pull main (#320)

* fix IPv6 masking * Prometheus support (#316) * Add prometheus support * Add prometheus support * Add prometheus support * Add prometheus support * Add prometheus support --------- Co-authored-by: avigailo <avigailo@checkpoint.com> * Fix Watchdog restarts (#319) * don't exit * fix restarting agent * fix watchdog restarts * Waf tag (#317) * add waf-tag to openappsec * fix waf tag to openappsec --------- Co-authored-by: wiaamm <wiaamm@checkpoint.com> --------- Co-authored-by: Wills Ward <wward@warddevelopment.com> Co-authored-by: orianelou <126462046+orianelou@users.noreply.github.com> Co-authored-by: avigailo <avigailo@checkpoint.com> Co-authored-by: wiaam96 <142393189+wiaam96@users.noreply.github.com> Co-authored-by: wiaamm <wiaamm@checkpoint.com>
2025-09-30 11:44:29 +03:00 · 2025-06-11 15:18:17 +03:00
parent 6847c1faba
commit b02eb3d2e1
21 changed files with 771 additions and 19 deletions
--- a/nodes/CMakeLists.txt
+++ b/nodes/CMakeLists.txt
@@ -11,6 +11,7 @@ set(COMMON_LIBRARIES "-lngen_core;-lcompression_utils;-lssl;-lcrypto;-lz;-lboost
 include(packaging.cmake)

 add_subdirectory(orchestration)
+add_subdirectory(prometheus)
 add_subdirectory(agent_cache)
 add_subdirectory(http_transaction_handler)
 add_subdirectory(attachment_registration_manager)
--- a/nodes/orchestration/package/cp-nano-package-list
+++ b/nodes/orchestration/package/cp-nano-package-list
@@ -29,4 +29,5 @@ cpview_metric_provider="cpviewMetricProvider 8282"
 hello_world="hello_world"
 crowdsec_aux="crowdsecAux 8081"
 central_nginx_manager="centralNginxManager 7555"
+prometheus="prometheus 7465"
 # ## Please do not remove this comment - newline at end of file required.
--- a/nodes/orchestration/package/orchestration_package.sh
+++ b/nodes/orchestration/package/orchestration_package.sh
@@ -647,6 +647,9 @@ install_watchdog()
                echo "ExecStart=ip netns exec CTX0000${VS_ID} ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
            fi
            echo "Environment=\"FILESYSTEM_PATH=${FILESYSTEM_PATH}\"" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
+            if [ -n "${PROMETHEUS}" ] ; then
+                echo "Environment=\"PROMETHEUS=${PROMETHEUS}\"" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
+            fi

            cp_exec "systemctl daemon-reload"
            cp_exec "systemctl enable nano_agent"
--- a/nodes/prometheus/CMakeLists.txt
+++ b/nodes/prometheus/CMakeLists.txt
@@ -0,0 +1,30 @@
+add_subdirectory(package)
+
+add_executable(prometheus main.cc)
+
+target_link_libraries(prometheus
+    -Wl,--start-group
+    ${COMMON_LIBRARIES}
+
+    generic_rulebase
+    generic_rulebase_evaluators
+    ip_utilities
+    version
+    signal_handler
+
+	prometheus_comp
+	http_transaction_data
+    -Wl,--end-group
+)
+
+add_dependencies(prometheus ngen_core)
+
+install(TARGETS prometheus DESTINATION bin)
+install(TARGETS prometheus DESTINATION prometheus_service/bin)
+
+gen_package(
+	install-cp-nano-service-prometheus.sh
+	prometheus_service
+    ./install-cp-nano-prometheus.sh
+	Check Point Prometheus Agent Version ${PACKAGE_VERSION} Install Package
+)
--- a/nodes/prometheus/main.cc
+++ b/nodes/prometheus/main.cc
@@ -0,0 +1,15 @@
+#include "components_list.h"
+#include "prometheus_comp.h"
+
+int
+main(int argc, char **argv)
+{
+    NodeComponents<PrometheusComp> comps;
+
+    comps.registerGlobalValue<bool>("Is Rest primary routine", true);
+    comps.registerGlobalValue<uint>("Nano service API Port Primary", 7465);
+    comps.registerGlobalValue<uint>("Nano service API Port Alternative", 7466);
+    comps.registerGlobalValue<bool>("Nano service API Allow Get From External IP", true);
+
+    return comps.run("Prometheus Service", argc, argv);
+}
--- a/nodes/prometheus/package/CMakeLists.txt
+++ b/nodes/prometheus/package/CMakeLists.txt
@@ -0,0 +1,4 @@
+install(FILES install-cp-nano-prometheus.sh  DESTINATION prometheus_service/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
+install(FILES cp-nano-prometheus.cfg  DESTINATION prometheus_service/conf PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
+install(FILES cp-nano-prometheus-conf.json  DESTINATION prometheus_service/conf PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
+install(FILES cp-nano-prometheus-debug-conf.json  DESTINATION prometheus_service/conf PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
--- a/nodes/prometheus/package/cp-nano-prometheus-conf.json
+++ b/nodes/prometheus/package/cp-nano-prometheus-conf.json
@@ -0,0 +1,21 @@
+{
+    "connection": {
+        "Nano service API Port Primary": [
+            {
+                "value": 7465
+            }
+        ],
+        "Nano service API Port Alternative": [
+            {
+                "value": 7466
+            }
+        ]
+    },
+    "message": {
+        "Connection timeout": [
+            {
+                "value": 10000000
+            }
+        ]
+    }
+}
--- a/nodes/prometheus/package/cp-nano-prometheus-debug-conf.json
+++ b/nodes/prometheus/package/cp-nano-prometheus-debug-conf.json
@@ -0,0 +1,11 @@
+{
+    "Debug": [
+        {
+            "Streams": [
+                {
+                    "Output": "nano_agent/cp-nano-prometheus.dbg"
+                }
+            ]
+        }
+    ]
+}
--- a/nodes/prometheus/package/cp-nano-prometheus.cfg
+++ b/nodes/prometheus/package/cp-nano-prometheus.cfg
--- a/nodes/prometheus/package/install-cp-nano-prometheus.sh
+++ b/nodes/prometheus/package/install-cp-nano-prometheus.sh
@@ -0,0 +1,164 @@
+#!/bin/sh
+
+#Nano Service Details
+NANO_SERVICE_NAME="prometheus"
+NANO_SERVICE_BIN_NAME="cp-nano-prometheus"
+NANO_SERVICE_INSTALLATION_FOLDER="prometheus"
+ATTACHMENT_BIN_NAME="cp-nano-prometheus"
+
+#Installable Names
+CFG_FILE_NAME="cp-nano-prometheus.cfg"
+DBG_CONF_FILE_NAME="cp-nano-prometheus-debug-conf.json"
+SERVICE_CONF_FILE_NAME="cp-nano-prometheus-conf.json"
+NANO_SERVICE_BIN="prometheus"
+ATTACHMENT_BIN="prometheus_attachment"
+
+#Const variables
+FORCE_STDOUT=true
+INSTALLATION_TIME=$(date)
+CP_NANO_LOG_PATH="/var/log/nano_agent"
+CP_NANO_CONF_PATH="/etc/cp/conf"
+NANO_SERVICE_INSTALLATION_PATH="/etc/cp/${NANO_SERVICE_INSTALLATION_FOLDER}"
+NANO_SERVICE_BIN_PATH=${NANO_SERVICE_INSTALLATION_PATH}/${NANO_SERVICE_BIN_NAME}
+NANO_SERVICE_CFG_PATH=${NANO_SERVICE_BIN_PATH}.cfg
+ATTACHMENT_BIN_PATH=${NANO_SERVICE_INSTALLATION_PATH}/${ATTACHMENT_BIN_NAME}
+DBG_CONF_PATH=${CP_NANO_CONF_PATH}/${NANO_SERVICE_BIN_NAME}-debug-conf.json
+SERVICE_CONF_PATH=${CP_NANO_CONF_PATH}/${NANO_SERVICE_BIN_NAME}-conf.json
+DBG_FILE_PATH=${CP_NANO_LOG_PATH}/${NANO_SERVICE_BIN_NAME}.dbg
+INSTALLATION_LOG_FILE=${CP_NANO_LOG_PATH}/${NANO_SERVICE_BIN_NAME}-install.log
+
+mkdir -p ${CP_NANO_LOG_PATH}
+touch ${DBG_FILE_PATH}
+
+cp_print()
+{
+    var_text=$1
+    var_std_out=$2
+    touch $INSTALLATION_LOG_FILE
+    if [ -n "$var_std_out" ]; then
+        if [ "$var_std_out" = "true" ]; then
+            printf "%b\n" "$var_text"
+        fi
+    fi
+    printf "%b\n" "$var_text" >> $INSTALLATION_LOG_FILE
+}
+
+cp_exec()
+{
+    var_cmd=$1
+    var_std_out=$2
+    # Send exec output to RES
+    RES=$($var_cmd 2>&1)
+    if [ -n "$RES" ]; then
+        cp_print "$RES" "$var_std_out"
+    fi
+}
+
+set_configuration()
+{
+    cp_exec "cp -n conf/${DBG_CONF_FILE_NAME} $DBG_CONF_PATH"
+    cp_exec "/etc/cp/scripts/cpnano_debug --default --service prometheus"
+    cp_exec "cp -n conf/${SERVICE_CONF_FILE_NAME} $SERVICE_CONF_PATH"
+}
+
+run_installation()
+{
+    cp_print "Starting installation of Check Point ${NANO_SERVICE_NAME} Nano service [$INSTALLATION_TIME]\n" $FORCE_STDOUT
+    
+    cp_exec "/etc/cp/watchdog/cp-nano-watchdog --un-register ${ATTACHMENT_BIN_PATH}"
+    cp_exec "/etc/cp/watchdog/cp-nano-watchdog --un-register ${NANO_SERVICE_BIN_PATH}"
+    
+    att_path=$ATTACHMENT_BIN_PATH
+    cmd_pid_att=$(ps -eo pid,cmd,args | awk -v srv=${att_path} '{if($2 ~ srv || $3 ~ srv) print $1}')
+    srv_path=$NANO_SERVICE_BIN_NAME
+    cmd_pid_srv=$(ps -eo pid,cmd,args | awk -v srv=${srv_path} '{if($2 ~ srv || $3 ~ srv) print $1}')
+    
+    if [ -n "$cmd_pid_att"  ]; then
+        cp_print "Killing running instance(pid=$cmd_pid_att) of the prometheus attachment on installation"
+        kill -9 "$cmd_pid_att"
+    fi
+    if [ -n "$cmd_pid_srv"  ]; then
+        cp_print "Killing running instance(pid=$cmd_pid_srv) of the prometheus service on installation"
+        kill -9 "$cmd_pid_srv"
+    fi
+
+    cp_exec "mkdir -p ${NANO_SERVICE_INSTALLATION_PATH}"
+    cp_exec "cp -f bin/${NANO_SERVICE_BIN} ${NANO_SERVICE_BIN_PATH}"
+    cp_exec "chmod +x ${NANO_SERVICE_BIN_PATH}"
+    cp_exec "cp -f conf/${CFG_FILE_NAME} ${NANO_SERVICE_CFG_PATH}"
+    cp_exec "chmod 600 ${NANO_SERVICE_CFG_PATH}"
+
+    set_configuration
+
+    cp_exec "/etc/cp/watchdog/cp-nano-watchdog --register ${NANO_SERVICE_BIN_PATH}"
+    cp_exec "/etc/cp/watchdog/cp-nano-watchdog --register ${ATTACHMENT_BIN_PATH}"
+
+    cp_print "Installation completed successfully." $FORCE_STDOUT
+}
+
+usage()
+{
+    echo "Check Point: available flags are"
+    echo "--install           : install ${NANO_SERVICE_NAME} Nano Service"
+    echo "--uninstall         : remove ${NANO_SERVICE_NAME} Nano Service"
+    echo "--pre_install_test  : run Pre-installation test for ${NANO_SERVICE_NAME} Nano Service install package"
+    echo "--post_install_test : run Post-installation test for ${NANO_SERVICE_NAME} Nano Service install package"
+    exit 255
+}
+
+run_uninstall()
+{
+    cp_exec "/etc/cp/watchdog/cp-nano-watchdog --un-register ${ATTACHMENT_BIN_PATH}"
+    cp_exec "/etc/cp/watchdog/cp-nano-watchdog --un-register ${NANO_SERVICE_BIN_PATH}"
+
+    cp_exec "rm -rf ${NANO_SERVICE_INSTALLATION_PATH}"
+    cp_exec "rm -rf ${NANO_SERVICE_CONF_DIR}"
+}
+
+run_pre_install_test()
+{
+    cp_print "Starting Pre-installation test of Check Point ${NANO_SERVICE_NAME} Nano service installation package [$INSTALLATION_TIME]\n" $FORCE_STDOUT
+
+    cp_print "Successfully finished pre-installation test for Check Point ${NANO_SERVICE_NAME} Nano service installation package [$INSTALLATION_TIME]\n" $FORCE_STDOUT
+    exit 0
+}
+
+run_post_install_test()
+{
+    cp_print "Starting Post-installation test of Check Point ${NANO_SERVICE_NAME} Nano service installation package [$INSTALLATION_TIME]\n" $FORCE_STDOUT
+
+    if ! cat /etc/cp/watchdog/wd.services | grep -q ${NANO_SERVICE_BIN_PATH}; then
+    	    cp_print "Failed to register ${NANO_SERVICE_NAME} Nano service to the watchdog\n" $FORCE_STDOUT
+    	    exit 255
+    fi
+
+    cp_print "Successfully finished post-installation test for Check Point ${NANO_SERVICE_NAME} Nano service installation package [$INSTALLATION_TIME]\n" $FORCE_STDOUT
+    exit 0
+
+}
+
+run()
+{
+    if [ '--install' = "$1" ]; then
+        run_installation "${@}"
+    elif [ '--uninstall' = "$1" ]; then
+        run_uninstall
+    elif [ '--pre_install_test' = "$1" ]; then
+        run_pre_install_test
+    elif [ '--post_install_test' = "$1" ]; then
+        run_post_install_test
+    else
+        usage
+        exit 1
+    fi
+}
+
+if [ "$(id -u)" != "0" ]; then
+    echo "Administrative privileges required for this Package (use su or sudo)"
+    exit 1
+fi
+
+shift
+run "${@}"
+
+exit 0