I have a FON router which allow anyone to connect to Intenet via my network connection. I like the openess and idea behind FON but I do not want to get in trouble if someone do bad things and using my network connection.

One solution is to connect the FON accesspoint to a separate network segment and let all traffic from that network go through TOR, the onion router. 

Another feature is when I want to be anonymous on Internet I plugin my computer to that network segment.

Setup

I use OpenBSD as my firewall and the first step is to download, compile and configure TOR. I downloaded the tarball from https://www.torproject.org and used the normal procedure:

# wget https://www.torproject.org/dist/tor-0.2.2.35.tar.gz

# tar xzvf tor-0.2.2.35.tar.gz 

# cd tor-0.2.2.35                                                                                                                                                                

# ./configure&&make&&make install

Configure pf

I use a specific ethernet interface, fxp0, which will route all traffic into tor. 

--cut from /etc/pf.conf--

#Tor traffic

tor_if ="fxp0"

# Tor's TransPort

trans_port = "9040"

pass in quick on $tor_if inet proto udp to port domain rdr-to 127.0.0.1 port 5300 

pass in quick on $tor_if inet proto { tcp udp } to !($tor_if) rdr-to 127.0.0.1 port $trans_port

--end cut--

Configure tor

# cat /usr/local/etc/tor/torrc

VirtualAddrNetwork 10.192.0.0/10

AutomapHostsOnResolve 1

TransPort 9040

DNSPort 5300

Log notice syslog

#Log debug stderr

RunAsDaemon 1

Note: I know that best practice is to let the tor process run as non root user. That requires read access to /dev/pf and I did not bother to get it working.

Dhcpd config

I assume that a OpenBSD sysadmin knows how to setup dhcpd so I will just show the config addon I did to /etc/dhcpd.conf.

shared-network tor-net {

        option  domain-name "it-slav-tor-net";

        option  domain-name-servers 10.1.2.1;

        option  ntp-servers 10.1.2.1;

        subnet 10.1.2.0 netmask 255.255.255.0 {

                option routers 10.1.2.1;

                range 10.1.2.100 10.1.2.200;

        }

The ip-adress of the fxp0 interface is 10.1.2.1

Start tor

# /usr/local/bin/tor

Jan 10 20:52:48.880 [notice] Tor v0.2.2.35 (git-b04388f9e7546a9f). This is experimental software. Do not rely on it for strong anonymity. (Running on OpenBSD i386)

Jan 10 20:52:48.885 [warn] It's a little hard to tell, but you seem to have Libevent 1.4.0-beta header files, whereas you have linked against Libevent 1.4.14b-stable.  This will probably make Tor crash.

Jan 10 20:52:48.886 [notice] Initialized libevent version 1.4.14b-stable using method kqueue. Good.

Jan 10 20:52:48.886 [notice] Opening Socks listener on 127.0.0.1:9050

Jan 10 20:52:48.887 [notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9040

Jan 10 20:52:48.887 [notice] Opening DNS listener on 127.0.0.1:5300

Final step

Plugin your fon router and enjoy!

Links

The hints to this article was found at:

•  https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy 

It really annoyed me that the iowait at the cpu on the Dom 0 system was approximatly 50% when the 4 virtual system was doing more or less nothing.

I showed my earlier blogpost about VM virtualization to our sysadmin at op5. He gave me a couple of more hints that really make a big difference, the best part is that they are real simple to implement.

I also noticed that I forgot some parts in the previous article that was obvius to me.

#1 use virtio drivers if possible

This is probably the single most important step to get the most out of the hardware.

When the virtual systems wants to communicate with the hardware it uses drivers, if the drivers are simulating hardware to give a service to the virtual operating system it adds alot of overhed. A simple example:

• The virtual system wants to access the disk
• The virtual system communicates via the driver to the hardware
• The hardware is not real hardware, it is emulated hardware in sofware 
• The software that emulates the hardware sends the I/O to the Dom 0 virtualization engine
• The Virtualization engine verifies that the access is ok, translate it to real hardware call via its driver
• The hardware do the operation and send the result back up via all the steps to the virtual operating system

All this transalations and software calls take alot of resources from the machine.

By using virtual drivers, so that there is no need to emulate hardware, many of the steps can be skipped or done with much less penalty. However not all operating system have virtio drivers.

#2 load the virtio modules in Dom 0

This is a real god hint I got from our sysadmin, load the virtual drivers in the Dom 0 system asweell. According to him, the virtual drivers in the Dom 0 and Dom U:s communicate and makes the I/O much more effective. I have not found any information about this at any place so I was sceptical but I tried it.

# modprobe virtio_balloon
# modprobe virtio_blk
# modprobe virtio_net
# modprobe virtio_pci

The virtual systems need to be rebooted as far as I know before the loaded drivers will have any effect.

At first no change at all, but after few hours I noticed that CPU idle raized and the iowait went from at least 50% down to below 5%.

A nice graph, created by op5 Monitor showing the difference:

I loaded the virtual drivers approximately 4 pm, and it took until 10 pm before the performance boost showed up.

The correct way of making sure that the drivers are loaded directly would be to remake the kernel but I'm lazy so I have just added the module load to /etc/rc.local

Conclusions

It is always important to monitor systems. When doing changes it is not possible know if the changes do have any impact if you do not monitor and follow up how and if the changes does anything.

My former statement that KVM is not mature is more true then I have thought. The knowledge how to tune and maintain KVM systems seems to be like black art where the knowledge is not documented and well spread. I have read the RedHat virtualization and I have not found anything about that the virtual drivers should be loaded on the Dom0 system.

If there is anyone out there that has some documentation or more hints, please send me the link or comment this blogpost.

Links:

• RedHat virtualization doc
• op5 Monitor that monitor and creates nice graphs
• check_cpu_stats Nagios plugin to monitor cpustat

As an it slave, I have the same problems as most datacenters:

• Running out of space because of more and more machines get into the datacenter
• Overheating
• Powerconsumption

Added to the "normal" datacenter problems, I also have to deal with:

• Wife acceptance
• Noice, my neighbours has complained about the noice outside my basement.

To address this issues I will run a consolidation project to get fewer machines by using virtualization. As virtualization engine, KVM is choosed.

This article will describe some pitfalls I run into and how I solved them.

KVM plattform

KVM seems to be the future for virtualization within the Linux area since Xen has done some mistakes.

As I have good experience of running CentOS and has KVM included I decided to use CentOS as the plattform for my virtualization.

Issues

Bridge network

To let the virtual boxes has full access to the network you need create a network bridge, it is rather straightforward and well documented so I will skip this part. I used the documentation on Red Hat customer support. Why KVM requires a bridge instead of a normal NIC is another question

Snapshots

One handy feature with virtualization is that the virtual systems can be one big fat file at the physical host, this gives the possibility to make full backups without turning the system down a.k.a snapshots.

However to get snapshot to work the filetype must be qcow2 and raw is the default format.

It is possible to convert from raw to qcow2 format by running the command:

qemu-img convert -f raw -O qcow2 <virtualhost>.img <virtualhost>.img.qcow2

Remember to turn of your virtual system by running:

virsh shutdown <virtualhost>

After the conversion:

virsh edit <virtualhost>

modify the type and path, i.e.

      <driver name='qemu' type='qcow2' cache='none'/>
      <source file='/var/lib/libvirt/images/web.img.qcow2'/>

Start your virtual system:

virsh start <virtualhost>

Take a snapshot with:

qemu-img snapshot -c <snapshotname> <virtualhost>.img.preallc.qcow2

To create a full image of your snapshot you need to compile a more resent version of qemu-img then shipped with CentOS 6.2, I download a later version and compiled it from here, i renamed the new to qemu.img2 and copied it to /usr/local/bin

qemu-img2 convert -p -f qcow2 -O qcow2 -s <snapshotname> <virtualhost>.img.preallc.qcow2 <targetpath>

Beware: This command can use all your resources and may affect all your virtual systems, use nice and ionice to prevent it.

Disk I/O

After installing just a few virtual system I noticed that my physical host got alot of I/O wait, it can be seen by using tools like top.

To monitor this I installed the nagios plugins:

• check disk io, can be found here
• check cpu stats, can be found here
• check_libvirt, developed by op5 and an Howto

However it seems like that though my virtual systems did more or less nothing they caused alot of disk I/O on the physical system.

I did some investigations and read quite many articles, fiddled and tested. The following is what worked for me in my setup.

#1 Change disk scheduler

The disk scheduler can be changed on runtime by modify the file:

/sys/block/sda/queue/scheduler

to see what scheduler you use now:

cat /sys/block/sda/queue/scheduler

Change sda to the device you have.

The scheduler that worked best for me is deadline

echo deadline > /sys/block/sda/queue/scheduler

#2 Mount with noatime

A feature in Unix and other Unixlike systems like Linux is that it normaly stores when a file is accessed. So one read always produce a write and if you are using raid like morroring this get worse, one reade always generate several writes. This creates alot of overhead for a feature soldom used.

So change /etc/fstab so it will mount the file systems with noatime.
An axample:

UUID=a290aa4b-635c-45fa-b144-1fbef90b3735 /                       ext4    defaults,noatime        1 1

#3 Preallocation disk images

A real boost that is hidden in the featureset and not shown in the virtualmachine gui is using preallocation disk images. They cannot be created from the GUI so I install the virtual machine, turn it of and convert it afterwards.

qemu-img convert -f qcow2 -O qcow2 -o preallocation=metadata <virtualhost>.img.qcow2 <virtualhost>.img.preallc.qcow2

Change the path to new image name by editing the virtual machine settings

virsh edit <virtualhost>

Conclusions

In my opinion it seems like KVM is still a little bit immature or at least the tools to handle it. Maybe it would be a good idea to have one linux distro focusing on beeing the best platform for virtualization.

I am convinced that I can get even more bang for the bucks out of my installation if I learn how to tweak it even more, so if you have any hints, do not hesitate to contact me. Preferably as a comment to this blogpost.

Referenses:

• op5 Monitor, a nagios based enterprise monitor tool to monitor my environment
• check_libvirt, a nagios plugin done by op5 to monitor KVM
• check_diskio, a nagios plugin to monitor disk I/O
• check_cpu_stats, a nagios plugin to monitor cpu usage rather detailed
• Another blogpost which helped me
• KVM performance improvements and optimizations – Red Hat presentation

It is real simple, just add to following to /etc/config/firewall:

#open ssh on wan interface
config rule               
        option src              wan
        option dest_port        22
        option target           ACCEPT    
        option proto            tcp 

And restart the firewall:

#/etc/init.d/firewall restart

I’m the happay owner of a Huawei E1750 modem and it is real easy to get it running in Ubuntu. This guide will probably work with many other 3G USB modems.

Just type from the command line:

sudo apt-get install usb-modeswitch

Plug in the modem

Go to the Network manager and enter your Mobile Broadband credentials and now it works!

Background

I was with my geekfriends at a ski resort and I managed to get an Internet connection using a cellphone. Of course I wanted to share it with my friends. As geeks we brought a switch and a couple of ethernetcables.

Solution

Using this script on a Ubuntu 9.10 I managed to share my connection:

sudo ifconfig eth0 10.8.16.1
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv4.conf.default.forwarding=1
sudo sysctl -w net.ipv4.conf.all.forwarding=1
sudo iptables -P FORWARD ACCEPT
sudo iptables --table nat -A POSTROUTING -o ppp0 -j MASQUERADE

Conmnect everymachine with the switch and the clients just needed to use a 10.0.0.0/8 network adress and add 10.8.16.1 as default gateway and it works!

After some Google search and reading of man pages I finally get it working.

My setup is a Nokia E52 and a IBM T60 laptop running Ubuntu 9.10. I have tested it with a Ericsson P1i and a Dell D630 aswell and I think the guidlines below will work with many other setups. One exception is probably iPhone

From a bash shell run:

peter@svarten:~$ sdptool search DUN
Inquiring ...
Searching for DUN on A8:7E:33:20:40:0F ...
Service Name: Dial-Up Networking
Service RecHandle: 0x10030
Service Class ID List:
  "Dialup Networking" (0x1103)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 5
Language Base Attr List:
  code_ISO639: 0x454e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "Dialup Networking" (0x1103)
    Version: 0x0100

peter@svarten:~$ sudo rfcomm connect 1 A8:7E:33:20:40:0F 5
[sudo] password for peter:
Connected /dev/rfcomm1 to A8:7E:33:20:40:0F on channel 5
Press CTRL-C for hangup

Now my phone asks if I accept the connection and I choose "yes".

And now the networkmanager has a new "Mobile Broadband connection". Just choose your operator and it will work.

I use MythTV quite frequently and noticed that it is instable when using sasc-ng as a decoder to decrypt encrypted DVB-T channels. So approximatly every third day the MythTVbackend server stops and need to be started again. I have wriiten an earlier article about howto monitor MythTV with Nagios or op5 Monitor so I get noticed that it has stopped. But I need to manually start it again. This article describe howto make Nagios or op5 Monitor to start a stopped MythTVbackend. It can be used for starting almost any service.

I have used the examples provided by Ethan at Nagios official documentation describing eventhandlers.

Normally it is not recommended to let a tool like Nagios or op5 Monitor start a service that has stopped, because it is probably a reason why the service has stopped and the correct procedure is to fix the root cause of the problem, not the symptom.

The MythTV backend runs on one machine called lala (after a character in Teletubbies) which is not the same as the Nagios or op5 Monitor server. I use nrpe to run the start script i.e.

 /etc/init.d/mythtv-backend start

There is several options here but I already setup the nrpe agent and it is simple to make Nagios or op5 Monitor to use nrpe to run a script.

Implementation

I used the script I found at Nagios documentation about eventhandlers as a base and modiied it slightly.

At my op5 Monitor machine

/opt/plugins/custom/restart-mythtv-lala.sh

#!/bin/sh
#
# Event handler script for restarting the mythTVbackend server on lala
#
# Note: This script will only restart the mythtvbackend if the service is
#       retried 2 times (in a "soft" state) or if the service somehow
#       manages to fall into a "hard" error state.
#

# What state is the mythbackend service in?
case "$1" in
OK)
	# The service just came back up, so don't do anything...
	;;
WARNING)
	# We don't really care about warning states, since the service is probably still running...
	;;
UNKNOWN)
	# We don't know what might be causing an unknown error, so don't do anything...
	;;
CRITICAL)
	# Aha!  The HTTP service appears to have a problem - perhaps we should restart the server...

	# Is this a "soft" or a "hard" state?
	case "$2" in

	# We're in a "soft" state, meaning that Nagios is in the middle of retrying the
	# check before it turns into a "hard" state and contacts get notified...
	SOFT)

		# What check attempt are we on?  We don't want to restart the web server on the first
		# check, because it may just be a fluke!
		case "$3" in

		# Wait until the check has been tried 3 times before restarting the web server.
		# If the check fails on the 4th time (after we restart the web server), the state
		# type will turn to "hard" and contacts will be notified of the problem.
		# Hopefully this will restart the web server successfully, so the 4th check will
		# result in a "soft" recovery.  If that happens no one gets notified because we
		# fixed the problem!
		2)
			echo "`date` Restarting mythtv service (2rd soft critical state)..." >> /tmp/mythtvstart
			# Call the init script to restart the mythbackend server
			#/etc/rc.d/init.d/httpd restart
			#date >> /tmp/mythtvstart
			/opt/plugins/check_nrpe -H lala -c start_mythtvbackend
			;;
			esac
		;;

	# The mythtvbackend service somehow managed to turn into a hard error without getting fixed.
	# It should have been restarted by the code above, but for some reason it didn't.
	# Let's give it one last try, shall we?
	# Note: Contacts have already been notified of a problem with the service at this
	# point (unless you disabled notifications for this service)
	HARD)
		echo "`date` Restarting mythtv service (hard state)..." >> /tmp/mythtvstart
		# Call the init script to restart the HTTPD server
		#/etc/rc.d/init.d/httpd restart
		#date >> /tmp/mythtvstart
		/opt/plugins/check_nrpe -H lala -c start_mythtvbackend
		;;
	esac
	;;
esac
exit 0

/opt/monitor/misccomands.cfg

# command 'restart-mythtv-lala'
define command{
    command_name                   restart-mythtv-lala
    command_line                   /opt/plugins/custom/start-mythtv-lala.sh $SERVICESTATE$ $SERVICESTATETYPE$ $SERVICEATTEMPT$
    }

/opt/monitor/etc/services.cfg

# service 'Mythbackend'
define service{
    use                            default-service
    host_name                      lala
    service_description            Mythbackend
    check_command                  check_tcp!6543
    servicegroups                  MythTV,it-slav
    event_handler                  restart-mythtv-lala!$SERVICESTATE$ $SERVICESTATETYPE$ $SERVICEATTEMPT$
    contact_groups                 it-slav_sms,it-slav_jabber,it_slav_mail
    }

At my mythbackend machine lala

/etc/nrpe.d/mycommands.cfg
command[start_mythtvbackend]=/usr/bin/sudo /etc/init.d/mythtv-backend start

/etc/sudoers
nobody ALL= (root) NOPASSWD:/etc/init.d/mythtv-backend start

Test

I stopped the mythtvbackend by running:

peter@lala:/etc/nrpe.d$ date
Mon Jun 15 20:40:55 CEST 2009
peter@lala:/etc/nrpe.d$ sudo /etc/init.d/mythtv-backend stop
 * Stopping MythTV server: mythbackend

And run

[root@op5 ~]# tail -f /tmp/mythtvstart
Mon Jun 15 20:47:09 CEST 2009 Restarting mythtv service (2rd soft critical state)...

YES it works!

Links:

• op5 Monitor a Nagios based supported enterprise Monitoring software.
• MythTV a free OpenSource Digital Video Recorder
• Nagios Open Source Monitoring

This is a typical log message in /var/log/authlog

Feb  9 20:15:49 pedro sshd[30934]: Failed password for root from 67.205.85.119 port 35603 ssh2
Feb  9 20:15:49 pedro sshd[2656]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb  9 20:15:51 pedro sshd[15299]: Failed password for root from 67.205.85.119 port 35753 ssh2
Feb  9 20:15:51 pedro sshd[15791]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb  9 20:15:53 pedro sshd[9043]: Failed password for root from 67.205.85.119 port 35882 ssh2
Feb  9 20:15:53 pedro sshd[31484]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb  9 20:15:54 pedro sshd[27717]: Failed password for root from 67.205.85.119 port 36030 ssh2
Feb  9 20:15:55 pedro sshd[30185]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb  9 20:15:56 pedro sshd[27718]: Failed password for root from 67.205.85.119 port 36164 ssh2
Feb  9 20:15:56 pedro sshd[28005]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb  9 20:15:58 pedro sshd[30648]: Failed password for root from 67.205.85.119 port 36314 ssh2
Feb  9 20:15:58 pedro sshd[21087]: Received disconnect from 67.205.85.119: 11: Bye Bye

Of course this is a script kiddie that tries to break into my firewall just because it answers on port 22 and it is annoying. One way of make it a little harder to break in is by let the packetfilter drop all packages that comes from an ip-address that did this.

This one way of doing it.

Create a pf blacklist /etc/pf.conf

–snipp–

table <ssh_blacklist> persist file "/var/pf/ssh_blacklist"
...

block in quick log on $ext_if from <ssh_blacklist> to any

–snipp–

Create a script that detects failed ssh breakin attempts and updates the blacklist

root@pedro:/var/log# cat /root/scripts/blockbadssh.sh
#!/bin/sh
logger "Check for bad ssh behavior"
PATH=/bin:/usr/bin
BL=/var/pf/ssh_blacklist
TEMPFILE=$(mktemp /tmp/bl_XXXXXX) || exit 1
TEMPFILE2=$(mktemp /tmp/bl2_XXXXXX) || exit 1

#cp $BL $TEMPFILE
grep "Invalid user" /var/log/authlog | awk '{print $10}' | sort | uniq > $TEMPFILE2
grep "Failed password for invalid" /var/log/authlog | awk '{print $13}' | sort | uniq  >> $TEMPFILE2
grep "Failed password for root" /var/log/authlog | awk '{print $11}' | sort | uniq  >> $TEMPFILE2

sort $TEMPFILE2 |uniq > $TEMPFILE
#echo "Nu är TEMPFILE"
#cat $TEMPFILE

#cat $BL >> $TEMPFILE
for i in `cat $TEMPFILE`
do
  grep $i $BL>/dev/null
  if [ "$?" == "1" ]
  then
    logger "Added $i to ssh-blacklist"
    echo "Added $i to ssh-blacklist"
  fi
done

cat $BL >> $TEMPFILE
sort $TEMPFILE | uniq > $BL

rm $TEMPFILE
rm $TEMPFILE2

/sbin/pfctl -t ssh_blacklist -Treplace -f $BL 2>&1 | grep -v "no changes"

Make it run every minute

root@pedro:/var/log# crontab -l 

*     *       *       *       *       /root/scripts/blockbadssh.sh

I know this is a dirty way of doing it and it is a good idea to have another pf rule that accept traffic from well known hosts so you do not get blocked because you failed a login.

In my case the backup script is started on another host then op5 Monitor or Nagios server, so I also will need a way of sending the data from the passive check over the network, the recommended way is to use nsca. Read the theory at http://nagios.sourceforge.net/docs/3_0/addons.html#nsca

In my op5 Monitor system the nsca daemon to recieve nsca information was installed so I only had to start it:

/etc/init.d/nsca start

This is the steps I did to install it on the client:

1. Download nsca from here.

2. Untar and compile nsca

3. Create a ncsa config file i.e. send_nsca.cfg

encryption_method=0

Now the data will be transmitted unencrypted over the network, this might not be what you want. Make sure that the corresponding nsca config file on the Nagios or op5 Monitor host has the same encryption method.

4. Create a passive check for testing.

# service 'Passive check test'

define service{

    use                            default-service

    host_name                      dull

    service_description            Passive check test

    check_command                  check_dummy!3 "No Data from passive check"

    max_check_attempts             1

    active_checks_enabled          0

    check_freshness                1

    freshness_threshold            300

    flap_detection_options         n

    contact_groups                 it-slav_mail,call_it-slav,it-slav_msn

    stalking_options               n

    }

Explanation:

The check_dummy command will be run if no passive check has been recieved within 5 minutes (300 seconds).

4. test

-First test, wait 5 minutes and your service "Passive check test" should be in status UNKNOWN

-Second test, create a file passive_file_test_critical (the separator is TAB):

dull    Passive check test      2       CRITICAL:test critical

run command:

send_nsca -H nagios_host  -c  send_nsca.cfg < passive_check_data_critical

and the status should change to CRITICAL

-Third test, create a file passive_check_data_ok (the separator is TAB):

dull    Passive check test      0       OK: test ok

Run the command

send_nsca -H  nagios_host -c  send_nsca.cfg < passive_check_data_ok

And the status should change to OK

Now you can set the status of a Nagios or op5 Monitor service by using commands that can be used in scripts. I will in a later article describe how I use it in my MySQL backup script.

Links:

• NSCA
• Nagios passive check theory
• op5 Monitor
• An article about monitor automysqlbackup with passive checks

Troubleshooting hint:

If it does not work, a good hint is to take a look into nagios.log

It is a shell script that has very modest requirements list:

• mysqldump, included in mysql client
• gzip or bzip2 if you want it compressed.
• mail if you want the status of the script to be emailed.

Features:

• Backup mutiple MySQL databases with one script. (Now able to backup ALL databases on a server easily. no longer need to specify each database seperately)
• Backup all databases to a single backup file or to a seperate directory and file for each database.
• Automatically compress the backup files to save disk space using either gzip or bzip2 compression.
• Can backup remote MySQL servers to a central server.
• Runs automatically using cron or can be run manually.
• Can e-mail the backup log to any specified e-mail address instead of “root”. (Great for hosted websites and databases).
• Can email the compressed database backup files to the specified email address.
• Can specify maximun size backup to email.
• Can be set to run PRE and POST backup commands.
• Choose which day of the week to run weekly backups.

Download it, modify some parameters and put in /etc/cron.daily and now your database is backuped.

The script looks in /etc/fstab and compares it with the file systems mounted. If anything is missing, return CRITICAL and the name of the missed mountpoint. The script does not check that some system file systems are mounted i.e. /proc

I have uploaded this script to nagios exchange.

#!/bin/sh
#By peter@it-slav.net
#GPLv2

RESULT=0
TMPFILE=`mktemp /tmp/mount.XXXXXXXXXX`
FSTABMOUNTS=`grep -e '^#' -v /etc/fstab|grep -v  tmpfs |grep -v devpts|grep -v sysfs|grep -v proc|grep -v swap| awk '{print $2}'`
for i in $FSTABMOUNTS
do
        mountpoint $i > /dev/null
        if [ $? != "0" ]
        then
                echo -n "$i " >>$TMPFILE
                RESULT=2
        fi

done
#echo $RESULT
if [ $RESULT != "0" ]
then
        echo "is not mounted" >> $TMPFILE
        echo -n "CRITICAL: "
        cat $TMPFILE
else
        echo "OK: All disks mounted"
fi
rm $TMPFILE
exit $RESULT

Links:

• check_mounts.sh at Nagiosexchange
• op5 Monitor
• My other blog about the problems when I did a kernel upgrade