A lot of organizations have a jumphost to access servers, switches, and their other equipment from a host. A jumphost generally has all the firewall rules needed to access everything important. Now if we keep our monitoring up to date, we should have every single host in there as well.
My friend, ex-colleague, and fellow Zabbix geek, Yadvir Singh, had the amazing idea to create a Python script to export all Zabbix hosts with their IPs to the
/etc/hosts file on another Linux host. Let’s see how we can build a jumphost just like his.
We are going to need a new host for this recipe with Linux installed and ready. We’ll call this host
lar-book-jump. We will also need our Zabbix server, for which I’ll use
Also, it is important to navigate to Yadvir on his GitHub account, drop him a follow, and star his repository if you too think this is a cool script: https://github.com/cheatas/zabbix_scripts.
Setting up this script will override your
/etc/hosts file every time the script is executed. Only use this script when you understand what it’s doing, make sure you use an empty host for this lab, and check the default
How to do it…
- If you haven’t already created an API user, then know that we are going to need a new user for API calls, but to create that we need a user group first. Click the blue Create user group button.
- Now let’s create the following User group:
- Now let’s click on Permissions to fill out some more information before saving.
- Click on the white Select button and select all the user groups available in your Zabbix server. Then press the blue Select button.
- Click on Read-write and then press the underlined Add button. It should now look like this:
- Notice how it says All groups with Read-write permissions. Now, you can click the blue Add button at the bottom of the page.
- Next up, go to Administration | Users and click on Create user. We’ll create the following user:
- In general, you should always create a secure password for a production environment. For this lab environment, I’ll just be using the password
- Let’s edit the Permissions tab for the API user as well. Add the following:
- Click on the blue Add button at the bottom of the page to finish creating this user.
- Install Python 3 on the host CLI with the following command:
For RHEL-based systems:
dnf install python3
For Debian-based systems:
apt-get install python3
pipshould’ve been installed with this package by default as well. If not, issue the following command:
For RHEL-based systems:
dnf install python3-pip
For Debian-based systems:
apt-get install python3-pip
- Now let’s install our dependencies using Python
pip. We’ll need these dependencies as they’ll be used in the script:
pip3 install requests
- First things first, log in to our new Linux host,
lar-book-jump, and download Yadvir’s script to your Linux host with the following command:
- If you can’t use
wgetfrom your host, you can download the script at the following URL: https://github.com/cheatas/zabbix_scripts/blob/main/host_pull_zabbix.py.
- As a backup, we also provide this script in the Packt repository. You may download this version at https://github.com/PacktPublishing/Zabbix-5-Network-Monitoring-Cookbook/blob/master/chapter9/host_pull_zabbix.py.
- Now let’s edit the script by executing the following command:
- We will need to request our API token and change the following lines to match your Zabbix configuration, with
zabbix_urlbeing the Zabbix frontend URL of your installation, and
zabbix_passwordbeing the values of the user we just created:
zabbix_url = 'http://10.16.16.152/zabbix/api_jsonrpc.php?' zabbix_username = "API" zabbix_password = "password"
- We also need to uncomment the following line at the end of the file by removing
#from the beginning of the following line like this:
- Now execute the script with the following command:
- This will return a token like this:
- Copy this token and edit the file again with the following command:
- Paste the API token that was printed between the double quotes at
api_token = "". It will look like this:
- Then re-comment the following line by placing a
#before the following line:
- We also need to uncomment the following lines:
zabbix_hosts = get_hosts(api_token,zabbix_url) generate_host_file(zabbix_hosts,"/etc/hosts")
- The end of the script should now look like this:
- We can now remove the
zabbix_passwordentry from our file.
- Last but not least, make sure to comment and uncomment the right lines for your Linux distro. It will look like this:
For RHEL-based systems:
- That’s all there is to do, so we can now execute the script again and start using it. Let’s execute the script as follows:
- Test whether it worked by looking at the host file with the following command:
This should give us an output like that in the following screenshot:
- We can now try to SSH directly to the name of a host, instead of having to use the IP, by issuing the following command:
- We can also use it to find hosts from the file with the following command:
cat /etc/hosts | grep agent
- Let’s do one more thing. We want this script to be as up to date as possible. So, let’s add a cronjob. Issue the following command to add a cronjob:
- Then add the following line, making sure to fill in the right script location for your setup:
*/15 * * * * $(which python3) /home/host_pull_zabbix.py >> ~/cron.log 2>&1
That’s it – we will now have an up-to-date
/etc/hosts file all the time with our new Python script and Zabbix.
How it works
If your organization uses Zabbix as the main monitoring system, you now have the skills and knowledge to create an organized, reliably up-to-date, and easy-to-use jumphost. Jumphosts are super useful when set up correctly, but it’s important to keep them clean so that they are easy to update.
By using this script, we only add Python 3 and a simple script as a requirement to the server, but the end result is a jumphost that knows about all hosts in the environment.
If you’ve followed along with the previous Using the Zabbix API for extending functionality recipe, then you might notice that it works in roughly the same way. We can see in the following diagram how we utilize the script:
In step 0.1 of the preceding diagram, our script requests an API token, which we receive in step 0.2 by printing it to the CLI. We edit our script (as we did in step 22) to use the token instead of the username and password for security. This step is not repeated in the process, which is why these are step 0.1 and step 0.2. Every time the script is executed from now on, it will start at step 1.
In Zabbix 6, we might see the ability to configure API keys in the Zabbix frontend. This would eliminate the need to script the API key retrieval and improve security. At the time of writing, though, this feature is on the Zabbix development team’s idea board. So, I’m not making any promises.
The requested API token will not expire unless user auto-logout is configured. At this time it is actually recommended to configure this options. If we don’t do this we might end up with a lot of active sessions, causing a slow frontend.
After editing, our script will start at step 1 of the preceding diagram to request data with an API call. We receive this data in step 2. In the script, we add our default values and then write all the hostnames and IP addresses to the
Now, because a Linux host uses the
/etc/hosts file for hostname-to-IP translation, we can use the real names of servers in Zabbix to SSH to the hosts. This makes it easier for us to use the jumphost, as we can use the same name as the hostname we know from the Zabbix frontend.