[Reconnoiter-users] How to access the REST interface

Rui Lopes rgl at ruilopes.com
Thu Mar 18 06:40:04 EDT 2010


Humm, I don't see any error message about missing certificates on the
console. I'm running noitd as noitd -dD, and this is what I see:

Processed 1 includes
Found 29 /noit/logs//log stanzas
Found 1 outlets for log 'error'
Processed 1 includes
Found 1 acl stanzas
Module selfcheck successfully loaded.
ping_icmp: send buffer set to 1802240
Module ping_icmp successfully loaded.
Module snmp successfully loaded.
Module ssh2 successfully loaded.
Module varnish successfully loaded.
Module http successfully loaded.
Module resmon successfully loaded.
Module smtp successfully loaded.
Compiling filterset 'default'
Prepending allow into default
loaded uuid: f7cea020-f19d-11dd-85a6-cb6d3a2207dc
loaded uuid: 1b4e28ba-2fa1-11d2-883f-b9b761bde3fb
loaded uuid: 1cddb2a8-76ff-11dd-83c8-f75cb8b93bd9
Found 4 /noit/listeners//listener stanzas
noit_listener(/tmp/noit, 0, 1, 5, noit_console, (nil))
noit_listener(*, 32322, 1, 5, noit_console, (nil))
noit_listener(*, 32323, 1, 5, noit_console, (nil))
noit_listener(*, 43191, 1, 5, control_dispatch, (nil))
127.0.0.1`ssh2 <- [beb4c69d877c140d10a92dd469f90113]
127.0.0.1`ssh2 -> [available:good]
127.0.0.1`selfcheck <- [ok]
127.0.0.1`selfcheck -> [available:good]
127.0.0.1`ssh2 <- [beb4c69d877c140d10a92dd469f90113]
127.0.0.1`selfcheck <- [ok]
127.0.0.1`ping_icmp <- [cnt=5,avail=40,min=0.0001,max=0.0001,avg=0.0001]
127.0.0.1`ping_icmp -> [available:bad]
127.0.0.1`ssh2 <- [beb4c69d877c140d10a92dd469f90113]
127.0.0.1`selfcheck <- [ok]
127.0.0.1`ping_icmp <- [cnt=5,avail=40,min=0.0000,max=0.0000,avg=0.0000]
127.0.0.1`ssh2 <- [beb4c69d877c140d10a92dd469f90113]
127.0.0.1`selfcheck <- [ok]
127.0.0.1`ping_icmp <- [cnt=5,avail=40,min=0.0000,max=0.0000,avg=0.0000]
127.0.0.1`ssh2 <- [beb4c69d877c140d10a92dd469f90113]


This is inside the (default, except the exact paths) noitd.conf file:

  <listeners>
    <sslconfig>
      <optional_no_ca>false</optional_no_ca>
      <certificate_file>/home/rgl/projects/reconnoiter/ROOT/etc/noit.crtXXX</certificate_file>
      <key_file>/home/rgl/projects/reconnoiter/ROOT/etc/noit.keyXXX</key_file>
      <ca_chain>/home/rgl/projects/reconnoiter/ROOT/etc/ca.crtXXX</ca_chain>
    </sslconfig>

NB: I've added "XXX" in the file names.


Thanks!

Best regards,
Rui Lopes

On Wed, Mar 17, 2010 at 3:12 PM, Theo Schlossnagle <jesus at omniti.com> wrote:
> I believe it does.  It should be in the output on the console or in the log files.
>
> Make install should not copy those certs... You need to create your own.  Those are all snake-oil certs.
>
> On Mar 17, 2010, at 11:00 AM, Rui Lopes wrote:
>
>> Ah, that was it. make install didn't copy the SSL key and certificate
>> files into the installed etc directory. Copying them (noit.crt,
>> noit.key and ca.crt) manually from the test directory works fine now.
>>
>> Maybe noitd should complain about missing key/certificate files?
>>
>> Thanks!
>>
>> Best regards,
>> Rui Lopes
>>
>> On Wed, Mar 17, 2010 at 2:23 PM, Theo Schlossnagle <jesus at omniti.com> wrote:
>>> It sounds like perhaps noitd doesn't have its certs setup right.  The PKI configuration across all these things must be complete and correct or they will not trust each other.
>>>
>>> All the certs must be signed by a CA that is listed in the configured ca chain in each component.  If you run make in trunk, it will configure a whole bunch of test certs in the test directory and produce a test-noit.conf that _should_ work.  This shouldn't be used for production, of course, but it should provide a good working example.
>>>
>>> On Mar 17, 2010, at 10:20 AM, Rui Lopes wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm just running noitd. Just to be sure, here's netstat output:
>>>>
>>>> tcp        0      0 0.0.0.0:43191           0.0.0.0:*
>>>> LISTEN      6099/noitd
>>>> tcp        0      0 0.0.0.0:32322           0.0.0.0:*
>>>> LISTEN      6099/noitd
>>>> tcp        0      0 0.0.0.0:32323           0.0.0.0:*
>>>> LISTEN      6099/noitd
>>>> raw        0      0 0.0.0.0:1               0.0.0.0:*               7
>>>>         6099/noitd
>>>> raw6       0      0 :::1                    :::*                    7
>>>>         6099/noitd
>>>> unix  2      [ ACC ]     STREAM     LISTENING     22455    6099/noitd
>>>>        /tmp/noit
>>>>
>>>> Thanks for the flags tip! I didn't notice the --insecure/-k flag.
>>>> Though, please note that noitd just drops the connection (the SSL
>>>> handshake is not even started); the actual error as displayed by curl
>>>> is:
>>>>
>>>> curl: (35) Unknown SSL protocol error in connection to localhost:43191
>>>>
>>>> Any idea how to troubleshoot this? or what might be wrong?
>>>>
>>>> BTW, I'm running noitd as: sudo noitd -dD
>>>>
>>>> Best regards,
>>>> Rui Lopes
>>>>
>>>> On Wed, Mar 17, 2010 at 2:04 PM, Theo Schlossnagle <jesus at omniti.com> wrote:
>>>>> By default stratcon and noit both use 43191 -- they should be run on separate machines.  So, if you are running both, you could be connecting to stratcon which doesn't understand that REST call.
>>>>>
>>>>> Don't turn off SSL.  And help yourself a little with more flags to curl: -k and -D-
>>>>> That should avoid the unknown CA chain and give you the HTTP headers sent back which will tell you more.
>>>>>
>>>>> On Mar 17, 2010, at 8:43 AM, Rui Lopes wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> How can we access the REST interface?
>>>>>>
>>>>>> From the docs [0], this should be something like:
>>>>>>
>>>>>>  curl --cert test/client.crt --key test/client.key
>>>>>> https://localhost:43191/checks/show/f7cea020-f19d-11dd-85a6-cb6d3a2207dc
>>>>>>
>>>>>> But for some reason that fails. I've also tried to use netcat (nc
>>>>>> localhost 43191), but the connection is immediately disconnected; I've
>>>>>> tried to disable SSL by modifying:
>>>>>>
>>>>>>  <listener type="control_dispatch" address="*" port="43191" ssl="off">
>>>>>>
>>>>>> I can now connect using netcat, but if I try to issue the HTTP
>>>>>> request, it does not work.
>>>>>>
>>>>>> Any idea how to make it work?
>>>>>>
>>>>>> BTW, I'm using today's trunk version. And I'm using the default noitd
>>>>>> configuration, except the checks section, which is:
>>>>>>
>>>>>> <checks max_initial_stutter="30000" filterset="default">
>>>>>>    <local timeout="4000" period="5000" target="127.0.0.1">
>>>>>>        <check uuid="f7cea020-f19d-11dd-85a6-cb6d3a2207dc" module="selfcheck"/>
>>>>>>        <check uuid="1b4e28ba-2fa1-11d2-883f-b9b761bde3fb" module="ping_icmp"/>
>>>>>>        <check uuid="1cddb2a8-76ff-11dd-83c8-f75cb8b93bd9" module="ssh2"/>
>>>>>>    </local>
>>>>>> </checks>
>>>>>>
>>>>>> TIA!
>>>>>>
>>>>>> Best regards,
>>>>>> Rui Lopes
>>>>>>
>>>>>> [0] https://labs.omniti.com/docs/reconnoiter/noitd.wire.protocol.html#id322454
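One way to check the three files named in noitd's <sslconfig> against each other before retrying curl, as an added example in shell with openssl(1) (not part of this thread or of Reconnoiter itself). It assumes openssl is on PATH and takes the certificate, key and CA-chain paths as arguments; the throwaway PKI built by make_test_pki is constructed test material so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not Reconnoiter code. Verifies that the key matches the
# certificate and that the certificate chains to a CA in the configured
# ca_chain, which is the trust condition the thread describes.
# Assumption: openssl(1) is installed and on PATH.

# check_pki CERT KEY CA_CHAIN -> 0 when all three files are consistent
check_pki() {
    cert=$1; key=$2; ca=$3
    for f in "$cert" "$key" "$ca"; do
        if [ ! -r "$f" ]; then
            # noitd itself gives no console error for this case
            echo "missing or unreadable: $f" >&2
            return 1
        fi
    done
    # Public key derived from the private key must equal the one in the cert
    if [ "$(openssl x509 -in "$cert" -pubkey -noout)" != \
         "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "key does not match certificate: $key / $cert" >&2
        return 1
    fi
    # The cert must be signed by a CA present in the configured chain
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "certificate is not signed by a CA in $ca" >&2
        return 1
    fi
    return 0
}

# make_test_pki DIR: constructed throwaway CA, one leaf signed by it, and
# one self-signed "stray" leaf that no component should trust.
make_test_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=test-ca \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=noit \
        -keyout "$d/noit.key" -out "$d/noit.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/noit.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/noit.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=stray \
        -keyout "$d/stray.key" -out "$d/stray.crt" 2>/dev/null
}
```

Run it as `check_pki /path/noit.crt /path/noit.key /path/ca.crt` with the paths from noitd.conf; a non-zero exit names the first inconsistency found.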