commit f7b9b58e8ff5abac006a05b34f6ab87166347e28
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Jun 8 19:05:53 2020 +0200
Update nagios_client and others
playbooks/groups/autosign.yml | 2 +-
playbooks/groups/backup-server.yml | 4 +-
playbooks/groups/bastion.yml | 2 +-
playbooks/groups/batcave.yml | 2 +-
playbooks/groups/bodhi-backend.yml | 2 +-
playbooks/groups/bodhi2.yml | 2 +-
playbooks/groups/bugzilla.yml | 2 +-
playbooks/groups/certgetter.yml | 36 +++
playbooks/groups/darkserver-backend.yml | 2 +-
playbooks/groups/darkserver-web.yml | 2 +-
playbooks/groups/dhcp.yml | 2 +-
playbooks/groups/dns.yml | 8 +-
playbooks/groups/fas.yml | 3 +-
playbooks/groups/github2fedmsg.yml | 2 +-
playbooks/groups/ipsilon.yml | 2 +-
playbooks/groups/koji-hub.yml | 2 +-
playbooks/groups/kojipkgs.yml | 2 +-
playbooks/groups/logserver.yml | 2 +-
playbooks/groups/mailman.yml | 2 +-
playbooks/groups/mariadb-server.yml | 2 +-
playbooks/groups/memcached.yml | 2 +-
playbooks/groups/mirrormanager.yml | 2 +-
playbooks/groups/moin.yml | 2 +-
playbooks/groups/noc.yml | 2 +-
playbooks/groups/notifs-backend.yml | 2 +-
playbooks/groups/notifs-web.yml | 2 +-
playbooks/groups/osbs-master.yml | 2 +-
playbooks/groups/osbs/configure-osbs.yml | 3 +
playbooks/groups/osbs/deploy-cluster.yml | 317 ++++++++++++++++++++
playbooks/groups/osbs/osbs-post-install.yml | 196 ++++++++++++
playbooks/groups/osbs/rebuild-osbs-buildroot.yml | 15 +
.../groups/osbs/setup-orchestrator-namespace.yml | 168 +++++++++++
playbooks/groups/osbs/setup-worker-namespace.yml | 78 +++++
playbooks/groups/packages.yml | 2 +-
playbooks/groups/pkgdb.yml | 2 +-
playbooks/groups/pkgs.yml | 2 +-
playbooks/groups/postgresql-server.yml | 2 +-
playbooks/groups/proxies.yml | 2 +-
playbooks/groups/smtp-mm.yml | 2 +-
playbooks/groups/squid.xml | 3 +-
playbooks/groups/virthost.yml | 2 +-
playbooks/manual/kernel-qa.yml | 2 +-
playbooks/manual/qadevel.yml | 2 +-
roles/apache/handlers/main.yml | 2 +
roles/base/tasks/main.yml | 2 +-
roles/mod_wsgi/files/wsgi.conf | 14 +
roles/mod_wsgi/meta/main.yml | 3 +
roles/mod_wsgi/tasks/main.yml | 32 ++
roles/nagios_client/README.rst | 36 +++
.../files/scripts/check_datanommer_timesince.py | 72 +++++
.../nagios_client/files/scripts/check_fcomm_queue | 23 ++
.../files/scripts/check_fedmsg_consumer_backlog.py | 65 ++++
.../scripts/check_fedmsg_consumer_exceptions.py | 61 ++++
.../scripts/check_fedmsg_producer_last_ran.py | 72 +++++
.../scripts/check_fedmsg_producers_consumers.py | 67 ++++
.../files/scripts/check_haproxy_conns.py | 76 +++++
.../files/scripts/check_ipa_replication | 74 +++++
roles/nagios_client/files/scripts/check_lock | 17 +
.../files/scripts/check_lock_file_age | 123 ++++++++
.../files/scripts/check_memcache_connect | 24 ++
.../nagios_client/files/scripts/check_osbs_api.py | 14 +
.../files/scripts/check_postfix_queue | 49 +++
.../files/scripts/check_rabbitmq_size | 26 ++
roles/nagios_client/files/scripts/check_raid.py | 45 +++
.../nagios_client/files/scripts/check_readonly_fs | 84 +++++
.../files/scripts/check_redis_queue.sh | 23 ++
.../files/scripts/check_supybot_plugin | 108 +++++++
roles/nagios_client/files/scripts/check_testcloud | 19 ++
.../files/scripts/check_timestamp_from_file | 43 +++
roles/nagios_client/files/selinux/fi-nrpe.mod | Bin 0 -> 930 bytes
roles/nagios_client/files/selinux/fi-nrpe.pp | Bin 0 -> 7286 bytes
roles/nagios_client/files/selinux/fi-nrpe.te | 15 +
.../files/selinux/mirrormanager_container.pp | Bin 0 -> 7276 bytes
.../files/selinux/mirrormanager_container.te | 15 +
roles/nagios_client/handlers/main.yml | 3 +
roles/nagios_client/tasks/main.yml | 286 ++++++++++++++++++
roles/nagios_client/templates/check_basset.cfg.j2 | 4 +
.../templates/check_celery_redis_queue.cfg.j2 | 1 +
roles/nagios_client/templates/check_cron.cfg.j2 | 1 +
.../templates/check_datanommer_history.cfg.j2 | 49 +++
roles/nagios_client/templates/check_disk.cfg.j2 | 19 ++
.../templates/check_fedmsg_composer_proc.cfg.j2 | 1 +
.../templates/check_fedmsg_consumers.cfg.j2 | 60 ++++
.../templates/check_fedmsg_gateway_proc.cfg.j2 | 5 +
.../templates/check_fedmsg_hub_proc.cfg.j2 | 1 +
.../templates/check_fedmsg_irc_proc.cfg.j2 | 1 +
.../templates/check_fedmsg_relay_proc.cfg.j2 | 1 +
roles/nagios_client/templates/check_fmn.cfg.j2 | 3 +
.../templates/check_happroxy_conns.cfg.j2 | 1 +
roles/nagios_client/templates/check_ipa.cfg.j2 | 1 +
roles/nagios_client/templates/check_lock.cfg.j2 | 1 +
.../templates/check_lock_file_age.cfg.j2 | 1 +
.../templates/check_mailman_api.cfg.j2 | 1 +
.../nagios_client/templates/check_memcache.cfg.j2 | 2 +
.../templates/check_merged_file_age.cfg.j2 | 1 +
.../templates/check_mirrorlist_cache.cfg.j2 | 2 +
.../templates/check_mirrorlist_docker_proxy.cfg.j2 | 1 +
roles/nagios_client/templates/check_mysql.cfg.j2 | 1 +
.../templates/check_openvpn_link.cfg.j2 | 1 +
roles/nagios_client/templates/check_osbs.cfg.j2 | 1 +
.../templates/check_postfix_queue.cfg.j2 | 1 +
roles/nagios_client/templates/check_proxies.cfg.j2 | 2 +
.../templates/check_rabbitmq_cluster.cfg.j2 | 1 +
.../templates/check_rabbitmq_connections.cfg.j2 | 1 +
.../templates/check_rabbitmq_exchange.cfg.j2 | 2 +
.../templates/check_rabbitmq_overview.cfg.j2 | 1 +
.../templates/check_rabbitmq_queue.cfg.j2 | 2 +
.../templates/check_rabbitmq_server.cfg.j2 | 1 +
.../templates/check_rabbitmq_watermark.cfg.j2 | 1 +
roles/nagios_client/templates/check_raid.cfg.j2 | 1 +
.../templates/check_readonly_fs.cfg.j2 | 1 +
.../templates/check_redis_proc.cfg.j2 | 1 +
.../templates/check_sigul_bridge_proc.cfg.j2 | 1 +
.../templates/check_supybot_fedmsg_plugin.cfg.j2 | 1 +
roles/nagios_client/templates/check_swap.cfg.j2 | 1 +
.../nagios_client/templates/check_testcloud.cfg.j2 | 1 +
.../templates/check_unbound_proc.cfg.j2 | 1 +
.../templates/check_varnish_proc.cfg.j2 | 1 +
.../templates/check_websites_buildtime.cfg.j2 | 2 +
roles/nagios_client/templates/nrpe.cfg.j2 | 232 ++++++++++++++
roles/nagios_client/templates/rabbitmq_args.ini.j2 | 4 +
121 files changed, 2765 insertions(+), 42 deletions(-)
---
diff --git a/playbooks/groups/autosign.yml b/playbooks/groups/autosign.yml
index 74e1129..2c22521 100644
--- a/playbooks/groups/autosign.yml
+++ b/playbooks/groups/autosign.yml
@@ -17,7 +17,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/backup-server.yml b/playbooks/groups/backup-server.yml
index 0a7a6f3..1649807 100644
--- a/playbooks/groups/backup-server.yml
+++ b/playbooks/groups/backup-server.yml
@@ -4,7 +4,7 @@
# NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
- name: make backup server system
- hosts:
hv01.online.rpmfusion.net
+ hosts: backup
user: root
gather_facts: True
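Review bot: The new target `hosts: backup` no longer matches the comment two lines above, which says most of the vars come from `group_vars/backup_server`. The inventory is not part of this diff, so I cannot tell whether a `backup` group exists or whether it picks up those group vars. If the group is really called `backup_server`, the play will match no hosts and silently do nothing. Either rename the target or update the comment to `# NOTE: most of these vars come from group_vars/backup or from hostvars`.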
@@ -16,7 +16,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- sudo
diff --git a/playbooks/groups/bastion.yml b/playbooks/groups/bastion.yml
index 4d45bc9..3a14455 100644
--- a/playbooks/groups/bastion.yml
+++ b/playbooks/groups/bastion.yml
@@ -13,7 +13,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- sudo
diff --git a/playbooks/groups/batcave.yml b/playbooks/groups/batcave.yml
index 136709c..a8d09b8 100644
--- a/playbooks/groups/batcave.yml
+++ b/playbooks/groups/batcave.yml
@@ -13,7 +13,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- ansible-server
diff --git a/playbooks/groups/bodhi-backend.yml b/playbooks/groups/bodhi-backend.yml
index 5360393..1ef32ce 100644
--- a/playbooks/groups/bodhi-backend.yml
+++ b/playbooks/groups/bodhi-backend.yml
@@ -24,7 +24,7 @@
roles:
- base
- - nagios/client
+ - nagios_client
- collectd/base
- hosts
- fas_client
diff --git a/playbooks/groups/bodhi2.yml b/playbooks/groups/bodhi2.yml
index bb98402..c0584ac 100644
--- a/playbooks/groups/bodhi2.yml
+++ b/playbooks/groups/bodhi2.yml
@@ -13,7 +13,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- sudo
diff --git a/playbooks/groups/bugzilla.yml b/playbooks/groups/bugzilla.yml
index 35aa3a6..99298c4 100644
--- a/playbooks/groups/bugzilla.yml
+++ b/playbooks/groups/bugzilla.yml
@@ -17,7 +17,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/certgetter.yml b/playbooks/groups/certgetter.yml
new file mode 100644
index 0000000..d59f48f
--- /dev/null
+++ b/playbooks/groups/certgetter.yml
@@ -0,0 +1,36 @@
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml
myhosts=certgetter"
+
+- name: make the box be real
+ hosts: certgetter
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - base
+ - rkhunter
+ - nagios_client
+ - hosts
+ - fas_client
+ - rsyncd
+ - sudo
+ - apache
+ - { role: openvpn/client,
+ when: env != "staging" }
+
+ pre_tasks:
+ - import_tasks: "{{ tasks_path }}/yumrepos.yml"
+
+ tasks:
+ - import_tasks: "{{ tasks_path }}/2fa_client.yml"
+ - import_tasks: "{{ tasks_path }}/motd.yml"
+
+ - name: make sure certbot is installed
+ package: name=certbot state=installed
+
+ handlers:
+ - import_tasks: "{{ handlers_path }}/restart_services.yml"
diff --git a/playbooks/groups/darkserver-backend.yml
b/playbooks/groups/darkserver-backend.yml
index 24c819c..9eb22ed 100644
--- a/playbooks/groups/darkserver-backend.yml
+++ b/playbooks/groups/darkserver-backend.yml
@@ -21,7 +21,7 @@
- collectd/base
- fas_client
- hosts
- - nagios/client
+ - nagios_client
- rsyncd
- sudo
- redis
diff --git a/playbooks/groups/darkserver-web.yml b/playbooks/groups/darkserver-web.yml
index 310db35..c6c322a 100644
--- a/playbooks/groups/darkserver-web.yml
+++ b/playbooks/groups/darkserver-web.yml
@@ -21,7 +21,7 @@
- collectd/base
- fas_client
- hosts
- - nagios/client
+ - nagios_client
- rsyncd
- sudo
- { role: openvpn/client, when: env != "staging" }
diff --git a/playbooks/groups/dhcp.yml b/playbooks/groups/dhcp.yml
index 0978ebe..becc454 100644
--- a/playbooks/groups/dhcp.yml
+++ b/playbooks/groups/dhcp.yml
@@ -13,7 +13,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/dns.yml b/playbooks/groups/dns.yml
index 9c3e1e3..9b8232b 100644
--- a/playbooks/groups/dns.yml
+++ b/playbooks/groups/dns.yml
@@ -8,7 +8,7 @@
user: root
gather_facts: True
- vars_files:
+ vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
@@ -17,7 +17,7 @@
- base
- hosts
- rkhunter
- - nagios/client
+ - nagios_client
- fas_client
- collectd/base
- rsyncd
@@ -25,8 +25,10 @@
- { role: openvpn/client, when: datacenter != "online" }
- dns
- tasks:
+ pre_tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
+
+ tasks:
- import_tasks: "{{ tasks_path }}/2fa_client.yml"
- import_tasks: "{{ tasks_path }}/motd.yml"
diff --git a/playbooks/groups/fas.yml b/playbooks/groups/fas.yml
index 2e480b9..fcd7236 100644
--- a/playbooks/groups/fas.yml
+++ b/playbooks/groups/fas.yml
@@ -10,13 +10,12 @@
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- base
- hosts
- rkhunter
- - nagios/client
+ - nagios_client
- fas_client
- collectd/base
- rsyncd
diff --git a/playbooks/groups/github2fedmsg.yml b/playbooks/groups/github2fedmsg.yml
index 381f3f0..3a0ec32 100644
--- a/playbooks/groups/github2fedmsg.yml
+++ b/playbooks/groups/github2fedmsg.yml
@@ -18,7 +18,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/ipsilon.yml b/playbooks/groups/ipsilon.yml
index 8be115d..d643082 100644
--- a/playbooks/groups/ipsilon.yml
+++ b/playbooks/groups/ipsilon.yml
@@ -18,7 +18,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- rsyncd
diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml
index 2428661..f5b3961 100644
--- a/playbooks/groups/koji-hub.yml
+++ b/playbooks/groups/koji-hub.yml
@@ -25,7 +25,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/kojipkgs.yml b/playbooks/groups/kojipkgs.yml
index 8eaedc3..2ecdef5 100644
--- a/playbooks/groups/kojipkgs.yml
+++ b/playbooks/groups/kojipkgs.yml
@@ -16,7 +16,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- sudo
diff --git a/playbooks/groups/logserver.yml b/playbooks/groups/logserver.yml
index 8b2c305..ccac185 100644
--- a/playbooks/groups/logserver.yml
+++ b/playbooks/groups/logserver.yml
@@ -13,7 +13,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- apache
diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml
index 058e037..c59075b 100644
--- a/playbooks/groups/mailman.yml
+++ b/playbooks/groups/mailman.yml
@@ -17,7 +17,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/mariadb-server.yml b/playbooks/groups/mariadb-server.yml
index 34d987a..8261b86 100644
--- a/playbooks/groups/mariadb-server.yml
+++ b/playbooks/groups/mariadb-server.yml
@@ -20,7 +20,7 @@
- base
- rkhunter
- fas_client
- - nagios/client
+ - nagios_client
- hosts
- mariadb_server
- collectd/base
diff --git a/playbooks/groups/memcached.yml b/playbooks/groups/memcached.yml
index 436889e..1314671 100644
--- a/playbooks/groups/memcached.yml
+++ b/playbooks/groups/memcached.yml
@@ -13,7 +13,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/mirrormanager.yml b/playbooks/groups/mirrormanager.yml
index f75a065..50f50a8 100644
--- a/playbooks/groups/mirrormanager.yml
+++ b/playbooks/groups/mirrormanager.yml
@@ -13,7 +13,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- sudo
diff --git a/playbooks/groups/moin.yml b/playbooks/groups/moin.yml
index a6439ea..8166cf7 100644
--- a/playbooks/groups/moin.yml
+++ b/playbooks/groups/moin.yml
@@ -17,7 +17,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/noc.yml b/playbooks/groups/noc.yml
index 0a53f82..06f808f 100644
--- a/playbooks/groups/noc.yml
+++ b/playbooks/groups/noc.yml
@@ -13,7 +13,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/notifs-backend.yml b/playbooks/groups/notifs-backend.yml
index b2852f4..e6e5a13 100644
--- a/playbooks/groups/notifs-backend.yml
+++ b/playbooks/groups/notifs-backend.yml
@@ -20,7 +20,7 @@
- rkhunter
- hosts
- fas_client
- - nagios/client
+ - nagios_client
- collectd/base
- fedmsg/base
- sudo
diff --git a/playbooks/groups/notifs-web.yml b/playbooks/groups/notifs-web.yml
index fa19d6c..c61ec09 100644
--- a/playbooks/groups/notifs-web.yml
+++ b/playbooks/groups/notifs-web.yml
@@ -18,7 +18,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/osbs-master.yml b/playbooks/groups/osbs-master.yml
index 625911e..8a30cc8 100644
--- a/playbooks/groups/osbs-master.yml
+++ b/playbooks/groups/osbs-master.yml
@@ -14,7 +14,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/osbs/configure-osbs.yml
b/playbooks/groups/osbs/configure-osbs.yml
new file mode 100644
index 0000000..8d7f37a
--- /dev/null
+++ b/playbooks/groups/osbs/configure-osbs.yml
@@ -0,0 +1,3 @@
+- import_playbook:
"/srv/web/infra/ansible/playbooks/groups/osbs/setup-worker-namespace.yml"
+- import_playbook:
"/srv/web/infra/ansible/playbooks/groups/osbs/setup-orchestrator-namespace.yml"
+- import_playbook:
"/srv/web/infra/ansible/playbooks/groups/osbs/osbs-post-install.yml"
diff --git a/playbooks/groups/osbs/deploy-cluster.yml
b/playbooks/groups/osbs/deploy-cluster.yml
new file mode 100644
index 0000000..8464a60
--- /dev/null
+++ b/playbooks/groups/osbs/deploy-cluster.yml
@@ -0,0 +1,317 @@
+# create an osbs server
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml
myhosts=osbs_control"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml
myhosts=osbs_control_stg"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml
myhosts=osbs_nodes:osbs_masters"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml
myhosts=osbs_nodes_stg:osbs_masters_stg"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml
myhosts=osbs_aarch64_nodes_stg:osbs_aarch64_masters_stg"
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml
myhosts=osbs_aarch64_masters"
+
+- name: make the box be real
+ hosts:
osbs_control:osbs_masters:osbs_nodes:osbs_control_stg:osbs_masters_stg:osbs_nodes_stg:osbs_aarch64_masters_stg:osbs_aarch64_nodes_stg:osbs_aarch64_masters
+ tags:
+ - osbs-cluster-prereq
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ pre_tasks:
+ - include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
+ - import_tasks: "{{ tasks_path }}/yumrepos.yml"
+
+ roles:
+ - base
+ - rkhunter
+ - nagios_client
+ - hosts
+ - fas_client
+ - sudo
+ - collectd/base
+ - rsyncd
+
+ tasks:
+ - name: put openshift repo on os- systems
+ template: src="{{ files }}/openshift/openshift.repo"
dest="/etc/yum.repos.d/openshift.repo"
+ tags:
+ - config
+ - packages
+ - yumrepos
+ - name: install redhat ca file
+ package:
+ name: subscription-manager-rhsm-certificates
+ state: present
+ - import_tasks: "{{ tasks_path }}/2fa_client.yml"
+ - import_tasks: "{{ tasks_path }}/motd.yml"
+
+ handlers:
+ - import_tasks: "{{ handlers_path }}/restart_services.yml"
+
+- name: OSBS control hosts pre-req setup
+ hosts: osbs_control:osbs_control_stg
+ tags:
+ - osbs-cluster-prereq
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ tasks:
+ - name: deploy private key to control hosts
+ copy:
+ src: "{{private}}/files/osbs/{{env}}/control_key"
+ dest: "/root/.ssh/id_rsa"
+ owner: root
+ mode: 0600
+
+ - name: set ansible to use pipelining
+ ini_file:
+ dest: /etc/ansible/ansible.cfg
+ section: ssh_connection
+ option: pipelining
+ value: "True"
+
+- name: Setup cluster masters pre-reqs
+ hosts: osbs_masters_stg:osbs_masters:osbs_aarch64_masters_stg:osbs_aarch64_masters
+ tags:
+ - osbs-cluster-prereq
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ tasks:
+ - name: ensure origin conf dir exists
+ file:
+ path: "/etc/origin"
+ state: "directory"
+
+ - name: create cert dir for openshift public facing REST API SSL
+ file:
+ path: "/etc/origin/master/named_certificates"
+ state: "directory"
+
+ - name: install cert for openshift public facing REST API SSL
+ copy:
+ src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
+ dest: "/etc/origin/master/named_certificates/{{osbs_url}}.pem"
+
+ - name: install key for openshift public facing REST API SSL
+ copy:
+ src: "{{private}}/files/osbs/{{env}}/osbs-internal.key"
+ dest: "/etc/origin/master/named_certificates/{{osbs_url}}.key"
+
+ - name: place htpasswd file
+ copy:
+ src: "{{private}}/files/httpd/osbs-{{env}}.htpasswd"
+ dest: /etc/origin/master/htpasswd
+
+
+- name: Setup cluster hosts pre-reqs
+ hosts:
osbs_masters_stg:osbs_nodes_stg:osbs_masters:osbs_nodes:osbs_aarch64_masters_stg:osbs_aarch64_nodes_stg:osbs_aarch64_masters
+ tags:
+ - osbs-cluster-prereq
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ handlers:
+ - name: restart NetworkManager
+ service:
+ name: NetworkManager
+ state: restarted
+
+ tasks:
+ - name: Install necessary packages that openshift-ansible needs
+ package:
+ state: installed
+ name:
+ - tar
+ - rsync
+ - dbus-python
+ - NetworkManager
+ - libselinux-python
+ - python2-pyyaml
+ when: env == "staging"
+ - name: Install necessary packages that openshift-ansible needs
+ package:
+ state: installed
+ name:
+ - tar
+ - rsync
+ - dbus-python
+ - NetworkManager
+ - libselinux-python
+ - python3-PyYAML
+ when: env == "production"
+
+ - name: Deploy controller public ssh keys to osbs cluster hosts
+ authorized_key:
+ user: root
+ key: "{{ lookup('file',
'{{private}}/files/osbs/{{env}}/control_key.pub') }}"
+
+ # This is required for OpenShift built-in SkyDNS inside the overlay network
+ # of the cluster
+ - name: ensure NM_CONTROLLED is set to "yes" for osbs cluster
+ lineinfile:
+ dest: "/etc/sysconfig/network-scripts/ifcfg-eth0"
+ line: "NM_CONTROLLED=yes"
+ notify:
+ - restart NetworkManager
+
+ # This is required for OpenShift built-in SkyDNS inside the overlay network
+ # of the cluster
+ - name: ensure NetworkManager is enabled and started
+ service:
+ name: NetworkManager
+ state: started
+ enabled: yes
+
+ - name: cron entry to clean up docker storage
+ copy:
+ src: "{{files}}/osbs/cleanup-docker-storage"
+ dest: "/etc/cron.d/cleanup-docker-storage"
+
+ - name: copy docker-storage-setup config
+ copy:
+ src: "{{files}}/osbs/docker-storage-setup"
+ dest: "/etc/sysconfig/docker-storage-setup"
+
+- name: Deploy kerberose keytab to cluster hosts
+ hosts:
osbs_masters_stg:osbs_nodes_stg:osbs_masters:osbs_nodes:osbs_aarch64_masters_stg:osbs_aarch64_nodes_stg:osbs_aarch64_masters
+ tags:
+ - osbs-cluster-prereq
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - role: keytab/service
+ owner_user: root
+ owner_group: root
+ service: osbs
+ host: "osbs.fedoraproject.org"
+ when: env == "production"
+ - role: keytab/service
+ owner_user: root
+ owner_group: root
+ service: osbs
+ host: "osbs.stg.fedoraproject.org"
+ when: env == "staging"
+
+- name: Deploy OpenShift Cluster x86_64
+ hosts: osbs_control:osbs_control_stg
+ tags:
+ - osbs-deploy-openshift
+ - osbs-x86-deploy-openshift
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - role: ansible-ansible-openshift-ansible
+ cluster_inventory_filename: "{{ inventory_filename }}"
+ openshift_master_public_api_url: "https://{{ osbs_url }}:8443"
+ openshift_release: "v3.11"
+ openshift_version: "v3.11"
+ openshift_ansible_path: "/root/openshift-ansible"
+ openshift_ansible_pre_playbook: "playbooks/prerequisites.yml"
+ openshift_ansible_playbook: "playbooks/deploy_cluster.yml"
+ openshift_ansible_version: "openshift-ansible-3.11.51-1"
+ openshift_ansible_ssh_user: root
+ openshift_ansible_install_examples: false
+ openshift_ansible_containerized_deploy: false
+ openshift_cluster_masters_group: "{{ cluster_masters_group }}"
+ openshift_cluster_nodes_group: "{{ cluster_nodes_group }}"
+ openshift_cluster_infra_group: "{{ cluster_infra_group }}"
+ openshift_auth_profile: "osbs"
+ openshift_cluster_url: "{{osbs_url}}"
+ openshift_master_ha: false
+ openshift_debug_level: 2
+ openshift_shared_infra: true
+ openshift_deployment_type: "openshift-enterprise"
+ openshift_ansible_use_crio: false
+ openshift_ansible_crio_only: false
+ tags:
['openshift-cluster-x86','ansible-ansible-openshift-ansible']
+
+- name: Deploy OpenShift Cluster aarch64
+ hosts: osbs_control:osbs_control_stg
+ tags:
+ - osbs-deploy-openshift
+ - osbs-aarch-deploy-openshift
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - role: ansible-ansible-openshift-ansible
+ cluster_inventory_filename: "{{ inventory_filename }}"
+ openshift_htpasswd_file: "/etc/origin/htpasswd"
+ openshift_master_public_api_url: "https://{{ osbs_url }}:8443"
+ openshift_release: "v3.11"
+ openshift_version: "v3.11"
+ openshift_ansible_path: "/root/openshift-ansible"
+ openshift_ansible_pre_playbook: "playbooks/prerequisites.yml"
+ openshift_ansible_playbook: "playbooks/deploy_cluster.yml"
+ openshift_ansible_version: "openshift-ansible-3.11.51-1"
+ openshift_ansible_ssh_user: root
+ openshift_ansible_install_examples: false
+ openshift_ansible_containerized_deploy: false
+ openshift_cluster_masters_group: "{{ aarch_masters_group }}"
+ openshift_cluster_nodes_group: "{{ aarch_nodes_group }}"
+ openshift_cluster_infra_group: "{{ aarch_infra_group }}"
+ openshift_auth_profile: "osbs"
+ openshift_cluster_url: "{{osbs_url}}"
+ openshift_master_ha: false
+ openshift_debug_level: 2
+ openshift_shared_infra: true
+ openshift_deployment_type: "origin"
+ openshift_ansible_python_interpreter: "/usr/bin/python3"
+ openshift_ansible_use_crio: false
+ openshift_ansible_crio_only: false
+ openshift_arch: "aarch64"
+ tags:
['openshift-cluster-aarch','ansible-ansible-openshift-ansible']
+
+- name: Setup OSBS requirements for OpenShift cluster hosts
+ hosts: osbs_masters_stg:osbs_nodes_stg:osbs_masters:osbs_nodes
+ tags:
+ - osbs-cluster-req
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ tasks:
+ - name: Ensures /etc/dnsmasq.d/ dir exists
+ file: path="/etc/dnsmasq.d/" state=directory
+ - name: install fedora dnsmasq specific config
+ copy:
+ src: "{{files}}/osbs/fedora-dnsmasq.conf.{{env}}"
+ dest: "/etc/dnsmasq.d/fedora-dns.conf"
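Review bot: The task `install key for openshift public facing REST API SSL` copies a TLS private key without `owner` or `mode`, so the file gets the remote default permissions (commonly world-readable); `place htpasswd file` has the same gap. The control-host SSH key earlier in this file already sets `owner: root` and `mode: 0600`, and the same two lines should be added to both tasks. Separately, the aarch64 play sets `openshift_htpasswd_file: "/etc/origin/htpasswd"` while the masters pre-req play installs the file at `/etc/origin/master/htpasswd`. The role is not shown here, so it is worth confirming which path it actually reads.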
diff --git a/playbooks/groups/osbs/osbs-post-install.yml
b/playbooks/groups/osbs/osbs-post-install.yml
new file mode 100644
index 0000000..d290460
--- /dev/null
+++ b/playbooks/groups/osbs/osbs-post-install.yml
@@ -0,0 +1,196 @@
+- name: post-install master host osbs tasks
+ hosts:
osbs_masters_stg:osbs_masters:osbs_aarch64_masters_stg[0]:osbs_aarch64_masters[0]
+ tags:
+ - osbs-post-install
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - /srv/private/ansible/vars.yml
+ - /srv/private/ansible/files/openstack/passwords.yml
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ vars:
+ osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
+ osbs_environment:
+ KUBECONFIG: "{{ osbs_kubeconfig_path }}"
+
+ tasks:
+ - name: cron entry to clean up old builds
+ copy:
+ src: "{{files}}/osbs/cleanup-old-osbs-builds"
+ dest: "/etc/cron.d/cleanup-old-osbs-builds"
+
+- name: post-install osbs control tasks
+ hosts: osbs_control
+ tags: osbs-post-install
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - /srv/private/ansible/vars.yml
+ - /srv/private/ansible/files/openstack/passwords.yml
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ tasks:
+ - name: enable nrpe for monitoring (noc01)
+ iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp
source=10.5.126.41 state=present jump=ACCEPT
+ tags:
+ - iptables
+
+
+- name: post-install node host osbs tasks
+ hosts: osbs_nodes_stg:osbs_nodes:osbs_aarch64_nodes_stg:osbs_aarch64_nodes
+ tags:
+ - osbs-post-install
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - /srv/private/ansible/vars.yml
+ - /srv/private/ansible/files/openstack/passwords.yml
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ vars:
+ osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
+ osbs_environment:
+ KUBECONFIG: "{{ osbs_kubeconfig_path }}"
+
+
+ handlers:
+ - name: Remove the previous buildroot image
+ docker_image:
+ state: absent
+ name: buildroot
+
+ - name: Build the new buildroot container
+ docker_image:
+ path: /etc/osbs/buildroot/
+ name: buildroot
+ nocache: yes
+
+ - name: restart and reload docker service
+ systemd:
+ name: docker
+ state: restarted
+ daemon_reload: yes
+
+ tasks:
+ - name: enable nrpe for monitoring (noc01)
+ iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp
source=10.5.126.41 state=present jump=ACCEPT
+ tags:
+ - iptables
+
+ - name: copy docker iptables script
+ copy:
+ src: "{{files}}/osbs/fix-docker-iptables.{{ env }}"
+ dest: /usr/local/bin/fix-docker-iptables
+ mode: 0755
+ tags:
+ - iptables
+ notify:
+ - restart and reload docker service
+
+ - name: copy docker custom service config
+ copy:
+ src: "{{files}}/osbs/docker.firewall.service"
+ dest: /etc/systemd/system/docker.service.d/firewall.conf
+ tags:
+ - docker
+ notify:
+ - restart and reload docker service
+
+ - name: copy the osbs customization file
+ copy:
+ src: "{{item}}"
+ dest: "/etc/osbs/buildroot/"
+ owner: root
+ mode: 0600
+ with_items:
+ - "{{files}}/osbs/worker_customize.json"
+ - "{{files}}/osbs/orchestrator_customize.json"
+
+ - name: Create buildroot container conf directory
+ file:
+ path: "/etc/osbs/buildroot/"
+ state: directory
+
+ - name: Upload Dockerfile for buildroot container
+ template:
+ src: "{{ files }}/osbs/buildroot-Dockerfile-{{env}}.j2"
+ dest: "/etc/osbs/buildroot/Dockerfile"
+ mode: 0400
+ notify:
+ - Remove the previous buildroot image
+ - Build the new buildroot container
+
+ - name: Upload krb5.conf for buildroot container
+ template:
+ src: "{{ roles_path }}/base/templates/krb5.conf.j2"
+ dest: "/etc/osbs/buildroot/krb5.conf"
+ mode: 0644
+ notify:
+ - Remove the previous buildroot image
+ - Build the new buildroot container
+
+ - name: Upload internal CA for buildroot
+ copy:
+ src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
+ dest: "/etc/osbs/buildroot/ca.crt"
+ mode: 0400
+ notify:
+ - Remove the previous buildroot image
+ - Build the new buildroot container
+
+ - name: stat infra repofile
+ stat:
+ path: "/etc/yum.repos.d/infra-tags.repo"
+ register: infra_repo_stat
+
+ - name: stat /etc/osbs/buildroot/ infra repofile
+ stat:
+ path: "/etc/osbs/buildroot/infra-tags.repo"
+ register: etcosbs_infra_repo_stat
+
+ - name: remove old /etc/osbs/buildroot/ infra repofile
+ file:
+ path: "/etc/osbs/buildroot/infra-tags.repo"
+ state: absent
+ when: etcosbs_infra_repo_stat.stat.exists and infra_repo_stat.stat.checksum !=
etcosbs_infra_repo_stat.stat.checksum
+
+ - name: Copy repofile for buildroot container (because Docker)
+ copy:
+ src: "/etc/yum.repos.d/infra-tags.repo"
+ dest: "/etc/osbs/buildroot/infra-tags.repo"
+ remote_src: true
+ notify:
+ - Remove the previous buildroot image
+ - Build the new buildroot container
+ when: etcosbs_infra_repo_stat.stat.exists == false
+
+ - name: stat /etc/ keytab
+ stat:
+ path: "/etc/krb5.osbs_{{osbs_url}}.keytab"
+ register: etc_kt_stat
+
+ - name: stat /etc/osbs/buildroot/ keytab
+ stat:
+ path: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab"
+ register: etcosbs_kt_stat
+
+ - name: remove old hardlink to /etc/osbs/buildroot/ keytab
+ file:
+ path: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab"
+ state: absent
+ when: etcosbs_kt_stat.stat.exists and etc_kt_stat.stat.checksum !=
etcosbs_kt_stat.stat.checksum
+
+ - name: Hardlink keytab for buildroot container (because Docker)
+ file:
+ src: "/etc/krb5.osbs_{{osbs_url}}.keytab"
+ dest: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab"
+ state: hard
+ notify:
+ - Remove the previous buildroot image
+ - Build the new buildroot container
+
+ when: etcosbs_kt_stat.stat.exists == false
+
+ - name: pull fedora required docker images
+ command: "docker pull {{source_registry}}/{{item}}"
+ with_items: "{{fedora_required_images}}"
+ register: docker_pull_fedora
+ changed_when: "'Downloaded newer image' in
docker_pull_fedora.stdout"
+
+ - name: enable nrpe for monitoring (noc01)
+ iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp
source=10.5.126.41 state=present jump=ACCEPT
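Review bot: The keytab and infra-repo refresh does not converge in a single run. When the checksums differ, the stale file under `/etc/osbs/buildroot/` is removed, but the following copy and hardlink tasks are gated on `etcosbs_*_stat.stat.exists == false`, which was registered before the removal. They are therefore skipped, and the rebuild handlers are never notified. After a keytab rotation the build context is left without a keytab until the next run; dropping the stat/remove pairs and using `force: yes` on the `state: hard` task (the `copy` with `remote_src: true` already compares checksums) would fix this. The hardlink also places a Kerberos keytab inside a Docker build context. If the Dockerfile template (not shown here) copies it into the image, anyone who can read the image can read the keytab, so confirm it is supplied at run time instead.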
diff --git a/playbooks/groups/osbs/rebuild-osbs-buildroot.yml
b/playbooks/groups/osbs/rebuild-osbs-buildroot.yml
new file mode 100644
index 0000000..95b5517
--- /dev/null
+++ b/playbooks/groups/osbs/rebuild-osbs-buildroot.yml
@@ -0,0 +1,15 @@
+# This playbook can be used to update to rebuild the buildroot image of
+# OSBS. This is useful when we want to update some dependencies in the image.
+
+- name: rebuild the osbs buildroot image.
+ hosts: osbs_nodes:osbs_nodes_stg:osbs_aarch64_nodes_stg
+ gather_facts: false
+ user: root
+
+ tasks:
+
+ - name: Backup the current buildroot
+ command: "docker tag buildroot:latest buildroot:backup"
+
+ - name: rebuild the buildroot container image.
+ command: "docker build /etc/osbs/buildroot -t buildroot --no-cache --pull"
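Review bot: The `Backup the current buildroot` task runs `docker tag buildroot:latest buildroot:backup` unconditionally, so on a node that has no `buildroot:latest` image yet it fails and the rebuild task after it never runs. A preceding `docker images -q buildroot:latest` task with `changed_when: false`, and a `when:` on the backup task that tests its registered stdout, would let the playbook work on fresh nodes as well. The header comment also reads "can be used to update to rebuild"; `# This playbook can be used to rebuild the buildroot image of` is what it seems to mean.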
diff --git a/playbooks/groups/osbs/setup-orchestrator-namespace.yml
b/playbooks/groups/osbs/setup-orchestrator-namespace.yml
new file mode 100644
index 0000000..3c31d8e
--- /dev/null
+++ b/playbooks/groups/osbs/setup-orchestrator-namespace.yml
@@ -0,0 +1,168 @@
+- name: Create orchestrator namespace
+ hosts: osbs_masters_stg[0]:osbs_masters[0]
+ roles:
+ - role: osbs-namespace
+ osbs_orchestrator: true
+ osbs_worker_clusters: "{{ osbs_conf_worker_clusters }}"
+ osbs_cpu_limitrange: "{{ osbs_orchestrator_cpu_limitrange }}"
+ osbs_nodeselector: "{{
osbs_orchestrator_default_nodeselector|default('') }}"
+ osbs_sources_command: "{{ osbs_conf_sources_command }}"
+ osbs_readwrite_users: "{{ osbs_conf_readwrite_users }}"
+ osbs_service_accounts: "{{ osbs_conf_service_accounts }}"
+ koji_use_kerberos: true
+ koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{ osbs_url }}.keytab"
+ koji_kerberos_principal: "osbs/{{osbs_url}}@{{ ipa_realm }}"
+ tags:
+ - osbs-orchestrator-namespace
+
+- name: setup reactor config secret in orchestrator namespace
+ hosts: osbs_masters_stg[0]:osbs_masters[0]
+ roles:
+ - role: osbs-secret
+ osbs_secret_name: reactor-config-secret
+ osbs_secret_files:
+ - source: "/tmp/{{ osbs_namespace }}-{{ env }}-reactor-config-secret.yml"
+ dest: config.yaml
+ tags:
+ - osbs-orchestrator-namespace
+
+- name: setup client config secret in orchestrator namespace
+ hosts: osbs_masters_stg[0]:osbs_masters[0]
+ roles:
+ - role: osbs-secret
+ osbs_secret_name: client-config-secret
+ osbs_secret_files:
+ - source: "/tmp/{{ osbs_namespace }}-{{ env }}-client-config-secret.conf"
+ dest: osbs.conf
+ tags:
+ - osbs-orchestrator-namespace
+
+- name: setup ODCS secret in orchestrator namespace
+ hosts: osbs_masters_stg[0]:osbs_masters[0]
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ roles:
+ - role: osbs-secret
+ osbs_secret_name: odcs-oidc-secret
+ osbs_secret_files:
+ - source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token"
+ dest: token
+ tags:
+ - osbs-orchestrator-namespace
+
+- name: Save orchestrator token x86_64
+ hosts: osbs_masters_stg[0]:osbs_masters[0]
+ tasks:
+ - name: get orchestrator service account token
+ command: "oc -n {{ osbs_worker_namespace }} sa get-token orchestrator"
+ register: orchestator_token_x86_64
+ - name: save the token locally
+ local_action: >
+ copy
+ content="{{ orchestator_token_x86_64.stdout }}"
+ dest=/tmp/.orchestator-token-x86_64
+ mode=0400
+ tags:
+ - osbs-orchestrator-namespace
+
+- name: setup orchestrator token for x86_64-osbs
+ hosts: osbs_masters_stg[0]:osbs_masters[0]
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ roles:
+ - role: osbs-secret
+ osbs_secret_name: x86-64-orchestrator
+ osbs_secret_files:
+ - source: "/tmp/.orchestator-token-x86_64"
+ dest: token
+
+ post_tasks:
+ - name: Delete the temporary secret file
+ local_action: >
+ file
+ state=absent
+ path="/tmp/.orchestator-token-x86_64"
+ tags:
+ - osbs-orchestrator-namespace
+
+- name: Save orchestrator token aarch64
+ hosts: osbs_aarch64_masters_stg[0]:osbs_aarch64_masters[0]
+ tasks:
+ - name: get orchestrator service account token
+ command: "oc -n {{ osbs_worker_namespace }} sa get-token orchestrator"
+ register: orchestator_token_aarch64
+ - name: save the token locally
+ local_action: >
+ copy
+ content="{{ orchestator_token_aarch64.stdout }}"
+ dest=/tmp/.orchestator-token-aarch64
+ mode=0400
+ tags:
+ - osbs-orchestrator-namespace
+
+- name: setup orchestrator token for aarch64-osbs
+ hosts: osbs_masters_stg[0]:osbs_masters[0]
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ roles:
+ - role: osbs-secret
+ osbs_secret_can_fail: true
+ osbs_secret_name: aarch64-orchestrator
+ osbs_secret_files:
+ - source: "/tmp/.orchestator-token-aarch64"
+ dest: token
+
+ post_tasks:
+ - name: Delete the temporary secret file
+ local_action: >
+ file
+ state=absent
+ path="/tmp/.orchestator-token-aarch64"
+
+ tags:
+ - osbs-orchestrator-namespace
+
+- name: Add dockercfg secret to allow registry push orchestrator
+ hosts: osbs_masters_stg[0]:osbs_masters[0]
+ tags:
+ - osbs-dockercfg-secret
+ user: root
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ pre_tasks:
+ - name: Create the username:password string needed by the template
+ set_fact:
+ auth_info_prod:
"{{candidate_registry_osbs_prod_username}}:{{candidate_registry_osbs_prod_password}}"
+ auth_info_stg:
"{{candidate_registry_osbs_stg_username}}:{{candidate_registry_osbs_stg_password}}"
+
+ - name: Create the dockercfg secret file
+ local_action: >
+ template
+ src="{{ files }}/osbs/dockercfg-{{env}}-secret.j2"
+ dest="/tmp/.dockercfg"
+ mode=0400
+
+ roles:
+ - role: osbs-secret
+ osbs_secret_name: "v2-registry-dockercfg"
+ osbs_secret_type: kubernetes.io/dockercfg
+ osbs_secret_files:
+ - source: "/tmp/.dockercfg"
+ dest: .dockercfg
+
+ post_tasks:
+ - name: Delete the temporary secret file
+ local_action: >
+ file
+ state=absent
+ path="/tmp/.dockercfg"
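Review bot: The orchestrator service-account tokens and the registry `username:password` string are written to fixed paths directly under `/tmp` on the control host (`/tmp/.orchestator-token-x86_64`, `/tmp/.orchestator-token-aarch64`, `/tmp/.dockercfg`), and none of the tasks that handle them sets `no_log: true`. A fixed name in a world-writable directory can be pre-created by another local user, and because the cleanup sits in `post_tasks`, a failure inside the `osbs-secret` role leaves the secret on disk. I would add `no_log: true` to `get orchestrator service account token`, `save the token locally` and the `set_fact` that builds `auth_info_prod`/`auth_info_stg`, so the values stay out of verbose output and logs. The files are better written into a private directory created with the `tempfile` module (`state: directory`) than into `/tmp` itself. The same `/tmp/.dockercfg` handling is repeated in setup-worker-namespace.yml.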
diff --git a/playbooks/groups/osbs/setup-worker-namespace.yml
b/playbooks/groups/osbs/setup-worker-namespace.yml
new file mode 100644
index 0000000..1b94f95
--- /dev/null
+++ b/playbooks/groups/osbs/setup-worker-namespace.yml
@@ -0,0 +1,78 @@
+- name: Create worker namespace
+ hosts:
osbs_masters_stg[0]:osbs_masters[0]:osbs_aarch64_masters_stg[0]:osbs_aarch64_masters[0]
+ tags:
+ - osbs-worker-namespace
+ user: root
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ vars:
+ osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
+ osbs_environment:
+ KUBECONFIG: "{{ osbs_kubeconfig_path }}"
+
+ roles:
+ - role: osbs-namespace
+ osbs_namespace: "{{ osbs_worker_namespace }}"
+ osbs_service_accounts: "{{ osbs_worker_service_accounts }}"
+ osbs_nodeselector: "{{ osbs_worker_default_nodeselector|default('')
}}"
+ osbs_sources_command: "{{ osbs_conf_sources_command }}"
+
+- name: setup ODCS secret in worker namespace
+ hosts:
osbs_masters_stg[0]:osbs_masters[0]:osbs_aarch64_masters_stg[0]:osbs_aarch64_masters[0]
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ roles:
+ - role: osbs-secret
+ osbs_namespace: "{{ osbs_worker_namespace }}"
+ osbs_secret_name: odcs-oidc-secret
+ osbs_secret_files:
+ - source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token"
+ dest: token
+ tags:
+ - osbs-worker-namespace
+
+- name: Add dockercfg secret to allow registry push worker
+ hosts:
osbs_masters_stg[0]:osbs_masters[0]:osbs_aarch64_masters_stg[0]:osbs_aarch64_masters[0]
+ tags:
+ - osbs-dockercfg-secret
+ - osbs-worker-namespace
+ user: root
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ pre_tasks:
+ - name: Create the username:password string needed by the template
+ set_fact:
+ auth_info_prod:
"{{candidate_registry_osbs_prod_username}}:{{candidate_registry_osbs_prod_password}}"
+ auth_info_stg:
"{{candidate_registry_osbs_stg_username}}:{{candidate_registry_osbs_stg_password}}"
+
+ - name: Create the dockercfg secret file
+ local_action: >
+ template
+ src="{{ files }}/osbs/dockercfg-{{env}}-secret.j2"
+ dest="/tmp/.dockercfg"
+ mode=0400
+
+ roles:
+ - role: osbs-secret
+ osbs_namespace: "{{ osbs_worker_namespace }}"
+ osbs_secret_name: "v2-registry-dockercfg"
+ osbs_secret_type: kubernetes.io/dockercfg
+ osbs_secret_files:
+ - source: "/tmp/.dockercfg"
+ dest: .dockercfg
+
+ post_tasks:
+ - name: Delete the temporary secret file
+ local_action: >
+ file
+ state=absent
+ path="/tmp/.dockercfg"
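Review bot: `Create the dockercfg secret file` renders `dockercfg-{{env}}-secret.j2` once per targeted host but always to the same control-host path `/tmp/.dockercfg`, while the play targets staging and production masters in one host pattern. If a single run covers both environments, the last render wins and every cluster may receive the same credentials. This assumes `osbs-secret` reads `source` on the control host, which the hunk does not show. A per-host file name avoids the collision, e.g. `dest="/tmp/.dockercfg-{{ inventory_hostname }}"` with the matching `source:` in the role arguments and `path=` in the cleanup task. setup-orchestrator-namespace.yml uses the same fixed paths for its token and dockercfg files and would need the same change.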
diff --git a/playbooks/groups/packages.yml b/playbooks/groups/packages.yml
index 0345687..941673e 100644
--- a/playbooks/groups/packages.yml
+++ b/playbooks/groups/packages.yml
@@ -21,7 +21,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/pkgdb.yml b/playbooks/groups/pkgdb.yml
index 1b1f264..2f9221e 100644
--- a/playbooks/groups/pkgdb.yml
+++ b/playbooks/groups/pkgdb.yml
@@ -17,7 +17,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/pkgs.yml b/playbooks/groups/pkgs.yml
index 306c438..6aaa38c 100644
--- a/playbooks/groups/pkgs.yml
+++ b/playbooks/groups/pkgs.yml
@@ -13,7 +13,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- fas_client
- collectd/base
- sudo
diff --git a/playbooks/groups/postgresql-server.yml
b/playbooks/groups/postgresql-server.yml
index c4bca93..2b7c379 100644
--- a/playbooks/groups/postgresql-server.yml
+++ b/playbooks/groups/postgresql-server.yml
@@ -23,7 +23,7 @@
- base
- rkhunter
- fas_client
- - nagios/client
+ - nagios_client
- hosts
- postgresql_server
- collectd/base
diff --git a/playbooks/groups/proxies.yml b/playbooks/groups/proxies.yml
index 848dafe..d879417 100644
--- a/playbooks/groups/proxies.yml
+++ b/playbooks/groups/proxies.yml
@@ -20,7 +20,7 @@
- base
- fas_client
- rkhunter
- - nagios/client
+ - nagios_client
- collectd/base
- sudo
- rsyncd
diff --git a/playbooks/groups/smtp-mm.yml b/playbooks/groups/smtp-mm.yml
index 740dd65..8509d2e 100644
--- a/playbooks/groups/smtp-mm.yml
+++ b/playbooks/groups/smtp-mm.yml
@@ -15,7 +15,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/groups/squid.xml b/playbooks/groups/squid.xml
index 2b16af0..0f6f9e2 100644
--- a/playbooks/groups/squid.xml
+++ b/playbooks/groups/squid.xml
@@ -8,13 +8,12 @@
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- base
- hosts
- rkhunter
- - nagios/client
+ - nagios_client
- collectd/base
- sudo
- rsyncd
diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml
index 7eac207..fcf2889 100644
--- a/playbooks/groups/virthost.yml
+++ b/playbooks/groups/virthost.yml
@@ -21,7 +21,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- hosts
- fas_client
- collectd/base
diff --git a/playbooks/manual/kernel-qa.yml b/playbooks/manual/kernel-qa.yml
index 49766db..76c48c9 100644
--- a/playbooks/manual/kernel-qa.yml
+++ b/playbooks/manual/kernel-qa.yml
@@ -15,7 +15,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- fas_client
- sudo
- hosts
diff --git a/playbooks/manual/qadevel.yml b/playbooks/manual/qadevel.yml
index 52d318b..b2c14d4 100644
--- a/playbooks/manual/qadevel.yml
+++ b/playbooks/manual/qadevel.yml
@@ -32,7 +32,7 @@
roles:
- base
- rkhunter
- - nagios/client
+ - nagios_client
- fas_client
- collectd/base
- sudo
diff --git a/roles/apache/handlers/main.yml b/roles/apache/handlers/main.yml
new file mode 100644
index 0000000..f599732
--- /dev/null
+++ b/roles/apache/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: restart apache
+ command: /usr/local/bin/conditional-restart.sh httpd httpd
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 89334d0..9d2e897 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -52,7 +52,7 @@
ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns
value=none
notify:
- restart NetworkManager
- when: ansible_distribution_major_version|int >=7 and ansible_distribution ==
'RedHat' and nmclitest is success and ( not ansible_ifcfg_blacklist) and not
nm_controlled_resolv
+ when: ansible_distribution_major_version|int >=7 and ansible_distribution !=
'Fedora' and nmclitest is success and ( not ansible_ifcfg_blacklist) and not
nm_controlled_resolv
tags:
- config
- resolvconf
diff --git a/roles/mod_wsgi/files/wsgi.conf b/roles/mod_wsgi/files/wsgi.conf
new file mode 100644
index 0000000..6c32a15
--- /dev/null
+++ b/roles/mod_wsgi/files/wsgi.conf
@@ -0,0 +1,14 @@
+LoadModule wsgi_module modules/mod_wsgi.so
+
+# Some apps, notably anything that uses hg, need these off
+WSGIRestrictStdin Off
+WSGIRestrictStdout Off
+
+# Put the socket somewhere writable
+WSGISocketPrefix run/wsgi
+
+# Do not Optimize without stripping docstrings
+WSGIPythonOptimize 0
+
+# Set WSGIApplicationGroup to global
+WSGIApplicationGroup %{GLOBAL}
diff --git a/roles/mod_wsgi/meta/main.yml b/roles/mod_wsgi/meta/main.yml
new file mode 100644
index 0000000..7f15145
--- /dev/null
+++ b/roles/mod_wsgi/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+- role: apache
+ when: wsgi_wants_apache
diff --git a/roles/mod_wsgi/tasks/main.yml b/roles/mod_wsgi/tasks/main.yml
new file mode 100644
index 0000000..e53e256
--- /dev/null
+++ b/roles/mod_wsgi/tasks/main.yml
@@ -0,0 +1,32 @@
+---
+# install mod_wsgi
+- name: install mod_wsgi
+ package:
+ name: mod_wsgi
+ state: present
+ tags:
+ - packages
+ when: ansible_distribution_major_version|int < 7 and ansible_distribution !=
'Fedora'
+
+- name: install mod_wsgi
+ package:
+ name: python3-mod_wsgi
+ state: present
+ tags:
+ - packages
+ when: ansible_distribution_major_version|int == 8 and ansible_distribution !=
'Fedora'
+
+- name: install mod_wsgi
+ package:
+ name: mod_wsgi
+ state: present
+ tags:
+ - packages
+ when: ansible_distribution == 'Fedora'
+
+- name: wsgi.conf
+ copy: src="wsgi.conf" dest=/etc/httpd/conf.d/wsgi.conf
+ notify:
+ - restart apache
+ tags:
+ - config
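Review bot: No install task matches a non-Fedora host whose major version is 7: the first task requires `< 7` and the second `== 8`, yet `wsgi.conf` with its `LoadModule wsgi_module` line is copied unconditionally and apache is restarted. On such a host httpd would be asked to load a module this role never installed. If EL7 is meant to use the `mod_wsgi` package, the first condition should read `when: ansible_distribution_major_version|int < 8 and ansible_distribution != 'Fedora'`. The three tasks also share the name `install mod_wsgi`; distinct names would make run output and `--start-at-task` unambiguous.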
diff --git a/roles/nagios_client/README.rst b/roles/nagios_client/README.rst
new file mode 100644
index 0000000..cc2f303
--- /dev/null
+++ b/roles/nagios_client/README.rst
@@ -0,0 +1,36 @@
+===================================
+ Nagios 4 Configuration for Fedora
+===================================
+
+The Fedora Infrastructure Nagios is built on a set of configurations
+originally written for Nagios 2 and then upgraded over time to Nagios
+3 and then 4.08. With additional changes made in the 4.2 series of
+Nagios this needed a better rewrite as various parts came from
+pre-puppet and then various puppet modules added on top.
+
+In order to get this rewrite done, we will use as much of the original
+layout of the Fedora ansible nagios module but with rewrites to better
+match current Nagios configurations so that it can be maintained.
+
+Role directory layout
+=====================
+The original layout branched out from
+
+ roles/nagios/client/
+ roles/nagios/server/
+
+With the usual trees below this. This breaks ansible best practices
+and how most new modules are set up so the rewrite uses:
+
+ roles/nagios_client/
+ roles/nagios_server/
+
+=====================
+ Nagios Client Files
+=====================
+
+For the most part the Nagios Client files seem to work from the
+original layout to the new site. Changes will only need to be made to
+playbooks for the initial changes.
+
+
diff --git a/roles/nagios_client/files/scripts/check_datanommer_timesince.py
b/roles/nagios_client/files/scripts/check_datanommer_timesince.py
new file mode 100755
index 0000000..ddc324c
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_datanommer_timesince.py
@@ -0,0 +1,72 @@
+#!/usr/bin/python2
+""" NRPE check for datanommer/fedmsg health.
+Given a category like 'bodhi', 'buildsys', or 'git', return an
error if
+datanommer hasn't seen a message of that type in such and such time.
+You can alternatively provide a 'topic' which might look like
+org.fedoraproject.prod.bodhi.update.comment.
+
+Requires: python-dateutil
+
+Usage:
+
+ $ check_datanommer_timesince CATEGORY WARNING_THRESH CRITICAL_THRESH
+
+:Author: Ralph Bean <rbean(a)redhat.com>
+
+"""
+
+import dateutil.relativedelta
+import subprocess
+import sys
+import json
+
+
+def query_timesince(identifier):
+ # If it has a '.', then assume it is a topic.
+ if '.' in identifier:
+ cmd = 'datanommer-latest --topic %s --timesince' % identifier
+ else:
+ cmd = 'datanommer-latest --category %s --timesince' % identifier
+ sys.stderr.write("Running %r\n" % cmd)
+ process = subprocess.Popen(cmd.split(), shell=False,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ stdout, stderr = process.communicate()
+ prefix, stdout = stdout.split("INFO] ", 1)
+ data = json.loads(stdout)
+ return float(data[0])
+
+
+def main():
+ identifier, warning_threshold, critical_threshold = sys.argv[-3:]
+ timesince = query_timesince(identifier)
+ warning_threshold = int(warning_threshold)
+ critical_threshold = int(critical_threshold)
+
+ time_strings = []
+ rd = dateutil.relativedelta.relativedelta(seconds=timesince)
+ for denomination in ['years', 'months', 'days',
'hours', 'minutes', 'seconds']:
+ value = getattr(rd, denomination, 0)
+ if value:
+ time_strings.append("%d %s" % (value, denomination))
+
+ string = ", ".join(time_strings)
+ reason = "datanommer has not seen a %r message in %s" % (identifier,
string)
+
+ if timesince > critical_threshold:
+ print "CRIT: ", reason
+ sys.exit(2)
+
+ if timesince > warning_threshold:
+ print "WARN: ", reason
+ sys.exit(1)
+
+ print "OK: ", reason
+ sys.exit(0)
+
+
+if __name__ == '__main__':
+ try:
+ main()
+ except Exception as e:
+ print "UNKNOWN: ", str(e)
+ sys.exit(3)
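Review bot: `query_timesince` formats `identifier` into a command string and then calls `cmd.split()`, so a value containing whitespace is split into extra arguments for `datanommer-latest`; `shell=False` prevents shell interpretation but not this. The identifier comes straight from `sys.argv`, so it is whatever the NRPE command definition passes through. Building the list directly keeps it a single argument: `cmd = ['datanommer-latest', '--topic', identifier, '--timesince']`, with the `--category` equivalent in the other branch. Separately, the child's exit status and `stderr` are discarded, so when the `INFO] ` marker is missing the check reports only an unpacking error; including `stderr` in the UNKNOWN message would make that failure diagnosable.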
diff --git a/roles/nagios_client/files/scripts/check_fcomm_queue
b/roles/nagios_client/files/scripts/check_fcomm_queue
new file mode 100644
index 0000000..14566fb
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_fcomm_queue
@@ -0,0 +1,23 @@
+#!/usr/bin/python2
+import sys
+
+try:
+ import retask.queue
+
+ queue = retask.queue.Queue('fedora-packages')
+ queue.connect()
+
+ items = queue.length
+ if items > 500:
+ print "CRITICAL: %i tasks in fcomm queue" % items
+ sys.exit(2)
+ elif items > 250:
+ print "WARNING: %i tasks in fcomm queue" % items
+ sys.exit(1)
+ else:
+ print "OK: %i tasks in fcomm queue" % items
+ sys.exit(0)
+
+except Exception as e:
+ print "UNKNOWN:", str(e)
+ sys.exit(3)
diff --git a/roles/nagios_client/files/scripts/check_fedmsg_consumer_backlog.py
b/roles/nagios_client/files/scripts/check_fedmsg_consumer_backlog.py
new file mode 100644
index 0000000..56fc98c
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_fedmsg_consumer_backlog.py
@@ -0,0 +1,65 @@
+#!/usr/bin/python
+
+import json
+import os
+import socket
+import sys
+import zmq
+
+try:
+ service = sys.argv[1]
+ check_consumer = sys.argv[2]
+ backlog_warning = int(sys.argv[3])
+ backlog_critical = int(sys.argv[4])
+ fname = '/var/run/fedmsg/monitoring-%s.socket' % service
+
+ if not os.path.exists(fname):
+ print("UNKNOWN - %s does not exist" % fname)
+ sys.exit(3)
+
+ if not os.access(fname, os.W_OK):
+ print("UNKNOWN - cannot write to %s" % fname)
+ sys.exit(3)
+
+ connect_to = "ipc:///%s" % fname
+ ctx = zmq.Context()
+ s = ctx.socket(zmq.SUB)
+ s.connect(connect_to)
+ try:
+ s.setsockopt(zmq.SUBSCRIBE, '')
+ except TypeError:
+ s.setsockopt_string(zmq.SUBSCRIBE, '')
+
+ poller = zmq.Poller()
+ poller.register(s, zmq.POLLIN)
+
+ timeout = 20000
+
+ events = dict(poller.poll(timeout))
+ if s in events and events[s] == zmq.POLLIN:
+ msg = s.recv()
+ msg = json.loads(msg)
+ else:
+ print('UNKNOWN - ZMQ timeout. No message received in %i ms' % timeout)
+ sys.exit(3)
+
+ for consumer in msg['consumers']:
+ if consumer['name'] == check_consumer:
+ if consumer['backlog'] is None:
+ print('ERROR: fedmsg consumer %s is not initialized' %
consumer['name'])
+ sys.exit(3)
+ elif consumer['backlog'] > backlog_critical:
+ print('CRITICAL: fedmsg consumer %s backlog value is %i' %
(consumer['name'],consumer['backlog']))
+ sys.exit(2)
+ elif consumer['backlog'] > backlog_warning:
+ print('WARNING: fedmsg consumer %s backlog value is %i' %
(consumer['name'],consumer['backlog']))
+ sys.exit(1)
+ else:
+ print('OK: fedmsg consumer %s backlog value is %i' %
(consumer['name'],consumer['backlog']))
+ sys.exit(0)
+
+ print("UNKNOWN: fedmsg consumer %s not found" % check_consumer)
+ sys.exit(3)
+except Exception as err:
+ print("UNKNOWN:", str(err))
+ sys.exit(3)
diff --git a/roles/nagios_client/files/scripts/check_fedmsg_consumer_exceptions.py
b/roles/nagios_client/files/scripts/check_fedmsg_consumer_exceptions.py
new file mode 100644
index 0000000..2f410dd
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_fedmsg_consumer_exceptions.py
@@ -0,0 +1,61 @@
+#!/usr/bin/python
+
+import json
+import os
+import socket
+import sys
+import zmq
+
+try:
+ service = sys.argv[1]
+ check_consumer = sys.argv[2]
+ exceptions_warning = int(sys.argv[3])
+ exceptions_critical = int(sys.argv[4])
+ fname = '/var/run/fedmsg/monitoring-%s.socket' % service
+
+ if not os.path.exists(fname):
+ print("UNKNOWN - %s does not exist" % fname)
+ sys.exit(3)
+
+ if not os.access(fname, os.W_OK):
+ print("UNKNOWN - cannot write to %s" % fname)
+ sys.exit(3)
+
+ connect_to = "ipc:///%s" % fname
+ ctx = zmq.Context()
+ s = ctx.socket(zmq.SUB)
+ s.connect(connect_to)
+ try:
+ s.setsockopt(zmq.SUBSCRIBE, '')
+ except TypeError:
+ s.setsockopt_string(zmq.SUBSCRIBE, '')
+ poller = zmq.Poller()
+ poller.register(s, zmq.POLLIN)
+
+ timeout = 20000
+
+ events = dict(poller.poll(timeout))
+ if s in events and events[s] == zmq.POLLIN:
+ msg = s.recv()
+ msg = json.loads(msg)
+ else:
+ print('UNKNOWN - ZMQ timeout. No message received in %i ms' % timeout)
+ sys.exit(3)
+
+ for consumer in msg['consumers']:
+ if consumer['name'] == check_consumer:
+ if consumer['exceptions'] > exceptions_critical:
+ print('CRITICAL: fedmsg consumer %s exceptions value is %i' %
(consumer['name'],consumer['exceptions']))
+ sys.exit(2)
+ elif consumer['exceptions'] > exceptions_warning:
+ print('WARNING: fedmsg consumer %s exceptions value is %i' %
(consumer['name'],consumer['exceptions']))
+ sys.exit(1)
+ else:
+ print('OK: fedmsg consumer %s exceptions value is %i' %
(consumer['name'],consumer['exceptions']))
+ sys.exit(0)
+
+ print("UNKNOWN: fedmsg consumers %s not found" % check_consumer)
+ sys.exit(3)
+except Exception as err:
+ print("UNKNOWN:", str(err))
+ sys.exit(3)
diff --git a/roles/nagios_client/files/scripts/check_fedmsg_producer_last_ran.py
b/roles/nagios_client/files/scripts/check_fedmsg_producer_last_ran.py
new file mode 100644
index 0000000..d41d07a
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_fedmsg_producer_last_ran.py
@@ -0,0 +1,72 @@
+#!/usr/bin/python
+
+import arrow
+import json
+import os
+import socket
+import sys
+import time
+import zmq
+
+try:
+ service = sys.argv[1]
+ check_producer = sys.argv[2]
+ elapsed_warning = int(sys.argv[3])
+ elapsed_critical = int(sys.argv[4])
+ fname = '/var/run/fedmsg/monitoring-%s.socket' % service
+
+ if not os.path.exists(fname):
+ print("UNKNOWN - %s does not exist" % fname)
+ sys.exit(3)
+
+ if not os.access(fname, os.W_OK):
+ print("UNKNOWN - cannot write to %s" % fname)
+ sys.exit(3)
+
+ connect_to = "ipc:///%s" % fname
+ ctx = zmq.Context()
+ s = ctx.socket(zmq.SUB)
+ s.connect(connect_to)
+ try:
+ s.setsockopt(zmq.SUBSCRIBE, '')
+ except TypeError:
+ s.setsockopt_string(zmq.SUBSCRIBE, '')
+
+ poller = zmq.Poller()
+ poller.register(s, zmq.POLLIN)
+
+ timeout = 20000
+
+ events = dict(poller.poll(timeout))
+ if s in events and events[s] == zmq.POLLIN:
+ msg = s.recv()
+ msg = json.loads(msg)
+ else:
+ print('UNKNOWN - ZMQ timeout. No message received in %i ms' % timeout)
+ sys.exit(3)
+
+ now = time.time()
+
+ for prod in msg['producers']:
+ if prod['name'] != check_producer:
+ continue
+ diff = now - prod['last_ran']
+ then = arrow.get(prod['last_ran']).humanize()
+ if diff > elapsed_critical:
+ print("CRITICAL: %s last ran %s (%i seconds ago)" % ()
+ check_producer, then, diff)
+ sys.exit(2)
+ elif diff > elapsed_warning:
+ print("WARNING: %s last ran %s (%i seconds ago)" % ()
+ check_producer, then, diff)
+ sys.exit(1)
+ else:
+ print("OK: %s last ran %s (%i seconds ago)" % ()
+ check_producer, then, diff)
+ sys.exit(0)
+
+ print("UNKNOWN: fedmsg producer %s not found" % check_producer)
+ sys.exit(3)
+except Exception as err:
+ print("UNKNOWN:", str(err))
+ sys.exit(3)
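Review bot: The three status `print` calls in the producer loop are not valid Python as shown: each first line ends with `% ()` and the next line continues with `check_producer, then, diff)`. The file would fail at parse time, before the `try`/`except` that maps errors to UNKNOWN can run, so the check exits with the interpreter's own status (1, which Nagios reads as WARNING) and a traceback instead of a plugin message. Each call should be one expression, e.g. `print("CRITICAL: %s last ran %s (%i seconds ago)" % (check_producer, then, diff))`, and likewise for the WARNING and OK branches.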
diff --git a/roles/nagios_client/files/scripts/check_fedmsg_producers_consumers.py
b/roles/nagios_client/files/scripts/check_fedmsg_producers_consumers.py
new file mode 100644
index 0000000..5029a5b
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_fedmsg_producers_consumers.py
@@ -0,0 +1,67 @@
+#!/usr/bin/python
+
+import json
+import os
+import socket
+import sys
+import zmq
+
+try:
+ service = sys.argv[1]
+ check_list = frozenset(sys.argv[2:])
+ fname = '/var/run/fedmsg/monitoring-%s.socket' % service
+
+ if not check_list:
+ print("UNKNOWN - empty list of fedmsg consumers and producers to
check")
+ sys.exit(3)
+
+ if not os.path.exists(fname):
+ print("UNKNOWN - %s does not exist" % fname)
+ sys.exit(3)
+
+ if not os.access(fname, os.W_OK):
+ print("UNKNOWN - cannot write to %s" % fname)
+ sys.exit(3)
+
+ connect_to = "ipc:///%s" % fname
+ ctx = zmq.Context()
+ s = ctx.socket(zmq.SUB)
+ s.connect(connect_to)
+ try:
+ s.setsockopt(zmq.SUBSCRIBE, '')
+ except TypeError:
+ s.setsockopt_string(zmq.SUBSCRIBE, '')
+ poller = zmq.Poller()
+ poller.register(s, zmq.POLLIN)
+
+ timeout = 20000
+
+ events = dict(poller.poll(timeout))
+ if s in events and events[s] == zmq.POLLIN:
+ msg = s.recv()
+ msg = json.loads(msg)
+ else:
+ print('UNKNOWN - ZMQ timeout. No message received in %i ms' % timeout)
+ sys.exit(3)
+
+ for consumer in msg['consumers']:
+ if consumer['name'] in check_list and not
consumer['initialized']:
+ print('ERROR: fedmsg consumer %s is not initialized' %
consumer['name'])
+ sys.exit(2)
+
+ for producer in msg['producers']:
+ if producer['name'] in check_list and not
producer['initialized']:
+ print('ERROR: fedmsg producer %s is not initialized' %
producer['name'])
+ sys.exit(2)
+
+ for item in check_list:
+ if item not in [p['name'] for p in msg['producers'] +
msg['consumers']]:
+ print('ERROR: %s not found among installed plugins' % item)
+ sys.exit(2)
+
+ print("OK: fedmsg consumer(s) and producer(s) initialized")
+ sys.exit(0)
+
+except Exception as err:
+ print("UNKNOWN:", str(err))
+ sys.exit(3)
diff --git a/roles/nagios_client/files/scripts/check_haproxy_conns.py
b/roles/nagios_client/files/scripts/check_haproxy_conns.py
new file mode 100755
index 0000000..7762ffa
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_haproxy_conns.py
@@ -0,0 +1,76 @@
+#!/usr/bin/python2
+""" Nagios check for haproxy over-subscription.
+
+fedmsg-gateway is the primary concern as it can eat up a ton of simultaneous
+connections.
+
+:Author: Ralph Bean <rbean(a)redhat.com>
+"""
+
+import socket
+import sys
+
+
+def _numeric(value):
+ """ Type casting utility """
+ try:
+ return int(value)
+ except ValueError:
+ try:
+ return float(value)
+ except ValueError:
+ return value
+
+
+def query(sockname="/var/run/haproxy-stat"):
+ """ Read stats from the haproxy socket and return a dict
"""
+ s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ s.connect("/var/run/haproxy-stat")
+ s.send('show info\n')
+ try:
+ response = s.recv(2048).strip()
+ lines = response.split('\n')
+ data = dict([map(str.strip, line.split(':')) for line in lines])
+ data = dict([(k, _numeric(v)) for k, v in data.items()])
+ return data
+ except Exception, e:
+ print str(e)
+ finally:
+ s.close()
+
+ return None
+
+
+def nagios_check(data):
+ """ Print warnings and return nagios exit codes. """
+
+ current = data['CurrConns']
+ maxconn = data['Maxconn']
+ percent = 100 * float(current) / float(maxconn)
+ details = "%.2f%% subscribed. %i current of %i maxconn." % (
+ percent, current, maxconn,
+ )
+
+ if percent < 50:
+ print "HAPROXY SUBS OK: " + details
+ return 0
+
+ if percent < 75:
+ print "HAPROXY SUBS WARN: " + details
+ return 1
+
+ if percent <= 100:
+ print "HAPROXY SUBS CRIT: " + details
+ return 2
+
+ print "HAPROXY SUBS UNKNOWN: " + details
+ return 3
+
+
+if __name__ == '__main__':
+ try:
+ data = query(sockname="/var/run/haproxy-stat")
+ except Exception as e:
+ print "HAPROXY SUBS UNKNOWN: " + str(e)
+ sys.exit(3)
+ sys.exit(nagios_check(data))
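Review bot: `query()` catches every exception while reading or parsing, prints it and returns `None`, and `sys.exit(nagios_check(data))` sits outside the `try` in `__main__`. A failed read therefore ends in an uncaught `TypeError` at `data['CurrConns']`, and Nagios sees the interpreter's exit status rather than `HAPROXY SUBS UNKNOWN` with code 3. Dropping the inner `except` (keeping `finally: s.close()`) and moving the `nagios_check` call inside the `try` sends every failure through the UNKNOWN path. The `sockname` parameter is also ignored, since the body hardcodes the path; it should be `s.connect(sockname)`.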
diff --git a/roles/nagios_client/files/scripts/check_ipa_replication
b/roles/nagios_client/files/scripts/check_ipa_replication
new file mode 100644
index 0000000..96ff469
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_ipa_replication
@@ -0,0 +1,74 @@
+#!/usr/bin/python
+# Source:
https://github.com/opinkerfi/nagios-plugins/blob/master/check_ipa/check_i...
+# Copyright 2013, Tomas Edwardsson
+# Copyright 2016, Patrick Uiterwijk
+#
+# This script is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This script is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <
http://www.gnu.org/licenses/>.
+
+import ldap
+from pynag.Plugins import PluginHelper, critical, warning, ok
+
+plugin = PluginHelper()
+
+plugin.parser.add_option('-u', help="ldap uri", dest="uri")
+plugin.parser.add_option('-D', help="bind DN",
dest="binddn")
+plugin.parser.add_option('-w', help="bind password",
dest="bindpw")
+plugin.parse_arguments()
+
+if not plugin.options.uri:
+ plugin.parser.error('-u (uri) argument is required')
+
+try:
+ l = ldap.initialize(plugin.options.uri)
+
+ if plugin.options.binddn:
+ l.bind_s(plugin.options.binddn, plugin.options.bindpw)
+
+ replication = l.search_s('cn=config',
+ ldap.SCOPE_SUBTREE,
+ '(objectclass=nsds5replicationagreement)',
+ ['nsDS5ReplicaHost', 'nsds5replicaLastUpdateStatus'])
+except Exception, e:
+ plugin.status(critical)
+ plugin.add_summary("Unable to initialize ldap connection: %s" % (e))
+ plugin.exit()
+
+
+# Loop through replication agreements
+for rhost in replication:
+ plugin.add_summary("Replica %s Status: %s" %
(rhost[1]['nsDS5ReplicaHost'][0],
rhost[1]['nsds5replicaLastUpdateStatus'][0]))
+
+ status = rhost[1]['nsds5replicaLastUpdateStatus'][0]
+ code = status[:2]
+ if status.startswith('Error ('):
+ # IPA >=4.4.0
+ code = status[status.find('(')+1:status.find(')')]
+ else:
+ # IPA <4.4.0
+ code = status[:status.find(' ')]
+
+ if code == '0':
+ plugin.status(ok)
+ elif code == '1':
+ # Busy Replica is not an error, its "unknown" (but its "ok"
for now)
+ plugin.status(ok)
+ else:
+ plugin.status(critical)
+
+if not len(replication):
+ plugin.add_summary("Warning: No replicas found")
+ plugin.status(warning)
+
+plugin.exit()
+
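Review bot: The bind password is accepted only through `-w` on the command line, which exposes it to other local users through the process list and places it in whatever NRPE or Nagios command definition invokes the check. An option naming a file readable only by the monitoring user, for example `plugin.parser.add_option('-y', help="file containing the bind password", dest="bindpwfile")`, would avoid both. Whether the simple bind is protected in transit depends entirely on the `-u` URI, since the script does not require `ldaps://` or StartTLS; the option help should say so. The first `code = status[:2]` assignment is dead, because both branches below overwrite it.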
diff --git a/roles/nagios_client/files/scripts/check_lock
b/roles/nagios_client/files/scripts/check_lock
new file mode 100644
index 0000000..a0aae02
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_lock
@@ -0,0 +1,17 @@
+#!/usr/bin/python2
+
+import fcntl
+import sys
+
+try:
+ f = open('/mnt/koji/.nagios_test', 'r')
+ f.close()
+ f = open('/mnt/koji/.nagios_test', 'w')
+except IOError:
+ print "Could not create file"
+ sys.exit(2)
+
+fcntl.flock(f, fcntl.LOCK_EX)
+f.close()
+print "File Locked Successfully"
+sys.exit(0)
diff --git a/roles/nagios_client/files/scripts/check_lock_file_age
b/roles/nagios_client/files/scripts/check_lock_file_age
new file mode 100755
index 0000000..f5abaa9
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_lock_file_age
@@ -0,0 +1,123 @@
+#! /usr/bin/perl -w
+
+# check_lock_file_age.pl Copyright (C) 2010 Ricky Elrod
<codeblock(a)fedoraproject.org>
+#
+# Fork of check_file_age.pl
+#
+# Checks a lock file's size and modification time to make sure it's not empty
+# and that it's sufficiently recent.
+#
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty
+# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# you should have received a copy of the GNU General Public License
+# along with this program (or with Nagios); if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA
+
+use strict;
+use English;
+use Getopt::Long;
+use File::stat;
+use vars qw($PROGNAME);
+use lib "/usr/lib64/nagios/plugins";
+use utils qw (%ERRORS &print_revision &support);
+
+sub print_help ();
+sub print_usage ();
+
+my ($opt_c, $opt_f, $opt_w, $opt_h, $opt_V);
+my ($result, $message, $age, $size, $st);
+
+$PROGNAME="check_lock_file_age";
+
+$opt_w = 1;
+$opt_c = 5;
+$opt_f = "";
+
+Getopt::Long::Configure('bundling');
+GetOptions(
+ "V" => \$opt_V, "version" => \$opt_V,
+ "h" => \$opt_h, "help" => \$opt_h,
+ "f=s" => \$opt_f, "file" => \$opt_f,
+ "w=f" => \$opt_w, "warning-age=f" => \$opt_w,
+ "c=f" => \$opt_c, "critical-age=f" => \$opt_c);
+
+if ($opt_V) {
+ print_revision($PROGNAME, '1.4.14');
+ exit $ERRORS{'OK'};
+}
+
+if ($opt_h) {
+ print_help();
+ exit $ERRORS{'OK'};
+}
+
+if (($opt_c and $opt_w) and ($opt_c < $opt_w)) {
+ print "Warning time must be less than Critical time.\n";
+ exit $ERRORS{'UNKNOWN'};
+}
+
+$opt_f = shift unless ($opt_f);
+
+if (! $opt_f) {
+ print "LOCK_FILE_AGE UNKNOWN: No file specified\n";
+ exit $ERRORS{'UNKNOWN'};
+}
+
+# Check that file exists (can be directory or link)
+unless (-e $opt_f) {
+ print "LOCK_FILE_AGE OK: File not found (Lock file removed) - $opt_f\n";
+ exit $ERRORS{'OK'};
+}
+
+$st = File::stat::stat($opt_f);
+$age = time - $st->mtime;
+
+$result = 'OK';
+
+# Convert minutes to seconds
+if($opt_c) { $opt_c *= 60; }
+if($opt_w) { $opt_w *= 60; }
+
+if ($opt_c and $age > $opt_c) {
+ $result = 'CRITICAL';
+}
+elsif ($opt_w and $age > $opt_w) {
+ $result = 'WARNING';
+}
+
+# If the age is higher than 2 minutes, convert seconds -> minutes
+# If it's higher than a day, use days.
+# Just a nicety, to make people not have to do math ;)
+if($age > 86400) { $age = int(($age/86400))." days"; }
+elsif($age > 120) { $age = int(($age/60))." minutes"; }
+else { $age = "$age seconds"; }
+
+print "LOCK_FILE_AGE $result: $opt_f is $age old.\n";
+exit $ERRORS{$result};
+
+sub print_usage () {
+ print "Usage:\n";
+ print " $PROGNAME [-w <secs>] [-c <secs>] -f <file>\n";
+ print " $PROGNAME [-h | --help]\n";
+ print " $PROGNAME [-V | --version]\n";
+}
+
+sub print_help () {
+ print_revision($PROGNAME, '1.4.14');
+ print "Copyright (c) 2010 Ricky Elrod\n\n";
+ print_usage();
+ print "\n";
+ print " <mins> File must be no more than this many minutes old (default:
warn 1m, crit 5m)\n";
+ print "\n";
+ support();
+}
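Review bot: In the GetOptions table the long option is declared as `"file" => \$opt_f` without a value specifier, so `--file /path` stores 1 in `$opt_f` instead of the path; it should read `"file=s" => \$opt_f`, matching the short form. The usage text advertises `-w <secs>` and `-c <secs>`, but the values are multiplied by 60 and the help line speaks of minutes, so the placeholders should be `<mins>`. Separately, `File::stat::stat($opt_f)` can return undef if the lock file is removed between the `-e` test and the stat, and `$st->mtime` would then die; checking `$st` and treating a vanished file as OK would keep that race from producing a spurious alert.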
diff --git a/roles/nagios_client/files/scripts/check_memcache_connect
b/roles/nagios_client/files/scripts/check_memcache_connect
new file mode 100644
index 0000000..9c9d6e9
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_memcache_connect
@@ -0,0 +1,24 @@
+#!/bin/bash
+#
+# 2014-11-19
+# Author: Ralph Bean <rbean(a)redhat.com>
+
+# exit codes
+ok=0
+warn=1
+crit=2
+unkn=3
+
+# Right now we just check to see if we can even run this command without
+# hanging and timing out. In the future, we could parse stdout for more
+# fine-grained information.
+echo stats | nc 127.0.0.1 11211 > /dev/null
+status=$?
+
+if [ $status -ne 0 ]; then
+ echo "CRIT: stats command got status code $status"
+ exit $crit
+else
+ echo "OK: stats command got status code $status"
+ exit $ok
+fi
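Review bot: The `nc 127.0.0.1 11211` call has no timeout, although the comment says the purpose is to detect a command that hangs, so a stalled memcached is reported only when NRPE kills the plugin. Giving nc its own limit, for example `echo stats | nc -w 5 127.0.0.1 11211 > /dev/null`, lets the script emit its own CRIT line. The `warn` and `unkn` variables are defined but never used.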
diff --git a/roles/nagios_client/files/scripts/check_osbs_api.py
b/roles/nagios_client/files/scripts/check_osbs_api.py
new file mode 100755
index 0000000..b836f00
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_osbs_api.py
@@ -0,0 +1,14 @@
+#!/usr/bin/python
+
+import requests
+import sys
+
+r = requests.get("https://localhost:8443/", verify=False)
+
+if 'paths' in r.json().keys():
+ print "OK: OSBS API endpoint is responding with path data"
+ sys.exit(0)
+else:
+ print "CRITICAL: OSBS API not responding properly"
+ sys.exit(2)
+
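Review bot: The `requests.get("https://localhost:8443/", verify=False)` call disables certificate verification and sets no timeout, and nothing catches a connection or JSON error. An unhandled exception ends the script with a traceback and exit status 1, which Nagios reads as WARNING rather than CRITICAL, and a hung endpoint blocks until NRPE times out. I would pass the cluster CA and a timeout, `r = requests.get("https://localhost:8443/", verify=CA_BUNDLE_PATH, timeout=10)` (CA_BUNDLE_PATH is a placeholder for the deployed CA file), and wrap the request and `r.json()` in a try/except that prints a CRITICAL line and exits 2. If verification really has to stay off for loopback, a comment saying why would help the next reviewer.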
diff --git a/roles/nagios_client/files/scripts/check_postfix_queue
b/roles/nagios_client/files/scripts/check_postfix_queue
new file mode 100644
index 0000000..44ab444
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_postfix_queue
@@ -0,0 +1,49 @@
+#!/bin/bash
+#
+# 19-07-2010
+# Author: Cherwin Nooitmeer <cherwin(a)gmail.com>
+#
+
+# exit codes
+e_ok=0
+e_warning=1
+e_critical=2
+e_unknown=3
+
+# regular expression that matches queue IDs (e.g. D71EF7AC80F8)
+queue_id='^[A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9]'
+
+usage="Invalid command line usage"
+
+if [ -z $1 ]; then
+ echo $usage
+ exit $e_unknown
+fi
+
+while getopts ":w:c:" options
+do
+ case $options in
+ w ) warning=$OPTARG ;;
+ c ) critical=$OPTARG ;;
+ * ) echo $usage
+ exit $e_unknown ;;
+ esac
+done
+
+# determine queue size
+qsize=$(mailq | egrep -c $queue_id)
+if [ -z $qsize ]
+then
+ exit $e_unknown
+fi
+
+if [ $qsize -ge $critical ]; then
+ retval=$e_critical
+elif [ $qsize -ge $warning ]; then
+ retval=$e_warning
+elif [ $qsize -lt $warning ]; then
+ retval=$e_ok
+fi
+
+echo "$qsize mail(s) in queue | mail_queue=$qsize"
+exit $retval
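Review bot: Nothing checks that both `-w` and `-c` were supplied, and every expansion in the tests is unquoted. With one threshold missing, each `[ $qsize -ge ... ]` fails with a syntax error, `retval` stays empty, and `exit $retval` returns the status of the preceding `echo`, so the check reports OK. After the getopts loop I would add `if [ -z "$warning" ] || [ -z "$critical" ]; then echo "$usage"; exit $e_unknown; fi` and quote the variables in the comparisons. The pattern should also be passed as `egrep -c "$queue_id"` so the brackets are not subject to pathname expansion in the working directory.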
diff --git a/roles/nagios_client/files/scripts/check_rabbitmq_size
b/roles/nagios_client/files/scripts/check_rabbitmq_size
new file mode 100644
index 0000000..ff6154a
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_rabbitmq_size
@@ -0,0 +1,26 @@
+#!/bin/python
+import sys
+import requests
+
+url = 'http://localhost:15672/api/queues/%%2f/%s' % (sys.argv[1])
+
+r = requests.get(url, auth=('guest', 'guest')).json()
+consumers = r['consumers']
+messages = r['messages']
+
+msg = 'Messages in queue: %i (%i consumers)' % (messages, consumers)
+
+if consumers < 1:
+ print 'CRITICAL: No consumers: %s' % msg
+ sys.exit(2)
+
+if messages > sys.argv[2]:
+ print 'CRITICAL: %s' % msg
+ sys.exit(2)
+
+if messages > sys.argv[3]:
+ print 'WARNING: %s' % msg
+ sys.exit(1)
+
+print 'OK: %s' % msg
+sys.exit(0)
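Review bot: The threshold tests `messages > sys.argv[2]` and `messages > sys.argv[3]` compare an integer with a string, which under Python 2 (the script uses print statements) is always false, so the check can only report OK or "No consumers". Convert first, `crit = int(sys.argv[2])` and `warn = int(sys.argv[3])`, and compare against those. The check_basset.cfg.j2 invocation later in this commit passes `check_submission 10 20`, which with this argument order makes the critical limit lower than the warning limit, so one of the two is probably swapped. The request also embeds the default `('guest', 'guest')` credentials and interpolates `sys.argv[1]` into the URL unescaped; reading the credentials from a root-owned file and quoting the queue name would be safer.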
diff --git a/roles/nagios_client/files/scripts/check_raid.py
b/roles/nagios_client/files/scripts/check_raid.py
new file mode 100644
index 0000000..e2597aa
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_raid.py
@@ -0,0 +1,45 @@
+#!/usr/bin/python2
+#
+# very simple python script to parse out /proc/mdstat
+# and give results for nagios to monitor
+#
+
+import sys
+import string
+
+devices = []
+
+try:
+ mdstat = string.split(open('/proc/mdstat').read(), '\n')
+except IOError:
+ # seems we have no software raid on this machines
+ sys.exit(0)
+
+error = ""
+i = 0
+for line in mdstat:
+ if line[0:2] == 'md':
+ device = string.split(line)[0]
+ devices.append(device)
+ status = string.split(mdstat[i+1])[-1]
+ if string.count(status, "_"):
+ # see if we can figure out what's going on
+ err = string.split(mdstat[i+2])
+ msg = "device=%s status=%s" % (device, status)
+ if len(err) > 0:
+ msg = msg + " rebuild=%s" % err[0]
+
+ if not error:
+ error = msg
+ else:
+ error = error + ", " + msg
+ i = i + 1
+
+if not error:
+ print "DEVICES %s OK" % " ".join(devices)
+ sys.exit(0)
+
+else:
+ print error
+ sys.exit(2)
+
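Review bot: When `/proc/mdstat` cannot be opened the script calls `sys.exit(0)` without printing anything, so Nagios shows an empty status line and a host that lost its md module looks the same as one that never had software RAID. Printing a line such as `print "OK: no software raid found"` before exiting makes that state visible. The loop also indexes `mdstat[i+1]` and `mdstat[i+2]` with a hand-maintained counter and no bounds check; `for i, line in enumerate(mdstat):` with a length guard would avoid an IndexError on a truncated file.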
diff --git a/roles/nagios_client/files/scripts/check_readonly_fs
b/roles/nagios_client/files/scripts/check_readonly_fs
new file mode 100755
index 0000000..cd2b197
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_readonly_fs
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+# check_readonlyfs: Check for readonly filesystems
+# Copyright (C) 2010 Davide Madrisan <davide.madrisan(a)gmail.com>
+
+PROGNAME=`/bin/basename $0`
+PROGPATH=`echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,'`
+REVISION=`echo '$Revision: 1 $' | sed -e 's/[^0-9.]//g'`
+
+. $PROGPATH/utils.sh
+
+print_usage() {
+ echo "Usage: $PROGNAME --no-network-fs"
+ echo "Usage: $PROGNAME --help"
+ echo "Usage: $PROGNAME --version"
+}
+
+print_help() {
+ print_revision $PROGNAME $REVISION
+ echo ""
+ print_usage
+ echo ""
+ echo "readonly filesystem checker plugin for Nagios"
+ echo ""
+ support
+}
+
+NETFS=1
+
+# Grab the command line arguments
+
+exitstatus=$STATE_WARNING #default
+
+while test -n "$1"; do
+ case "$1" in
+ --help|-h)
+ print_help
+ exit $STATE_OK
+ ;;
+ --version|-V)
+ print_revision $PROGNAME $REVISION
+ exit $STATE_OK
+ ;;
+ --no-network-fs|-n)
+ NETFS="0"
+ ;;
+ *)
+ echo "Unknown argument: $1"
+ print_usage
+ exit $STATE_UNKNOWN
+ ;;
+ esac
+ shift
+done
+
+[ -r /proc/mounts ] || { echo "cannot read /proc/mounts!"; exit $STATE_UNKNOWN;
}
+
+nerr=0
+IFS_SAVE="$IFS"
+
+rofs_list=""
+while read dev mp fs mopt ignore; do
+ [ "$dev" = none ] && continue
+ case $fs in binfmt_misc|devpts|iso9660|proc|selinuxfs|rpc_pipefs|sysfs|tmpfs|usbfs)
+ continue ;;
+ esac
+ case $fs in autofs|nfs|nfs4|smbfs)
+ # skip the network filesystems
+ [ "$NETFS" = 0 ] && continue ;;
+ esac
+
+ IFS=","; set -- $mopt; IFS="$IFS_SAVE"
+ while :; do
+ case "$1" in
+ ro) rofs_list="$rofs_list $mp"; nerr=$(( $nerr + 1 )) ;;
+ "") shift; break ;;
+ esac
+ shift
+ done
+done < <(LC_ALL=C /bin/cat /proc/mounts 2>/dev/null)
+
+[ $nerr -eq 0 ] && { echo OK; exit $STATE_OK; } || echo "$rofs_list: read
only fs"
+
+exit $exitstatus
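Review bot: The line `. $PROGPATH/utils.sh` is unquoted and its result is never checked, yet every exit code in the script comes from that file. If the source fails, `$STATE_WARNING` is empty, `exit $exitstatus` becomes a bare `exit`, and the script returns the status of the preceding `echo`, i.e. OK, even when read-only filesystems were listed. I would write `. "$PROGPATH/utils.sh" || { echo "cannot load utils.sh"; exit 3; }`, or use the absolute path that check_redis_queue.sh in this commit uses. A read-only filesystem is also reported only as WARNING by default, which may be lower than intended.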
diff --git a/roles/nagios_client/files/scripts/check_redis_queue.sh
b/roles/nagios_client/files/scripts/check_redis_queue.sh
new file mode 100644
index 0000000..ca1f186
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_redis_queue.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+. /usr/lib64/nagios/plugins/utils.sh
+
+if [[ "$#" -ne 3 ]]; then
+ echo "Arguments: key warn crit"
+ exit $STATE_UNKNOWN
+fi
+
+tasks="$(redis-cli llen "$1" | awk '{print $1}')"
+
+check_range $tasks $2:$3
+status=$?
+
+if [[ "$status" == "$STATE_OK" ]]; then
+ echo "OK: $1 queue has $tasks tasks"
+elif [[ "$status" == "$STATE_WARNING" ]]; then
+ echo "WARNING: $1 queue has $tasks tasks"
+elif [[ "$status" == "$STATE_CRITICAL" ]]; then
+ echo "CRITICAL: $1 queue has $tasks tasks"
+fi
+
+exit $status
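Review bot: The value in `tasks` is passed unquoted and unvalidated to `check_range $tasks $2:$3`, so when redis-cli fails or prints an error, the arguments shift or contain text and the result is undefined. I would reject non-numeric output first, for example `[[ "$tasks" =~ ^[0-9]+$ ]] || { echo "UNKNOWN: could not read length of $1"; exit $STATE_UNKNOWN; }`. The if/elif chain has no final branch, so any other return value exits with no output at all. The return value of check_range is used directly as the plugin state; its convention is defined in utils.sh, which is not part of this commit, and should be confirmed against the version installed on these hosts.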
diff --git a/roles/nagios_client/files/scripts/check_supybot_plugin
b/roles/nagios_client/files/scripts/check_supybot_plugin
new file mode 100755
index 0000000..7953cf0
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_supybot_plugin
@@ -0,0 +1,108 @@
+#!/usr/bin/python2
+""" check_supybot_plugin -- ensure that a plugin is loaded by supybot.
+
+Run like:
+
+ check_supybot_plugin --target fedmsg
+ check_supybot_plugin --target koji --debug
+
+"""
+
+import argparse
+import sys
+import socket
+import string
+import uuid
+
+
+def process_args():
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ '-t', '--target', default=None, dest='target',
+ help="Required. The plugin we're looking for."
+ )
+ parser.add_argument(
+ '-n', '--nick', default=None, dest='nick',
+ help="NICK to use when connecting to freenode.",
+ )
+ parser.add_argument(
+ '-d', '--debug', default=False, action='store_true',
+ help='Print out debug information.', dest='debug',
+ )
+ parser.add_argument(
+ '-H', '--host', default='irc.freenode.net',
+ help='Host to connect to.', dest='host',
+ )
+ parser.add_argument(
+ '-p', '--port', default=6667, type=int,
+ help='Host to connect to.', dest='port',
+ )
+ return parser.parse_args()
+
+args = process_args()
+
+# Use a random nick so people can't mess with us
+if not args.nick:
+ args.nick = 'nrpe-' + str(uuid.uuid4()).split('-')[0]
+
+name = "NRPE Bot"
+readbuffer = ""
+
+if not args.target:
+ print "UNKNOWN: No 'target' specified."
+ sys.exit(3)
+
+args.target = args.target.lower()
+
+if args.debug:
+ print "connecting to %s/%i" % (args.host, args.port)
+
+try:
+ s = socket.socket()
+ s.connect((args.host, args.port))
+
+ if args.debug:
+ print "as %s/%s (%s)" % (args.nick, args.nick, name)
+
+ s.send("nick %s\r\n" % args.nick)
+ s.send("USER %s %s bla :%s\r\n" % (args.nick, args.host, name))
+
+ while 1:
+ readbuffer = readbuffer+s.recv(1024)
+ temp = string.split(readbuffer, "\n")
+ readbuffer = temp.pop()
+
+ for line in temp:
+ line = string.rstrip(line)
+
+ if args.debug:
+ print " * ", line
+
+ line = string.split(line)
+
+ if line[1] == 'MODE':
+ msg = "privmsg zodbot :list\r\n"
+ if args.debug:
+ print "sending:"
+ print " ->", msg
+ s.send(msg)
+
+ if line[1] == 'PRIVMSG' and line[0] !=
':freenode-connect!frigg@freenode/utility-bot/frigg':
+ if args.debug:
+ print "Got our response.."
+
+ plugins = map(str.lower, ' '.join(line[3:][1:]).split(',
'))
+
+ if args.target in plugins:
+ print "OK"
+ s.send("QUIT")
+ sys.exit(0)
+ else:
+ print "CRITICAL: %r not loaded by supybot" % args.target
+ s.send("QUIT")
+ sys.exit(2)
+except Exception as e:
+ print "UNKNOWN: ", str(e)
+ if args.debug:
+ raise
+ sys.exit(3)
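Review bot: The response handler accepts the first PRIVMSG from any sender other than freenode-connect as the plugin list, so the result is not tied to the bot being queried; the random nick reduces the exposure but does not remove it. Checking the prefix, for example `if line[1] == 'PRIVMSG' and line[0].startswith(':zodbot!'):`, binds the answer to the expected nick, though a nick alone is still weak identity on a plaintext connection to port 6667. The socket has no timeout, so a server that never sends MODE keeps the check in `recv` until NRPE kills it; `s.settimeout(10)` after creating the socket would turn that into the UNKNOWN path. `line[1]` is also read without checking the length of the split line, and an empty line from the server would raise IndexError.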
diff --git a/roles/nagios_client/files/scripts/check_testcloud
b/roles/nagios_client/files/scripts/check_testcloud
new file mode 100644
index 0000000..eb8c7aa
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_testcloud
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+RUNNING_VMS=`testcloud instance list | grep -i 'running' | wc -l`
+CRITICAL=20
+WARNING=15
+
+
+if [ $RUNNING_VMS -gt $CRITICAL ]
+then
+ echo "Testcloud: CRITICAL Number of VMs running: $RUNNING_VMS"
+ exit 2
+elif [ $RUNNING_VMS -gt $WARNING ]
+then
+ echo "Testcloud: WARNING Number of VMs running: $RUNNING_VMS"
+ exit 1
+else
+ echo "Testcloud: OK Number of VMs running: $RUNNING_VMS"
+ exit 0
+fi
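Review bot: A failure of `testcloud instance list` is indistinguishable from zero running VMs, because only the output of `wc -l` is kept and the exit status of the pipeline's first command is discarded. The check then prints OK when the tool is missing or errors out. Capturing the listing first and exiting 3 with an UNKNOWN line when the command fails would close that gap; quoting `"$RUNNING_VMS"` in the tests is also worth doing.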
diff --git a/roles/nagios_client/files/scripts/check_timestamp_from_file
b/roles/nagios_client/files/scripts/check_timestamp_from_file
new file mode 100644
index 0000000..9064337
--- /dev/null
+++ b/roles/nagios_client/files/scripts/check_timestamp_from_file
@@ -0,0 +1,43 @@
+#!/usr/bin/env python
+
+# Takes a path to a file and a delta. The file must simply contain an epoch
+# timestamp. It can be an integer or a float, as can the delta.
+#
+# Alerts critical if (now - timestamp contained in file) > delta.
+#
+# Rick Elrod <relrod(a)redhat.com>
+# MIT
+
+import sys
+import time
+
+if len(sys.argv) != 3:
+ print('UNKNOWN: Pass path to file and delta as parameters')
+ sys.exit(3)
+
+filename = sys.argv[1]
+delta = float(sys.argv[2])
+
+timestamp = None
+
+try:
+ with open(filename, 'r') as f:
+ timestamp = float(f.read().strip())
+except Exception as e:
+ print('UNKNOWN: Unable to open/read file path')
+ sys.exit(3)
+
+difference = round(time.time() - timestamp, 2)
+if difference > delta:
+ print(
+ 'CRITICAL: Timestamp in file (%.2f) exceeds delta (%.2f) by %.2f seconds'
% (
+ timestamp,
+ delta,
+ difference - delta))
+ sys.exit(2)
+
+print('OK: Timestamp in file (%.2f) is within delta (%.2f) of now, by %.2f
seconds' % (
+ timestamp,
+ delta,
+ abs(difference - delta)))
+sys.exit(0)
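Review bot: The conversion `delta = float(sys.argv[2])` sits outside the try block, so a non-numeric delta ends the script with a traceback and exit status 1, which Nagios interprets as WARNING instead of UNKNOWN. Moving it into a try/except that prints `UNKNOWN: delta must be a number` and exits 3 keeps the plugin within its own status convention. The existing `except Exception as e:` never uses `e`; including it in the UNKNOWN message would distinguish a missing file from unparsable content.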
diff --git a/roles/nagios_client/files/selinux/fi-nrpe.mod
b/roles/nagios_client/files/selinux/fi-nrpe.mod
new file mode 100644
index 0000000..f055246
Binary files /dev/null and b/roles/nagios_client/files/selinux/fi-nrpe.mod differ
diff --git a/roles/nagios_client/files/selinux/fi-nrpe.pp
b/roles/nagios_client/files/selinux/fi-nrpe.pp
new file mode 100644
index 0000000..0e71b44
Binary files /dev/null and b/roles/nagios_client/files/selinux/fi-nrpe.pp differ
diff --git a/roles/nagios_client/files/selinux/fi-nrpe.te
b/roles/nagios_client/files/selinux/fi-nrpe.te
new file mode 100644
index 0000000..b438027
--- /dev/null
+++ b/roles/nagios_client/files/selinux/fi-nrpe.te
@@ -0,0 +1,15 @@
+module fi-nrpe 1.1;
+
+require {
+ type nagios_system_plugin_t;
+ type nagios_admin_plugin_t;
+ type nrpe_exec_t;
+ type bin_t;
+ class file { getattr map execute };
+}
+
+#============= nagios_system_plugin_t ==============
+allow nagios_system_plugin_t nrpe_exec_t:file getattr;
+
+# This is needed for e.g. check_file_age, which is a perl script
+allow nagios_admin_plugin_t bin_t:file { map execute };
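Review bot: The compiled fi-nrpe.mod and fi-nrpe.pp are committed as binaries next to this source, and the role installs the .pp directly, so nothing guarantees that the loaded policy matches the rules reviewed here. Building the module from fi-nrpe.te at deploy time, or recording how the .pp was produced, would make the policy auditable. The rule `allow nagios_admin_plugin_t bin_t:file { map execute };` is also wider than its comment suggests, since it covers every file labelled bin_t rather than the perl interpreter alone; a note on why a narrower type could not be used would help.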
diff --git a/roles/nagios_client/files/selinux/mirrormanager_container.pp
b/roles/nagios_client/files/selinux/mirrormanager_container.pp
new file mode 100644
index 0000000..31b8435
Binary files /dev/null and b/roles/nagios_client/files/selinux/mirrormanager_container.pp
differ
diff --git a/roles/nagios_client/files/selinux/mirrormanager_container.te
b/roles/nagios_client/files/selinux/mirrormanager_container.te
new file mode 100644
index 0000000..6180969
--- /dev/null
+++ b/roles/nagios_client/files/selinux/mirrormanager_container.te
@@ -0,0 +1,15 @@
+module mirrormanager_container 1.0;
+
+require {
+ type container_t;
+ type container_file_t;
+ type mirrormanager_log_t;
+ type nrpe_t;
+ class file { append getattr };
+}
+
+# Allow mirrorlist to append to its log
+allow container_t mirrormanager_log_t:file append;
+# Allow nrpe to check file age of mirrorlist pkl files
+allow nrpe_t container_file_t:file getattr;
+
diff --git a/roles/nagios_client/handlers/main.yml
b/roles/nagios_client/handlers/main.yml
new file mode 100644
index 0000000..11c84ac
--- /dev/null
+++ b/roles/nagios_client/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart nrpe
+ service: name=nrpe state=restarted
diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml
index 08a453a..2b97335 100644
--- a/roles/nagios_client/tasks/main.yml
+++ b/roles/nagios_client/tasks/main.yml
@@ -2,3 +2,289 @@
---
# install pkgs:
+- name: install nagios client pkgs
+ package: name={{ item }} state=present
+ with_items:
+ - nrpe
+ - nagios-plugins
+ - nagios-plugins-disk
+ - nagios-plugins-file_age
+ - nagios-plugins-users
+ - nagios-plugins-procs
+ - nagios-plugins-swap
+ - nagios-plugins-load
+ - nagios-plugins-ping
+ tags:
+ - packages
+ - nagios_client
+
+- name: install nagios tcp check for mirrorlist proxies
+ package: name=nagios-plugins-tcp state=present
+ tags:
+ - packages
+ - nagios_client
+ when: "'mailman' in group_names or 'mirrorlist_proxies' in
group_names"
+
+- name: install local nrpe check scripts that are not packaged
+ copy: src="scripts/{{ item }}" dest="{{ libdir }}/nagios/plugins/{{ item
}}" mode=0755 owner=nagios group=nagios
+ with_items:
+ - check_haproxy_conns.py
+ - check_postfix_queue
+ - check_raid.py
+ - check_lock
+ - check_fcomm_queue
+ - check_fedmsg_consumer_backlog.py
+ - check_fedmsg_consumer_exceptions.py
+ - check_fedmsg_producer_last_ran.py
+ - check_fedmsg_producers_consumers.py
+ - check_supybot_plugin
+ - check_rabbitmq_size
+ - check_datanommer_timesince.py
+ - check_memcache_connect
+ - check_readonly_fs
+ - check_lock_file_age
+ - check_testcloud
+ - check_osbs_api.py
+ - check_ipa_replication
+ - check_redis_queue.sh
+ - check_timestamp_from_file
+ when: not inventory_hostname.startswith('noc')
+ tags:
+ - nagios_client
+
+# create dirs
+# puppet used to make /var/spool/nagios (owned by nagios.nagios) mode 750
+# and /usr/lib/nagios/plugins (owned by root) mode 755 - but we don't know WHY
+# then stuff it with plugins from the plugins dir in the nagios module
+# then we symlinked that to /usr/lib64/nagios/plugins
+# it was a nightmare - don't do that - my ghost will haunt you if you do
+# skvidal 2013-05-21
+
+
+# Three tasks for handling our custom selinux module
+- name: ensure a directory exists for our custom selinux module
+ file: dest=/usr/share/nrpe state=directory
+ tags:
+ - config
+ - nagios_client
+
+- name: copy over our custom selinux module
+ copy: src=selinux/fi-nrpe.pp dest=/usr/share/nrpe/fi-nrpe.pp
+ register: selinux_module
+ tags:
+ - config
+ - nagios_client
+ - selinux
+
+- name: install our custom selinux module
+ command: semodule -i /usr/share/nrpe/fi-nrpe.pp
+ when: ansible_distribution_major_version|int == 7 and ansible_distribution !=
'Fedora' and selinux_module is changed
+ tags:
+ - config
+ - nagios_client
+ - selinux
+
+- name: copy over our custom selinux module for mirrorlist
+ copy: src=selinux/fi-nrpe.pp dest=/usr/share/nrpe/mirrormanager_container.pp
+ register: selinux_module_mirrorlist
+ when: "'proxy' in inventory_hostname"
+ tags:
+ - config
+ - nagios_client
+ - selinux
+
+- name: install our custom selinux module for mirrorlist
+ command: semodule -i /usr/share/nrpe/mirrormanager_container.pp
+ when: "'proxy' in inventory_hostname and selinux_module is changed"
+ tags:
+ - config
+ - nagios_client
+ - selinux
+
+# Set up our base config.
+- name: /etc/nagios/nrpe.cfg
+ template: src=nrpe.cfg.j2 dest=/etc/nagios/nrpe.cfg
+ when: not inventory_hostname.startswith('noc')
+ notify:
+ - restart nrpe
+ tags:
+ - config
+ - nagios_client
+
+#
+# The actual items files here end in .j2 (they are templates)
+# So when adding or modifying them change the .j2 version in git.
+#
+- name: install nrpe client configs
+ template: src={{ item }}.j2 dest=/etc/nrpe.d/{{ item }} owner=root group=root
mode=0644
+ with_items:
+ - check_raid.cfg
+ - check_ipa.cfg
+ - check_readonly_fs.cfg
+ - check_cron.cfg
+ - check_disk.cfg
+ - check_swap.cfg
+ - check_postfix_queue.cfg
+ - check_lock.cfg
+ - check_fedmsg_hub_proc.cfg
+ - check_fedmsg_irc_proc.cfg
+ - check_fedmsg_relay_proc.cfg
+ - check_fedmsg_gateway_proc.cfg
+ - check_fedmsg_composer_proc.cfg
+ - check_redis_proc.cfg
+ - check_fedmsg_consumers.cfg
+ - check_supybot_fedmsg_plugin.cfg
+ - check_datanommer_history.cfg
+ - check_memcache.cfg
+ - check_lock_file_age.cfg
+ - check_basset.cfg
+ - check_fmn.cfg
+ - check_osbs.cfg
+ - check_testcloud.cfg
+ - check_mirrorlist_docker_proxy.cfg
+ - check_mirrorlist_cache.cfg
+ - check_celery_redis_queue.cfg
+ - check_proxies.cfg
+ notify:
+ - restart nrpe
+ tags:
+ - config
+ - nagios_client
+
+#
+# The actual items files here end in .j2 (they are templates)
+# So when adding or modifying them change the .j2 version in git.
+#
+- name: install nrpe openvpn check config
+ template: src=check_openvpn_link.cfg.j2 dest=/etc/nrpe.d/check_openvpn_link.cfg
owner=root group=root mode=0644
+ when: vpn == true
+ notify:
+ - restart nrpe
+ tags:
+ - nagios_client
+#
+# The actual items files here end in .j2 (they are templates)
+# So when adding or modifying them change the .j2 version in git.
+#
+- name: install nrpe unbound check config
+ template: src=check_unbound_proc.cfg.j2 dest=/etc/nrpe.d/check_unbound_proc.cfg
owner=root group=root mode=0644
+ when: inventory_hostname.startswith('unbound')
+ notify:
+ - restart nrpe
+ tags:
+ - nagios_client
+#
+# The actual items files here end in .j2 (they are templates)
+# So when adding or modifying them change the .j2 version in git.
+#
+- name: install nrpe merged log check script on log01
+ template: src=check_merged_file_age.cfg.j2 dest=/etc/nrpe.d/check_merged_file_age.cfg
owner=root group=root mode=0644
+ when: inventory_hostname.startswith('log0')
+ notify:
+ - restart nrpe
+ tags:
+ - nagios_client
+#
+# The actual items files here end in .j2 (they are templates)
+# So when adding or modifying them change the .j2 version in git.
+#
+- name: install nrpe check_mysql config for mariadb servers
+ template: src=check_mysql.cfg.j2 dest=/etc/nrpe.d/check_mysql.cfg owner=root group=root
mode=0644
+ when: inventory_hostname.startswith('db03')
+ notify:
+ - restart nrpe
+ tags:
+ - nagios_client
+
+- name: install nrpe checks for mailman01
+ template: src={{ item }}.j2 dest=/etc/nrpe.d/{{ item }} owner=root group=root
mode=0644
+ with_items:
+ - check_mailman_api.cfg
+ when: inventory_hostname.startswith('mailman01')
+ notify:
+ - restart nrpe
+ tags:
+ - nagios_client
+
+- name: install nrpe checks for proxies
+ template: src={{ item }}.j2 dest=/etc/nrpe.d/{{ item }} owner=root group=root
mode=0644
+ with_items:
+ - check_happroxy_conns.cfg
+ - check_varnish_proc.cfg
+ when: inventory_hostname.startswith('proxy')
+ notify:
+ - restart nrpe
+ tags:
+ - nagios_client
+
+- name: install nrpe checks for sigul_bridge
+ template: src={{ item }}.j2 dest=/etc/nrpe.d/{{ item }} owner=root group=root
mode=0644
+ with_items:
+ - check_sigul_bridge_proc.cfg
+ when: inventory_hostname.startswith('sign-bridge')
+ notify:
+ - restart nrpe
+ tags:
+ - nagios_client
+
+- name: install nrpe checks for sundries/websites
+ template: src={{ item }}.j2 dest=/etc/nrpe.d/{{ item }} owner=root group=root
mode=0644
+ with_items:
+ - check_websites_buildtime.cfg
+ when: inventory_hostname.startswith('sundries')
+ notify:
+ - restart nrpe
+ tags:
+ - nagios_client
+
+- name: install nrpe config for the RabbitMQ checks
+ template:
+ src: "rabbitmq_args.ini.j2"
+ dest: "/etc/nrpe.d/rabbitmq_args.ini"
+ owner: root
+ group: nrpe
+ mode: 0640
+ when: inventory_hostname.startswith('rabbitmq')
+ tags:
+ - nagios_client
+
+- name: install nrpe checks for the RabbitMQ cluster
+ template:
+ src: "{{ item }}.j2"
+ dest: "/etc/nrpe.d/{{ item }}"
+ owner: root
+ group: root
+ mode: 0644
+ with_items:
+ - check_rabbitmq_server.cfg
+ - check_rabbitmq_watermark.cfg
+ - check_rabbitmq_cluster.cfg
+ - check_rabbitmq_connections.cfg
+ - check_rabbitmq_overview.cfg
+ - check_rabbitmq_exchange.cfg
+ - check_rabbitmq_queue.cfg
+ when: inventory_hostname.startswith('rabbitmq')
+ notify:
+ - restart nrpe
+ tags:
+ - nagios_client
+
+- name: nrpe service start
+ service: name=nrpe state=started enabled=true
+ tags:
+ - service
+ - nagios_client
+
+- name: Check if the fedmsg group exists
+ shell: /usr/bin/getent group fedmsg | /usr/bin/wc -l | tr -d ' '
+ register: fedmsg_exists
+ check_mode: no
+ changed_when: "1 != 1"
+ tags:
+ - nagios_client
+
+- name: Add nrpe user to the fedmsg group if it exists
+ user: name=nrpe groups=fedmsg append=yes
+ when: fedmsg_exists.stdout == "1"
+ tags:
+ - nagios_client
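Review bot: The task "copy over our custom selinux module for mirrorlist" copies `src=selinux/fi-nrpe.pp` to mirrormanager_container.pp, so the mirrorlist policy added in this commit is never deployed and a second copy of fi-nrpe is loaded in its place. It should read `copy: src=selinux/mirrormanager_container.pp dest=/usr/share/nrpe/mirrormanager_container.pp`. The following install task tests `selinux_module is changed` instead of the registered `selinux_module_mirrorlist`, so it should be `when: "'proxy' in inventory_hostname and selinux_module_mirrorlist is changed"`. In the proxies task the item `check_happroxy_conns.cfg` looks like a misspelling given the script is named check_haproxy_conns.py, and the rabbitmq_args.ini task has no `notify: restart nrpe`; both are worth confirming.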
diff --git a/roles/nagios_client/templates/check_basset.cfg.j2
b/roles/nagios_client/templates/check_basset.cfg.j2
new file mode 100644
index 0000000..c543d1c
--- /dev/null
+++ b/roles/nagios_client/templates/check_basset.cfg.j2
@@ -0,0 +1,4 @@
+command[check_mongo_proc]={{ libdir }}/nagios/plugins/check_procs -s RSD -u mongodb -C
mongod -c 1:1
+command[check_rabbitmq_proc]={{ libdir }}/nagios/plugins/check_procs -s RSD -u rabbitmq
-C beam.smp -c 1:1
+command[check_worker_proc]={{ libdir }}/nagios/plugins/check_procs -s RSD -u
basset-worker -C basset-worker -c 1:6
+command[check_basset_queue]={{ libdir }}/nagios/plugins/check_rabbitmq_size
check_submission 10 20
diff --git a/roles/nagios_client/templates/check_celery_redis_queue.cfg.j2
b/roles/nagios_client/templates/check_celery_redis_queue.cfg.j2
new file mode 100644
index 0000000..56279f3
--- /dev/null
+++ b/roles/nagios_client/templates/check_celery_redis_queue.cfg.j2
@@ -0,0 +1 @@
+command[check_celery_redis_queue]=/usr/lib64/nagios/plugins/check_redis_queue.sh celery 5
10
diff --git a/roles/nagios_client/templates/check_cron.cfg.j2
b/roles/nagios_client/templates/check_cron.cfg.j2
new file mode 100644
index 0000000..b2030c5
--- /dev/null
+++ b/roles/nagios_client/templates/check_cron.cfg.j2
@@ -0,0 +1 @@
+command[check_cron]={{ libdir }}/nagios/plugins/check_procs -c 1:15 -C 'crond' -u
root
diff --git a/roles/nagios_client/templates/check_datanommer_history.cfg.j2
b/roles/nagios_client/templates/check_datanommer_history.cfg.j2
new file mode 100644
index 0000000..aa58c83
--- /dev/null
+++ b/roles/nagios_client/templates/check_datanommer_history.cfg.j2
@@ -0,0 +1,49 @@
+# Checks on the datanommer history to make sure we're still receiving messages
+# of all types.
+#
+# The following are fedmsg/datanommer checks to be run on busgateway01.
+# They check for the time since the latest message in any particular category.
+# The first number is the seconds elapsed until we should raise a warning.
+# The second number is the seconds elapsed until we should raise an error.
+# For your reference:
+# 4 hours -> 14400
+# 1 day -> 86400
+# 3 days -> 259200
+# 1 week -> 604800
+# 3 weeks -> 1814400
+# 1 month -> 2628000
+# 3 months -> 7884000
+command[check_datanommer_anitya]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
anitya 604800 1814400
+command[check_datanommer_ansible]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
ansible 432000 604800
+command[check_datanommer_bodhi]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
bodhi 86400 604800
+command[check_datanommer_bodhi_composes]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
org.fedoraproject.prod.bodhi.compose.start 86400 90000
+command[check_datanommer_buildsys]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
buildsys 14400 86400
+command[check_datanommer_compose]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
compose 259200 1814400
+command[check_datanommer_copr]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
copr 21600 86400
+command[check_datanommer_faf]={{libdir}}/nagios/plugins/check_datanommer_timesince.py faf
86400 259200
+command[check_datanommer_fas]={{libdir}}/nagios/plugins/check_datanommer_timesince.py fas
1814400 2628000
+command[check_datanommer_fedbadges]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
fedbadges 86400 259200
+command[check_datanommer_fedimg]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
fedimg 259200 604800
+command[check_datanommer_fedocal]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
fedocal 7884000 23652000
+command[check_datanommer_fmn]={{libdir}}/nagios/plugins/check_datanommer_timesince.py fmn
604800 1814400
+command[check_datanommer_git]={{libdir}}/nagios/plugins/check_datanommer_timesince.py git
86400 604800
+command[check_datanommer_github]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
github 432000 604800
+command[check_datanommer_greenwave]=/usr/lib64/nagios/plugins/check_datanommer_timesince.py
greenwave 172800 172800
+command[check_datanommer_hotness]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
hotness 604800 1814400
+command[check_datanommer_kerneltest]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
kerneltest 604800 1814400
+command[check_datanommer_koschei]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
koschei 86400 604800
+command[check_datanommer_mdapi]=/usr/lib64/nagios/plugins/check_datanommer_timesince.py
mdapi 28800 86400
+command[check_datanommer_meetbot]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
meetbot 604800 2628000
+command[check_datanommer_pkgdb]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
pkgdb 1814400 2628000
+command[check_datanommer_planet]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
planet 2628000 7884000
+command[check_datanommer_resultsdb]=/usr/lib64/nagios/plugins/check_datanommer_timesince.py
resultsdb 172800 172800
+command[check_datanommer_trac]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
trac 86400 259200
+command[check_datanommer_rpmsign]=/usr/lib64/nagios/plugins/check_datanommer_timesince.py
org.fedoraproject.prod.buildsys.rpm.sign 14400 10800
+command[check_datanommer_wiki]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
wiki 259200 1814400
+
+# This one is retired since it times out all the time. Too few messages.
+#command[check_datanommer_nuancier]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
nuancier 23652000 31536000
+
+# These are not actually finished and deployed yet
+command[check_datanommer_mailman]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
mailman 14400 86400
+command[check_datanommer_bugzilla]={{libdir}}/nagios/plugins/check_datanommer_timesince.py
bugzilla 86400 259200
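Review bot: The `check_datanommer_rpmsign` entry passes `14400 10800`, which by the header comment (first number warning, second error) puts the error threshold below the warning threshold. Depending on how check_datanommer_timesince.py orders its comparisons, the warning state is either unreachable or the check misbehaves; the intended pair is probably the other way round. Four entries (greenwave, mdapi, resultsdb, rpmsign) hard-code `/usr/lib64` while the rest use `{{libdir}}`, which will break on any host where libdir differs.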
diff --git a/roles/nagios_client/templates/check_disk.cfg.j2
b/roles/nagios_client/templates/check_disk.cfg.j2
new file mode 100644
index 0000000..27dff82
--- /dev/null
+++ b/roles/nagios_client/templates/check_disk.cfg.j2
@@ -0,0 +1,19 @@
+{% if inventory_hostname.startswith('openqa') %}
+command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -p /
+{% else %}
+command[check_disk_/]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /
+{% endif %}
+command[check_disk_/boot]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /boot
+command[check_disk_/git]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /git
+command[check_disk_/mnt/koji]=/usr/lib64/nagios/plugins/check_disk -w 10% -c 5% -p
/mnt/koji
+command[check_disk_/postgreslogs]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p
/postgreslogs
+command[check_disk_/project/]=/usr/lib64/nagios/plugins/check_disk -w 5% -c 1% -p
/project/
+command[check_disk_/srv/buildmaster]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10%
-p /srv/buildmaster
+command[check_disk_/srv/cache/lookaside]=/usr/lib64/nagios/plugins/check_disk -w 20% -c
10% -p /srv/cache/lookaside
+command[check_disk_/srv/diskimages]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p
/srv/diskimages
+command[check_disk_/srv]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /srv
+command[check_disk_huge_/srv]=/usr/lib64/nagios/plugins/check_disk -w 5% -c 1% -p /srv
+command[check_disk_/u01]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p /u01
+command[check_disk_/srv/registry]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p
/srv/registry
+command[check_disk_/var/lib64/mock]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p
/var/lib/mock
+command[check_disk_/var/log]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 10% -p
/var/log
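Review bot: The entry named `check_disk_/var/lib64/mock` runs check_disk with `-p /var/lib/mock`, so the command name and the monitored path disagree. This looks like a lib-to-lib64 substitution that also hit the name. If the server-side service definition expects the unmodified name, the check will come back as an undefined command rather than a disk alert. The line should probably read `command[check_disk_/var/lib/mock]=... -p /var/lib/mock`, after confirming the name the Nagios server actually calls. Every command in this file also hardcodes `/usr/lib64/nagios/plugins` while sibling templates in this commit use `{{ libdir }}`; the same applies to check_mailman_api, check_memcache, check_redis_proc and the check_rabbitmq_* templates.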
diff --git a/roles/nagios_client/templates/check_fedmsg_composer_proc.cfg.j2
b/roles/nagios_client/templates/check_fedmsg_composer_proc.cfg.j2
new file mode 100644
index 0000000..9e41841
--- /dev/null
+++ b/roles/nagios_client/templates/check_fedmsg_composer_proc.cfg.j2
@@ -0,0 +1 @@
+command[check_fedmsg_composer_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -C
'fedmsg-hub-3' -u apache
diff --git a/roles/nagios_client/templates/check_fedmsg_consumers.cfg.j2
b/roles/nagios_client/templates/check_fedmsg_consumers.cfg.j2
new file mode 100644
index 0000000..4160a8a
--- /dev/null
+++ b/roles/nagios_client/templates/check_fedmsg_consumers.cfg.j2
@@ -0,0 +1,60 @@
+# Fedmsg checks for consumers and producers
+command[check_fedmsg_cp_busgateway_hub]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py
fedmsg-hub Nommer MonitoringProducer
+command[check_fedmsg_cp_busgateway_relay]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py
fedmsg-relay RelayConsumer MonitoringProducer
+{% if (ansible_distribution == 'RedHat' and
ansible_distribution_major_version|int < 8) or (ansible_distribution_major_version|int
< 30 and ansible_distribution == 'Fedora') %}
+command[check_fedmsg_cp_busgateway_gateway]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py
fedmsg-gateway GatewayConsumer MonitoringProducer
+{% else %}
+command[check_fedmsg_cp_busgateway_gateway]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py
fedmsg-gateway- GatewayConsumer MonitoringProducer
+{% endif %}
+command[check_fedmsg_cp_anitya_relay]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py
fedmsg-relay RelayConsumer MonitoringProducer
+command[check_fedmsg_cp_app]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py
fedmsg-relay RelayConsumer MonitoringProducer
+command[check_fedmsg_cp_value]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py
fedmsg-irc IRCBotConsumer MonitoringProducer
+command[check_fedmsg_cp_badges_backend]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py
fedmsg-hub FedoraBadgesConsumer MonitoringProducer
+command[check_fedmsg_cp_notifs_backend]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py
fedmsg-hub FMNConsumer DigestProducer ConfirmationProducer MonitoringProducer
+command[check_fedmsg_cp_bugzilla2fedmsg]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py
moksha-hub BugzillaConsumer MonitoringProducer
+command[check_fedmsg_cp_fedimg_backend]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py
fedmsg-hub FedimgConsumer MonitoringProducer
+command[check_fedmsg_cp_hotness_backend]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py
fedmsg-hub BugzillaTicketFiler MonitoringProducer
+command[check_fedmsg_cp_packages_backend]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py
fedmsg-hub CacheInvalidator MonitoringProducer
+command[check_fedmsg_cp_pdc_backend]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py
fedmsg-hub PDCUpdater MonitoringProducer
+command[check_fedmsg_cp_mbs_backend]={{libdir}}/nagios/plugins/check_fedmsg_producers_consumers.py
fedmsg-hub MBSConsumer MBSProducer MonitoringProducer
+
+command[check_fedmsg_cexceptions_busgateway_hub]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py
fedmsg-hub Nommer 1 10
+command[check_fedmsg_cexceptions_busgateway_relay]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py
fedmsg-relay RelayConsumer 1 10
+{% if (ansible_distribution == 'RedHat' and
ansible_distribution_major_version|int < 8) or (ansible_distribution_major_version|int
< 30 and ansible_distribution == 'Fedora') %}
+command[check_fedmsg_cexceptions_busgateway_gateway]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py
fedmsg-gateway GatewayConsumer 1 10
+{% else %}
+command[check_fedmsg_cexceptions_busgateway_gateway]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py
fedmsg-gateway- GatewayConsumer 1 10
+{% endif %}
+command[check_fedmsg_cexceptions_anitya_relay]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py
fedmsg-relay RelayConsumer 1 10
+command[check_fedmsg_cexceptions_app]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py
fedmsg-relay RelayConsumer 1 10
+command[check_fedmsg_cexceptions_value]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py
fedmsg-irc IRCBotConsumer 1 10
+command[check_fedmsg_cexceptions_badges_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py
fedmsg-hub FedoraBadgesConsumer 1 10
+command[check_fedmsg_cexceptions_notifs_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py
fedmsg-hub FMNConsumer 1 10
+command[check_fedmsg_cexceptions_bugzilla2fedmsg]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py
moksha-hub BugzillaConsumer 1 10
+command[check_fedmsg_cexceptions_fedimg_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py
fedmsg-hub FedimgConsumer 1 10
+command[check_fedmsg_cexceptions_hotness_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py
fedmsg-hub BugzillaTicketFiler 1 10
+command[check_fedmsg_cexceptions_packages_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py
fedmsg-hub CacheInvalidator 1 10
+command[check_fedmsg_cexceptions_pdc_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py
fedmsg-hub PDCUpdater 1 10
+command[check_fedmsg_cexceptions_mbs_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_exceptions.py
fedmsg-hub MBSConsumer 1 10
+
+command[check_fedmsg_cbacklog_busgateway_hub]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py
fedmsg-hub Nommer 500 1000
+command[check_fedmsg_cbacklog_busgateway_relay]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py
fedmsg-relay RelayConsumer 10 50
+{% if (ansible_distribution == 'RedHat' and
ansible_distribution_major_version|int < 8) or (ansible_distribution_major_version|int
< 30 and ansible_distribution == 'Fedora') %}
+command[check_fedmsg_cbacklog_busgateway_gateway]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py
fedmsg-gateway GatewayConsumer 10 50
+{% else %}
+command[check_fedmsg_cbacklog_busgateway_gateway]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py
fedmsg-gateway- GatewayConsumer 10 50
+{% endif %}
+command[check_fedmsg_cbacklog_anitya_relay]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py
fedmsg-relay RelayConsumer 10 50
+command[check_fedmsg_cbacklog_app]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py
fedmsg-relay RelayConsumer 10 50
+command[check_fedmsg_cbacklog_value]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py
fedmsg-irc IRCBotConsumer 10 50
+command[check_fedmsg_cbacklog_badges_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py
fedmsg-hub FedoraBadgesConsumer 25000 35000
+command[check_fedmsg_cbacklog_notifs_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py
fedmsg-hub FMNConsumer 15000 20000
+command[check_fedmsg_cbacklog_bugzilla2fedmsg]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py
moksha-hub BugzillaConsumer 10 100
+command[check_fedmsg_cbacklog_fedimg_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py
fedmsg-hub FedimgConsumer 2000 5000
+command[check_fedmsg_cbacklog_hotness_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py
fedmsg-hub BugzillaTicketFiler 1000 5000
+command[check_fedmsg_cbacklog_packages_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py
fedmsg-hub CacheInvalidator 30000 40000
+command[check_fedmsg_cbacklog_pdc_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py
fedmsg-hub PDCUpdater 10000 20000
+command[check_fedmsg_cbacklog_mbs_backend]={{libdir}}/nagios/plugins/check_fedmsg_consumer_backlog.py
fedmsg-hub MBSConsumer 10000 20000
+
+command[check_fedmsg_fmn_digest_last_ran]={{libdir}}/nagios/plugins/check_fedmsg_producer_last_ran.py
fedmsg-hub DigestProducer 90 600
+command[check_fedmsg_fmn_confirm_last_ran]={{libdir}}/nagios/plugins/check_fedmsg_producer_last_ran.py
fedmsg-hub ConfirmationProducer 90 600
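Review bot: The `fedmsg-gateway-` argument in the three `{% else %}` branches reads like a truncated name, and nothing in the file says whether the trailing hyphen is deliberate. The check_fedmsg_gateway_proc template in this commit names the newer process `fedmsg-gateway-3`, so this is presumably that name cut to the 15-character process-name field, but the plugin's matching is not visible here. A template comment above the first branch would record that, for example `{# 'fedmsg-gateway-' is fedmsg-gateway-3 as it appears in the truncated process name; confirm against the plugin #}`. The distribution test is also copied verbatim three times; setting it once with `{% set %}` at the top would keep the three gateway checks from drifting apart.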
diff --git a/roles/nagios_client/templates/check_fedmsg_gateway_proc.cfg.j2
b/roles/nagios_client/templates/check_fedmsg_gateway_proc.cfg.j2
new file mode 100644
index 0000000..fbf7986
--- /dev/null
+++ b/roles/nagios_client/templates/check_fedmsg_gateway_proc.cfg.j2
@@ -0,0 +1,5 @@
+{% if (( ansible_distribution_major_version == "8" ) and ( ansible_distribution
== "RedHat" )) or ((ansible_distribution_major_version|int >= 30) and
(ansible_distribution == "Fedora")) %}
+command[check_fedmsg_gateway_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1
--ereg-argument-array='fedmsg-gateway-3' -u fedmsg
+{% else %}
+command[check_fedmsg_gateway_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -C
'fedmsg-gateway' -u fedmsg
+{% endif %}
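Review bot: The RedHat half of this condition compares `ansible_distribution_major_version == "8"` as a string, whereas check_fedmsg_consumers.cfg.j2 in the same commit uses `ansible_distribution_major_version|int < 8` for the opposite branch. On a RedHat host with a major version above 8 the two templates would disagree: the consumer checks take the new process name while this check still looks for `-C 'fedmsg-gateway'`, and `-c 1:1` would then report critical or monitor the wrong process. Writing it as `{% if (ansible_distribution == "RedHat" and ansible_distribution_major_version|int >= 8) or (ansible_distribution == "Fedora" and ansible_distribution_major_version|int >= 30) %}` makes it the exact complement of the other template.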
diff --git a/roles/nagios_client/templates/check_fedmsg_hub_proc.cfg.j2
b/roles/nagios_client/templates/check_fedmsg_hub_proc.cfg.j2
new file mode 100644
index 0000000..17ec341
--- /dev/null
+++ b/roles/nagios_client/templates/check_fedmsg_hub_proc.cfg.j2
@@ -0,0 +1 @@
+command[check_fedmsg_hub_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -C
'fedmsg-hub' -u fedmsg
diff --git a/roles/nagios_client/templates/check_fedmsg_irc_proc.cfg.j2
b/roles/nagios_client/templates/check_fedmsg_irc_proc.cfg.j2
new file mode 100644
index 0000000..92090dc
--- /dev/null
+++ b/roles/nagios_client/templates/check_fedmsg_irc_proc.cfg.j2
@@ -0,0 +1 @@
+command[check_fedmsg_irc_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -C
'fedmsg-irc' -u fedmsg
diff --git a/roles/nagios_client/templates/check_fedmsg_relay_proc.cfg.j2
b/roles/nagios_client/templates/check_fedmsg_relay_proc.cfg.j2
new file mode 100644
index 0000000..c471575
--- /dev/null
+++ b/roles/nagios_client/templates/check_fedmsg_relay_proc.cfg.j2
@@ -0,0 +1 @@
+command[check_fedmsg_relay_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -C
'fedmsg-relay' -u fedmsg
diff --git a/roles/nagios_client/templates/check_fmn.cfg.j2
b/roles/nagios_client/templates/check_fmn.cfg.j2
new file mode 100644
index 0000000..8052eea
--- /dev/null
+++ b/roles/nagios_client/templates/check_fmn.cfg.j2
@@ -0,0 +1,3 @@
+command[check_fmn_worker_queue]={{ libdir }}/nagios/plugins/check_rabbitmq_size
fmn.tasks.unprocessed_messages 200 1000
+command[check_fmn_backend_irc_queue]={{ libdir }}/nagios/plugins/check_rabbitmq_size
fmn.backends.irc 100 200
+command[check_fmn_backend_email_queue]={{ libdir }}/nagios/plugins/check_rabbitmq_size
fmn.backends.email 100 200
diff --git a/roles/nagios_client/templates/check_happroxy_conns.cfg.j2
b/roles/nagios_client/templates/check_happroxy_conns.cfg.j2
new file mode 100644
index 0000000..381d2b2
--- /dev/null
+++ b/roles/nagios_client/templates/check_happroxy_conns.cfg.j2
@@ -0,0 +1 @@
+command[check_haproxy_conns]=/usr/lib64/nagios/plugins/check_haproxy_conns.py
diff --git a/roles/nagios_client/templates/check_ipa.cfg.j2
b/roles/nagios_client/templates/check_ipa.cfg.j2
new file mode 100644
index 0000000..0314738
--- /dev/null
+++ b/roles/nagios_client/templates/check_ipa.cfg.j2
@@ -0,0 +1 @@
+command[check_ipa_replication]={{ libdir }}/nagios/plugins/check_ipa_replication -u
ldaps://localhost/
diff --git a/roles/nagios_client/templates/check_lock.cfg.j2
b/roles/nagios_client/templates/check_lock.cfg.j2
new file mode 100644
index 0000000..70015b7
--- /dev/null
+++ b/roles/nagios_client/templates/check_lock.cfg.j2
@@ -0,0 +1 @@
+command[check_lock]={{ libdir }}/nagios/plugins/check_lock
diff --git a/roles/nagios_client/templates/check_lock_file_age.cfg.j2
b/roles/nagios_client/templates/check_lock_file_age.cfg.j2
new file mode 100644
index 0000000..c36459a
--- /dev/null
+++ b/roles/nagios_client/templates/check_lock_file_age.cfg.j2
@@ -0,0 +1 @@
+command[check_lock_file_age]={{ libdir }}/nagios/plugins/check_lock_file_age -w 1 -c 5 -f
/var/lock/fedora-ca/lock
diff --git a/roles/nagios_client/templates/check_mailman_api.cfg.j2
b/roles/nagios_client/templates/check_mailman_api.cfg.j2
new file mode 100644
index 0000000..95213f3
--- /dev/null
+++ b/roles/nagios_client/templates/check_mailman_api.cfg.j2
@@ -0,0 +1 @@
+command[check_mailman_api]=/usr/lib64/nagios/plugins/check_http -H localhost -p 8001 -u
/3.0 -e 'HTTP/1.0 401 Unauthorized'
diff --git a/roles/nagios_client/templates/check_memcache.cfg.j2
b/roles/nagios_client/templates/check_memcache.cfg.j2
new file mode 100644
index 0000000..b0ec100
--- /dev/null
+++ b/roles/nagios_client/templates/check_memcache.cfg.j2
@@ -0,0 +1,2 @@
+command[check_memcache]=/usr/lib64/nagios/plugins/check_procs -c 1:1 -a
'/usr/bin/memcached' -u memcached
+command[check_memcache_connect]=/usr/lib64/nagios/plugins/check_memcache_connect
diff --git a/roles/nagios_client/templates/check_merged_file_age.cfg.j2
b/roles/nagios_client/templates/check_merged_file_age.cfg.j2
new file mode 100644
index 0000000..90df1c7
--- /dev/null
+++ b/roles/nagios_client/templates/check_merged_file_age.cfg.j2
@@ -0,0 +1 @@
+command[check_merged_file_age]=/usr/lib64/nagios/plugins/check_file_age -w 120 -c 300
/var/log/merged/messages.log
diff --git a/roles/nagios_client/templates/check_mirrorlist_cache.cfg.j2
b/roles/nagios_client/templates/check_mirrorlist_cache.cfg.j2
new file mode 100644
index 0000000..d282b7f
--- /dev/null
+++ b/roles/nagios_client/templates/check_mirrorlist_cache.cfg.j2
@@ -0,0 +1,2 @@
+command[check_mirrorlist1_cache]={{ libdir }}/nagios/plugins/check_file_age -w 14400 -c
129600 -f /srv/mirrorlist/data/mirrorlist1/mirrorlist_cache.proto
+command[check_mirrorlist2_cache]={{ libdir }}/nagios/plugins/check_file_age -w 14400 -c
129600 -f /srv/mirrorlist/data/mirrorlist2/mirrorlist_cache.proto
diff --git a/roles/nagios_client/templates/check_mirrorlist_docker_proxy.cfg.j2
b/roles/nagios_client/templates/check_mirrorlist_docker_proxy.cfg.j2
new file mode 100644
index 0000000..39c0099
--- /dev/null
+++ b/roles/nagios_client/templates/check_mirrorlist_docker_proxy.cfg.j2
@@ -0,0 +1 @@
+command[check_mirrorlist_docker_proxy]=/usr/lib64/nagios/plugins/check_tcp -H localhost
-p 18081
diff --git a/roles/nagios_client/templates/check_mysql.cfg.j2
b/roles/nagios_client/templates/check_mysql.cfg.j2
new file mode 100644
index 0000000..2b825d2
--- /dev/null
+++ b/roles/nagios_client/templates/check_mysql.cfg.j2
@@ -0,0 +1 @@
+command[check_mysql_backup]={{ libdir }}/nagios/plugins/check_file_age -w 86400 -c 129600
-f /backups/fpo-mediawiki-latest.xz
diff --git a/roles/nagios_client/templates/check_openvpn_link.cfg.j2
b/roles/nagios_client/templates/check_openvpn_link.cfg.j2
new file mode 100644
index 0000000..77d3e66
--- /dev/null
+++ b/roles/nagios_client/templates/check_openvpn_link.cfg.j2
@@ -0,0 +1 @@
+command[check_openvpn_link]={{ libdir }}/nagios/plugins/check_ping -H 192.168.1.41 -w
375.0,20% -c 500,60%
diff --git a/roles/nagios_client/templates/check_osbs.cfg.j2
b/roles/nagios_client/templates/check_osbs.cfg.j2
new file mode 100644
index 0000000..1bd7e2f
--- /dev/null
+++ b/roles/nagios_client/templates/check_osbs.cfg.j2
@@ -0,0 +1 @@
+command[check_osbs_api]={{ libdir }}/nagios/plugins/check_osbs_api.py
diff --git a/roles/nagios_client/templates/check_postfix_queue.cfg.j2
b/roles/nagios_client/templates/check_postfix_queue.cfg.j2
new file mode 100644
index 0000000..40ab592
--- /dev/null
+++ b/roles/nagios_client/templates/check_postfix_queue.cfg.j2
@@ -0,0 +1 @@
+command[check_postfix_queue]={{ libdir }}/nagios/plugins/check_postfix_queue -w {{
nrpe_check_postfix_queue_warn }} -c {{ nrpe_check_postfix_queue_crit }}
diff --git a/roles/nagios_client/templates/check_proxies.cfg.j2
b/roles/nagios_client/templates/check_proxies.cfg.j2
new file mode 100644
index 0000000..216b647
--- /dev/null
+++ b/roles/nagios_client/templates/check_proxies.cfg.j2
@@ -0,0 +1,2 @@
+command[check_ticketkey_age]={{ libdir }}/nagios/plugins/check_file_age -w 3600 -c 7200
-f /etc/httpd/ticketkey_{{env}}.tkey
+command[check_ostree_summary_file_age]=/usr/lib64/nagios/plugins/check_file_age -w 1800
-c 3600 /srv/web/ostree/summary
diff --git a/roles/nagios_client/templates/check_rabbitmq_cluster.cfg.j2
b/roles/nagios_client/templates/check_rabbitmq_cluster.cfg.j2
new file mode 100644
index 0000000..6a67248
--- /dev/null
+++ b/roles/nagios_client/templates/check_rabbitmq_cluster.cfg.j2
@@ -0,0 +1 @@
+command[check_rabbitmq_cluster]=/usr/lib64/nagios/plugins-rabbitmq/check_rabbitmq_cluster
--extra-opts=common(a)/etc/nrpe.d/rabbitmq_args.ini -n
rabbit@rabbitmq01.phx2.fedoraproject.org,rabbit@rabbitmq02.phx2.fedoraproject.org,rabbit(a)rabbitmq03.phx2.fedoraproject.org
\ No newline at end of file
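Review bot: The `-n` node list is three literal hostnames, so this template renders the same expected cluster membership on every host and in every environment. rabbitmq_args.ini.j2 in this commit does distinguish production from staging for the password. If a staging cluster exists, the check would compare it against the production node names and either alert permanently or be silenced, which hides real membership changes. Building the list from inventory, for instance `-n {{ rabbitmq_cluster_nodes | join(',') }}` with `rabbitmq_cluster_nodes` as a new per-environment variable, would avoid that.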
diff --git a/roles/nagios_client/templates/check_rabbitmq_connections.cfg.j2
b/roles/nagios_client/templates/check_rabbitmq_connections.cfg.j2
new file mode 100644
index 0000000..8b30a7f
--- /dev/null
+++ b/roles/nagios_client/templates/check_rabbitmq_connections.cfg.j2
@@ -0,0 +1 @@
+command[check_rabbitmq_connections]=/usr/lib64/nagios/plugins-rabbitmq/check_rabbitmq_connections
--extra-opts=common(a)/etc/nrpe.d/rabbitmq_args.ini
\ No newline at end of file
diff --git a/roles/nagios_client/templates/check_rabbitmq_exchange.cfg.j2
b/roles/nagios_client/templates/check_rabbitmq_exchange.cfg.j2
new file mode 100644
index 0000000..c5a729e
--- /dev/null
+++ b/roles/nagios_client/templates/check_rabbitmq_exchange.cfg.j2
@@ -0,0 +1,2 @@
+command[check_rabbitmq_exchange_pubsub]=/usr/lib64/nagios/plugins-rabbitmq/check_rabbitmq_exchange
--extra-opts=common(a)/etc/nrpe.d/rabbitmq_args.ini --vhost /pubsub --exchange amq.topic
--period 600
+command[check_rabbitmq_exchange_public_pubsub]=/usr/lib64/nagios/plugins-rabbitmq/check_rabbitmq_exchange
--extra-opts=common(a)/etc/nrpe.d/rabbitmq_args.ini --vhost /public_pubsub --exchange
amq.topic --period 600
\ No newline at end of file
diff --git a/roles/nagios_client/templates/check_rabbitmq_overview.cfg.j2
b/roles/nagios_client/templates/check_rabbitmq_overview.cfg.j2
new file mode 100644
index 0000000..060fb2f
--- /dev/null
+++ b/roles/nagios_client/templates/check_rabbitmq_overview.cfg.j2
@@ -0,0 +1 @@
+command[check_rabbitmq_overview]=/usr/lib64/nagios/plugins-rabbitmq/check_rabbitmq_overview
--extra-opts=common(a)/etc/nrpe.d/rabbitmq_args.ini
\ No newline at end of file
diff --git a/roles/nagios_client/templates/check_rabbitmq_queue.cfg.j2
b/roles/nagios_client/templates/check_rabbitmq_queue.cfg.j2
new file mode 100644
index 0000000..d9c9367
--- /dev/null
+++ b/roles/nagios_client/templates/check_rabbitmq_queue.cfg.j2
@@ -0,0 +1,2 @@
+command[check_rabbitmq_queue_pubsub]=/usr/lib64/nagios/plugins-rabbitmq/check_rabbitmq_queue
--extra-opts=common(a)/etc/nrpe.d/rabbitmq_args.ini --vhost /pubsub
+command[check_rabbitmq_queue_public_pubsub]=/usr/lib64/nagios/plugins-rabbitmq/check_rabbitmq_queue
--extra-opts=common(a)/etc/nrpe.d/rabbitmq_args.ini --vhost /public_pubsub
\ No newline at end of file
diff --git a/roles/nagios_client/templates/check_rabbitmq_server.cfg.j2
b/roles/nagios_client/templates/check_rabbitmq_server.cfg.j2
new file mode 100644
index 0000000..bc8fb20
--- /dev/null
+++ b/roles/nagios_client/templates/check_rabbitmq_server.cfg.j2
@@ -0,0 +1 @@
+command[check_rabbitmq_server]=/usr/lib64/nagios/plugins-rabbitmq/check_rabbitmq_server
--extra-opts=common(a)/etc/nrpe.d/rabbitmq_args.ini --node={{ inventory_hostname }}
\ No newline at end of file
diff --git a/roles/nagios_client/templates/check_rabbitmq_watermark.cfg.j2
b/roles/nagios_client/templates/check_rabbitmq_watermark.cfg.j2
new file mode 100644
index 0000000..3dc965b
--- /dev/null
+++ b/roles/nagios_client/templates/check_rabbitmq_watermark.cfg.j2
@@ -0,0 +1 @@
+command[check_rabbitmq_watermark]=/usr/lib64/nagios/plugins-rabbitmq/check_rabbitmq_watermark
--extra-opts=common(a)/etc/nrpe.d/rabbitmq_args.ini --vhost /pubsub --node={{
inventory_hostname }}
\ No newline at end of file
diff --git a/roles/nagios_client/templates/check_raid.cfg.j2
b/roles/nagios_client/templates/check_raid.cfg.j2
new file mode 100644
index 0000000..ef47d12
--- /dev/null
+++ b/roles/nagios_client/templates/check_raid.cfg.j2
@@ -0,0 +1 @@
+command[check_raid]={{ libdir }}/nagios/plugins/check_raid.py
diff --git a/roles/nagios_client/templates/check_readonly_fs.cfg.j2
b/roles/nagios_client/templates/check_readonly_fs.cfg.j2
new file mode 100644
index 0000000..df896b7
--- /dev/null
+++ b/roles/nagios_client/templates/check_readonly_fs.cfg.j2
@@ -0,0 +1 @@
+command[check_readonly_fs]=/usr/lib64/nagios/plugins/check_readonly_fs
diff --git a/roles/nagios_client/templates/check_redis_proc.cfg.j2
b/roles/nagios_client/templates/check_redis_proc.cfg.j2
new file mode 100644
index 0000000..7f05bc5
--- /dev/null
+++ b/roles/nagios_client/templates/check_redis_proc.cfg.j2
@@ -0,0 +1 @@
+command[check_redis_proc]=/usr/lib64/nagios/plugins/check_procs -c 1:1 -C
'redis-server' -u redis
diff --git a/roles/nagios_client/templates/check_sigul_bridge_proc.cfg.j2
b/roles/nagios_client/templates/check_sigul_bridge_proc.cfg.j2
new file mode 100644
index 0000000..a173c2f
--- /dev/null
+++ b/roles/nagios_client/templates/check_sigul_bridge_proc.cfg.j2
@@ -0,0 +1 @@
+command[check_sigul_bridge_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -a
'sigul/bridge.py' -u sigul
diff --git a/roles/nagios_client/templates/check_supybot_fedmsg_plugin.cfg.j2
b/roles/nagios_client/templates/check_supybot_fedmsg_plugin.cfg.j2
new file mode 100644
index 0000000..514cf75
--- /dev/null
+++ b/roles/nagios_client/templates/check_supybot_fedmsg_plugin.cfg.j2
@@ -0,0 +1 @@
+command[check_supybot_fedmsg_plugin]={{libdir}}/nagios/plugins/check_supybot_plugin -t
fedmsg
diff --git a/roles/nagios_client/templates/check_swap.cfg.j2
b/roles/nagios_client/templates/check_swap.cfg.j2
new file mode 100644
index 0000000..68695c9
--- /dev/null
+++ b/roles/nagios_client/templates/check_swap.cfg.j2
@@ -0,0 +1 @@
+command[check_swap]={{ libdir }}/nagios/plugins/check_swap -w 15% -c 10%
diff --git a/roles/nagios_client/templates/check_testcloud.cfg.j2
b/roles/nagios_client/templates/check_testcloud.cfg.j2
new file mode 100644
index 0000000..25a314f
--- /dev/null
+++ b/roles/nagios_client/templates/check_testcloud.cfg.j2
@@ -0,0 +1 @@
+command[check_testcloud]={{ libdir }}/nagios/plugins/check_testcloud
diff --git a/roles/nagios_client/templates/check_unbound_proc.cfg.j2
b/roles/nagios_client/templates/check_unbound_proc.cfg.j2
new file mode 100644
index 0000000..cbae839
--- /dev/null
+++ b/roles/nagios_client/templates/check_unbound_proc.cfg.j2
@@ -0,0 +1 @@
+command[check_unbound_proc]={{ libdir }}/nagios/plugins/check_procs -c 1:1 -C
'unbound' -u unbound
diff --git a/roles/nagios_client/templates/check_varnish_proc.cfg.j2
b/roles/nagios_client/templates/check_varnish_proc.cfg.j2
new file mode 100644
index 0000000..3935c16
--- /dev/null
+++ b/roles/nagios_client/templates/check_varnish_proc.cfg.j2
@@ -0,0 +1 @@
+command[check_varnish_proc]=/usr/lib64/nagios/plugins/check_procs -c 1:2 -C
'varnishd' -u varnish
diff --git a/roles/nagios_client/templates/check_websites_buildtime.cfg.j2
b/roles/nagios_client/templates/check_websites_buildtime.cfg.j2
new file mode 100644
index 0000000..ff5639d
--- /dev/null
+++ b/roles/nagios_client/templates/check_websites_buildtime.cfg.j2
@@ -0,0 +1,2 @@
+# Alert if websites haven't been built in 3 hours
+command[check_websites_buildtime]={{ libdir }}/nagios/plugins/check_timestamp_from_file
/srv/websites/getfedora.org/build.timestamp.txt 10800
diff --git a/roles/nagios_client/templates/nrpe.cfg.j2
b/roles/nagios_client/templates/nrpe.cfg.j2
new file mode 100644
index 0000000..102f529
--- /dev/null
+++ b/roles/nagios_client/templates/nrpe.cfg.j2
@@ -0,0 +1,232 @@
+#############################################################################
+# Sample NRPE Config File
+# Written by: Ethan Galstad (nagios(a)nagios.org)
+#
+# Last Modified: 11-23-2007
+#
+# NOTES:
+# This is a sample configuration file for the NRPE daemon. It needs to be
+# located on the remote host that is running the NRPE daemon, not the host
+# from which the check_nrpe client is being executed.
+#############################################################################
+
+
+# LOG FACILITY
+# The syslog facility that should be used for logging purposes.
+
+log_facility=daemon
+
+
+
+# PID FILE
+# The name of the file in which the NRPE daemon should write it's process ID
+# number. The file is only written if the NRPE daemon is started by the root
+# user and is running in standalone mode.
+
+#pid_file=/var/run/nrpe.pid
+
+
+
+# PORT NUMBER
+# Port number we should wait for connections on.
+# NOTE: This must be a non-priviledged port (i.e. > 1024).
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+server_port=5666
+
+
+
+# SERVER ADDRESS
+# Address that nrpe should bind to in case there are more than one interface
+# and you do not want nrpe to bind on all interfaces.
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+#server_address=127.0.0.1
+
+
+
+# NRPE USER
+# This determines the effective user that the NRPE daemon should run as.
+# You can either supply a username or a UID.
+#
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+nrpe_user=nrpe
+
+
+
+# NRPE GROUP
+# This determines the effective group that the NRPE daemon should run as.
+# You can either supply a group name or a GID.
+#
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+nrpe_group=nrpe
+
+
+
+# ALLOWED HOST ADDRESSES
+# This is an optional comma-delimited list of IP address or hostnames
+# that are allowed to talk to the NRPE daemon. Network addresses with a bit mask
+# (i.e. 192.168.1.0/24) are also supported. Hostname wildcards are not currently
+# supported.
+#
+# Note: The daemon only does rudimentary checking of the client's IP
+# address. I would highly recommend adding entries in your /etc/hosts.allow
+# file to allow only the specified host to connect to the port
+# you are running this daemon on.
+#
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+
+{% if env == "staging" %}
+allowed_hosts=10.5.126.2,10.5.126.41,10.5.126.241,192.168.1.10,192.168.1.20,209.132.181.35,192.168.1.166,209.132.181.102
+{% else %}
+allowed_hosts=10.5.126.41,192.168.1.10,192.168.1.20,209.132.181.35,10.5.126.241,192.168.1.166,209.132.181.102
+{% endif %}
+
+
+
+# COMMAND ARGUMENT PROCESSING
+# This option determines whether or not the NRPE daemon will allow clients
+# to specify arguments to commands that are executed. This option only works
+# if the daemon was configured with the --enable-command-args configure script
+# option.
+#
+# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
+# Read the SECURITY file for information on some of the security implications
+# of enabling this variable.
+#
+# Values: 0=do not allow arguments, 1=allow command arguments
+
+dont_blame_nrpe=0
+
+
+
+# COMMAND PREFIX
+# This option allows you to prefix all commands with a user-defined string.
+# A space is automatically added between the specified prefix string and the
+# command line from the command definition.
+#
+# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
+# Usage scenario:
+# Execute restricted commmands using sudo. For this to work, you need to add
+# the nagios user to your /etc/sudoers. An example entry for alllowing
+# execution of the plugins from might be:
+#
+# nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
+#
+# This lets the nagios user run all commands in that directory (and only them)
+# without asking for a password. If you do this, make sure you don't give
+# random users write access to that directory or its contents!
+
+# command_prefix=/usr/bin/sudo
+
+
+
+# DEBUGGING OPTION
+# This option determines whether or not debugging messages are logged to the
+# syslog facility.
+# Values: 0=debugging off, 1=debugging on
+
+debug=0
+
+
+
+# COMMAND TIMEOUT
+# This specifies the maximum number of seconds that the NRPE daemon will
+# allow plugins to finish executing before killing them off.
+
+command_timeout=100
+
+
+
+# CONNECTION TIMEOUT
+# This specifies the maximum number of seconds that the NRPE daemon will
+# wait for a connection to be established before exiting. This is sometimes
+# seen where a network problem stops the SSL being established even though
+# all network sessions are connected. This causes the nrpe daemons to
+# accumulate, eating system resources. Do not set this too low.
+
+connection_timeout=300
+
+
+
+# WEEK RANDOM SEED OPTION
+# This directive allows you to use SSL even if your system does not have
+# a /dev/random or /dev/urandom (on purpose or because the necessary patches
+# were not applied). The random number generator will be seeded from a file
+# which is either a file pointed to by the environment valiable $RANDFILE
+# or $HOME/.rnd. If neither exists, the pseudo random number generator will
+# be initialized and a warning will be issued.
+# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness
+
+#allow_weak_random_seed=1
+
+
+
+# INCLUDE CONFIG FILE
+# This directive allows you to include definitions from an external config file.
+
+#include=<somefile.cfg>
+
+
+
+# INCLUDE CONFIG DIRECTORY
+# This directive allows you to include definitions from config files (with a
+# .cfg extension) in one or more directories (with recursion).
+
+include_dir=/etc/nrpe.d/
+
+
+
+# COMMAND DEFINITIONS
+# Command definitions that this daemon will run. Definitions
+# are in the following format:
+#
+# command[<command_name>]=<command_line>
+#
+# When the daemon receives a request to return the results of <command_name>
+# it will execute the command specified by the <command_line> argument.
+#
+# Unlike Nagios, the command line cannot contain macros - it must be
+# typed exactly as it should be executed.
+#
+# Note: Any plugins that are used in the command lines must reside
+# on the machine that this daemon is running on! The examples below
+# assume that you have plugins installed in a /usr/local/nagios/libexec
+# directory. Also note that you will have to modify the definitions below
+# to match the argument format the plugins expect. Remember, these are
+# examples only!
+
+
+# The following examples use hardcoded command arguments...
+
+command[check_users]={{ libdir }}/nagios/plugins/check_users -w 5 -c 10
+command[check_load]={{ libdir }}/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
+command[check_hda1]={{ libdir }}/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1
+{% if inventory_hostname not in groups['zombie_infested'] %}
+command[check_zombie_procs]={{ libdir }}/nagios/plugins/check_procs -w 5 -c 10 -s Z
+{% else %}
+# This host is prone to Zombies and we do not care or want to alert on it so we make the
limits very high
+command[check_zombie_procs]={{ libdir }}/nagios/plugins/check_procs -w 50000 -c 100000 -s
Z
+{% endif %}
+command[check_total_procs]={{ libdir }}/nagios/plugins/check_procs -w {{ nrpe_procs_warn
}} -c {{ nrpe_procs_crit }}
+
+
+# The following examples allow user-supplied arguments and can
+# only be used if the NRPE daemon was compiled with support for
+# command arguments *AND* the dont_blame_nrpe directive in this
+# config file is set to '1'. This poses a potential security risk, so
+# make sure you read the SECURITY file before doing this.
+
+#command[check_users]=/usr/lib64/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
+#command[check_load]=/usr/lib64/nagios/plugins/check_load -w $ARG1$ -c $ARG2$
+#command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
+#command[check_procs]=/usr/lib64/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$ -s
$ARG3$
+
+
+# NEVER ADD ANYTHING HERE - ANY ENTRIES TO NRPE SHOULD BE in .cfg files in /etc/nrpe.d/
+
+# NEVER NEVER NEVER
+#
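Review bot: The two `allowed_hosts` lines hardcode the addresses permitted to query NRPE directly in the template, and `server_address` is left commented out, so the daemon listens on all interfaces and this list is the only restriction visible in the file. The file's own comment notes that the daemon does only rudimentary checking of the client address. The staging branch additionally admits 10.5.126.2, with no comment explaining why. I would move the list to inventory, e.g. `allowed_hosts={{ nrpe_allowed_hosts | join(',') }}` with `nrpe_allowed_hosts` as a new group variable set per environment, and confirm that a host firewall rule limits port 5666 to the same monitoring servers. `dont_blame_nrpe=0` is the right setting and should stay.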
diff --git a/roles/nagios_client/templates/rabbitmq_args.ini.j2
b/roles/nagios_client/templates/rabbitmq_args.ini.j2
new file mode 100644
index 0000000..ee3078d
--- /dev/null
+++ b/roles/nagios_client/templates/rabbitmq_args.ini.j2
@@ -0,0 +1,4 @@
+[common]
+hostname = localhost
+username = nagios-monitoring
+password = {{ (env ==
'production')|ternary(rabbitmq_monitoring_password_production,
rabbitmq_monitoring_password_staging) }}
\ No newline at end of file
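Review bot: This template writes the RabbitMQ monitoring password in cleartext, and the check_rabbitmq_* templates read it from `/etc/nrpe.d/rabbitmq_args.ini`. The task that installs it is not part of this hunk, so the file's ownership and mode cannot be checked here. That task should restrict the file to root and the NRPE group, for example `owner: root`, `group: nrpe`, `mode: "0640"`, and set `no_log: true` so a `--diff` run does not print the rendered password. The value is also emitted unquoted, so a password containing whitespace or a comment character may be misparsed by the plugin's ini reader; that is worth testing with the real value.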