab4
commit ebbf3bd
Show file tree

Hide file tree

Showing 5 changed files with 153 additions and 57 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 This CHANGELOG follows the format listed  [here](https://github.com/sensu-plugins/community/blob/master/HOW_WE_CHANGELOG.md)
 
 ## [Unreleased]
+### Changed
+- check-netfilter-conntrack.rb: ditch the associated shellscript and turned into pure Ruby.
 
 ## [3.0.0] - 2018-03-17
 ### Security

diff --git a/README.md b/README.md
@@ -9,6 +9,7 @@
 
 ## Files
  * bin/check-banner.rb
+ * bin/check-netfilter-conntrack.rb
  * bin/check-jsonwhois-domain-expiration.rb
  * bin/check-mtu.rb
  * bin/check-multicast-groups.rb

diff --git a/bin/check-netfilter-conntrack.rb b/bin/check-netfilter-conntrack.rb
@@ -1,7 +1,74 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
 
-bin_dir = File.expand_path(__dir__)
-shell_script_path = File.join(bin_dir, File.basename($PROGRAM_NAME, '.rb') + '.sh')
+#
+#   check-netfilter-conntrack
+#
+# DESCRIPTION:
+#   Check netfilter connection tracking table condition
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# USAGE:
+#   $ ./check-netfilter-conntrack.rb --warning 60 --critical 90
+#
+# NOTES:
+#   - If you need to check the conntrack table of a specific linux
+#     network namespace (e.g in a docker context), run this check as
+#     `nsenter --net=<file> check-netfilter-conntrack.rb` to use the
+#     network namespace which `<file>`'s descriptor indicates.
+#
+# LICENSE:
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
 
-exec shell_script_path, *ARGV
+require 'sensu-plugin/check/cli'
+
+#
+# Check Netfilter connection tracking table condition
+#
+class CheckNetfilterConntrack < Sensu::Plugin::Check::CLI
+  option :warning,
+         description: 'Warn if conntrack table is filled more than PERC%',
+         short: '-w PERC',
+         long: '--warning PERC',
+         default: 80,
+         proc: proc(&:to_i)
+
+  option :critical,
+         description: 'Critical if conntrack table is filled more than PERC%',
+         short: '-c PERC',
+         long: '--critical PERC',
+         default: 90,
+         proc: proc(&:to_i)
+
+  def nf_conntrack_max
+    File.read('/proc/sys/net/netfilter/nf_conntrack_max').to_i
+  end
+
+  def nf_conntrack_count
+    File.read('/proc/sys/net/netfilter/nf_conntrack_count').to_i
+  end
+
+  def run
+    max = nf_conntrack_max
+    count = nf_conntrack_count
+    percentage = (count.to_f / max.to_f) * 100
+
+    message "Table is at #{percentage.round(1)}% (#{count}/#{max})"
+
+    critical if percentage >= config[:critical]
+    warning if percentage >= config[:warning]
+    ok
+  rescue StandardError
+    warning "Can't read conntrack information."
+  end
+end
diff --git a/bin/check-netfilter-conntrack.sh b/bin/check-netfilter-conntrack.sh
diff --git a/test/check-netfilter-conntrack_spec.rb b/test/check-netfilter-conntrack_spec.rb
@@ -0,0 +1,80 @@
+#!/usr/bin/env ruby
+#
+#   check-netfilter-conntrack_spec
+#
+# DESCRIPTION:
+#  rspec tests for netfilter-conntrack-mtu
+#
+# OUTPUT:
+#   RSpec testing output: passes and failures info
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   rspec
+#
+# USAGE:
+#   For Rspec Testing
+#
+# NOTES:
+#   For Rspec Testing
+#
+# LICENSE:
+#   Copyright 2018 Jan Kunzmann <jan-github@phobia.de>
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+
+require_relative '../bin/check-netfilter-conntrack'
+require_relative './spec_helper.rb'
+
+describe CheckNetfilterConntrack do
+  let(:checker) { described_class.new }
+  let(:checker_no_file) { described_class.new }
+  let(:exit_code) { nil }
+
+  before(:each) do
+    def checker.ok(*_args)
+      exit 0
+    end
+
+    def checker.warning(*_args)
+      exit 1
+    end
+
+    def checker.critical(*_args)
+      exit 2
+    end
+  end
+
+  [
+    [100, 0, 0, 'ok'],
+    [100, 79, 0, 'ok'],
+    [100, 80, 1, 'warn'],
+    [100, 89, 1, 'warn'],
+    [100, 90, 2, 'crit'],
+    [100, 100, 2, 'crit']
+  ].each do |testdata|
+    it "returns #{testdata[3]} for default thresholds" do
+      begin
+        allow(checker).to receive(:nf_conntrack_max).and_return testdata[0]
+        allow(checker).to receive(:nf_conntrack_count).and_return testdata[1]
+        checker.run
+      rescue SystemExit => e
+        exit_code = e.status
+      end
+      expect(exit_code).to eq testdata[2]
+    end
+  end
+
+  it 'returns warning if conntract sysctl files not found' do
+    begin
+      allow(checker).to receive(:nf_conntrack_max).and_raise Errno::ENOENT
+      checker.run
+    rescue SystemExit => e
+      exit_code = e.status
+    end
+    expect(exit_code).to eq 1
+  end
+end