diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..debd3c9
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+ - package-ecosystem: "docker" # See documentation for possible values
+ directory: "/" # Location of package manifests
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/anchore-syft.yml b/.github/workflows/anchore-syft.yml
new file mode 100644
index 0000000..f77377f
--- /dev/null
+++ b/.github/workflows/anchore-syft.yml
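Review bot: The configuration tracks only the `docker` ecosystem, while the workflows added in this same commit reference actions by tag (`actions/checkout@v3`, `actions/attest-build-provenance@v1`, `DependencyTrack/gh-upload-sbom@v3.1.0`, `anchore/sbom-action@v0.17.8`, `slackapi/slack-github-action@v1.23.0`) and one by commit SHA, none of which Dependabot will touch with this file. Add a second entry, `- package-ecosystem: "github-actions"` with `directory: "/"` and the same weekly `schedule:`, so those pins get update PRs too. The `FROM ubuntu:24.04` line is covered by the `docker` entry, but the component versions fixed in the Dockerfile's `ENV` lines are outside what Dependabot can follow.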
@@ -0,0 +1,70 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency
+# submission API.
+
+# For more information on the Anchore sbom-action usage
+# and parameters, see https://github.com/anchore/sbom-action. For more
+# information about the Anchore SBOM tool, Syft, see
+# https://github.com/anchore/syft
+name: Anchore Syft SBOM scan
+
+on:
+ workflow_dispatch:
+ workflow_run:
+ workflows: [ "Build my Nagios image and push to my registry" ]
+ types: [ completed ]
+ # push:
+ # tags:
+ # - "*.*.*"
+
+jobs:
+ Anchore-Build-Scan:
+ permissions:
+ contents: write # required to upload to the Dependency submission API
+ id-token: write
+ attestations: write
+ actions: read
+ runs-on: self-hosted
+ steps:
+ - name: Set the image version
+ id: vars
+ run: echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+
+ - name: Scan the image and upload dependency results
+ uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a
+ with:
+ #image: macro.int.pgmac.net:5000/nagios:${{ inputs.tags || steps.vars.outputs.tag }}
+ path: ./
+ format: cyclonedx-json
+ output-file: syft-sbom.json
+ artifact-name: syft-sbom.json
+ upload-artifact: true
+ dependency-snapshot: true
+
+ - name: SHA256 hash the SBoM
+ id: sha256
+ run: echo "SHA256=$(sha256sum syft-sbom.json | cut -d ' ' -f1)" >> $GITHUB_ENV
+
+ - name: Attest the SBoM
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: macro.int.pgmac.net:5000/Docker-Nagios/syft-sbom.json
+ subject-digest: sha256:${{ env.SHA256 }}
+ show-summary: true
+ push-to-registry: false
+
+ - name: Upload SBoM to Dependency Track
+ uses: DependencyTrack/gh-upload-sbom@v3.1.0
+ with:
+ serverHostname: 'dtrack.int.pgmac.net'
+ protocol: 'https'
+ apiKey: ${{ secrets.DT_APIKEY }}
+ projectName: Docker-Nagios
+ projectVersion: ${{ inputs.tags || steps.vars.outputs.tag }}
+ bomFilename: 'syft-sbom.json'
+ autoCreate: true
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
new file mode 100644
index 0000000..4f8be88
--- /dev/null
+++ b/.github/workflows/docker-image.yml
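Review bot: The scan step reads `path: ./`, but the job has no `actions/checkout` step, so on the `self-hosted` runner the SBOM describes whatever the persistent workspace happened to contain from an earlier run, not the image this workflow is meant to follow (the `image:` input is commented out). Either add a checkout step before the scan, or restore `image:` with the tag of the triggering build. `${{ inputs.tags || steps.vars.outputs.tag }}` also looks wrong for this trigger: `workflow_dispatch` declares no inputs, so `inputs.tags` is always empty, and under `workflow_run` the `GITHUB_REF` read by the `vars` step is the repository's default branch rather than the tag that was pushed — `github.event.workflow_run.head_branch` should carry the triggering ref's name. Since that value becomes the `projectVersion` uploaded to Dependency Track and the attested SBOM is labelled with it, a wrong value mislabels the record.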
@@ -0,0 +1,117 @@ +name: Build my Nagios image and push to my registry + +on: + push: + tags: + - "*.*.*" + workflow_dispatch: +jobs: + build-n-push: + permissions: + id-token: write + attestations: write + actions: read + contents: write + runs-on: self-hosted + steps: + - uses: actions/checkout@v3 + + - name: Set the image version + id: vars + run: echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT + + - name: Build the Docker image + run: docker build . --file Dockerfile --tag macro.int.pgmac.net:5000/nagios:${{ inputs.tags || steps.vars.outputs.tag }} + + - name: Push to my internal registry + run: docker push macro.int.pgmac.net:5000/nagios:${{ inputs.tags || steps.vars.outputs.tag }} + + - name: Run Syft SBoM scan + uses: anchore/sbom-action@v0.17.8 + with: + image: macro.int.pgmac.net:5000/nagios:${{ inputs.tags || steps.vars.outputs.tag }} + format: cyclonedx-json + output-file: syft-sbom.json + artifact-name: syft-sbom.json + + - name: Upload SBoM to GitHub Artifact storage + uses: actions/upload-artifact@v4 + with: + name: syft-sbom.json + path: "syft-sbom.json" + retention-days: 2 + overwrite: true + + - name: SHA256 hash the SBoM + id: sha256 + run: echo "SHA256=$(sha256sum syft-sbom.json | cut -d ' ' -f1)" >> $GITHUB_ENV + + - name: Attest the SBoM + uses: actions/attest-build-provenance@v1 + with: + subject-name: macro.int.pgmac.net:5000/Docker-Nagios/syft-sbom.json + subject-digest: sha256:${{ env.SHA256 }} + show-summary: true + push-to-registry: false + + - name: Upload SBoM to Dependency Track + uses: DependencyTrack/gh-upload-sbom@v3.1.0 + with: + serverhostname: "dtrack.int.pgmac.net" + protocol: "https" + apikey: ${{ secrets.DT_APIKEY }} + project: ${{ secrets.DT_PROJECT_UUID }} + bomfilename: "syft-sbom.json" + autocreate: false + + - name: Exit code failure + if: failure() + run: | + echo "colour=danger" >> $GITHUB_ENV + echo "icon=🛑" >> $GITHUB_ENV + + - name: Exit code cancelled + if: cancelled() + run: | + echo "colour=warning" >> 
$GITHUB_ENV + echo "icon=⚠" >> $GITHUB_ENV + + - name: Exit code success + if: success() + run: | + echo "colour=good" >> $GITHUB_ENV + echo "icon=✅" >> $GITHUB_ENV + + - name: Send Slack message + uses: slackapi/slack-github-action@v1.23.0 + with: + payload: | + { + "channel": "builds", + "attachments": [ + { + "mrkdwn_in": ["text", "pretext"], + "fallback": ${{ toJSON(join(github.event.commits.*.message, '
') || ':point_right: Manually triggered') }}, + "color": "${{ env.colour || 'grey' }}", + "pretext": "${{ env.icon || '?' }} ${{ github.workflow }} (${{ github.ref_name }}) #${{ github.run_number }}", + "author_name": "${{ github.triggering_actor || github.actor }}", + "title": "${{ github.workflow }}", + "title_link": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", + "text": ${{ toJSON(join(github.event.commits.*.message, '\n') || ':point_right: Manually triggered') }} + }, + { + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "<${{ github.event.pull_request.html_url || github.event.head_commit.url || github.server_url }}|View commit>" + } + } + ] + } + ] + } + env: + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml new file mode 100644 index 0000000..741daff --- /dev/null +++ b/.github/workflows/sbom.yml @@ -0,0 +1,18 @@ +name: Build a bill of materials ... and scan it + +on: + push: + branches: ["master"] + + workflow_dispatch: + +jobs: + sbom: + uses: pgmac-net/pg-actions/.github/workflows/sbom.yml@main + secrets: inherit + permissions: + attestations: write + contents: write + security-events: write + id-token: write + actions: read diff --git a/Dockerfile b/Dockerfile index e70f870..ff0dca6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:22.04 +FROM ubuntu:24.04 MAINTAINER Jason Rivers ENV NAGIOS_HOME /opt/nagios 
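Review bot: The build and push steps interpolate `${{ inputs.tags || steps.vars.outputs.tag }}` straight into `run:` shell lines; the value is derived from `GITHUB_REF`, i.e. from a tag name chosen by whoever pushes the tag, which is the expression-injection pattern GitHub's Actions hardening guide warns about. Only users with push rights reach it, but the documented fix is cheap: pass the value through a step `env:` and expand it as a quoted shell variable. The same expression in the Syft step's `image:` input is fine, since that is not a shell context. Separately, `workflow_dispatch` declares no inputs in this file, so `inputs.tags` is always empty and the `||` fallback is what actually runs.
```yaml
      - name: Build the Docker image
        env:
          IMAGE_TAG: ${{ inputs.tags || steps.vars.outputs.tag }}
        run: docker build . --file Dockerfile --tag "macro.int.pgmac.net:5000/nagios:${IMAGE_TAG}"

      - name: Push to my internal registry
        env:
          IMAGE_TAG: ${{ inputs.tags || steps.vars.outputs.tag }}
        run: docker push "macro.int.pgmac.net:5000/nagios:${IMAGE_TAG}"
      # … unchanged: Syft scan, artifact upload, attestation, Dependency Track, status and Slack steps …
```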
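Review bot: `uses: pgmac-net/pg-actions/.github/workflows/sbom.yml@main` together with `secrets: inherit` hands every repository secret (including `DT_APIKEY`, `DT_PROJECT_UUID` and `SLACK_WEBHOOK_URL`, which other workflows in this commit use) to a reusable workflow pinned to a mutable branch, and whatever `main` contains at run time executes here with `contents: write`, `security-events: write` and `id-token: write`. Pin the reference to a release tag or a commit SHA, and replace `secrets: inherit` with an explicit `secrets:` map listing only what that workflow needs. What the reusable workflow itself does is not visible from here, so whether it overlaps with the Syft upload in `anchore-syft.yml` is worth confirming.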
@@ -6,23 +6,25 @@ ENV NAGIOS_USER nagios ENV NAGIOS_GROUP nagios ENV NAGIOS_CMDUSER nagios ENV NAGIOS_CMDGROUP nagios -ENV NAGIOS_FQDN nagios.example.com +ENV NAGIOS_FQDN status.int.pgmac.net ENV NAGIOSADMIN_USER nagiosadmin ENV NAGIOSADMIN_PASS nagios ENV APACHE_RUN_USER nagios ENV APACHE_RUN_GROUP nagios -ENV NAGIOS_TIMEZONE UTC +ENV NAGIOS_TIMEZONE Australia/Brisbane ENV DEBIAN_FRONTEND noninteractive ENV NG_NAGIOS_CONFIG_FILE ${NAGIOS_HOME}/etc/nagios.cfg ENV NG_CGI_DIR ${NAGIOS_HOME}/sbin ENV NG_WWW_DIR ${NAGIOS_HOME}/share/nagiosgraph ENV NG_CGI_URL /cgi-bin -ENV NAGIOS_BRANCH nagios-4.5.0 -ENV NAGIOS_PLUGINS_BRANCH release-2.4.7 -ENV NRPE_BRANCH nrpe-4.1.0 -ENV NCPA_BRANCH v2.4.1 -ENV NSCA_BRANCH nsca-2.10.2 -ENV NAGIOSTV_VERSION 0.8.7 +ENV NAGIOS_BRANCH nagios-4.5.9 +ENV NAGIOS_PLUGINS_BRANCH release-2.4.12 +ENV NRPE_BRANCH nrpe-4.1.3 +ENV NCPA_BRANCH v3.1.2 +ENV NSCA_BRANCH nsca-2.10.3 +ENV NAGIOSTV_VERSION 0.9.2 +ENV MK_LIVESTATUS_VERSION 1.5.0p23 +ENV NAGVIS_VERSION 1.9.44 RUN echo postfix postfix/main_mailer_type string "'Internet Site'" | debconf-set-selections && \ @@ -41,6 +43,7 @@ RUN echo postfix postfix/main_mailer_type string "'Internet Site'" | debconf-set gettext \ git \ gperf \ + graphviz \ iputils-ping \ jq \ libapache2-mod-php \ @@ -48,6 +51,7 @@ RUN echo postfix postfix/main_mailer_type string "'Internet Site'" | debconf-set libcgi-pm-perl \ libcrypt-des-perl \ libcrypt-rijndael-perl \ + libcrypt-x509-perl \ libdbd-mysql-perl \ libdbd-pg-perl \ libdbi-dev \ @@ -59,7 +63,7 @@ RUN echo postfix postfix/main_mailer_type string "'Internet Site'" | debconf-set libjson-perl \ libldap2-dev \ libmonitoring-plugin-perl \ - libmysqlclient-dev \ + libmariadb-dev \ libnagios-object-perl \ libnet-snmp-perl \ libnet-snmp-perl \ 
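Review bot: The `NAGIOS_FQDN` and `NAGIOS_TIMEZONE` defaults now carry site-specific values (`status.int.pgmac.net`, `Australia/Brisbane`) in place of the neutral `nagios.example.com`/`UTC`; because `NAGIOS_FQDN` is written into Apache's `ServerName` by the `servername.conf` line later in this Dockerfile, anyone building from it gets that hostname unless they override the variable. Keeping the neutral defaults and supplying the site values at build time (`ARG` plus `--build-arg`) or at run time (`-e`) would keep the image reusable. The README hunk in this commit is also out of step with these values: it says Nagios Core 4.5.5 on Ubuntu 22.04 while `NAGIOS_BRANCH` is `nagios-4.5.9` here and the base image is `ubuntu:24.04`.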
@@ -68,17 +72,28 @@ RUN echo postfix postfix/main_mailer_type string "'Internet Site'" | debconf-set libpq-dev \ libradsec-dev \ libredis-perl \ + librrd-dev \ librrds-perl \ libssl-dev \ libswitch-perl \ + libtext-glob-perl \ libwww-perl \ m4 \ - netcat \ + netcat-openbsd \ parallel \ php-cli \ php-gd \ + php-json \ + php-mbstring \ + php-pdo \ + php-php-gettext \ + php-sqlite3 \ postfix \ + python3 \ + python3-venv \ + python3-paho-mqtt \ python3-pip \ + python3-pymssql \ python3-nagiosplugin \ rsync \ rsyslog \ @@ -87,8 +102,9 @@ RUN echo postfix postfix/main_mailer_type string "'Internet Site'" | debconf-set snmp \ snmpd \ snmp-mibs-downloader \ + sqlite3 \ unzip \ - python3 \ + xinetd \ && \ apt-get clean && rm -Rf /var/lib/apt/lists/* @@ -131,11 +147,11 @@ RUN cd /tmp git clone https://github.com/nagios-plugins/nagios-plugins.git -b $NAGIOS_PLUGINS_BRANCH && \ cd nagios-plugins && \ ./tools/setup && \ - ./configure \ - --prefix=${NAGIOS_HOME} \ - --with-ipv6 \ - --with-ping-command="/usr/bin/ping -n -U -W %d -c %d %s" \ - --with-ping6-command="/usr/bin/ping -6 -n -U -W %d -c %d %s" \ + ./configure \ + --prefix=${NAGIOS_HOME} \ + --with-ipv6 \ + --with-ping-command="/usr/bin/ping -n -U -W %d -c %d %s" \ + --with-ping6-command="/usr/bin/ping -6 -n -U -W %d -c %d %s" \ && \ make && \ make install && \ @@ -191,7 +207,7 @@ RUN cd /tmp && \ cd /tmp && rm -Rf nagiosgraph RUN cd /opt && \ - pip install pymssql paho-mqtt pymssql && \ + pip install --break-system-packages pymssql paho-mqtt && \ git clone https://github.com/willixix/naglio-plugins.git WL-Nagios-Plugins && \ git clone https://github.com/JasonRivers/nagios-plugins.git JR-Nagios-Plugins && \ git clone https://github.com/justintime/nagios-plugins.git JE-Nagios-Plugins && \ 
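Review bot: `pip install --break-system-packages pymssql paho-mqtt` installs the same two modules that the package-list hunk above now pulls in as `python3-pymssql` and `python3-paho-mqtt`; the flag then lets pip overwrite those apt-managed files in the system site-packages, which is exactly what the PEP 668 guard exists to prevent, and the two copies can drift apart on the next rebuild. Pick one source: drop the `pip install` line and keep the apt packages, or keep pip but install into a virtualenv using the `python3-venv` package the same hunk adds (`python3 -m venv /opt/venv && /opt/venv/bin/pip install pymssql paho-mqtt`) and point the plugins that need these modules at that interpreter. The `RUN cd /opt && \` chain containing the pip line continues past the end of the hunk.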
@@ -217,6 +233,38 @@ RUN cd /tmp && \ tar xf nagiostv-${NAGIOSTV_VERSION}.tar.gz -C /opt/nagios/share/ && \ rm /tmp/nagiostv-${NAGIOSTV_VERSION}.tar.gz +RUN apt-get update && apt-get install -y libboost-all-dev +RUN cd /tmp && \ + wget https://macro.int.pgmac.net/mk-livestatus-${MK_LIVESTATUS_VERSION}.tar.gz && \ + tar zxf mk-livestatus-${MK_LIVESTATUS_VERSION}.tar.gz && \ + cd mk_livestatus && \ + ./configure --with-nagios4 && \ + make && \ + make install && \ + cd /tmp && rm -Rf mk_livestatus && \ + cd /tmp && rm -f mk-livestatus-${MK_LIVESTATUS_VERSION}.tar.gz +RUN echo "broker_module=/usr/local/lib/mk-livestatus/livestatus.o /usr/local/nagios/var/rw/live" >> ${NAGIOS_HOME}/etc/nagios.cfg + +# Installing nagvis +RUN cd /opt && \ + git clone --depth 1 --branch nagvis-${NAGVIS_VERSION} https://github.com/NagVis/nagvis.git nagvis && \ + cp nagvis/etc/nagvis.ini.php-sample nagvis/etc/nagvis.ini.php && \ + sed -ie 's%^socket=.*$%socket="/usr/local/nagios/var/rw/live"%' nagvis/etc/nagvis.ini.php && \ + cp nagvis/etc/apache2-nagvis.conf-sample /etc/apache2/conf-available/apache2-nagvis.conf && \ + sed -ie 's%@NAGIOS_PATH@%/opt/nagios%g' /etc/apache2/conf-available/apache2-nagvis.conf && \ + sed -ie 's%@NAGVIS_PATH@%/opt/nagvis/share%g' /etc/apache2/conf-available/apache2-nagvis.conf && \ + sed -ie 's%@NAGVIS_WEB@%/nagvis%g' /etc/apache2/conf-available/apache2-nagvis.conf && \ + sed -ie 's/#AuthName/AuthName/' /etc/apache2/conf-available/apache2-nagvis.conf && \ + sed -ie 's/#AuthType/AuthType/' /etc/apache2/conf-available/apache2-nagvis.conf && \ + sed -ie 's/#AuthUserFile/AuthUserFile/' /etc/apache2/conf-available/apache2-nagvis.conf && \ + sed -ie 's/#Require/Require/' /etc/apache2/conf-available/apache2-nagvis.conf && \ + mkdir -p /opt/nagvis/var/tmpl/compile/ && \ + mkdir -p /opt/nagvis/var/tmpl/cache/ && \ + a2enconf apache2-nagvis && \ + chown -R ${NAGIOS_USER}:${NAGIOS_GROUP} /opt/nagvis/ && \ + mkdir -p /usr/local/nagios/var/rw && \ + chown 
${NAGIOS_USER}:${NAGIOS_GROUP} /usr/local/nagios/var/rw + RUN sed -i.bak 's/.*\=www\-data//g' /etc/apache2/envvars RUN export DOC_ROOT="DocumentRoot $(echo $NAGIOS_HOME/share)" && \ sed -i "s,DocumentRoot.*,$DOC_ROOT," /etc/apache2/sites-enabled/000-default.conf && \ @@ -250,10 +298,16 @@ RUN echo "use_timezone=${NAGIOS_TIMEZONE}" >> ${NAGIOS_HOME}/etc/nagios.cfg # Copy example config in-case the user has started with empty var or etc -RUN mkdir -p /orig/var && \ - mkdir -p /orig/etc && \ - cp -Rp ${NAGIOS_HOME}/var/* /orig/var/ && \ - cp -Rp ${NAGIOS_HOME}/etc/* /orig/etc/ +RUN mkdir -p /orig/var && \ + mkdir -p /orig/etc && \ + mkdir -p /orig/graph-etc && \ + mkdir -p /orig/graph-var && \ + mkdir -p /orig/xinetd.d && \ + cp -Rp ${NAGIOS_HOME}/var/* /orig/var/ && \ + cp -Rp ${NAGIOS_HOME}/etc/* /orig/etc/ && \ + cp -Rp /opt/nagiosgraph/etc/* /orig/graph-etc && \ + cp -Rp /opt/nagiosgraph/var/* /orig/graph-var && \ + cp -Rp /etc/xinetd.d/* /orig/xinetd.d/ ## Set the permissions for example config RUN find /opt/nagios/etc \! -user ${NAGIOS_USER} -exec chown ${NAGIOS_USER}:${NAGIOS_GROUP} '{}' + && \ @@ -268,8 +322,8 @@ RUN a2enmod session && \ RUN chmod +x /usr/local/bin/start_nagios && \ chmod +x /etc/sv/apache/run && \ chmod +x /etc/sv/nagios/run && \ - chmod +x /etc/sv/postfix/run && \ - chmod +x /etc/sv/rsyslog/run && \ + chmod +x /etc/sv/postfix/run && \ + chmod +x /etc/sv/rsyslog/run && \ chmod +x /opt/nagiosgraph/etc/fix-nagiosgraph-multiple-selection.sh RUN cd /opt/nagiosgraph/etc && \ @@ -278,7 +332,7 @@ RUN cd /opt/nagiosgraph/etc && \ RUN rm /opt/nagiosgraph/etc/fix-nagiosgraph-multiple-selection.sh # enable all runit services -RUN ln -s /etc/sv/* /etc/service +RUN ln -sf /etc/sv/* /etc/service # fix ping permissions for nagios user RUN chmod u+s /usr/bin/ping 
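Review bot: Every `sed -ie '…'` in the nagvis block is GNU sed's `-i` with a backup suffix of `e`, not `-i -e`, so the image is left with `nagvis/etc/nagvis.ini.phpe` and `/etc/apache2/conf-available/apache2-nagvis.confe`; change each of them to `sed -i -e '…'`. The mk-livestatus tarball is fetched from `https://macro.int.pgmac.net/…` with nothing checking what arrived, so a corrupted or replaced archive builds silently — add `echo "<EXPECTED_SHA256>  mk-livestatus-${MK_LIVESTATUS_VERSION}.tar.gz" | sha256sum -c -` right after the `wget`, with the digest kept next to `MK_LIVESTATUS_VERSION`. The separate `RUN apt-get update && apt-get install -y libboost-all-dev` layer skips the `apt-get clean && rm -Rf /var/lib/apt/lists/*` that the main install does and leaves the full Boost dev set in the runtime image. Finally, the `broker_module=` line echoed into `nagios.cfg` here is also added by the overlay `nagios.cfg` hunk later in this commit; depending on which is applied first, Nagios may be told to load livestatus twice, so one of the two should go.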
@@ -287,13 +341,13 @@ ENV APACHE_LOCK_DIR /var/run ENV APACHE_LOG_DIR /var/log/apache2 #Set ServerName and timezone for Apache -RUN echo "ServerName ${NAGIOS_FQDN}" > /etc/apache2/conf-available/servername.conf && \ - echo "PassEnv TZ" > /etc/apache2/conf-available/timezone.conf && \ +RUN echo "ServerName ${NAGIOS_FQDN}" > /etc/apache2/conf-available/servername.conf && \ + echo "PassEnv TZ" > /etc/apache2/conf-available/timezone.conf && \ ln -s /etc/apache2/conf-available/servername.conf /etc/apache2/conf-enabled/servername.conf && \ ln -s /etc/apache2/conf-available/timezone.conf /etc/apache2/conf-enabled/timezone.conf -EXPOSE 80 5667 +EXPOSE 80 5667 6557 -VOLUME "${NAGIOS_HOME}/var" "${NAGIOS_HOME}/etc" "/var/log/apache2" "/opt/Custom-Nagios-Plugins" "/opt/nagiosgraph/var" "/opt/nagiosgraph/etc" +VOLUME "${NAGIOS_HOME}/var" "${NAGIOS_HOME}/etc" "/var/log/apache2" "/opt/Custom-Nagios-Plugins" "/opt/nagiosgraph/var" "/opt/nagiosgraph/etc" "/opt/nagvis/var" "/opt/nagvis/etc" CMD [ "/usr/local/bin/start_nagios" ] diff --git a/README.md b/README.md index 4949389..fd7a8f9 100644 --- a/README.md +++ b/README.md @@ -4,15 +4,15 @@ Docker image for Nagios Build Status: [![Build Status](https://travis-ci.org/JasonRivers/Docker-Nagios.svg?branch=master)](https://travis-ci.org/JasonRivers/Docker-Nagios) -Nagios Core 4.4.14 running on Ubuntu 22.04 LTS with NagiosGraph & NRPE +Nagios Core 4.5.5 running on Ubuntu 22.04 LTS with NagiosGraph & NRPE | Product | Version | | ------- | ------- | -| Nagios Core | 4.5.0 | -| Nagios Plugins | 2.4.7 | -| NRPE | 4.1.0 | -| NCPA | 2.4.1 | -| NSCA | 2.10.2 | +| Nagios Core | 4.5.9 | +| Nagios Plugins | 2.4.12 | +| NRPE | 4.1.3 | +| NCPA | 3.1.2 | +| NSCA | 2.10.3 | ### Configurations Nagios Configuration lives in /opt/nagios/etc diff --git a/overlay/etc/sv/xinetd/run b/overlay/etc/sv/xinetd/run new file mode 100755 index 0000000..a0ab22e --- /dev/null +++ b/overlay/etc/sv/xinetd/run 
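Review bot: `VOLUME` now lists `/opt/nagvis/var` and `/opt/nagvis/etc`, but unlike the nagiosgraph directories nothing in this commit copies their build-time contents to `/orig`, and the `start_nagios` hunk seeds only `graph-etc`, `graph-var` and `xinetd.d`. A named volume is populated from the image on first creation, but a bind mount is not, so a user following the existing `-v host/path:/opt/nagvis/etc` pattern gets an empty directory without the `nagvis.ini.php` that the nagvis block generates. Add `mkdir -p /orig/nagvis-etc /orig/nagvis-var` plus the two `cp -Rp` lines to the `/orig` step, and the matching empty-directory check to `start_nagios`.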
@@ -0,0 +1,3 @@ +#!/bin/bash + +exec /usr/sbin/xinetd -f /etc/xinetd.conf -dontfork diff --git a/overlay/etc/xinetd.d/livestatus b/overlay/etc/xinetd.d/livestatus new file mode 100644 index 0000000..085d2a0 --- /dev/null +++ b/overlay/etc/xinetd.d/livestatus @@ -0,0 +1,14 @@ +service livestatus +{ + type = UNLISTED + port = 6557 + socket_type = stream + protocol = tcp + wait = no + cps = 100 3 + flags = NODELAY + user = nagios + server = /usr/local/bin/unixcat + server_args = /usr/local/nagios/var/rw/live + disable = no +} diff --git a/overlay/opt/nagios/etc/nagios.cfg b/overlay/opt/nagios/etc/nagios.cfg index d0fdbc3..e5927c7 100644 --- a/overlay/opt/nagios/etc/nagios.cfg +++ b/overlay/opt/nagios/etc/nagios.cfg @@ -222,7 +222,7 @@ event_broker_options=-1 #broker_module=/somewhere/module1.o #broker_module=/somewhere/module2.o arg1 arg2=3 debug=0 - +broker_module=/usr/local/lib/mk-livestatus/livestatus.o /usr/local/nagios/var/rw/live event_broker_options=-1 # LOG ROTATION METHOD diff --git a/overlay/usr/local/bin/start_nagios b/overlay/usr/local/bin/start_nagios index 1c8c488..632fa9f 100755 --- a/overlay/usr/local/bin/start_nagios +++ b/overlay/usr/local/bin/start_nagios 
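Review bot: The `livestatus` service definition has no `only_from` (or `bind`) entry, so once the Dockerfile's `EXPOSE 80 5667 6557` is published any host that can reach port 6557 gets an unauthenticated `unixcat` session to the Livestatus socket; as I understand the protocol, Livestatus also accepts `COMMAND` lines that it forwards to the Nagios command pipe, so this is write access to the monitoring core, not just status reads. Add `only_from = <TRUSTED_NETWORKS>` (placeholder for the monitoring subnets) and consider `instances` and `per_source` limits alongside the existing `cps = 100 3`. `user = nagios` is consistent with the socket directory being chown'd to that account in the Dockerfile.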
@@ -14,6 +14,25 @@ if [ -z "$(ls -A /opt/nagios/var)" ]; then cp -Rp /orig/var/* /opt/nagios/var/ fi +if [ -z "$(ls -A /opt/nagiosgraph/etc)" ]; then + echo "Started with empty /opt/nagiosgraph/etc, copying example data in-place" + cp -Rp /orig/graph-etc/* /opt/nagiosgraph/etc/ +fi + +if [ -z "$(ls -A /opt/nagiosgraph/var)" ]; then + echo "Started with empty /opt/nagiosgraph/var, copying example data in-place" + cp -Rp /orig/graph-var/* /opt/nagiosgraph/var/ +fi + +if [ -z "$(ls -A /etc/xinetd.d)" ]; then + echo "Started with empty xinetd config, copying example data in-place" + cp -Rp /orig/xinetd.d/* /etc/xinetd.d/ +fi + +# Cleanup unclean shutdown +[ -f /var/run/apache2/apache2.pid ] && rm /var/run/apache2/apache2.pid +[ -f /var/run/nsca.pid ] && rm /var/run/nsca.pid + if [ ! -f "${NAGIOS_HOME}/etc/htpasswd.users" ] ; then htpasswd -c -b -s "${NAGIOS_HOME}/etc/htpasswd.users" "${NAGIOSADMIN_USER}" "${NAGIOSADMIN_PASS}" chown -R ${NAGIOS_USER}.${NAGIOS_GROUP} "${NAGIOS_HOME}/etc/htpasswd.users" @@ -43,4 +62,3 @@ trap shutdown SIGTERM SIGHUP SIGINT wait "${RUNSVDIR}" shutdown -
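Review bot: The new `/etc/xinetd.d` branch only fires when that directory is empty, but the Dockerfile hunk in this commit does not add `/etc/xinetd.d` to `VOLUME`, so it is only ever empty if a user bind-mounts it explicitly; either add it to `VOLUME` so the seeding matters, or drop the branch and the `/orig/xinetd.d` copy. The pid-file cleanup is fine as written: a false `[ -f … ]` in an `&&` list does not trip `set -e` even if the script enables it, though a stale `nagios.lock` under `${NAGIOS_HOME}/var` is presumably the more common leftover after an unclean stop — worth checking whether Nagios handles that itself. The enclosing script starts and ends outside the hunk.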