From 349303bbad8030763a62db83ca67dc1f4b86966e Mon Sep 17 00:00:00 2001 From: ldep30 Date: Mon, 26 Dec 2016 14:39:53 +0100 Subject: [PATCH 1/3] Update README.md --- plugins/inputs/iptables/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/plugins/inputs/iptables/README.md b/plugins/inputs/iptables/README.md index f5ebd47808af6..a711f1d4e3a3a 100644 --- a/plugins/inputs/iptables/README.md +++ b/plugins/inputs/iptables/README.md @@ -30,11 +30,17 @@ You may edit your sudo configuration with the following: telegraf ALL=(root) NOPASSWD: /usr/bin/iptables -nvL * ``` +### Using IPtables lock feature + +Defining multiple instances of this plugin in telegraf.conf can lead to concurrent IPtables access resulting in "ERROR in input [inputs.iptables]: exit status 4" messages in telegraf.log and missing metrics. Setting 'use_lock = true' in the plugin configuration will run IPtables with the '-w' switch, allowing a lock usage to prevent this error. + ### Configuration: ```toml # use sudo to run iptables use_sudo = false + # run iptables with the lock option + use_lock = false # defines the table to monitor: table = "filter" # defines the chains to monitor: From c6ed82d8089b1aec49f823a5119104bf84b68017 Mon Sep 17 00:00:00 2001 From: ldep30 Date: Mon, 26 Dec 2016 14:40:35 +0100 Subject: [PATCH 2/3] Add lock support to the IPtables input plugin --- plugins/inputs/iptables/iptables.go | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/plugins/inputs/iptables/iptables.go b/plugins/inputs/iptables/iptables.go index 4ceb45230bea5..3cf600362fa1b 100644 --- a/plugins/inputs/iptables/iptables.go +++ b/plugins/inputs/iptables/iptables.go @@ -16,6 +16,7 @@ import ( // Iptables is a telegraf plugin to gather packets and bytes throughput from Linux's iptables packet filter. type Iptables struct { UseSudo bool + UseLock bool Table string Chains []string lister chainLister 
@@ -32,8 +33,11 @@ func (ipt *Iptables) SampleConfig() string {
 ## iptables require root access on most systems.
 ## Setting 'use_sudo' to true will make use of sudo to run iptables.
 ## Users must configure sudo to allow telegraf user to run iptables with no password.
- ## iptables can be restricted to only list command "iptables -nvL"
+ ## iptables can be restricted to only list command "iptables -nvL" or "iptables -wnvl" if using 'use_lock = true'
 use_sudo = false
+ ## Setting 'use_lock' to true will run iptables with xtables lock support.
+ ## This option is useful to avoid iptables concurrency errors when running multiple instances of this plugin.
+ use_lock = false
 ## defines the table to monitor:
 table = "filter"
 ## defines the chains to monitor:
@@ -75,7 +79,11 @@ func (ipt *Iptables) chainList(table, chain string) (string, error) {
 name = "sudo"
 args = append(args, iptablePath)
 }
- args = append(args, "-nvL", chain, "-t", table, "-x")
+ iptablesBaseArgs := "-nvL"
+ if ipt.UseLock {
+ iptablesBaseArgs = "-wnvL"
+ }
+ args = append(args, iptablesBaseArgs, chain, "-t", table, "-x")
 c := exec.Command(name, args...)
 out, err := c.Output()
 return string(out), err
From 526197f10a21f1ff2213ba7e01dd0c93b17b3a16 Mon Sep 17 00:00:00 2001
From: ldep30
Date: Thu, 26 Jan 2017 09:43:54 +0100
Subject: [PATCH 3/3] Update iptables.go Doc cleaning
---
 plugins/inputs/iptables/iptables.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/plugins/inputs/iptables/iptables.go b/plugins/inputs/iptables/iptables.go
index 3cf600362fa1b..31b049d9f2820 100644
--- a/plugins/inputs/iptables/iptables.go
+++ b/plugins/inputs/iptables/iptables.go
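Review bot: The added comment line in the SampleConfig hunk spells the locked invocation `"iptables -wnvl"` with a lower-case `l`, while chainList in this same patch runs `-wnvL`. sudoers compares command arguments case-sensitively, so a rule copied from this text would not match the command the plugin actually executes and collection under sudo would fail. The line should read `## iptables can be restricted to only list command "iptables -nvL" or "iptables -wnvL" if using 'use_lock = true'`. Patch 3/3 rewrites this paragraph but keeps the same `-wnvl` spelling in its `## Adjust your sudo settings` line, so the correction applies there as well.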
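Review bot: In the chainList hunk, `-w` with no value makes iptables wait for the xtables lock without an upper bound, and the `c.Output()` call on the following context line has no timeout, so a long-held lock would stall this input's collection instead of surfacing an error. Passing the wait as its own bounded argument, for example `args = append(args, "-w", "5")` ahead of `"-nvL"` on iptables releases that accept a seconds value (the 5 is only an illustrative number), or running the command under a timeout, keeps the failure visible. A comment noting that iptables builds without `-w` reject the flag would also help, since the option then cannot be enabled blindly. chainList begins before this hunk, so how `name` and `args` are initialised is not visible here.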
@@ -33,10 +33,10 @@ func (ipt *Iptables) SampleConfig() string {
 ## iptables require root access on most systems.
 ## Setting 'use_sudo' to true will make use of sudo to run iptables.
 ## Users must configure sudo to allow telegraf user to run iptables with no password.
- ## iptables can be restricted to only list command "iptables -nvL" or "iptables -wnvl" if using 'use_lock = true'
+ ## iptables can be restricted to only list command "iptables -nvL"
 use_sudo = false
- ## Setting 'use_lock' to true will run iptables with xtables lock support.
- ## This option is useful to avoid iptables concurrency errors when running multiple instances of this plugin.
+ ## Setting 'use_lock' to true runs iptables with the "-w" option.
+ ## Adjust your sudo settings appropriately if using this option ("iptables -wnvl")
 use_lock = false
 ## defines the table to monitor:
 table = "filter"
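Review bot: The new `## Adjust your sudo settings appropriately` line leaves the reader to work out the rule, and the only sudoers example in this series (README context in patch 1/3) still reads `telegraf ALL=(root) NOPASSWD: /usr/bin/iptables -nvL *`, which does not cover the `-wnvL` form. I would spell the matching rule out next to the option and add a caveat that the trailing `*` in a sudoers command line matches any further arguments, so that entry grants more than listing; naming the table and chains explicitly in the rule is tighter. This hunk also drops the sentence explaining that the option avoids concurrency errors when several instances of the plugin run, which is the reason a user would enable it.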