dovecot: new Munin plugins, fix old_stats config

CHANGELOG.md

@@ -16,6 +16,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * userlogrotate: rotate also php.log.
 * nagios-nrpe: add a NRPE check-local command with completion.
 * policy_pam: New role allowing to manage password policy with pam_pwquality & pam_pwhistory
+* dovecot: fix old_stats plugin for Dovecot 2.3.
+* dovecot: add Munin plugins dovecot1 and dovecot_stats (patched)
 
 ### Changed
 
@@ -34,6 +36,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Removed
 
+* dovecot: remove Munin plugin dovecot (not working)
+
 ### Security
 
 ## [23.04] 2023-04-23

dovecot/README.md

@@ -2,6 +2,8 @@
 
 Installation and basic configuration of dovecot
 
+Do not use this role to update Dovecot 2.2 to 2.3.
+
 ## Tasks
 
 Minimal configuration is in `tasks/main.yml`
@@ -9,3 +11,14 @@ Minimal configuration is in `tasks/main.yml`
 ## Available variables
 
 The full list of variables (with default values) can be found in `defaults/main.yml`.
+
+## Munin plugins
+
+### dovecot_stats_
+
+Note : This is an Evolix patched version.
+
+This plugin can be installed only when installin a server, because it needs Dovevcot plugin stats (Dovecot 2.2) or old_stats (Dovecot 2.3), which previously were not activated by default.
+
+To skip this plugin installation, use "--skip-tags dovecot_stats_".
+

dovecot/files/munin_config

@@ -1,2 +0,0 @@
-[dovecot]
-group adm

dovecot/files/munin_plugin

@@ -1,128 +0,0 @@
-#! /bin/bash
-#
-# Munin Plugin
-# to count logins to your dovecot mailserver
-#
-# Created by Dominik Schulz <lkml@ds.gauner.org>
-# http://developer.gauner.org/munin/
-# Contributions by:
-# - Stephane Enten <tuf@delyth.net>
-# - Steve Schnepp <steve.schnepp@pwkf.org>
-# - pcy <pcy@ulyssis.org> (make 'Connected Users' DERIVE, check existence of logfile in autoconf)
-#
-# Parameters understood:
-#
-#	config		(required)
-#	autoconf 	(optional - used by munin-config)
-#
-# Config variables:
-#
-#       logfile        - Where to find the syslog file
-#
-# Add the following line to a file in /etc/munin/plugin-conf.d:
-# 	env.logfile /var/log/your/logfile.log
-#
-# Magic markers (optional - used by munin-config and installation scripts):
-#
-#%# family=auto
-#%# capabilities=autoconf
-
-######################
-# Configuration
-######################
-EXPR_BIN=/usr/bin/expr
-LOGFILE=${logfile:-/var/log/mail.log}
-######################
-
-if [ "$1" = "autoconf" ]; then
-	[ -f "$LOGFILE" ] && echo yes || echo "no (logfile $LOGFILE not found)"
-	exit 0
-fi
-
-if [ "$1" = "config" ]; then
-	echo 'graph_title Dovecot Logins'
-	echo 'graph_category mail'
-	echo 'graph_args --base 1000 -l 0'
-	echo 'graph_vlabel Login Counters'
-
-	for t in Total TLS SSL IMAP POP3
-	do
-		field=$(echo $t | tr '[:upper:]' '[:lower:]')
-		echo "login_$field.label $t Logins"
-		echo "login_$field.type DERIVE"
-		echo "login_$field.min 0"
-	done
-
-	echo 'connected.label Connected Users'
-	echo "connected.type DERIVE"
-
-	exit 0
-fi
-
-######################
-# Total Logins
-######################
-echo -en "login_total.value "
-VALUE=$(egrep -c '[dovecot]?.*Login' $LOGFILE)
-if [ ! -z "$VALUE" ]; then
-	echo "$VALUE"
-else
-	echo "0"
-fi
-echo -n
-######################
-# Connected Users
-######################
-DISCONNECTS=$(egrep -c '[dovecot]?.*Disconnected' $LOGFILE)
-CONNECTS=$(egrep -c '[dovecot]?.*Login' $LOGFILE)
-VALUE=$($EXPR_BIN $CONNECTS - $DISCONNECTS)
-if [ -z "$VALUE" ] || [ "$VALUE" -lt 0 ]; then
-	VALUE=0
-fi
-echo -en "connected.value "
-echo $VALUE
-echo -n
-######################
-# TLS Logins
-######################
-echo -en "login_tls.value "
-VALUE=$(egrep -c '[dovecot]?.*Login.*TLS' $LOGFILE)
-if [ ! -z "$VALUE" ]; then
-	echo "$VALUE"
-else
-	echo "0"
-fi
-echo -n
-######################
-# SSL Logins
-######################
-echo -en "login_ssl.value "
-VALUE=$(egrep -c '[dovecot]?.*Login.*SSL' $LOGFILE)
-if [ ! -z "$VALUE" ]; then
-	echo "$VALUE"
-else
-	echo "0"
-fi
-echo -n
-######################
-# IMAP Logins
-######################
-echo -en "login_imap.value "
-VALUE=$(egrep -c '[dovecot]?.*imap.*Login' $LOGFILE)
-if [ ! -z "$VALUE" ]; then
-	echo "$VALUE"
-else
-	echo "0"
-fi
-echo -n
-######################
-# POP3 Logins
-######################
-echo -en "login_pop3.value "
-VALUE=$(egrep -c '[dovecot]?.*pop3.*Login' $LOGFILE)
-if [ ! -z "$VALUE" ]; then
-	echo "$VALUE"
-else
-	echo "0"
-fi
-echo -n

dovecot/files/munin_plugin_dovecot1

@@ -0,0 +1,242 @@
+#!/usr/bin/perl
+
+#%# family=auto
+#%# capabilities=autoconf
+
+use Munin::Plugin;
+
+$pos   = undef;
+$connected = 0;
+$connectedimap = 0;
+$connectedpop3 = 0;
+$connections = 0;
+$connectionsimap = 0;
+$connectionspop3 = 0;
+$login = 0;
+$pop3login = 0;
+$imaplogin = 0;
+$tls = 0;
+$ssl = 0;
+$aborted = 0;
+
+($dirname = $0) =~ s/[^\/]+$//;
+
+$dovelogfile = 0 ;
+
+$logfile = $ENV{'LOGFILE'} || '/var/log/mail.log';
+
+if ( $logfile =~ /dovecot/ ) {
+ $dovelogfile = 1 ;
+}
+
+# Use an overridden $PATH for all external programs if needed
+$DOVEADM = "doveadm";
+
+if ( $ARGV[0] and $ARGV[0] eq "autoconf" ) {
+
+  if (! -x $DOVEADM) {
+    print "no (no doveadm)\n";
+    exit(0);
+  }
+
+  if (! -f $logfile) {
+    print "no (logfile $logfile does not exist)\n";
+    exit(0);
+  }
+
+  if (-r "$logfile") {
+    print "yes\n";
+    exit 0;
+  } else {
+    print "no (logfile not readable)\n";
+  }
+  exit 0;
+}
+
+if (-f "$logfile.0") {
+  $rotlogfile = $logfile . ".0";
+} elsif (-f "$logfile.1") {
+  $rotlogfile = $logfile . ".1";
+} elsif (-f "$logfile.01") {
+  $rotlogfile = $logfile . ".01";
+} else {
+  $rotlogfile = $logfile . ".0";
+}
+
+if ( $ARGV[0] and $ARGV[0] eq "config" ) {
+  print "multigraph dovecot_connections\n";
+  print "graph_title Dovecot connections\n";
+  print "graph_args --base 1000 -l 0 --no-gridfit --slope-mode\n";
+  print "graph_vlabel connections\n";
+  print "graph_category mail\n";
+  print "connections.label Connections open\n";
+  print "connections.type GAUGE\n";
+  print "connections.draw LINE1\n";
+  print "connections.min 0\n";
+  print "connectionsimap.label IMAP\n";
+  print "connectionsimap.type GAUGE\n";
+  print "connectionsimap.draw AREA\n";
+  print "connectionsimap.min 0\n";
+  print "connectionspop3.label POP3\n";
+  print "connectionspop3.type GAUGE\n";
+  print "connectionspop3.draw STACK\n";
+  print "connectionspop3.min 0\n";
+
+  print "multigraph dovecot_connected\n";
+  print "graph_title Dovecot connected users\n";
+  print "graph_args --base 1000 -l 0 --no-gridfit --slope-mode\n";
+  print "graph_vlabel connections\n";
+  print "graph_category mail\n";
+  print "connected.label Connected users\n";
+  print "connected.type GAUGE\n";
+  print "connected.draw LINE1\n";
+  print "connected.min 0\n";
+  print "connectedimap.label IMAP\n";
+  print "connectedimap.type GAUGE\n";
+  print "connectedimap.draw AREA\n";
+  print "connectedimap.min 0\n";
+  print "connectedpop3.label POP3\n";
+  print "connectedpop3.type GAUGE\n";
+  print "connectedpop3.draw STACK\n";
+  print "connectedpop3.min 0\n";
+
+  print "multigraph dovecot_logins\n";
+  print "graph_title Dovecot logins\n";
+  print "graph_args --base 1000 -l 0 --no-gridfit --slope-mode\n";
+  print "graph_vlabel logins/5 minute\n";
+  print "graph_category mail\n";
+  print "login.label Logins\n";
+  print "login.type GAUGE\n";
+  print "login.draw LINE1\n";
+  print "login.min 0\n";
+  print "imaplogin.label IMAP logins\n";
+  print "imaplogin.type GAUGE\n";
+  print "imaplogin.draw LINE1\n";
+  print "imaplogin.min 0\n";
+  print "pop3login.label POP3 logins\n";
+  print "pop3login.type GAUGE\n";
+  print "pop3login.draw LINE1\n";
+  print "pop3login.min 0\n";
+  print "tls.label TLS\n";
+  print "tls.type GAUGE\n";
+  print "tls.draw LINE1\n";
+  print "tls.min 0\n";
+  print "ssl.label SSL\n";
+  print "ssl.type GAUGE\n";
+  print "ssl.draw LINE1\n";
+  print "ssl.min 0\n";
+  print "aborted.label Aborted logins\n";
+  print "aborted.type GAUGE\n";
+  print "aborted.draw LINE1\n";
+  print "aborted.min 0\n";
+  exit 0;
+}
+
+if (! -f $logfile and ! -f $rotlogfile) {
+  print "multigraph dovecot_connections\n";
+  print "connections.value U";
+  print "connectionsimap.value U";
+  print "connectionspop3.value U";
+  print "multigraph dovecot_connected\n";
+  print "connected.value U\n";
+  print "connectedimap.value U\n";
+  print "connectedpop3.value U\n";
+  print "multigraph dovecot_logins\n";
+  print "login.value U\n";
+  print "pop3login.value U\n";
+  print "imaplogin.value U\n";
+  print "tls.value U\n";
+  print "ssl.value U\n";
+  print "aborted.value U\n";
+
+  exit 0;
+}
+
+# dit kan beter maar twee calls zijn toch nodig also we niet zelf aggegreren
+#  suggestie: doveadm who -1  | awk '{print $1" "$2" "$4}' | sort | uniq -c
+$connectedimap   = `$DOVEADM -f flow who    | grep imap | wc -l`;
+$connectedpop3   = `$DOVEADM -f flow who    | grep pop3 | wc -l`;
+$connectionsimap = `$DOVEADM -f flow who -1 | grep imap | wc -l`;
+$connectionspop3 = `$DOVEADM -f flow who -1 | grep pop3 | wc -l`;
+
+#trim
+$connectedimap   =~ s/\s+$//;
+$connectedpop3   =~ s/\s+$//;
+$connectionsimap =~ s/\s+$//;
+$connectionspop3 =~ s/\s+$//;
+
+$connected   = $connectedimap   + $connectedpop3;
+$connections = $connectionsimap + $connectionspop3;
+
+my ($pos) = restore_state();
+
+$startsize = (stat $logfile)[7];
+
+if (!defined $pos) {
+  # Initial run.
+  $pos = $startsize;
+}
+
+if ($startsize < $pos) {
+  # Log rotated
+  parseDovecotfile ($rotlogfile, $pos, (stat $rotlogfile)[7]);
+  $pos = 0;
+}
+
+parseDovecotfile ($logfile, $pos, $startsize);
+$pos = $startsize;
+
+save_state($pos);
+
+print "multigraph dovecot_connections\n";
+print "connections.value $connections\n";
+print "connectionsimap.value $connectionsimap\n";
+print "connectionspop3.value $connectionspop3\n";
+print "multigraph dovecot_connected\n";
+print "connected.value $connected\n";
+print "connectedimap.value $connectedimap\n";
+print "connectedpop3.value $connectedpop3\n";
+print "multigraph dovecot_logins\n";
+print "login.value $login\n";
+print "pop3login.value $pop3login\n";
+print "imaplogin.value $imaplogin\n";
+print "tls.value $tls\n";
+print "ssl.value $ssl\n";
+print "aborted.value $aborted\n";
+
+
+sub parseDovecotfile {
+  my ($fname, $start, $stop) = @_;
+  open (logf, $fname) or exit 3;
+  seek (logf, $start, 0) or exit 2;
+
+  while (tell (logf) < $stop) {
+    my $line =<logf>;
+    chomp ($line);
+
+    if ( $dovelogfile == 0 and $line !~ m/dovecot/) { next; }
+    else {
+     if ($line =~ m/Aborted/) {
+       $aborted++;
+
+     } elsif ($line =~ m/Login:/) {
+       $login++;
+
+       if (     $line =~ m/TLS/) {
+         $tls++;
+       } elsif ($line =~ m/SSL/) {
+         $ssl++;
+       }
+
+       if (     $line =~ m/pop3-login:/) {
+         $pop3login++;
+       } elsif ($line =~ m/imap-login:/) {
+         $imaplogin++;
+       }
+     }
+    }
+  }
+  close(logf);
+}
+
+# vim:syntax=perl

dovecot/files/munin_plugin_dovecot_stats_

@@ -0,0 +1,158 @@
+#!/bin/bash
+: <<=cut
+
+=head1 NAME
+
+dovecot_stats_ - Munin plugin to display statistics for the dovecot mail server
+
+=head1 CONFIGURATION
+
+This plugin must be run with permissions to run "doveadm". That usually means root, but to test, run the following as any user:
+
+  doveadm who
+
+If you get a permission denied message, check the permissions on the socket mentioned in the error line.
+
+=head1 MAGIC MARKERS
+
+   #%# family=contrib
+   #%# capability=autoconf suggest
+
+=head1 AUTHOR
+
+Paul Saunders <darac+munin@darac.org.uk>
+
+=cut
+
+. $MUNIN_LIBDIR/plugins/plugin.sh
+is_multigraph
+
+if [[ "$1" == "autoconf" ]]; then
+    if [[ -x /usr/bin/doveadm ]]; then
+        echo yes
+    else
+        echo no
+    fi
+    exit 0
+fi
+
+# Dovecot 2.3 changes the stas format, but we can still access the older version with "doveadm oldstats".
+dovecot_version=$(/usr/sbin/dovecot --version | awk '{print $1}')
+
+verlte() {
+    [ "$1" = "$2" ] && return 1 || [  "$2" = "`echo -e "$1\n$2" | sort -V | head -n1`" ]
+}
+
+verlt() {
+    [ "$1" = "$2" ] && return 1 || verlte $2 $1
+}
+
+# The stats command is "stats" unless the version is NOT less than 2.3, in which case it's "oldstats".
+stats_command="stats"
+verlt $dovecot_version 2.3 || stats_command="oldstats"
+
+
+if [[ "$1" == "suggest" ]]; then
+    doveadm $stats_command dump domain|awk 'NR!=1 {print $1}'
+    exit 0
+fi
+
+domain=$(basename $0)
+domain=${domain#dovecot_stats_}
+
+if [[ -z $domain ]]; then
+   exit 1
+fi
+
+if [[ "$1" == "config" ]]; then
+    cat <<EOF
+multigraph dovecot_cpu_${domain//\./_}
+graph_title Dovecot CPU Usage for $domain
+graph_vlabel Seconds
+graph_category mail
+user_cpu.label User CPU
+user_cpu.type DERIVE
+user_cpu.min 0
+user_cpu.cdef user_cpu,1000000,/
+sys_cpu.label System CPU
+sys_cpu.type DERIVE
+sys_cpu.min 0
+sys_cpu.cdef sys_cpu,1000000,/
+
+multigraph dovecot_system_${domain//\./_}
+graph_title Dovecot System Usage for $domain
+graph_category mail
+min_faults.label Minor page faults
+min_faults.type DERIVE
+min_faults.min 0
+maj_faults.label Major page faults
+maj_faults.type DERIVE
+maj_faults.min 0
+vol_cs.label Voluntary context switches
+vol_cs.type DERIVE
+vol_cs.min 0
+invol_cs.label Involuntary context switches
+invol_cs.type DERIVE
+invol_cs.min 0
+read_count.label read() syscalls
+read_count.type DERIVE
+read_count.min 0
+write_count.label write() syscalls
+write_count.type DERIVE
+write_count.min 0
+
+multigraph dovecot_mail_${domain//\./_}
+graph_title Dovecot Mail Access for $domain
+graph_category mail
+num_logins.label Logins
+num_logins.type DERIVE
+num_logins.min 0
+num_cmds.label Commands
+num_cmds.type DERIVE
+num_cmds.min 0
+mail_lookup_path.label Path Lookups
+mail_lookup_path.type DERIVE
+mail_lookup_path.min 0
+mail_lookup_attr.label Attr lookups
+mail_lookup_attr.type DERIVE
+mail_lookup_attr.min 0
+mail_read_count.label Messages read
+mail_read_count.type DERIVE
+mail_read_count.min 0
+mail_cache_hits.label Cache hits
+mail_cache_hits.type DERIVE
+mail_cache_hits.min 0
+EOF
+    exit 0
+fi
+
+# Added by Will
+if [ "${domain}" = "global" ]; then
+    args="global"
+else
+    args="domain domain=$domain"
+fi
+
+# Fetch data
+# Gawk script cadged from http://awk.info/?JanisP
+doveadm $stats_command dump $args | gawk -F\\t -v cols="user_cpu sys_cpu min_faults maj_faults vol_cs invol_cs read_count write_count num_logins num_cmds mail_lookup_path mail_lookup_attr mail_read_count mail_cache_hits " -v domain=${domain//\./_} '
+    BEGIN {
+        n=split(cols,col," ")
+        for (i=1; i<=n; i++) s[col[i]]=i
+    }
+    NR==1 {
+        for (f=1;f<=NF; f++)
+            if ($f in s) c[s[$f]]=f
+        next
+    }
+    { for (f=1; f<=n; f++) {
+        if (col[f] == "user_cpu") printf ("\nmultigraph dovecot_cpu_%s\n", domain)
+        if (col[f] == "min_faults") printf ("\nmultigraph dovecot_system_%s\n", domain)
+        if (col[f] == "num_logins") printf ("\nmultigraph dovecot_mail_%s\n", domain)
+        if (col[f] == "user_cpu" || col[f] == "sys_cpu")
+            printf("%s.value %d\n",col[f],$c[f] * 1000000)
+        else
+            printf("%s.value %d\n",col[f],$c[f])
+      }
+    }
+'

dovecot/handlers/main.yml

@@ -14,3 +14,7 @@
     name: log2mail
     state: restarted
 
+- name: restart munin-node
+  ansible.builtin.systemd:
+    name: munin-node
+    state: restarted

dovecot/tasks/munin.yml

@@ -8,16 +8,75 @@
 
 - name: Munin plugins are present and configured
   block:
-    - name: Install munin plugin
-      ansible.builtin.copy:
-        src: munin_plugin
-        dest: /etc/munin/plugins/dovecot
+
+    - name: Disable dovecot plugin
+      ansible.builtin.file:
+        path: /etc/munin/plugins/dovecot
+        state: absent
+
+    - name: Remove dovecot plugin conf
+      ansible.builtin.file:
+        path: /etc/munin/plugin-conf.d/dovecot
+        state: absent
+
+    - name: "Remount /usr if needed"
+      ansible.builtin.include_role:
+        name: remount-usr
+
+    - name: Ensures /usr/local/lib/munin/plugins/ dir exists
+      ansible.builtin.file:
+        path: "/usr/local/lib/munin/plugins/"
+        state: directory
         mode: "0755"
 
-    - name: Install munin config
+    - name: Install dovecot1 plugin
+      # Original from https://github.com/munin-monitoring/contrib/blob/master/plugins/dovecot/dovecot1
       ansible.builtin.copy:
-        src: munin_config
-        dest: /etc/munin/plugin-conf.d/dovecot
-        mode: "0644"
+        src: munin_plugin_dovecot1
+        dest: /usr/local/lib/munin/plugins/dovecot1
+        mode: "0755"
+
+    - name: Install dovecot_stats_ plugin
+      # Modified from https://github.com/munin-monitoring/contrib/blob/master/plugins/dovecot/dovecot_stats_
+      ansible.builtin.copy:
+        src: munin_plugin_dovecot_stats_
+        dest: /usr/local/lib/munin/plugins/dovecot_stats_
+        mode: "0755"
+      tags: dovecot_stats_
+
+    - name: Sections dovecot1 and dovecot_stats_ are in /etc/munin/plugin-conf.d/zzz-evolinux
+      ansible.builtin.lineinfile:
+        path: /etc/munin/plugin-conf.d/zzz-evolinux
+        regex: '\[{{ item }}\]'
+        line: '[{{ item }}]'
+        create: yes
+        mode: '0644'
+      loop: ['dovecot1', 'dovecot_stats_*']
+      notify: restart munin-node
+
+    - name: User root is set for plugins in /etc/munin/plugin-conf.d/zzz-evolinux
+      ansible.builtin.lineinfile:
+        path: /etc/munin/plugin-conf.d/zzz-evolinux
+        regex: '^[[:blank:]]*user root[[:blank:]]*$'
+        insertafter: '\[{{ item }}\]'
+        line: 'user root'
+      loop: ['dovecot1', 'dovecot_stats_*']
+      notify: restart munin-node
+
+    - name: Enable dovecot1 plugin
+      ansible.builtin.file:
+        src: "/usr/local/lib/munin/plugins/dovecot1"
+        dest: "/etc/munin/plugins/dovecot1"
+        state: link
+      when: not ansible_check_mode
+
+    - name: Enable wildcard dovecot_stats_ plugin for all domains
+      ansible.builtin.file:
+        src: "/usr/local/lib/munin/plugins/dovecot_stats_"
+        dest: "/etc/munin/plugins/dovecot_stats_global"
+        state: link
+      when: not ansible_check_mode
+      tags: dovecot_stats_
 
   when: munin_node_plugins_config.stat.exists
+

dovecot/templates/z-evolinux-defaults.conf.j2

@@ -1,5 +1,8 @@
 # {{ ansible_managed }}
 
+# Plugins list (must be before filters {} that modify it)
+mail_plugins = $mail_plugins old_stats
+
 # Autorise les mécanismes PLAIN/LOGIN même sans SSL/TLS
 disable_plaintext_auth = no
 auth_mechanisms = plain login
@@ -36,14 +39,26 @@ service login {
 mail_max_userip_connections = 42
 
 # Configuration pour stats dovecot
-service stats {
-    unix_listener stats-reader {
+protocol imap {
+  mail_plugins = $mail_plugins imap_old_stats
+}
+plugin {
+  old_stats_refresh = 30 secs
+  old_stats_track_cmds = yes
+}
+service old-stats {
+    fifo_listener old-stats-mail {
+        user = vmail
+        group = vmail
+        mode = 0660
+    }
+    unix_listener old-stats-reader {
         user = vmail
         group = vmail
         mode = 0660
     }
 
-    unix_listener stats-writer {
+    unix_listener old-stats-writer {
         user = vmail
         group = vmail
         mode = 0660