[ansible] Add packages
by Nicolas Chauvet
commit 86e0da39bb261bf896e99cd2a4514a7729516bf1
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jun 17 16:56:40 2020 +0200
Add packages
roles/packages3/bugz.fp.o/files/bugz.conf | 5 +
roles/packages3/bugz.fp.o/tasks/main.yml | 9 +
roles/packages3/web/files/distmappings.py | 41 ++++
.../packages3/web/files/fedmsg-hub-forward-compat | 9 +
roles/packages3/web/files/package_128x128.png | Bin 0 -> 12266 bytes
roles/packages3/web/files/packages-httpd.conf | 76 +++++++
roles/packages3/web/tasks/main.yml | 167 +++++++++++++++
roles/packages3/web/templates/fedoracommunity.py | 7 +
roles/packages3/web/templates/packages-app.ini.j2 | 226 ++++++++++++++++++++
9 files changed, 540 insertions(+), 0 deletions(-)
---
diff --git a/roles/packages3/bugz.fp.o/files/bugz.conf b/roles/packages3/bugz.fp.o/files/bugz.conf
new file mode 100644
index 0000000..bcd126c
--- /dev/null
+++ b/roles/packages3/bugz.fp.o/files/bugz.conf
@@ -0,0 +1,5 @@
+RewriteEngine On
+RewriteMap lowercase int:tolower
+
+RewriteRule ^/(.+) https://apps.rpmfusion.org/packages/$1/bugs/all [R,L]
+RewriteRule ^/$ https://bugzilla.rpmfusion.org/ [R,L]
diff --git a/roles/packages3/bugz.fp.o/tasks/main.yml b/roles/packages3/bugz.fp.o/tasks/main.yml
new file mode 100644
index 0000000..675232e
--- /dev/null
+++ b/roles/packages3/bugz.fp.o/tasks/main.yml
@@ -0,0 +1,9 @@
+- copy: >
+ src=bugz.conf dest=/etc/httpd/conf.d/{{website}}/bugz.conf
+ owner=root group=root mode=0644
+ notify:
+ - reload httpd
+ tags:
+ - packages
+ - packages/proxy
+ - packages/bugz.fp.o
diff --git a/roles/packages3/web/files/distmappings.py b/roles/packages3/web/files/distmappings.py
new file mode 100644
index 0000000..ebf4b30
--- /dev/null
+++ b/roles/packages3/web/files/distmappings.py
@@ -0,0 +1,41 @@
+# Global list of koji tags we care about
+tags = ({'name': 'Rawhide Free', 'tag': 'f33-free'},
+ {'name': 'Rawhide NonFree', 'tag': 'f33-nonfree'},
+
+ {'name': 'Fedora 32 Free', 'tag': 'f32-free-updates'},
+ {'name': 'Fedora 32 Free', 'tag': 'f32-free'},
+ {'name': 'Fedora 32 Free Testing', 'tag': 'f32-free-updates-testing'},
+
+ {'name': 'Fedora 32 NonFree', 'tag': 'f32-nonfree-updates'},
+ {'name': 'Fedora 32 NonFree', 'tag': 'f32-nonfree'},
+ {'name': 'Fedora 32 NonFree Testing', 'tag': 'f32-nonfree-updates-testing'},
+
+ {'name': 'Fedora 31 Free', 'tag': 'f31-free-updates'},
+ {'name': 'Fedora 31 Free', 'tag': 'f31-free'},
+ {'name': 'Fedora 31 Free Testing', 'tag': 'f31-free-updates-testing'},
+
+ {'name': 'Fedora 31 NonFree', 'tag': 'f31-nonfree-updates'},
+ {'name': 'Fedora 31 NonFree', 'tag': 'f31-nonfree'},
+ {'name': 'Fedora 31 NonFree Testing', 'tag': 'f31-nonfree-updates-testing'},
+
+
+ {'name': 'EPEL 8 Free', 'tag': 'el8-free'},
+ {'name': 'EPEL 8 Free Testing', 'tag': 'el8-free-testing'},
+ {'name': 'EPEL 8 NonFree', 'tag': 'el8-nonfree'},
+ {'name': 'EPEL 8 NonFree Testing', 'tag': 'el8-nonfree-testing'},
+
+ {'name': 'EPEL 7 Free', 'tag': 'el7-free'},
+ {'name': 'EPEL 7 Free Testing', 'tag': 'el7-free-testing'},
+ {'name': 'EPEL 7 NonFree', 'tag': 'el7-nonfree'},
+ {'name': 'EPEL 7 NonFree Testing', 'tag': 'el7-nonfree-testing'},
+
+ {'name': 'EPEL 6 Free', 'tag': 'el6-free'},
+ {'name': 'EPEL 6 Free Testing', 'tag': 'el6-free-testing'},
+ {'name': 'EPEL 6 NonFree', 'tag': 'el6-nonfree'},
+ {'name': 'EPEL 6 NonFree Testing', 'tag': 'el6-nonfree-testing'},
+
+ )
+
+tags_to_name_map = {}
+for t in tags:
+ tags_to_name_map[t['tag']] = t['name']
diff --git a/roles/packages3/web/files/fedmsg-hub-forward-compat b/roles/packages3/web/files/fedmsg-hub-forward-compat
new file mode 100644
index 0000000..239f620
--- /dev/null
+++ b/roles/packages3/web/files/fedmsg-hub-forward-compat
@@ -0,0 +1,9 @@
+#!/usr/bin/python
+__requires__ = ['fedmsg>=0.13.1', 'WebOb>=0.9.7', 'sqlalchemy>=0.7']
+import sys
+from pkg_resources import load_entry_point
+
+if __name__ == '__main__':
+ sys.exit(
+ load_entry_point('fedmsg', 'console_scripts', 'fedmsg-hub')()
+ )
diff --git a/roles/packages3/web/files/package_128x128.png b/roles/packages3/web/files/package_128x128.png
new file mode 100644
index 0000000..d566f36
Binary files /dev/null and b/roles/packages3/web/files/package_128x128.png differ
diff --git a/roles/packages3/web/files/packages-httpd.conf b/roles/packages3/web/files/packages-httpd.conf
new file mode 100644
index 0000000..14348c1
--- /dev/null
+++ b/roles/packages3/web/files/packages-httpd.conf
@@ -0,0 +1,76 @@
+LoadModule expires_module modules/mod_expires.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule deflate_module modules/mod_deflate.so
+
+ExpiresActive On
+#ExpiresDefault "access plus 300 seconds"
+
+ErrorLog logs/fedoracommunity_error_log
+CustomLog logs/fedoracommunity_access_log combined
+
+AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css application/x-javascript
+
+# This caching may not necessarily be ideal, or even correct.
+# However, it was the only I could get firebug to show me 302's for
+# my ToscaWidget resources.
+<filesmatch ".(gif|jpe?g|png|css|js)$">
+ Header unset Cache-Control
+ Header unset Etag
+ Header add Cache-Control "max-age=2592000"
+ #ExpiresDefault A2592000
+</filesmatch>
+
+# we are deploying the packager app that is part of the new RPM Fusion Community
+Alias /packages/css /usr/share/fedoracommunity/public/css
+Alias /packages/javascript /usr/share/fedoracommunity/public/javascript
+Alias /packages/images/icons /var/cache/fedoracommunity/packages/icons
+Alias /packages/images /usr/share/fedoracommunity/public/images
+Alias /packages/_res /usr/share/fedoracommunity/public/toscawidgets/resources/
+
+Alias /packages/tw2/resources/tw2.jqplugins.ui/static /usr/lib/python2.7/site-packages/tw2/jqplugins/ui/static
+Alias /packages/tw2/resources/tw2.jquery/static /usr/lib/python2.7/site-packages/tw2/jquery/static
+Alias /packages/tw2/resources/fedoracommunity.connectors.widgets.widgets/static /usr/lib/python2.7/site-packages/fedoracommunity/connectors/widgets/static
+
+<Directory /usr/lib/python2.7/site-packages/tw2/jqplugins/ui/static>
+ Require all granted
+</Directory>
+
+<Directory /usr/lib/python2.7/site-packages/tw2/jquery/static>
+ Require all granted
+</Directory>
+
+<Directory /usr/lib/python2.7/site-packages/fedoracommunity/connectors/widgets/static>
+ Require all granted
+</Directory>
+
+# Temporarily disabled until we can figure out how to get the moksha
+# javascript resources pulled in with `python setup.py archive_tw_resources`
+#Alias /community/toscawidgets /usr/share/fedoracommunity/public/toscawidgets
+
+WSGIPythonEggs /var/cache/fedoracommunity/.python-eggs
+WSGIDaemonProcess fedoracommunity user=apache maximum-requests=50000 display-name=fedoracommunity processes=8 threads=4
+WSGISocketPrefix run/wsgi
+WSGIRestrictStdout Off
+WSGIRestrictSignal Off
+WSGIPythonOptimize 1
+
+WSGIScriptAlias /packages /usr/share/fedoracommunity/fedora-packages.wsgi
+
+<Directory /usr/share/fedoracommunity/>
+ Require all granted
+ WSGIProcessGroup fedoracommunity
+</Directory>
+
+<Directory /var/cache/fedoracommunity/git.fedoraproject.org>
+ Require all granted
+</Directory>
+
+<Directory /var/cache/fedoracommunity/packages/icons/>
+ # If someone tries to access an icon that doesn't exist,
+ # then send them to the default icon. This is used by
+ # fedmenu, which will request icons for packages that
+ # don't necessarily have them. The UI will look weird
+ # unless those get magically redirected to a nice default.
+ Require all granted
+ ErrorDocument 404 https://apps.rpmfusion.org/packages/images/icons/package_128x128.png
+</Directory>
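Review bot: `<Directory /usr/share/fedoracommunity/>` applies `Require all granted` to the whole application tree, although the aliases above only serve paths under `public/` and the WSGI script; scoping the grant to `/usr/share/fedoracommunity/public` plus a `<Files fedora-packages.wsgi>` block would keep anything else that lands in that directory unreachable. The `<Directory /var/cache/fedoracommunity/git.fedoraproject.org>` grant has no `Alias` pointing at it in this file, so it looks unnecessary and could be dropped once it is confirmed that nothing else maps it. In `<filesmatch ".(gif|jpe?g|png|css|js)$">` the leading dot is unescaped and matches any character; `"\.(gif|jpe?g|png|css|js)$"` is presumably what was meant.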
diff --git a/roles/packages3/web/tasks/main.yml b/roles/packages3/web/tasks/main.yml
new file mode 100644
index 0000000..1e6d1ae
--- /dev/null
+++ b/roles/packages3/web/tasks/main.yml
@@ -0,0 +1,167 @@
+---
+#
+# Configuration for the fedora-packages webapp
+- name: install needed packages
+ package: name={{ item }} state=present
+ with_items:
+ - fedora-packages
+ - python-memcached
+ tags:
+ - packages
+ - packages/web
+
+- name: Create some directories
+ file:
+ path={{ item }}
+ state=directory
+ owner=apache
+ group=fedmsg
+ mode=775
+ with_items:
+ - /etc/fedoracommunity
+ - /var/cache/fedoracommunity # the gluster role usually creates this one
+ - /var/tmp/fedoracommunity
+ tags:
+ - packages
+ - packages/web
+
+- name: Create some more locked down directories
+ file: path={{ item }} state=directory owner=apache group=apache mode=700
+ with_items:
+ - /etc/pki/fedoracommunity
+ tags:
+ - packages
+ - packages/web
+
+- name: Copy over the app config
+ template: >
+ src=packages-app.ini.j2
+ dest=/etc/fedoracommunity/production.ini
+ owner=apache group=fedmsg mode=0440
+ notify:
+ - reload httpd
+ - restart fedmsg-hub
+ tags:
+ - packages
+ - packages/web
+
+- name: Copy over the httpd config
+ copy: >
+ src=packages-httpd.conf
+ dest=/etc/httpd/conf.d/fedora-packages.conf
+ owner=root group=root mode=644
+ notify:
+ - reload httpd
+ tags:
+ - packages
+ - packages/web
+
+- name: Copy over the fedmsg consumer config
+ template: >
+ src=fedoracommunity.py
+ dest=/etc/fedmsg.d/fedoracommunity.py
+ owner=root group=root mode=644
+ notify:
+ - restart fedmsg-hub
+ tags:
+ - packages
+ - packages/web
+
+- name: Copy over certs/public-keys, probably for talking with koji.
+ copy: >
+ src="{{private}}/files/packages/fedora-ca.cert"
+ dest="/etc/pki/fedoracommunity/{{item}}"
+ owner=apache
+ group=apache
+ mode=0644
+ with_items:
+ - fedora-server-ca.cert
+ - fedora-upload-ca.cert
+ tags:
+ - packages
+ - packages/web
+
+- name: permanently hotfix the distmappings file
+ copy: >
+ src=distmappings.py
+ dest="{{pythonsitelib}}/fedoracommunity/search/distmappings.py"
+ owner=root group=root mode=0644
+ notify:
+ - reload httpd
+ - restart fedmsg-hub
+ tags:
+ - packages
+ - packages/web
+ when: ansible_distribution_major_version|int < 7 and ansible_distribution == 'RedHat'
+
+# Here's the indexer stuff
+- name: Create cache structure
+ file: >
+ dest="/var/cache/fedoracommunity/{{item}}"
+ state=directory
+ owner=apache
+ group=fedmsg
+ mode=0775
+ with_items:
+ - packages
+ - rpm_cache
+ - git.fedoraproject.org
+ - packages/icons
+ - packages/xapian
+ - packages/xapian/search
+ - packages/tmp
+ - packages/tmp/icons
+ - packages/tmp/search
+ - packages/tmp/var
+ when: install_packages_indexer
+ tags:
+ - packages
+ - packages/web
+
+- name: Copy over the default icon
+ copy: >
+ src=package_128x128.png
+ dest=/var/cache/fedoracommunity/packages/icons/package_128x128.png
+ owner=root mode=644 setype=fusefs_t
+ when: install_packages_indexer
+ tags:
+ - packages
+ - packages/web
+ - icon
+
+- name: hotfix the fedmsg-hub executable to pick up forward compat packages
+ copy: src=fedmsg-hub-forward-compat dest=/usr/bin/fedmsg-hub
+ tags:
+ - packages
+ - packages/web
+ - hotfix
+ when: ansible_distribution_major_version|int < 7 and ansible_distribution == 'RedHat'
+
+# Lastly, here's some selinux stuff.
+- name: set some selinux booleans
+ seboolean: name={{item}} persistent=yes state=yes
+ with_items:
+ - httpd_tmp_exec
+ - httpd_can_network_memcache
+ - httpd_can_network_connect
+ - httpd_use_fusefs
+ - httpd_use_nfs
+ - httpd_execmem
+ tags:
+ - packages
+ - packages/web
+ - selinux
+
+- name: /var/cache/fedoracommunity/git.fedoraproject.org file contexts
+ sefcontext:
+ target: '/var/cache/fedoracommunity/git.fedoraproject.org(/.*)?'
+ setype: httpd_sys_rw_content_t
+ state: present
+
+- name: Build the database the first time. This takes a while
+ command: /usr/bin/fcomm-index-packages --index-db-dest=/var/cache/fedoracommunity/packages/xapian --icons-dest /var/cache/fedoracommunity/packages/icons --mdapi-url=https://apps{{env_suffix}}.fedoraproject.org/mdapi --icons-url=https://dl.fedoraproject.org/pub/alt/screenshots creates=/var/cache/fedoracommunity/packages/xapian/search/termlist.glass
+ tags:
+ - packages
+ - packages/web
+ - selinux
+ when: ansible_distribution_major_version|int > 6 and (ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora')
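Review bot: The `set some selinux booleans` task persistently enables `httpd_execmem`, `httpd_tmp_exec` and `httpd_can_network_connect` with no comment on what needs them; these relax a large part of the SELinux confinement of httpd, so each should carry a one-line justification and any the app does not need should be dropped (`httpd_use_fusefs` and `httpd_use_nfs` look tied to a network-mounted cache; confirm that still applies). `Create some directories` makes `/etc/fedoracommunity` `owner=apache` with `mode=775`, so the account that serves the app can replace its own `production.ini`; a root-owned directory that apache and fedmsg can only read would be tighter. The `hotfix the fedmsg-hub executable` copy to `/usr/bin/fedmsg-hub` sets no ownership or mode; add `owner=root group=root mode=0755`.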
diff --git a/roles/packages3/web/templates/fedoracommunity.py b/roles/packages3/web/templates/fedoracommunity.py
new file mode 100644
index 0000000..4bb5213
--- /dev/null
+++ b/roles/packages3/web/templates/fedoracommunity.py
@@ -0,0 +1,7 @@
+config = {
+ {% if install_packages_indexer %}
+ 'fedoracommunity.fedmsg.consumer.enabled': True,
+ {% else %}
+ 'fedoracommunity.fedmsg.consumer.enabled': False,
+ {% endif %}
+}
diff --git a/roles/packages3/web/templates/packages-app.ini.j2 b/roles/packages3/web/templates/packages-app.ini.j2
new file mode 100644
index 0000000..1973c72
--- /dev/null
+++ b/roles/packages3/web/templates/packages-app.ini.j2
@@ -0,0 +1,226 @@
+##
+## Fedora Community Production configuration
+##
+## $Id: fedoracommunity-prod.ini.erb,v 1.0 2009/05/03 23:38:07 johnp Exp $
+##
+
+[DEFAULT]
+profile = false
+debug = false
+profile.connectors = false
+profile.dir = /var/log/fedoracommunity/profile
+
+# This is required to avoid a 404 error on, e.g. /packages/python-webob1.2
+disable_request_extensions = True
+
+#email_to = root(a)rpmfusion.org
+#smtp_server = gateway
+#error_email_from = fedoracommunity(a)rpmfusion.org
+
+fedoracommunity.extensions_dir = {{ pythonsitelib }}/fedoracommunity/plugins/extensions
+
+fedoracommunity.script_name = /packages
+fedoracommunity.connector.kojihub.baseurl = https://koji{{env_suffix}}.rpmfusion.org/kojihub
+fedoracommunity.connector.bodhi.baseurl = https://bodhi{{env_suffix}}.rpmfusion.org/
+fedoracommunity.connector.mdapi.baseurl = https://apps{{env_suffix}}.fedoraproject.org/mdapi
+fedoracommunity.connector.fas.baseurl = https://admin{{env_suffix}}.rpmfusion.org/accounts/
+fedoracommunity.connector.icons.baseurl = http://download01.phx2.fedoraproject.org/pub/alt/screenshots
+fedoracommunity.connector.bugzilla.baseurl = https://bugzilla.rpmfusion.org/xmlrpc.cgi
+fedoracommunity.connector.bugzilla.cookiefile = /var/cache/fedoracommunity/bugzillacookies
+fedoracommunity.connector.xapian.package-search.db = /var/cache/fedoracommunity/packages/xapian/search
+
+fedoracommunity.resource_path_prefix = /packages/_res/
+
+# Git settings
+git_repo_path = /var/cache/fedoracommunity/git.rpmfusion.org
+
+# FAS is locked down so we need a minimal user inorder to get public user info
+# to unauthenticated users. You need to get a locked down account for this
+# and fill in the user info here. Never check this file into git with
+# this information filled in
+fedoracommunity.connector.fas.minimal_user_name={{ fcommFasUser }}
+fedoracommunity.connector.fas.minimal_user_password={{ fcommFasPassword }}
+
+# This is insecure, use only for testing
+fedora.clients.check_certs = True
+
+# URL for getting message history
+datagrepper_url = https://apps.fedoraproject.org/datagrepper/raw
+
+##
+## Moksha-specific configuration options
+##
+
+# Where to store the feed caches.
+#
+feed_cache = postgres://fedoracommunity:{{ fcommFeedCacheDBPassword }}@db-community/fedoracommunity_feed_cache
+
+#
+# Feed Streamer settings
+#
+# Max age (in seconds) of each feed in the cache
+feed.max_age = 900
+
+# Timeout in seconds for the web request
+feed.timeout = 30
+
+# The number of simultaneous connections
+feed.deferred_groups = 10
+
+# Where to initialize and store our application databases. %s is the app name.
+app_db = sqlite:///%s.db
+
+# The location of our Orbited server
+orbited_host = localhost
+orbited_port = 9000
+
+# Stomp broker configuration.
+stomp_broker = localhost
+stomp_port = 61613
+stomp_user = guest
+stomp_pass = guest
+
+# Optional AMQP Broker.
+#amqp_broker = guest/guest@localhost
+
+# Documentation directory
+docs_dir = /srv/moksha/docs
+
+# Moksha chat configuration
+
+# Use a built-in IRC server
+#chat.backend = irc://localhost:9999
+#chat.builtin = true
+#chat.backend = irc://irc.freenode.net:6667
+#chat.rooms = default
+#chat.default.staticRoomName = moksha
+#chat.default.roomAssignmentMode = static
+#chat.default.display.greeting = Moksha Chat
+#chat.default.display.floating = true
+#chat.default.display.floatingToggle = false
+#chat.default.display.width = 400
+#chat.default.display.height = 300
+#chat.default.display.theme = simple
+#chat.default.display.resizable = true
+
+moksha.extensionpoints=True
+moksha.csrf_protection = False
+moksha.csrf.login_handler = /login_handler
+moksha.csrf.trusted_domains = admin.rpmfusion.org
+
+moksha.use_tw2 = True
+moksha.livesocket = False
+
+cache.bugzilla.backend=dogpile.cache.memcached
+cache.bugzilla.expiration_time=300
+cache.bugzilla.arguments.url=memcached02:11211
+cache.bugzilla.arguments.distributed_lock=False
+cache.connectors.backend=dogpile.cache.memcached
+cache.connectors.expiration_time=300
+cache.connectors.arguments.url=memcached02:11211
+cache.connectors.arguments.distributed_lock=False
+
+[server:main]
+use = egg:Paste#http
+host = 0.0.0.0
+port = 8080
+
+[app:main]
+use = egg:fedoracommunity
+full_stack = true
+#lang = ru
+#cache_dir = /var/cache/fedoracommunity/data
+beaker.session.key = fedoracommunity
+beaker.session.secret = {{ fcommBeakerSessionSecret }}
+
+beaker.cache.type = ext:memcached
+beaker.cache.url = memcached01:11211
+beaker.cache.lock_dir = /var/cache/fedoracommunity/beaker
+
+# If you'd like to fine-tune the individual locations of the cache data dirs
+# for the Cache data, or the Session saves, un-comment the desired settings
+# here:
+#beaker.cache.data_dir = %(here)s/data/cache
+#beaker.session.data_dir = %(here)s/data/sessions
+
+# pick the form for your database
+# %(here) may include a ':' character on Windows environments; this can
+# invalidate the URI when specifying a SQLite db via path name
+sqlalchemy.url=postgres://moksha:m0ksh4@localhost/moksha
+# sqlalchemy.url=mysql://username:password@hostname:port/databasename
+
+# If you have sqlite, here's a simple default to get you started
+# in development
+
+#sqlalchemy.url = sqlite:///%(here)s/devdata.db
+sqlalchemy.echo = true
+sqlalchemy.echo_pool = false
+sqlalchemy.pool_recycle = 3600
+
+sqlalchemy.pool_size=1
+sqlalchemy.max_overflow=2
+
+# WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*
+# Debug mode will enable the interactive debugging tool, allowing ANYONE to
+# execute malicious code after an exception is raised.
+set debug = false
+
+# Logging configuration
+# Add additional loggers, handlers, formatters here
+# Uses python's logging config file format
+# http://docs.python.org/lib/logging-config-fileformat.html
+
+[loggers]
+keys = root, moksha, sqlalchemy, tg, auth, pylons
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+# If you create additional loggers, add them as a key to [loggers]
+[logger_root]
+level = WARN
+handlers = console
+
+[logger_moksha]
+level = WARN
+handlers =
+qualname = moksha
+
+[logger_tg]
+level = WARN
+handlers =
+qualname = tg
+
+# repoze.who is noisy by default
+[logger_auth]
+level = WARN
+handlers =
+qualname = auth
+
+[logger_pylons]
+level = WARN
+handlers =
+qualname = pylons
+
+[logger_sqlalchemy]
+level = WARN
+handlers =
+qualname = sqlalchemy.engine
+# "level = INFO" logs SQL queries.
+# "level = DEBUG" logs SQL queries and results.
+# "level = WARN" logs neither. (Recommended for production systems.)
+
+# If you create additional handlers, add them as a key to [handlers]
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+# If you create additional formatters, add them as a key to [formatters]
+[formatter_generic]
+format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S
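Review bot: `sqlalchemy.url=postgres://moksha:m0ksh4@localhost/moksha` in `[app:main]` commits a database password in clear text while the other secrets in this template come from variables; if the URL is used, take the password from the private vars the way `{{ fcommFeedCacheDBPassword }}` is, and if it is an unused sample default, comment it out. `sqlalchemy.echo = true` a few lines below logs every SQL statement in a file whose header calls it a production configuration, and `moksha.csrf_protection = False` in `[DEFAULT]` turns CSRF checks off without a comment saying why; `sqlalchemy.echo = false` and either `True` or a one-line justification would be safer. The comment `# This is insecure, use only for testing` sits above `fedora.clients.check_certs = True`, which reads as the secure value, so the comment should be reworded or removed. `fedoracommunity.connector.icons.baseurl` is also the only connector URL still using `http://`.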
[ansible] Refresh playbooks
by Nicolas Chauvet
commit 07911e4402dfe536763e43b1ae7d0a6b6716a2ce
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jun 10 15:31:37 2020 +0200
Refresh playbooks
playbooks/groups/logserver.yml | 11 ++++--
playbooks/groups/mailman.yml | 16 +++++----
playbooks/groups/mariadb-server.yml | 8 +++--
playbooks/groups/memcached.yml | 8 +++--
playbooks/groups/mirrormanager.yml | 19 +++++++----
playbooks/groups/noc.yml | 25 +++++++++++----
playbooks/groups/packages.yml | 53 +------------------------------
playbooks/groups/pkgs.yml | 7 ++--
playbooks/groups/postgresql-server.yml | 1 +
9 files changed, 63 insertions(+), 85 deletions(-)
---
diff --git a/playbooks/groups/logserver.yml b/playbooks/groups/logserver.yml
index ccac185..9375181 100644
--- a/playbooks/groups/logserver.yml
+++ b/playbooks/groups/logserver.yml
@@ -1,7 +1,7 @@
-#- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=log01.rpmfusion.org"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=logging"
- name: make the box be real
- hosts: hv01.online.rpmfusion.org
+ hosts: logging
user: root
gather_facts: True
@@ -23,14 +23,17 @@
- epylog
- awstats
- tasks:
+ pre_tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
+
+
+ tasks:
- import_tasks: "{{ tasks_path }}/2fa_client.yml"
- import_tasks: "{{ tasks_path }}/motd.yml"
#
# We exclude some dirs from restorecon on updates on logservers as they are very large
-# and it takes a long long time to run restorecon over them.
+# and it takes a long long time to run restorecon over them.
#
- name: exclude some directories from selinux relabeling on updates
copy: src="{{ files }}/logserver/fixfiles_exclude_dirs" dest=/etc/selinux/fixfiles_exclude_dirs owner=root mode=0644
diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml
index c59075b..5c90468 100644
--- a/playbooks/groups/mailman.yml
+++ b/playbooks/groups/mailman.yml
@@ -23,14 +23,15 @@
- collectd/base
- sudo
- spamassassin
- - apache
+ - mod_wsgi
+
+ pre_tasks:
+ - import_tasks: "{{ tasks_path }}/yumrepos.yml"
tasks:
# this is how you include other task lists
- - import_tasks: "{{ tasks_path }}/yumrepos.yml"
- import_tasks: "{{ tasks_path }}/2fa_client.yml"
- import_tasks: "{{ tasks_path }}/motd.yml"
- - import_tasks: "{{ tasks_path }}/mod_wsgi.yml"
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
@@ -47,7 +48,7 @@
tasks:
- name: install psycopg2 for the postgresql ansible modules
- yum: pkg=python-psycopg2 state=present
+ package: name=python-psycopg2 state=present
tags:
- packages
@@ -100,9 +101,10 @@
tasks:
- name: install more needed packages
- yum: pkg={{ item }} state=present
- with_items:
- - tar
+ package:
+ state: present
+ name:
+ - tar
tags:
- packages
diff --git a/playbooks/groups/mariadb-server.yml b/playbooks/groups/mariadb-server.yml
index 8261b86..f5e19e0 100644
--- a/playbooks/groups/mariadb-server.yml
+++ b/playbooks/groups/mariadb-server.yml
@@ -4,14 +4,14 @@
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=db03.rpmfusion.org:db03.stg.rpmfusion.org"
-# Once the instance exists, configure it.
+# Once the instance exists, configure it.
- name: configure mariadb server system
hosts: db03.rpmfusion.org:db03.stg.rpmfusion.org
user: root
gather_facts: True
- vars_files:
+ vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
@@ -26,8 +26,10 @@
- collectd/base
- sudo
- tasks:
+ pre_tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
+
+ tasks:
- import_tasks: "{{ tasks_path }}/2fa_client.yml"
- import_tasks: "{{ tasks_path }}/motd.yml"
diff --git a/playbooks/groups/memcached.yml b/playbooks/groups/memcached.yml
index 1314671..e59989b 100644
--- a/playbooks/groups/memcached.yml
+++ b/playbooks/groups/memcached.yml
@@ -1,7 +1,7 @@
-- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=memcached:memcached-stg"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=memcached:memcached_stg"
- name: make the box be real
- hosts: memcached:memcached-stg
+ hosts: memcached:memcached_stg
user: root
gather_facts: True
@@ -21,8 +21,10 @@
- sudo
- memcached
- tasks:
+ pre_tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
+
+ tasks:
- import_tasks: "{{ tasks_path }}/2fa_client.yml"
- import_tasks: "{{ tasks_path }}/motd.yml"
diff --git a/playbooks/groups/mirrormanager.yml b/playbooks/groups/mirrormanager.yml
index 50f50a8..f091d02 100644
--- a/playbooks/groups/mirrormanager.yml
+++ b/playbooks/groups/mirrormanager.yml
@@ -1,7 +1,7 @@
-- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=mm:mm-stg"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=mm:mm_stg"
- name: make the boxe be real for real
- hosts: mm:mm-stg
+ hosts: mm:mm_stg
user: root
gather_facts: True
@@ -21,8 +21,10 @@
- { role: openvpn/client, when: env != "staging" and inventory_hostname.startswith('mm-frontend') }
- { role: nfs/client, when: inventory_hostname.startswith('mm-backend01'), mnt_dir: '/srv/pub', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' }
- tasks:
+ pre_tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
+
+ tasks:
- import_tasks: "{{ tasks_path }}/2fa_client.yml"
- import_tasks: "{{ tasks_path }}/motd.yml"
@@ -30,7 +32,7 @@
- import_tasks: "{{ handlers_path }}/restart_services.yml"
- name: Deploy the backend
- hosts: mm-backend:mm-backend-stg
+ hosts: mm_backend:mm_backend_stg
user: root
gather_facts: True
@@ -39,6 +41,9 @@
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ pre_tasks:
+ - include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
+
roles:
- mirrormanager/backend
- s3-mirror
@@ -48,7 +53,7 @@
- import_tasks: "{{ handlers_path }}/restart_services.yml"
- name: Deploy the crawler
- hosts: mm-crawler:mm-crawler-stg
+ hosts: mm_crawler:mm_crawler_stg
user: root
gather_facts: True
@@ -67,7 +72,7 @@
- import_tasks: "{{ handlers_path }}/restart_services.yml"
- name: Deploy the frontend (web-app)
- hosts: mm-frontend:mm-frontend-stg
+ hosts: mm_frontend:mm_frontend_stg
user: root
gather_facts: True
@@ -85,7 +90,7 @@
# Do this one last, since the mirrormanager user needs to exist so that it can
# own the fedmsg certs we put in place here.
- name: Put fedmsg stuff in place
- hosts: mm:mm-stg
+ hosts: mm:mm_stg
user: root
gather_facts: True
diff --git a/playbooks/groups/noc.yml b/playbooks/groups/noc.yml
index 06f808f..c958505 100644
--- a/playbooks/groups/noc.yml
+++ b/playbooks/groups/noc.yml
@@ -1,15 +1,19 @@
-- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=nagios:nagios-stg"
+# This is a basic playbook
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=nagios"
- name: make the box be real
- hosts: nagios:nagios-stg
+ hosts: nagios
user: root
gather_facts: True
- vars_files:
+ vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ pre_tasks:
+ - import_tasks: "{{ tasks_path }}/yumrepos.yml"
+
roles:
- base
- rkhunter
@@ -21,13 +25,11 @@
- sudo
- { role: openvpn/client,
when: env != "staging" }
- - apache
+ - mod_wsgi
tasks:
- - import_tasks: "{{ tasks_path }}/yumrepos.yml"
- import_tasks: "{{ tasks_path }}/2fa_client.yml"
- import_tasks: "{{ tasks_path }}/motd.yml"
- - import_tasks: "{{ tasks_path }}/mod_wsgi.yml"
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
@@ -37,7 +39,7 @@
user: root
gather_facts: True
- vars_files:
+ vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
@@ -51,3 +53,12 @@
- { role: tftp_server, when: datacenter == 'online' }
- nagios/server
- fedmsg/base
+
+
+ tasks:
+ - name: install some packages which arent in playbooks
+ package:
+ state: present
+ name:
+ - nmap
+ - tcpdump
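Review bot: The new `install some packages which arent in playbooks` task installs `nmap` and `tcpdump` without saying what depends on them; a comment above the task such as `# nmap/tcpdump: needed by <check or runbook name>` would let a later reviewer decide whether they can be removed. Scanning and capture tools widen what is available to anyone who obtains a shell on these hosts, so they are worth keeping only where a check or procedure actually uses them. The play header that sets `hosts:` for this task is outside the hunk.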
diff --git a/playbooks/groups/packages.yml b/playbooks/groups/packages.yml
index 941673e..d47ac1a 100644
--- a/playbooks/groups/packages.yml
+++ b/playbooks/groups/packages.yml
@@ -29,66 +29,17 @@
- sudo
- { role: openvpn/client,
when: env != "staging" }
- - apache
+ - mod_wsgi
tasks:
- import_tasks: "{{ tasks_path }}/2fa_client.yml"
- import_tasks: "{{ tasks_path }}/motd.yml"
- - import_tasks: "{{ tasks_path }}/mod_wsgi.yml"
-
- handlers:
- - import_tasks: "{{ handlers_path }}/restart_services.yml"
-
-- name: set up gluster server on prod
- hosts: packages
- user: root
- gather_facts: True
-
- vars_files:
- - /srv/web/infra/ansible/vars/global.yml
- - "/srv/private/ansible/vars.yml"
- - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
- roles:
- - role: gluster/server
- name: gluster
- username: "{{ packagesglusterusername }}"
- password: "{{ packagesglusterpassword }}"
- owner: root
- group: root
- datadir: /srv/glusterfs/packages
-
- handlers:
- - import_tasks: "{{ handlers_path }}/restart_services.yml"
-
-- name: set up gluster client on prod
- hosts: packages
- user: root
- gather_facts: True
-
- vars_files:
- - /srv/web/infra/ansible/vars/global.yml
- - "/srv/private/ansible/vars.yml"
- - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
- roles:
- - fedmsg/base
- - role: gluster/client
- name: gluster
- servers:
- - packages03.rpmfusion.org
- - packages04.rpmfusion.org
- username: "{{ packagesglusterusername }}"
- password: "{{ packagesglusterpassword }}"
- owner: apache
- group: fedmsg
- mountdir: /var/cache/fedoracommunity
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
- name: dole out the new service specific config
- hosts: packages:packages-stg
+ hosts: packages:packages_stg
user: root
gather_facts: True
diff --git a/playbooks/groups/pkgs.yml b/playbooks/groups/pkgs.yml
index 6aaa38c..c6df840 100644
--- a/playbooks/groups/pkgs.yml
+++ b/playbooks/groups/pkgs.yml
@@ -1,7 +1,7 @@
-- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=pkgs-stg:pkgs02.rpmfusion.org"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=pkgs_stg:pkgs"
- name: make the box be real
- hosts: pkgs-stg:pkgs01.online.rpmfusion.net
+ hosts: pkgs_stg:pkgs
user: root
gather_facts: True
@@ -12,6 +12,7 @@
roles:
- base
+ - hosts
- rkhunter
- nagios_client
- fas_client
@@ -48,7 +49,7 @@
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-fedora-web.yml
- name: setup fedmsg on pkgs
- hosts: pkgs-stg:pkgs01.online.rpmfusion.net
+ hosts: pkgs_stg:pkgs01.online.rpmfusion.net
user: root
gather_facts: True
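Review bot: The `setup fedmsg on pkgs` play still names a literal host, `hosts: pkgs_stg:pkgs01.online.rpmfusion.net`, while the first hunk of this file moved the main play to the groups `pkgs_stg:pkgs`; any other member of `pkgs` would be configured by the first play but skipped by the fedmsg one. `hosts: pkgs_stg:pkgs` would keep the two plays in step, assuming the inventory defines `pkgs` as intended (not visible here). The play body continues outside the hunk.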
diff --git a/playbooks/groups/postgresql-server.yml b/playbooks/groups/postgresql-server.yml
index 2b7c379..7cedcd9 100644
--- a/playbooks/groups/postgresql-server.yml
+++ b/playbooks/groups/postgresql-server.yml
@@ -17,6 +17,7 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
pre_tasks:
+ - include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
roles:
[ansible] Update apache
by Nicolas Chauvet
commit 28dae758fe725ae0ac930d6461c56270c37792ea
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Jun 8 19:07:11 2020 +0200
Update apache
roles/apache/tasks/main.yml | 78 +++++++++++++++++++++++++++++++-----------
1 files changed, 57 insertions(+), 21 deletions(-)
---
diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml
index 878da33..70fa5d8 100644
--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@@ -1,25 +1,15 @@
---
# install apache(httpd)
-- name: install apache (yum)
- yum: name={{ item }} state=present
- with_items:
- - httpd
- - httpd-tools
+- name: install apache (package)
+ package:
+ state: present
+ name:
+ - httpd
+ - httpd-tools
tags:
- packages
- apache
- when: ansible_distribution_major_version|int < 22
-
-# install apache(httpd)
-- name: install apache (dnf)
- dnf: name={{ item }} state=present
- with_items:
- - httpd
- - httpd-tools
- tags:
- - packages
- - apache
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_cmdline.ostree is not defined
- name: set apache running/enabled
service: name=httpd enabled=yes
@@ -29,7 +19,41 @@
tags:
- service
- apache
-
+
+# install hash randomization hotfix
+- name: hotfix - copy over new httpd init script
+ copy: src="{{ files }}/hotfix/httpd/httpd.init" dest=/etc/init.d/httpd
+ owner=root group=root mode=0755
+ when: ansible_distribution_major_version|int < 30 and ansible_distribution == 'Fedora'
+ notify:
+ - reload apache
+ tags:
+ - config
+ - hotfix
+ - apache
+
+# install hash randomization hotfix
+- name: hotfix - copy over new httpd init script
+ copy: src="{{ files }}/hotfix/httpd/httpd.init" dest=/etc/init.d/httpd
+ owner=root group=root mode=0755
+ when: ansible_distribution_major_version|int <= 8 and ansible_distribution == 'RedHat'
+ notify:
+ - reload apache
+ tags:
+ - config
+ - hotfix
+ - apache
+
+- name: hotfix - copy over new httpd sysconfig (el6)
+ copy: src="{{ files }}/hotfix/httpd/httpd.sysconfig" dest=/etc/sysconfig/httpd
+ when: ansible_distribution_major_version|int == 6 and ansible_distribution == 'RedHat'
+ notify:
+ - reload apache
+ tags:
+ - config
+ - hotfix
+ - apache
+
- name: hotfix - copy over new httpd sysconfig (el7)
copy: src="{{ files }}/hotfix/httpd/httpd.sysconfig" dest=/etc/sysconfig/httpd
when: ansible_distribution_major_version|int == 7
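Review bot: The two added tasks named `hotfix - copy over new httpd init script` are identical apart from their `when:` line, and the added el6 `httpd.sysconfig` copy sets no owner or mode, unlike the init-script copies beside it. A single task with `when: (ansible_distribution == 'Fedora' and ansible_distribution_major_version|int < 30) or (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int <= 8)` would remove the duplicate name from play output and `--start-at-task` matching. For the sysconfig copy I would add `owner=root group=root mode=0644`, so the permissions of a newly created file do not depend on the remote umask. The comment `# install hash randomization hotfix` would also benefit from a line saying why the init script is still wanted on these releases, which the hunk does not make clear.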
@@ -44,18 +68,30 @@
template: src="{{ files }}/httpd/headers.conf.j2" dest=/etc/httpd/conf.d/headers.conf
notify:
- reload apache
- tags:
+ tags:
- config
- apache
+ - apache/headers
+
+- name: add appserver h2.conf
+ template: src="{{ files }}/httpd/h2.conf.j2" dest=/etc/httpd/conf.d/h2.conf
+ when: ansible_distribution == 'Fedora'
+ notify:
+ - reload apache
+ tags:
+ - config
+ - apache
+ - h2
- name: add apache_status location for collectd
template: src="{{ files }}/httpd/apachestatus.conf" dest=/etc/httpd/conf.d/apachestatus.conf
notify:
- reload apache
- tags:
+ tags:
- config
- apache
-
+ - apachestatus
+
- name: setup logrotate to our needs
copy: src="{{ files }}/httpd/httpd.logrotate" dest=/etc/logrotate.d/httpd
tags:
[ansible] Update nagios_client and others
by Nicolas Chauvet
commit f7b9b58e8ff5abac006a05b34f6ab87166347e28
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Jun 8 19:05:53 2020 +0200
Update nagios_client and others
playbooks/groups/autosign.yml | 2 +-
playbooks/groups/backup-server.yml | 4 +-
playbooks/groups/bastion.yml | 2 +-
playbooks/groups/batcave.yml | 2 +-
playbooks/groups/bodhi-backend.yml | 2 +-
playbooks/groups/bodhi2.yml | 2 +-
playbooks/groups/bugzilla.yml | 2 +-
playbooks/groups/certgetter.yml | 36 +++
playbooks/groups/darkserver-backend.yml | 2 +-
playbooks/groups/darkserver-web.yml | 2 +-
playbooks/groups/dhcp.yml | 2 +-
playbooks/groups/dns.yml | 8 +-
playbooks/groups/fas.yml | 3 +-
playbooks/groups/github2fedmsg.yml | 2 +-
playbooks/groups/ipsilon.yml | 2 +-
playbooks/groups/koji-hub.yml | 2 +-
playbooks/groups/kojipkgs.yml | 2 +-
playbooks/groups/logserver.yml | 2 +-
playbooks/groups/mailman.yml | 2 +-
playbooks/groups/mariadb-server.yml | 2 +-
playbooks/groups/memcached.yml | 2 +-
playbooks/groups/mirrormanager.yml | 2 +-
playbooks/groups/moin.yml | 2 +-
playbooks/groups/noc.yml | 2 +-
playbooks/groups/notifs-backend.yml | 2 +-
playbooks/groups/notifs-web.yml | 2 +-
playbooks/groups/osbs-master.yml | 2 +-
playbooks/groups/osbs/configure-osbs.yml | 3 +
playbooks/groups/osbs/deploy-cluster.yml | 317 ++++++++++++++++++++
playbooks/groups/osbs/osbs-post-install.yml | 196 ++++++++++++
playbooks/groups/osbs/rebuild-osbs-buildroot.yml | 15 +
.../groups/osbs/setup-orchestrator-namespace.yml | 168 +++++++++++
playbooks/groups/osbs/setup-worker-namespace.yml | 78 +++++
playbooks/groups/packages.yml | 2 +-
playbooks/groups/pkgdb.yml | 2 +-
playbooks/groups/pkgs.yml | 2 +-
playbooks/groups/postgresql-server.yml | 2 +-
playbooks/groups/proxies.yml | 2 +-
playbooks/groups/smtp-mm.yml | 2 +-
playbooks/groups/squid.xml | 3 +-
playbooks/groups/virthost.yml | 2 +-
playbooks/manual/kernel-qa.yml | 2 +-
playbooks/manual/qadevel.yml | 2 +-
roles/apache/handlers/main.yml | 2 +
roles/base/tasks/main.yml | 2 +-
roles/mod_wsgi/files/wsgi.conf | 14 +
roles/mod_wsgi/meta/main.yml | 3 +
roles/mod_wsgi/tasks/main.yml | 32 ++
roles/nagios_client/README.rst | 36 +++
.../files/scripts/check_datanommer_timesince.py | 72 +++++
.../nagios_client/files/scripts/check_fcomm_queue | 23 ++
.../files/scripts/check_fedmsg_consumer_backlog.py | 65 ++++
.../scripts/check_fedmsg_consumer_exceptions.py | 61 ++++
.../scripts/check_fedmsg_producer_last_ran.py | 72 +++++
.../scripts/check_fedmsg_producers_consumers.py | 67 ++++
.../files/scripts/check_haproxy_conns.py | 76 +++++
.../files/scripts/check_ipa_replication | 74 +++++
roles/nagios_client/files/scripts/check_lock | 17 +
.../files/scripts/check_lock_file_age | 123 ++++++++
.../files/scripts/check_memcache_connect | 24 ++
.../nagios_client/files/scripts/check_osbs_api.py | 14 +
.../files/scripts/check_postfix_queue | 49 +++
.../files/scripts/check_rabbitmq_size | 26 ++
roles/nagios_client/files/scripts/check_raid.py | 45 +++
.../nagios_client/files/scripts/check_readonly_fs | 84 +++++
.../files/scripts/check_redis_queue.sh | 23 ++
.../files/scripts/check_supybot_plugin | 108 +++++++
roles/nagios_client/files/scripts/check_testcloud | 19 ++
.../files/scripts/check_timestamp_from_file | 43 +++
roles/nagios_client/files/selinux/fi-nrpe.mod | Bin 0 -> 930 bytes
roles/nagios_client/files/selinux/fi-nrpe.pp | Bin 0 -> 7286 bytes
roles/nagios_client/files/selinux/fi-nrpe.te | 15 +
.../files/selinux/mirrormanager_container.pp | Bin 0 -> 7276 bytes
.../files/selinux/mirrormanager_container.te | 15 +
roles/nagios_client/handlers/main.yml | 3 +
roles/nagios_client/tasks/main.yml | 286 ++++++++++++++++++
roles/nagios_client/templates/check_basset.cfg.j2 | 4 +
.../templates/check_celery_redis_queue.cfg.j2 | 1 +
roles/nagios_client/templates/check_cron.cfg.j2 | 1 +
.../templates/check_datanommer_history.cfg.j2 | 49 +++
roles/nagios_client/templates/check_disk.cfg.j2 | 19 ++
.../templates/check_fedmsg_composer_proc.cfg.j2 | 1 +
.../templates/check_fedmsg_consumers.cfg.j2 | 60 ++++
.../templates/check_fedmsg_gateway_proc.cfg.j2 | 5 +
.../templates/check_fedmsg_hub_proc.cfg.j2 | 1 +
.../templates/check_fedmsg_irc_proc.cfg.j2 | 1 +
.../templates/check_fedmsg_relay_proc.cfg.j2 | 1 +
roles/nagios_client/templates/check_fmn.cfg.j2 | 3 +
.../templates/check_happroxy_conns.cfg.j2 | 1 +
roles/nagios_client/templates/check_ipa.cfg.j2 | 1 +
roles/nagios_client/templates/check_lock.cfg.j2 | 1 +
.../templates/check_lock_file_age.cfg.j2 | 1 +
.../templates/check_mailman_api.cfg.j2 | 1 +
.../nagios_client/templates/check_memcache.cfg.j2 | 2 +
.../templates/check_merged_file_age.cfg.j2 | 1 +
.../templates/check_mirrorlist_cache.cfg.j2 | 2 +
.../templates/check_mirrorlist_docker_proxy.cfg.j2 | 1 +
roles/nagios_client/templates/check_mysql.cfg.j2 | 1 +
.../templates/check_openvpn_link.cfg.j2 | 1 +
roles/nagios_client/templates/check_osbs.cfg.j2 | 1 +
.../templates/check_postfix_queue.cfg.j2 | 1 +
roles/nagios_client/templates/check_proxies.cfg.j2 | 2 +
.../templates/check_rabbitmq_cluster.cfg.j2 | 1 +
.../templates/check_rabbitmq_connections.cfg.j2 | 1 +
.../templates/check_rabbitmq_exchange.cfg.j2 | 2 +
.../templates/check_rabbitmq_overview.cfg.j2 | 1 +
.../templates/check_rabbitmq_queue.cfg.j2 | 2 +
.../templates/check_rabbitmq_server.cfg.j2 | 1 +
.../templates/check_rabbitmq_watermark.cfg.j2 | 1 +
roles/nagios_client/templates/check_raid.cfg.j2 | 1 +
.../templates/check_readonly_fs.cfg.j2 | 1 +
.../templates/check_redis_proc.cfg.j2 | 1 +
.../templates/check_sigul_bridge_proc.cfg.j2 | 1 +
.../templates/check_supybot_fedmsg_plugin.cfg.j2 | 1 +
roles/nagios_client/templates/check_swap.cfg.j2 | 1 +
.../nagios_client/templates/check_testcloud.cfg.j2 | 1 +
.../templates/check_unbound_proc.cfg.j2 | 1 +
.../templates/check_varnish_proc.cfg.j2 | 1 +
.../templates/check_websites_buildtime.cfg.j2 | 2 +
roles/nagios_client/templates/nrpe.cfg.j2 | 232 ++++++++++++++
roles/nagios_client/templates/rabbitmq_args.ini.j2 | 4 +
121 files changed, 2765 insertions(+), 42 deletions(-)
---
diff --git a/playbooks/groups/autosign.yml b/playbooks/groups/autosign.yml
index 74e1129..2c22521 100644
--- a/playbooks/groups/autosign.yml
+++ b/playbooks/groups/autosign.yml
@@ -17,7 +17,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/backup-server.yml b/playbooks/groups/backup-server.yml
index 0a7a6f3..1649807 100644
--- a/playbooks/groups/backup-server.yml
+++ b/playbooks/groups/backup-server.yml
@@ -4,7 +4,7 @@
# NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
- name: make backup server system
- hosts: hv01.online.rpmfusion.net
+ hosts: backup
user: root
gather_facts: True
@@ -16,7 +16,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- sudo
diff --git a/playbooks/groups/bastion.yml b/playbooks/groups/bastion.yml
index 4d45bc9..3a14455 100644
--- a/playbooks/groups/bastion.yml
+++ b/playbooks/groups/bastion.yml
@@ -13,7 +13,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- sudo
diff --git a/playbooks/groups/batcave.yml b/playbooks/groups/batcave.yml
index 136709c..a8d09b8 100644
--- a/playbooks/groups/batcave.yml
+++ b/playbooks/groups/batcave.yml
@@ -13,7 +13,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- ansible-server
diff --git a/playbooks/groups/bodhi-backend.yml b/playbooks/groups/bodhi-backend.yml
index 5360393..1ef32ce 100644
--- a/playbooks/groups/bodhi-backend.yml
+++ b/playbooks/groups/bodhi-backend.yml
@@ -24,7 +24,7 @@
roles:
- base
- - nagios/client
+ - nagios_client
- collectd/base
- hosts
- fas_client
diff --git a/playbooks/groups/bodhi2.yml b/playbooks/groups/bodhi2.yml
index bb98402..c0584ac 100644
--- a/playbooks/groups/bodhi2.yml
+++ b/playbooks/groups/bodhi2.yml
@@ -13,7 +13,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- sudo
diff --git a/playbooks/groups/bugzilla.yml b/playbooks/groups/bugzilla.yml
index 35aa3a6..99298c4 100644
--- a/playbooks/groups/bugzilla.yml
+++ b/playbooks/groups/bugzilla.yml
@@ -17,7 +17,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/certgetter.yml b/playbooks/groups/certgetter.yml
new file mode 100644
index 0000000..d59f48f
--- /dev/null
+++ b/playbooks/groups/certgetter.yml
@@ -0,0 +1,36 @@
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=certgetter"
+
+- name: make the box be real
+ hosts: certgetter
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - base
+ - rkhunter
+ - nagios_client
+ - hosts
+ - fas_client
+ - rsyncd
+ - sudo
+ - apache
+ - { role: openvpn/client,
+ when: env != "staging" }
+
+ pre_tasks:
+ - import_tasks: "{{ tasks_path }}/yumrepos.yml"
+
+ tasks:
+ - import_tasks: "{{ tasks_path }}/2fa_client.yml"
+ - import_tasks: "{{ tasks_path }}/motd.yml"
+
+ - name: make sure certbot is installed
+ package: name=certbot state=installed
+
+ handlers:
+ - import_tasks: "{{ handlers_path }}/restart_services.yml"
diff --git a/playbooks/groups/darkserver-backend.yml b/playbooks/groups/darkserver-backend.yml
index 24c819c..9eb22ed 100644
--- a/playbooks/groups/darkserver-backend.yml
+++ b/playbooks/groups/darkserver-backend.yml
@@ -21,7 +21,7 @@
- collectd/base
- fas_client
- hosts
- - nagios/client
+ - nagios_client
- rsyncd
- sudo
- redis
diff --git a/playbooks/groups/darkserver-web.yml b/playbooks/groups/darkserver-web.yml
index 310db35..c6c322a 100644
--- a/playbooks/groups/darkserver-web.yml
+++ b/playbooks/groups/darkserver-web.yml
@@ -21,7 +21,7 @@
- collectd/base
- fas_client
- hosts
- - nagios/client
+ - nagios_client
- rsyncd
- sudo
- { role: openvpn/client, when: env != "staging" }
diff --git a/playbooks/groups/dhcp.yml b/playbooks/groups/dhcp.yml
index 0978ebe..becc454 100644
--- a/playbooks/groups/dhcp.yml
+++ b/playbooks/groups/dhcp.yml
@@ -13,7 +13,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/dns.yml b/playbooks/groups/dns.yml
index 9c3e1e3..9b8232b 100644
--- a/playbooks/groups/dns.yml
+++ b/playbooks/groups/dns.yml
@@ -8,7 +8,7 @@
user: root
gather_facts: True
- vars_files:
+ vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
@@ -17,7 +17,7 @@
- base
- hosts
- rkhunter
- - nagios/client
+ - nagios_client
- fas_client
- collectd/base
- rsyncd
@@ -25,8 +25,10 @@
- { role: openvpn/client, when: datacenter != "online" }
- dns
- tasks:
+ pre_tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
+
+ tasks:
- import_tasks: "{{ tasks_path }}/2fa_client.yml"
- import_tasks: "{{ tasks_path }}/motd.yml"
diff --git a/playbooks/groups/fas.yml b/playbooks/groups/fas.yml
index 2e480b9..fcd7236 100644
--- a/playbooks/groups/fas.yml
+++ b/playbooks/groups/fas.yml
@@ -10,13 +10,12 @@
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- base
- hosts
- rkhunter
- - nagios/client
+ - nagios_client
- fas_client
- collectd/base
- rsyncd
diff --git a/playbooks/groups/github2fedmsg.yml b/playbooks/groups/github2fedmsg.yml
index 381f3f0..3a0ec32 100644
--- a/playbooks/groups/github2fedmsg.yml
+++ b/playbooks/groups/github2fedmsg.yml
@@ -18,7 +18,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/ipsilon.yml b/playbooks/groups/ipsilon.yml
index 8be115d..d643082 100644
--- a/playbooks/groups/ipsilon.yml
+++ b/playbooks/groups/ipsilon.yml
@@ -18,7 +18,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- rsyncd
diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml
index 2428661..f5b3961 100644
--- a/playbooks/groups/koji-hub.yml
+++ b/playbooks/groups/koji-hub.yml
@@ -25,7 +25,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/kojipkgs.yml b/playbooks/groups/kojipkgs.yml
index 8eaedc3..2ecdef5 100644
--- a/playbooks/groups/kojipkgs.yml
+++ b/playbooks/groups/kojipkgs.yml
@@ -16,7 +16,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- sudo
diff --git a/playbooks/groups/logserver.yml b/playbooks/groups/logserver.yml
index 8b2c305..ccac185 100644
--- a/playbooks/groups/logserver.yml
+++ b/playbooks/groups/logserver.yml
@@ -13,7 +13,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- apache
diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml
index 058e037..c59075b 100644
--- a/playbooks/groups/mailman.yml
+++ b/playbooks/groups/mailman.yml
@@ -17,7 +17,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/mariadb-server.yml b/playbooks/groups/mariadb-server.yml
index 34d987a..8261b86 100644
--- a/playbooks/groups/mariadb-server.yml
+++ b/playbooks/groups/mariadb-server.yml
@@ -20,7 +20,7 @@
- base
- rkhunter
- fas_client
- - nagios/client
+ - nagios_client
- hosts
- mariadb_server
- collectd/base
diff --git a/playbooks/groups/memcached.yml b/playbooks/groups/memcached.yml
index 436889e..1314671 100644
--- a/playbooks/groups/memcached.yml
+++ b/playbooks/groups/memcached.yml
@@ -13,7 +13,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/mirrormanager.yml b/playbooks/groups/mirrormanager.yml
index f75a065..50f50a8 100644
--- a/playbooks/groups/mirrormanager.yml
+++ b/playbooks/groups/mirrormanager.yml
@@ -13,7 +13,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- sudo
diff --git a/playbooks/groups/moin.yml b/playbooks/groups/moin.yml
index a6439ea..8166cf7 100644
--- a/playbooks/groups/moin.yml
+++ b/playbooks/groups/moin.yml
@@ -17,7 +17,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/noc.yml b/playbooks/groups/noc.yml
index 0a53f82..06f808f 100644
--- a/playbooks/groups/noc.yml
+++ b/playbooks/groups/noc.yml
@@ -13,7 +13,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/notifs-backend.yml b/playbooks/groups/notifs-backend.yml
index b2852f4..e6e5a13 100644
--- a/playbooks/groups/notifs-backend.yml
+++ b/playbooks/groups/notifs-backend.yml
@@ -20,7 +20,7 @@
- rkhunter
- hosts
- fas_client
- - nagios/client
+ - nagios_client
- collectd/base
- fedmsg/base
- sudo
diff --git a/playbooks/groups/notifs-web.yml b/playbooks/groups/notifs-web.yml
index fa19d6c..c61ec09 100644
--- a/playbooks/groups/notifs-web.yml
+++ b/playbooks/groups/notifs-web.yml
@@ -18,7 +18,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/osbs-master.yml b/playbooks/groups/osbs-master.yml
index 625911e..8a30cc8 100644
--- a/playbooks/groups/osbs-master.yml
+++ b/playbooks/groups/osbs-master.yml
@@ -14,7 +14,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/osbs/configure-osbs.yml b/playbooks/groups/osbs/configure-osbs.yml
new file mode 100644
index 0000000..8d7f37a
--- /dev/null
+++ b/playbooks/groups/osbs/configure-osbs.yml
@@ -0,0 +1,3 @@
+- import_playbook: "/srv/web/infra/ansible/playbooks/groups/osbs/setup-worker-namespace.yml"
+- import_playbook: "/srv/web/infra/ansible/playbooks/groups/osbs/setup-orchestrator-namespace.yml"
+- import_playbook: "/srv/web/infra/ansible/playbooks/groups/osbs/osbs-post-install.yml"
diff --git a/playbooks/groups/osbs/deploy-cluster.yml b/playbooks/groups/osbs/deploy-cluster.yml
new file mode 100644
index 0000000..8464a60
--- /dev/null
+++ b/playbooks/groups/osbs/deploy-cluster.yml
@@ -0,0 +1,317 @@
+# create an osbs server
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs_control"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs_control_stg"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs_nodes:osbs_masters"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs_nodes_stg:osbs_masters_stg"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs_aarch64_nodes_stg:osbs_aarch64_masters_stg"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs_aarch64_masters"
+
+- name: make the box be real
+ hosts: osbs_control:osbs_masters:osbs_nodes:osbs_control_stg:osbs_masters_stg:osbs_nodes_stg:osbs_aarch64_masters_stg:osbs_aarch64_nodes_stg:osbs_aarch64_masters
+ tags:
+ - osbs-cluster-prereq
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ pre_tasks:
+ - include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
+ - import_tasks: "{{ tasks_path }}/yumrepos.yml"
+
+ roles:
+ - base
+ - rkhunter
+ - nagios_client
+ - hosts
+ - fas_client
+ - sudo
+ - collectd/base
+ - rsyncd
+
+ tasks:
+ - name: put openshift repo on os- systems
+ template: src="{{ files }}/openshift/openshift.repo" dest="/etc/yum.repos.d/openshift.repo"
+ tags:
+ - config
+ - packages
+ - yumrepos
+ - name: install redhat ca file
+ package:
+ name: subscription-manager-rhsm-certificates
+ state: present
+ - import_tasks: "{{ tasks_path }}/2fa_client.yml"
+ - import_tasks: "{{ tasks_path }}/motd.yml"
+
+ handlers:
+ - import_tasks: "{{ handlers_path }}/restart_services.yml"
+
+- name: OSBS control hosts pre-req setup
+ hosts: osbs_control:osbs_control_stg
+ tags:
+ - osbs-cluster-prereq
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ tasks:
+ - name: deploy private key to control hosts
+ copy:
+ src: "{{private}}/files/osbs/{{env}}/control_key"
+ dest: "/root/.ssh/id_rsa"
+ owner: root
+ mode: 0600
+
+ - name: set ansible to use pipelining
+ ini_file:
+ dest: /etc/ansible/ansible.cfg
+ section: ssh_connection
+ option: pipelining
+ value: "True"
+
+- name: Setup cluster masters pre-reqs
+ hosts: osbs_masters_stg:osbs_masters:osbs_aarch64_masters_stg:osbs_aarch64_masters
+ tags:
+ - osbs-cluster-prereq
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ tasks:
+ - name: ensure origin conf dir exists
+ file:
+ path: "/etc/origin"
+ state: "directory"
+
+ - name: create cert dir for openshift public facing REST API SSL
+ file:
+ path: "/etc/origin/master/named_certificates"
+ state: "directory"
+
+ - name: install cert for openshift public facing REST API SSL
+ copy:
+ src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
+ dest: "/etc/origin/master/named_certificates/{{osbs_url}}.pem"
+
+ - name: install key for openshift public facing REST API SSL
+ copy:
+ src: "{{private}}/files/osbs/{{env}}/osbs-internal.key"
+ dest: "/etc/origin/master/named_certificates/{{osbs_url}}.key"
+
+ - name: place htpasswd file
+ copy:
+ src: "{{private}}/files/httpd/osbs-{{env}}.htpasswd"
+ dest: /etc/origin/master/htpasswd
+
+
+- name: Setup cluster hosts pre-reqs
+ hosts: osbs_masters_stg:osbs_nodes_stg:osbs_masters:osbs_nodes:osbs_aarch64_masters_stg:osbs_aarch64_nodes_stg:osbs_aarch64_masters
+ tags:
+ - osbs-cluster-prereq
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ handlers:
+ - name: restart NetworkManager
+ service:
+ name: NetworkManager
+ state: restarted
+
+ tasks:
+ - name: Install necessary packages that openshift-ansible needs
+ package:
+ state: installed
+ name:
+ - tar
+ - rsync
+ - dbus-python
+ - NetworkManager
+ - libselinux-python
+ - python2-pyyaml
+ when: env == "staging"
+ - name: Install necessary packages that openshift-ansible needs
+ package:
+ state: installed
+ name:
+ - tar
+ - rsync
+ - dbus-python
+ - NetworkManager
+ - libselinux-python
+ - python3-PyYAML
+ when: env == "production"
+
+ - name: Deploy controller public ssh keys to osbs cluster hosts
+ authorized_key:
+ user: root
+ key: "{{ lookup('file', '{{private}}/files/osbs/{{env}}/control_key.pub') }}"
+
+ # This is required for OpenShift built-in SkyDNS inside the overlay network
+ # of the cluster
+ - name: ensure NM_CONTROLLED is set to "yes" for osbs cluster
+ lineinfile:
+ dest: "/etc/sysconfig/network-scripts/ifcfg-eth0"
+ line: "NM_CONTROLLED=yes"
+ notify:
+ - restart NetworkManager
+
+ # This is required for OpenShift built-in SkyDNS inside the overlay network
+ # of the cluster
+ - name: ensure NetworkManager is enabled and started
+ service:
+ name: NetworkManager
+ state: started
+ enabled: yes
+
+ - name: cron entry to clean up docker storage
+ copy:
+ src: "{{files}}/osbs/cleanup-docker-storage"
+ dest: "/etc/cron.d/cleanup-docker-storage"
+
+ - name: copy docker-storage-setup config
+ copy:
+ src: "{{files}}/osbs/docker-storage-setup"
+ dest: "/etc/sysconfig/docker-storage-setup"
+
+- name: Deploy kerberose keytab to cluster hosts
+ hosts: osbs_masters_stg:osbs_nodes_stg:osbs_masters:osbs_nodes:osbs_aarch64_masters_stg:osbs_aarch64_nodes_stg:osbs_aarch64_masters
+ tags:
+ - osbs-cluster-prereq
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - role: keytab/service
+ owner_user: root
+ owner_group: root
+ service: osbs
+ host: "osbs.fedoraproject.org"
+ when: env == "production"
+ - role: keytab/service
+ owner_user: root
+ owner_group: root
+ service: osbs
+ host: "osbs.stg.fedoraproject.org"
+ when: env == "staging"
+
+- name: Deploy OpenShift Cluster x86_64
+ hosts: osbs_control:osbs_control_stg
+ tags:
+ - osbs-deploy-openshift
+ - osbs-x86-deploy-openshift
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - role: ansible-ansible-openshift-ansible
+ cluster_inventory_filename: "{{ inventory_filename }}"
+ openshift_master_public_api_url: "https://{{ osbs_url }}:8443"
+ openshift_release: "v3.11"
+ openshift_version: "v3.11"
+ openshift_ansible_path: "/root/openshift-ansible"
+ openshift_ansible_pre_playbook: "playbooks/prerequisites.yml"
+ openshift_ansible_playbook: "playbooks/deploy_cluster.yml"
+ openshift_ansible_version: "openshift-ansible-3.11.51-1"
+ openshift_ansible_ssh_user: root
+ openshift_ansible_install_examples: false
+ openshift_ansible_containerized_deploy: false
+ openshift_cluster_masters_group: "{{ cluster_masters_group }}"
+ openshift_cluster_nodes_group: "{{ cluster_nodes_group }}"
+ openshift_cluster_infra_group: "{{ cluster_infra_group }}"
+ openshift_auth_profile: "osbs"
+ openshift_cluster_url: "{{osbs_url}}"
+ openshift_master_ha: false
+ openshift_debug_level: 2
+ openshift_shared_infra: true
+ openshift_deployment_type: "openshift-enterprise"
+ openshift_ansible_use_crio: false
+ openshift_ansible_crio_only: false
+ tags: ['openshift-cluster-x86','ansible-ansible-openshift-ansible']
+
+- name: Deploy OpenShift Cluster aarch64
+ hosts: osbs_control:osbs_control_stg
+ tags:
+ - osbs-deploy-openshift
+ - osbs-aarch-deploy-openshift
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - role: ansible-ansible-openshift-ansible
+ cluster_inventory_filename: "{{ inventory_filename }}"
+ openshift_htpasswd_file: "/etc/origin/htpasswd"
+ openshift_master_public_api_url: "https://{{ osbs_url }}:8443"
+ openshift_release: "v3.11"
+ openshift_version: "v3.11"
+ openshift_ansible_path: "/root/openshift-ansible"
+ openshift_ansible_pre_playbook: "playbooks/prerequisites.yml"
+ openshift_ansible_playbook: "playbooks/deploy_cluster.yml"
+ openshift_ansible_version: "openshift-ansible-3.11.51-1"
+ openshift_ansible_ssh_user: root
+ openshift_ansible_install_examples: false
+ openshift_ansible_containerized_deploy: false
+ openshift_cluster_masters_group: "{{ aarch_masters_group }}"
+ openshift_cluster_nodes_group: "{{ aarch_nodes_group }}"
+ openshift_cluster_infra_group: "{{ aarch_infra_group }}"
+ openshift_auth_profile: "osbs"
+ openshift_cluster_url: "{{osbs_url}}"
+ openshift_master_ha: false
+ openshift_debug_level: 2
+ openshift_shared_infra: true
+ openshift_deployment_type: "origin"
+ openshift_ansible_python_interpreter: "/usr/bin/python3"
+ openshift_ansible_use_crio: false
+ openshift_ansible_crio_only: false
+ openshift_arch: "aarch64"
+ tags: ['openshift-cluster-aarch','ansible-ansible-openshift-ansible']
+
+- name: Setup OSBS requirements for OpenShift cluster hosts
+ hosts: osbs_masters_stg:osbs_nodes_stg:osbs_masters:osbs_nodes
+ tags:
+ - osbs-cluster-req
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ tasks:
+ - name: Ensures /etc/dnsmasq.d/ dir exists
+ file: path="/etc/dnsmasq.d/" state=directory
+ - name: install fedora dnsmasq specific config
+ copy:
+ src: "{{files}}/osbs/fedora-dnsmasq.conf.{{env}}"
+ dest: "/etc/dnsmasq.d/fedora-dns.conf"
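Review bot: The task `install key for openshift public facing REST API SSL` copies `osbs-internal.key` to `/etc/origin/master/named_certificates/` with no `owner`, `group` or `mode`, so a newly created private key gets whatever the remote umask yields. The `place htpasswd file` task has the same gap, and `ensure origin conf dir exists` creates `/etc/origin` without a mode. The `deploy private key to control hosts` task earlier in this file already pins `owner: root` and `mode: 0600`; both secret-bearing copies should do the same by adding `owner: root`, `group: root`, `mode: "0600"`. This assumes the master process reads these files as root, which should be confirmed before tightening. Quoting the mode also avoids relying on YAML octal parsing.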
diff --git a/playbooks/groups/osbs/osbs-post-install.yml b/playbooks/groups/osbs/osbs-post-install.yml
new file mode 100644
index 0000000..d290460
--- /dev/null
+++ b/playbooks/groups/osbs/osbs-post-install.yml
@@ -0,0 +1,196 @@
+- name: post-install master host osbs tasks
+ hosts: osbs_masters_stg:osbs_masters:osbs_aarch64_masters_stg[0]:osbs_aarch64_masters[0]
+ tags:
+ - osbs-post-install
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - /srv/private/ansible/vars.yml
+ - /srv/private/ansible/files/openstack/passwords.yml
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ vars:
+ osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
+ osbs_environment:
+ KUBECONFIG: "{{ osbs_kubeconfig_path }}"
+
+ tasks:
+ - name: cron entry to clean up old builds
+ copy:
+ src: "{{files}}/osbs/cleanup-old-osbs-builds"
+ dest: "/etc/cron.d/cleanup-old-osbs-builds"
+
+- name: post-install osbs control tasks
+ hosts: osbs_control
+ tags: osbs-post-install
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - /srv/private/ansible/vars.yml
+ - /srv/private/ansible/files/openstack/passwords.yml
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ tasks:
+ - name: enable nrpe for monitoring (noc01)
+ iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
+ tags:
+ - iptables
+
+
+- name: post-install node host osbs tasks
+ hosts: osbs_nodes_stg:osbs_nodes:osbs_aarch64_nodes_stg:osbs_aarch64_nodes
+ tags:
+ - osbs-post-install
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - /srv/private/ansible/vars.yml
+ - /srv/private/ansible/files/openstack/passwords.yml
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ vars:
+ osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
+ osbs_environment:
+ KUBECONFIG: "{{ osbs_kubeconfig_path }}"
+
+
+ handlers:
+ - name: Remove the previous buildroot image
+ docker_image:
+ state: absent
+ name: buildroot
+
+ - name: Build the new buildroot container
+ docker_image:
+ path: /etc/osbs/buildroot/
+ name: buildroot
+ nocache: yes
+
+ - name: restart and reload docker service
+ systemd:
+ name: docker
+ state: restarted
+ daemon_reload: yes
+
+ tasks:
+ - name: enable nrpe for monitoring (noc01)
+ iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
+ tags:
+ - iptables
+
+ - name: copy docker iptables script
+ copy:
+ src: "{{files}}/osbs/fix-docker-iptables.{{ env }}"
+ dest: /usr/local/bin/fix-docker-iptables
+ mode: 0755
+ tags:
+ - iptables
+ notify:
+ - restart and reload docker service
+
+ - name: copy docker custom service config
+ copy:
+ src: "{{files}}/osbs/docker.firewall.service"
+ dest: /etc/systemd/system/docker.service.d/firewall.conf
+ tags:
+ - docker
+ notify:
+ - restart and reload docker service
+
+ - name: copy the osbs customization file
+ copy:
+ src: "{{item}}"
+ dest: "/etc/osbs/buildroot/"
+ owner: root
+ mode: 0600
+ with_items:
+ - "{{files}}/osbs/worker_customize.json"
+ - "{{files}}/osbs/orchestrator_customize.json"
+
+ - name: Create buildroot container conf directory
+ file:
+ path: "/etc/osbs/buildroot/"
+ state: directory
+
+ - name: Upload Dockerfile for buildroot container
+ template:
+ src: "{{ files }}/osbs/buildroot-Dockerfile-{{env}}.j2"
+ dest: "/etc/osbs/buildroot/Dockerfile"
+ mode: 0400
+ notify:
+ - Remove the previous buildroot image
+ - Build the new buildroot container
+
+ - name: Upload krb5.conf for buildroot container
+ template:
+ src: "{{ roles_path }}/base/templates/krb5.conf.j2"
+ dest: "/etc/osbs/buildroot/krb5.conf"
+ mode: 0644
+ notify:
+ - Remove the previous buildroot image
+ - Build the new buildroot container
+
+ - name: Upload internal CA for buildroot
+ copy:
+ src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
+ dest: "/etc/osbs/buildroot/ca.crt"
+ mode: 0400
+ notify:
+ - Remove the previous buildroot image
+ - Build the new buildroot container
+
+ - name: stat infra repofile
+ stat:
+ path: "/etc/yum.repos.d/infra-tags.repo"
+ register: infra_repo_stat
+
+ - name: stat /etc/osbs/buildroot/ infra repofile
+ stat:
+ path: "/etc/osbs/buildroot/infra-tags.repo"
+ register: etcosbs_infra_repo_stat
+
+ - name: remove old /etc/osbs/buildroot/ infra repofile
+ file:
+ path: "/etc/osbs/buildroot/infra-tags.repo"
+ state: absent
+ when: etcosbs_infra_repo_stat.stat.exists and infra_repo_stat.stat.checksum != etcosbs_infra_repo_stat.stat.checksum
+
+ - name: Copy repofile for buildroot container (because Docker)
+ copy:
+ src: "/etc/yum.repos.d/infra-tags.repo"
+ dest: "/etc/osbs/buildroot/infra-tags.repo"
+ remote_src: true
+ notify:
+ - Remove the previous buildroot image
+ - Build the new buildroot container
+ when: etcosbs_infra_repo_stat.stat.exists == false
+
+ - name: stat /etc/ keytab
+ stat:
+ path: "/etc/krb5.osbs_{{osbs_url}}.keytab"
+ register: etc_kt_stat
+
+ - name: stat /etc/osbs/buildroot/ keytab
+ stat:
+ path: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab"
+ register: etcosbs_kt_stat
+
+ - name: remove old hardlink to /etc/osbs/buildroot/ keytab
+ file:
+ path: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab"
+ state: absent
+ when: etcosbs_kt_stat.stat.exists and etc_kt_stat.stat.checksum != etcosbs_kt_stat.stat.checksum
+
+ - name: Hardlink keytab for buildroot container (because Docker)
+ file:
+ src: "/etc/krb5.osbs_{{osbs_url}}.keytab"
+ dest: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab"
+ state: hard
+ notify:
+ - Remove the previous buildroot image
+ - Build the new buildroot container
+
+ when: etcosbs_kt_stat.stat.exists == false
+
+ - name: pull fedora required docker images
+ command: "docker pull {{source_registry}}/{{item}}"
+ with_items: "{{fedora_required_images}}"
+ register: docker_pull_fedora
+ changed_when: "'Downloaded newer image' in docker_pull_fedora.stdout"
+
+ - name: enable nrpe for monitoring (noc01)
+ iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
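Review bot: The task `Hardlink keytab for buildroot container (because Docker)` places the Kerberos keytab in `/etc/osbs/buildroot/`, the directory the `Build the new buildroot container` handler uses as its build `path:`. Whether the credential ends up in an image layer depends on the Dockerfile template, which is not visible here, so that should be checked and noted in a comment on the task. The directory itself is only created by `Create buildroot container conf directory`, which comes after `copy the osbs customization file` has already written into it and sets no permissions; I would move that task first and add `owner: root` and `mode: "0700"`. Separately, `enable nrpe for monitoring (noc01)` appears twice in the node play, at the start and the end of `tasks:`, with the source address `10.5.126.41` hard-coded each time. One copy driven by a variable would keep the allowed monitoring source in a single place.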
diff --git a/playbooks/groups/osbs/rebuild-osbs-buildroot.yml b/playbooks/groups/osbs/rebuild-osbs-buildroot.yml
new file mode 100644
index 0000000..95b5517
--- /dev/null
+++ b/playbooks/groups/osbs/rebuild-osbs-buildroot.yml
@@ -0,0 +1,15 @@
+# This playbook can be used to update to rebuild the buildroot image of
+# OSBS. This is useful when we want to update some dependencies in the image.
+
+- name: rebuild the osbs buildroot image.
+ hosts: osbs_nodes:osbs_nodes_stg:osbs_aarch64_nodes_stg
+ gather_facts: false
+ user: root
+
+ tasks:
+
+ - name: Backup the current buildroot
+ command: "docker tag buildroot:latest buildroot:backup"
+
+ - name: rebuild the buildroot container image.
+ command: "docker build /etc/osbs/buildroot -t buildroot --no-cache --pull"
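Review bot: The `Backup the current buildroot` task runs `docker tag buildroot:latest buildroot:backup`, which fails on a node that has no `buildroot:latest` yet and so stops the play before the rebuild on exactly the nodes that lack the image. If a missing image is acceptable there, `ignore_errors: true` on that task lets the build proceed. Nothing in the play uses `buildroot:backup` afterwards, so rollback is manual; a comment such as `# buildroot:backup is kept for manual rollback only` would make that explicit. The header comment also reads "can be used to update to rebuild"; `# This playbook rebuilds the OSBS buildroot image.` is clearer.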
diff --git a/playbooks/groups/osbs/setup-orchestrator-namespace.yml b/playbooks/groups/osbs/setup-orchestrator-namespace.yml
new file mode 100644
index 0000000..3c31d8e
--- /dev/null
+++ b/playbooks/groups/osbs/setup-orchestrator-namespace.yml
@@ -0,0 +1,168 @@
+- name: Create orchestrator namespace
+ hosts: osbs_masters_stg[0]:osbs_masters[0]
+ roles:
+ - role: osbs-namespace
+ osbs_orchestrator: true
+ osbs_worker_clusters: "{{ osbs_conf_worker_clusters }}"
+ osbs_cpu_limitrange: "{{ osbs_orchestrator_cpu_limitrange }}"
+ osbs_nodeselector: "{{ osbs_orchestrator_default_nodeselector|default('') }}"
+ osbs_sources_command: "{{ osbs_conf_sources_command }}"
+ osbs_readwrite_users: "{{ osbs_conf_readwrite_users }}"
+ osbs_service_accounts: "{{ osbs_conf_service_accounts }}"
+ koji_use_kerberos: true
+ koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{ osbs_url }}.keytab"
+ koji_kerberos_principal: "osbs/{{osbs_url}}@{{ ipa_realm }}"
+ tags:
+ - osbs-orchestrator-namespace
+
+- name: setup reactor config secret in orchestrator namespace
+ hosts: osbs_masters_stg[0]:osbs_masters[0]
+ roles:
+ - role: osbs-secret
+ osbs_secret_name: reactor-config-secret
+ osbs_secret_files:
+ - source: "/tmp/{{ osbs_namespace }}-{{ env }}-reactor-config-secret.yml"
+ dest: config.yaml
+ tags:
+ - osbs-orchestrator-namespace
+
+- name: setup client config secret in orchestrator namespace
+ hosts: osbs_masters_stg[0]:osbs_masters[0]
+ roles:
+ - role: osbs-secret
+ osbs_secret_name: client-config-secret
+ osbs_secret_files:
+ - source: "/tmp/{{ osbs_namespace }}-{{ env }}-client-config-secret.conf"
+ dest: osbs.conf
+ tags:
+ - osbs-orchestrator-namespace
+
+- name: setup ODCS secret in orchestrator namespace
+ hosts: osbs_masters_stg[0]:osbs_masters[0]
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ roles:
+ - role: osbs-secret
+ osbs_secret_name: odcs-oidc-secret
+ osbs_secret_files:
+ - source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token"
+ dest: token
+ tags:
+ - osbs-orchestrator-namespace
+
+- name: Save orchestrator token x86_64
+ hosts: osbs_masters_stg[0]:osbs_masters[0]
+ tasks:
+ - name: get orchestrator service account token
+ command: "oc -n {{ osbs_worker_namespace }} sa get-token orchestrator"
+ register: orchestator_token_x86_64
+ - name: save the token locally
+ local_action: >
+ copy
+ content="{{ orchestator_token_x86_64.stdout }}"
+ dest=/tmp/.orchestator-token-x86_64
+ mode=0400
+ tags:
+ - osbs-orchestrator-namespace
+
+- name: setup orchestrator token for x86_64-osbs
+ hosts: osbs_masters_stg[0]:osbs_masters[0]
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ roles:
+ - role: osbs-secret
+ osbs_secret_name: x86-64-orchestrator
+ osbs_secret_files:
+ - source: "/tmp/.orchestator-token-x86_64"
+ dest: token
+
+ post_tasks:
+ - name: Delete the temporary secret file
+ local_action: >
+ file
+ state=absent
+ path="/tmp/.orchestator-token-x86_64"
+ tags:
+ - osbs-orchestrator-namespace
+
+- name: Save orchestrator token aarch64
+ hosts: osbs_aarch64_masters_stg[0]:osbs_aarch64_masters[0]
+ tasks:
+ - name: get orchestrator service account token
+ command: "oc -n {{ osbs_worker_namespace }} sa get-token orchestrator"
+ register: orchestator_token_aarch64
+ - name: save the token locally
+ local_action: >
+ copy
+ content="{{ orchestator_token_aarch64.stdout }}"
+ dest=/tmp/.orchestator-token-aarch64
+ mode=0400
+ tags:
+ - osbs-orchestrator-namespace
+
+- name: setup orchestrator token for aarch64-osbs
+ hosts: osbs_masters_stg[0]:osbs_masters[0]
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ roles:
+ - role: osbs-secret
+ osbs_secret_can_fail: true
+ osbs_secret_name: aarch64-orchestrator
+ osbs_secret_files:
+ - source: "/tmp/.orchestator-token-aarch64"
+ dest: token
+
+ post_tasks:
+ - name: Delete the temporary secret file
+ local_action: >
+ file
+ state=absent
+ path="/tmp/.orchestator-token-aarch64"
+
+ tags:
+ - osbs-orchestrator-namespace
+
+- name: Add dockercfg secret to allow registry push orchestrator
+ hosts: osbs_masters_stg[0]:osbs_masters[0]
+ tags:
+ - osbs-dockercfg-secret
+ user: root
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ pre_tasks:
+ - name: Create the username:password string needed by the template
+ set_fact:
+ auth_info_prod: "{{candidate_registry_osbs_prod_username}}:{{candidate_registry_osbs_prod_password}}"
+ auth_info_stg: "{{candidate_registry_osbs_stg_username}}:{{candidate_registry_osbs_stg_password}}"
+
+ - name: Create the dockercfg secret file
+ local_action: >
+ template
+ src="{{ files }}/osbs/dockercfg-{{env}}-secret.j2"
+ dest="/tmp/.dockercfg"
+ mode=0400
+
+ roles:
+ - role: osbs-secret
+ osbs_secret_name: "v2-registry-dockercfg"
+ osbs_secret_type: kubernetes.io/dockercfg
+ osbs_secret_files:
+ - source: "/tmp/.dockercfg"
+ dest: .dockercfg
+
+ post_tasks:
+ - name: Delete the temporary secret file
+ local_action: >
+ file
+ state=absent
+ path="/tmp/.dockercfg"
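Review bot: The service-account tokens and the registry credentials are staged on the control host under fixed names in /tmp (`/tmp/.orchestator-token-x86_64`, `/tmp/.orchestator-token-aarch64`, `/tmp/.dockercfg`), and none of the tasks that read or write them sets `no_log: true`, so the token text can end up in Ansible output and logs. A fixed name in a world-writable directory can be pre-created by another local user, and because these plays target both `osbs_masters_stg[0]` and `osbs_masters[0]`, a run not limited to one environment would have both hosts write the same local file, presumably leaving whichever was written last. The `post_tasks` cleanup also does not run if the role fails, which leaves the secret on disk. I would add `no_log: true` to `get orchestrator service account token`, `save the token locally` and `Create the dockercfg secret file`, and stage the files in a per-run private directory (for example one created with the `tempfile` module) instead of fixed /tmp paths. The same `/tmp/.dockercfg` pattern recurs in setup-worker-namespace.yml, where the play fans out to four hosts.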
diff --git a/playbooks/groups/osbs/setup-worker-namespace.yml b/playbooks/groups/osbs/setup-worker-namespace.yml
new file mode 100644
index 0000000..1b94f95
--- /dev/null
+++ b/playbooks/groups/osbs/setup-worker-namespace.yml
@@ -0,0 +1,78 @@
+- name: Create worker namespace
+ hosts: osbs_masters_stg[0]:osbs_masters[0]:osbs_aarch64_masters_stg[0]:osbs_aarch64_masters[0]
+ tags:
+ - osbs-worker-namespace
+ user: root
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ vars:
+ osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
+ osbs_environment:
+ KUBECONFIG: "{{ osbs_kubeconfig_path }}"
+
+ roles:
+ - role: osbs-namespace
+ osbs_namespace: "{{ osbs_worker_namespace }}"
+ osbs_service_accounts: "{{ osbs_worker_service_accounts }}"
+ osbs_nodeselector: "{{ osbs_worker_default_nodeselector|default('') }}"
+ osbs_sources_command: "{{ osbs_conf_sources_command }}"
+
+- name: setup ODCS secret in worker namespace
+ hosts: osbs_masters_stg[0]:osbs_masters[0]:osbs_aarch64_masters_stg[0]:osbs_aarch64_masters[0]
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ roles:
+ - role: osbs-secret
+ osbs_namespace: "{{ osbs_worker_namespace }}"
+ osbs_secret_name: odcs-oidc-secret
+ osbs_secret_files:
+ - source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token"
+ dest: token
+ tags:
+ - osbs-worker-namespace
+
+- name: Add dockercfg secret to allow registry push worker
+ hosts: osbs_masters_stg[0]:osbs_masters[0]:osbs_aarch64_masters_stg[0]:osbs_aarch64_masters[0]
+ tags:
+ - osbs-dockercfg-secret
+ - osbs-worker-namespace
+ user: root
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ pre_tasks:
+ - name: Create the username:password string needed by the template
+ set_fact:
+ auth_info_prod: "{{candidate_registry_osbs_prod_username}}:{{candidate_registry_osbs_prod_password}}"
+ auth_info_stg: "{{candidate_registry_osbs_stg_username}}:{{candidate_registry_osbs_stg_password}}"
+
+ - name: Create the dockercfg secret file
+ local_action: >
+ template
+ src="{{ files }}/osbs/dockercfg-{{env}}-secret.j2"
+ dest="/tmp/.dockercfg"
+ mode=0400
+
+ roles:
+ - role: osbs-secret
+ osbs_namespace: "{{ osbs_worker_namespace }}"
+ osbs_secret_name: "v2-registry-dockercfg"
+ osbs_secret_type: kubernetes.io/dockercfg
+ osbs_secret_files:
+ - source: "/tmp/.dockercfg"
+ dest: .dockercfg
+
+ post_tasks:
+ - name: Delete the temporary secret file
+ local_action: >
+ file
+ state=absent
+ path="/tmp/.dockercfg"
diff --git a/playbooks/groups/packages.yml b/playbooks/groups/packages.yml
index 0345687..941673e 100644
--- a/playbooks/groups/packages.yml
+++ b/playbooks/groups/packages.yml
@@ -21,7 +21,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/pkgdb.yml b/playbooks/groups/pkgdb.yml
index 1b1f264..2f9221e 100644
--- a/playbooks/groups/pkgdb.yml
+++ b/playbooks/groups/pkgdb.yml
@@ -17,7 +17,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/pkgs.yml b/playbooks/groups/pkgs.yml
index 306c438..6aaa38c 100644
--- a/playbooks/groups/pkgs.yml
+++ b/playbooks/groups/pkgs.yml
@@ -13,7 +13,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- fas_client
- collectd/base
- sudo
diff --git a/playbooks/groups/postgresql-server.yml b/playbooks/groups/postgresql-server.yml
index c4bca93..2b7c379 100644
--- a/playbooks/groups/postgresql-server.yml
+++ b/playbooks/groups/postgresql-server.yml
@@ -23,7 +23,7 @@
- base
- rkhunter
- fas_client
- - nagios/client
+ - nagios_client
- hosts
- postgresql_server
- collectd/base
diff --git a/playbooks/groups/proxies.yml b/playbooks/groups/proxies.yml
index 848dafe..d879417 100644
--- a/playbooks/groups/proxies.yml
+++ b/playbooks/groups/proxies.yml
@@ -20,7 +20,7 @@
- base
- fas_client
- rkhunter
- - nagios/client
+ - nagios_client
- collectd/base
- sudo
- rsyncd
diff --git a/playbooks/groups/smtp-mm.yml b/playbooks/groups/smtp-mm.yml
index 740dd65..8509d2e 100644
--- a/playbooks/groups/smtp-mm.yml
+++ b/playbooks/groups/smtp-mm.yml
@@ -15,7 +15,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/squid.xml b/playbooks/groups/squid.xml
index 2b16af0..0f6f9e2 100644
--- a/playbooks/groups/squid.xml
+++ b/playbooks/groups/squid.xml
@@ -8,13 +8,12 @@
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- base
- hosts
- rkhunter
- - nagios/client
+ - nagios_client
- collectd/base
- sudo
- rsyncd
diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml
index 7eac207..fcf2889 100644
--- a/playbooks/groups/virthost.yml
+++ b/playbooks/groups/virthost.yml
@@ -21,7 +21,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/manual/kernel-qa.yml b/playbooks/manual/kernel-qa.yml
index 49766db..76c48c9 100644
--- a/playbooks/manual/kernel-qa.yml
+++ b/playbooks/manual/kernel-qa.yml
@@ -15,7 +15,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- fas_client
- sudo
- hosts
diff --git a/playbooks/manual/qadevel.yml b/playbooks/manual/qadevel.yml
index 52d318b..b2c14d4 100644
--- a/playbooks/manual/qadevel.yml
+++ b/playbooks/manual/qadevel.yml
@@ -32,7 +32,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- fas_client
- collectd/base
- sudo
diff --git a/roles/apache/handlers/main.yml b/roles/apache/handlers/main.yml
new file mode 100644
index 0000000..f599732
--- /dev/null
+++ b/roles/apache/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: restart apache
+ command: /usr/local/bin/conditional-restart.sh httpd httpd
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 89334d0..9d2e897 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -52,7 +52,7 @@
ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns value=none
notify:
- restart NetworkManager
- when: ansible_distribution_major_version|int >=7 and ansible_distribution == 'RedHat' and nmclitest is success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv
+ when: ansible_distribution_major_version|int >=7 and ansible_distribution != 'Fedora' and nmclitest is success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv
tags:
- config
- resolvconf
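Review bot: Replacing `ansible_distribution == 'RedHat'` with `ansible_distribution != 'Fedora'` in the `when:` line widens this task from RHEL to every non-Fedora distribution with a major version of 7 or higher, not only CentOS. If the intent is to cover the EL family, an explicit list states it and will not match an unrelated distribution later: `ansible_distribution in ['RedHat', 'CentOS']`. The task itself starts above the hunk, so its name and the registration of `nmclitest` are not visible here.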
diff --git a/roles/mod_wsgi/files/wsgi.conf b/roles/mod_wsgi/files/wsgi.conf
new file mode 100644
index 0000000..6c32a15
--- /dev/null
+++ b/roles/mod_wsgi/files/wsgi.conf
@@ -0,0 +1,14 @@
+LoadModule wsgi_module modules/mod_wsgi.so
+
+# Some apps, notably anything that uses hg, need these off
+WSGIRestrictStdin Off
+WSGIRestrictStdout Off
+
+# Put the socket somewhere writable
+WSGISocketPrefix run/wsgi
+
+# Do not Optimize without stripping docstrings
+WSGIPythonOptimize 0
+
+# Set WSGIApplicationGroup to global
+WSGIApplicationGroup %{GLOBAL}
diff --git a/roles/mod_wsgi/meta/main.yml b/roles/mod_wsgi/meta/main.yml
new file mode 100644
index 0000000..7f15145
--- /dev/null
+++ b/roles/mod_wsgi/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+- role: apache
+ when: wsgi_wants_apache
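Review bot: `when: wsgi_wants_apache` refers to a variable that none of the files this commit adds to the role defines. A playbook that includes `mod_wsgi` without setting it would therefore fail on the undefined name, unless it is set in group vars not visible here. Giving it a default in the condition avoids that, for example `when: wsgi_wants_apache|default(true)` (or `default(false)`, whichever is intended).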
diff --git a/roles/mod_wsgi/tasks/main.yml b/roles/mod_wsgi/tasks/main.yml
new file mode 100644
index 0000000..e53e256
--- /dev/null
+++ b/roles/mod_wsgi/tasks/main.yml
@@ -0,0 +1,32 @@
+---
+# install mod_wsgi
+- name: install mod_wsgi
+ package:
+ name: mod_wsgi
+ state: present
+ tags:
+ - packages
+ when: ansible_distribution_major_version|int < 7 and ansible_distribution != 'Fedora'
+
+- name: install mod_wsgi
+ package:
+ name: python3-mod_wsgi
+ state: present
+ tags:
+ - packages
+ when: ansible_distribution_major_version|int == 8 and ansible_distribution != 'Fedora'
+
+- name: install mod_wsgi
+ package:
+ name: mod_wsgi
+ state: present
+ tags:
+ - packages
+ when: ansible_distribution == 'Fedora'
+
+- name: wsgi.conf
+ copy: src="wsgi.conf" dest=/etc/httpd/conf.d/wsgi.conf
+ notify:
+ - restart apache
+ tags:
+ - config
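Review bot: No install task matches a non-Fedora host with major version 7: the first task requires `|int < 7` and the second `|int == 8`. `wsgi.conf` with its `LoadModule wsgi_module` line is still copied there and `restart apache` notified, so httpd would presumably fail to load the module. If EL7 is meant to get `mod_wsgi`, the first condition should read `ansible_distribution_major_version|int < 8 and ansible_distribution != 'Fedora'`. The three install tasks also share the name `install mod_wsgi`; naming the package in each (for example `install python3-mod_wsgi (EL8)`) makes run output easier to read. The final `copy` sets no `owner`, `group` or `mode`, so the file's permissions depend on defaults.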
diff --git a/roles/nagios_client/README.rst b/roles/nagios_client/README.rst
new file mode 100644
index 0000000..cc2f303
--- /dev/null
+++ b/roles/nagios_client/README.rst
@@ -0,0 +1,36 @@
+===================================
+ Nagios 4 Configuration for Fedora
+===================================
+
+The Fedora Infrastructure Nagios is built on a set of configurations
+originally written for Nagios 2 and then upgraded over time to Nagios
+3 and then 4.08. With additional changes made in the 4.2 series of
+Nagios this needed a better rewrite as various parts came from
+pre-puppet and then various puppet modules added on top.
+
+In order to get this rewrite done, we will use as much of the original
+layout of the Fedora ansible nagios module but with rewrites to better
+match current Nagios configurations so that it can be maintained.
+
+Role directory layout
+=====================
+The original layout branched out from
+
+ roles/nagios/client/
+ roles/nagios/server/
+
+With the usual trees below this. This breaks ansible best practices
+and how most new modules are set up so the rewrite uses:
+
+ roles/nagios_client/
+ roles/nagios_server/
+
+=====================
+ Nagios Client Files
+=====================
+
+For the most part the Nagios Client files seem to work from the
+original layout to the new site. Changes will only need to be made to
+playbooks for the initial changes.
+
+
diff --git a/roles/nagios_client/files/scripts/check_datanommer_timesince.py b/roles/nagios_client/files/scripts/check_datanommer_timesince.py
new file mode 100755
index 0000000..ddc324c
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_datanommer_timesince.py
@@ -0,0 +1,72 @@
+#!/usr/bin/python2
+""" NRPE check for datanommer/fedmsg health.
+Given a category like 'bodhi', 'buildsys', or 'git', return an error if
+datanommer hasn't seen a message of that type in such and such time.
+You can alternatively provide a 'topic' which might look like
+org.fedoraproject.prod.bodhi.update.comment.
+
+Requires: python-dateutil
+
+Usage:
+
+ $ check_datanommer_timesince CATEGORY WARNING_THRESH CRITICAL_THRESH
+
+:Author: Ralph Bean <rbean(a)redhat.com>
+
+"""
+
+import dateutil.relativedelta
+import subprocess
+import sys
+import json
+
+
+def query_timesince(identifier):
+ # If it has a '.', then assume it is a topic.
+ if '.' in identifier:
+ cmd = 'datanommer-latest --topic %s --timesince' % identifier
+ else:
+ cmd = 'datanommer-latest --category %s --timesince' % identifier
+ sys.stderr.write("Running %r\n" % cmd)
+ process = subprocess.Popen(cmd.split(), shell=False,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ stdout, stderr = process.communicate()
+ prefix, stdout = stdout.split("INFO] ", 1)
+ data = json.loads(stdout)
+ return float(data[0])
+
+
+def main():
+ identifier, warning_threshold, critical_threshold = sys.argv[-3:]
+ timesince = query_timesince(identifier)
+ warning_threshold = int(warning_threshold)
+ critical_threshold = int(critical_threshold)
+
+ time_strings = []
+ rd = dateutil.relativedelta.relativedelta(seconds=timesince)
+ for denomination in ['years', 'months', 'days', 'hours', 'minutes', 'seconds']:
+ value = getattr(rd, denomination, 0)
+ if value:
+ time_strings.append("%d %s" % (value, denomination))
+
+ string = ", ".join(time_strings)
+ reason = "datanommer has not seen a %r message in %s" % (identifier, string)
+
+ if timesince > critical_threshold:
+ print "CRIT: ", reason
+ sys.exit(2)
+
+ if timesince > warning_threshold:
+ print "WARN: ", reason
+ sys.exit(1)
+
+ print "OK: ", reason
+ sys.exit(0)
+
+
+if __name__ == '__main__':
+ try:
+ main()
+ except Exception as e:
+ print "UNKNOWN: ", str(e)
+ sys.exit(3)
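Review bot: In `query_timesince` the identifier from the command line is formatted into one string and then split on whitespace, so an identifier containing a space becomes extra arguments to `datanommer-latest`. Where NRPE is configured to accept arguments from the remote side, that allows option injection even with `shell=False`. Building the argument list directly avoids it: `cmd = ['datanommer-latest', '--topic' if '.' in identifier else '--category', identifier, '--timesince']`, passed to `Popen` without `.split()`. The child's return code and stderr are also never checked, so a failing `datanommer-latest` surfaces only as the ValueError from `stdout.split("INFO] ", 1)`; checking `process.returncode` and including stderr in the UNKNOWN message would make failures diagnosable.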
diff --git a/roles/nagios_client/files/scripts/check_fcomm_queue b/roles/nagios_client/files/scripts/check_fcomm_queue
new file mode 100644
index 0000000..14566fb
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_fcomm_queue
@@ -0,0 +1,23 @@
+#!/usr/bin/python2
+import sys
+
+try:
+ import retask.queue
+
+ queue = retask.queue.Queue('fedora-packages')
+ queue.connect()
+
+ items = queue.length
+ if items > 500:
+ print "CRITICAL: %i tasks in fcomm queue" % items
+ sys.exit(2)
+ elif items > 250:
+ print "WARNING: %i tasks in fcomm queue" % items
+ sys.exit(1)
+ else:
+ print "OK: %i tasks in fcomm queue" % items
+ sys.exit(0)
+
+except Exception as e:
+ print "UNKNOWN:", str(e)
+ sys.exit(3)
diff --git a/roles/nagios_client/files/scripts/check_fedmsg_consumer_backlog.py b/roles/nagios_client/files/scripts/check_fedmsg_consumer_backlog.py
new file mode 100644
index 0000000..56fc98c
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_fedmsg_consumer_backlog.py
@@ -0,0 +1,65 @@
+#!/usr/bin/python
+
+import json
+import os
+import socket
+import sys
+import zmq
+
+try:
+ service = sys.argv[1]
+ check_consumer = sys.argv[2]
+ backlog_warning = int(sys.argv[3])
+ backlog_critical = int(sys.argv[4])
+ fname = '/var/run/fedmsg/monitoring-%s.socket' % service
+
+ if not os.path.exists(fname):
+ print("UNKNOWN - %s does not exist" % fname)
+ sys.exit(3)
+
+ if not os.access(fname, os.W_OK):
+ print("UNKNOWN - cannot write to %s" % fname)
+ sys.exit(3)
+
+ connect_to = "ipc:///%s" % fname
+ ctx = zmq.Context()
+ s = ctx.socket(zmq.SUB)
+ s.connect(connect_to)
+ try:
+ s.setsockopt(zmq.SUBSCRIBE, '')
+ except TypeError:
+ s.setsockopt_string(zmq.SUBSCRIBE, '')
+
+ poller = zmq.Poller()
+ poller.register(s, zmq.POLLIN)
+
+ timeout = 20000
+
+ events = dict(poller.poll(timeout))
+ if s in events and events[s] == zmq.POLLIN:
+ msg = s.recv()
+ msg = json.loads(msg)
+ else:
+ print('UNKNOWN - ZMQ timeout. No message received in %i ms' % timeout)
+ sys.exit(3)
+
+ for consumer in msg['consumers']:
+ if consumer['name'] == check_consumer:
+ if consumer['backlog'] is None:
+ print('ERROR: fedmsg consumer %s is not initialized' % consumer['name'])
+ sys.exit(3)
+ elif consumer['backlog'] > backlog_critical:
+ print('CRITICAL: fedmsg consumer %s backlog value is %i' % (consumer['name'],consumer['backlog']))
+ sys.exit(2)
+ elif consumer['backlog'] > backlog_warning:
+ print('WARNING: fedmsg consumer %s backlog value is %i' % (consumer['name'],consumer['backlog']))
+ sys.exit(1)
+ else:
+ print('OK: fedmsg consumer %s backlog value is %i' % (consumer['name'],consumer['backlog']))
+ sys.exit(0)
+
+ print("UNKNOWN: fedmsg consumer %s not found" % check_consumer)
+ sys.exit(3)
+except Exception as err:
+ print("UNKNOWN:", str(err))
+ sys.exit(3)
diff --git a/roles/nagios_client/files/scripts/check_fedmsg_consumer_exceptions.py b/roles/nagios_client/files/scripts/check_fedmsg_consumer_exceptions.py
new file mode 100644
index 0000000..2f410dd
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_fedmsg_consumer_exceptions.py
@@ -0,0 +1,61 @@
+#!/usr/bin/python
+
+import json
+import os
+import socket
+import sys
+import zmq
+
+try:
+ service = sys.argv[1]
+ check_consumer = sys.argv[2]
+ exceptions_warning = int(sys.argv[3])
+ exceptions_critical = int(sys.argv[4])
+ fname = '/var/run/fedmsg/monitoring-%s.socket' % service
+
+ if not os.path.exists(fname):
+ print("UNKNOWN - %s does not exist" % fname)
+ sys.exit(3)
+
+ if not os.access(fname, os.W_OK):
+ print("UNKNOWN - cannot write to %s" % fname)
+ sys.exit(3)
+
+ connect_to = "ipc:///%s" % fname
+ ctx = zmq.Context()
+ s = ctx.socket(zmq.SUB)
+ s.connect(connect_to)
+ try:
+ s.setsockopt(zmq.SUBSCRIBE, '')
+ except TypeError:
+ s.setsockopt_string(zmq.SUBSCRIBE, '')
+ poller = zmq.Poller()
+ poller.register(s, zmq.POLLIN)
+
+ timeout = 20000
+
+ events = dict(poller.poll(timeout))
+ if s in events and events[s] == zmq.POLLIN:
+ msg = s.recv()
+ msg = json.loads(msg)
+ else:
+ print('UNKNOWN - ZMQ timeout. No message received in %i ms' % timeout)
+ sys.exit(3)
+
+ for consumer in msg['consumers']:
+ if consumer['name'] == check_consumer:
+ if consumer['exceptions'] > exceptions_critical:
+ print('CRITICAL: fedmsg consumer %s exceptions value is %i' % (consumer['name'],consumer['exceptions']))
+ sys.exit(2)
+ elif consumer['exceptions'] > exceptions_warning:
+ print('WARNING: fedmsg consumer %s exceptions value is %i' % (consumer['name'],consumer['exceptions']))
+ sys.exit(1)
+ else:
+ print('OK: fedmsg consumer %s exceptions value is %i' % (consumer['name'],consumer['exceptions']))
+ sys.exit(0)
+
+ print("UNKNOWN: fedmsg consumers %s not found" % check_consumer)
+ sys.exit(3)
+except Exception as err:
+ print("UNKNOWN:", str(err))
+ sys.exit(3)
diff --git a/roles/nagios_client/files/scripts/check_fedmsg_producer_last_ran.py b/roles/nagios_client/files/scripts/check_fedmsg_producer_last_ran.py
new file mode 100644
index 0000000..d41d07a
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_fedmsg_producer_last_ran.py
@@ -0,0 +1,72 @@
+#!/usr/bin/python
+
+import arrow
+import json
+import os
+import socket
+import sys
+import time
+import zmq
+
+try:
+ service = sys.argv[1]
+ check_producer = sys.argv[2]
+ elapsed_warning = int(sys.argv[3])
+ elapsed_critical = int(sys.argv[4])
+ fname = '/var/run/fedmsg/monitoring-%s.socket' % service
+
+ if not os.path.exists(fname):
+ print("UNKNOWN - %s does not exist" % fname)
+ sys.exit(3)
+
+ if not os.access(fname, os.W_OK):
+ print("UNKNOWN - cannot write to %s" % fname)
+ sys.exit(3)
+
+ connect_to = "ipc:///%s" % fname
+ ctx = zmq.Context()
+ s = ctx.socket(zmq.SUB)
+ s.connect(connect_to)
+ try:
+ s.setsockopt(zmq.SUBSCRIBE, '')
+ except TypeError:
+ s.setsockopt_string(zmq.SUBSCRIBE, '')
+
+ poller = zmq.Poller()
+ poller.register(s, zmq.POLLIN)
+
+ timeout = 20000
+
+ events = dict(poller.poll(timeout))
+ if s in events and events[s] == zmq.POLLIN:
+ msg = s.recv()
+ msg = json.loads(msg)
+ else:
+ print('UNKNOWN - ZMQ timeout. No message received in %i ms' % timeout)
+ sys.exit(3)
+
+ now = time.time()
+
+ for prod in msg['producers']:
+ if prod['name'] != check_producer:
+ continue
+ diff = now - prod['last_ran']
+ then = arrow.get(prod['last_ran']).humanize()
+ if diff > elapsed_critical:
+ print("CRITICAL: %s last ran %s (%i seconds ago)" % ()
+ check_producer, then, diff)
+ sys.exit(2)
+ elif diff > elapsed_warning:
+ print("WARNING: %s last ran %s (%i seconds ago)" % ()
+ check_producer, then, diff)
+ sys.exit(1)
+ else:
+ print("OK: %s last ran %s (%i seconds ago)" % ()
+ check_producer, then, diff)
+ sys.exit(0)
+
+ print("UNKNOWN: fedmsg producer %s not found" % check_producer)
+ sys.exit(3)
+except Exception as err:
+ print("UNKNOWN:", str(err))
+ sys.exit(3)
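Review bot: As written this script does not parse: the three status prints in the producer loop have the form `print("CRITICAL: ..." % ()` with `check_producer, then, diff)` on the next line, which is a syntax error. Because the failure happens at compile time, the `except Exception` handler never runs and the interpreter exits with status 1, which Nagios reads as WARNING rather than UNKNOWN. Each of the three should be a single call with the tuple as the format argument, e.g. `print("CRITICAL: %s last ran %s (%i seconds ago)" % (check_producer, then, diff))`, and likewise for the WARNING and OK lines. `import socket` is unused here.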
diff --git a/roles/nagios_client/files/scripts/check_fedmsg_producers_consumers.py b/roles/nagios_client/files/scripts/check_fedmsg_producers_consumers.py
new file mode 100644
index 0000000..5029a5b
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_fedmsg_producers_consumers.py
@@ -0,0 +1,67 @@
+#!/usr/bin/python
+
+import json
+import os
+import socket
+import sys
+import zmq
+
+try:
+ service = sys.argv[1]
+ check_list = frozenset(sys.argv[2:])
+ fname = '/var/run/fedmsg/monitoring-%s.socket' % service
+
+ if not check_list:
+ print("UNKNOWN - empty list of fedmsg consumers and producers to check")
+ sys.exit(3)
+
+ if not os.path.exists(fname):
+ print("UNKNOWN - %s does not exist" % fname)
+ sys.exit(3)
+
+ if not os.access(fname, os.W_OK):
+ print("UNKNOWN - cannot write to %s" % fname)
+ sys.exit(3)
+
+ connect_to = "ipc:///%s" % fname
+ ctx = zmq.Context()
+ s = ctx.socket(zmq.SUB)
+ s.connect(connect_to)
+ try:
+ s.setsockopt(zmq.SUBSCRIBE, '')
+ except TypeError:
+ s.setsockopt_string(zmq.SUBSCRIBE, '')
+ poller = zmq.Poller()
+ poller.register(s, zmq.POLLIN)
+
+ timeout = 20000
+
+ events = dict(poller.poll(timeout))
+ if s in events and events[s] == zmq.POLLIN:
+ msg = s.recv()
+ msg = json.loads(msg)
+ else:
+ print('UNKNOWN - ZMQ timeout. No message received in %i ms' % timeout)
+ sys.exit(3)
+
+ for consumer in msg['consumers']:
+ if consumer['name'] in check_list and not consumer['initialized']:
+ print('ERROR: fedmsg consumer %s is not initialized' % consumer['name'])
+ sys.exit(2)
+
+ for producer in msg['producers']:
+ if producer['name'] in check_list and not producer['initialized']:
+ print('ERROR: fedmsg producer %s is not initialized' % producer['name'])
+ sys.exit(2)
+
+ for item in check_list:
+ if item not in [p['name'] for p in msg['producers'] + msg['consumers']]:
+ print('ERROR: %s not found among installed plugins' % item)
+ sys.exit(2)
+
+ print("OK: fedmsg consumer(s) and producer(s) initialized")
+ sys.exit(0)
+
+except Exception as err:
+ print("UNKNOWN:", str(err))
+ sys.exit(3)
diff --git a/roles/nagios_client/files/scripts/check_haproxy_conns.py b/roles/nagios_client/files/scripts/check_haproxy_conns.py
new file mode 100755
index 0000000..7762ffa
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_haproxy_conns.py
@@ -0,0 +1,76 @@
+#!/usr/bin/python2
+""" Nagios check for haproxy over-subscription.
+
+fedmsg-gateway is the primary concern as it can eat up a ton of simultaneous
+connections.
+
+:Author: Ralph Bean <rbean(a)redhat.com>
+"""
+
+import socket
+import sys
+
+
+def _numeric(value):
+ """ Type casting utility """
+ try:
+ return int(value)
+ except ValueError:
+ try:
+ return float(value)
+ except ValueError:
+ return value
+
+
+def query(sockname="/var/run/haproxy-stat"):
+ """ Read stats from the haproxy socket and return a dict """
+ s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ s.connect("/var/run/haproxy-stat")
+ s.send('show info\n')
+ try:
+ response = s.recv(2048).strip()
+ lines = response.split('\n')
+ data = dict([map(str.strip, line.split(':')) for line in lines])
+ data = dict([(k, _numeric(v)) for k, v in data.items()])
+ return data
+ except Exception, e:
+ print str(e)
+ finally:
+ s.close()
+
+ return None
+
+
+def nagios_check(data):
+ """ Print warnings and return nagios exit codes. """
+
+ current = data['CurrConns']
+ maxconn = data['Maxconn']
+ percent = 100 * float(current) / float(maxconn)
+ details = "%.2f%% subscribed. %i current of %i maxconn." % (
+ percent, current, maxconn,
+ )
+
+ if percent < 50:
+ print "HAPROXY SUBS OK: " + details
+ return 0
+
+ if percent < 75:
+ print "HAPROXY SUBS WARN: " + details
+ return 1
+
+ if percent <= 100:
+ print "HAPROXY SUBS CRIT: " + details
+ return 2
+
+ print "HAPROXY SUBS UNKNOWN: " + details
+ return 3
+
+
+if __name__ == '__main__':
+ try:
+ data = query(sockname="/var/run/haproxy-stat")
+ except Exception as e:
+ print "HAPROXY SUBS UNKNOWN: " + str(e)
+ sys.exit(3)
+ sys.exit(nagios_check(data))
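Review bot: `query()` ignores its `sockname` parameter and connects to the hard-coded `/var/run/haproxy-stat`, and when the read or parse fails it prints the error and returns None. `nagios_check(None)` then raises outside the `try` in `__main__`, and the check ends with a traceback and exit status 1 (WARNING) instead of UNKNOWN. Use `s.connect(sockname)`, let `query` re-raise instead of returning None, and move `sys.exit(nagios_check(data))` inside the `try`. A single `recv(2048)` may also return only part of the `show info` reply, and any value containing `:` makes `line.split(':')` yield more than two fields; `line.split(':', 1)` is the safer form.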
diff --git a/roles/nagios_client/files/scripts/check_ipa_replication b/roles/nagios_client/files/scripts/check_ipa_replication
new file mode 100644
index 0000000..96ff469
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_ipa_replication
@@ -0,0 +1,74 @@
+#!/usr/bin/python
+# Source: https://github.com/opinkerfi/nagios-plugins/blob/master/check_ipa/check_i...
+# Copyright 2013, Tomas Edwardsson
+# Copyright 2016, Patrick Uiterwijk
+#
+# This script is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This script is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import ldap
+from pynag.Plugins import PluginHelper, critical, warning, ok
+
+plugin = PluginHelper()
+
+plugin.parser.add_option('-u', help="ldap uri", dest="uri")
+plugin.parser.add_option('-D', help="bind DN", dest="binddn")
+plugin.parser.add_option('-w', help="bind password", dest="bindpw")
+plugin.parse_arguments()
+
+if not plugin.options.uri:
+ plugin.parser.error('-u (uri) argument is required')
+
+try:
+ l = ldap.initialize(plugin.options.uri)
+
+ if plugin.options.binddn:
+ l.bind_s(plugin.options.binddn, plugin.options.bindpw)
+
+ replication = l.search_s('cn=config',
+ ldap.SCOPE_SUBTREE,
+ '(objectclass=nsds5replicationagreement)',
+ ['nsDS5ReplicaHost', 'nsds5replicaLastUpdateStatus'])
+except Exception, e:
+ plugin.status(critical)
+ plugin.add_summary("Unable to initialize ldap connection: %s" % (e))
+ plugin.exit()
+
+
+# Loop through replication agreements
+for rhost in replication:
+ plugin.add_summary("Replica %s Status: %s" % (rhost[1]['nsDS5ReplicaHost'][0], rhost[1]['nsds5replicaLastUpdateStatus'][0]))
+
+ status = rhost[1]['nsds5replicaLastUpdateStatus'][0]
+ code = status[:2]
+ if status.startswith('Error ('):
+ # IPA >=4.4.0
+ code = status[status.find('(')+1:status.find(')')]
+ else:
+ # IPA <4.4.0
+ code = status[:status.find(' ')]
+
+ if code == '0':
+ plugin.status(ok)
+ elif code == '1':
+ # Busy Replica is not an error, its "unknown" (but its "ok" for now)
+ plugin.status(ok)
+ else:
+ plugin.status(critical)
+
+if not len(replication):
+ plugin.add_summary("Warning: No replicas found")
+ plugin.status(warning)
+
+plugin.exit()
+
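Review bot: The `-w` option takes the LDAP bind password on the command line, where it is visible in the process list and has to be written into the NRPE command definition. A comment above the option should say so and state the expectation, e.g. `# NOTE: -w exposes the password in ps output; use a read-only monitoring DN only`. Reading the password from a root-owned file would avoid the exposure altogether. Nothing here enforces `ldaps://` or StartTLS, so with a plain `ldap://` URI the simple bind would send the password in clear text. In the replica loop, the first `code = status[:2]` is overwritten by both branches that follow and can be removed.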
diff --git a/roles/nagios_client/files/scripts/check_lock b/roles/nagios_client/files/scripts/check_lock
new file mode 100644
index 0000000..a0aae02
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_lock
@@ -0,0 +1,17 @@
+#!/usr/bin/python2
+
+import fcntl
+import sys
+
+try:
+ f = open('/mnt/koji/.nagios_test', 'r')
+ f.close()
+ f = open('/mnt/koji/.nagios_test', 'w')
+except IOError:
+ print "Could not create file"
+ sys.exit(2)
+
+fcntl.flock(f, fcntl.LOCK_EX)
+f.close()
+print "File Locked Successfully"
+sys.exit(0)
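Review bot: `fcntl.flock(f, fcntl.LOCK_EX)` blocks without limit when another process holds the lock, so the check hangs until NRPE times it out instead of reporting a state. It also sits outside the `try`, so a locking error (for example on a mount without lock support) ends in a traceback and exit status 1 rather than CRITICAL. Requesting `fcntl.flock(f, fcntl.LOCK_EX | fcntl.LOCK_NB)` inside the `try` gives a prompt, well-defined result. Opening the file with `'w'` truncates `/mnt/koji/.nagios_test` on every run; that looks intended for a test file but deserves a one-line comment.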
diff --git a/roles/nagios_client/files/scripts/check_lock_file_age b/roles/nagios_client/files/scripts/check_lock_file_age
new file mode 100755
index 0000000..f5abaa9
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_lock_file_age
@@ -0,0 +1,123 @@
+#! /usr/bin/perl -w
+
+# check_lock_file_age.pl Copyright (C) 2010 Ricky Elrod <codeblock(a)fedoraproject.org>
+#
+# Fork of check_file_age.pl
+#
+# Checks a lock file's size and modification time to make sure it's not empty
+# and that it's sufficiently recent.
+#
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty
+# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# you should have received a copy of the GNU General Public License
+# along with this program (or with Nagios); if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA
+
+use strict;
+use English;
+use Getopt::Long;
+use File::stat;
+use vars qw($PROGNAME);
+use lib "/usr/lib64/nagios/plugins";
+use utils qw (%ERRORS &print_revision &support);
+
+sub print_help ();
+sub print_usage ();
+
+my ($opt_c, $opt_f, $opt_w, $opt_h, $opt_V);
+my ($result, $message, $age, $size, $st);
+
+$PROGNAME="check_lock_file_age";
+
+$opt_w = 1;
+$opt_c = 5;
+$opt_f = "";
+
+Getopt::Long::Configure('bundling');
+GetOptions(
+ "V" => \$opt_V, "version" => \$opt_V,
+ "h" => \$opt_h, "help" => \$opt_h,
+ "f=s" => \$opt_f, "file" => \$opt_f,
+ "w=f" => \$opt_w, "warning-age=f" => \$opt_w,
+ "c=f" => \$opt_c, "critical-age=f" => \$opt_c);
+
+if ($opt_V) {
+ print_revision($PROGNAME, '1.4.14');
+ exit $ERRORS{'OK'};
+}
+
+if ($opt_h) {
+ print_help();
+ exit $ERRORS{'OK'};
+}
+
+if (($opt_c and $opt_w) and ($opt_c < $opt_w)) {
+ print "Warning time must be less than Critical time.\n";
+ exit $ERRORS{'UNKNOWN'};
+}
+
+$opt_f = shift unless ($opt_f);
+
+if (! $opt_f) {
+ print "LOCK_FILE_AGE UNKNOWN: No file specified\n";
+ exit $ERRORS{'UNKNOWN'};
+}
+
+# Check that file exists (can be directory or link)
+unless (-e $opt_f) {
+ print "LOCK_FILE_AGE OK: File not found (Lock file removed) - $opt_f\n";
+ exit $ERRORS{'OK'};
+}
+
+$st = File::stat::stat($opt_f);
+$age = time - $st->mtime;
+
+$result = 'OK';
+
+# Convert minutes to seconds
+if($opt_c) { $opt_c *= 60; }
+if($opt_w) { $opt_w *= 60; }
+
+if ($opt_c and $age > $opt_c) {
+ $result = 'CRITICAL';
+}
+elsif ($opt_w and $age > $opt_w) {
+ $result = 'WARNING';
+}
+
+# If the age is higher than 2 minutes, convert seconds -> minutes
+# If it's higher than a day, use days.
+# Just a nicety, to make people not have to do math ;)
+if($age > 86400) { $age = int(($age/86400))." days"; }
+elsif($age > 120) { $age = int(($age/60))." minutes"; }
+else { $age = "$age seconds"; }
+
+print "LOCK_FILE_AGE $result: $opt_f is $age old.\n";
+exit $ERRORS{$result};
+
+sub print_usage () {
+ print "Usage:\n";
+ print " $PROGNAME [-w <secs>] [-c <secs>] -f <file>\n";
+ print " $PROGNAME [-h | --help]\n";
+ print " $PROGNAME [-V | --version]\n";
+}
+
+sub print_help () {
+ print_revision($PROGNAME, '1.4.14');
+ print "Copyright (c) 2010 Ricky Elrod\n\n";
+ print_usage();
+ print "\n";
+ print " <mins> File must be no more than this many minutes old (default: warn 1m, crit 5m)\n";
+ print "\n";
+ support();
+}
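Review bot: In the `GetOptions` call the long form is declared as `"file" => \$opt_f` with no `=s`, so `--file /path` stores a boolean 1 in `$opt_f` and the plugin then tests a file named `1`; it should read `"file=s" => \$opt_f`. The thresholds are multiplied by 60 and the help text speaks of minutes, yet `print_usage` labels `-w` and `-c` as seconds. `File::stat::stat($opt_f)` can also return undef if the lock file disappears between the `-e` test and the stat, so `$st->mtime` deserves a guard such as `unless ($st) { print "LOCK_FILE_AGE OK: File not found (Lock file removed) - $opt_f\n"; exit $ERRORS{'OK'}; }`.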
diff --git a/roles/nagios_client/files/scripts/check_memcache_connect b/roles/nagios_client/files/scripts/check_memcache_connect
new file mode 100644
index 0000000..9c9d6e9
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_memcache_connect
@@ -0,0 +1,24 @@
+#!/bin/bash
+#
+# 2014-11-19
+# Author: Ralph Bean <rbean(a)redhat.com>
+
+# exit codes
+ok=0
+warn=1
+crit=2
+unkn=3
+
+# Right now we just check to see if we can even run this command without
+# hanging and timing out. In the future, we could parse stdout for more
+# fine-grained information.
+echo stats | nc 127.0.0.1 11211 > /dev/null
+status=$?
+
+if [ $status -ne 0 ]; then
+ echo "CRIT: stats command got status code $status"
+ exit $crit
+else
+ echo "OK: stats command got status code $status"
+ exit $ok
+fi
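Review bot: The comment above the `nc` call says the check exists to catch hangs, but `nc` is run without any timeout, so a wedged memcached leaves the plugin blocked until NRPE kills it and the CRIT line is never printed. Bounding it in the script, for example `echo stats | nc -w 5 127.0.0.1 11211 > /dev/null`, makes the failure show up as this check's own CRITICAL. The `warn` and `unkn` variables are defined but never used.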
diff --git a/roles/nagios_client/files/scripts/check_osbs_api.py b/roles/nagios_client/files/scripts/check_osbs_api.py
new file mode 100755
index 0000000..b836f00
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_osbs_api.py
@@ -0,0 +1,14 @@
+#!/usr/bin/python
+
+import requests
+import sys
+
+r = requests.get("https://localhost:8443/", verify=False)
+
+if 'paths' in r.json().keys():
+ print "OK: OSBS API endpoint is responding with path data"
+ sys.exit(0)
+else:
+ print "CRITICAL: OSBS API not responding properly"
+ sys.exit(2)
+
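Review bot: `requests.get("https://localhost:8443/", verify=False)` turns off certificate validation and sets no timeout, so the check accepts whatever answers on that port and can block indefinitely. Passing the CA that signed the API certificate and a bound, e.g. `requests.get("https://localhost:8443/", verify=CA_BUNDLE_PATH, timeout=10)` (CA_BUNDLE_PATH is a placeholder for the deployment's CA file), keeps the check meaningful. A connection error or non-JSON body currently raises an uncaught exception and exits 1 (WARNING); catching `requests.exceptions.RequestException` and `ValueError` and exiting 2 would report it as CRITICAL.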
diff --git a/roles/nagios_client/files/scripts/check_postfix_queue b/roles/nagios_client/files/scripts/check_postfix_queue
new file mode 100644
index 0000000..44ab444
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_postfix_queue
@@ -0,0 +1,49 @@
+#!/bin/bash
+#
+# 19-07-2010
+# Author: Cherwin Nooitmeer <cherwin(a)gmail.com>
+#
+
+# exit codes
+e_ok=0
+e_warning=1
+e_critical=2
+e_unknown=3
+
+# regular expression that matches queue IDs (e.g. D71EF7AC80F8)
+queue_id='^[A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9]'
+
+usage="Invalid command line usage"
+
+if [ -z $1 ]; then
+ echo $usage
+ exit $e_unknown
+fi
+
+while getopts ":w:c:" options
+do
+ case $options in
+ w ) warning=$OPTARG ;;
+ c ) critical=$OPTARG ;;
+ * ) echo $usage
+ exit $e_unknown ;;
+ esac
+done
+
+# determine queue size
+qsize=$(mailq | egrep -c $queue_id)
+if [ -z $qsize ]
+then
+ exit $e_unknown
+fi
+
+if [ $qsize -ge $critical ]; then
+ retval=$e_critical
+elif [ $qsize -ge $warning ]; then
+ retval=$e_warning
+elif [ $qsize -lt $warning ]; then
+ retval=$e_ok
+fi
+
+echo "$qsize mail(s) in queue | mail_queue=$qsize"
+exit $retval
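Review bot: `warning` and `critical` are never validated after the `getopts` loop, so running with only one of `-w`/`-c` makes the `[ $qsize -ge $critical ]` tests fail with a syntax error, leaves `retval` empty, and the final `exit $retval` returns the status of the preceding `echo`, i.e. OK. A guard after the loop, `if [ -z "$warning" ] || [ -z "$critical" ]; then echo "$usage"; exit $e_unknown; fi`, closes that. Quoting the expansions (`[ -z "$1" ]`, `egrep -c "$queue_id"`, `[ "$qsize" -ge "$critical" ]`) avoids word-splitting surprises in the same tests.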
diff --git a/roles/nagios_client/files/scripts/check_rabbitmq_size b/roles/nagios_client/files/scripts/check_rabbitmq_size
new file mode 100644
index 0000000..ff6154a
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_rabbitmq_size
@@ -0,0 +1,26 @@
+#!/bin/python
+import sys
+import requests
+
+url = 'http://localhost:15672/api/queues/%%2f/%s' % (sys.argv[1])
+
+r = requests.get(url, auth=('guest', 'guest')).json()
+consumers = r['consumers']
+messages = r['messages']
+
+msg = 'Messages in queue: %i (%i consumers)' % (messages, consumers)
+
+if consumers < 1:
+ print 'CRITICAL: No consumers: %s' % msg
+ sys.exit(2)
+
+if messages > sys.argv[2]:
+ print 'CRITICAL: %s' % msg
+ sys.exit(2)
+
+if messages > sys.argv[3]:
+ print 'WARNING: %s' % msg
+ sys.exit(1)
+
+print 'OK: %s' % msg
+sys.exit(0)
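Review bot: The threshold tests `messages > sys.argv[2]` and `messages > sys.argv[3]` compare an integer with a string; under Python 2, which the `print` statements imply, an int always orders below a str, so neither branch can fire and only the no-consumers case is ever reported. Converting once, `crit = int(sys.argv[2])` and `warn = int(sys.argv[3])`, fixes that; note that the script treats the first number as critical while check_basset.cfg.j2 later in this commit passes `10 20`, which looks like warning-then-critical order. The request also hard-codes RabbitMQ's default `guest`/`guest` account in a plugin installed mode 0755; reading credentials from a root-owned, group-restricted file would be safer. `sys.argv[1]` is interpolated into the URL unescaped and should go through `urllib.quote(sys.argv[1], safe='')`.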
diff --git a/roles/nagios_client/files/scripts/check_raid.py b/roles/nagios_client/files/scripts/check_raid.py
new file mode 100644
index 0000000..e2597aa
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_raid.py
@@ -0,0 +1,45 @@
+#!/usr/bin/python2
+#
+# very simple python script to parse out /proc/mdstat
+# and give results for nagios to monitor
+#
+
+import sys
+import string
+
+devices = []
+
+try:
+ mdstat = string.split(open('/proc/mdstat').read(), '\n')
+except IOError:
+ # seems we have no software raid on this machines
+ sys.exit(0)
+
+error = ""
+i = 0
+for line in mdstat:
+ if line[0:2] == 'md':
+ device = string.split(line)[0]
+ devices.append(device)
+ status = string.split(mdstat[i+1])[-1]
+ if string.count(status, "_"):
+ # see if we can figure out what's going on
+ err = string.split(mdstat[i+2])
+ msg = "device=%s status=%s" % (device, status)
+ if len(err) > 0:
+ msg = msg + " rebuild=%s" % err[0]
+
+ if not error:
+ error = msg
+ else:
+ error = error + ", " + msg
+ i = i + 1
+
+if not error:
+ print "DEVICES %s OK" % " ".join(devices)
+ sys.exit(0)
+
+else:
+ print error
+ sys.exit(2)
+
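Review bot: Degradation is detected only by an underscore in the last field of the line after each `md` line (`string.count(status, "_")`), so an array that /proc/mdstat lists as `inactive` would, as far as I can tell, fall through to the OK branch because its next line does not end in a `[UU]`-style map. Adding `or 'inactive' in line` to that condition would cover it. `mdstat[i+1]` and `mdstat[i+2]` are also indexed without a bounds check, and the IOError branch exits 0 without printing any plugin output; `for i, line in enumerate(mdstat)` and an explicit `print "OK: no software raid"` would tidy both.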
diff --git a/roles/nagios_client/files/scripts/check_readonly_fs b/roles/nagios_client/files/scripts/check_readonly_fs
new file mode 100755
index 0000000..cd2b197
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_readonly_fs
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+# check_readonlyfs: Check for readonly filesystems
+# Copyright (C) 2010 Davide Madrisan <davide.madrisan(a)gmail.com>
+
+PROGNAME=`/bin/basename $0`
+PROGPATH=`echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,'`
+REVISION=`echo '$Revision: 1 $' | sed -e 's/[^0-9.]//g'`
+
+. $PROGPATH/utils.sh
+
+print_usage() {
+ echo "Usage: $PROGNAME --no-network-fs"
+ echo "Usage: $PROGNAME --help"
+ echo "Usage: $PROGNAME --version"
+}
+
+print_help() {
+ print_revision $PROGNAME $REVISION
+ echo ""
+ print_usage
+ echo ""
+ echo "readonly filesystem checker plugin for Nagios"
+ echo ""
+ support
+}
+
+NETFS=1
+
+# Grab the command line arguments
+
+exitstatus=$STATE_WARNING #default
+
+while test -n "$1"; do
+ case "$1" in
+ --help|-h)
+ print_help
+ exit $STATE_OK
+ ;;
+ --version|-V)
+ print_revision $PROGNAME $REVISION
+ exit $STATE_OK
+ ;;
+ --no-network-fs|-n)
+ NETFS="0"
+ ;;
+ *)
+ echo "Unknown argument: $1"
+ print_usage
+ exit $STATE_UNKNOWN
+ ;;
+ esac
+ shift
+done
+
+[ -r /proc/mounts ] || { echo "cannot read /proc/mounts!"; exit $STATE_UNKNOWN; }
+
+nerr=0
+IFS_SAVE="$IFS"
+
+rofs_list=""
+while read dev mp fs mopt ignore; do
+ [ "$dev" = none ] && continue
+ case $fs in binfmt_misc|devpts|iso9660|proc|selinuxfs|rpc_pipefs|sysfs|tmpfs|usbfs)
+ continue ;;
+ esac
+ case $fs in autofs|nfs|nfs4|smbfs)
+ # skip the network filesystems
+ [ "$NETFS" = 0 ] && continue ;;
+ esac
+
+ IFS=","; set -- $mopt; IFS="$IFS_SAVE"
+ while :; do
+ case "$1" in
+ ro) rofs_list="$rofs_list $mp"; nerr=$(( $nerr + 1 )) ;;
+ "") shift; break ;;
+ esac
+ shift
+ done
+done < <(LC_ALL=C /bin/cat /proc/mounts 2>/dev/null)
+
+[ $nerr -eq 0 ] && { echo OK; exit $STATE_OK; } || echo "$rofs_list: read only fs"
+
+exit $exitstatus
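Review bot: The `while read dev mp fs mopt ignore` loop reads /proc/mounts without `-r`, so the octal escapes the kernel uses for spaces in mount points (`\040`) lose their backslash and the reported path is wrong; `while read -r dev mp fs mopt ignore` keeps them intact. `exitstatus` defaults to `$STATE_WARNING` and nothing ever changes it, so a read-only root filesystem is only a WARNING; if that is intended, a comment next to the default should say so. `PROGNAME` and `PROGPATH` use an unquoted `$0`, which breaks when the plugin path contains spaces.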
diff --git a/roles/nagios_client/files/scripts/check_redis_queue.sh b/roles/nagios_client/files/scripts/check_redis_queue.sh
new file mode 100644
index 0000000..ca1f186
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_redis_queue.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+. /usr/lib64/nagios/plugins/utils.sh
+
+if [[ "$#" -ne 3 ]]; then
+ echo "Arguments: key warn crit"
+ exit $STATE_UNKNOWN
+fi
+
+tasks="$(redis-cli llen "$1" | awk '{print $1}')"
+
+check_range $tasks $2:$3
+status=$?
+
+if [[ "$status" == "$STATE_OK" ]]; then
+ echo "OK: $1 queue has $tasks tasks"
+elif [[ "$status" == "$STATE_WARNING" ]]; then
+ echo "WARNING: $1 queue has $tasks tasks"
+elif [[ "$status" == "$STATE_CRITICAL" ]]; then
+ echo "CRITICAL: $1 queue has $tasks tasks"
+fi
+
+exit $status
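Review bot: `check_range $tasks $2:$3` is used as if it returned a Nagios state, but as I read nagios-plugins' utils.sh it returns 0 when the value falls outside the `start:end` range and 1 when inside, so with `celery 5 10` a backlog above 10 would print OK and only 5 to 10 would print WARNING; please confirm against the installed utils.sh. `$tasks` is also unchecked, so a failed `redis-cli` leaves it empty or non-numeric and the plugin exits with whatever `check_range` makes of that. Comparing against the thresholds directly and rejecting non-numeric output avoids both.

```shell
tasks="$(redis-cli llen "$1" | awk '{print $1}')"

if ! [[ "$tasks" =~ ^[0-9]+$ ]]; then
    echo "UNKNOWN: could not read length of $1 queue"
    exit $STATE_UNKNOWN
fi

if [ "$tasks" -ge "$3" ]; then
    status=$STATE_CRITICAL
elif [ "$tasks" -ge "$2" ]; then
    status=$STATE_WARNING
else
    status=$STATE_OK
fi
# … unchanged: OK/WARNING/CRITICAL messages and exit $status …
```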
diff --git a/roles/nagios_client/files/scripts/check_supybot_plugin b/roles/nagios_client/files/scripts/check_supybot_plugin
new file mode 100755
index 0000000..7953cf0
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_supybot_plugin
@@ -0,0 +1,108 @@
+#!/usr/bin/python2
+""" check_supybot_plugin -- ensure that a plugin is loaded by supybot.
+
+Run like:
+
+ check_supybot_plugin --target fedmsg
+ check_supybot_plugin --target koji --debug
+
+"""
+
+import argparse
+import sys
+import socket
+import string
+import uuid
+
+
+def process_args():
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ '-t', '--target', default=None, dest='target',
+ help="Required. The plugin we're looking for."
+ )
+ parser.add_argument(
+ '-n', '--nick', default=None, dest='nick',
+ help="NICK to use when connecting to freenode.",
+ )
+ parser.add_argument(
+ '-d', '--debug', default=False, action='store_true',
+ help='Print out debug information.', dest='debug',
+ )
+ parser.add_argument(
+ '-H', '--host', default='irc.freenode.net',
+ help='Host to connect to.', dest='host',
+ )
+ parser.add_argument(
+ '-p', '--port', default=6667, type=int,
+ help='Host to connect to.', dest='port',
+ )
+ return parser.parse_args()
+
+args = process_args()
+
+# Use a random nick so people can't mess with us
+if not args.nick:
+ args.nick = 'nrpe-' + str(uuid.uuid4()).split('-')[0]
+
+name = "NRPE Bot"
+readbuffer = ""
+
+if not args.target:
+ print "UNKNOWN: No 'target' specified."
+ sys.exit(3)
+
+args.target = args.target.lower()
+
+if args.debug:
+ print "connecting to %s/%i" % (args.host, args.port)
+
+try:
+ s = socket.socket()
+ s.connect((args.host, args.port))
+
+ if args.debug:
+ print "as %s/%s (%s)" % (args.nick, args.nick, name)
+
+ s.send("nick %s\r\n" % args.nick)
+ s.send("USER %s %s bla :%s\r\n" % (args.nick, args.host, name))
+
+ while 1:
+ readbuffer = readbuffer+s.recv(1024)
+ temp = string.split(readbuffer, "\n")
+ readbuffer = temp.pop()
+
+ for line in temp:
+ line = string.rstrip(line)
+
+ if args.debug:
+ print " * ", line
+
+ line = string.split(line)
+
+ if line[1] == 'MODE':
+ msg = "privmsg zodbot :list\r\n"
+ if args.debug:
+ print "sending:"
+ print " ->", msg
+ s.send(msg)
+
+ if line[1] == 'PRIVMSG' and line[0] != ':freenode-connect!frigg@freenode/utility-bot/frigg':
+ if args.debug:
+ print "Got our response.."
+
+ plugins = map(str.lower, ' '.join(line[3:][1:]).split(', '))
+
+ if args.target in plugins:
+ print "OK"
+ s.send("QUIT")
+ sys.exit(0)
+ else:
+ print "CRITICAL: %r not loaded by supybot" % args.target
+ s.send("QUIT")
+ sys.exit(2)
+except Exception as e:
+ print "UNKNOWN: ", str(e)
+ if args.debug:
+ raise
+ sys.exit(3)
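Review bot: Inside the read loop, any `PRIVMSG` whose prefix is not the freenode-connect bot is parsed as zodbot's plugin list, so the check result is not tied to the bot being queried; the random nick only reduces the chance of stray messages. Requiring the sender, e.g. `if line[1] == 'PRIVMSG' and line[0].startswith(':zodbot!'):`, fixes that (a full hostmask match would be stricter). The socket has no timeout, so adding `s.settimeout(30)` after `socket.socket()` lets a silent server end in the UNKNOWN branch instead of hanging. `line[1]` is also read without checking `len(line)`, so a blank line from the server raises IndexError and aborts the check as UNKNOWN.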
diff --git a/roles/nagios_client/files/scripts/check_testcloud b/roles/nagios_client/files/scripts/check_testcloud
new file mode 100644
index 0000000..eb8c7aa
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_testcloud
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+RUNNING_VMS=`testcloud instance list | grep -i 'running' | wc -l`
+CRITICAL=20
+WARNING=15
+
+
+if [ $RUNNING_VMS -gt $CRITICAL ]
+then
+ echo "Testcloud: CRITICAL Number of VMs running: $RUNNING_VMS"
+ exit 2
+elif [ $RUNNING_VMS -gt $WARNING ]
+then
+ echo "Testcloud: WARNING Number of VMs running: $RUNNING_VMS"
+ exit 1
+else
+ echo "Testcloud: OK Number of VMs running: $RUNNING_VMS"
+ exit 0
+fi
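Review bot: `RUNNING_VMS` is the line count of a pipeline, so when `testcloud instance list` fails or is not installed the count is 0 and the check prints OK. Capturing the command first, `out=$(testcloud instance list) || { echo "Testcloud: UNKNOWN could not list instances"; exit 3; }`, and then counting with `printf '%s\n' "$out" | grep -ci 'running'` separates a broken tool from an idle host.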
diff --git a/roles/nagios_client/files/scripts/check_timestamp_from_file b/roles/nagios_client/files/scripts/check_timestamp_from_file
new file mode 100644
index 0000000..9064337
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_timestamp_from_file
@@ -0,0 +1,43 @@
+#!/usr/bin/env python
+
+# Takes a path to a file and a delta. The file must simply contain an epoch
+# timestamp. It can be an integer or a float, as can the delta.
+#
+# Alerts critical if (now - timestamp contained in file) > delta.
+#
+# Rick Elrod <relrod(a)redhat.com>
+# MIT
+
+import sys
+import time
+
+if len(sys.argv) != 3:
+ print('UNKNOWN: Pass path to file and delta as parameters')
+ sys.exit(3)
+
+filename = sys.argv[1]
+delta = float(sys.argv[2])
+
+timestamp = None
+
+try:
+ with open(filename, 'r') as f:
+ timestamp = float(f.read().strip())
+except Exception as e:
+ print('UNKNOWN: Unable to open/read file path')
+ sys.exit(3)
+
+difference = round(time.time() - timestamp, 2)
+if difference > delta:
+ print(
+ 'CRITICAL: Timestamp in file (%.2f) exceeds delta (%.2f) by %.2f seconds' % (
+ timestamp,
+ delta,
+ difference - delta))
+ sys.exit(2)
+
+print('OK: Timestamp in file (%.2f) is within delta (%.2f) of now, by %.2f seconds' % (
+ timestamp,
+ delta,
+ abs(difference - delta)))
+sys.exit(0)
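Review bot: `delta = float(sys.argv[2])` runs outside any `try`, so a non-numeric delta ends in a traceback and exit status 1 (WARNING) instead of the UNKNOWN that the argument-count check above it uses. Guarding it, `try: delta = float(sys.argv[2])` / `except ValueError: print('UNKNOWN: delta must be a number'); sys.exit(3)`, keeps the plugin's states consistent. The OK message reports `abs(difference - delta)`, which is the remaining margin rather than the age; printing `difference` as well would make the output easier to read.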
diff --git a/roles/nagios_client/files/selinux/fi-nrpe.mod b/roles/nagios_client/files/selinux/fi-nrpe.mod
new file mode 100644
index 0000000..f055246
Binary files /dev/null and b/roles/nagios_client/files/selinux/fi-nrpe.mod differ
diff --git a/roles/nagios_client/files/selinux/fi-nrpe.pp b/roles/nagios_client/files/selinux/fi-nrpe.pp
new file mode 100644
index 0000000..0e71b44
Binary files /dev/null and b/roles/nagios_client/files/selinux/fi-nrpe.pp differ
diff --git a/roles/nagios_client/files/selinux/fi-nrpe.te b/roles/nagios_client/files/selinux/fi-nrpe.te
new file mode 100644
index 0000000..b438027
--- /dev/null
+++ b/roles/nagios_client/files/selinux/fi-nrpe.te
@@ -0,0 +1,15 @@
+module fi-nrpe 1.1;
+
+require {
+ type nagios_system_plugin_t;
+ type nagios_admin_plugin_t;
+ type nrpe_exec_t;
+ type bin_t;
+ class file { getattr map execute };
+}
+
+#============= nagios_system_plugin_t ==============
+allow nagios_system_plugin_t nrpe_exec_t:file getattr;
+
+# This is needed for e.g. check_file_age, which is a perl script
+allow nagios_admin_plugin_t bin_t:file { map execute };
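Review bot: `allow nagios_admin_plugin_t bin_t:file { map execute };` grants map and execute on every file labelled `bin_t`, which is much wider than the Perl case the comment names; please record in the comment why a narrower type or an existing policy interface could not be used. The compiled `fi-nrpe.mod` and `fi-nrpe.pp` are committed next to this source as binaries, so nothing in review ties what gets loaded to these rules. Building the package from the `.te` at deploy time (`checkmodule -M -m -o fi-nrpe.mod fi-nrpe.te`, then `semodule_package -o fi-nrpe.pp -m fi-nrpe.mod`), or noting the build command and source revision in the header, would close that gap.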
diff --git a/roles/nagios_client/files/selinux/mirrormanager_container.pp b/roles/nagios_client/files/selinux/mirrormanager_container.pp
new file mode 100644
index 0000000..31b8435
Binary files /dev/null and b/roles/nagios_client/files/selinux/mirrormanager_container.pp differ
diff --git a/roles/nagios_client/files/selinux/mirrormanager_container.te b/roles/nagios_client/files/selinux/mirrormanager_container.te
new file mode 100644
index 0000000..6180969
--- /dev/null
+++ b/roles/nagios_client/files/selinux/mirrormanager_container.te
@@ -0,0 +1,15 @@
+module mirrormanager_container 1.0;
+
+require {
+ type container_t;
+ type container_file_t;
+ type mirrormanager_log_t;
+ type nrpe_t;
+ class file { append getattr };
+}
+
+# Allow mirrorlist to append to its log
+allow container_t mirrormanager_log_t:file append;
+# Allow nrpe to check file age of mirrorlist pkl files
+allow nrpe_t container_file_t:file getattr;
+
diff --git a/roles/nagios_client/handlers/main.yml b/roles/nagios_client/handlers/main.yml
new file mode 100644
index 0000000..11c84ac
--- /dev/null
+++ b/roles/nagios_client/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart nrpe
+ service: name=nrpe state=restarted
diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml
index 08a453a..2b97335 100644
--- a/roles/nagios_client/tasks/main.yml
+++ b/roles/nagios_client/tasks/main.yml
@@ -2,3 +2,289 @@
---
# install pkgs:
+- name: install nagios client pkgs
+ package: name={{ item }} state=present
+ with_items:
+ - nrpe
+ - nagios-plugins
+ - nagios-plugins-disk
+ - nagios-plugins-file_age
+ - nagios-plugins-users
+ - nagios-plugins-procs
+ - nagios-plugins-swap
+ - nagios-plugins-load
+ - nagios-plugins-ping
+ tags:
+ - packages
+ - nagios_client
+
+- name: install nagios tcp check for mirrorlist proxies
+ package: name=nagios-plugins-tcp state=present
+ tags:
+ - packages
+ - nagios_client
+ when: "'mailman' in group_names or 'mirrorlist_proxies' in group_names"
+
+- name: install local nrpe check scripts that are not packaged
+ copy: src="scripts/{{ item }}" dest="{{ libdir }}/nagios/plugins/{{ item }}" mode=0755 owner=nagios group=nagios
+ with_items:
+ - check_haproxy_conns.py
+ - check_postfix_queue
+ - check_raid.py
+ - check_lock
+ - check_fcomm_queue
+ - check_fedmsg_consumer_backlog.py
+ - check_fedmsg_consumer_exceptions.py
+ - check_fedmsg_producer_last_ran.py
+ - check_fedmsg_producers_consumers.py
+ - check_supybot_plugin
+ - check_rabbitmq_size
+ - check_datanommer_timesince.py
+ - check_memcache_connect
+ - check_readonly_fs
+ - check_lock_file_age
+ - check_testcloud
+ - check_osbs_api.py
+ - check_ipa_replication
+ - check_redis_queue.sh
+ - check_timestamp_from_file
+ when: not inventory_hostname.startswith('noc')
+ tags:
+ - nagios_client
+
+# create dirs
+# puppet used to make /var/spool/nagios (owned by nagios.nagios) mode 750
+# and /usr/lib/nagios/plugins (owned by root) mode 755 - but we don't know WHY
+# then stuff it with plugins from the plugins dir in the nagios module
+# then we symlinked that to /usr/lib64/nagios/plugins
+# it was a nightmare - don't do that - my ghost will haunt you if you do
+# skvidal 2013-05-21
+
+
+# Three tasks for handling our custom selinux module
+- name: ensure a directory exists for our custom selinux module
+ file: dest=/usr/share/nrpe state=directory
+ tags:
+ - config
+ - nagios_client
+
+- name: copy over our custom selinux module
+ copy: src=selinux/fi-nrpe.pp dest=/usr/share/nrpe/fi-nrpe.pp
+ register: selinux_module
+ tags:
+ - config
+ - nagios_client
+ - selinux
+
+- name: install our custom selinux module
+ command: semodule -i /usr/share/nrpe/fi-nrpe.pp
+ when: ansible_distribution_major_version|int == 7 and ansible_distribution != 'Fedora' and selinux_module is changed
+ tags:
+ - config
+ - nagios_client
+ - selinux
+
+- name: copy over our custom selinux module for mirrorlist
+ copy: src=selinux/fi-nrpe.pp dest=/usr/share/nrpe/mirrormanager_container.pp
+ register: selinux_module_mirrorlist
+ when: "'proxy' in inventory_hostname"
+ tags:
+ - config
+ - nagios_client
+ - selinux
+
+- name: install our custom selinux module for mirrorlist
+ command: semodule -i /usr/share/nrpe/mirrormanager_container.pp
+ when: "'proxy' in inventory_hostname and selinux_module is changed"
+ tags:
+ - config
+ - nagios_client
+ - selinux
+
+# Set up our base config.
+- name: /etc/nagios/nrpe.cfg
+ template: src=nrpe.cfg.j2 dest=/etc/nagios/nrpe.cfg
+ when: not inventory_hostname.startswith('noc')
+ notify:
+ - restart nrpe
+ tags:
+ - config
+ - nagios_client
+
+#
+# The actual items files here end in .j2 (they are templates)
+# So when adding or modifying them change the .j2 version in git.
+#
+- name: install nrpe client configs
+ template: src={{ item }}.j2 dest=/etc/nrpe.d/{{ item }} owner=root group=root mode=0644
+ with_items:
+ - check_raid.cfg
+ - check_ipa.cfg
+ - check_readonly_fs.cfg
+ - check_cron.cfg
+ - check_disk.cfg
+ - check_swap.cfg
+ - check_postfix_queue.cfg
+ - check_lock.cfg
+ - check_fedmsg_hub_proc.cfg
+ - check_fedmsg_irc_proc.cfg
+ - check_fedmsg_relay_proc.cfg
+ - check_fedmsg_gateway_proc.cfg
+ - check_fedmsg_composer_proc.cfg
+ - check_redis_proc.cfg
+ - check_fedmsg_consumers.cfg
+ - check_supybot_fedmsg_plugin.cfg
+ - check_datanommer_history.cfg
+ - check_memcache.cfg
+ - check_lock_file_age.cfg
+ - check_basset.cfg
+ - check_fmn.cfg
+ - check_osbs.cfg
+ - check_testcloud.cfg
+ - check_mirrorlist_docker_proxy.cfg
+ - check_mirrorlist_cache.cfg
+ - check_celery_redis_queue.cfg
+ - check_proxies.cfg
+ notify:
+ - restart nrpe
+ tags:
+ - config
+ - nagios_client
+
+#
+# The actual items files here end in .j2 (they are templates)
+# So when adding or modifying them change the .j2 version in git.
+#
+- name: install nrpe openvpn check config
+ template: src=check_openvpn_link.cfg.j2 dest=/etc/nrpe.d/check_openvpn_link.cfg owner=root group=root mode=0644
+ when: vpn == true
+ notify:
+ - restart nrpe
+ tags:
+ - nagios_client
+#
+# The actual items files here end in .j2 (they are templates)
+# So when adding or modifying them change the .j2 version in git.
+#
+- name: install nrpe unbound check config
+ template: src=check_unbound_proc.cfg.j2 dest=/etc/nrpe.d/check_unbound_proc.cfg owner=root group=root mode=0644
+ when: inventory_hostname.startswith('unbound')
+ notify:
+ - restart nrpe
+ tags:
+ - nagios_client
+#
+# The actual items files here end in .j2 (they are templates)
+# So when adding or modifying them change the .j2 version in git.
+#
+- name: install nrpe merged log check script on log01
+ template: src=check_merged_file_age.cfg.j2 dest=/etc/nrpe.d/check_merged_file_age.cfg owner=root group=root mode=0644
+ when: inventory_hostname.startswith('log0')
+ notify:
+ - restart nrpe
+ tags:
+ - nagios_client
+#
+# The actual items files here end in .j2 (they are templates)
+# So when adding or modifying them change the .j2 version in git.
+#
+- name: install nrpe check_mysql config for mariadb servers
+ template: src=check_mysql.cfg.j2 dest=/etc/nrpe.d/check_mysql.cfg owner=root group=root mode=0644
+ when: inventory_hostname.startswith('db03')
+ notify:
+ - restart nrpe
+ tags:
+ - nagios_client
+
+- name: install nrpe checks for mailman01
+ template: src={{ item }}.j2 dest=/etc/nrpe.d/{{ item }} owner=root group=root mode=0644
+ with_items:
+ - check_mailman_api.cfg
+ when: inventory_hostname.startswith('mailman01')
+ notify:
+ - restart nrpe
+ tags:
+ - nagios_client
+
+- name: install nrpe checks for proxies
+ template: src={{ item }}.j2 dest=/etc/nrpe.d/{{ item }} owner=root group=root mode=0644
+ with_items:
+ - check_happroxy_conns.cfg
+ - check_varnish_proc.cfg
+ when: inventory_hostname.startswith('proxy')
+ notify:
+ - restart nrpe
+ tags:
+ - nagios_client
+
+- name: install nrpe checks for sigul_bridge
+ template: src={{ item }}.j2 dest=/etc/nrpe.d/{{ item }} owner=root group=root mode=0644
+ with_items:
+ - check_sigul_bridge_proc.cfg
+ when: inventory_hostname.startswith('sign-bridge')
+ notify:
+ - restart nrpe
+ tags:
+ - nagios_client
+
+- name: install nrpe checks for sundries/websites
+ template: src={{ item }}.j2 dest=/etc/nrpe.d/{{ item }} owner=root group=root mode=0644
+ with_items:
+ - check_websites_buildtime.cfg
+ when: inventory_hostname.startswith('sundries')
+ notify:
+ - restart nrpe
+ tags:
+ - nagios_client
+
+- name: install nrpe config for the RabbitMQ checks
+ template:
+ src: "rabbitmq_args.ini.j2"
+ dest: "/etc/nrpe.d/rabbitmq_args.ini"
+ owner: root
+ group: nrpe
+ mode: 0640
+ when: inventory_hostname.startswith('rabbitmq')
+ tags:
+ - nagios_client
+
+- name: install nrpe checks for the RabbitMQ cluster
+ template:
+ src: "{{ item }}.j2"
+ dest: "/etc/nrpe.d/{{ item }}"
+ owner: root
+ group: root
+ mode: 0644
+ with_items:
+ - check_rabbitmq_server.cfg
+ - check_rabbitmq_watermark.cfg
+ - check_rabbitmq_cluster.cfg
+ - check_rabbitmq_connections.cfg
+ - check_rabbitmq_overview.cfg
+ - check_rabbitmq_exchange.cfg
+ - check_rabbitmq_queue.cfg
+ when: inventory_hostname.startswith('rabbitmq')
+ notify:
+ - restart nrpe
+ tags:
+ - nagios_client
+
+- name: nrpe service start
+ service: name=nrpe state=started enabled=true
+ tags:
+ - service
+ - nagios_client
+
+- name: Check if the fedmsg group exists
+ shell: /usr/bin/getent group fedmsg | /usr/bin/wc -l | tr -d ' '
+ register: fedmsg_exists
+ check_mode: no
+ changed_when: "1 != 1"
+ tags:
+ - nagios_client
+
+- name: Add nrpe user to the fedmsg group if it exists
+ user: name=nrpe groups=fedmsg append=yes
+ when: fedmsg_exists.stdout == "1"
+ tags:
+ - nagios_client
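Review bot: The task "copy over our custom selinux module for mirrorlist" uses `src=selinux/fi-nrpe.pp` with `dest=/usr/share/nrpe/mirrormanager_container.pp`, so on proxies `semodule -i` loads fi-nrpe again and the rules in mirrormanager_container.te are never installed; the source should be `src=selinux/mirrormanager_container.pp`. The install task that follows also tests `selinux_module is changed` although the copy registers `selinux_module_mirrorlist`, so it should read `when: "'proxy' in inventory_hostname and selinux_module_mirrorlist is changed"`. Separately, the local check scripts are installed with `owner=nagios group=nagios`; if any monitoring process runs as that user it can rewrite the plugins NRPE executes, so `owner=root group=root mode=0755` is the safer default.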
diff --git a/roles/nagios_client/templates/check_basset.cfg.j2 b/roles/nagios_client/templates/check_basset.cfg.j2
new file mode 100644
index 0000000..c543d1c
--- /dev/null
+++ b/roles/nagios_client/templates/check_basset.cfg.j2
@@ -0,0 +1,4 @@
+command[check_mongo_proc]={{ libdir }}/nagios/plugins/check_procs -s RSD -u mongodb -C mongod -c 1:1
+command[check_rabbitmq_proc]={{ libdir }}/nagios/plugins/check_procs -s RSD -u rabbitmq -C beam.smp -c 1:1
+command[check_worker_proc]={{ libdir }}/nagios/plugins/check_procs -s RSD -u basset-worker -C basset-worker -c 1:6
+command[check_basset_queue]={{ libdir }}/nagios/plugins/check_rabbitmq_size check_submission 10 20
diff --git a/roles/nagios_client/templates/check_celery_redis_queue.cfg.j2 b/roles/nagios_client/templates/check_celery_redis_queue.cfg.j2
new file mode 100644
index 0000000..56279f3
--- /dev/null
+++ b/roles/nagios_client/templates/check_celery_redis_queue.cfg.j2
@@ -0,0 +1 @@
+command[check_celery_redis_queue]=/usr/lib64/nagios/plugins/check_redis_queue.sh celery 5 10
diff --git a/roles/nagios_client/templates/check_cron.cfg.j2 b/roles/nagios_client/templates/check_cron.cfg.j2
new file mode 100644
index 0000000..b2030c5
--- /dev/null
+++ b/roles/nagios_client/templates/check_cron.cfg.j2
@@ -0,0 +1 @@
+command[check_cron]={{ libdir }}/nagios/plugins/check_procs -c 1:15 -C 'crond' -u root
diff --git a/roles/nagios_client/templates/check_datanommer_history.cfg.j2 b/roles/nagios_client/templates/check_datanommer_history.cfg.j2
new file mode 100644
index 0000000..aa58c83
--- /dev/null
+++ b/roles/nagios_client/templates/check_datanommer_history.cfg.j2
@@ -0,0 +1,49 @@
+# Checks on the datanommer history to make sure we're still receiving messages
+# of all types.
+#
+# The following are fedmsg/datanommer checks to be run on busgateway01.
+# They check for the time since the latest message in any particular category.
+# The first number is the seconds elapsed until we should raise a warning.
+# The second number is the seconds elapsed until we should raise an error.
+# For your reference:
+# 4 hours -> 14400
+# 1 day -> 86400
+# 3 days -> 259200
+# 1 week -> 604800
+# 3 weeks -> 1814400
+# 1 month -> 2628000
+# 3 months -> 7884000
+command[check_datanommer_anitya]={{libdir}}/nagios/plugins/check_datanommer_timesince.py anitya 604800 1814400
+command[check_datanommer_ansible]={{libdir}}/nagios/plugins/check_datanommer_timesince.py ansible 432000 604800
+command[check_datanommer_bodhi]={{libdir}}/nagios/plugins/check_datanommer_timesince.py bodhi 86400 604800
+command[check_datanommer_bodhi_composes]={{libdir}}/nagios/plugins/check_datanommer_timesince.py org.fedoraproject.prod.bodhi.compose.start 86400 90000
+command[check_datanommer_buildsys]={{libdir}}/nagios/plugins/check_datanommer_timesince.py buildsys 14400 86400
+command[check_datanommer_compose]={{libdir}}/nagios/plugins/check_datanommer_timesince.py compose 259200 1814400
+command[check_datanommer_copr]={{libdir}}/nagios/plugins/check_datanommer_timesince.py copr 21600 86400
+command[check_datanommer_faf]={{libdir}}/nagios/plugins/check_datanommer_timesince.py faf 86400 259200
+command[check_datanommer_fas]={{libdir}}/nagios/plugins/check_datanommer_timesince.py fas 1814400 2628000
+command[check_datanommer_fedbadges]={{libdir}}/nagios/plugins/check_datanommer_timesince.py fedbadges 86400 259200
+command[check_datanommer_fedimg]={{libdir}}/nagios/plugins/check_datanommer_timesince.py fedimg 259200 604800
+command[check_datanommer_fedocal]={{libdir}}/nagios/plugins/check_datanommer_timesince.py fedocal 7884000 23652000
+command[check_datanommer_fmn]={{libdir}}/nagios/plugins/check_datanommer_timesince.py fmn 604800 1814400
+command[check_datanommer_git]={{libdir}}/nagios/plugins/check_datanommer_timesince.py git 86400 604800
+command[check_datanommer_github]={{libdir}}/nagios/plugins/check_datanommer_timesince.py github 432000 604800
+command[check_datanommer_greenwave]=/usr/lib64/nagios/plugins/check_datanommer_timesince.py greenwave 172800 172800
+command[check_datanommer_hotness]={{libdir}}/nagios/plugins/check_datanommer_timesince.py hotness 604800 1814400
+command[check_datanommer_kerneltest]={{libdir}}/nagios/plugins/check_datanommer_timesince.py kerneltest 604800 1814400
+command[check_datanommer_koschei]={{libdir}}/nagios/plugins/check_datanommer_timesince.py koschei 86400 604800
+command[check_datanommer_mdapi]=/usr/lib64/nagios/plugins/check_datanommer_timesince.py mdapi 28800 86400
+command[check_datanommer_meetbot]={{libdir}}/nagios/plugins/check_datanommer_timesince.py meetbot 604800 2628000
+command[check_datanommer_pkgdb]={{libdir}}/nagios/plugins/check_datanommer_timesince.py pkgdb 1814400 2628000
+command[check_datanommer_planet]={{libdir}}/nagios/plugins/check_datanommer_timesince.py planet 2628000 7884000
+command[check_datanommer_resultsdb]=/usr/lib64/nagios/plugins/check_datanommer_timesince.py resultsdb 172800 172800
+command[check_datanommer_trac]={{libdir}}/nagios/plugins/check_datanommer_timesince.py trac 86400 259200
+command[check_datanommer_rpmsign]=/usr/lib64/nagios/plugins/check_datanommer_timesince.py org.fedoraproject.prod.buildsys.rpm.sign 14400 10800
+command[check_datanommer_wiki]={{libdir}}/nagios/plugins/check_datanommer_timesince.py wiki 259200 1814400
+
+# This one is retired since it times out all the time. Too few messages.
+#command[check_datanommer_nuancier]={{libdir}}/nagios/plugins/check_datanommer_timesince.py nuancier 23652000 31536000
+
+# These are not actually finished and deployed yet
+command[check_datanommer_mailman]={{libdir}}/nagios/plugins/check_datanommer_timesince.py mailman 14400 86400
+command[check_datanommer_bugzilla]={{libdir}}/nagios/plugins/check_datanommer_timesince.py bugzilla 86400 259200
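Review bot: `command[check_datanommer_rpmsign]` passes `14400 10800`, and by the header comment the first number is the warning age and the second the error age, so the critical threshold (3 hours) trips before the warning one (4 hours); the values look swapped, i.e. `org.fedoraproject.prod.buildsys.rpm.sign 10800 14400`, unless a 3-hour critical is intended and the warning should be lower still. The greenwave, mdapi, resultsdb and rpmsign lines hard-code `/usr/lib64` where the rest use `{{libdir}}`. The `mailman` and `bugzilla` commands sit under "not actually finished and deployed yet" but are active; comment them out like the nuancier line if they should not run.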
diff --git a/roles/nagios_client/templates/check_disk.cfg.j2 b/roles/nagios_client/templates/check_disk.cfg.j2
new file mode 100644
index 0000000..27dff82
--- /dev/null
+++ b/roles/nagios_client/templates/check_disk.cfg.j2
@@ -0,0 +1,19 @@
+{% if inventory_hostname.startswith('openqa') %}
+command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -p /
+{% else %}
+command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /
+{% endif %}
+command[check_disk_/boot]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /boot
+command[check_disk_/git]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /git
+command[check_disk_/mnt/koji]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -p /mnt/koji
+command[check_disk_/postgreslogs]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /postgreslogs
+command[check_disk_/project/]=/usr/lib64/nagios/plugins/check_disk -w 5% -c 1% -p /project/
+command[check_disk_/srv/buildmaster]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv/buildmaster
+command[check_disk_/srv/cache/lookaside]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv/cache/lookaside
+command[check_disk_/srv/diskimages]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv/diskimages
+command[check_disk_/srv]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv
+command[check_disk_huge_/srv]=/usr/lib64/nagios/plugins/check_disk -w 5% -c 1% -p /srv
+command[check_disk_/u01]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /u01
+command[check_disk_/srv/registry]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv/registry
+command[check_disk_/var/lib64/mock]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /var/lib/mock
+command[check_disk_/var/log]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /var/log
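Review bot: The entry `command[check_disk_/var/lib64/mock]` is named for `/var/lib64/mock` but passes `-p /var/lib/mock`, so the command name and the path actually checked disagree. One of the two is presumably a typo; if the path is right, the name would read `command[check_disk_/var/lib/mock]`, provided the Nagios server side requests the same name. Every line in this template also hard-codes `/usr/lib64/nagios/plugins`, while other templates in this commit use `{{ libdir }}`. Writing `{{ libdir }}/nagios/plugins/check_disk` here would keep the role consistent.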
diff --git a/roles/nagios_client/templates/check_fedmsg_composer_proc.cfg.j2 b/roles/nagios_client/templates/check_fedmsg_composer_proc.cfg.j2
new file mode 100644
index 0000000..9e41841
--- /dev/null
+++ b/roles/nagios_client/templates/check_fedmsg_composer_proc.cfg.j2
@@ -0,0 +1 @@
+command[check_fedmsg_composer_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -C 'fedmsg-hub-3' -u apache
diff --git a/roles/nagios_client/templates/check_fedmsg_consumers.cfg.j2 b/roles/nagios_client/templates/check_fedmsg_consumers.cfg.j2
new file mode 100644
index 0000000..4160a8a
--- /dev/null
+++ b/roles/nagios_client/templates/check_fedmsg_consumers.cfg.j2
@@ -0,0 +1,60 @@
+# Fedmsg checks for consumers and producers
+command[check_fedmsg_cp_busgateway_hub]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py fedmsg-hub Nommer MonitoringProducer
+command[check_fedmsg_cp_busgateway_relay]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py fedmsg-relay RelayConsumer MonitoringProducer
+{% if (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 8) or (ansible_distribution_major_version|int < 30 and ansible_distribution == 'Fedora') %}
+command[check_fedmsg_cp_busgateway_gateway]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py fedmsg-gateway GatewayConsumer MonitoringProducer
+{% else %}
+command[check_fedmsg_cp_busgateway_gateway]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py fedmsg-gateway- GatewayConsumer MonitoringProducer
+{% endif %}
+command[check_fedmsg_cp_anitya_relay]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py fedmsg-relay RelayConsumer MonitoringProducer
+command[check_fedmsg_cp_app]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py fedmsg-relay RelayConsumer MonitoringProducer
+command[check_fedmsg_cp_value]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py fedmsg-irc IRCBotConsumer MonitoringProducer
+command[check_fedmsg_cp_badges_backend]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py fedmsg-hub FedoraBadgesConsumer MonitoringProducer
+command[check_fedmsg_cp_notifs_backend]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py fedmsg-hub FMNConsumer DigestProducer ConfirmationProducer MonitoringProducer
+command[check_fedmsg_cp_bugzilla2fedmsg]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py moksha-hub BugzillaConsumer MonitoringProducer
+command[check_fedmsg_cp_fedimg_backend]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py fedmsg-hub FedimgConsumer MonitoringProducer
+command[check_fedmsg_cp_hotness_backend]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py fedmsg-hub BugzillaTicketFiler MonitoringProducer
+command[check_fedmsg_cp_packages_backend]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py fedmsg-hub CacheInvalidator MonitoringProducer
+command[check_fedmsg_cp_pdc_backend]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py fedmsg-hub PDCUpdater MonitoringProducer
+command[check_fedmsg_cp_mbs_backend]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py fedmsg-hub MBSConsumer MBSProducer MonitoringProducer
+
+command[check_fedmsg_cexceptions_busgateway_hub]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py fedmsg-hub Nommer 1 10
+command[check_fedmsg_cexceptions_busgateway_relay]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py fedmsg-relay RelayConsumer 1 10
+{% if (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 8) or (ansible_distribution_major_version|int < 30 and ansible_distribution == 'Fedora') %}
+command[check_fedmsg_cexceptions_busgateway_gateway]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py fedmsg-gateway GatewayConsumer 1 10
+{% else %}
+command[check_fedmsg_cexceptions_busgateway_gateway]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py fedmsg-gateway- GatewayConsumer 1 10
+{% endif %}
+command[check_fedmsg_cexceptions_anitya_relay]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py fedmsg-relay RelayConsumer 1 10
+command[check_fedmsg_cexceptions_app]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py fedmsg-relay RelayConsumer 1 10
+command[check_fedmsg_cexceptions_value]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py fedmsg-irc IRCBotConsumer 1 10
+command[check_fedmsg_cexceptions_badges_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py fedmsg-hub FedoraBadgesConsumer 1 10
+command[check_fedmsg_cexceptions_notifs_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py fedmsg-hub FMNConsumer 1 10
+command[check_fedmsg_cexceptions_bugzilla2fedmsg]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py moksha-hub BugzillaConsumer 1 10
+command[check_fedmsg_cexceptions_fedimg_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py fedmsg-hub FedimgConsumer 1 10
+command[check_fedmsg_cexceptions_hotness_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py fedmsg-hub BugzillaTicketFiler 1 10
+command[check_fedmsg_cexceptions_packages_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py fedmsg-hub CacheInvalidator 1 10
+command[check_fedmsg_cexceptions_pdc_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py fedmsg-hub PDCUpdater 1 10
+command[check_fedmsg_cexceptions_mbs_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py fedmsg-hub MBSConsumer 1 10
+
+command[check_fedmsg_cbacklog_busgateway_hub]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub Nommer 500 1000
+command[check_fedmsg_cbacklog_busgateway_relay]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-relay RelayConsumer 10 50
+{% if (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 8) or (ansible_distribution_major_version|int < 30 and ansible_distribution == 'Fedora') %}
+command[check_fedmsg_cbacklog_busgateway_gateway]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-gateway GatewayConsumer 10 50
+{% else %}
+command[check_fedmsg_cbacklog_busgateway_gateway]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-gateway- GatewayConsumer 10 50
+{% endif %}
+command[check_fedmsg_cbacklog_anitya_relay]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-relay RelayConsumer 10 50
+command[check_fedmsg_cbacklog_app]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-relay RelayConsumer 10 50
+command[check_fedmsg_cbacklog_value]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-irc IRCBotConsumer 10 50
+command[check_fedmsg_cbacklog_badges_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub FedoraBadgesConsumer 25000 35000
+command[check_fedmsg_cbacklog_notifs_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub FMNConsumer 15000 20000
+command[check_fedmsg_cbacklog_bugzilla2fedmsg]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py moksha-hub BugzillaConsumer 10 100
+command[check_fedmsg_cbacklog_fedimg_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub FedimgConsumer 2000 5000
+command[check_fedmsg_cbacklog_hotness_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub BugzillaTicketFiler 1000 5000
+command[check_fedmsg_cbacklog_packages_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub CacheInvalidator 30000 40000
+command[check_fedmsg_cbacklog_pdc_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub PDCUpdater 10000 20000
+command[check_fedmsg_cbacklog_mbs_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py fedmsg-hub MBSConsumer 10000 20000
+
+command[check_fedmsg_fmn_digest_last_ran]={{libdir}}/nagios/plugins/check_fedmsg_producer_last_ran.py fedmsg-hub DigestProducer 90 600
+command[check_fedmsg_fmn_confirm_last_ran]={{libdir}}/nagios/plugins/check_fedmsg_producer_last_ran.py fedmsg-hub ConfirmationProducer 90 600
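Review bot: The three `{% else %}` branches (the cp, cexceptions and cbacklog `busgateway_gateway` commands) pass `fedmsg-gateway-` with a trailing dash as the process name, while check_fedmsg_gateway_proc.cfg.j2 in this same commit matches `fedmsg-gateway-3`. If the plugins compare the name exactly, the argument looks truncated and these checks would never find the process; this needs confirming against the plugin scripts, which are not shown here. The same long distribution test is also repeated three times. A single `{% set %}` at the top holding the gateway process name would leave one place to fix, and a one-line comment above it should say which releases ship the renamed binary.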
diff --git a/roles/nagios_client/templates/check_fedmsg_gateway_proc.cfg.j2 b/roles/nagios_client/templates/check_fedmsg_gateway_proc.cfg.j2
new file mode 100644
index 0000000..fbf7986
--- /dev/null
+++ b/roles/nagios_client/templates/check_fedmsg_gateway_proc.cfg.j2
@@ -0,0 +1,5 @@
+{% if (( ansible_distribution_major_version == "8" ) and ( ansible_distribution == "RedHat" )) or ((ansible_distribution_major_version|int >= 30) and (ansible_distribution == "Fedora")) %}
+command[check_fedmsg_gateway_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 --ereg-argument-array='fedmsg-gateway-3' -u fedmsg
+{% else %}
+command[check_fedmsg_gateway_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -C 'fedmsg-gateway' -u fedmsg
+{% endif %}
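Review bot: The first branch tests `ansible_distribution_major_version == "8"`, a string equality that matches RHEL 8 only. A later RedHat major version falls through to the `{% else %}` line and looks for `-C 'fedmsg-gateway'`. check_fedmsg_consumers.cfg.j2 in this commit draws the same boundary with `ansible_distribution_major_version|int < 8`, so the two templates disagree for any RedHat release above 8. Using `ansible_distribution_major_version|int >= 8` here would make them agree. A process check that watches the wrong name goes critical or, worse, is silenced as noise, which removes the signal that the gateway is down.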
diff --git a/roles/nagios_client/templates/check_fedmsg_hub_proc.cfg.j2 b/roles/nagios_client/templates/check_fedmsg_hub_proc.cfg.j2
new file mode 100644
index 0000000..17ec341
--- /dev/null
+++ b/roles/nagios_client/templates/check_fedmsg_hub_proc.cfg.j2
@@ -0,0 +1 @@
+command[check_fedmsg_hub_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -C 'fedmsg-hub' -u fedmsg
diff --git a/roles/nagios_client/templates/check_fedmsg_irc_proc.cfg.j2 b/roles/nagios_client/templates/check_fedmsg_irc_proc.cfg.j2
new file mode 100644
index 0000000..92090dc
--- /dev/null
+++ b/roles/nagios_client/templates/check_fedmsg_irc_proc.cfg.j2
@@ -0,0 +1 @@
+command[check_fedmsg_irc_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -C 'fedmsg-irc' -u fedmsg
diff --git a/roles/nagios_client/templates/check_fedmsg_relay_proc.cfg.j2 b/roles/nagios_client/templates/check_fedmsg_relay_proc.cfg.j2
new file mode 100644
index 0000000..c471575
--- /dev/null
+++ b/roles/nagios_client/templates/check_fedmsg_relay_proc.cfg.j2
@@ -0,0 +1 @@
+command[check_fedmsg_relay_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -C 'fedmsg-relay' -u fedmsg
diff --git a/roles/nagios_client/templates/check_fmn.cfg.j2 b/roles/nagios_client/templates/check_fmn.cfg.j2
new file mode 100644
index 0000000..8052eea
--- /dev/null
+++ b/roles/nagios_client/templates/check_fmn.cfg.j2
@@ -0,0 +1,3 @@
+command[check_fmn_worker_queue]={{ libdir }}/nagios/plugins/check_rabbitmq_size fmn.tasks.unprocessed_messages 200 1000
+command[check_fmn_backend_irc_queue]={{ libdir }}/nagios/plugins/check_rabbitmq_size fmn.backends.irc 100 200
+command[check_fmn_backend_email_queue]={{ libdir }}/nagios/plugins/check_rabbitmq_size fmn.backends.email 100 200
diff --git a/roles/nagios_client/templates/check_happroxy_conns.cfg.j2 b/roles/nagios_client/templates/check_happroxy_conns.cfg.j2
new file mode 100644
index 0000000..381d2b2
--- /dev/null
+++ b/roles/nagios_client/templates/check_happroxy_conns.cfg.j2
@@ -0,0 +1 @@
+command[check_haproxy_conns]=/usr/lib64/nagios/plugins/check_haproxy_conns.py
diff --git a/roles/nagios_client/templates/check_ipa.cfg.j2 b/roles/nagios_client/templates/check_ipa.cfg.j2
new file mode 100644
index 0000000..0314738
--- /dev/null
+++ b/roles/nagios_client/templates/check_ipa.cfg.j2
@@ -0,0 +1 @@
+command[check_ipa_replication]={{ libdir }}/nagios/plugins/check_ipa_replication -u ldaps://localhost/
diff --git a/roles/nagios_client/templates/check_lock.cfg.j2 b/roles/nagios_client/templates/check_lock.cfg.j2
new file mode 100644
index 0000000..70015b7
--- /dev/null
+++ b/roles/nagios_client/templates/check_lock.cfg.j2
@@ -0,0 +1 @@
+command[check_lock]={{ libdir }}/nagios/plugins/check_lock
diff --git a/roles/nagios_client/templates/check_lock_file_age.cfg.j2 b/roles/nagios_client/templates/check_lock_file_age.cfg.j2
new file mode 100644
index 0000000..c36459a
--- /dev/null
+++ b/roles/nagios_client/templates/check_lock_file_age.cfg.j2
@@ -0,0 +1 @@
+command[check_lock_file_age]={{ libdir }}/nagios/plugins/check_lock_file_age -w 1 -c 5 -f /var/lock/fedora-ca/lock
diff --git a/roles/nagios_client/templates/check_mailman_api.cfg.j2 b/roles/nagios_client/templates/check_mailman_api.cfg.j2
new file mode 100644
index 0000000..95213f3
--- /dev/null
+++ b/roles/nagios_client/templates/check_mailman_api.cfg.j2
@@ -0,0 +1 @@
+command[check_mailman_api]=/usr/lib64/nagios/plugins/check_http -H localhost -p 8001 -u /3.0 -e 'HTTP/1.0 401 Unauthorized'
diff --git a/roles/nagios_client/templates/check_memcache.cfg.j2 b/roles/nagios_client/templates/check_memcache.cfg.j2
new file mode 100644
index 0000000..b0ec100
--- /dev/null
+++ b/roles/nagios_client/templates/check_memcache.cfg.j2
@@ -0,0 +1,2 @@
+command[check_memcache]=/usr/lib64/nagios/plugins/check_procs -c 1:1 -a '/usr/bin/memcached' -u memcached
+command[check_memcache_connect]=/usr/lib64/nagios/plugins/check_memcache_connect
diff --git a/roles/nagios_client/templates/check_merged_file_age.cfg.j2 b/roles/nagios_client/templates/check_merged_file_age.cfg.j2
new file mode 100644
index 0000000..90df1c7
--- /dev/null
+++ b/roles/nagios_client/templates/check_merged_file_age.cfg.j2
@@ -0,0 +1 @@
+command[check_merged_file_age]=/usr/lib64/nagios/plugins/check_file_age -w 120 -c 300 /var/log/merged/messages.log
diff --git a/roles/nagios_client/templates/check_mirrorlist_cache.cfg.j2 b/roles/nagios_client/templates/check_mirrorlist_cache.cfg.j2
new file mode 100644
index 0000000..d282b7f
--- /dev/null
+++ b/roles/nagios_client/templates/check_mirrorlist_cache.cfg.j2
@@ -0,0 +1,2 @@
+command[check_mirrorlist1_cache]={{ libdir }}/nagios/plugins/check_file_age -w 14400 -c 129600 -f /srv/mirrorlist/data/mirrorlist1/mirrorlist_cache.proto
+command[check_mirrorlist2_cache]={{ libdir }}/nagios/plugins/check_file_age -w 14400 -c 129600 -f /srv/mirrorlist/data/mirrorlist2/mirrorlist_cache.proto
diff --git a/roles/nagios_client/templates/check_mirrorlist_docker_proxy.cfg.j2 b/roles/nagios_client/templates/check_mirrorlist_docker_proxy.cfg.j2
new file mode 100644
index 0000000..39c0099
--- /dev/null
+++ b/roles/nagios_client/templates/check_mirrorlist_docker_proxy.cfg.j2
@@ -0,0 +1 @@
+command[check_mirrorlist_docker_proxy]=/usr/lib64/nagios/plugins/check_tcp -H localhost -p 18081
diff --git a/roles/nagios_client/templates/check_mysql.cfg.j2 b/roles/nagios_client/templates/check_mysql.cfg.j2
new file mode 100644
index 0000000..2b825d2
--- /dev/null
+++ b/roles/nagios_client/templates/check_mysql.cfg.j2
@@ -0,0 +1 @@
+command[check_mysql_backup]={{ libdir }}/nagios/plugins/check_file_age -w 86400 -c 129600 -f /backups/fpo-mediawiki-latest.xz
diff --git a/roles/nagios_client/templates/check_openvpn_link.cfg.j2 b/roles/nagios_client/templates/check_openvpn_link.cfg.j2
new file mode 100644
index 0000000..77d3e66
--- /dev/null
+++ b/roles/nagios_client/templates/check_openvpn_link.cfg.j2
@@ -0,0 +1 @@
+command[check_openvpn_link]={{ libdir }}/nagios/plugins/check_ping -H 192.168.1.41 -w 375.0,20% -c 500,60%
diff --git a/roles/nagios_client/templates/check_osbs.cfg.j2 b/roles/nagios_client/templates/check_osbs.cfg.j2
new file mode 100644
index 0000000..1bd7e2f
--- /dev/null
+++ b/roles/nagios_client/templates/check_osbs.cfg.j2
@@ -0,0 +1 @@
+command[check_osbs_api]={{ libdir }}/nagios/plugins/check_osbs_api.py
diff --git a/roles/nagios_client/templates/check_postfix_queue.cfg.j2 b/roles/nagios_client/templates/check_postfix_queue.cfg.j2
new file mode 100644
index 0000000..40ab592
--- /dev/null
+++ b/roles/nagios_client/templates/check_postfix_queue.cfg.j2
@@ -0,0 +1 @@
+command[check_postfix_queue]={{ libdir }}/nagios/plugins/check_postfix_queue -w {{ nrpe_check_postfix_queue_warn }} -c {{ nrpe_check_postfix_queue_crit }}
diff --git a/roles/nagios_client/templates/check_proxies.cfg.j2 b/roles/nagios_client/templates/check_proxies.cfg.j2
new file mode 100644
index 0000000..216b647
--- /dev/null
+++ b/roles/nagios_client/templates/check_proxies.cfg.j2
@@ -0,0 +1,2 @@
+command[check_ticketkey_age]={{ libdir }}/nagios/plugins/check_file_age -w 3600 -c 7200 -f /etc/httpd/ticketkey_{{env}}.tkey
+command[check_ostree_summary_file_age]=/usr/lib64/nagios/plugins/check_file_age -w 1800 -c 3600 /srv/web/ostree/summary
diff --git a/roles/nagios_client/templates/check_rabbitmq_cluster.cfg.j2 b/roles/nagios_client/templates/check_rabbitmq_cluster.cfg.j2
new file mode 100644
index 0000000..6a67248
--- /dev/null
+++ b/roles/nagios_client/templates/check_rabbitmq_cluster.cfg.j2
@@ -0,0 +1 @@
+command[check_rabbitmq_cluster]=/usr/lib64/nagios/plugins-rabbitmq/check_rabbitmq_cluster --extra-opts=common(a)/etc/nrpe.d/rabbitmq_args.ini -n rabbit@rabbitmq01.phx2.fedoraproject.org,rabbit@rabbitmq02.phx2.fedoraproject.org,rabbit(a)rabbitmq03.phx2.fedoraproject.org
\ No newline at end of file
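Review bot: The `-n` node list is hard-coded to three `rabbitmqNN.phx2.fedoraproject.org` hosts, which looks carried over from another deployment given that the rest of this repository targets rpmfusion hosts. If those are not this site's brokers, the check either fails permanently or reports on a cluster this site does not run. Rendering the list from an inventory group or a role variable would tie it to the hosts actually deployed. The file also ends without a trailing newline, as do the other check_rabbitmq_* templates in this commit.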
diff --git a/roles/nagios_client/templates/check_rabbitmq_connections.cfg.j2 b/roles/nagios_client/templates/check_rabbitmq_connections.cfg.j2
new file mode 100644
index 0000000..8b30a7f
--- /dev/null
+++ b/roles/nagios_client/templates/check_rabbitmq_connections.cfg.j2
@@ -0,0 +1 @@
+command[check_rabbitmq_connections]=/usr/lib64/nagios/plugins-rabbitmq/check_rabbitmq_connections --extra-opts=common(a)/etc/nrpe.d/rabbitmq_args.ini
\ No newline at end of file
diff --git a/roles/nagios_client/templates/check_rabbitmq_exchange.cfg.j2 b/roles/nagios_client/templates/check_rabbitmq_exchange.cfg.j2
new file mode 100644
index 0000000..c5a729e
--- /dev/null
+++ b/roles/nagios_client/templates/check_rabbitmq_exchange.cfg.j2
@@ -0,0 +1,2 @@
+command[check_rabbitmq_exchange_pubsub]=/usr/lib64/nagios/plugins-rabbitmq/check_rabbitmq_exchange --extra-opts=common(a)/etc/nrpe.d/rabbitmq_args.ini --vhost /pubsub --exchange amq.topic --period 600
+command[check_rabbitmq_exchange_public_pubsub]=/usr/lib64/nagios/plugins-rabbitmq/check_rabbitmq_exchange --extra-opts=common(a)/etc/nrpe.d/rabbitmq_args.ini --vhost /public_pubsub --exchange amq.topic --period 600
\ No newline at end of file
diff --git a/roles/nagios_client/templates/check_rabbitmq_overview.cfg.j2 b/roles/nagios_client/templates/check_rabbitmq_overview.cfg.j2
new file mode 100644
index 0000000..060fb2f
--- /dev/null
+++ b/roles/nagios_client/templates/check_rabbitmq_overview.cfg.j2
@@ -0,0 +1 @@
+command[check_rabbitmq_overview]=/usr/lib64/nagios/plugins-rabbitmq/check_rabbitmq_overview --extra-opts=common(a)/etc/nrpe.d/rabbitmq_args.ini
\ No newline at end of file
diff --git a/roles/nagios_client/templates/check_rabbitmq_queue.cfg.j2 b/roles/nagios_client/templates/check_rabbitmq_queue.cfg.j2
new file mode 100644
index 0000000..d9c9367
--- /dev/null
+++ b/roles/nagios_client/templates/check_rabbitmq_queue.cfg.j2
@@ -0,0 +1,2 @@
+command[check_rabbitmq_queue_pubsub]=/usr/lib64/nagios/plugins-rabbitmq/check_rabbitmq_queue --extra-opts=common(a)/etc/nrpe.d/rabbitmq_args.ini --vhost /pubsub
+command[check_rabbitmq_queue_public_pubsub]=/usr/lib64/nagios/plugins-rabbitmq/check_rabbitmq_queue --extra-opts=common(a)/etc/nrpe.d/rabbitmq_args.ini --vhost /public_pubsub
\ No newline at end of file
diff --git a/roles/nagios_client/templates/check_rabbitmq_server.cfg.j2 b/roles/nagios_client/templates/check_rabbitmq_server.cfg.j2
new file mode 100644
index 0000000..bc8fb20
--- /dev/null
+++ b/roles/nagios_client/templates/check_rabbitmq_server.cfg.j2
@@ -0,0 +1 @@
+command[check_rabbitmq_server]=/usr/lib64/nagios/plugins-rabbitmq/check_rabbitmq_server --extra-opts=common(a)/etc/nrpe.d/rabbitmq_args.ini --node={{ inventory_hostname }}
\ No newline at end of file
diff --git a/roles/nagios_client/templates/check_rabbitmq_watermark.cfg.j2 b/roles/nagios_client/templates/check_rabbitmq_watermark.cfg.j2
new file mode 100644
index 0000000..3dc965b
--- /dev/null
+++ b/roles/nagios_client/templates/check_rabbitmq_watermark.cfg.j2
@@ -0,0 +1 @@
+command[check_rabbitmq_watermark]=/usr/lib64/nagios/plugins-rabbitmq/check_rabbitmq_watermark --extra-opts=common(a)/etc/nrpe.d/rabbitmq_args.ini --vhost /pubsub --node={{ inventory_hostname }}
\ No newline at end of file
diff --git a/roles/nagios_client/templates/check_raid.cfg.j2 b/roles/nagios_client/templates/check_raid.cfg.j2
new file mode 100644
index 0000000..ef47d12
--- /dev/null
+++ b/roles/nagios_client/templates/check_raid.cfg.j2
@@ -0,0 +1 @@
+command[check_raid]={{ libdir }}/nagios/plugins/check_raid.py
diff --git a/roles/nagios_client/templates/check_readonly_fs.cfg.j2 b/roles/nagios_client/templates/check_readonly_fs.cfg.j2
new file mode 100644
index 0000000..df896b7
--- /dev/null
+++ b/roles/nagios_client/templates/check_readonly_fs.cfg.j2
@@ -0,0 +1 @@
+command[check_readonly_fs]=/usr/lib64/nagios/plugins/check_readonly_fs
diff --git a/roles/nagios_client/templates/check_redis_proc.cfg.j2 b/roles/nagios_client/templates/check_redis_proc.cfg.j2
new file mode 100644
index 0000000..7f05bc5
--- /dev/null
+++ b/roles/nagios_client/templates/check_redis_proc.cfg.j2
@@ -0,0 +1 @@
+command[check_redis_proc]=/usr/lib64/nagios/plugins/check_procs -c 1:1 -C 'redis-server' -u redis
diff --git a/roles/nagios_client/templates/check_sigul_bridge_proc.cfg.j2 b/roles/nagios_client/templates/check_sigul_bridge_proc.cfg.j2
new file mode 100644
index 0000000..a173c2f
--- /dev/null
+++ b/roles/nagios_client/templates/check_sigul_bridge_proc.cfg.j2
@@ -0,0 +1 @@
+command[check_sigul_bridge_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -a 'sigul/bridge.py' -u sigul
diff --git a/roles/nagios_client/templates/check_supybot_fedmsg_plugin.cfg.j2 b/roles/nagios_client/templates/check_supybot_fedmsg_plugin.cfg.j2
new file mode 100644
index 0000000..514cf75
--- /dev/null
+++ b/roles/nagios_client/templates/check_supybot_fedmsg_plugin.cfg.j2
@@ -0,0 +1 @@
+command[check_supybot_fedmsg_plugin]={{libdir}}/nagios/plugins/check_supybot_plugin -t fedmsg
diff --git a/roles/nagios_client/templates/check_swap.cfg.j2 b/roles/nagios_client/templates/check_swap.cfg.j2
new file mode 100644
index 0000000..68695c9
--- /dev/null
+++ b/roles/nagios_client/templates/check_swap.cfg.j2
@@ -0,0 +1 @@
+command[check_swap]={{ libdir }}/nagios/plugins/check_swap -w 15% -c 10%
diff --git a/roles/nagios_client/templates/check_testcloud.cfg.j2 b/roles/nagios_client/templates/check_testcloud.cfg.j2
new file mode 100644
index 0000000..25a314f
--- /dev/null
+++ b/roles/nagios_client/templates/check_testcloud.cfg.j2
@@ -0,0 +1 @@
+command[check_testcloud]={{ libdir }}/nagios/plugins/check_testcloud
diff --git a/roles/nagios_client/templates/check_unbound_proc.cfg.j2 b/roles/nagios_client/templates/check_unbound_proc.cfg.j2
new file mode 100644
index 0000000..cbae839
--- /dev/null
+++ b/roles/nagios_client/templates/check_unbound_proc.cfg.j2
@@ -0,0 +1 @@
+command[check_unbound_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -C 'unbound' -u unbound
diff --git a/roles/nagios_client/templates/check_varnish_proc.cfg.j2 b/roles/nagios_client/templates/check_varnish_proc.cfg.j2
new file mode 100644
index 0000000..3935c16
--- /dev/null
+++ b/roles/nagios_client/templates/check_varnish_proc.cfg.j2
@@ -0,0 +1 @@
+command[check_varnish_proc]=/usr/lib64/nagios/plugins/check_procs -c 1:2 -C 'varnishd' -u varnish
diff --git a/roles/nagios_client/templates/check_websites_buildtime.cfg.j2 b/roles/nagios_client/templates/check_websites_buildtime.cfg.j2
new file mode 100644
index 0000000..ff5639d
--- /dev/null
+++ b/roles/nagios_client/templates/check_websites_buildtime.cfg.j2
@@ -0,0 +1,2 @@
+# Alert if websites haven't been built in 3 hours
+command[check_websites_buildtime]={{ libdir }}/nagios/plugins/check_timestamp_from_file /srv/websites/getfedora.org/build.timestamp.txt 10800
diff --git a/roles/nagios_client/templates/nrpe.cfg.j2 b/roles/nagios_client/templates/nrpe.cfg.j2
new file mode 100644
index 0000000..102f529
--- /dev/null
+++ b/roles/nagios_client/templates/nrpe.cfg.j2
@@ -0,0 +1,232 @@
+#############################################################################
+# Sample NRPE Config File
+# Written by: Ethan Galstad (nagios(a)nagios.org)
+#
+# Last Modified: 11-23-2007
+#
+# NOTES:
+# This is a sample configuration file for the NRPE daemon. It needs to be
+# located on the remote host that is running the NRPE daemon, not the host
+# from which the check_nrpe client is being executed.
+#############################################################################
+
+
+# LOG FACILITY
+# The syslog facility that should be used for logging purposes.
+
+log_facility=daemon
+
+
+
+# PID FILE
+# The name of the file in which the NRPE daemon should write it's process ID
+# number. The file is only written if the NRPE daemon is started by the root
+# user and is running in standalone mode.
+
+#pid_file=/var/run/nrpe.pid
+
+
+
+# PORT NUMBER
+# Port number we should wait for connections on.
+# NOTE: This must be a non-priviledged port (i.e. > 1024).
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+server_port=5666
+
+
+
+# SERVER ADDRESS
+# Address that nrpe should bind to in case there are more than one interface
+# and you do not want nrpe to bind on all interfaces.
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+#server_address=127.0.0.1
+
+
+
+# NRPE USER
+# This determines the effective user that the NRPE daemon should run as.
+# You can either supply a username or a UID.
+#
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+nrpe_user=nrpe
+
+
+
+# NRPE GROUP
+# This determines the effective group that the NRPE daemon should run as.
+# You can either supply a group name or a GID.
+#
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+nrpe_group=nrpe
+
+
+
+# ALLOWED HOST ADDRESSES
+# This is an optional comma-delimited list of IP address or hostnames
+# that are allowed to talk to the NRPE daemon. Network addresses with a bit mask
+# (i.e. 192.168.1.0/24) are also supported. Hostname wildcards are not currently
+# supported.
+#
+# Note: The daemon only does rudimentary checking of the client's IP
+# address. I would highly recommend adding entries in your /etc/hosts.allow
+# file to allow only the specified host to connect to the port
+# you are running this daemon on.
+#
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+
+{% if env == "staging" %}
+allowed_hosts=10.5.126.2,10.5.126.41,10.5.126.241,192.168.1.10,192.168.1.20,209.132.181.35,192.168.1.166,209.132.181.102
+{% else %}
+allowed_hosts=10.5.126.41,192.168.1.10,192.168.1.20,209.132.181.35,10.5.126.241,192.168.1.166,209.132.181.102
+{% endif %}
+
+
+
+# COMMAND ARGUMENT PROCESSING
+# This option determines whether or not the NRPE daemon will allow clients
+# to specify arguments to commands that are executed. This option only works
+# if the daemon was configured with the --enable-command-args configure script
+# option.
+#
+# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
+# Read the SECURITY file for information on some of the security implications
+# of enabling this variable.
+#
+# Values: 0=do not allow arguments, 1=allow command arguments
+
+dont_blame_nrpe=0
+
+
+
+# COMMAND PREFIX
+# This option allows you to prefix all commands with a user-defined string.
+# A space is automatically added between the specified prefix string and the
+# command line from the command definition.
+#
+# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
+# Usage scenario:
+# Execute restricted commmands using sudo. For this to work, you need to add
+# the nagios user to your /etc/sudoers. An example entry for alllowing
+# execution of the plugins from might be:
+#
+# nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
+#
+# This lets the nagios user run all commands in that directory (and only them)
+# without asking for a password. If you do this, make sure you don't give
+# random users write access to that directory or its contents!
+
+# command_prefix=/usr/bin/sudo
+
+
+
+# DEBUGGING OPTION
+# This option determines whether or not debugging messages are logged to the
+# syslog facility.
+# Values: 0=debugging off, 1=debugging on
+
+debug=0
+
+
+
+# COMMAND TIMEOUT
+# This specifies the maximum number of seconds that the NRPE daemon will
+# allow plugins to finish executing before killing them off.
+
+command_timeout=100
+
+
+
+# CONNECTION TIMEOUT
+# This specifies the maximum number of seconds that the NRPE daemon will
+# wait for a connection to be established before exiting. This is sometimes
+# seen where a network problem stops the SSL being established even though
+# all network sessions are connected. This causes the nrpe daemons to
+# accumulate, eating system resources. Do not set this too low.
+
+connection_timeout=300
+
+
+
+# WEEK RANDOM SEED OPTION
+# This directive allows you to use SSL even if your system does not have
+# a /dev/random or /dev/urandom (on purpose or because the necessary patches
+# were not applied). The random number generator will be seeded from a file
+# which is either a file pointed to by the environment valiable $RANDFILE
+# or $HOME/.rnd. If neither exists, the pseudo random number generator will
+# be initialized and a warning will be issued.
+# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness
+
+#allow_weak_random_seed=1
+
+
+
+# INCLUDE CONFIG FILE
+# This directive allows you to include definitions from an external config file.
+
+#include=<somefile.cfg>
+
+
+
+# INCLUDE CONFIG DIRECTORY
+# This directive allows you to include definitions from config files (with a
+# .cfg extension) in one or more directories (with recursion).
+
+include_dir=/etc/nrpe.d/
+
+
+
+# COMMAND DEFINITIONS
+# Command definitions that this daemon will run. Definitions
+# are in the following format:
+#
+# command[<command_name>]=<command_line>
+#
+# When the daemon receives a request to return the results of <command_name>
+# it will execute the command specified by the <command_line> argument.
+#
+# Unlike Nagios, the command line cannot contain macros - it must be
+# typed exactly as it should be executed.
+#
+# Note: Any plugins that are used in the command lines must reside
+# on the machine that this daemon is running on! The examples below
+# assume that you have plugins installed in a /usr/local/nagios/libexec
+# directory. Also note that you will have to modify the definitions below
+# to match the argument format the plugins expect. Remember, these are
+# examples only!
+
+
+# The following examples use hardcoded command arguments...
+
+command[check_users]={{ libdir }}/nagios/plugins/check_users -w 5 -c 10
+command[check_load]={{ libdir }}/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
+command[check_hda1]={{ libdir }}/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1
+{% if inventory_hostname not in groups['zombie_infested'] %}
+command[check_zombie_procs]={{ libdir }}/nagios/plugins/check_procs -w 5 -c 10 -s Z
+{% else %}
+# This host is prone to Zombies and we do not care or want to alert on it so we make the limits very high
+command[check_zombie_procs]={{ libdir }}/nagios/plugins/check_procs -w 50000 -c 100000 -s Z
+{% endif %}
+command[check_total_procs]={{ libdir }}/nagios/plugins/check_procs -w {{ nrpe_procs_warn }} -c {{ nrpe_procs_crit }}
+
+
+# The following examples allow user-supplied arguments and can
+# only be used if the NRPE daemon was compiled with support for
+# command arguments *AND* the dont_blame_nrpe directive in this
+# config file is set to '1'. This poses a potential security risk, so
+# make sure you read the SECURITY file before doing this.
+
+#command[check_users]=/usr/lib64/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
+#command[check_load]=/usr/lib64/nagios/plugins/check_load -w $ARG1$ -c $ARG2$
+#command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
+#command[check_procs]=/usr/lib64/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
+
+
+# NEVER ADD ANYTHING HERE - ANY ENTRIES TO NRPE SHOULD BE in .cfg files in /etc/nrpe.d/
+
+# NEVER NEVER NEVER
+#
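Review bot: `allowed_hosts` is the only access control in this file, and both branches hard-code literal addresses (`10.5.126.x`, `209.132.181.x`, `192.168.1.x`) with nothing to say which monitoring server each one is. If the list was inherited from another deployment, hosts that are not this site's Nagios servers are allowed to query NRPE while the real ones may be refused. Rendering the line from an inventory variable, for example `allowed_hosts={{ nrpe_allowed_hosts | join(',') }}` (variable name is a suggestion), with a comment naming the servers would make the list auditable. `server_address` is left commented out, so the daemon binds every interface, and the file's own comment calls the IP check rudimentary; a host firewall rule restricting port 5666 to the same sources is worth pairing with this. The sample `command[check_hda1]` entry checking `/dev/hda1` looks like a leftover from the upstream example and could be dropped.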
diff --git a/roles/nagios_client/templates/rabbitmq_args.ini.j2 b/roles/nagios_client/templates/rabbitmq_args.ini.j2
new file mode 100644
index 0000000..ee3078d
--- /dev/null
+++ b/roles/nagios_client/templates/rabbitmq_args.ini.j2
@@ -0,0 +1,4 @@
+[common]
+hostname = localhost
+username = nagios-monitoring
+password = {{ (env == 'production')|ternary(rabbitmq_monitoring_password_production, rabbitmq_monitoring_password_staging) }}
\ No newline at end of file
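Review bot: The `password =` line renders the RabbitMQ monitoring secret in clear text into the generated file, and nothing in this hunk shows how that file is protected on disk. The task that deploys this template is outside the hunk; it should set a restrictive owner and mode, for example `mode=0600` owned by the account that runs the check, and `no_log: true` so the rendered value does not appear in diff or verbose output. The ternary also hands the staging credential to every `env` other than `production`; if that is intended, a template comment such as `{# any env other than production uses the staging credential #}` would make it explicit. The file is also written without a trailing newline.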
[ansible] Rename
by Nicolas Chauvet
commit e64b1e14a9adeb9e4b2be95e32bad551180b3b1a
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Jun 8 19:04:59 2020 +0200
Rename
.../client => nagios_client}/tasks/main.yml | 0
1 files changed, 0 insertions(+), 0 deletions(-)
---
diff --git a/roles/nagios/client/tasks/main.yml b/roles/nagios_client/tasks/main.yml
similarity index 100%
rename from roles/nagios/client/tasks/main.yml
rename to roles/nagios_client/tasks/main.yml
[ansible] Update buildvm05/06
by Nicolas Chauvet
commit 16f6b1d88d01b8285f938e081e0f3bf9d87ec32f
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Fri Jun 5 18:32:18 2020 +0200
Update buildvm05/06
inventory/host_vars/buildvm-05.virt.rpmfusion.net | 10 ++++++++++
inventory/host_vars/buildvm-06.virt.rpmfusion.net | 10 ++++++++++
2 files changed, 20 insertions(+), 0 deletions(-)
---
diff --git a/inventory/host_vars/buildvm-05.virt.rpmfusion.net b/inventory/host_vars/buildvm-05.virt.rpmfusion.net
new file mode 100644
index 0000000..75870da
--- /dev/null
+++ b/inventory/host_vars/buildvm-05.virt.rpmfusion.net
@@ -0,0 +1,10 @@
+---
+datacenter: virt
+ansible_ifcfg_blacklist: true
+
+#
+# We need to mount koji storage rw here so run_root can work.
+# The rest of the group can be ro, it's only builders in the
+# compose channel that need a rw mount
+
+nfs_mount_opts: "rw,hard,bg,noatime,nodev,nosuid,nfsvers=3"
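Review bot: `nfs_mount_opts` gives these builders a read-write NFSv3 mount with no `sec=` option, so it presumably uses the default AUTH_SYS flavour, where the server trusts the client's address and the uid it supplies. The rule in the comment that only compose-channel builders get rw therefore has to be enforced in the server's export list, and the comment should say so, for example `# rw must also be restricted to these hosts in the NFS server's exports`. The buildvm-06 file added in the next hunk is byte-identical (same blob `75870da`), so the setting could be defined once in a group_vars file for the compose builders rather than copied per host.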
diff --git a/inventory/host_vars/buildvm-06.virt.rpmfusion.net b/inventory/host_vars/buildvm-06.virt.rpmfusion.net
new file mode 100644
index 0000000..75870da
--- /dev/null
+++ b/inventory/host_vars/buildvm-06.virt.rpmfusion.net
@@ -0,0 +1,10 @@
+---
+datacenter: virt
+ansible_ifcfg_blacklist: true
+
+#
+# We need to mount koji storage rw here so run_root can work.
+# The rest of the group can be ro, it's only builders in the
+# compose channel that need a rw mount
+
+nfs_mount_opts: "rw,hard,bg,noatime,nodev,nosuid,nfsvers=3"
[ansible] dnf automatic for EL
by Nicolas Chauvet
commit 1bc303f2447ca038d7d9ea6d76815b7fab841d9f
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Fri Jun 5 17:40:21 2020 +0200
dnf automatic for EL
roles/dnf-automatic/tasks/main.yml | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/roles/dnf-automatic/tasks/main.yml b/roles/dnf-automatic/tasks/main.yml
index 11245f3..f9b4592 100644
--- a/roles/dnf-automatic/tasks/main.yml
+++ b/roles/dnf-automatic/tasks/main.yml
@@ -33,13 +33,13 @@
command: systemctl is-active dnf-automatic.timer
register: automaticative
check_mode: no
- changed_when: 1 != 1
+ changed_when: automaticative.rc != 0
ignore_errors: true
when: ansible_distribution_major_version|int < 8
- name: start dnf-automatic.timer if it is not active
command: systemctl start dnf-automatic.timer
- when: automaticative is failed and ansible_distribution_major_version|int < 8
+ when: automaticative is defined and ansible_distribution_major_version|int < 8
- name: enable and start dnf-automatic f26+
command: systemctl enable dnf-automatic-install.timer
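Review bot: The new condition `automaticative is defined` on the start task is true whenever the preceding check was evaluated, because `register` sets the variable on success, failure and skip alike. `systemctl start dnf-automatic.timer` therefore runs, and reports changed, on every play for hosts below major version 8 rather than only when the timer is inactive. Testing the return code keeps the intent: `when: automaticative.rc is defined and automaticative.rc != 0 and ansible_distribution_major_version|int < 8`. The check task only reads state, so `changed_when: false` describes it better than `changed_when: automaticative.rc != 0`. The first task in this hunk starts above it and the last one continues below it.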