Predefined check types reference
Infracheck ships with a set of standard checks by default. Here is the list:
http
Performs an HTTP call using curl.
Example:
{
    "type": "http",
    "input": {
        "url": "http://iwa-ait.org",
        "expect_keyword": "iwa",
        "not_expect_keyword": "Server error"
    }
}
Parameters:
- url
- expect_keyword
- not_expect_keyword
rkd://
Infracheck can execute RiotKit-Do tasks. RKD is a task executor, similar to Makefile or Gradle. Its essential feature is the ability to load tasks from PyPI (Python packages).
Using RKD you can write a Python class, version it and release it to PyPI with a list of dependencies, and install it anywhere with pip. A packaged task can require extra dependencies that you do not always want to install, e.g. MySQL, PostgreSQL, Redis or other clients that you want to install selectively on your Infracheck instances.
For more information on how to write RKD tasks, see RiotKit-Do’s documentation.
{
    "type": "rkd://rkd.standardlib.shell:sh",
    "input": {
        "-c": "ps aux |grep X11"
    }
}

{
    "type": "rkd://my_rkd_check:mysql:temporary-table-size-check",
    "input": {
        "--max": "100000",
        "--host": "localhost",
        "--port": 3306,
        "--user": "infracheck",
        "--password": "${TEMP_TABLE_SIZE_CHECK_PASSWORD}"
    }
}
docker-health
Checks if containers are healthy.
Parameters:
- docker_env_name (a prefix: only containers whose names begin with it are checked, the docker-compose idea)
port-open
Checks if the port is open.
Parameters:
- po_host
- po_port (in seconds)
- po_timeout (in seconds)
replication-running
Checks if the MySQL replication is in a good state. Works with Docker only.
Parameters:
- container
- mysql_root_password
free-ram
Monitors RAM usage to notify when a maximum percentage of memory has been used.
Parameters:
- max_ram_percentage (in percent, e.g. 80)
domain-expiration
Checks if the domain is close to its expiration date or has already expired.
Notice: Using this check multiple times can cause a “request limit exceeded” error.
Warning: Because whois usage is limited per IP, we strongly recommend caching this health check (e.g. a 1-2 day cache) and, when checking multiple domains, using the feature called “wait time” to sleep between checks, so that too many requests are not sent at once.
Parameters:
- domain (domain name)
- alert_days_before (number of days before expiration date to start alerting)
disk-space
Monitors disk space.
Parameters:
- min_req_space (in gigabytes)
- dir (path)
Example JSON:
{
    "type": "disk-space",
    "input": {
        "dir": "/",
        "min_req_space": "6"
    }
}
ovh-expiration
Checks if a VPS is not expired. Grab credentials at https://api.ovh.com/createToken/index.cgi
Required privileges on OVH API: “GET /vps*”
Parameters:
- endpoint (ex. ovh-eu)
- app_key
- app_secret
- app_consumer_key
- service_name (ex. somevps.ovh.net)
- days_to_alert (ex. 30 for 30 days)
Example JSON:
{
    "type": "ovh-expiration",
    "input": {
        "endpoint": "ovh-eu",
        "app_key": "xyyyyyyyyyyyyzz",
        "app_secret": "xyxyxyxyyxyxyxyxyxyxxyyxyxyxyxy",
        "app_consumer_key": "xyxyyxyxyxyxyxyxyxyyxyxyxyxyxy",
        "service_name": "vps12345678.ovh.net",
        "days_to_alert": 5
    }
}
ssh-fingerprint
Verifies that the remote host's fingerprint matches the expected one. Helps detect man-in-the-middle and server takeover attacks.
Parameters:
- expected_fingerprint (example: zsp.net.pl ssh-rsa SOMESOMESOMESOMESOMEKEYHERE)
- method (default: rsa)
- host (example: zsp.net.pl)
- port (example: 22)
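How a comparison against expected_fingerprint can work, as an added example (not Infracheck's own code): it assumes the scanned text uses the same `host keytype base64key` line shape as the parameter example, as `ssh-keyscan` prints for the default port. All function names are hypothetical and the key blobs are constructed stand-ins.

```python
import base64
import hashlib

def parse_host_key(line):
    """Split 'host keytype base64key' and decode the key blob."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected 'host keytype base64key'")
    return parts[0], parts[1], base64.b64decode(parts[2], validate=True)

def sha256_fingerprint(blob):
    """Fingerprint in the SHA256:<unpadded base64> form OpenSSH prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_fingerprint(expected_line, scan_output):
    """Return (ok, message) for scanned key lines against the pinned key."""
    host, key_type, pinned = parse_host_key(expected_line)
    offered = []
    for line in scan_output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # ssh-keyscan reports server banners on '#' lines
        try:
            got_host, got_type, blob = parse_host_key(line)
        except ValueError:  # truncated line or invalid base64
            continue
        if (got_host, got_type) != (host, key_type):
            continue
        if blob == pinned:
            return True, "host key matches " + sha256_fingerprint(pinned)
        offered.append(sha256_fingerprint(blob))
    if offered:
        return False, "host key changed, server offered " + ", ".join(offered)
    return False, f"no {key_type} key received for {host}"

def _line(host, key_type, raw):
    # Constructed stand-in for a real key blob, only to build sample lines.
    return f"{host} {key_type} {base64.b64encode(raw).decode()}"

EXPECTED = _line("host.example", "ssh-rsa", b"constructed-key-A")
SCAN_SAME = "# host.example:22 SSH-2.0-sample\n" + EXPECTED + "\n"
SCAN_OTHER = _line("host.example", "ssh-rsa", b"constructed-key-B") + "\n"

if __name__ == "__main__":
    for scan in (SCAN_SAME, SCAN_OTHER, ""):
        print(check_fingerprint(EXPECTED, scan))
```

A changed key and a missing key are reported separately because they call for different follow-up: the first means the server now presents a different identity, the second that the scan returned nothing usable.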
ssh-files-checksum
Calls a remote process over SSH and expects the listed files to match the given checksums.
Parameters:
- user (default: root)
- host
- port (default: 22)
- private_key
- password
- ssh_bin (default: ssh)
- sshpass_bin (default: sshpass)
- ssh_opts (example: -o StrictHostKeyChecking=no)
- known_hosts_file (default: ~/.ssh/known_hosts)
- command (default: uname -a)
- timeout (default: 15, unit: seconds)
- method (default: sha256sum)
- expects (json dict, example: {"/usr/bin/bahub": "d6e85b50756a08e24c1d46f07b68e288c9e7e565fd662a15baca214f576c34be"})
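How the expects dict can be compared with what the remote side returns, as an added example (not Infracheck's own code): it assumes the remote output contains standard `sha256sum` lines, possibly mixed with other text. Function names are hypothetical and both sample outputs are constructed.

```python
import json
import re

# One line of `sha256sum` output: 64 hex digits, a space, a mode
# character (space = text, * = binary), then the file name.
SUM_LINE = re.compile(r"^([0-9a-f]{64}) [ *](.+)$")

def parse_sums(output):
    """Map file name -> digest for every well-formed line; skip anything else."""
    sums = {}
    for line in output.splitlines():
        match = SUM_LINE.match(line)
        if match:
            sums[match.group(2)] = match.group(1)
    return sums

def verify_checksums(expects_json, remote_output):
    """Return a list of problems; an empty list means every file matched."""
    expects = json.loads(expects_json)
    actual = parse_sums(remote_output)
    problems = []
    for path, wanted in sorted(expects.items()):
        got = actual.get(path)
        if got is None:
            problems.append(f"{path}: no checksum in output")
        elif got != wanted.strip().lower():
            problems.append(f"{path}: expected {wanted}, got {got}")
    return problems

# The expects value is the example from the parameter list above;
# both outputs are constructed for this illustration.
EXPECTS = json.dumps({
    "/usr/bin/bahub":
        "d6e85b50756a08e24c1d46f07b68e288c9e7e565fd662a15baca214f576c34be",
})
OUTPUT_OK = (
    "Last login: constructed banner line\n"
    "d6e85b50756a08e24c1d46f07b68e288c9e7e565fd662a15baca214f576c34be"
    "  /usr/bin/bahub\n"
)
OUTPUT_CHANGED = "0" * 64 + "  /usr/bin/bahub\n"

if __name__ == "__main__":
    print(verify_checksums(EXPECTS, OUTPUT_OK))
    print(verify_checksums(EXPECTS, OUTPUT_CHANGED))
```

The result is only as trustworthy as the SSH session it arrived over: with the `-o StrictHostKeyChecking=no` value shown as the ssh_opts example, the host key is not verified, so pair this check with ssh-fingerprint or a populated known_hosts_file.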
ssh-command
Calls a remote process over SSH and checks the exit code and keywords in the output.
Parameters:
- user (default: root)
- host
- port (default: 22)
- private_key
- password
- ssh_bin (default: ssh)
- sshpass_bin (default: sshpass)
- ssh_opts (example: -o StrictHostKeyChecking=no)
- known_hosts_file (default: ~/.ssh/known_hosts)
- command (default: uname -a)
- timeout (default: 15, unit: seconds)
- expected_keywords (Keywords expected to be in stdout/stderr. Separated by “;”)
- unexpected_keywords (Keywords not expected to be present in stdout/stderr. Separated by “;”)
- expected_exit_code (default: 0)
reminder
Reminds about a recurring date. Example: to extend the validity of your hosting account.
Parameters:
- ref_date (example: 2019-05-01 for the 1st of May 2019)
- each (values: week; month; year, default: year)
- alert_days_before (default: 5, the health check will turn red when 5 days remain before the date)
load-average-auto
Checks if the load average is not more than 100%
Parameters:
- maximum_above (unit: processor cores, default: 0.5 - half of a core)
- timing (default: 15. The load average time: 1, 5, 15)
load-average
Checks if the load average is not below the specified number
Parameters:
- max_load (unit: processor cores, example: 5.0, default: 1)
- timing (default: 15. The load average time: 1, 5, 15)
swap-usage-max-percent
Defines maximum percentage of allowed swap usage
Parameters:
- max_allowed_percentage (default: 0.0)
influxdb-query
Queries an InfluxDB database and compares results.
Parameters:
- host
- port (default: 8086)
- user
- password
- database
- query
- expected: A JSON-serialized result (not pretty-formatted)
Example of JSON serialized result for query ‘select value from cpu_load_short;’:
[
    [
        {"time": "2009-11-10T23:00:10Z", "value": 10.64},
        {"time": "2009-11-10T23:00:20Z", "value": 20.64},
        {"time": "2009-11-10T23:00:30Z", "value": 30.64},
        {"time": "2009-11-10T23:00:40Z", "value": 40.64}
    ]
]
postgres
Uses the pg_isready tool to verify that PostgreSQL is up and ready to connect.
Parameters:
- pg_host (hostname or socket path; defaults to “localhost”, which uses the local Unix socket. Use an IP address, e.g. 127.0.0.1, to connect via TCP)
- pg_port (port, defaults to 5432)
- pg_db_name (database name to connect to, defaults to “postgres”)
- pg_user (username, defaults to “postgres”)
- pg_conn_timeout (defaults to 15 which means 15 seconds)
postgres-primary-streaming-status
Verifies that the local PostgreSQL instance is currently serving WALs to a specified replica. The SQL command that is validated: select * from pg_stat_replication;
Parameters:
- pg_host (hostname or socket path; defaults to “localhost”, which uses the local Unix socket. Use an IP address, e.g. 127.0.0.1, to connect via TCP)
- pg_port (port, defaults to 5432)
- pg_db_name (database name to connect to, defaults to “postgres”)
- pg_user (username, defaults to “postgres”)
- pg_password
- pg_conn_timeout (defaults to 15 which means 15 seconds)
- expected_status (defaults to “streaming”)
- expected_replication_user: Expected user that will be used for replication connection (defaults to “replication”)
postgres-replica-status
Checks whether the local PostgreSQL server acts as a replication server by validating the list of active WAL receivers. The SQL command that is validated: select * from pg_stat_wal_receiver;
Parameters:
- pg_host (hostname or socket path; defaults to “localhost”, which uses the local Unix socket. Use an IP address, e.g. 127.0.0.1, to connect via TCP)
- pg_port (port, defaults to 5432)
- pg_db_name (database name to connect to, defaults to “postgres”)
- pg_user (username, defaults to “postgres”)
- pg_password
- pg_conn_timeout (defaults to 15 which means 15 seconds)
- expected_status (defaults to “streaming”)
- expected_replication_user: Expected user that will be used for replication connection (defaults to “replication”)
docker-container-log
Searches Docker container logs for a match of the given regular expression.
Parameters:
- container: Docker container name
- regexp: Regular expression
- max_lines: Number of last lines to check (defaults to 5)
- since_seconds: Get only logs since this time (eg. last 5 minutes = 5 * 60 = 300) (defaults to 300)
- present: Boolean, if the string should be present in the output or not
smtp_credentials_check.py
Verifies the connection, TLS certificate and credentials for an SMTP server by performing a ping and an authorization attempt.
Parameters:
- smtp_host (example: bakunin.example.org)
- smtp_port (example: 25)
- smtp_user (example: noreply@example.org)
- smtp_password (example: bakunin-1936)
- smtp_encryption (example: starttls. Values: “”, “ssl”, “starttls”)
- smtp_timeout (default: 30, unit: seconds)
tls
TLS/SSL certificate expiration validation
Parameters:
- domain: TLS certificate domain for which the certificate was created
- host: IP address or DNS hostname from which the certificate should be downloaded (defaults to domain value)
- port: Port (defaults to 443)
- alert_days_before: Number of days before expiration date to start alerting (defaults to 3)
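One way the parameters above fit together, as an added example (not Infracheck's own code): `domain` is sent as SNI and validated, `host` and `port` say where to connect, and `alert_days_before` is applied to the certificate's notAfter date. The function names and the strict greater-than threshold are assumptions; the dates in the sample run are constructed.

```python
import socket
import ssl
import time

def fetch_not_after(domain, host=None, port=443, timeout=10):
    """Connect to host:port, send `domain` as SNI, return the cert's notAfter.

    The default context also validates chain and host name, so an expired
    or mismatched certificate raises ssl.SSLCertVerificationError here.
    """
    ctx = ssl.create_default_context()
    target = (host or domain, port)
    with socket.create_connection(target, timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            return tls.getpeercert()["notAfter"]

def evaluate_expiry(not_after, alert_days_before=3, now=None):
    """Return (ok, days_left) for a notAfter string as getpeercert() gives it.

    Assumption: the check passes only while more than alert_days_before
    whole days remain; a negative days_left means already expired.
    """
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(not_after)
    days_left = int((expires - now) // 86400)
    return days_left > alert_days_before, days_left

# Constructed dates, so the logic can be exercised without a network call.
NOT_AFTER = "Jun  1 12:00:00 2030 GMT"
EARLY = ssl.cert_time_to_seconds("May 20 12:00:00 2030 GMT")
CLOSE = ssl.cert_time_to_seconds("May 30 12:00:00 2030 GMT")
LATE = ssl.cert_time_to_seconds("Jun  2 12:00:00 2030 GMT")

if __name__ == "__main__":
    for moment in (EARLY, CLOSE, LATE):
        print(evaluate_expiry(NOT_AFTER, alert_days_before=3, now=moment))
```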
tls-docker-network
Automated TLS certificate verification for Docker-based flows like docker-gen. Scans the list of Docker containers based on a label or environment variable that contains a domain name.
Parameters:
- parameter_type: Label or environment variable
- parameter_name: Name of the label or environment variable
- alert_days_before: Number of days before expiration date to start alerting (defaults to 3)
- docker_host: (Optional) The URL to the Docker host.
- docker_tls_verify: (Optional) Verify the host against a CA certificate.
- docker_cert_path: (Optional) A path to a directory containing TLS certificates to use when connecting to the Docker host
- debug: (Optional) Debugging mode