Building a jumphost using the Zabbix API and Python

A lot of organizations have a jumphost to access servers, switches, and their other equipment from a host. A jumphost generally has all the firewall rules needed to access everything important. Now if we keep our monitoring up to date, we should have every single host in there as well.

My friend, ex-colleague, and fellow Zabbix geek, Yadvir Singh, had the amazing idea to create a Python script to export all Zabbix hosts with their IPs to the /etc/hosts file on another Linux host. Let’s see how we can build a jumphost just like his.

Getting ready

We are going to need a new host for this recipe with Linux installed and ready. We’ll call this host lar-book-jump. We will also need our Zabbix server, for which I’ll use lar-book-centos.

Also, it is important to navigate to Yadvir on his GitHub account, drop him a follow, and star his repository if you too think this is a cool script: https://github.com/cheatas/zabbix_scripts.

Important note

Setting up this script will overwrite your /etc/hosts file every time the script is executed. Only use this script when you understand what it’s doing, make sure you use an empty host for this lab, and check the default /etc/hosts settings.

How to do it…

  1. If you haven’t already created an API user, then know that we are going to need a new user for API calls, but to create that we need a user group first. Click the blue Create user group button.
  2. Now let’s create the following User group:
    Figure 9.9 – Zabbix Administration | Users group, create user group page, API users for jumphost

  3. Now let’s click on Permissions to fill out some more information before saving.
  4. Click on the white Select button and select all the user groups available in your Zabbix server. Then press the blue Select button.
  5. Click on Read-write and then press the underlined Add button. It should now look like this:
    Figure 9.10 – Zabbix Administration | Users group, create user group permissions page, API users for jumphost

  6. Notice how it says All groups with Read-write permissions. Now, you can click the blue Add button at the bottom of the page.
  7. Next up, go to Administration | Users and click on Create user. We’ll create the following user:
    Figure 9.11 – Zabbix Administration | Users, create user page, API user for jumphost

  8. In general, you should always create a secure password for a production environment. For this lab environment, I’ll just be using the password password though.
  9. Let’s edit the Permissions tab for the API user as well. Add the following:
    Figure 9.12 – Zabbix Administration | Users, create user Permissions page, API user for jumphost

  10. Click on the blue Add button at the bottom of the page to finish creating this user.
  11. Install Python 3 on the host CLI with the following command:

    For RHEL-based systems:

    dnf install python3

    For Debian-based systems:

    apt-get install python3
  12. Python pip should’ve been installed with this package by default as well. If not, issue the following command:

    For RHEL-based systems:

    dnf install python3-pip

    For Debian-based systems:

    apt-get install python3-pip
  13. Now let’s install our dependencies using Python pip. We’ll need these dependencies as they’ll be used in the script:
    pip3 install requests
  14. First things first, log in to our new Linux host, lar-book-jump, and download Yadvir’s script to your Linux host with the following command:
    wget https://raw.githubusercontent.com/cheatas/zabbix_scripts/main/host_pull_zabbix.py
  15. If you can’t use wget from your host, you can download the script at the following URL: https://github.com/cheatas/zabbix_scripts/blob/main/host_pull_zabbix.py.
  16. As a backup, we also provide this script in the Packt repository. You may download this version at https://github.com/PacktPublishing/Zabbix-5-Network-Monitoring-Cookbook/blob/master/chapter9/host_pull_zabbix.py.
  17. Now let’s edit the script by executing the following command:
    vim host_pull_zabbix.py
  18. We will need to request our API token and change the following lines to match your Zabbix configuration, with zabbix_url being the Zabbix frontend URL of your installation, and zabbix_username and zabbix_password being the values of the user we just created:
    zabbix_url = 'http://10.16.16.152/zabbix/api_jsonrpc.php?'
    zabbix_username = "API"
    zabbix_password = "password"
  19. We also need to uncomment the following line at the end of the file by removing # from the beginning of the following line like this:
    print(get_api_token(zabbix_url))
  20. Now execute the script with the following command:
    python3 host_pull_zabbix.py
  21. This will return a token like this:
    Figure 9.13 – Token returned after execution

  22. Copy this token and edit the file again with the following command:
    vim host_pull_zabbix.py
  23. Paste the API token that was printed between the double quotes at api_token = "". It will look like this:
    Figure 9.14 – Token filled in our script

  24. Then re-comment the following line by placing a # before the following line:
    #print(get_api_token(zabbix_url))
  25. We also need to uncomment the following lines:
    zabbix_hosts = get_hosts(api_token,zabbix_url)
    generate_host_file(zabbix_hosts,"/etc/hosts")
  26. The end of the script should now look like this:
    Figure 9.15 – End of the script after receiving the API token and with commenting removed

  27. We can now remove the zabbix_password entry from our file.
  28. Last but not least, make sure to comment and uncomment the right lines for your Linux distro. It will look like this:

    Debian-based:

    Figure 9.16 – Print to file for Debian-based systems

    For RHEL-based systems:

    Figure 9.17 – Print to file for RHEL-based systems

  29. That’s all there is to do, so we can now execute the script again and start using it. Let’s execute the script as follows:
    python3 host_pull_zabbix.py
  30. Test whether it worked by looking at the host file with the following command:
    cat /etc/hosts

    This should give us an output like that in the following screenshot:

    Figure 9.18 – /etc/hosts filled with our script information

  31. We can now try to SSH directly to the name of a host, instead of having to use the IP, by issuing the following command:
    ssh lar-book-agent_passive
  32. We can also use it to find hosts from the file with the following command:
    cat /etc/hosts | grep agent
  33. Let’s do one more thing. We want this script to be as up to date as possible. So, let’s add a cronjob. Issue the following command to add a cronjob:
    crontab -e
  34. Then add the following line, making sure to fill in the right script location for your setup:
    */15 * * * * $(which python3) /home/host_pull_zabbix.py >> ~/cron.log 2>&1

That’s it – we will now have an up-to-date /etc/hosts file all the time with our new Python script and Zabbix.

How it works

If your organization uses Zabbix as the main monitoring system, you now have the skills and knowledge to create an organized, reliably up-to-date, and easy-to-use jumphost. Jumphosts are super useful when set up correctly, but it’s important to keep them clean so that they are easy to update.

By using this script, we only add Python 3 and a simple script as a requirement to the server, but the end result is a jumphost that knows about all hosts in the environment.

If you’ve followed along with the previous Using the Zabbix API for extending functionality recipe, then you might notice that it works in roughly the same way. We can see in the following diagram how we utilize the script:

Figure 9.19 – Jumphost using script functionality diagram

In step 0.1 of the preceding diagram, our script requests an API token, which we receive in step 0.2 by printing it to the CLI. We edit our script (as we did in step 22) to use the token instead of the username and password for security. This step is not repeated in the process, which is why these are step 0.1 and step 0.2. Every time the script is executed from now on, it will start at step 1.

Important note

In Zabbix 6, we might see the ability to configure API keys in the Zabbix frontend. This would eliminate the need to script the API key retrieval and improve security. At the time of writing, though, this feature is on the Zabbix development team’s idea board. So, I’m not making any promises.

The requested API token will not expire unless user auto-logout is configured. At this time, it is actually recommended to configure this option. If we don’t do this, we might end up with a lot of active sessions, causing a slow frontend.

After editing, our script will start at step 1 of the preceding diagram to request data with an API call. We receive this data in step 2. In the script, we add our default values and then write all the hostnames and IP addresses to the /etc/hosts file.

Now, because a Linux host uses the /etc/hosts file for hostname-to-IP translation, we can use the real names of servers in Zabbix to SSH to the hosts. This makes it easier for us to use the jumphost, as we can use the same name as the hostname we know from the Zabbix frontend.
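The write step described above copies names and addresses from Zabbix into a root-owned resolver file every 15 minutes, so the following added example (not code from host_pull_zabbix.py) goes slightly beyond the recipe by validating each entry and replacing the file atomically. The function names, the default lines, and the sample hosts and addresses are assumptions constructed for illustration; only lar-book-agent_passive and 10.16.16.152 appear in the recipe.

```python
import ipaddress
import os
import re
import tempfile

# Added example: function names and default lines are illustrative assumptions.
DEFAULT_LINES = ["127.0.0.1\tlocalhost", "::1\tlocalhost"]
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")
RESERVED = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
SAMPLE_HOSTS = [  # constructed data shaped like a host.get result
    {"host": "lar-book-agent_passive", "interfaces": [{"ip": "10.16.16.153"}]},
    {"host": "Zabbix server", "interfaces": [{"ip": "10.16.16.152"}]},  # space would split into two aliases
    {"host": "localhost", "interfaces": [{"ip": "10.16.16.200"}]},  # would shadow a default entry
    {"host": "lar-book-snmp", "interfaces": [{"ip": ""}]},  # DNS-only interface, no IP
    {"host": "lar-book-local", "interfaces": [{"ip": "127.0.0.1"}]},  # would point at the jumphost itself
]

def render_hosts(zabbix_hosts, default_lines=DEFAULT_LINES):
    """Return (hosts-file text, [(name, reason)] for every skipped entry)."""
    lines, skipped = list(default_lines), []
    for entry in zabbix_hosts:
        name = str(entry.get("host", ""))
        interfaces = entry.get("interfaces") or [{}]
        try:
            addr = ipaddress.ip_address(interfaces[0].get("ip", ""))
        except ValueError:
            addr = None
        if addr is None or addr.is_loopback:
            skipped.append((name, "unusable IP"))
        elif not NAME_RE.fullmatch(name) or name.lower() in RESERVED:
            skipped.append((name, "unsafe name"))
        else:
            lines.append(f"{addr}\t{name}")
    return "\n".join(lines) + "\n", skipped

def write_atomically(path, content):
    """Write a temp file next to the target, then rename it into place."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(content)
        os.chmod(tmp, 0o644)  # mkstemp creates 0600; a hosts file must be world-readable
        os.replace(tmp, path)  # readers see the old or the new file, never a partial one
    except BaseException:
        os.unlink(tmp)
        raise

if __name__ == "__main__":
    print(*render_hosts(SAMPLE_HOSTS), sep="\n")
```

Sending the skipped list to the cron log makes a renamed or mis-addressed Zabbix host visible instead of silently changing name resolution on the jumphost.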
