[Reconnoiter-users] How to access the REST interface

Rui Lopes rgl at ruilopes.com
Thu Mar 18 08:42:06 EDT 2010


No errors are displayed on noitd when someone connects.

Best regards,
Rui Lopes

On Thu, Mar 18, 2010 at 12:28 PM, Theo Schlossnagle <jesus at omniti.com> wrote:
> The certificates don't get read until someone connects... you should get an error message when you attempt to connect.
>
> On Mar 18, 2010, at 6:40 AM, Rui Lopes wrote:
>
>> Humm, I don't see any error message about missing certificates on the
>> console. I'm running noitd as noitd -dD, and this is what I see:
>>
>> Processed 1 includes
>> Found 29 /noit/logs//log stanzas
>> Found 1 outlets for log 'error'
>> Processed 1 includes
>> Found 1 acl stanzas
>> Module selfcheck successfully loaded.
>> ping_icmp: send buffer set to 1802240
>> Module ping_icmp successfully loaded.
>> Module snmp successfully loaded.
>> Module ssh2 successfully loaded.
>> Module varnish successfully loaded.
>> Module http successfully loaded.
>> Module resmon successfully loaded.
>> Module smtp successfully loaded.
>> Compiling filterset 'default'
>> Prepending allow into default
>> loaded uuid: f7cea020-f19d-11dd-85a6-cb6d3a2207dc
>> loaded uuid: 1b4e28ba-2fa1-11d2-883f-b9b761bde3fb
>> loaded uuid: 1cddb2a8-76ff-11dd-83c8-f75cb8b93bd9
>> Found 4 /noit/listeners//listener stanzas
>> noit_listener(/tmp/noit, 0, 1, 5, noit_console, (nil))
>> noit_listener(*, 32322, 1, 5, noit_console, (nil))
>> noit_listener(*, 32323, 1, 5, noit_console, (nil))
>> noit_listener(*, 43191, 1, 5, control_dispatch, (nil))
>> 127.0.0.1`ssh2 <- [beb4c69d877c140d10a92dd469f90113]
>> 127.0.0.1`ssh2 -> [available:good]
>> 127.0.0.1`selfcheck <- [ok]
>> 127.0.0.1`selfcheck -> [available:good]
>> 127.0.0.1`ssh2 <- [beb4c69d877c140d10a92dd469f90113]
>> 127.0.0.1`selfcheck <- [ok]
>> 127.0.0.1`ping_icmp <- [cnt=5,avail=40,min=0.0001,max=0.0001,avg=0.0001]
>> 127.0.0.1`ping_icmp -> [available:bad]
>> 127.0.0.1`ssh2 <- [beb4c69d877c140d10a92dd469f90113]
>> 127.0.0.1`selfcheck <- [ok]
>> 127.0.0.1`ping_icmp <- [cnt=5,avail=40,min=0.0000,max=0.0000,avg=0.0000]
>> 127.0.0.1`ssh2 <- [beb4c69d877c140d10a92dd469f90113]
>> 127.0.0.1`selfcheck <- [ok]
>> 127.0.0.1`ping_icmp <- [cnt=5,avail=40,min=0.0000,max=0.0000,avg=0.0000]
>> 127.0.0.1`ssh2 <- [beb4c69d877c140d10a92dd469f90113]
>>
>>
>> This is inside the (default, except the exact paths) noitd.conf file:
>>
>>  <listeners>
>>    <sslconfig>
>>      <optional_no_ca>false</optional_no_ca>
>>      <certificate_file>/home/rgl/projects/reconnoiter/ROOT/etc/noit.crtXXX</certificate_file>
>>      <key_file>/home/rgl/projects/reconnoiter/ROOT/etc/noit.keyXXX</key_file>
>>      <ca_chain>/home/rgl/projects/reconnoiter/ROOT/etc/ca.crtXXX</ca_chain>
>>    </sslconfig>
>>
>> NB: I've added "XXX" in the file names.
>>
>>
>> Thanks!
>>
>> Best regards,
>> Rui Lopes
>>
>> On Wed, Mar 17, 2010 at 3:12 PM, Theo Schlossnagle <jesus at omniti.com> wrote:
>>> I believe it does.  It should be in the output on the console or in the log files.
>>>
>>> Make install should not copy those certs... You need to create your own.  Those are all snake-oil certs.
>>>
>>> On Mar 17, 2010, at 11:00 AM, Rui Lopes wrote:
>>>
>>>> Ah, that was it. make install didn't copy the SSL key and certificate
>>>> files into the installed etc directory. Copying them (noit.crt,
>>>> noit.key and ca.crt) manually from the test directory works fine now.
>>>>
>>>> Maybe noitd should complain about missing key/certificate files?
>>>>
>>>> Thanks!
>>>>
>>>> Best regards,
>>>> Rui Lopes
>>>>
>>>> On Wed, Mar 17, 2010 at 2:23 PM, Theo Schlossnagle <jesus at omniti.com> wrote:
>>>>> It sounds like perhaps noitd doesn't have its certs setup right.  The PKI configuration across all these things must be complete and correct or they will not trust each other.
>>>>>
>>>>> All the certs must be signed by a CA that is listed in the configured ca chain in each component.  If you run make in trunk, it will configure a whole bunch of test certs in the test directory and produce a test-noit.conf that _should_ work.  This shouldn't be used for production, of course, but it should provide a good working example.
>>>>>
>>>>> On Mar 17, 2010, at 10:20 AM, Rui Lopes wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm just running noitd. Just to be sure, here's netstat output:
>>>>>>
>>>>>> tcp        0      0 0.0.0.0:43191           0.0.0.0:*               LISTEN      6099/noitd
>>>>>> tcp        0      0 0.0.0.0:32322           0.0.0.0:*               LISTEN      6099/noitd
>>>>>> tcp        0      0 0.0.0.0:32323           0.0.0.0:*               LISTEN      6099/noitd
>>>>>> raw        0      0 0.0.0.0:1               0.0.0.0:*               7           6099/noitd
>>>>>> raw6       0      0 :::1                    :::*                    7           6099/noitd
>>>>>> unix  2      [ ACC ]     STREAM     LISTENING     22455    6099/noitd   /tmp/noit
>>>>>>
>>>>>> Thanks for the flags tip! I didn't notice the --insecure/-k flag.
>>>>>> Though, please note that noitd just drops the connection (the SSL
>>>>>> handshake is not even started); the actual error as displayed by curl
>>>>>> is:
>>>>>>
>>>>>> curl: (35) Unknown SSL protocol error in connection to localhost:43191
>>>>>>
>>>>>> Any idea how to troubleshoot this? or what might be wrong?
>>>>>>
>>>>>> BTW, I'm running noitd as: sudo noitd -dD
>>>>>>
>>>>>> Best regards,
>>>>>> Rui Lopes
>>>>>>
>>>>>> On Wed, Mar 17, 2010 at 2:04 PM, Theo Schlossnagle <jesus at omniti.com> wrote:
>>>>>>> By default stratcon and noit both use 43191 -- they should be run on separate machines.  So, if you are running both, you could be connecting to stratcon which doesn't understand that REST call.
>>>>>>>
>>>>>>> Don't turn off SSL.  And help yourself a little with more flags to curl: -k and -D-
>>>>>>> That should avoid the unknown CA chain and give you the HTTP headers sent back which will tell you more.
>>>>>>>
>>>>>>> On Mar 17, 2010, at 8:43 AM, Rui Lopes wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> How can we access the REST interface?
>>>>>>>>
>>>>>>>> From the docs [0], this should be something like:
>>>>>>>>
>>>>>>>>  curl --cert test/client.crt --key test/client.key https://localhost:43191/checks/show/f7cea020-f19d-11dd-85a6-cb6d3a2207dc
>>>>>>>>
>>>>>>>> But for some reason that fails. I've also tried to use netcat (nc
>>>>>>>> localhost 43191), but the connection is immediately disconnected; I've
>>>>>>>> tried to disable SSL by modifying:
>>>>>>>>
>>>>>>>>  <listener type="control_dispatch" address="*" port="43191" ssl="off">
>>>>>>>>
>>>>>>>> I can now connect using netcat, but if I try to issue the HTTP
>>>>>>>> request, it does not work.
>>>>>>>>
>>>>>>>> Any idea how to make it work?
>>>>>>>>
>>>>>>>> BTW, I'm using todays trunk version. And I'm using the default noitd
>>>>>>>> configuration, except the checks section, which is:
>>>>>>>>
>>>>>>>> <checks max_initial_stutter="30000" filterset="default">
>>>>>>>>    <local timeout="4000" period="5000" target="127.0.0.1">
>>>>>>>>        <check uuid="f7cea020-f19d-11dd-85a6-cb6d3a2207dc" module="selfcheck"/>
>>>>>>>>        <check uuid="1b4e28ba-2fa1-11d2-883f-b9b761bde3fb" module="ping_icmp"/>
>>>>>>>>        <check uuid="1cddb2a8-76ff-11dd-83c8-f75cb8b93bd9" module="ssh2"/>
>>>>>>>>    </local>
>>>>>>>> </checks>
>>>>>>>>
>>>>>>>> TIA!
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Rui Lopes
>>>>>>>>
>>>>>>>> [0] https://labs.omniti.com/docs/reconnoiter/noitd.wire.protocol.html#id322454
>
> --
> Theo Schlossnagle
> http://omniti.com/is/theo-schlossnagle
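A pre-flight check for the <sslconfig> and <listener> settings discussed in this thread, added here as an example; it is not part of Reconnoiter or of anyone's post. It assumes the config layout shown in the quoted noitd.conf fragments (<sslconfig> with <certificate_file>, <key_file> and <ca_chain> under <listeners>, and <listener ... ssl="..."> stanzas), reports the missing files that noitd itself only notices on the first connection, verifies that an existing key actually matches its certificate, and flags any listener with SSL turned off. The sample config in demo() is constructed to mirror the "XXX"-suffixed paths and the ssl="off" change from the thread.

```python
import ssl
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

SSL_FILES = ("certificate_file", "key_file", "ca_chain")

def check_noit_conf(path):
    """Return problem strings for the noitd.conf at `path` (empty list = ok)."""
    problems = []
    root = ET.parse(path).getroot()
    for sslconf in root.iter("sslconfig"):
        files = {}
        for tag in SSL_FILES:
            node = sslconf.find(tag)
            text = (node.text or "").strip() if node is not None else ""
            if not text:
                problems.append("sslconfig: <%s> is not set" % tag)
            elif not Path(text).is_file():
                problems.append("sslconfig: %s does not exist: %s" % (tag, text))
            else:
                files[tag] = text
        if "certificate_file" in files and "key_file" in files:
            # A key that does not match the cert (or an unparsable PEM) raises
            # ssl.SSLError here; noitd itself only notices on the first connection.
            try:
                ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
                ctx.load_cert_chain(files["certificate_file"], files["key_file"])
                if "ca_chain" in files:
                    ctx.load_verify_locations(files["ca_chain"])
            except ssl.SSLError as exc:
                problems.append("sslconfig: cert/key/CA failed to load: %s" % exc)
    for lst in root.iter("listener"):  # the thread's advice: don't turn off SSL
        if lst.get("ssl", "").lower() == "off":
            problems.append('listener %s:%s (%s) has ssl="off"' % (
                lst.get("address", "?"), lst.get("port", "?"), lst.get("type", "?")))
    return problems

def demo():
    """Check a constructed config that reproduces the thread's two mistakes."""
    d = Path(tempfile.mkdtemp())
    (d / "noit.crt").write_text("constructed placeholder, not a real cert\n")
    (d / "noitd.conf").write_text(
        '<noit><listeners><sslconfig><optional_no_ca>false</optional_no_ca>'
        '<certificate_file>%s/noit.crt</certificate_file><key_file>%s/noit.keyXXX'
        '</key_file><ca_chain>%s/ca.crtXXX</ca_chain></sslconfig><listener '
        'type="control_dispatch" address="*" port="43191" ssl="off"/></listeners></noit>'
        % (d, d, d))
    return check_noit_conf(str(d / "noitd.conf"))
```

Running check_noit_conf() against a real noitd.conf before starting noitd gives the "complain about missing key/certificate files" behaviour asked for above, without waiting for a client to trigger the error.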