Asynchronous, parallel external service checker (and reporter), using industry standard libraries: Curl, ngHTTP2 and OpenSSL.
Daniel (@dmilith) Dettlaff
Asynchronous and multithreaded by default.
JSON format used for both checks (input) and products (output).
Uses OpenSSL 1.1.1a+ to provide "TLS-cert expiration check" functionality.
HTTP2 used as default.
… and especially about current state of linking with shared dynamic libraries by Cargo on LLVM-driven FreeBSD systems…
To make a long story short: Cargo on FreeBSD/HardenedBSD/Linux doesn't set a proper runtime path (RPATH/RUNPATH in the binary header) when shared libraries are outside of the standard `/lib:/usr/lib:/usr/local/lib` library paths.
There are two quick solutions for this problem: one is bad, one is ugly.
The bad solution is hacking the `LD_LIBRARY_PATH` shell-env value, and this is considered to be an unethical choice (but still… the choice of many…).
The ugly solution is ugly, but at least it solves the problem at development time…
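A check for the missing-RPATH problem described above, as an added example that is not part of the Krecik repository: it parses `readelf -d` output (GNU readelf format assumed) and reports whether a non-standard library directory is an exact RPATH/RUNPATH entry. The directory `/Software/Curl_lib/lib`, the binary path in the comment and both sample dynamic sections are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: audit the runtime library search path of a dynamically
# linked build from `readelf -d` output (GNU readelf format assumed).

# Constructed sample: dynamic section of a binary linked WITHOUT a runtime path.
SAMPLE_BROKEN=' 0x0000000000000001 (NEEDED)   Shared library: [libcurl.so.4]
 0x0000000000000001 (NEEDED)   Shared library: [libssl.so.1.1]
 0x0000000000000001 (NEEDED)   Shared library: [libc.so.7]'

# Constructed sample: the same binary linked with a RUNPATH entry.
SAMPLE_LINKED="$SAMPLE_BROKEN
 0x000000000000001d (RUNPATH)  Library runpath: [/Software/Curl_lib/lib:/usr/local/lib]"

# Print every RPATH/RUNPATH directory found on stdin, one per line.
runtime_paths() {
    sed -n -e 's/.*(RPATH).*\[\(.*\)].*/\1/p' \
           -e 's/.*(RUNPATH).*\[\(.*\)].*/\1/p' | tr ':' '\n'
}

# Print the sonames the binary asks the loader to resolve.
needed_libs() {
    sed -n 's/.*(NEEDED).*\[\(.*\)].*/\1/p'
}

# Succeed only if directory $1 is an exact RPATH/RUNPATH entry.
has_runtime_path() {
    runtime_paths | grep -Fxq -- "$1"
}

# Report for one binary: $1 = label, $2 = expected library dir, stdin = readelf -d output.
audit() {
    dyn=$(cat)
    if printf '%s\n' "$dyn" | has_runtime_path "$2"; then
        echo "$1: OK, loader will search $2"
    else
        echo "$1: no RPATH/RUNPATH entry for $2; NEEDED libraries:"
        printf '%s\n' "$dyn" | needed_libs | sed 's/^/  /'
        return 1
    fi
}

# Real use (hypothetical binary path):
#   readelf -d target/debug/krecik | audit krecik /Software/Curl_lib/lib
printf '%s\n' "$SAMPLE_LINKED" | audit linked /Software/Curl_lib/lib
printf '%s\n' "$SAMPLE_BROKEN" | audit broken /Software/Curl_lib/lib || true
```

A binary that fails this check while still starting correctly is being resolved through the environment (`LD_LIBRARY_PATH`) rather than through its own header.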
NOTE: Krecik at its current stage will use static linking by default.
This means that each release will encapsulate exact versions of the Curl, OpenSSL and ngHTTP2 libraries, linked directly into the `krecik` binary.
Krecik relies on a fully featured build of Curl, which is available via the Sofin binary-bundle `Curl_lib`. To install the prebuilt "Curl_lib" on a supported system:
```bash
myusername="${USER}"
sudo mkdir "/Software"
sudo chown "${myusername}" "/Software"
cd "/Software"
curl -O "http://software.verknowsys.com/binary/Darwin-10.11-x86_64/Curl_lib-7.64.0-Darwin-10.11-x86_64.txz"
tar xfJ "Curl_lib-7.64.0-Darwin-10.11-x86_64.txz" --directory "/Software"
```

Prebuilt version of the `Curl_lib` bundle is available for systems:
HardenedBSD-11.x - NOTE: Under HardenedBSD, the binary-bundle file is NOT a tar file, but an Lz4-compressed ZFS dataset of the software bundle.
NOTE: Curl_lib binary-bundle provides all Krecik library requirements: CURL, OpenSSL, ngHTTP2, (IDN, SSH).
Lazy developer mode (using `cargo-watch` + `cargo-clippy`, warnings: enabled, watch waits for a code change before the first run):

```bash
bin/devel
```
Eager developer mode (using `cargo-watch` + `cargo-clippy`, warnings: enabled, watch compiles code immediately):

```bash
bin/devel dev
```
bin/build
Launch the "dev" WebAPI server (NOTE: enables the DEBUG logger level and makes the cargo build process verbose):

```bash
bin/run dev
```
Launch the "release" WebAPI server:

```bash
bin/run
```
NOTE: If one of the servers mentioned above… is started, the script mentioned below will do an additional round of built-in tests over the HTTP2-Check-API:

```bash
bin/test
```
For now, the only defined remote resource type is "PongoHost". To configure a Pongo API resource, create the file `checks/remotes/yourname.json` with contents:

```json
{
  "url": "https://pongo-api.your.domain.tld/api/ping?token=your-secret-token",
  "only_vhost_contains": "services-domain.tld"
}
```
NOTE: If "only_vhost_contains" is "" - no domain filtering is applied (all defined hosts are always accepted). If a value is set, the checker will limit processed checks to only URLs matching the specified domain name (or URL path fragment).
1. Create a new repository with JSON files containing the definitions of your checks. Check file-format examples can be found in `checks/tests/*.json`. Commit your checks.
2. Now in the `krecik` repository do: `cd krecik/checks`.
3. Clone your checks-resource repository, here I called it "frontends": `git clone git@github.com:my-company-id/krecik-frontends.git frontends`.
4. Start the `krecik` web-server in dev mode: `bin/run dev` (starts MUCH faster in dev mode).
5. Use the provided WebAPI to perform checks. Examples below.
NOTE: early stage, details may change in future!
Perform all checks from the local "frontends" resource: `curl http://127.0.0.1:60666/check/execute/frontends`
Perform only checks defined in a single check-file of the local "frontends" resource, "your-name.json": `curl http://127.0.0.1:60666/check/execute/frontends/your-name.json`
Perform all checks provided by the Pongo remote resource (requires valid mapper configuration per remote resource): `curl http://127.0.0.1:60666/check/execute_remote/remotes`
For svdOS (custom HardenedBSD x86_64) servers using Sofin:

Install build requirements with:

```bash
s i Openssl Rust Perl Make
```

then publish the bundles' settings to the environment with:

```bash
s env +Openssl +Rust +Perl +Make
```

After the build, bring back the dynamic env setup with:

```bash
s env reset
```
It's been my favorite cartoon… It's a little tribute for mr Zdeněk Miler as well :)
BSD
MIT