On Tue, Dec 27, 2005 at 12:14:17AM +0100, Sylwester S. Biernacki wrote:
> I know that I can write my own scripts which can open, i.e., the http port on
> the backend machine and, in case the webhost is down, the script can execute pfctl
> -t webhosts -T delete IP_OF_NOT_WORKING_WEBHOST. But that's not a
> 'professional' solution.
>
> The perfect solution would be to have one daemon which connects to
> services on backoffice machines and polls them, and if any service
> stops working this daemon sends a command to PF to remove the IP from the table
> of available machines.
>
> I've done my homework and read the archive of this list and googled for
> some time and saw hand-made solutions only.
>
> Do you know of, or does anyone have plans to realize, such a 'perfect' solution?

I'm not sure why you seem to consider a solution unprofessional simply
because it is hand-made or involves shell scripts. Is that because you
consider yourself able to write shell scripts, but not expertly, while
you wouldn't even try to write in another programming language?

All good software is hand-made; if there are any automatically generated
programs at all, they are only as good as their generating program,
which was hand-made in the first place. Even the most shiny, expensive,
and shrink-wrapped software package you can buy consists of hand-written
code.

There's a serious profession[1] of people writing shell scripts, and it
would be silly to assume that any program is less professional because
it is implemented in shell script instead of, say, C.
Quoting from [2]:

  pro·fes·sion·al (adj.)
    1.  1. Of, relating to, engaged in, or suitable for a profession
        2. Conforming to the standards of a profession
    2.  Engaging in a given activity as a source of livelihood or as a
        career
    3.  Performed by persons receiving pay
    4.  Having or showing great skill; expert

None of these definitions would exclude a shell script from being a
'professional solution' to this particular problem. Or any other
problem, in general, assuming the script was expertly written and
performed conforming to the standards of the profession.

Now take a look at one example of a suggested solution, which I assume
you have already seen while searching:

http://marc.theaimsgroup.com/?l=openbsd-pf&m=106883416904625&w=2
If you're going to hire (according to the second and third definition
above) a programmer to write a C daemon doing something similar, you'll
have to provide precise specs that define what the program is supposed
to do. So, what should it do compared to the example script above? How
is the script not perfect, what other properties should the C program
have? Besides hiding implementation details from the non-technical reader
(who might not understand C source code but can read a script), who
might (possibly falsely) assume it does more things in a more clever way.

If it is more complex monitoring code you need, it's probably simpler to
extend a monitoring tool (like, say, nagios[3]) to do pf table
modifications than to re-implement monitoring rules in an additional
daemon. If the monitoring code only needs to be as simple as "fetch a
test file through HTTP", again, why (and how) is the example script above
not completely sufficient?

Daniel

[1] Usually called 'system administrator', see
http://www.sage.org/pubs/8_jobs/core.mm
[2] http://dictionary.reference.com/search?q=professional
[3] http://www.nagios.org/
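The poll-and-update loop the thread describes, written as a shell script in the spirit of the argument above. This is an added example, not the script linked from the archive or anything from the thread; it assumes a pf table named webhosts, a /healthcheck URL served by each backend and curl(1) on the firewall, and the counter threshold, state directory and interval are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): probe each backend over HTTP and keep
# the pf table of live web hosts in sync. Assumed names: table "webhosts",
# a /healthcheck URL on every backend, curl(1) and pfctl(8) on the firewall.
TABLE=${TABLE:-webhosts}
PFCTL=${PFCTL:-pfctl}            # set to "true" or "echo" for a dry run
HEALTH_PATH=${HEALTH_PATH:-/healthcheck}
TIMEOUT=${TIMEOUT:-5}            # seconds per HTTP probe
FAILS_NEEDED=${FAILS_NEEDED:-3}  # consecutive failures before removal
STATE_DIR=${STATE_DIR:-/var/run/webcheck}
INTERVAL=${INTERVAL:-10}         # seconds between polling rounds

# backend_ok IP: succeed only if the backend serves the test URL with 2xx.
backend_ok() {
    curl -sf --max-time "$TIMEOUT" "http://$1$HEALTH_PATH" >/dev/null 2>&1
}

# fail_count IP: consecutive failures recorded for this backend (0 if none).
fail_count() {
    [ -r "$STATE_DIR/$1" ] && cat "$STATE_DIR/$1" || echo 0
}

# sync_backend IP: update the failure counter and the pf table; print the
# action taken. A host is deleted only after FAILS_NEEDED consecutive failed
# probes and re-added on the first good one, so one lost probe cannot flap it.
sync_backend() {
    ip=$1
    if backend_ok "$ip"; then
        rm -f "$STATE_DIR/$ip"
        "$PFCTL" -q -t "$TABLE" -T add "$ip"      # no-op if already present
        echo add
        return 0
    fi
    n=$(( $(fail_count "$ip") + 1 ))
    echo "$n" > "$STATE_DIR/$ip"
    if [ "$n" -ge "$FAILS_NEEDED" ]; then
        "$PFCTL" -q -t "$TABLE" -T delete "$ip"   # no-op if already absent
        echo delete
    else
        echo "warn $n/$FAILS_NEEDED"
    fi
}

# Usage: webcheck.sh IP [IP ...]  (loops forever; no arguments does nothing)
if [ $# -gt 0 ]; then
    mkdir -p "$STATE_DIR"
    while :; do
        for ip in "$@"; do
            sync_backend "$ip" | logger -t webcheck -p daemon.info
        done
        sleep "$INTERVAL"
    done
fi
```

Run it from rc.local or under a supervisor with the backend addresses as arguments; the pf side is only the two pfctl table commands the original question already names.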