**Breaking change**: use mongosh instead of mongo binary

Author: m-erhardt

README.md

@@ -6,27 +6,32 @@
 ![Output of check_mongodb_size.py](docs/img/check_mongodb_size.png?raw=true "Output of check_mongodb_size.py")
 
 ## About
-* this repository contains a collection of Icinga / Nagios plugins to monitor a MongoDB database
-* tested with MongoDB 4.2, 4.4 and 5.0
-* Written for python3
-* Minimal dependencies (only required non-default library is `toml`)
+
+- this repository contains a collection of Icinga / Nagios plugins to monitor a MongoDB database
+- tested with MongoDB 4.2, 4.4 and 5.0
+- Written for python3
+- Minimal dependencies (only required non-default library is `toml`)
 
 ## Documentation
+
 * [check_mongodb_stats.py](docs/check_mongodb_stats.md)
 * [check_mongodb_dbsize.py](docs/check_mongodb_dbsize.md)
 
 ## Configuration
 
 #### Python setup
-  * Make sure python 3.x is installed on the machine
-  * Install `toml` library
-    * `pip3 install toml`
+
+- Make sure python 3.x is installed on the machine
+- Install `toml` library 
+  - `pip3 install toml`
 
 #### Configuring the database connection settings
-* For security reasons these plugins do not accept the connections parameters for the database as arguments
-* Instead the plugins reads the parametes from a hidden toml-formatted configuration file
-  * Default: `/etc/nagios/.mdbservice`, use `--credentialfile=/path/to/your/file`for a non-default location
-  * Ideally change the file owner and permissions of `.mdbservice` so that only the user executing the plugins can read the config file
+
+- For security reasons these plugins do not accept the connections parameters for the database as arguments
+- Instead the plugins reads the parametes from a hidden toml-formatted configuration file 
+  - Default: `/etc/nagios/.mdbservice`, use `--credentialfile=/path/to/your/file`for a non-default location
+  - Ideally change the file owner and permissions of `.mdbservice` so that only the user executing the plugins can read the config file
+
     ```toml
     [localhost]
     hostname="localhost"
@@ -35,19 +40,26 @@
     pw="secretpassword"
     authdb="admin"
     tls=true
+    tlscafile="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
     ```
 
 ##### Parameters
-* `[instancename]` : you can configure multiple connections within one `.mdbservice`-file. This config section name corresponds with the `--instance`-argument of the plugin
-* `hostname` : optional, defaults to `localhost`
-* `port` : optional, defaults to `27017`
-* `user` : optional
-* `pw` : optional
-* `authdb` : optional, defaults to `admin`
-* `tls` : `true`/`false`, defaults to `true`
+
+- `[instancename]` : you can configure multiple connections within one `.mdbservice`\-file. This config section name corresponds with the `--instance`\-argument of the plugin
+- `hostname` : optional, defaults to `localhost`
+- `port` : optional, defaults to `27017`
+- `user` : optional
+- `pw` : optional
+- `authdb` : optional, defaults to `admin`
+- `tls` : `true`/`false`, defaults to `true`
+- `tlscafile` : Path to cacerts file for TLS certificate validation
+- `tls_allow_invalid_hostnames` : `true`/`false`, connect to MongoDB via TLS even if the CommonName/SubjectAlternativeName of the Cert does not match our Servername. Defaults to `false`
+- `tls_allow_invalid_certificates`: `true`/`false`, connect to MongoDB via TLS even if the TLS-Certificate is invalid (i.e. expired). Defaults to `false`
 
 #### Configuring database use
-* Open a MongoDB DB shell, create a dedicated monitoring user and assign the `clusterMonitor` role
+
+- Open a MongoDB DB shell, create a dedicated monitoring user and assign the `clusterMonitor` role
+
   ```java
   use admin
   db.createUser(
@@ -60,4 +72,3 @@
       }
   )
   ```
-

check_mongodb_dbsize.py

@@ -15,11 +15,11 @@
 import sys
 import json
 from subprocess import run, PIPE
-from argparse import ArgumentParser
+from argparse import ArgumentParser, Namespace as Arguments
 from toml import load
 
 
-def get_args():
+def get_args() -> Arguments:
     """ Parse Arguments """
     parser = ArgumentParser(
                  description="Icinga/Nagios plugin which checks the size of a \
@@ -47,8 +47,8 @@ def get_args():
 
     miscopts = parser.add_argument_group('Miscellaneous options')
     miscopts.add_argument("--mongobin", required=False,
-                          help="Location of \"mongo\" binary", type=str, dest='mongoloc',
-                          default='/usr/bin/mongo')
+                          help="Location of \"mongosh\" binary", type=str, dest='mongoloc',
+                          default='/usr/bin/mongosh')
 
     args = parser.parse_args()
     return args
@@ -70,7 +70,7 @@ def exit_plugin(returncode: int, output: str, perfdata: str):
         sys.exit(0)
 
 
-def convert_bytes_to_pretty(raw_bytes: int):
+def convert_bytes_to_pretty(raw_bytes: int) -> str:
     """ converts raw bytes into human readable output """
     if raw_bytes >= 1099511627776:
         output = f'{ round(raw_bytes / 1024 **4, 2) }TiB'
@@ -85,11 +85,11 @@ def convert_bytes_to_pretty(raw_bytes: int):
     return output
 
 
-def query_db(args, creds: dict):
+def query_db(args, creds: dict) -> dict:
     """ query instance statistics from MongoDB """
 
     cmd = [args.mongoloc, f'{ creds["hostname"] }:{ creds["port"] }/{ args.db }',
-           "--quiet", "--eval", "JSON.stringify(db.stats())"]
+           "--quiet", "--eval", "EJSON.stringify(db.stats())"]
 
     if creds["user"] != "" and creds["pw"] != "":
         # Append parameters for authentification
@@ -100,10 +100,20 @@ def query_db(args, creds: dict):
         cmd.append('--authenticationDatabase')
         cmd.append(creds["authdb"])
 
+    # Append parameter for TLS connection
     if creds["tls"] is True:
-        # Append parameter for TLS connection
         cmd.append('--tls')
 
+    if creds.get("tlscafile") is not None:
+        cmd.append('--tlsCAFile')
+        cmd.append(f'{ creds["tlscafile"] }')
+
+    if creds["tls_allow_invalid_hostnames"] is True and creds["tls"] is True:
+        cmd.append('--tlsAllowInvalidHostnames')
+
+    if creds["tls_allow_invalid_certificates"] is True and creds["tls"] is True:
+        cmd.append('--tlsAllowInvalidCertificates')
+
     result = run(cmd, shell=False, check=False, stdout=PIPE, stderr=PIPE)
 
     # Check if command exited without error code
@@ -125,7 +135,7 @@ def query_db(args, creds: dict):
     return output
 
 
-def load_db_credentials(file: str, instance: str):
+def load_db_credentials(file: str, instance: str) -> dict:
     """ load MongoDB credentials from file """
 
     try:
@@ -152,6 +162,10 @@ def load_db_credentials(file: str, instance: str):
         creds["authdb"] = "admin"
     if creds.get("tls") is None:
         creds["tls"] = True
+    if creds.get("tls_allow_invalid_hostnames") is None:
+        creds["tls_allow_invalid_hostnames"] = False
+    if creds.get("tls_allow_invalid_certificates") is None:
+        creds["tls_allow_invalid_certificates"] = False
 
     return creds
 

check_mongodb_stats.py

@@ -16,11 +16,11 @@
 import json
 from datetime import timedelta
 from subprocess import run, PIPE
-from argparse import ArgumentParser
+from argparse import ArgumentParser, Namespace as Arguments
 from toml import load
 
 
-def get_args():
+def get_args() -> Arguments:
     """ Parse Arguments """
     parser = ArgumentParser(
                  description="Icinga/Nagios plugin which checks metrics of a \
@@ -34,8 +34,8 @@ def get_args():
                         dest='instance', default='localhost')
     miscopts = parser.add_argument_group('Miscellaneous options')
     miscopts.add_argument("--mongobin", required=False,
-                          help="Location of \"mongo\" binary", type=str, dest='mongoloc',
-                          default='/usr/bin/mongo')
+                          help="Location of \"mongosh\" binary", type=str, dest='mongoloc',
+                          default='/usr/bin/mongosh')
 
     args = parser.parse_args()
     return args
@@ -57,11 +57,11 @@ def exit_plugin(returncode: int, output: str, perfdata: str):
         sys.exit(0)
 
 
-def query_db(args, creds: dict):
+def query_db(args, creds: dict) -> dict:
     """ query instance statistics from MongoDB """
 
     cmd = [args.mongoloc, f'{ creds["hostname"] }:{ creds["port"] }',
-           "--quiet", "--eval", "JSON.stringify(db.serverStatus())"]
+           "--quiet", "--eval", "EJSON.stringify(db.serverStatus())"]
 
     if creds["user"] != "" and creds["pw"] != "":
         # Append parameters for authentification
@@ -72,10 +72,20 @@ def query_db(args, creds: dict):
         cmd.append('--authenticationDatabase')
         cmd.append(creds["authdb"])
 
+    # Append parameter for TLS connection
     if creds["tls"] is True:
-        # Append parameter for TLS connection
         cmd.append('--tls')
 
+    if creds.get("tlscafile") is not None:
+        cmd.append('--tlsCAFile')
+        cmd.append(f'{ creds["tlscafile"] }')
+
+    if creds["tls_allow_invalid_hostnames"] is True and creds["tls"] is True:
+        cmd.append('--tlsAllowInvalidHostnames')
+
+    if creds["tls_allow_invalid_certificates"] is True and creds["tls"] is True:
+        cmd.append('--tlsAllowInvalidCertificates')
+
     result = run(cmd, shell=False, check=False, stdout=PIPE, stderr=PIPE)
 
     # Check if command exited without error code
@@ -93,7 +103,7 @@ def query_db(args, creds: dict):
     return output
 
 
-def load_db_credentials(file: str, instance: str):
+def load_db_credentials(file: str, instance: str) -> dict:
     """ load MongoDB credentials from file """
 
     try:
@@ -120,6 +130,10 @@ def load_db_credentials(file: str, instance: str):
         creds["authdb"] = "admin"
     if creds.get("tls") is None:
         creds["tls"] = True
+    if creds.get("tls_allow_invalid_hostnames") is None:
+        creds["tls_allow_invalid_hostnames"] = False
+    if creds.get("tls_allow_invalid_certificates") is None:
+        creds["tls_allow_invalid_certificates"] = False
 
     return creds
 
@@ -146,9 +160,9 @@ def main():
         instance['conn_cur'] = int(stats['connections']['current'])
         instance['conn_avail'] = int(stats['connections']['available'])
         instance['conn_total'] = int(instance['conn_cur'] + instance['conn_avail'])
-        instance['byte_in'] = int(stats['network']['bytesIn']['$numberLong'])
-        instance['byte_out'] = int(stats['network']['bytesOut']['$numberLong'])
-        instance['transactions'] = int(stats['transactions']['totalCommitted']['$numberLong'])
+        instance['byte_in'] = int(stats['network']['bytesIn'])
+        instance['byte_out'] = int(stats['network']['bytesOut'])
+        instance['transactions'] = int(stats['transactions']['totalCommitted'])
         instance['mem_virt'] = int(stats['mem']['virtual'])
         instance['mem_resident'] = int(stats['mem']['resident'])
 

docs/check_mongodb_dbsize.md

@@ -4,8 +4,8 @@
 
 ## Usage
 ```
-usage: check_mongodb_dbsize.py [-h] --database DB [--wsize WSIZE] [--csize CSIZE] [--wobj WOBJ] [--cobj COBJ] [--credentialfile CREDFILE] [--instance INSTANCE]
-                               [--mongobin MONGOLOC]
+usage: check_mongodb_dbsize.py [-h] --database DB [--wsize WSIZE] [--csize CSIZE] [--wobj WOBJ] [--cobj COBJ] [--credentialfile CREDFILE]
+                               [--instance INSTANCE] [--mongobin MONGOLOC]
 
 Icinga/Nagios plugin which checks the size of a MongoDB database
 
@@ -25,7 +25,7 @@ Instance parameters:
   --instance INSTANCE   Use credentials for this instance
 
 Miscellaneous options:
-  --mongobin MONGOLOC   Location of "mongo" binary
+  --mongobin MONGOLOC   Location of "mongosh" binary
 ```
 
 ### Usage example
@@ -36,7 +36,7 @@ OK - Database "exampledb" contains: 6 Collections, 0 Views, 8011700 Objects, 19
 ```
 
 ### Parameters
-* `--credentialfile /path/to/.mdbservice` : specify a non-default location for your connection settings file (default: `/etc/nagios/.mdbservice`)
-* `--instance server01` : refers to the config section within the `.mdbservice` file (defaults to `localhost`)
-* `--mongobin /path/to/mongo` : use this parameter if your `mongo` binary is not located at `/usr/bin/mongo`
+- `--credentialfile /path/to/.mdbservice` : specify a non-default location for your connection settings file (default: `/etc/nagios/.mdbservice`)
+- `--instance server01` : refers to the config section within the `.mdbservice` file (defaults to `localhost`)
+- `--mongobin /path/to/mongosh` : use this parameter if your `mongosh` binary is not located at `/usr/bin/mongosh`
 

docs/check_mongodb_stats.md

@@ -17,7 +17,7 @@ Instance parameters:
   --instance INSTANCE   Use credentials for this instance
 
 Miscellaneous options:
-  --mongobin MONGOLOC   Location of "mongo" binary
+  --mongobin MONGOLOC   Location of "mongosh" binary
 ```
 
 ### Usage example
@@ -28,7 +28,7 @@ OK - MongoDB 4.2.20 is up for 15 days, 3:35:10 - Connections: 61, Memory: 7132Mi
 ```
 
 ### Parameters
-* `--credentialfile /path/to/.mdbservice` : specify a non-default location for your connection settings file (default: `/etc/nagios/.mdbservice`)
-* `--instance server01` : refers to the config section within the `.mdbservice` file (defaults to `localhost`)
-* `--mongobin /path/to/mongo` : use this parameter if your `mongo` binary is not located at `/usr/bin/mongo`
+- `--credentialfile /path/to/.mdbservice` : specify a non-default location for your connection settings file (default: `/etc/nagios/.mdbservice`)
+- `--instance server01` : refers to the config section within the `.mdbservice` file (defaults to `localhost`)
+- `--mongobin /path/to/mongosh` : use this parameter if your `mongosh` binary is not located at `/usr/bin/mongosh`