Try Icinga 2 console in web browser

https://i2c.al2klimov.de

Sorry for the slightly long load time, I had to limit the CPU usage.

Same for the memory usage, so don’t be surprised if you get this one:

… and of course the limit of concurrent sessions.

Feedback welcome!

2 Likes

Hi,

a little more information would be nice. What is the use case for this? I hope this is only a technical concept since currently there is zero authentication.

The web console loads and I can execute expressions.

Best regards
Michael

1 Like

Hi,

I’ve been inspired by the consoles Redis provides and thought: The same thing for the Icinga 2 console would be awesome.

Those consoles also don’t require any authentication. What’s the problem?

Best,
AK

Load it in Kubernetes, hook that up to Prometheus/Grafana, see if people start tipping containers over. Actually could be fun.

For me both the costs of a managed K8s and the time needed for adding K8s support to this are too high for a service whose need I’m still evaluating.

I don’t know what you mean by “tipping containers over”, but if it’s the thing I hope you don’t mean… don’t worry. I run the actual containers on a VM separated from production (DOCKER_HOST=tcp://...) and have enforced well calculated resource limits.

Hi,

<53> => 
null
<54> => var p = "/etc/*"
null
<55> => glob(p)
[ "/etc/adduser.conf", "/etc/aliases", "/etc/aliases.db", "/etc/bash.bashrc", "/etc/bindresvport.blacklist", "/etc/debconf.conf", "/etc/debian_version", "/etc/deluser.conf", "/etc/environment", "/etc/fstab", "/etc/gai.conf", "/etc/group", "/etc/group-", "/etc/gshadow", "/etc/gshadow-", "/etc/host.conf", "/etc/hostname", "/etc/hosts", "/etc/hosts.allow", "/etc/hosts.deny", "/etc/inputrc", "/etc/issue", "/etc/issue.net", "/etc/ld.so.cache", "/etc/ld.so.conf", "/etc/libaudit.conf", "/etc/localtime", "/etc/login.defs", "/etc/machine-id", "/etc/mailcap", "/etc/mailcap.order", "/etc/mime.types", "/etc/mke2fs.conf", "/etc/motd", "/etc/mtab", "/etc/networks", "/etc/nsswitch.conf", "/etc/os-release", "/etc/pam.conf", "/etc/passwd", "/etc/passwd-", "/etc/profile", "/etc/protocols", "/etc/resolv.conf", "/etc/rmt", "/etc/rpc", "/etc/securetty", "/etc/services", "/etc/shadow", "/etc/shadow-", "/etc/shells", "/etc/subgid", "/etc/subgid-", "/etc/subuid", "/etc/subuid-", "/etc/sysctl.conf", "/etc/timezone", "/etc/ucf.conf", "/etc/xattr.conf", "/etc/alternatives", "/etc/apt", "/etc/bash_completion.d", "/etc/cron.daily", "/etc/default", "/etc/dpkg", "/etc/gss", "/etc/icinga2", "/etc/init.d", "/etc/insserv.conf.d", "/etc/kernel", "/etc/ld.so.conf.d", "/etc/ldap", "/etc/logrotate.d", "/etc/mysql", "/etc/nagios-plugins", "/etc/network", "/etc/opt", "/etc/pam.d", "/etc/perl", "/etc/postfix", "/etc/ppp", "/etc/profile.d", "/etc/python2.7", "/etc/rc0.d", "/etc/rc1.d", "/etc/rc2.d", "/etc/rc3.d", "/etc/rc4.d", "/etc/rc5.d", "/etc/rc6.d", "/etc/rcS.d", "/etc/resolvconf", "/etc/rsyslog.d", "/etc/security", "/etc/selinux", "/etc/skel", "/etc/ssl", "/etc/sysconfig", "/etc/sysctl.d", "/etc/systemd", "/etc/terminfo", "/etc/ufw", "/etc/update-motd.d" ]
<56> => 

I think this information shouldn’t be publicly available.

But again where is the use case for this? I can’t really imagine where you want to go with this. As a technical demo somewhere to show the Icinga 2 console this is okay, but for example integrated into Icinga Web 2 or Director I consider this dangerous without authentication.

Best regards
Michael

I agree. As another example, you can get additional information about the system and Icinga setup in globals.System:

ApplicationType = "IcingaApplication"
ApplicationVersion = "r2.12.0-1"
BuildCompilerName = "GNU"
BuildCompilerVersion = "8.3.0"
BuildHostName = "7d0bef593d60"
Configuration = {
        ApiBindHost = ""
        ApiBindPort = "5665"
        AttachDebugger = false
        CacheDir = "/var/cache/icinga2"
        Concurrency = 1.000000
        ConfigDir = "/etc/icinga2"
        DataDir = "/var/lib/icinga2"
        EventEngine = ""
        IncludeConfDir = "/usr/share/icinga2/include"
        InitRunDir = "/run/icinga2"
        LocalStateDir = "/var"
        LogDir = "/var/log/icinga2"
        ModAttrPath = "/var/lib/icinga2/modified-attributes.conf"
        ObjectsPath = "/var/cache/icinga2/icinga2.debug"
        PidPath = "/run/icinga2/icinga2.pid"
        PkgDataDir = "/usr/share/icinga2"
        PrefixDir = "/usr"
        ProgramData = ""
        RLimitFiles = 16384.000000
        RLimitProcesses = 16384.000000
        RLimitStack = 262144.000000
        RunAsGroup = "icinga"
        RunAsUser = "icinga"
        RunDir = "/run"
        SpoolDir = "/var/spool/icinga2"
        StatePath = "/var/lib/icinga2/icinga2.state"
        SysconfDir = "/etc"
        TlsHandshakeTimeout = 10.000000
        VarsPath = "/var/cache/icinga2/icinga2.vars"
        ZonesDir = "/etc/icinga2/zones.d"
        type = "Configuration"
}
[...]
PlatformArchitecture = "x86_64"
PlatformKernel = "Linux"
PlatformKernelVersion = "4.19.0-10-amd64"
PlatformName = "Debian GNU/Linux"
PlatformVersion = "10 (buster)"

A quick and dirty solution would be to put an Apache reverse proxy in front of the page with basic user/pass authentication; a much cleaner solution would be to force a login prompt in the console and use an ApiUser object with the right to connect to it for authentication, but that may require some development on the Icinga side.

EDIT: you can do something like this:

curl -s -k -u user:pass -H 'Accept: application/json' -X POST 'https://localhost:5665/v1/console/execute-script?command=whateveryouwant'

For the user/pass parameters, JavaScript executed on the browser side that shows a prompt and asks for those parameters for further requests would work.

Aside from this, it’s a great idea!

1 Like
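The browser-side approach suggested in the post above, as an added example that is not code from the thread or from the Icinga project: credentials are asked for once, kept in a closure, and sent as an HTTP Basic Authorization header to the same /v1/console/execute-script endpoint the curl command uses. Function names are hypothetical; the endpoint and the Accept header mirror the post, and the reply shape ({results: [{code, status, result}]}) is the format the Icinga 2 API returns.

```javascript
// Added example (not from the thread or the Icinga project): browser-side
// credential prompt forwarding console expressions to the Icinga 2 API with
// HTTP Basic auth. Function names are hypothetical.

// Base64 for the Authorization header: btoa() in browsers, Buffer in Node.
function toBase64(text) {
  return typeof btoa === 'function'
    ? btoa(text)
    : Buffer.from(text, 'utf8').toString('base64');
}

// Build the request (URL plus fetch() options) for one console expression.
// Credentials travel only in the Authorization header, never in the URL, so
// they do not end up in browser history or in proxy access logs.
function buildExecuteScriptRequest(apiBase, user, pass, command) {
  const url = new URL('/v1/console/execute-script', apiBase);
  url.searchParams.set('command', command);
  return {
    url: url.toString(),
    init: {
      method: 'POST',
      headers: {
        Accept: 'application/json',
        Authorization: 'Basic ' + toBase64(`${user}:${pass}`),
      },
    },
  };
}

// Reduce the API reply to the console result; a failed expression becomes an
// exception instead of silently printing nothing.
function extractConsoleResult(reply) {
  const first = reply && Array.isArray(reply.results) ? reply.results[0] : undefined;
  if (!first) {
    throw new Error('malformed API reply: no results[] entry');
  }
  if (first.code !== 200) {
    throw new Error(`expression failed (code ${first.code}): ${first.status}`);
  }
  return first.result;
}

// Ask once for credentials (window.prompt in a browser) and keep them in the
// closure; returns an async function that executes console commands.
function createConsoleSession(apiBase, askUser, askPass) {
  const user = askUser();
  const pass = askPass();
  if (!user || !pass) {
    throw new Error('credentials are required');
  }
  return async function run(command) {
    const { url, init } = buildExecuteScriptRequest(apiBase, user, pass, command);
    const response = await fetch(url, init);
    if (response.status === 401) {
      throw new Error('authentication failed: check the ApiUser credentials');
    }
    return extractConsoleResult(await response.json());
  };
}

// Browser usage (the ApiUser credentials are whatever the prompt returns; the
// host is the one from the curl command in the post):
//   const run = createConsoleSession('https://localhost:5665',
//     () => window.prompt('API user'), () => window.prompt('API password'));
//   run('var p = "/etc/*"; p').then(console.log);
```

The ApiUser used here still needs console/* permissions on the Icinga 2 side, so restricting who may run expressions is done with the existing ApiUser permission model rather than in the page itself.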

You’ve already answered yourself.

Oh, and I’d consider none of this info about the VM running the containers secret. Everything else is about the container itself – which is temporary.

This is common information, and it is indeed not usually harmful from a security point of view. However, in a production environment it’s quite probable Icinga will instantiate vars that come with host/service objects issued from a master/satellite (at least in my case), because for some checks a login/pass is required (SQL user, SNMPv3, etc.).

1 Like

Hi,

Nonetheless it would be useful to give this information in the first post.

From the perspective of creating a demo to show the console this may be true. In a production environment I would not want to have the console unauthenticated. With the collected information one could find out which software is also installed on the server, and since he also knows the distribution he also knows the versions of the software used. This opens an attack window which is not necessary.

Best regards
Michael

Whoops, I crashed an instance by running this:

<7> => glob_recursive("/","*.conf")
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Error while evaluating expression: Function call 'opendir' for file '//dev/fd/11' failed with error code 2, 'No such file or directory'
free(): double free detected in tcache 2
Caught SIGABRT.
Current time: 2020-08-19 11:41:47 +0000

critical/Application: Icinga 2 has terminated unexpectedly. Additional information can be found in '/var/log/icinga2/crash/report.1597837307.681472'

Connection to i2c.al2klimov.de closed.

Also, the same behavior occurs for directories where permission is denied, like /root for example.

Don’t worry. You’ve crashed only your instance.

Could you please open an issue? This is an upstream Icinga 2 problem.

@bsheqa What about hosting this by ourselves?

I could imagine this as part of a larger “Learn Icinga” online course for newcomers. Would that make sense?

Of course this would require much more around the CLI and I’m not sure if and when we could bring up resources to build it. But still, I think I like the idea.

What about linking to this from Language Reference - Icinga 2 / Library Reference - Icinga 2?

1 Like

@bsheqa b. u. m. p.

Not much more to add to what I previously said ~1 month ago.

If we think it can help users I’d be happy to host it on our infrastructure :+1:

1 Like

Both Someone (see likes) and I think this makes sense:

@nhilverling What’s your opinion?