conntrack_exporter

Author: hanazuki

gen/k8s/prom/nat-6x.yml

@@ -0,0 +1,44 @@
+include_cookbook 'ruby'
+package 'git'
+
+directory '/opt/conntrack_exporter' do
+  owner 'root'
+  group 'root'
+  mode '0755'
+end
+
+remote_file '/opt/conntrack_exporter/Gemfile' do
+  owner 'root'
+  group 'root'
+  mode '0644'
+end
+
+remote_file '/opt/conntrack_exporter/Gemfile.lock' do
+  owner 'root'
+  group 'root'
+  mode '0644'
+end
+
+execute 'bundle install' do
+  cwd '/opt/conntrack_exporter'
+  command <<EOF
+set -e
+bundle config set --local deployment true
+bundle install
+(ruby -v && cat Gemfile.lock) | sha256sum >.bundle/hash
+EOF
+  not_if '(ruby -v && cat Gemfile.lock) | sha256sum -c .bundle/hash'
+  notifies :restart, 'service[conntrack_exporter]'
+end
+
+remote_file '/etc/systemd/system/conntrack_exporter.service' do
+  owner 'root'
+  group 'root'
+  mode '0644'
+  notifies :run, 'execute[systemctl daemon-reload]', :immediately
+  notifies :restart, 'service[conntrack_exporter]'
+end
+
+service 'conntrack_exporter' do
+  action [:enable, :start]
+end

itamae/cookbooks/conntrack-exporter/default.rb

@@ -0,0 +1,20 @@
+[Unit]
+Description=Export conntrack metrics
+Documentation=https://github.com/hanazuki/conntrack_exporter
+
+[Service]
+Type=exec
+WorkingDirectory=/opt/conntrack_exporter
+ExecStart=/usr/bin/bundle exec conntrack_exporter -b tcp://0.0.0.0:9466
+
+DynamicUser=yes
+User=conntrack_exporter
+CapabilityBoundingSet=CAP_NET_ADMIN
+AmbientCapabilities=CAP_NET_ADMIN
+LogsDirectory=conntrack_exporter
+ProtectHome=yes
+ProtectProc=invisible
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target

itamae/cookbooks/conntrack-exporter/files/etc/systemd/system/conntrack_exporter.service

@@ -0,0 +1,10 @@
+source 'https://rubygems.org'
+
+git 'https://github.com/hanazuki/conntrack_exporter' do
+  gem 'conntrack_exporter'
+end
+
+git 'https://github.com/hanazuki/nl' do
+  gem 'ynl'
+  gem 'nl'
+end

itamae/cookbooks/conntrack-exporter/files/opt/conntrack_exporter/Gemfile

@@ -0,0 +1,61 @@
+GIT
+  remote: https://github.com/hanazuki/conntrack_exporter
+  revision: 564d365f2fed04ac94ea15ac6c375950ad64db19
+  specs:
+    conntrack_exporter (0.1.0)
+      prometheus-client
+      puma
+      sinatra
+      ynl
+
+GIT
+  remote: https://github.com/hanazuki/nl
+  revision: f22660cb976b024e56fd7664219c437b32444e55
+  specs:
+    nl (0.1.0)
+    ynl (0.1.0)
+      nl (= 0.1.0)
+      yaml
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    base64 (0.2.0)
+    logger (1.7.0)
+    mustermann (3.0.3)
+      ruby2_keywords (~> 0.0.1)
+    nio4r (2.7.4)
+    prometheus-client (4.2.4)
+      base64
+    puma (6.6.0)
+      nio4r (~> 2.0)
+    rack (3.1.13)
+    rack-protection (4.1.1)
+      base64 (>= 0.1.0)
+      logger (>= 1.6.0)
+      rack (>= 3.0.0, < 4)
+    rack-session (2.1.0)
+      base64 (>= 0.1.0)
+      rack (>= 3.0.0)
+    ruby2_keywords (0.0.5)
+    sinatra (4.1.1)
+      logger (>= 1.6.0)
+      mustermann (~> 3.0)
+      rack (>= 3.0.0, < 4)
+      rack-protection (= 4.1.1)
+      rack-session (>= 2.0.0, < 3)
+      tilt (~> 2.0)
+    tilt (2.6.0)
+    yaml (0.4.0)
+
+PLATFORMS
+  ruby
+  x86_64-linux
+
+DEPENDENCIES
+  conntrack_exporter!
+  nl!
+  ynl!
+
+BUNDLED WITH
+   2.6.2

itamae/cookbooks/conntrack-exporter/files/opt/conntrack_exporter/Gemfile.lock

@@ -16,6 +16,7 @@
 include_cookbook 'xtables'
 include_cookbook 'xlat'
 include_cookbook 'bird'
+include_cookbook 'conntrack-exporter'
 
 package 'conntrack'
 

itamae/roles/plat/default.rb

@@ -71,7 +71,7 @@ table inet plat {
     ip6 nexthdr icmpv6 accept
 
     ip saddr { 10.33.0.0/23, 10.33.128.0/18 } tcp dport { ssh } accept
-    ip saddr { 10.33.128.0/18 } tcp dport { 9100, 9324 } accept
+    ip saddr { 10.33.128.0/18 } tcp dport { 9100, 9324, 9466 } accept
     ip6 saddr { 2001:df0:8500:ca00::/64, 2001:df0:8500:caa0::/64, 2406:da14:dfe:c000::/56 } tcp dport { ssh } accept
 
     ip saddr 10.33.22.0/24 tcp dport { bgp } accept

itamae/roles/plat/templates/etc/nftables/plat.conf

@@ -11,6 +11,10 @@ local jobs = [
     port:: 9324,
     metadata+: { name: 'nat-6x-bird' },
   },
+  {
+    port:: 9466,
+    metadata+: { name: 'nat-6x-conntrack' },
+  },
 ];
 [
   {