Major refactoring. Moved all the library roles under 'library/roles' and changed all the occurrences inside all the playbooks.

Andrea Dell'Amico 2015-05-28 11:32:57 +02:00
commit 73d37f81a6
278 changed files with 18388 additions and 0 deletions

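--- a/R/defaults/main.yml
+++ b/R/defaults/main.yml
@@ -0,0 +1,65 @@
+---
+#
+# To list the installed R packages
+# Run R, then execute
+# packinfo <- installed.packages (fields = c ("Package", "Version"))
+# packinfo[,c("Package", "Version")]
+#
+# The install/remove script has been taken from here: http://adamj.eu/tech/2014/07/19/installing-and-removing-r-packages-with-ansible/
+#
+r_install_cran_repo: False
+#r_cran_mirror_site: http://cran.rstudio.com
+r_cran_mirror_site: http://cran.mirror.garr.it/mirrors/CRAN/
+r_base_pkg_version: 2.14.1
+r_packages_state: present
+r_base_packages_list:
+- r-base
+- jags
+r_plugins_packages_list:
+- r-cran-rjags
+- r-cran-abind
+- r-cran-boot
+- r-cran-class
+- r-cran-cluster
+- r-cran-coda
+- r-cran-codetools
+- r-cran-foreign
+- r-cran-lattice
+- r-cran-maptools
+- r-cran-mass
+- r-cran-matrix
+- r-cran-mgcv
+- r-cran-nlme
+- r-cran-nnet
+- r-cran-rpart
+- r-cran-sp
+- r-cran-spatial
+- r-cran-survival
+r_plugins_list_to_install:
+- R2WinBUGS
+- R2jags
+- bayesmix
+- coda
+- rjags
+- runjags
+- base
+- compiler
+- datasets
+- grDevices
+- graphics
+- grid
+- methods
+- parallel
+- splines
+- stats
+- stats4
+- tcltk
+- tools
+- utils
+#r_plugins_list_to_remove: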
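Review bot: `r_cran_mirror_site` (and the commented alternative above it) is a plain-http URL, and R/tasks/main.yml in this commit passes it to `install.packages(repos=...)`, which downloads and builds source packages from it without any signature check, so the package source is only as trustworthy as the network path; if the mirror serves TLS, prefer `r_cran_mirror_site: https://cran.mirror.garr.it/mirrors/CRAN/`. `r_install_cran_repo: False` is the YAML 1.1 truthy spelling; write `false` so the yamllint `truthy` rule and YAML 1.2 parsers agree. `r_base_pkg_version: 2.14.1` is declared but not referenced by any task in the R role added here, which deserves either a comment saying who consumes it or removal.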

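--- a/R/tasks/main.yml
+++ b/R/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+- name: Install the cran repository key
+apt_key: id=E084DAB9 keyserver=keyserver.ubuntu.com state=present
+register: update_apt_cache
+when: r_install_cran_repo
+tags:
+- r_software
+- r_repo
+- name: Install the cran repository definition
+apt_repository: repo='deb http://cran.rstudio.com/bin/linux/ubuntu {{ ansible_distribution_release }}/' state=present
+register: update_apt_cache
+when: r_install_cran_repo
+tags:
+- r_software
+- r_repo
+- name: Install the cran repository definition
+apt_repository: repo='deb {{ r_cran_mirror_site }}/bin/linux/ubuntu {{ ansible_distribution_release }}/' state=absent
+register: update_apt_cache
+when: not r_install_cran_repo
+tags:
+- r_software
+- r_repo
+- name: Update the apt cache if needed
+apt: update_cache=yes
+when: ( update_apt_cache | changed )
+tags:
+- r_software
+- r_repo
+- name: Install the R base packages
+apt: pkg={{ item }} state={{ r_packages_state }}
+with_items: r_base_packages_list
+tags:
+- r_software
+- r_pkg
+- name: Install the R plugins from the ubuntu repo
+apt: pkg={{ item }} state={{ r_packages_state }}
+with_items: r_plugins_packages_list
+tags:
+- r_software
+- r_pkg
+- name: Install R plugins from the cran binaries repo
+command: >
+Rscript --slave --no-save --no-restore-history -e "if (! ('{{ item }}' %in% installed.packages()[,'Package'])) { install.packages(pkgs='{{ item }}', repos=c('{{ r_cran_mirror_site }}/')); print('Added'); } else { print('Already installed'); }"
+register: install_plugins_result
+failed_when: "install_plugins_result.rc != 0 or 'had non-zero exit status' in install_plugins_result.stderr"
+changed_when: "'Added' in install_plugins_result.stdout"
+with_items: r_plugins_list_to_install
+tags:
+- r_software
+- r_pkg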
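Review bot: The key task and both repository-definition tasks all `register: update_apt_cache`, and a skipped task still overwrites the registered variable, so when `r_install_cran_repo` is true the 'Update the apt cache if needed' condition only ever sees the skipped `state=absent` result and the cache is never refreshed before the package installs. Register distinct names (e.g. `register: update_apt_cache_key`, `register: update_apt_cache_repo`) and `or` them in the `when`, as ansible-packages.yml in this same commit already does. The repository that is added is hard-coded to `http://cran.rstudio.com` while the one removed is `{{ r_cran_mirror_site }}`, so flipping the flag never removes the line that was added; use the variable in both tasks (both also carry the same name 'Install the cran repository definition', which hides which branch ran). The apt_key task identifies the key only by the short id `E084DAB9`, which is collision-prone on public keyservers; pin the full fingerprint instead, `id=<FULL_FINGERPRINT_PLACEHOLDER>`.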


@ -0,0 +1,12 @@
---
# ansible PKG state: latest, installed, absent
ansible_pkg_state: latest
ansible_cfg_file: /etc/ansible/ansible.cfg
# options: smart, implicit, explicit.
ansible_gathering: smart
ansible_command_warnings: True
ansible_control_path: '%(directory)s/%%h-%%r'
#
# Note: it breaks sudo if there's 'requiretty' inside the sudoers file
ansible_pipelining: True
ansible_scp_if_ssh: True
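Review bot: `ansible_pkg_state: latest` makes the 'Install the ansible package' task upgrade the control tooling whenever a newer package appears, so a routine run can turn into an unplanned version change of the tool running it; `present` is the safer default for a library role, with `latest` left to the caller. `ansible_command_warnings: True`, `ansible_pipelining: True` and `ansible_scp_if_ssh: True` use the YAML 1.1 truthy spelling; `true` keeps the yamllint `truthy` rule quiet and renders the same text into ansible.cfg.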


@ -0,0 +1,32 @@
---
- name: Set the gather facts policy
action: configfile path={{ ansible_cfg_file }} key=gathering value='{{ ansible_gathering }}'
tags:
- ansible
- ansible_cfg
- name: Warn if some shell commands can be avoided using modules
action: configfile path={{ ansible_cfg_file }} key=command_warning value='{{ ansible_command_warnings }}'
tags:
- ansible
- ansible_cfg
- name: Shorten the ansible control path
action: configfile path={{ ansible_cfg_file }} key=control_path value='{{ ansible_control_path }}'
tags:
- ansible
- ansible_cfg
- name: Be fast, use pipelining when possible
action: configfile path={{ ansible_cfg_file }} key=pipelining value='{{ ansible_pipelining }}'
tags:
- ansible
- ansible_cfg
- name: Use scp instead of sftp to transfer files
action: configfile path={{ ansible_cfg_file }} key=scp_if_ssh value='{{ ansible_scp_if_ssh }}'
tags:
- ansible
- ansible_cfg
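Review bot: The 'Warn if some shell commands can be avoided using modules' task writes the key `command_warning`, but the ansible.cfg option — like the variable feeding it, `ansible_command_warnings` — is spelled `command_warnings`, so the setting would be silently ignored; change to `key=command_warnings`. `pipelining` and `scp_if_ssh` live in the `[ssh_connection]` section of ansible.cfg rather than `[defaults]`, and none of these `configfile` calls names a section, so unless the custom module places keys by section on its own they land where Ansible does not read them — worth confirming against the module. A header comment stating which ansible.cfg section each key targets would make that contract visible.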


@ -0,0 +1,24 @@
---
- name: Remove the now obsolete rquillo ppa for ansible
apt_repository: repo='ppa:rquillo/ansible' state=absent
register: update_apt_cache_rquillo
tags:
- ansible
- name: Add the ansible ppa for ansible
apt_repository: repo='ppa:ansible/ansible'
register: update_apt_cache
tags:
- ansible
- name: Update the apt cache if needed
apt: update_cache=yes
when: (update_apt_cache|changed) or (update_apt_cache_rquillo|changed)
tags:
- ansible
- name: Install the ansible package
apt: pkg=ansible state={{ ansible_pkg_state }}
tags:
- ansible


@ -0,0 +1,4 @@
---
- include: ansible-packages.yml
- include: ansible-config.yml

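--- a/apache/defaults/main.yml
+++ b/apache/defaults/main.yml
@@ -0,0 +1,32 @@
+---
+apache_user: www-data
+apache_group: '{{ apache_user }}'
+apache_packages:
+- apache2
+- apache2-mpm-prefork
+- apache2-utils
+- libapache2-mod-xsendfile
+- unzip
+- zip
+apache_default_modules:
+- headers
+- rewrite
+- expires
+- xsendfile
+apache_basic_auth: False
+apache_basic_auth_single_file: True
+apache_basic_auth_dir: /etc/apache2/auth
+apache_basic_auth_file: '{{ apache_basic_auth_dir }}/htpasswd'
+apache_basic_auth_modules:
+- auth_basic
+- authn_file
+- authz_user
+# Put them in a vault file. auth_file is optional. Not used when apache_basic_auth_single_file is true
+# apache_basic_users:
+# - { username:'', password:'', state:'present,absent', auth_file:'path_to_file' }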
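Review bot: The commented example for `apache_basic_users` (`{ username:'', password:'', state:'present,absent', auth_file:'path_to_file' }`) would not parse if uncommented, because inside a flow mapping the colon must be followed by a space; suggest `#   - { username: '', password: '', state: 'present', auth_file: '/path/to/htpasswd' }` with a separate comment line saying `state` is `present` or `absent`. `apache_basic_auth: False` and `apache_basic_auth_single_file: True` use the YAML 1.1 truthy spelling — `false`/`true`. Since the list carries plaintext passwords, the comment could also say that the tasks consuming it must run with `no_log: true` so the values do not reach play output or logs.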

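--- a/apache/handlers/main.yml
+++ b/apache/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: apache2 reload
+service: name=apache2 state=reloaded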


@ -0,0 +1,36 @@
---
- name: Load the basic auth modules
apache2_module: name={{ item }} state=present
with_items: apache_basic_auth_modules
notify: apache2 reload
tags:
- apache
- apache_basic_auth
- name: Create the authentication directory
file: path={{ apache_basic_auth_dir }} mode=0750 owner=root group={{ apache_group }} state=directory
tags:
- apache
- apache_basic_auth
- name: Install the python-passlib library
apt: pkg=python-passlib state=present
tags:
- apache
- apache_basic_auth
- name: Create the basic auth file
htpasswd: path={{ apache_basic_auth_file }} name={{ item.username }} password={{ item.password }} create=yes state={{ item.state }}
when: apache_basic_users is defined and apache_basic_auth_single_file
tags:
- apache
- apache_basic_auth
- name: Create the basic auth file
htpasswd: path={{ item.auth_file }} name={{ item.username }} password={{ item.password }} create=yes state={{ item.state }}
with_items: apache_basic_users
when: apache_basic_users is defined and not apache_basic_auth_single_file
tags:
- apache
- apache_basic_auth
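Review bot: The first 'Create the basic auth file' task (the `apache_basic_auth_single_file` branch) references `{{ item.username }}`, `{{ item.password }}` and `{{ item.state }}` but has no `with_items`, so `item` is undefined and the task fails on exactly the default configuration (`apache_basic_auth_single_file: True`); add `with_items: apache_basic_users` as the second task does. Both htpasswd tasks interpolate the password into the module arguments, which Ansible prints per item in verbose output and logs, so each should carry `no_log: true`. The two tasks share one name, which makes play output ambiguous; e.g. 'Create the single basic auth file' and 'Create the per-user basic auth files'.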

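--- a/apache/tasks/apache.yml
+++ b/apache/tasks/apache.yml
@@ -0,0 +1,22 @@
+---
+- name: Install the apache packages
+apt: pkg={{ item }} state=installed force=yes
+with_items: apache_packages
+tags:
+- apache
+- name: Load the required modules
+apache2_module: name={{ item }} state=present
+with_items: apache_default_modules
+notify: apache2 reload
+tags:
+- apache
+- name: Remove the default virtualhost file
+file: dest=/etc/apache2/sites-enabled/{{ item }} state=absent
+with_items:
+- 000-default
+- 000-default.conf
+notify: apache2 reload
+tags:
+- apache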
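Review bot: 'Install the apache packages' passes `force=yes` to apt, which maps to apt-get's `--force-yes` and so allows packages that cannot be authenticated against the apt keyring to be installed; the packages come from the distribution repositories, so there is no reason to weaken verification — drop it: `apt: pkg={{ item }} state=installed`. The same `force=yes` appears on 'Install the ganglia linux specific plugins' in ganglia/tasks/main.yml. `state=installed` is the older alias of `present`; the roles in this commit mix both, and normalising on `present` would make grepping for package tasks easier.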

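--- a/apache/tasks/main.yml
+++ b/apache/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- include: apache.yml
+- include: apache-basic-auth.yml
+when: apache_basic_auth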

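--- a/chkconfig/tasks/main.yml
+++ b/chkconfig/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: install chkconfig and insserv
+apt: pkg={{ item }} state=present
+with_items:
+- chkconfig
+- insserv
+tags:
+- chkconfig
+# Workaround for a bug in the insserv package. insserv is needed by chkconfig
+- name: Workaround for a bug in the insserv package.
+action: file src=/usr/lib/insserv/insserv dest=/sbin/insserv state=link
+tags:
+- chkconfig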


@ -0,0 +1,18 @@
---
# First things first: install the basic requirements with a raw command
- name: install python-apt
raw: "apt-get update; apt-get install -y python python-apt lsb-release"
tags:
- pythonapt
- name: Install python-software-properties
apt: pkg=python-software-properties state=installed
tags:
- pythonapt
- name: Install software-properties-common on quantal distributions
apt: pkg=software-properties-common state=installed
when: is_quantal
tags:
- pythonapt
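Review bot: The raw task joins `apt-get update` and `apt-get install` with `;`, so a failed cache update is masked and the task's result reflects only the install command, which may then pick stale or missing candidates; use `&&` so the task stops at the first error: `raw: "apt-get update && apt-get install -y python python-apt lsb-release"`. A raw task also reports changed on every run; that is acceptable for a bootstrap step, but a comment saying so (`# raw: python is not available yet, so this step is not idempotent by design`) stops the next reader from trying to fix it.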


@ -0,0 +1,3 @@
---
deb_default_locale: "en_US.UTF-8"
deb_locales: "{{ deb_default_locale }} en_US, it_IT.UTF-8 it_IT"
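Review bot: The entries in `deb_locales` are written as `en_US.UTF-8 en_US` and `it_IT.UTF-8 it_IT`, but the `locales/locales_to_be_generated` debconf answer is matched against the `locale charset` pairs from `/usr/share/i18n/SUPPORTED`, which for these locales are `en_US.UTF-8 UTF-8` and `it_IT.UTF-8 UTF-8`; as written the selection may match nothing and no locale gets generated — worth verifying on a target host. Suggest `deb_locales: "{{ deb_default_locale }} UTF-8, it_IT.UTF-8 UTF-8"`.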


@ -0,0 +1,12 @@
---
- name: Generate locales
debconf: name=locales question='locales/locales_to_be_generated' value='{{ deb_locales }}' vtype='multiselect'
tags:
- locale
- name: Update the locale default
debconf: name=locales question='locales/default_environment_locale' value='{{ deb_default_locale }}' vtype='select'
tags:
- locale
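Review bot: Both tasks only record answers in the debconf database; nothing in this file reconfigures the `locales` package afterwards, so on a host where it is already installed the selections are stored but the locales are not generated. This is hedged, since a later role may do it, but a handler such as `- name: reconfigure locales` running `command: dpkg-reconfigure -f noninteractive locales`, notified by both tasks, would make the role self-contained.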


@ -0,0 +1,30 @@
---
- name: apt key for the internal ppa repository
apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present
when: has_apt
register: update_apt_cache
tags:
- dnet
- name: Install the D-Net apt repositories
apt_repository: repo='{{ item }}'
with_items:
- deb http://ppa.research-infrastructures.eu/dnet lucid main
- deb http://ppa.research-infrastructures.eu/dnet unstable main
when: has_apt
register: update_apt_cache
tags:
- dnet
- name: Install the D-NET repository key
action: apt_key url=http://ppa.research-infrastructures.eu/dnet/keys/dnet-archive.asc
tags:
- dnet
- name: Update the apt cache
apt: update_cache=yes
when: update_apt_cache.changed
ignore_errors: True
tags:
- dnet
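Review bot: Both archive keys are fetched over plain http (`http://ppa.research-infrastructures.eu/system/keys/system-archive.asc` and `.../dnet/keys/dnet-archive.asc`), so an on-path attacker can substitute the key and afterwards serve arbitrary packages from the http repositories that trust it; fetch them over https if the host offers it, or ship the key files with the role and load them with `apt_key: data=...`, and pin the expected key with `id=<FULL_FINGERPRINT_PLACEHOLDER>`. The third task, 'Install the D-NET repository key', has no `when: has_apt` guard and does not register, unlike the two before it, and the two registered tasks both overwrite `update_apt_cache`, so the cache update only reacts to the repository task. `ignore_errors: True` on the cache update additionally hides a broken repository until the package installs fail later.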

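--- a/docker/handlers/main.yml
+++ b/docker/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: Restart docker
+service: name=docker state=restarted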

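--- a/docker/tasks/main.yml
+++ b/docker/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- include: pkgs.yml
+- name: Enable Docker TCP on local bridge (for docker swarm)
+action: configfile path=/etc/default/docker syntax=shell key=DOCKER_OPTS value="\"-H tcp://172.17.42.1:2375 -H unix:///var/run/docker.sock\""
+notify: Restart docker
+tags: docker-conf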
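Review bot: `DOCKER_OPTS` binds the Docker API to `tcp://172.17.42.1:2375` with no `--tlsverify`/`--tlscacert` options, and the daemon API gives root-equivalent control of the host to any client that can reach that port; 172.17.42.1 is the docker0 bridge address, so containers running on the host can reach it as well. If swarm really needs the TCP endpoint, enable TLS client authentication (`--tlsverify --tlscacert=... --tlscert=... --tlskey=...`) and restrict the port to the swarm manager with the iptables role this repository already has; otherwise keep only the unix socket. The bridge address and port are also hard-coded in the task rather than coming from a defaults variable, which makes them impossible to override per host without editing the role.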

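--- a/docker/tasks/pkgs.yml
+++ b/docker/tasks/pkgs.yml
@@ -0,0 +1,16 @@
+---
+- name: Add Docker repository key
+apt_key: url="https://get.docker.io/gpg"
+tags:
+- docker
+- name: Add Docker repository
+apt_repository: repo='deb http://get.docker.io/ubuntu docker main' update_cache=yes
+tags:
+- docker
+- name: Install Docker
+apt: pkg=lxc-docker state=present
+tags:
+- docker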
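Review bot: 'Add Docker repository key' gives `apt_key` only a URL, so the module re-downloads the key on every run and has nothing to compare the downloaded material against; adding `id=<FULL_FINGERPRINT_PLACEHOLDER>` makes the task idempotent and ties the repository to one expected signing key. Fetching over https is good; the repository line itself is http, which apt tolerates because packages are signature-checked, but that check is only as strong as the pinned key.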


@ -0,0 +1,33 @@
---
# Fail2ban
# Needed by the fail2ban template
cm_ip: 146.48.123.18
monitoring_ip: 146.48.123.23
# ban time in seconds. 86400 == 1 day
f2b_ban_time: 86400
f2b_findtime: 600
f2b_maxretry: 5
f2b_default_backend: auto
f2b_usedns: warn
f2b_dest_email: sysadmin@research-infrastructures.eu
f2b_sender_email: denyhosts@research-infrastructures.eu
f2b_default_banaction: iptables-multiport
# Default action: ban. Not send email
f2b_default_action: action_
f2b_default_iptableschain: INPUT
f2b_ssh_enabled: true
f2b_ssh_ddos_enabled: true
f2b_apache_auth_enabled: false
f2b_apache_noscript_enabled: false
f2b_apache_overflow_enabled: false
f2b_php_url_popen: false
f2b_nginx_auth_enabled: false
f2b_vsftpd_enabled: false
f2b_vsftpd_logpath: /var/log/vsftpd.log
f2b_recidive_enabled: true
# 604800: one week
f2b_recidive_findtime: 604800
# 14515200 24 weeks
f2b_recidive_ban_time: 14515200


@ -0,0 +1,4 @@
---
- name: Restart fail2ban
service: name=fail2ban state=restarted enabled=yes

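--- a/fail2ban/meta/main.yml
+++ b/fail2ban/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+- role: '../../library/roles/iptables'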


@ -0,0 +1,14 @@
---
- name: install fail2ban ubuntu >= 14.04
apt: pkg={{ item }} state=installed
with_items:
- fail2ban
tags:
- fail2ban
- name: Install the fail2ban custom jail file
template: src=jail.local.j2 dest=/etc/fail2ban/jail.local owner=root group=root mode=444
notify: Restart fail2ban
tags:
- fail2ban

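--- a/fail2ban/tasks/main.yml
+++ b/fail2ban/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- include: fail2ban.yml
+when: is_trusty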


@ -0,0 +1,254 @@
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# Comments: use '#' for comment lines and ';' for inline comments
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 {{ cm_ip }} {{ monitoring_ip }}
# "bantime" is the number of seconds that a host is banned.
bantime = {{ f2b_ban_time }}
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = {{ f2b_findtime }}
maxretry = {{ f2b_maxretry }}
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
backend = {{ f2b_default_backend }}
# "usedns" specifies if jails should trust hostnames in logs,
# warn when reverse DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a reverse DNS lookup will be performed.
# warn: if a hostname is encountered, a reverse DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = {{ f2b_usedns }}
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = {{ f2b_dest_email }}
#
# Name of the sender for mta actions
sendername = {{ f2b_sender_email }}
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = {{ f2b_default_banaction }}
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in iptables-* actions
chain = {{ f2b_default_iptableschain }}
#
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %({{ f2b_default_action }})s
#
# JAILS
#
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
[ssh]
enabled = {{ f2b_ssh_enabled }}
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = {{ f2b_maxretry }}
[dropbear]
enabled = false
port = ssh
filter = dropbear
logpath = /var/log/auth.log
maxretry = 6
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
[ssh-ddos]
enabled = {{ f2b_ssh_ddos_enabled }}
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = {{ f2b_maxretry }}
#
# HTTP servers
#
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = {{ f2b_apache_auth_enabled }}
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-noscript]
enabled = {{ f2b_apache_noscript_enabled }}
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-overflows]
enabled = {{ f2b_apache_overflow_enabled }}
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
enabled = {{ f2b_php_url_popen }}
port = http,https
filter = php-url-fopen
logpath = /var/www/*/logs/access_log
# A simple PHP-fastcgi jail which works with lighttpd.
# If you run a lighttpd server, then you probably will
# find these kinds of messages in your error_log:
# ALERT tried to register forbidden variable GLOBALS
# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
[nginx-http-auth]
enabled = {{ f2b_nginx_auth_enabled }}
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
#
# FTP servers
#
[vsftpd]
enabled = {{ f2b_vsftpd_enabled }}
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = {{ f2b_vsftpd_logpath }}
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6
# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
# Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
[recidive]
enabled = {{ f2b_recidive_enabled }}
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime = {{ f2b_recidive_ban_time }}
findtime = {{ f2b_recidive_findtime }}
maxretry = 5
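Review bot: The header comment ('To avoid merges during upgrades DO NOT MODIFY THIS FILE and rather provide your changes in /etc/fail2ban/jail.local') was copied from jail.conf, but this template is rendered as jail.local itself, so it tells the reader the opposite of the truth; replace those two lines with `# Managed by ansible (fail2ban role, templates/jail.local.j2): change the role variables, not this file`. In `[pam-generic]` the key `port` is set twice (`port = all`, then `port = anyport`); ConfigParser keeps the last value, and the comment beside it already says the port is irrelevant with `iptables-allports`, so keep one. `action_mw`, `action_mwl` and the `[recidive]` `action` are two-line values whose continuation lines must stay indented for ConfigParser to treat them as part of the value; the rendering here drops indentation, so that cannot be verified from this page.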

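--- a/ganglia/defaults/main.yml
+++ b/ganglia/defaults/main.yml
@@ -0,0 +1,10 @@
+# These are for reference only.
+# Define your own set of variables
+#
+ganglia_gmond_cluster: "CNR-ISTI NeMIS Cluster"
+ganglia_gmond_cluster_port: 8649
+ganglia_gmond_mcast_addr: 239.2.11.71
+ganglia_gmetad_host: monitoring.research-infrastructures.eu
+ganglia_gmond_send_metadata_interval: 60
+# Needed to build the correct firewall rules when jmxtrans is in use
+ganglia_gmond_use_jmxtrans: False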
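Review bot: The templates in this commit (gmond-2.5.j2, gmond-3.1.j2 and gmond.j2) reference `ganglia_gmond_cluster_owner` and `ganglia_gmond_location`, neither of which is defined here, so a play that includes the role without setting them fails at template time with an undefined variable; either add reference values (`ganglia_gmond_cluster_owner: "unspecified"`, `ganglia_gmond_location: "unspecified"`) or extend the header comment to list the variables the caller must provide. The file also lacks the `---` document start used by the other defaults files, and `ganglia_gmond_use_jmxtrans: False` should be `false`.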


@ -0,0 +1,9 @@
modules {
module {
name = "python_module"
path = "/usr/lib/ganglia/modpython.so"
params = "/usr/lib/ganglia/python_modules"
}
}
include('/etc/ganglia/conf.d/*.pyconf')


@ -0,0 +1,2 @@
- name: Restart ganglia monitor
service: name=ganglia-monitor state=restarted

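--- a/ganglia/tasks/main.yml
+++ b/ganglia/tasks/main.yml
@@ -0,0 +1,91 @@
+---
+- name: Install the ganglia client
+apt: pkg={{ item }} state=installed
+with_items:
+- ganglia-monitor
+tags:
+- monitoring
+- ganglia
+- name: Install the ganglia linux specific plugins. We need at least ubuntu trusty or debian 7
+apt: pkg={{ item }} state=installed force=yes
+with_items:
+- ganglia-modules-linux
+- ganglia-monitor-python
+notify:
+Restart ganglia monitor
+when: is_trusty_or_debian7
+tags:
+- monitoring
+- ganglia
+- name: Distribute the ganglia configuration file for Ubuntu >= 12.04
+template: src=gmond.j2 dest=/etc/ganglia/gmond.conf owner=root group=root mode=444
+when: is_not_ubuntu_less_than_precise
+notify:
+Restart ganglia monitor
+tags:
+- monitoring
+- ganglia
+- name: Distribute the ganglia configuration file for Debian 7
+template: src=gmond.j2 dest=/etc/ganglia/gmond.conf owner=root group=root mode=444
+when: is_debian7
+notify:
+Restart ganglia monitor
+tags:
+- monitoring
+- ganglia
+- name: Distribute the ganglia configuration file for Ubuntu < 12.04 and >= 10.04 and Debian 6
+template: src=gmond-3.1.j2 dest=/etc/ganglia/gmond.conf owner=root group=root mode=444
+when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
+notify:
+Restart ganglia monitor
+tags:
+- monitoring
+- ganglia
+- name: Distribute the ganglia configuration file for Ubuntu < 10.04 and Debian 4
+template: src=gmond-2.5.j2 dest=/etc/gmond.conf owner=root group=root mode=444
+when:
+- is_ubuntu_between_8_and_9_and_is_debian_4
+notify:
+Restart ganglia monitor
+tags:
+- monitoring
+- ganglia
+- name: Distribute the ganglia configuration on broken hardy 8.04.4
+template: src=gmond-2.5.j2 dest=/etc/gmond.conf owner=root group=root mode=444
+when:
+- is_broken_hardy_lts
+notify:
+Restart ganglia monitor
+tags:
+- monitoring
+- ganglia
+- name: Setup the ganglia directory for python modules
+file: dest=/usr/lib/ganglia/python_modules state=directory
+when: is_precise
+tags:
+- ganglia
+- monitoring
+- name: Ensure that the ganglia include conf dir exists
+file: path=/etc/ganglia/conf.d state=directory
+when: is_precise
+tags:
+- ganglia
+- monitoring
+- name: Setup the ganglia configuration for python modules
+copy: src=modpython.conf dest=/etc/ganglia/conf.d/modpython.conf owner=root group=root mode=0644
+notify:
+- Restart ganglia monitor
+when: is_precise
+tags:
+- monitoring
+- ganglia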
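Review bot: 'Distribute the ganglia configuration file for Ubuntu >= 12.04' and '... for Debian 7' are identical apart from their `when`, as are the two `gmond-2.5.j2` tasks, so each pair can collapse into one task with `when: is_not_ubuntu_less_than_precise or is_debian7` (and `is_ubuntu_between_8_and_9_and_is_debian_4 or is_broken_hardy_lts`), halving the skipped-task noise. `force=yes` on 'Install the ganglia linux specific plugins' disables apt package authentication, as already noted on apache/tasks/apache.yml. File modes are `444` on the templates but `0644` on the copy, and `notify` is a bare string in five tasks but a list in the last; pick one form of each for the file.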


@ -0,0 +1,121 @@
# $Id: gmond.conf,v 1.3 2004/01/20 19:15:23 sacerdoti Exp $
# This is the configuration file for the Ganglia Monitor Daemon (gmond)
# Documentation can be found at http://ganglia.sourceforge.net/docs/
#
# To change a value from it's default simply uncomment the line
# and alter the value
#####################
#
# The name of the cluster this node is a part of
# default: "unspecified"
name "{{ ganglia_gmond_cluster }}"
#
# The owner of this cluster. Represents an administrative
# domain. The pair name/owner should be unique for all clusters
# in the world.
# default: "unspecified"
owner "{{ ganglia_gmond_cluster_owner }}"
#
# The latitude and longitude GPS coordinates of this cluster on earth.
# Specified to 1 mile accuracy with two decimal places per axis in Decimal
# DMS format: "N61.18 W130.50".
# default: "unspecified"
# latlong "N32.87 W117.22"
#
# The URL for more information on the Cluster. Intended to give purpose,
# owner, administration, and account details for this cluster.
# default: "unspecified"
# url "http://www.mycluster.edu/"
#
# The location of this host in the cluster. Given as a 3D coordinate:
# "Rack,Rank,Plane" that corresponds to a Euclidean coordinate "x,y,z".
# default: "unspecified"
location "{{ ganglia_gmond_location }}"
#
# The multicast channel for gmond to send/receive data on
# default: 239.2.11.71
mcast_channel {{ ganglia_gmond_mcast_addr }}
#
# The multicast port for gmond to send/receive data on
# default: 8649
mcast_port {{ ganglia_gmond_cluster_port }}
#
# The multicast interface for gmond to send/receive data on
# default: the kernel decides based on routing configuration
# mcast_if eth1
#
# The multicast Time-To-Live (TTL) for outgoing messages
# default: 1
# mcast_ttl 1
#
# The number of threads listening to multicast traffic
# default: 2
# mcast_threads 2
#
# Which port should gmond listen for XML requests on
# default: 8649
xml_port {{ ganglia_gmond_cluster_port }}
#
# The number of threads answering XML requests
# default: 2
# xml_threads 2
#
# Hosts ASIDE from "127.0.0.1"/localhost and those multicasting
# on the same multicast channel which you will share your XML
# data with. Multiple hosts are allowed on multiple lines.
# Can be specified with either hostnames or IP addresses.
# default: none
# trusted_hosts 1.1.1.1 1.1.1.2 1.1.1.3 \
# 2.3.2.3 3.4.3.4 5.6.5.6
trusted_hosts {{ ganglia_gmetad_host }}
#
# The number of nodes in your cluster. This value is used in the
# creation of the cluster hash.
# default: 1024
# num_nodes 1024
#
# The number of custom metrics this gmond will be storing. This
# value is used in the creation of the host custom_metrics hash.
# default: 16
# num_custom_metrics 16
#
# Run gmond in "mute" mode. Gmond will only listen to the multicast
# channel but will not send any data on the channel.
# default: off
mute off
#
# Run gmond in "deaf" mode. Gmond will only send data on the multicast
# channel but will not listen/store any data from the channel.
# default: off
deaf off
#
# Run gmond in "debug" mode. Gmond will not background. Debug messages
# are sent to stdout. Value from 0-100. The higher the number the more
# detailed debugging information will be sent.
# default: 0
# debug_level 10
#
# If you don't want gmond to setuid, set this to "on"
# default: off
# no_setuid on
#
# Which user should gmond run as?
# default: nobody
setuid ganglia
#
# If you do not want this host to appear in the gexec host list, set
# this value to "on"
# default: off
# no_gexec on
#
# If you want any host which connects to the gmond XML to receive
# data, then set this value to "on"
# default: off
all_trusted on
#
# If you want dead nodes to "time out", enter a nonzero value here. If specified,
# a host will be removed from our state if we have not heard from it in this
# number of seconds.
# default: 0 (immortal)
# host_dmax 108000
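Review bot: `all_trusted on` hands the cluster's XML state to any host that can connect to `xml_port {{ ganglia_gmond_cluster_port }}`, which makes the `trusted_hosts {{ ganglia_gmetad_host }}` line above it ineffective; the file's own comment describes `trusted_hosts` as the allow-list, so unless something other than gmetad needs to poll these nodes, set `all_trusted off` and rely on `trusted_hosts` (plus the iptables role) to limit who can read host and process metrics. `mute off` and `deaf off` restate the documented defaults and could stay commented out like the surrounding options, so that the uncommented lines are exactly the deliberate deviations.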


@ -0,0 +1,342 @@
/* This configuration is as close to 2.5.x default behavior as possible
The values closely match ./gmond/metric.h definitions in 2.5.x */
globals {
daemonize = yes
setuid = yes
user = ganglia
debug_level = 0
# max_udp_msg_len = 1472
mute = no
deaf = no
host_dmax = 3600 /*secs */
cleanup_threshold = 300 /*secs */
gexec = no
allow_extra_data = yes
send_metadata_interval = 60
}
/* If a cluster attribute is specified, then all gmond hosts are wrapped inside
* of a <CLUSTER> tag. If you do not specify a cluster tag, then all <HOSTS> will
* NOT be wrapped inside of a <CLUSTER> tag. */
cluster {
name = "{{ ganglia_gmond_cluster }}"
owner = "{{ ganglia_gmond_cluster_owner }}"
latlong = "unspecified"
url = "unspecified"
}
/* The host section describes attributes of the host, like the location */
host {
location = "{{ ganglia_gmond_location }}"
}
/* Feel free to specify as many udp_send_channels as you like. Gmond
used to only support having a single channel */
udp_send_channel {
mcast_join = {{ ganglia_gmond_mcast_addr }}
port = {{ ganglia_gmond_cluster_port }}
ttl = 1
}
/* You can specify as many udp_recv_channels as you like as well. */
udp_recv_channel {
mcast_join = {{ ganglia_gmond_mcast_addr }}
port = {{ ganglia_gmond_cluster_port }}
}
udp_recv_channel {
bind = {{ ansible_fqdn }}
port = {{ ganglia_gmond_cluster_port }}
}
/* You can specify as many tcp_accept_channels as you like to share
an xml description of the state of the cluster */
tcp_accept_channel {
port = {{ ganglia_gmond_cluster_port }}
}
/* Each metrics module that is referenced by gmond must be specified and
loaded. If the module has been statically linked with gmond, it does not
require a load path. However all dynamically loadable modules must include
a load path. */
modules {
module {
name = "core_metrics"
}
module {
name = "cpu_module"
path = "/usr/lib/ganglia/modcpu.so"
}
module {
name = "disk_module"
path = "/usr/lib/ganglia/moddisk.so"
}
module {
name = "load_module"
path = "/usr/lib/ganglia/modload.so"
}
module {
name = "mem_module"
path = "/usr/lib/ganglia/modmem.so"
}
module {
name = "net_module"
path = "/usr/lib/ganglia/modnet.so"
}
module {
name = "proc_module"
path = "/usr/lib/ganglia/modproc.so"
}
module {
name = "sys_module"
path = "/usr/lib/ganglia/modsys.so"
}
}
include ('/etc/ganglia/conf.d/*.conf')
/* The old internal 2.5.x metric array has been replaced by the following
collection_group directives. What follows is the default behavior for
collecting and sending metrics that is as close to 2.5.x behavior as
possible. */
/* This collection group will cause a heartbeat (or beacon) to be sent every
20 seconds. In the heartbeat is the GMOND_STARTED data which expresses
the age of the running gmond. */
collection_group {
collect_once = yes
time_threshold = 20
metric {
name = "heartbeat"
}
}
/* This collection group will send general info about this host every 1200 secs.
This information doesn't change between reboots and is only collected once. */
collection_group {
collect_once = yes
time_threshold = 1200
metric {
name = "cpu_num"
title = "CPU Count"
}
metric {
name = "cpu_speed"
title = "CPU Speed"
}
metric {
name = "mem_total"
title = "Memory Total"
}
/* Should this be here? Swap can be added/removed between reboots. */
metric {
name = "swap_total"
title = "Swap Space Total"
}
metric {
name = "boottime"
title = "Last Boot Time"
}
metric {
name = "machine_type"
title = "Machine Type"
}
metric {
name = "os_name"
title = "Operating System"
}
metric {
name = "os_release"
title = "Operating System Release"
}
metric {
name = "location"
title = "Location"
}
}
/* This collection group will send the status of gexecd for this host every 300 secs */
/* Unlike 2.5.x the default behavior is to report gexecd OFF. */
collection_group {
collect_once = yes
time_threshold = 300
metric {
name = "gexec"
title = "Gexec Status"
}
}
/* This collection group will collect the CPU status info every 20 secs.
The time threshold is set to 90 seconds. In honesty, this time_threshold could be
set significantly higher to reduce unneccessary network chatter. */
collection_group {
collect_every = 20
time_threshold = 180
/* CPU status */
metric {
name = "cpu_user"
value_threshold = "1.0"
title = "CPU User"
}
metric {
name = "cpu_system"
value_threshold = "1.0"
title = "CPU System"
}
metric {
name = "cpu_idle"
value_threshold = "5.0"
title = "CPU Idle"
}
metric {
name = "cpu_nice"
value_threshold = "1.0"
title = "CPU Nice"
}
metric {
name = "cpu_aidle"
value_threshold = "5.0"
title = "CPU aidle"
}
metric {
name = "cpu_wio"
value_threshold = "1.0"
title = "CPU wio"
}
/* The next two metrics are optional if you want more detail...
... since they are accounted for in cpu_system.
metric {
name = "cpu_intr"
value_threshold = "1.0"
title = "CPU intr"
}
metric {
name = "cpu_sintr"
value_threshold = "1.0"
title = "CPU sintr"
}
*/
}
collection_group {
collect_every = 20
time_threshold = 90
/* Load Averages */
metric {
name = "load_one"
value_threshold = "1.0"
title = "One Minute Load Average"
}
metric {
name = "load_five"
value_threshold = "1.0"
title = "Five Minute Load Average"
}
metric {
name = "load_fifteen"
value_threshold = "1.0"
title = "Fifteen Minute Load Average"
}
}
/* This group collects the number of running and total processes */
collection_group {
collect_every = 80
time_threshold = 950
metric {
name = "proc_run"
value_threshold = "1.0"
title = "Total Running Processes"
}
metric {
name = "proc_total"
value_threshold = "1.0"
title = "Total Processes"
}
}
/* This collection group grabs the volatile memory metrics every 40 secs and
sends them at least every 180 secs. This time_threshold can be increased
significantly to reduce unneeded network traffic. */
collection_group {
collect_every = 40
time_threshold = 180
metric {
name = "mem_free"
value_threshold = "1024.0"
title = "Free Memory"
}
metric {
name = "mem_shared"
value_threshold = "1024.0"
title = "Shared Memory"
}
metric {
name = "mem_buffers"
value_threshold = "1024.0"
title = "Memory Buffers"
}
metric {
name = "mem_cached"
value_threshold = "1024.0"
title = "Cached Memory"
}
metric {
name = "swap_free"
value_threshold = "1024.0"
title = "Free Swap Space"
}
}
collection_group {
collect_every = 40
time_threshold = 300
metric {
name = "bytes_out"
value_threshold = 4096
title = "Bytes Sent"
}
metric {
name = "bytes_in"
value_threshold = 4096
title = "Bytes Received"
}
metric {
name = "pkts_in"
value_threshold = 256
title = "Packets Received"
}
metric {
name = "pkts_out"
value_threshold = 256
title = "Packets Sent"
}
}
/* Different than 2.5.x default since the old config made no sense */
collection_group {
collect_every = 1800
time_threshold = 3600
metric {
name = "disk_total"
value_threshold = 1.0
title = "Total Disk Space"
}
}
collection_group {
collect_every = 40
time_threshold = 180
metric {
name = "disk_free"
value_threshold = 1.0
title = "Disk Space Available"
}
metric {
name = "part_max_used"
value_threshold = 1.0
title = "Maximum Disk Space Used"
}
}
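Review bot: The `tcp_accept_channel` block accepts XML queries from any address — it carries no `acl`, and unlike gmond-2.5.j2 this template never references `ganglia_gmetad_host` at all — so the host, process, memory and network metrics of every node are readable by anyone who reaches the port; restrict it to the collector with an acl as sketched below, noting that ganglia's acl takes an address and mask, so a resolved-address variable has to be added to the defaults in place of the hostname. The same open `tcp_accept_channel` appears in gmond.j2 (the section following this one). `bind = {{ ansible_fqdn }}` on the second `udp_recv_channel` will keep gmond from starting if the FQDN does not resolve to a local address — hedged, as that depends on the hosts' DNS setup.
```jinja
tcp_accept_channel {
  port = {{ ganglia_gmond_cluster_port }}
  acl {
    default = "deny"
    access {
      ip = {{ GMETAD_ADDRESS_VARIABLE_PLACEHOLDER }}  /* add an address (not hostname) variable to defaults */
      mask = 32
      action = "allow"
    }
  }
}
```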

ganglia/templates/gmond.j2 Normal file

@ -0,0 +1,343 @@
/* This configuration is as close to 2.5.x default behavior as possible
The values closely match ./gmond/metric.h definitions in 2.5.x */
globals {
daemonize = yes
setuid = yes
user = ganglia
debug_level = 0
# max_udp_msg_len = 1472
mute = no
deaf = no
host_dmax = 3600 /*secs */
cleanup_threshold = 300 /*secs */
gexec = no
allow_extra_data = yes
send_metadata_interval = {{ ganglia_gmond_send_metadata_interval }}
}
/* If a cluster attribute is specified, then all gmond hosts are wrapped inside
* of a <CLUSTER> tag. If you do not specify a cluster tag, then all <HOSTS> will
* NOT be wrapped inside of a <CLUSTER> tag. */
cluster {
name = "{{ ganglia_gmond_cluster }}"
owner = "{{ ganglia_gmond_cluster_owner }}"
latlong = "unspecified"
url = "unspecified"
}
/* The host section describes attributes of the host, like the location */
host {
location = "{{ ganglia_gmond_location }}"
}
/* Feel free to specify as many udp_send_channels as you like. Gmond
used to only support having a single channel */
udp_send_channel {
bind_hostname = yes
mcast_join = {{ ganglia_gmond_mcast_addr }}
port = {{ ganglia_gmond_cluster_port }}
ttl = 1
}
/* You can specify as many udp_recv_channels as you like as well. */
udp_recv_channel {
mcast_join = {{ ganglia_gmond_mcast_addr }}
port = {{ ganglia_gmond_cluster_port }}
}
udp_recv_channel {
bind = {{ ansible_fqdn }}
port = {{ ganglia_gmond_cluster_port }}
}
/* You can specify as many tcp_accept_channels as you like to share
an xml description of the state of the cluster */
tcp_accept_channel {
port = {{ ganglia_gmond_cluster_port }}
}
/* Each metrics module that is referenced by gmond must be specified and
loaded. If the module has been statically linked with gmond, it does not
require a load path. However all dynamically loadable modules must include
a load path. */
modules {
module {
name = "core_metrics"
}
module {
name = "cpu_module"
path = "/usr/lib/ganglia/modcpu.so"
}
module {
name = "disk_module"
path = "/usr/lib/ganglia/moddisk.so"
}
module {
name = "load_module"
path = "/usr/lib/ganglia/modload.so"
}
module {
name = "mem_module"
path = "/usr/lib/ganglia/modmem.so"
}
module {
name = "net_module"
path = "/usr/lib/ganglia/modnet.so"
}
module {
name = "proc_module"
path = "/usr/lib/ganglia/modproc.so"
}
module {
name = "sys_module"
path = "/usr/lib/ganglia/modsys.so"
}
}
include ('/etc/ganglia/conf.d/*.conf')
/* The old internal 2.5.x metric array has been replaced by the following
collection_group directives. What follows is the default behavior for
collecting and sending metrics that is as close to 2.5.x behavior as
possible. */
/* This collection group will cause a heartbeat (or beacon) to be sent every
20 seconds. In the heartbeat is the GMOND_STARTED data which expresses
the age of the running gmond. */
collection_group {
collect_once = yes
time_threshold = 20
metric {
name = "heartbeat"
}
}
/* This collection group will send general info about this host every 1200 secs.
This information doesn't change between reboots and is only collected once. */
collection_group {
collect_once = yes
time_threshold = 1200
metric {
name = "cpu_num"
title = "CPU Count"
}
metric {
name = "cpu_speed"
title = "CPU Speed"
}
metric {
name = "mem_total"
title = "Memory Total"
}
/* Should this be here? Swap can be added/removed between reboots. */
metric {
name = "swap_total"
title = "Swap Space Total"
}
metric {
name = "boottime"
title = "Last Boot Time"
}
metric {
name = "machine_type"
title = "Machine Type"
}
metric {
name = "os_name"
title = "Operating System"
}
metric {
name = "os_release"
title = "Operating System Release"
}
metric {
name = "location"
title = "Location"
}
}
/* This collection group will send the status of gexecd for this host every 300 secs */
/* Unlike 2.5.x the default behavior is to report gexecd OFF. */
collection_group {
collect_once = yes
time_threshold = 300
metric {
name = "gexec"
title = "Gexec Status"
}
}
/* This collection group will collect the CPU status info every 20 secs.
The time threshold is set to 90 seconds. In honesty, this time_threshold could be
set significantly higher to reduce unneccessary network chatter. */
collection_group {
collect_every = 20
time_threshold = 180
/* CPU status */
metric {
name = "cpu_user"
value_threshold = "1.0"
title = "CPU User"
}
metric {
name = "cpu_system"
value_threshold = "1.0"
title = "CPU System"
}
metric {
name = "cpu_idle"
value_threshold = "5.0"
title = "CPU Idle"
}
metric {
name = "cpu_nice"
value_threshold = "1.0"
title = "CPU Nice"
}
metric {
name = "cpu_aidle"
value_threshold = "5.0"
title = "CPU aidle"
}
metric {
name = "cpu_wio"
value_threshold = "1.0"
title = "CPU wio"
}
/* The next two metrics are optional if you want more detail...
... since they are accounted for in cpu_system.
metric {
name = "cpu_intr"
value_threshold = "1.0"
title = "CPU intr"
}
metric {
name = "cpu_sintr"
value_threshold = "1.0"
title = "CPU sintr"
}
*/
}
collection_group {
collect_every = 20
time_threshold = 90
/* Load Averages */
metric {
name = "load_one"
value_threshold = "1.0"
title = "One Minute Load Average"
}
metric {
name = "load_five"
value_threshold = "1.0"
title = "Five Minute Load Average"
}
metric {
name = "load_fifteen"
value_threshold = "1.0"
title = "Fifteen Minute Load Average"
}
}
/* This group collects the number of running and total processes */
collection_group {
collect_every = 80
time_threshold = 950
metric {
name = "proc_run"
value_threshold = "1.0"
title = "Total Running Processes"
}
metric {
name = "proc_total"
value_threshold = "1.0"
title = "Total Processes"
}
}
/* This collection group grabs the volatile memory metrics every 40 secs and
sends them at least every 180 secs. This time_threshold can be increased
significantly to reduce unneeded network traffic. */
collection_group {
collect_every = 40
time_threshold = 180
metric {
name = "mem_free"
value_threshold = "1024.0"
title = "Free Memory"
}
metric {
name = "mem_shared"
value_threshold = "1024.0"
title = "Shared Memory"
}
metric {
name = "mem_buffers"
value_threshold = "1024.0"
title = "Memory Buffers"
}
metric {
name = "mem_cached"
value_threshold = "1024.0"
title = "Cached Memory"
}
metric {
name = "swap_free"
value_threshold = "1024.0"
title = "Free Swap Space"
}
}
collection_group {
collect_every = 40
time_threshold = 300
metric {
name = "bytes_out"
value_threshold = 4096
title = "Bytes Sent"
}
metric {
name = "bytes_in"
value_threshold = 4096
title = "Bytes Received"
}
metric {
name = "pkts_in"
value_threshold = 256
title = "Packets Received"
}
metric {
name = "pkts_out"
value_threshold = 256
title = "Packets Sent"
}
}
/* Different than 2.5.x default since the old config made no sense */
collection_group {
collect_every = 1800
time_threshold = 3600
metric {
name = "disk_total"
value_threshold = 1.0
title = "Total Disk Space"
}
}
collection_group {
collect_every = 40
time_threshold = 180
metric {
name = "disk_free"
value_threshold = 1.0
title = "Disk Space Available"
}
metric {
name = "part_max_used"
value_threshold = 1.0
title = "Maximum Disk Space Used"
}
}
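Review bot: The `tcp_accept_channel` block sets only `port`, so any host that can reach `{{ ganglia_gmond_cluster_port }}` can pull the full cluster XML (host names, OS release, load, memory); the iptables template in this same commit restricts that port to `ganglia_gmetad_host`, but gmond itself enforces nothing on hosts where that role is not applied. gmond accepts an `acl` block inside the channel for exactly this, e.g. `acl { default = "deny" access { ip = <gmetad host placeholder>; mask = 32; action = "allow" } }` keyed on `ganglia_gmetad_host`. Separately, the comment above the CPU collection group says "The time threshold is set to 90 seconds" while the block sets `time_threshold = 180`; change it to `/* The time threshold is set to 180 seconds. */` so the comment matches the value.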


@ -0,0 +1,8 @@
---
haproxy_latest_release: False
haproxy_version: 1.5
haproxy_latest_repo: "deb http://haproxy.debian.net {{ ansible_distribution }}-backports-{{ haproxy_version }} main"
haproxy_pkg_state: latest
haproxy_default_port: 80
haproxy_terminate_tls: False
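Review bot: `haproxy_version: 1.5` is an unquoted float that is only ever used inside strings (`haproxy_latest_repo` here, `default_release` in the tasks); it happens to round-trip today, but a value like `1.10` would render as `1.1`, so quote it: `haproxy_version: "1.5"`. `haproxy_pkg_state: latest` is not referenced by the tasks, which hard-code `state=latest`; either wire it in as `state={{ haproxy_pkg_state }}` or drop the variable.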

haproxy/tasks/main.yml Normal file

@ -0,0 +1,27 @@
---
- name: Get the haproxy repo key
apt_key: url=http://haproxy.debian.net/bernat.debian.org.gpg state=present
when: haproxy_latest_release
register: haproxy_repo
tags: haproxy
- name: Define the haproxy repository
apt_repository: repo='{{ haproxy_latest_repo }}' state=present
when: haproxy_latest_release
register: haproxy_repo
tags: haproxy
- name: Update the apt cache if needed
apt: update_cache=yes
when: ( haproxy_repo | changed )
tags: haproxy
- name: Install the haproxy package
apt: name=haproxy state=latest default_release={{ ansible_distribution}}-backports
when: not haproxy_latest_release
tags: haproxy
- name: Install the haproxy package
apt: name=haproxy state=latest default_release={{ ansible_distribution}}-backports-{{ haproxy_version }}
when: not haproxy_latest_release
tags: haproxy
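Review bot: Both `Install the haproxy package` tasks run under `when: not haproxy_latest_release`, so with the flag true nothing installs haproxy at all, and with it false both run, the second against a `-backports-{{ haproxy_version }}` release that the plain backports suite does not carry; the second task presumably wants `when: haproxy_latest_release`. `ansible_distribution` expands to `Ubuntu`/`Debian` while backports suites are named after the release codename, so `{{ ansible_distribution_release }}-backports` is likely what both tasks and `haproxy_latest_repo` need — verify against the suite names the haproxy.debian.net repository publishes. The repository key is fetched with `apt_key: url=http://...`, so the trust anchor for every later package arrives unauthenticated; fetch it over https if offered, or ship the key with the role and pass it via `file=`, and note that `register: haproxy_repo` is assigned by both repo tasks so only the second result drives the cache update.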


@ -0,0 +1,43 @@
---
#
# Reference only. Check the iptables-rules.v4.j2 for the list of accepted variables
#
#pg_allowed_hosts:
# - 146.48.123.17/32
# - 146.48.122.110/32
#
#munin_server:
# - 146.48.122.15
# - 146.48.87.88
#http_port: 80
#http_allowed_hosts:
# - 1.2.3.4/24
#https_port: 443
#https_allowed_hosts:
# - 0.0.0.0/0
#
# Generic tcp and udp access
# iptables:
# tcp_rules: True
# tcp:
# - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ] }
# - { port: '80', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ] }
# - { port: '80' }
# udp_rules: True
# udp:
# - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ] }
# munin_server:
# - 146.48.122.15
# - 146.48.87.88
#nagios_monitoring_server_ip: 146.48.123.23
#mongodb:
# start_server: 'yes'
# tcp_port: 27017
# allowed_hosts:
# - 146.48.123.100/32
#iptables_default_policy: REJECT
iptables_default_policy: ACCEPT
iptables_open_all_to_isti_nets: False
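Review bot: `iptables_default_policy: ACCEPT` makes the role fail-open by default: the chain policies in the template are already `ACCEPT` and the closing rule renders as `-A INPUT -j ACCEPT`, so a host that applies this role without overrides gets a ruleset that permits everything except the few explicit DROPs (postgres, mongodb, the one hard-coded range). The commented `#iptables_default_policy: REJECT` line suggests REJECT was the intended safe value; either switch the default or document the behaviour right above the key, e.g. `# ACCEPT leaves the host open; set REJECT to enforce the allow-lists rendered by iptables-rules.v4.j2`.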


@ -0,0 +1,22 @@
---
- name: Start the iptables service
service: name=iptables-persistent state=started
notify: Restart fail2ban
- name: Flush the iptables rules
command: /etc/init.d/iptables-persistent flush
ignore_errors: true
- name: Start the iptables service on Ubuntu < 12.04
command: /etc/init.d/iptables-persistent start
ignore_errors: true
- name: Stop the iptables service on Ubuntu < 12.04
command: /etc/init.d/iptables-persistent stop
ignore_errors: true
- name: Restart fail2ban
service: name=fail2ban state=restarted enabled=yes
when: is_trusty
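Review bot: `Start the iptables service` uses `state=started`, so if the init script already reports the service as running the handler is a no-op and rules freshly written by the template task are not loaded until the next boot; I'd expect `state=restarted` (or `reloaded`, if the packaged `iptables-persistent` script supports it on the target releases — worth checking) here. The `Flush the iptables rules` handler leaves the host with ACCEPT chain policies and no rules until something reloads them, and nothing in this hunk notifies it; if it is meant to be triggered from another role, a comment naming the caller would make that dependency visible.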

iptables/tasks/main.yml Normal file

@ -0,0 +1,32 @@
---
- name: Install the needed iptables packages
apt: pkg={{ item }} state=installed
with_items:
- iptables
- iptables-persistent
tags:
- iptables
- name: Install the IPv4 rules with a different name. Needed by Ubuntu < 12.04
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/rules owner=root group=root mode=0640
with_items:
- rules.v4
when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
notify:
- Start the iptables service on Ubuntu < 12.04
tags:
- iptables
- iptables_rules
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items:
- rules.v4
- rules.v6
when: is_not_ubuntu_less_than_precise
notify:
- Start the iptables service
tags:
- iptables
- iptables_rules
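Review bot: `state=installed` is the legacy alias for `present` in the apt module; the apache and jetty tasks in this commit use it as well, and a freshly laid-out tree is the moment to settle on `state=present`. The task title says the IPv6 rules "are not used", but the file is still deployed and loaded; a comment such as `# rules.v6 is an accept-all skeleton: IPv6 traffic is NOT filtered by this role` on the task would stop a reader from assuming v6 gets the same allow-lists as v4.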


@ -0,0 +1,182 @@
#
# don't manually modify this file
#
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#
{% if iptables_managed_ssh is defined and iptables_managed_ssh %}
{% if iptables_ssh_allowed_hosts is defined %}
# ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses
{% for ip in ssh_allowed_hosts %}
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT
{% endfor %}
{% endif %}
{% else %}
# ssh is always open. We use denyhosts to prevent unauthorized accesses
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
{% endif %}
{% if iptables_open_all_to_isti_nets %}
# Permit all traffic from our networks
-A INPUT -s {{ network.isti }} -j ACCEPT
-A INPUT -s {{ network.nmis }} -j ACCEPT
-A INPUT -s {{ network.eduroam }} -j ACCEPT
{% endif %}
{% if http_port is defined %}
# http
{% if http_allowed_hosts is defined %}
{% for ip in http_allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ http_port }} -j ACCEPT
{% endfor %}
{% else %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT
{% endif %}
{% endif %}
{% if https_port is defined %}
# https
{% if https_allowed_hosts is defined %}
{% for ip in https_allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ https_port }} -j ACCEPT
{% endfor %}
{% else %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT
{% endif %}
{% endif %}
{% if psql_db_port is defined %}
{% if psql_listen_on_ext_int %}
# postgresql clients
{% for db in psql_db_data %}
{% for ip in db.allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
{% endfor %}
{% endfor %}
{% endif %}
-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
{% endif %}
{% if mongodb_allowed_hosts is defined %}
# mongodb clients
{% for ip in mongodb_allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j ACCEPT
{% endfor %}
-A INPUT -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j DROP
{% endif %}
{% if dnet_ports is defined %}
# dnet services
{% for tcp_port in dnet_ports %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tcp_port }} -j ACCEPT
{% endfor %}
{% endif %}
{% if dnet_jmx_ports is defined %}
# dnet jmx ports. Open to the isti networks only
{% for tcp_port in dnet_jmx_ports %}
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.isti }} --dport {{ tcp_port }} -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.nmis }} --dport {{ tcp_port }} -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.eduroam }} --dport {{ tcp_port }} -j ACCEPT
{% endfor %}
{% endif %}
{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
# Someone still uses ftp
{% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %}
{% for ip in vsftpd_iptables_allowed_hosts %}
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport ftp -j ACCEPT
-A INPUT -m state --state NEW,RELATED -m tcp -p tcp -s {{ ip }} --dport {{ vsftpd_pasv_min_port }}:{{ vsftpd_pasv_max_port }} -j ACCEPT
{% endfor %}
-A INPUT -m helper --helper ftp -j ACCEPT
{% endif %}
{% endif %}
{% if nagios_monitoring_server_ip is defined %}
# Nagios NRPE
-A INPUT -m state --state NEW -s {{ nagios_monitoring_server_ip }} -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -s {{ nagios_monitoring_server_ip }} -p udp -m udp --dport 123 -j ACCEPT
{% endif %}
{% if munin_server is defined and configure_munin is defined and configure_munin %}
{% for ip in munin_server %}
# Munin
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT
{% endfor %}
{% endif %}
{% if ganglia_gmond_cluster_port is defined %}
# Ganglia
{% if ganglia_gmond_use_jmxtrans is not defined or not ganglia_gmond_use_jmxtrans %}
-A INPUT -m pkttype --pkt-type multicast -d {{ ganglia_gmond_mcast_addr }} -j ACCEPT
{% else %}
-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
-A INPUT -p udp -m udp -d {{ ganglia_gmond_mcast_addr }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
{% endif %}
-A INPUT -m state --state NEW -s {{ ganglia_gmetad_host }} -p tcp -m tcp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
-A INPUT -s {{ ganglia_gmetad_host }} -p udp -m udp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
{% endif %}
{% if postfix_relay_server is defined and postfix_relay_server %}
#
# These are only needed on the machines that act as relay servers
#
-A INPUT -p tcp -m multiport --dports 25,587,465 -s {{ network.nmis }} -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
{% if postfix_use_relay_host is defined and postfix_use_relay_host %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
{% else %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -j ACCEPT
{% endif %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
{% endif %}
{% if postfix_relay_server is defined and not postfix_relay_server %}
#
# When we are not a relay server but we want send email using our relay
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
{% endif %}
{% if iptables is defined %}
{% if iptables.tcp_rules is defined and iptables.tcp_rules %}
{% for tcp_rule in iptables.tcp %}
{% if tcp_rule.allowed_hosts is defined %}
{% for ip in tcp_rule.allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j ACCEPT
{% endfor %}
{% else %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j ACCEPT
{% endif %}
{% endfor %}
{% endif %}
{% if iptables.udp_rules is defined and iptables.udp_rules %}
{% for udp_rule in iptables.udp %}
{% if udp_rule.allowed_hosts is defined %}
{% for ip in udp_rule.allowed_hosts %}
-A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j ACCEPT
{% endfor %}
{% else %}
-A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j ACCEPT
{% endif %}
{% endfor %}
{% endif %}
{% endif %}
#
#
-A INPUT -s 125.24.0.0/14 -j DROP
{% if iptables_default_policy == 'REJECT' %}
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
{% else %}
-A INPUT -j {{ iptables_default_policy }}
-A FORWARD -j {{ iptables_default_policy }}
{% endif %}
COMMIT
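Review bot: The managed-ssh branch tests `iptables_ssh_allowed_hosts is defined` but then iterates `{% for ip in ssh_allowed_hosts %}`, a different variable; with only `iptables_ssh_allowed_hosts` set the render either fails on the undefined name or, under a lenient undefined, emits no port-22 rule at all, and with `iptables_default_policy: REJECT` that locks out remote administration. Change the loop to `{% for ip in iptables_ssh_allowed_hosts %}`. The `-A INPUT -s 125.24.0.0/14 -j DROP` line near the end carries no explanation; a one-line comment above it stating why that range is dropped would keep the next maintainer from removing it blindly.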


@ -0,0 +1,5 @@
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
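Review bot: The IPv6 ruleset is three `ACCEPT` chain policies and `COMMIT`, so on a dual-stack host everything the v4 template restricts (the ssh allow-list, database ports, the REJECT default) is reachable unfiltered over v6. Unless IPv6 is disabled on every target, the file should at least mirror the v4 skeleton and its final-policy block so that `iptables_default_policy: REJECT` closes both address families; the ssh allow rules must be mirrored too, otherwise a REJECT default cuts off administrators who reach the host over v6. `icmp6-adm-prohibited` is the ip6tables counterpart of `icmp-host-prohibited`, and `ipv6-icmp` must be allowed for neighbour discovery to keep working.
```jinja
{# … unchanged: *filter header and the three chain-policy lines … #}
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
{# … ssh and per-service allow rules, mirrored from iptables-rules.v4.j2 … #}
{% if iptables_default_policy == 'REJECT' %}
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
{% else %}
-A INPUT -j {{ iptables_default_policy }}
-A FORWARD -j {{ iptables_default_policy }}
{% endif %}
COMMIT
```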


@ -0,0 +1,22 @@
---
jetty:
activate_at_boot: True
listen_ip: 127.0.0.1
user: jetty
group: jetty
verbose: "Yes"
java_opts: "-Xmx1024m -Djava.awt.headless=true"
http_port: 8080
java_opts: "-Xmx2048m -XX:MaxPermSize=512m -Djava.awt.headless=true -Dorg.mortbay.util.URI.charset=utf-8"
enable_jmx: False
jmx_java_options: "-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8286 -Dcom.sun.management.jmxremote.ssl=false"
cache_dir: /var/cache/jetty
tmp_dir: /var/cache/jetty/data
jvm_tmp_dir: /var/cache/jetty/tmp
shutdown_timeout: 30
java_home: ""
logfile_days: 14
define_lang: False
lang: "en_US.UTF-8"
open_files: 2048
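Review bot: `java_opts` appears twice inside the `jetty` mapping (`-Xmx1024m ...` and then `-Xmx2048m -XX:MaxPermSize=512m ...`); YAML loaders keep the last value silently, so the first line is dead and misleads anyone reading the defaults. Delete the `-Xmx1024m` entry. `verbose: "Yes"` is presumably quoted because `/etc/default/jetty` wants the literal word rather than a boolean; a short comment saying so would stop someone from "fixing" it to `true`.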


@ -0,0 +1,9 @@
---
- name: apache2 reload
service: name=apache2 state=reloaded
- name: Start jetty
service: name=jetty state=started
- name: Restart jetty
service: name=jetty state=restarted


@ -0,0 +1,29 @@
---
- name: Install the apache packages
apt: pkg={{ item }} state=installed force=yes
with_items:
- apache2
- apache2-mpm-prefork
- apache2-utils
- unzip
- zip
tags:
- apache
- name: Load the required modules
file: src=/etc/apache2/mods-available/{{ item }} dest=/etc/apache2/mods-enabled/{{ item }} state=link
with_items:
- proxy.load
- proxy_http.load
- headers.load
- rewrite.load
- expires.load
notify: apache2 reload
tags:
- apache
- name: Remove the default apache virtualhost
file: dest=/etc/apache2/sites-enabled/000-default state=absent
notify: apache2 reload
tags:
- apache
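Review bot: `apt: ... force=yes` passes `--force-yes` to apt-get, which among other things allows unsigned or wrongly-signed packages to install, so the signature check on every package in this list is switched off with no visible reason; drop `force=yes`, or add a comment naming the specific conflict it works around. The same flag is on the jetty package tasks in both jetty.yml copies below (`Install the jetty packages`, `Install the apache mod_jk module`), where the same applies.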


@ -0,0 +1,53 @@
---
- name: Install the jetty packages
apt: pkg={{ item }} state=installed force=yes
with_items:
- jetty
- libapache2-mod-jk
notify:
apache2 reload
tags:
- jetty
- name: Ensure that the jetty cache directory exists
file: dest={{ item }} owner={{ jetty.user }} group={{ jetty.group }} mode=0750 state=directory
with_items:
- '{{ jetty.cache_dir }}'
- '{{ jetty.tmp_dir }}'
- '{{ jetty.jvm_tmp_dir }}'
tags:
- jetty
- name: Install the jetty defaults
template: src=jetty-defaults.j2 dest=/etc/default/jetty
notify:
Restart jetty
tags:
- jetty
# - name: Set the jetty limits
# template: src={{ item }}.j2 dest=/etc/jetty/{{ item }}
# with_items:
# - jetty-setuid.xml
# notify:
# Restart jetty
# tags:
# - jetty
# - name: Load jetty-setuid.xml in /etc/jetty/jetty.conf
# lineinfile: name=/etc/jetty/jetty.conf line={{ item }}
# with_items:
# - '/etc/jetty/jetty-setuid.xml'
# notify:
# Restart jetty
# tags:
# - jetty
- name: Set the jetty limits
template: src={{ item }}.j2 dest=/etc/security/limits.d/{{ item }}
with_items:
- jetty-limits.conf
notify:
Restart jetty
tags:
- jetty
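Review bot: Two task blocks (the `jetty-setuid.xml` template and the `jetty.conf` lineinfile) are carried commented out while `jetty-setuid.xml.j2` is still shipped, so the template is dead config that invites someone to re-enable it without the tasks; either drop the commented tasks and the template together, or put a comment above the first block saying why they are disabled and what would have to change to bring them back. The `Install the jetty packages` task notifies `apache2 reload` even though it installs jetty itself; if the reload is only meant for `libapache2-mod-jk`, splitting the list would make the intent clearer.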


@ -0,0 +1,3 @@
---
- include: apache.yml
- include: jetty.yml


@ -0,0 +1,51 @@
# change to 0 to allow Jetty to start
{% if jetty.activate_at_boot %}
NO_START=0
{% else %}
NO_START=YES
{% endif %}
# change to 'no' or uncomment to use the default setting in /etc/default/rcS
VERBOSE={{ jetty.verbose }}
# Run Jetty as this user ID (default: jetty)
# Set this to an empty string to prevent Jetty from starting automatically
JETTY_USER={{ jetty.user }}
# Listen to connections from this network host
# Use 0.0.0.0 as host to accept all connections.
# Uncomment to restrict access to localhost
JETTY_HOST={{ jetty.listen_ip }}
# The network port used by Jetty
JETTY_PORT={{ jetty.http_port }}
# Timeout in seconds for the shutdown of all webapps
JETTY_SHUTDOWN={{ jetty.shutdown_timeout }}
# Additional arguments to pass to Jetty
#JETTY_ARGS=
# Extra options to pass to the JVM
JAVA_OPTIONS="{{ jetty.java_opts }}"
{% if jetty.enable_jmx %}
JAVA_OPTIONS="$JAVA_OPTIONS {{ jetty.jmx_java_options }}"
{% endif %}
# Home of Java installation.
JAVA_HOME={{ jetty.java_home }}
# Jetty uses a directory to store temporary files like unpacked webapps
JETTY_TMP={{ jetty.tmp_dir }}
JVM_TMP={{ jetty.jvm_tmp_dir }}
# Jetty uses a config file to setup its boot classpath
#JETTY_START_CONFIG=/etc/jetty/start.config
# Default for number of days to keep old log files in /var/log/jetty/
LOGFILE_DAYS={{ jetty.logfile_days }}
{% if jetty.define_lang %}
export LANG={{ jetty.lang }}
{% endif %}
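Review bot: The `enable_jmx` branch appends the JMX options to `JAVA_OPTIONS`, but unlike `JETTY_HOST` nothing limits where the JMX/RMI listener binds — as far as I know the JVM's `jmxremote.port` listener accepts connections on all interfaces — so enabling it on a host whose Jetty is deliberately pinned to `127.0.0.1` still exposes a management port network-wide. A comment above the block, e.g. `# JMX listens on all interfaces regardless of JETTY_HOST; restrict the port at the firewall when enabling`, would make that visible; the same applies to the copy under jetty/templates further down. `JAVA_HOME={{ jetty.java_home }}` and the other unquoted assignments break if a value ever contains spaces; writing `JAVA_HOME="{{ jetty.java_home }}"` is cheap insurance.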


@ -0,0 +1,4 @@
{{ jetty.user }} soft nofile {{ jetty.open_files }}
{{ jetty.user }} hard nofile {{ jetty.open_files }}
root soft nofile {{ jetty.open_files }}
root hard nofile {{ jetty.open_files }}


@ -0,0 +1,22 @@
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
<!-- =============================================================== -->
<!-- Configure the Jetty SetUIDServer -->
<!-- this configuration file should be used in combination with -->
<!-- other configuration files. e.g. -->
<!-- java -jar start.jar etc/jetty-setuid.xml etc/jetty.xml -->
<!-- =============================================================== -->
<Configure id="Server" class="org.mortbay.setuid.SetUIDServer">
<Set name="startServerAsPrivileged">false</Set>
<Set name="umask">2</Set>
<Set name="uid">{{ jetty.user }}</Set>
<Set name="gid">{{ jetty.group }}</Set>
<Call name="setRLimitNoFiles">
<Arg>
<New class="org.mortbay.setuid.RLimit">
<Set name="soft">{{ jetty.open_files }}</Set>
<Set name="hard">{{ jetty.open_files }}</Set>
</New>
</Arg>
</Call>
</Configure>
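Review bot: `<Set name="uid">{{ jetty.user }}</Set>` passes a user name where, as far as I recall, `org.mortbay.setuid.SetUIDServer` expects numeric ids for `uid`/`gid` and offers `username`/`groupname` for names — worth confirming against the setuid jar shipped on the target, since a type mismatch here is a startup failure rather than a silent fallback. No task in this commit installs this template (the tasks that would are commented out in jetty.yml, and jetty/tasks/jetty.yml has none), so as shipped it is dead; the same holds for the copy under jetty/templates below, which has the identical `uid`/`gid` question.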

jetty/defaults/main.yml Normal file

@ -0,0 +1,25 @@
---
jetty_activate_at_boot: True
jetty_listen_ip: 127.0.0.1
jetty_user: jetty
jetty_group: jetty
jetty_verbose: "Yes"
jetty_http_port: 8080
jetty_ajp_port: 8009
jetty_java_opts: "-Xmx2048m -XX:MaxPermSize=512m -Djava.awt.headless=true -Dorg.mortbay.util.URI.charset=utf-8"
jetty_enable_jmx: False
jetty_jmx_port: 8286
jetty_jmx_authenticate: "false"
jetty_jmx_ssl: "false"
jetty_jmx_java_options: "-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=${jetty_jmx_authenticate} -Dcom.sun.management.jmxremote.port=${jetty_jmx_port} -Dcom.sun.management.jmxremote.ssl=${jetty_jmx_ssl}"
jetty_cache_dir: /var/cache/jetty
jetty_tmp_dir: /var/cache/jetty/data
jetty_jvm_tmp_dir: /var/cache/jetty/tmp
jetty_shutdown_timeout: 30
jetty_java_home: ""
jetty_logfile_days: 14
jetty_define_lang: False
jetty_lang: "en_US.UTF-8"
jetty_open_files: 2048
jetty_use_apache: False
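Review bot: `jetty_jmx_java_options` interpolates `${jetty_jmx_authenticate}`, `${jetty_jmx_port}` and `${jetty_jmx_ssl}` with shell syntax, which neither YAML nor Jinja touches; the string lands verbatim in `/etc/default/jetty`, where the init script's shell expands them as unset shell variables, so the JVM would receive empty `authenticate=`/`port=`/`ssl=` values instead of the defaults above. Use `{{ jetty_jmx_authenticate }}`, `{{ jetty_jmx_port }}` and `{{ jetty_jmx_ssl }}`. The defaults also turn both authentication and SSL off for the remote JMX port, which is an unauthenticated management interface on whatever interface the JVM binds; when `jetty_enable_jmx` is switched on it should be paired with a host-level allow-list (the iptables role in this commit supports per-port `allowed_hosts`) or left at `authenticate=true` with a password file, and a comment here should say so.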

jetty/handlers/main.yml Normal file

@ -0,0 +1,9 @@
---
- name: apache2 reload
service: name=apache2 state=reloaded
- name: Start jetty
service: name=jetty state=started
- name: Restart jetty
service: name=jetty state=restarted

jetty/tasks/jetty.yml Normal file

@ -0,0 +1,48 @@
---
- name: Install the jetty packages
apt: pkg={{ item }} state=installed force=yes
with_items:
- jetty
tags:
- jetty
- name: Fix the broken jetty startup script
shell: perl -pi -e "s/\^\[:space:]\*/^[[:space:]]*/g" /etc/init.d/jetty
ignore_errors: True
tags:
- jetty
- name: Install the apache mod_jk module, if needed
apt: pkg={{ item }} state=installed force=yes
with_items:
- libapache2-mod-jk
when: jetty_use_apache is defined and jetty_use_apache
notify:
apache2 reload
tags:
- jetty
- name: Ensure that the jetty cache directory exists
file: dest={{ item }} owner={{ jetty_user }} group={{ jetty_group }} mode=0750 state=directory
with_items:
- '{{ jetty_cache_dir }}'
- '{{ jetty_tmp_dir }}'
- '{{ jetty_jvm_tmp_dir }}'
tags:
- jetty
- name: Install the jetty defaults
template: src=jetty-defaults.j2 dest=/etc/default/jetty
notify:
Restart jetty
tags:
- jetty
- name: Set the jetty limits
template: src={{ item }}.j2 dest=/etc/security/limits.d/{{ item }}
with_items:
- jetty-limits.conf
notify:
Restart jetty
tags:
- jetty
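Review bot: `shell: perl -pi -e ...` rewrites `/etc/init.d/jetty` on every run, so the task always reports changed, and `ignore_errors: True` hides both a missing init script and a failed edit; the `replace` module does the same edit idempotently and reports honestly: `replace: dest=/etc/init.d/jetty regexp='\^\[:space:\]\*' replace='^[[:space:]]*'`. A one-line comment stating what is broken in the packaged script (which release, which line) would tell a future maintainer when the workaround can be dropped.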

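--- /dev/null
+++ b/jetty/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+- include: jetty.yml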


@ -0,0 +1,51 @@
# change to 0 to allow Jetty to start
{% if jetty_activate_at_boot %}
NO_START=0
{% else %}
NO_START=YES
{% endif %}
# change to 'no' or uncomment to use the default setting in /etc/default/rcS
VERBOSE={{ jetty_verbose }}
# Run Jetty as this user ID (default: jetty)
# Set this to an empty string to prevent Jetty from starting automatically
JETTY_USER={{ jetty_user }}
# Listen to connections from this network host
# Use 0.0.0.0 as host to accept all connections.
# Uncomment to restrict access to localhost
JETTY_HOST={{ jetty_listen_ip }}
# The network port used by Jetty
JETTY_PORT={{ jetty_http_port }}
# Timeout in seconds for the shutdown of all webapps
JETTY_SHUTDOWN={{ jetty_shutdown_timeout }}
# Additional arguments to pass to Jetty
#JETTY_ARGS=
# Extra options to pass to the JVM
JAVA_OPTIONS="{{ jetty_java_opts }}"
{% if jetty_enable_jmx %}
JAVA_OPTIONS="$JAVA_OPTIONS {{ jetty_jmx_java_options }}"
{% endif %}
# Home of Java installation.
JAVA_HOME={{ jetty_java_home }}
# Jetty uses a directory to store temporary files like unpacked webapps
JETTY_TMP={{ jetty_tmp_dir }}
JVM_TMP={{ jetty_jvm_tmp_dir }}
# Jetty uses a config file to setup its boot classpath
#JETTY_START_CONFIG=/etc/jetty/start.config
# Default for number of days to keep old log files in /var/log/jetty/
LOGFILE_DAYS={{ jetty_logfile_days }}
{% if jetty_define_lang %}
export LANG={{ jetty_lang }}
{% endif %}


@ -0,0 +1,4 @@
{{ jetty_user }} soft nofile {{ jetty_open_files }}
{{ jetty_user }} hard nofile {{ jetty_open_files }}
root soft nofile {{ jetty_open_files }}
root hard nofile {{ jetty_open_files }}


@ -0,0 +1,22 @@
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
<!-- =============================================================== -->
<!-- Configure the Jetty SetUIDServer -->
<!-- this configuration file should be used in combination with -->
<!-- other configuration files. e.g. -->
<!-- java -jar start.jar etc/jetty-setuid.xml etc/jetty.xml -->
<!-- =============================================================== -->
<Configure id="Server" class="org.mortbay.setuid.SetUIDServer">
<Set name="startServerAsPrivileged">false</Set>
<Set name="umask">2</Set>
<Set name="uid">{{ jetty_user }}</Set>
<Set name="gid">{{ jetty_group }}</Set>
<Call name="setRLimitNoFiles">
<Arg>
<New class="org.mortbay.setuid.RLimit">
<Set name="soft">{{ jetty_open_files }}</Set>
<Set name="hard">{{ jetty_open_files }}</Set>
</New>
</Arg>
</Call>
</Configure>


@ -0,0 +1,4 @@
---
nemis_ldap_uri: "ldap://ldap.sub.research-infrastructures.eu"
nemis_ldap_base_dn: "dc=research-infrastructures,dc=eu"


@ -0,0 +1,39 @@
---
- name: Install the ldap utilities
apt: pkg={{ item }} state={{ pkg_state }}
with_items:
- ldapscripts
- libpam-ldap
tags:
- ldap-client
- name: Write the ldap client configuration file
template: src=ldap.conf.j2 dest=/etc/ldap.conf mode=444 owner=root group=root
when: is_ubuntu_less_than_trusty
tags:
- ldap-client
- name: Write the ldap client configuration file
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=444 owner=root group=root
when: is_trusty
tags:
- ldap-client
- name: set the ldapscripts.conf uri
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SERVER value='{{ nemis_ldap_uri }}' syntax=shell
when: is_trusty
tags:
- ldap-client
- name: set the ldapscripts.conf bind dn
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=BINDDN value='cn=admin,{{ nemis_ldap_base_dn }}' syntax=shell
when: is_trusty
tags:
- ldap-client
- name: set the ldapscripts.conf dn suffix
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SUFFIX value='{{ nemis_ldap_base_dn }}' syntax=shell
when: is_trusty
tags:
- ldap-client
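Review bot: `state={{ pkg_state }}` relies on a variable this role does not define (its defaults hold only `nemis_ldap_uri` and `nemis_ldap_base_dn`), so the role fails at its first task unless `pkg_state` arrives from group or play vars; add `pkg_state: present` to the defaults or write `state=present`. The `BINDDN` pushed into ldapscripts.conf is `cn=admin,{{ nemis_ldap_base_dn }}`, the directory administrator; a comment stating that the matching password is provisioned out of band and that the file is expected to stay root-readable only would make the trust boundary explicit.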


@ -0,0 +1,11 @@
# The distinguished name of the search base.
BASE {{ nemis_ldap_base_dn }}
# Another way to specify your LDAP server is to provide an
URI {{ nemis_ldap_uri }}
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data
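Review bot: The rendered client configuration has no TLS directive, and the role default for `nemis_ldap_uri` is an `ldap://` URI, so the binds `libpam-ldap` performs at login — users' passwords — cross the network in clear unless something outside this role enables STARTTLS. For the pam_ldap `/etc/ldap.conf` target the fix is `ssl start_tls` plus `tls_cacertfile` and `tls_checkpeer yes`; for the OpenLDAP-client `/etc/ldap/ldap.conf` target it is `TLS_CACERT` with `TLS_REQCERT demand` and an `ldaps://` or STARTTLS URI. The tasks write this one template to both paths, and the two files do not share a syntax (`ldap_version` and `nss_initgroups_ignoreusers` are pam_ldap/nslcd directives, uppercase `BASE`/`URI` is libldap style), so one target is presumably ignoring part of the file; a comment at the top naming which consumer each line is for would at least make that explicit.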


@ -0,0 +1,41 @@
---
#
rsyslog_install_newer_package: True
rsyslog_ppa: "ppa:adiscon/v8-stable"
rsyslog_debian_repo: "deb http://debian.adiscon.com/v8-stable wheezy/"
rsyslog_repo_key: "AEF0CF8E"
rsyslog_pkg_status: "latest"
rsyslog_use_inotify: True
# Not used when inotify is enabled
rsyslog_file_polling_interval: 10
# We use logstash if the elastisearch module is not enabled
#rsys_logstash_collector_host: logstash.t.hadoop.research-infrastructures.eu
rsys_logstash_collector_host: logstash
rsys_logstash_collector_port: 5544
# IMPORTANT: the log_state_file names must be unique
#rsys_logfiles:
# - { logfile: '/var/log/tomcat7/catalina.log', log_tag: 'solr-state', log_state_file: 'solr-state'}
# - { logfile: '/var/log/tomcat7/localhost_access.log', log_tag: 'solr-access', log_state_file: 'solr-access'}
#
# IMPORTANT NOTE: the following setting only work if rsyslog_install_newer_package is set to True
#
rsyslog_use_queues: True
rsyslog_main_queue_size: 1000000
rsyslog_main_queue_debatchsize: 256
rsyslog_main_queue_workerthreads: 2
rsyslog_action_queue_debatchsize: 1024
rsyslog_action_queue_size: 100000
rsyslog_action_queue_workerthreads: 5
# -1 means retry indefinitely if ES is unreachable
rsyslog_action_resumeretrycount: -1
# The elasticsearch module bypasses logstash and talks directly to elasticsearch
rsyslog_use_elasticsearch_module: True
#rsys_elasticsearch_collector_host: logstash.t.hadoop.research-infrastructures.eu
rsys_elasticsearch_collector_host: logstash
rsys_elasticsearch_collector_port: 9200
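Review bot: The file mixes two prefixes for one role (`rsyslog_*` for most keys, `rsys_*` for the collector hosts and ports), which makes grepping for the role's variables unreliable; settle on `rsyslog_` in the new tree. `rsyslog_repo_key: "AEF0CF8E"` is a 32-bit short key id, which is not unique, and the tasks do not even reference it (they hard-code the same id); replacing the value with the key's full fingerprint and using `id={{ rsyslog_repo_key }}` from the task fixes both.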


@ -0,0 +1,6 @@
---
- name: Restart rsyslog
#service: name=rsyslog state=restarted
command: /usr/sbin/service rsyslog stop ; /usr/sbin/service rsyslog start
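Review bot: `command:` does not go through a shell, so the `;` and everything after it are handed to `/usr/sbin/service` as extra arguments; the handler stops rsyslog and never starts it again, leaving logging down after the first configuration change. Use `shell:` if the two-step form is really needed, or restore the commented `service: name=rsyslog state=restarted`. If the restart was split because `state=restarted` misbehaved on some release, a comment recording which one would justify keeping the workaround.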


@ -0,0 +1,70 @@
---
- name: Install the rsyslog ppa on ubuntu precise or later
apt_repository: repo='{{ rsyslog_ppa }}'
when:
- is_ubuntu
- rsyslog_install_newer_package
register: rsyslog_ubuntu_repo
tags:
- rsyslog
- logstash
- name: Install the rsyslog repo key on debian wheezy
apt_key: keyserver=keys.gnupg.net id=AEF0CF8E state=present
when:
- is_debian7
- rsyslog_install_newer_package
tags:
- rsyslog
- logstash
- name: Install the rsyslog repository on debian wheezy
copy: content="{{ rsyslog_debian_repo }}\n" dest=/etc/apt/sources.list.d/adiscon-rsyslog.list
register: rsyslog_debian_repo
when:
- is_debian7
- rsyslog_install_newer_package
tags:
- rsyslog
- logstash
- name: Update apt cache
apt: update_cache=yes
when: (rsyslog_ubuntu_repo|changed) or (rsyslog_debian_repo|changed)
tags:
- rsyslog
- logstash
- name: Add the syslog user to the adm group so it can read all the log files
user: name=syslog groups=adm
tags:
- rsyslog
- logstash
- name: Upgrade rsyslog and install the elasticsearch module
apt: pkg={{ item }} state={{ rsyslog_pkg_status }}
with_items:
- rsyslog
- rsyslog-elasticsearch
tags:
- rsyslog
- logstash
- name: Add a rsyslog configuration to send logfiles data to a logstash collector or directly to elasticsearch
template: src=rsyslog-logstash.conf.j2 dest=/etc/rsyslog.d/90-rsyslog-logstash.conf owner=root group=root mode=0444
when: rsyslog_install_newer_package
notify:
Restart rsyslog
tags:
- logstash
- rsyslog
- name: Add a rsyslog configuration to send logfiles data to a logstash collector when using the original and old rsyslog package
template: src=old-rsyslog-logstash.conf.j2 dest=/etc/rsyslog.d/90-rsyslog-logstash.conf owner=root group=root mode=0444
when: not rsyslog_install_newer_package
notify:
Restart rsyslog
tags:
- logstash
- rsyslog
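Review bot: The Debian key task hard-codes `id=AEF0CF8E` although the role's defaults already define `rsyslog_repo_key: "AEF0CF8E"`; it should read `apt_key: keyserver=keys.gnupg.net id={{ rsyslog_repo_key }} state=present` so the two cannot drift, and the same pattern appears in the newer template where `PollingInterval="10"` ignores `rsyslog_file_polling_interval`. The repository copy task also does `register: rsyslog_debian_repo`, which is the name of the default variable holding the `deb ...` line it just wrote; registered results take precedence over role defaults, so any later reference to `rsyslog_debian_repo` in the play would see the task result dict instead of the repo string. Renaming the register to something like `rsyslog_debian_repo_result` and updating the `when:` of the Update apt cache task accordingly avoids the shadowing.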


@ -0,0 +1,13 @@
$ModLoad imfile
{% for log in rsys_logfiles %}
$InputFileName {{ log.logfile }}
$InputFileTag {{ log.log_tag }}
$InputFileStateFile {{ log.log_state_file }}
$InputRunFileMonitor
{% endfor %}
# Send all to the logstash server
*.* @@{{ rsys_logstash_collector_host }}:{{ rsys_logstash_collector_port }}
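Review bot: `{% for log in rsys_logfiles %}` has no `is defined` guard, but the defaults file ships `rsys_logfiles` commented out, so rendering this template fails with an undefined-variable error on any host that takes the old-package path without overriding it; the newer template already wraps the same loop in `{% if rsys_logfiles is defined %} ... {% endif %}` and this one should match. As a caveat worth a comment, the `*.* @@host:port` action forwards every log line over plain TCP; if the collector is not on the same host, the TLS netstream driver is the usual way to keep log contents off the wire in clear.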


@ -0,0 +1,70 @@
{% if rsys_logfiles is defined %}
{% if rsyslog_use_inotify %}
module(load="imfile" mode="inotify" )
{% else %}
module(load="imfile" mode="polling" PollingInterval="10" )
{% endif %}
{% for log in rsys_logfiles %}
input(
Type="imfile"
File="{{ log.logfile }}"
Tag="{{ log.log_tag }}"
)
{% endfor %}
{% endif %}
{% if rsyslog_use_elasticsearch_module %}
module(load="omelasticsearch")
{% if rsyslog_use_queues %}
main_queue(
queue.size="{{ rsyslog_main_queue_size }}" # capacity of the main queue
queue.debatchsize="{{ rsyslog_main_queue_debatchsize }}" # process messages in batches of 1000 and move them to the action queues
queue.workerthreads="{{ rsyslog_main_queue_workerthreads }}" # threads for the main queue
)
{% endif %}
template(name="logstash-index"
type="list") {
constant(value="logstash-")
property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="4")
constant(value=".")
property(name="timereported" dateFormat="rfc3339" position.from="6" position.to="7")
constant(value=".")
property(name="timereported" dateFormat="rfc3339" position.from="9" position.to="10")
}
# this is for formatting our syslog in JSON with @timestamp
template(name="plain-syslog"
type="list") {
constant(value="{")
constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
constant(value="\"received_at\":\"") property(name="timereported" dateFormat="rfc3339")
constant(value="\",\"host\":\"") property(name="hostname")
constant(value="\",\"received_from\":\"") property(name="hostname")
constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
constant(value="\",\"tag\":\"") property(name="syslogtag" format="json")
constant(value="\",\"message\":\"") property(name="msg" format="json")
constant(value="\"}")
}
# this is where we actually send the logs to Elasticsearch ({{ rsys_elasticsearch_collector_host }}:{{ rsys_elasticsearch_collector_port }})
*.* action(type="omelasticsearch"
template="plain-syslog"
searchIndex="logstash-index"
dynSearchIndex="on"
{% if rsyslog_use_queues %}
bulkmode="on"
queue.dequeuebatchsize="{{ rsyslog_action_queue_debatchsize }}" # ES bulk size
queue.size="{{ rsyslog_action_queue_size }}" # capacity of the action queue
queue.workerthreads="{{ rsyslog_action_queue_workerthreads }}" # workers for the action
action.resumeretrycount="{{ rsyslog_action_resumeretrycount }}"
{% endif %}
server="{{ rsys_elasticsearch_collector_host }}"
serverport="{{ rsys_elasticsearch_collector_port }}"
)
{% else %}
# Send all to the logstash server
*.* @@{{ rsys_logstash_collector_host }}:{{ rsys_logstash_collector_port }}
{% endif %}
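Review bot: The `plain-syslog` template emits malformed JSON: the `received_at` constant starts with `\"received_at\":\"` while every other field starts with `\",\"...`, so the `@timestamp` value is never closed and no comma separates the two fields, and Elasticsearch will reject every bulk item. The fix is `constant(value="\",\"received_at\":\"") property(name="timereported" dateFormat="rfc3339")`. The inline comment `process messages in batches of 1000` on the main queue is also stale now that the batch size comes from `rsyslog_main_queue_debatchsize`; something like `# process messages in batches of rsyslog_main_queue_debatchsize` keeps it honest.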

22
mongodb/defaults/main.yml Normal file

@ -0,0 +1,22 @@
---
mongodb:
start_server: 'yes'
tcp_port: 27017
allowed_hosts:
- '{{ ansible_fqdn }}/32'
- 127.0.0.1/8
mongodb_install_from_external_repo: True
mongodb_start_server: 'yes'
mongodb_tcp_port: 27017
mongodb_http_interface: False
mongodb_http_port: 28017
mongodb_user: mongodb
mongodb_group: mongodb
mongodb_logdir: /var/log/mongodb
mongodb_logpath: '{{ mongodb_logdir }}/mongodb.log'
mongodb_dbpath: /var/lib/mongodb
mongodb_directoryperdb: False
mongodb_allowed_hosts:
- '{{ ansible_fqdn }}/32'
- 127.0.0.1/8


@ -0,0 +1,7 @@
---
- name: Update apt cache
apt: update_cache=yes
ignore_errors: true
- name: Restart mongodb
service: name=mongodb state=restarted

61
mongodb/tasks/main.yml Normal file

@ -0,0 +1,61 @@
---
- name: Install the mongodb apt key
#apt_key: id=7F0CEB10 state=present
raw: apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 7F0CEB10
when: mongodb_install_from_external_repo
tags: mongodb
- name: Install the mongodb repository
copy: content="deb http://downloads-distro.mongodb.org/repo/ubuntu-upstart dist 10gen" dest=/etc/apt/sources.list.d/mongodb.list owner=root group=root mode=044
when: mongodb_install_from_external_repo
register: external_repo
tags: mongodb
- name: Update the apt cache
apt: update_cache=yes
when: ( external_repo | changed )
ignore_errors: True
tags: mongodb
- name: Install the mongodb server
apt: pkg={{ item }} state=installed
with_items:
- mongodb-10gen
when: mongodb_install_from_external_repo
tags: mongodb
- name: Install the mongodb server
apt: pkg={{ item }} state=installed
with_items:
- mongodb-server
when: not mongodb_install_from_external_repo
tags: mongodb
- name: Install the mongodb defaults file
copy: content="ENABLE_MONGODB={{ mongodb_start_server }}" dest=/etc/default/mongodb owner=root group=root mode=0444
tags: mongodb
- name: Create the mongodb db directory
file: dest={{ mongodb_dbpath }} state=directory owner={{ mongodb_user }} group={{ mongodb_group }} mode=0755
tags: mongodb
- name: Create the mongodb log directory
file: dest={{ mongodb_logdir }} state=directory owner={{ mongodb_user }} group={{ mongodb_group }} mode=0755
tags: mongodb
- name: Install the mongodb 2.4 configuration
template: src=mongodb-2.4.conf.j2 dest=/etc/mongodb.conf owner=root group=root mode=0444
when: ( mongodb_start_server is defined ) and ( mongodb_start_server == 'yes' )
notify: Restart mongodb
tags: mongodb
- name: Ensure mongodb is started
service: name=mongodb state=started enabled=yes
when: ( mongodb_start_server is defined ) and ( mongodb_start_server == 'yes' )
tags: mongodb
- name: Ensure mongodb is stopped and disabled
service: name=mongodb state=stopped enabled=no
when: ( mongodb_start_server is defined ) and ( mongodb_start_server == 'no' )
tags: mongodb
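Review bot: The repository copy task uses `mode=044`, which is one digit short of the `0444` used everywhere else in this role and yields a file with no owner permission bits; it should be `mode=0444`. The key import via `raw: apt-key adv --keyserver ... --recv 7F0CEB10` is also never idempotent: it contacts the keyserver and reports changed on every run, whereas the commented-out module form with the keyserver added, `apt_key: id=7F0CEB10 keyserver=hkp://keyserver.ubuntu.com:80 state=present`, is a no-op once the key is present and is the same pattern the R role in this commit uses.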


@ -0,0 +1,84 @@
# Note: if you run mongodb as a non-root user (recommended) you may
# need to create and set permissions for this directory manually,
# e.g., if the parent directory isn't mutable by the mongodb user.
dbpath={{ mongodb_dbpath }}
directoryperdb={{ mongodb_directoryperdb }}
#where to log
logpath={{ mongodb_logpath }}
logappend=true
port = {{ mongodb_tcp_port }}
# Disables write-ahead journaling
# nojournal = true
# Enables periodic logging of CPU utilization and I/O wait
#cpu = true
# Turn on/off security. Off is currently the default
#noauth = true
#auth = true
# Verbose logging output.
#verbose = true
# Inspect all client data for validity on receipt (useful for
# developing drivers)
#objcheck = true
# Enable db quota management
#quota = true
# Set oplogging level where n is
# 0=off (default)
# 1=W
# 2=R
# 3=both
# 7=W+some reads
#diaglog = 0
# Ignore query hints
#nohints = true
{% if not mongodb_http_interface %}
# Disable the HTTP interface (Defaults to localhost:28017).
nohttpinterface = true
{% endif %}
# Turns off server-side scripting. This will result in greatly limited
# functionality
#noscripting = true
# Turns off table scans. Any query that would do a table scan fails.
#notablescan = true
# Disable data file preallocation.
#noprealloc = true
# Specify .ns file size for new databases.
# nssize = <size>
# Accout token for Mongo monitoring server.
#mms-token = <token>
# Server name for Mongo monitoring server.
#mms-name = <server-name>
# Ping interval for Mongo monitoring server.
#mms-interval = <seconds>
# Replication Options
# in master/slave replicated mongo databases, specify here whether
# this is a slave or master
#slave = true
#source = master.example.com
# Slave only: specify a single database to replicate
#only = master.example.com
# or
#master = true
#source = slave.example.com
# in replica set configuration, specify the name of the replica set
# replSet = setname
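Review bot: This configuration sets no `bind_ip` and leaves `auth` commented out, so the resulting mongod 2.4 listens on every interface with no authentication, while the `mongodb_allowed_hosts` list in the role's defaults is never consumed by this template or the tasks. At minimum a `bind_ip = {{ mongodb_bind_ip | default('127.0.0.1') }}` line (new variable, name is a suggestion) would keep the default install local-only, with a comment that `mongodb_allowed_hosts` is expected to be enforced by a firewall role if that is the intent. Separately, `directoryperdb={{ mongodb_directoryperdb }}` renders the Ansible boolean as `False`; I am not certain mongod's option parser accepts the capitalised spelling, so `{{ mongodb_directoryperdb | lower }}` is the safer rendering.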


@ -0,0 +1,8 @@
---
check_tomcat_deps:
- libwww-perl
- liblwp-mediatypes-perl
- liblwp-useragent-determined-perl
- liblwp-protocol-https-perl
- libxml-xpath-perl


@ -0,0 +1,387 @@
#!/usr/bin/perl
#############################################################################
# #
# This script was initially developed by Lonely Planet for internal use #
# and has kindly been made available to the Open Source community for #
# redistribution and further development under the terms of the #
# GNU General Public License v3: http://www.gnu.org/licenses/gpl.html #
# #
#############################################################################
# #
# This script is supplied 'as-is', in the hope that it will be useful, but #
# neither Lonely Planet nor the authors make any warranties or guarantees #
# as to its correct operation, including its intended function. #
# #
# Or in other words: #
# Test it yourself, and make sure it works for YOU. #
# #
#############################################################################
# Author: George Hansper e-mail: george@hansper.id.au #
#############################################################################
use strict;
use LWP;
use LWP::UserAgent;
use Getopt::Std;
use XML::XPath;
my %optarg;
my $getopt_result;
my $lwp_user_agent;
my $http_request;
my $http_response;
my $url;
my $body;
my @message;
my @message_perf;
my $exit = 0;
my @exit = qw/OK: WARNING: CRITICAL:/;
my $rcs_id = '$Id: check_tomcat.pl,v 1.4 2013/03/15 10:45:41 george Exp $';
my $rcslog = '
$Log: check_tomcat.pl,v $
Revision 1.4 2013/03/15 10:45:41 george
Fixed bug in % threads thresholds, which appear if multiple connectors are in use (thanks to Andreas Lamprecht for reporting this).
Changed MB to MiB in output text.
Revision 1.3 2011/12/11 04:56:27 george
Added currentThreadCount to performance data.
Revision 1.2 2011/11/18 11:30:57 george
Added capability to extract the connector names, and check any or all tomcat connectors for sufficient free threads.
Stripped quotes from connector names to work around tomcat7 quirkiness.
Revision 1.1 2011/04/16 12:05:26 george
Initial revision
';
# Defaults...
my $timeout = 10; # Default timeout
my $host = 'localhost'; # default host header
my $host_ip = 'localhost'; # default IP
my $port = 80; # default port
my $user = 'nagios'; # default user
my $password = 'nagios'; # default password
my $uri = '/manager/status?XML=true'; #default URI
my $http = 'http';
my $connector_arg = undef;
my $opt_warn_threads = "25%";
my $opt_crit_threads = "10%";
my $warn_threads;
my $crit_threads;
# Memory thresholds are tight, because garbage collection kicks in only when memory is low anyway
my $opt_warn_memory = "5%";
my $opt_crit_memory = "2%";
my $warn_memory;
my $crit_memory;
my $xpath;
my %xpath_checks = (
maxThreads => '/status/connector/threadInfo/@maxThreads',
currentThreadCount => '/status/connector/threadInfo/@currentThreadCount',
currentThreadsBusy => '/status/connector/threadInfo/@currentThreadsBusy',
memMax => '/status/jvm/memory/@max',
memFree => '/status/jvm/memory/@free',
memTotal => '/status/jvm/memory/@total',
);
# XPath examples...
# /status/jvm/memory/@free
# /status/connector[attribute::name="http-8080"]/threadInfo/@maxThreads
# /status/connector/threadInfo/@* <- returns multiple nodes
my %xpath_check_results;
sub VERSION_MESSAGE() {
print "$^X\n$rcs_id\n";
}
sub HELP_MESSAGE() {
print <<EOF;
Usage:
$0 [-v] [-H hostname] [-I ip_address] [-p port] [-S] [-t time_out] [-l user] [-a password] [-w /xpath[=value]...] [-c /xpath[=value]...]
-H ... Hostname and Host: header (default: $host)
-I ... IP address (default: none)
-p ... Port number (default: ${port})
-S ... Use SSL connection
-v ... verbose messages
-t ... Seconds before connection times out. (default: $timeout)
-l ... username for authentication (default: $user)
-a ... password for authentication (default: embedded in script)
-u ... uri path, (default: $uri)
-n ... connector name, regular expression
eg 'ajp-bio-8009' or 'http-8080' or '^http-'.
default is to check: .*-port_number\$
Note: leading/trailing quotes and spaces are trimmed from the connector name for matching.
-w ... warning thresholds for threads,memory (memory in MiB)
eg 20,50 or 10%,25% default is $opt_warn_threads,$opt_warn_memory
-c ... critical thresholds for threads,memory (memory in MiB)
eg 10,20 or 5%,10%, default is $opt_crit_threads,$opt_crit_memory
Example:
$0 -H app01.signon.devint.lpo -p 8080 -t 5 -l nagios -a apples -u '/manager/status?XML=true'
$0 -H app01.signon.devint.lpo -p 8080 -w 10%,50 -c 5%,10
$0 -H app01.signon.devint.lpo -p 8080 -w 10%,50 -c 5%,10 -l admin -a admin -n .
Notes:
The -I parameters connects to a alternate hostname/IP, using the Host header from the -H parameter
To check ALL connectors mentioned in the status XML file, use '-n .'
'.' is a regular expression matching all connector names.
MiB = mebibyte = 1024 * 1024 bytes
EOF
}
$getopt_result = getopts('hvSH:I:p:w:c:t:l:a:u:n:', \%optarg) ;
# Any invalid options?
if ( $getopt_result == 0 ) {
HELP_MESSAGE();
exit 1;
}
if ( $optarg{h} ) {
HELP_MESSAGE();
exit 0;
}
sub printv($) {
if ( $optarg{v} ) {
chomp( $_[-1] );
print STDERR @_;
print STDERR "\n";
}
}
if ( defined($optarg{t}) ) {
$timeout = $optarg{t};
}
# Is port number numeric?
if ( defined($optarg{p}) ) {
$port = $optarg{p};
if ( $port !~ /^[0-9][0-9]*$/ ) {
print STDERR <<EOF;
Port must be a decimal number, eg "-p 8080"
EOF
exit 1;
}
}
if ( defined($optarg{H}) ) {
$host = $optarg{H};
$host_ip = $host;
}
if ( defined($optarg{I}) ) {
$host_ip = $optarg{I};
if ( ! defined($optarg{H}) ) {
$host = $host_ip;
}
}
if ( defined($optarg{l}) ) {
$user = $optarg{l};
}
if ( defined($optarg{a}) ) {
$password = $optarg{a};
}
if ( defined($optarg{u}) ) {
$uri = $optarg{u};
}
if ( defined($optarg{S}) ) {
$http = 'https';
}
if ( defined($optarg{c}) ) {
my @threshold = split(/,/,$optarg{c});
if ( $threshold[0] ne "" ) {
$opt_crit_threads = $threshold[0];
}
if ( $threshold[1] ne "" ) {
$opt_crit_memory = $threshold[1];
}
}
if ( defined($optarg{n}) ) {
$connector_arg = $optarg{n};
} else {
$connector_arg = "-$port\$";
}
if ( defined($optarg{w}) ) {
my @threshold = split(/,/,$optarg{w});
if ( $threshold[0] ne "" ) {
$opt_warn_threads = $threshold[0];
}
if ( $threshold[1] ne "" ) {
$opt_warn_memory = $threshold[1];
}
}
*LWP::UserAgent::get_basic_credentials = sub {
return ( $user, $password );
};
# print $xpath_checks[0], "\n";
printv "Connecting to $host:${port}\n";
$lwp_user_agent = LWP::UserAgent->new;
$lwp_user_agent->timeout($timeout);
if ( $port == 80 || $port == 443 || $port eq "" ) {
$lwp_user_agent->default_header('Host' => $host);
} else {
$lwp_user_agent->default_header('Host' => "$host:$port");
}
$url = "$http://${host_ip}:${port}$uri";
$http_request = HTTP::Request->new(GET => $url);
printv "--------------- GET $url";
printv $lwp_user_agent->default_headers->as_string . $http_request->headers_as_string;
$http_response = $lwp_user_agent->request($http_request);
printv "---------------\n" . $http_response->protocol . " " . $http_response->status_line;
printv $http_response->headers_as_string;
printv "Content has " . length($http_response->content) . " bytes \n";
if ($http_response->is_success) {
$body = $http_response->content;
my $xpath = XML::XPath->new( xml => $body );
my $xpath_check;
# Parse the data out of the XML...
foreach $xpath_check ( keys %xpath_checks ) {
#print keys(%{$xpath_check}) , "\n";
my $path = $xpath_checks{$xpath_check};
$path =~ s{\$port}{$port};
#print $xpath_check->{xpath} , "\n";
my $nodeset = $xpath->find($path);
if ( $nodeset->get_nodelist == 0 ) {
push @message, "$path not found";
$exit |= 2;
push @message_perf, "$path=not_found";
next;
}
foreach my $node ($nodeset->get_nodelist) {
my $connector_name = $node->getParentNode()->getParentNode()->getAttribute("name");
$connector_name =~ s/^["'\s]+//;
$connector_name =~ s/["'\s]+$//;
my $value = $node->string_value();
if ( $value =~ /^"?([0-9.]+)"?$/ ) {
$value = $1;
} else {
push @message, "$path is not numeric";
$exit |= 2;
push @message_perf, "$path=not_numeric";
next;
}
if ( $xpath_check =~ /^mem/ ) {
# This is the .../memory/.. xpath, just store the value in the hash
$xpath_check_results{$xpath_check} = $value;
} elsif ( $connector_name =~ /${connector_arg}/ && $connector_name ne "" ) {
# This is a .../threadInfo/... xpath, put the result into a hash (key is connector_name)
$xpath_check_results{$xpath_check}{$connector_name} = $value;
}
}
}
# Now apply the logic and check the results
#----------------------------------------------
# Check memory
#----------------------------------------------
my $jvm_mem_available = $xpath_check_results{memFree} + $xpath_check_results{memMax} - $xpath_check_results{memTotal};
printv(sprintf("free=%d max=%d total=%d",$xpath_check_results{memFree}/1024, $xpath_check_results{memMax}/1024, $xpath_check_results{memTotal}/1024));
if ( $opt_warn_memory =~ /(.*)%$/ ) {
$warn_memory = int($1 * $xpath_check_results{memMax} / 100);
} else {
# Convert to bytes
$warn_memory =int($opt_warn_memory * 1024 * 1024);
}
printv("warning at $warn_memory bytes (". ( $warn_memory / 1024 /1024 )."MiB) free, max=$xpath_check_results{memMax}");
if ( $opt_crit_memory =~ /(.*)%$/ ) {
$crit_memory = int($1 * $xpath_check_results{memMax} / 100);
} else {
# Convert to bytes
$crit_memory = int($opt_crit_memory * 1024 * 1024);
}
printv("critical at $crit_memory bytes (". ( $crit_memory / 1024 /1024 )."MiB) free, max=$xpath_check_results{memMax}");
if ( $jvm_mem_available <= $crit_memory ) {
$exit |= 2;
push @message, sprintf("Memory critical <%d MiB,",$crit_memory/1024/1024);
} elsif ( $jvm_mem_available <= $warn_memory ) {
$exit |= 1;
push @message, sprintf("Memory low <%d MiB,",$warn_memory/1024/1024);
}
push @message, sprintf("memory in use %d MiB (%d MiB);",
( $xpath_check_results{memMax} - $jvm_mem_available ) / ( 1024 * 1024),
$xpath_check_results{memMax} / ( 1024 * 1024)
);
push @message_perf, "used=".( $xpath_check_results{memMax} - $jvm_mem_available ) . " free=$jvm_mem_available max=$xpath_check_results{memMax}";
#----------------------------------------------
# Check threads
#----------------------------------------------
my $name;
foreach $name ( keys( %{$xpath_check_results{currentThreadsBusy}} ) ) {
if ( $opt_warn_threads =~ /(.*)%$/ ) {
$warn_threads = int($1 * $xpath_check_results{maxThreads}{$name} / 100);
} else {
$warn_threads = $opt_warn_threads;
}
printv("warning at $warn_threads threads free, max=$xpath_check_results{maxThreads}{$name}");
if ( $opt_crit_threads =~ /(.*)%$/ ) {
$crit_threads = int($1 * $xpath_check_results{maxThreads}{$name} / 100);
} else {
$crit_threads = $opt_crit_threads;
}
printv("critical at $crit_threads threads free, max=$xpath_check_results{maxThreads}{$name}");
my $threads_available = $xpath_check_results{maxThreads}{$name} - $xpath_check_results{currentThreadsBusy}{$name};
if ( $threads_available <= $crit_threads ) {
$exit |= 2;
push @message, sprintf("Critical: free_threads<%d",$crit_threads);
} elsif ( $threads_available <= $warn_threads ) {
$exit |= 1;
push @message, sprintf("Warning: free_threads<%d",$warn_threads);
}
push @message, sprintf("threads[$name]=%d(%d);",
$xpath_check_results{currentThreadsBusy}{$name},
$xpath_check_results{maxThreads}{$name}
);
if ( defined($optarg{n}) ) {
push @message_perf, "currentThreadsBusy[$name]=$xpath_check_results{currentThreadsBusy}{$name} currentThreadCount[$name]=$xpath_check_results{currentThreadCount}{$name} maxThreads[$name]=$xpath_check_results{maxThreads}{$name}";
} else {
# For the sake of backwards-compatability of graphs etc...
push @message_perf, "currentThreadsBusy=$xpath_check_results{currentThreadsBusy}{$name} currentThreadCount=$xpath_check_results{currentThreadCount}{$name} maxThreads=$xpath_check_results{maxThreads}{$name}";
}
}
if ( keys(%{$xpath_check_results{currentThreadsBusy}}) == 0 ) {
# no matching connectors found - this is not OK.
$exit |= 1;
push @message, "Warning: No tomcat connectors matched name =~ /$connector_arg/";
}
} elsif ( $http_response->code == 401 ) {
print "WARNING: $url " . $http_response->protocol . " " . $http_response->status_line ."\n";
exit 1;
} else {
print "CRITICAL: $url " . $http_response->protocol . " " . $http_response->status_line ."\n";
exit 2;
}
if ( $exit == 3 ) {
$exit = 2;
}
print "$exit[$exit] ". join(" ",@message) . "|". join(" ",@message_perf) . "\n";
exit $exit;


@ -0,0 +1,31 @@
---
- name: Install the plugin dependencies
apt: pkg={{ item }} state=installed
with_items: check_tomcat_deps
tags:
- nagios
- nrpe
- check_tomcat
- name: Install the check_tomcat plugin
copy: src=check_tomcat dest={{ nagios_isti_plugdir }}/check_tomcat owner=root group=root mode=0755
tags:
- nagios
- nrpe
- check_tomcat
- name: Install the check_tomcat nrpe commands file
template: src=check_tomcat-nrpe.cfg.j2 dest=/etc/nagios/nrpe.d/check_tomcat.cfg owner=root group=root mode=444
notify:
- Reload NRPE server
tags:
- nrpe
- nagios
- check_tomcat
- name: nagios needs root to execute some commands. We do it via sudo
template: src=nagios.sudoers.j2 dest=/etc/sudoers.d/nagios owner=root group=root mode=0440
tags:
- nagios
- nrpe
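Review bot: The sudoers fragment is written to `/etc/sudoers.d/nagios` without validation, so a syntax error in `nagios.sudoers.j2` breaks sudo for every user on the host until it is repaired from a root console; the template module's `validate` parameter exists for exactly this case: `template: src=nagios.sudoers.j2 dest=/etc/sudoers.d/nagios owner=root group=root mode=0440 validate='visudo -cf %s'`. The nrpe commands file task also uses `mode=444` where the rest of the role writes `0444`; the leading zero keeps the octal intent unambiguous.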


@ -0,0 +1 @@
../../nagios/defaults/main.yml

55
nagios/defaults/main.yml Normal file

@ -0,0 +1,55 @@
---
monitoring_group_name: 'change_this_on_your_playbook'
#nagios_server_local_plugdir: 'change_this_on_your_playbook'
nagios_plugdir: /usr/lib/nagios/plugins
nagios_plugins_dir: '{{ nagios_plugdir }}'
nagios_centos_plugins_dir: /usr/lib64/nagios/plugins
nagios_isti_plugdir: '{{ nagios_plugdir }}/isti-cnr'
nagios_common_lib: check_library.sh
# Needed inside nrpe.cfg
# It is already defined in isti-global.yml
#nagios_monitoring_server_ip: 146.48.123.23
nagios_check_disk_w:
nagios_check_disk_c:
nagios_hw: False
nagios_check_disk_w: 10
nagios_check_disk_c: 5
nagios_allowed_users: root
nagios_monitoring_obj_dir: /etc/nagios3/objects
nagios_monitoring_dir: '{{ nagios_monitoring_obj_dir }}/{{ monitoring_group_name }}'
nagios_server_files:
- contacts.cfg
- contactgroups.cfg
- generic-service.cfg
- generic-host.cfg
- hostgroups.cfg
- hosts.cfg
- services.cfg
- commands.cfg
nagios_psql_query_time_w: 40
nagios_psql_query_time_c: 60
nagios_psql_db_size_w: 150000000
nagios_psql_db_size_c: 170000000
nrpe_command_timeout: 420
nrpe_include_dir: /etc/nagios/nrpe.d/
# Old stuff. To be deleted
nagios:
plugins_dir: '{{ nagios_plugdir }}'
centos_plugins_dir: '{{ nagios_centos_plugins_dir }}'
isti_plugdir: '{{ nagios_isti_plugdir }}'
common_lib: '{{ nagios_common_lib }}'
# Needed inside nrpe.cfg
monitoring_server_ip: '{{ nagios_monitoring_server_ip }}'
check_disk_w: '{{ nagios_check_disk_w }}'
check_disk_c: '{{ nagios_check_disk_c }}'
nrpe:
command_timeout: '{{ nrpe_command_timeout }}'
include_dir: '{{ nrpe_include_dir }}'
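Review bot: `nagios_check_disk_w` and `nagios_check_disk_c` are each defined twice, first as bare nulls and then as `10` and `5`; duplicate mapping keys are invalid YAML, yamllint fails on them, and PyYAML only happens to keep the later values. Delete the two empty `nagios_check_disk_w:` / `nagios_check_disk_c:` lines so the numeric defaults are the only definitions.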


@ -0,0 +1,752 @@
#!/usr/bin/env python
'''
Nagios plug-in to pull the Dell service tag and check it
against Dell's web site to see how many days remain. By default it
issues a warning when there is less than thirty days remaining and critical
when there is less than ten days remaining. These values can be adjusted
using the command line, see --help.
Version: 4.1
Created: 2009-02-12
Author: Erinn Looney-Triggs
Revised: 2013-05-13
Revised by: Erinn Looney-Triggs, Justin Ellison, Harald Jensas
https://gitorious.org/smarmy/check_dell_warranty/source/b6438fbef45ba22be3bf0aa2e0aa2e444a384813:
'''
#=============================================================================
# TODO: omreport md enclosures, cap the threads, tests, more I suppose
#
# Revision history:
# 2013-05-13 4.1: Catch SSL exceptions from requests module.
#
# 2013-04-09 4.0: Moved to using api.dell.com and changed out urllib2 in
# preference to the requests library.
#
# 2012-10-08 3.0.2: Add support for hyphen dates
#
# 2012-10-07 3.0.1: Dell dropped the counter for days left from their site,
# this is now calculated internally. Add patch for European style dates
# with periods between that numbers.
#
# 2012-09-05 3.0: Use Net-SNMP bindings for python allowing SNMPv3 support. Add
# debugging output using -V, Small cleanups.
#
# 2012-08-23 2.2.3: Merge in patch from Colin Panisset to dedup serials before
# mutex is created
#
# 2012-07-30 2.2.2: Make regex slightly more robust on scrape.
#
# 2012-07-03 2.2.1: Fix version number mismatch, fix urllib exception catch,
# thanks go to Sven Odermatt for finding that.
#
# 2012-01-08 2.2.0: Fix to work with new website, had to add cookie handeling
# to prod the site correctly to allow scrapping of the information.
#
# 2010-07-19 2.1.2: Patch to again fix Dell's web page changes, thanks
# to Jim Browne http://blog.jbrowne.com/ as well as a patch to work against
# OM 5.3
#
# 2010-04-13 2.1.1: Change to deal with Dell's change to their web site
# dropping the warranty extension field.
#
# 2009-12-17 2.1: Change format back to % to be compatible with python 2.4
# and older.
#
# 2009-11-16 2.0: Fix formatting issues, change some variable names, fix
# a file open exception issue, Dell changed the interface so updated to
# work with that, new option --short for short output.
#
# 2009-08-07 1.9: Add smbios as a way to get the serial number.
# Move away from old string formatting to new string formatting.
#
# 2009-08-04 1.8: Improved the parsing of Dell's website, output is now much
# more complete (read larger) and includes all warranties. Thresholds are
# measured against the warranty with the greatest number of days remaining.
# This fixes the bug with doubled or even tripled warranty days being
# reported.
#
# 2009-07-24 1.7: SNMP support, DRAC - Remote Access Controller, CMC -
# Chassis Management Controller and MD/PV Disk Enclosure support.
#
# 2009-07-09 1.6: Threads!
#
# 2009-06-25 1.5: Changed optparse to handle multiple serial numbers. Changed
# the rest of the program to be able to handle multiple serial numbers. Added
# a de-duper for serial numbers just in case you get two of the same from
# the command line or as is the case with Dell blades, two of the same
# from omreport. So this ought to handle blades, though I don't have
# any to test against.
#
# 2009-06-05 1.4 Changed optparse to display %default in help output. Pretty
# up the help output with <ARG> instead of variable names. Add description
# top optparse. Will now use prefer omreport to dmidecode for systems
# that have omreport installed and in $PATH. Note, that you do not have to be
# root to run omreport and get the service tag.
#
# 2009-05-29 1.3 Display output for all warranties for a system. Add up the
# number of days left to give an accurate count of the time remaining. Fix
# basic check for Dell's database being down. Fixed regex to be non-greedy.
# Start and end dates for warranty now takes all warranties into account.
# Date output is now yyyy-mm-dd because that is more international.
#
# 2009-05-28 1.2 Added service tag to output for nagios. Fixed some typos.
# Added command-line option for specifying a serial number. This gets
# rid of the sudo dependency as well as the newer python dependency
# allowing it to run on older RHEL distros. justin@techadvise.com
#
# 2009-05-27 1.1 Fixed string conversions to do int comparisons properly.
# Remove import csv as I am not using that yet. Add a license to the file.
#
# License:
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#=============================================================================
import datetime
import logging
import os
import subprocess
import sys
__author__ = 'Erinn Looney-Triggs'
__credits__ = ['Erinn Looney-Triggs', 'Justin Ellison', 'Harald Jensas' ]
__license__ = 'GPL 3.0'
__maintainer__ = 'Erinn Looney-Triggs'
__email__ = 'erinn.looneytriggs@gmail.com'
__version__ = '4.1'
__date__ = '2009-02-12'
__revised__ = '2013-05-13'
__status__ = 'Production'
#Nagios exit codes in English
UNKNOWN = 3
CRITICAL = 2
WARNING = 1
OK = 0
try:
import requests
except ImportError:
print ('Python Requests module (http://docs.python-requests.org/) '
'is required for this to work.')
sys.exit(CRITICAL)
def extract_mtk_community():
'''
Get SNMP community string from /etc/mtk.conf
'''
mtk_conf_file = '/etc/mtk.conf'
logger.debug('Obtaining serial number via {0}.'.format(mtk_conf_file))
if os.path.isfile(mtk_conf_file):
try:
for line in open(mtk_conf_file, 'r'):
token = line.split('=')
if token[0] == 'community_string':
community_string = token[1].strip()
except IOError:
print 'Unable to open {0}, exiting!'.format(mtk_conf_file)
sys.exit(UNKNOWN)
else:
print ('The {0} file does not exist, '
'exiting!').format(mtk_conf_file)
sys.exit(UNKNOWN)
return community_string
def extract_service_tag():
'''Extracts the serial number from the localhost using (in order of
precedence) omreport, libsmbios, or dmidecode. This function takes
no arguments but expects omreport, libsmbios or dmidecode to exist
and also expects dmidecode to accept -s system-serial-number
(RHEL5 or later).
'''
dmidecode = which('dmidecode')
libsmbios = False
omreport = which('omreport')
service_tags = []
#Test for the libsmbios module
try:
logger.debug('Attempting to load libsmbios_c.')
import libsmbios_c
except ImportError:
logger.debug('Unable to load libsmbios_c continuing.')
pass
else:
libsmbios = True
if omreport:
logger.debug('Obtaining serial number via OpenManage.')
import re
try:
process = subprocess.Popen([omreport, "chassis", "info",
"-fmt", "xml"],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
except OSError:
print 'Error: {0} exiting!'.format(sys.exc_info)
sys.exit(WARNING)
text = process.stdout.read()
pattern = '''<ServiceTag>(\S+)</ServiceTag>'''
regex = re.compile(pattern, re.X)
service_tags = regex.findall(text)
elif libsmbios:
logger.debug('Obtaining serial number via libsmbios_c.')
#You have to be root to extract the serial number via this method
if os.geteuid() != 0:
print ('{0} must be run as root in order to access '
'libsmbios, exiting!').format(sys.argv[0])
sys.exit(WARNING)
service_tags.append(libsmbios_c.system_info.get_service_tag())
elif dmidecode:
logger.debug('Obtaining serial number via dmidecode.')
#Gather the information from dmidecode
sudo = which('sudo')
if not sudo:
print 'Sudo is not available, exiting!'
sys.exit(WARNING)
try:
process = subprocess.Popen([sudo, dmidecode, "-s",
"system-serial-number"],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
except OSError:
print 'Error: {0} exiting!'.format(sys.exc_info)
sys.exit(WARNING)
service_tags.append(process.stdout.read().strip())
else:
print ('Omreport, libsmbios and dmidecode are not available in '
'$PATH, exiting!')
sys.exit(WARNING)
return service_tags
def extract_service_tag_snmp( options ):
'''
Extracts the serial number from the a remote host using SNMP.
This function takes the following arguments: hostname, community,
and mtk. The mtk argument will make the plug-in read the SNMP
community string from /etc/mtk.conf. (/etc/mtk.conf is used by
the mtk-nagios plugin.
(mtk-nagios plug-in: http://www.hpccommunity.org/sysmgmt/)
'''
try:
import netsnmp
except ImportError:
print "Unable to load netsnmp python module, aborting!"
sys.exit(UNKNOWN)
service_tags = []
hostname = options.hostname
port = options.port
version = options.version
logger.debug('Obtaining serial number via SNMP '
'version: {0}.'.format(version))
if version == 3:
sec_level = options.secLevel
sec_name = options.secName
priv_protocol = options.privProtocol
priv_password = options.privPassword
auth_protocol = options.authProtocol
auth_password = options.authPassword
session = netsnmp.Session(DestHost=hostname, Version=version,
SecLevel=sec_level, SecName=sec_name,
AuthProto=auth_protocol,
AuthPass=auth_password,
PrivProto=priv_protocol,
PrivPass=priv_password,
RemotePort = port,
)
elif version == 2 or version == 1:
community = options.community
session = netsnmp.Session(DestHost=hostname, Version=version,
Community=community, RemotePort=port)
else:
print 'Unknown SNMP version {0}, exiting!'.format(version)
def _autodetect_dell_device(session):
logger.debug('Beginning auto detection of system type.')
var = netsnmp.VarList(netsnmp.Varbind('SNMPv2-SMI::enterprises',
'.674.'))
session.getnext(var)
tag = var.varbinds.pop().tag
if tag.find('enterprises.674.10892.1.') != -1:
sys_type = 'omsa' #OMSA answered.
elif tag.find('enterprises.674.10892.2.') != -1:
sys_type = 'RAC' #Blade CMC or Server DRAC answered.
elif tag.find('enterprises.674.10895.') != -1:
sys_type = 'powerconnect' #PowerConnect switch answered.
else:
print ('snmpgetnext Failed:{0} System type or system '
'unknown!').format(tag)
sys.exit(WARNING)
logger.debug('System type is: {0}'.format(sys_type))
return sys_type
system_type = _autodetect_dell_device(session)
#System is server with OMSA, will check for External DAS enclosure
#and get service tag.
if system_type == 'omsa':
#Is External DAS Storage Enclosure connected?
var = netsnmp.VarList(netsnmp.Varbind('SNMPv2-SMI::enterprises',
'.674.10893.1.20.130.3.1.1'))
enclosure_ids = session.walk(var)
logger.debug('Enclosure IDs: {0}'.format(enclosure_ids))
for enclosure_id in enclosure_ids:
#For backwards compatibility with OM 5.3
if not enclosure_id:
continue
var = netsnmp.VarList(netsnmp.Varbind('SNMPv2-SMI::enterprises',
'.674.10893.1.20.130.3.1.16.{0}'.format(enclosure_id)))
enclosure_type = session.get(var)[0]
logger.debug('Enclosure type: {0}'.format(enclosure_type))
if enclosure_type != '1': #Enclosure type 1 is integrated backplane.
#Get storage enclosure Service Tag.
var = netsnmp.VarList(netsnmp.Varbind('SNMPv2-SMI::enterprises',
'.674.10893.1.20.130.3.1.8.{0}'.format(enclosure_id)))
enclosure_serial_number = session.get(var)[0]
logger.debug('Enclosure Serial Number obtained: {0}'
.format(enclosure_serial_number))
service_tags.append(enclosure_serial_number)
#Get system Service Tag.
var = netsnmp.VarList(netsnmp.Varbind('SNMPv2-SMI::enterprises',
'.674.10892.1.300.10.1.11.1'))
serial_number = session.get(var)[0]
elif system_type == 'RAC':
var = netsnmp.VarList(netsnmp.Varbind('SNMPv2-SMI::enterprises',
'.674.10892.2.1.1.11.0'))
serial_number = session.get(var)[0]
logger.debug('RAC serial number obtained: {0}'.format(serial_number))
elif system_type == 'powerconnect':
var = netsnmp.VarList(netsnmp.Varbind('SNMPv2-SMI::enterprises',
'.674.10895.3000.1.2.100'
'.8.1.4.1'))
serial_number = session.get(var)[0]
logger.debug('PowerConnect serial number obtained: {0}'
.format(serial_number))
service_tags.append(serial_number)
logger.debug('Service_tags obtained: {0}'.format(service_tags))
return service_tags
#
# #Get enclosure type.
# # 1: Internal
# # 2: DellTM PowerVaultTM 200S (PowerVault 201S)
# # 3: Dell PowerVault 210S (PowerVault 211S)
# # 4: Dell PowerVault 220S (PowerVault 221S)
# # 5: Dell PowerVault 660F
# # 6: Dell PowerVault 224F
# # 7: Dell PowerVault 660F/PowerVault 224F
# # 8: Dell MD1000
# # 9: Dell MD1120
def get_warranty_https(service_tag_list, timeout):
'''
Obtains the warranty information from Dell's website. This function
expects a list containing one or more serial numbers to be checked
against Dell's database.
'''
url = 'https://api.dell.com/support/v2/assetinfo/warranty/tags.json'
#Additional API keys, just in case:
#d676cf6e1e0ceb8fd14e8cb69acd812d
#849e027f476027a394edd656eaef4842
apikey = '1adecee8a60444738f280aad1cd87d0e'
service_tags = ''
if len(service_tag_list) == 1:
service_tags = service_tag_list[0]
else:
for service_tag in service_tag_list:
service_tags += service_tag + '|'
#Because we can't have a trailing '|'
service_tags = service_tags.rstrip('|')
logger.debug('Requesting service tags: {0}'.format(service_tags))
payload = {'svctags': service_tags, 'apikey': apikey}
try:
response = requests.get(url, params=payload, verify=False,
timeout=timeout)
except requests.exceptions.SSLError:
print 'Unable to verify SSL certificate for url: {0}'.format(url)
sys.exit(UNKNOWN)
try:
#Throw an exception for anything but 200 response code
response.raise_for_status()
except requests.exceptions.HTTPError:
print 'Unable to contact url: {0}.format(url)'
sys.exit(UNKNOWN)
logger.debug('Requesting warranty information from Dell url: '
'{0}'.format(response.url))
result = response.json()
logger.debug('Raw output received: \n {0}'.format(result))
#We test for any faults assserted by the api.
check_faults(result)
return result
def check_faults(response):
'''
This function checks the json content for faults that are rasied by Dell's
API. Any faults results in immediate termination with status UNKNOWN.
'''
logger.debug('Testing for faults in json response.')
fault = (response['GetAssetWarrantyResponse']['GetAssetWarrantyResult']
['Faults'])
logger.debug('Raw fault return: {0}'.format(fault))
if fault:
logger.debug('Fault found.')
code = fault['FaultException']['Code']
message = fault['FaultException']['Message']
print ('API fault code: "{0}" encountered, message: "{1}". '
'Exiting!'.format(code, message))
sys.exit(UNKNOWN)
logger.debug('No faults found.')
return None
def build_warranty_line(warranty, full_line, days, short_output):
'''
This function takes a warranty object and parses the salient information
out. It then calculates the number of days remaining in the warranty
period, and builds a line for Nagios outputting.
'''
logger.debug('Warranty contains')
description = warranty['ServiceLevelDescription']
end_date = warranty['EndDate']
start_date = warranty['StartDate']
provider = warranty['ServiceProvider']
logger.debug('Found: Start date: {0}, End Date: {1},Description: {2}, '
'Provider: {3}'.format(start_date, end_date, description,
provider))
#Because we need ot be able to calculate the time left as well as
#better formatting.
start_date = convert_date(start_date)
end_date = convert_date(end_date)
days_left = (end_date - datetime.date.today()).days
#Because no one cares about egative numbers of days.
if days_left < 0:
days_left = 0
logger.debug('Number of days left in warranty: '
'{0}'.format(days_left))
if short_output:
full_line = "%s, End: %s, Days left: %i" %(full_line, str(end_date.strftime('%m/%d/%Y')), days_left)
else:
full_line = "%s, Warranty: %s, Start: %s, End: %s, Days left: %i" %(full_line, description, str(start_date.strftime('%m/%d/%Y')),
str(end_date.strftime('%m/%d/%Y')), days_left)
days.append(int(days_left))
return full_line, days
def convert_date(date):
'''
This function converts the date as returned by the Dell API into a
datetime object. Dell's API format is as follows: 2010-07-01T01:00:00
'''
#Split on 'T' grab the date then split it out on '-'
year, month, day = date.split('T')[0].split('-')
return datetime.date(int(year), int(month), int(day))
def process_asset(asset, full_line, days, short_output):
'''
This function processes a json asset returned from Dell's API and
builds a line appropriate for Nagios output, as well as the service
tag for the line and the number of days remaining for each warranty
as a list.
'''
logger.debug('Raw asset being processed: {0}'.format(asset))
service_tag = asset['ServiceTag']
warranty = asset['Warranties']['Warranty']
if ( type(warranty) == type([]) ) and len(warranty) > 0:
warranty = warranty[0]
full_line, days = build_warranty_line(warranty, full_line,
days, short_output)
return service_tag, full_line, days
def parse_exit(result, short_output):
critical = 0
days = []
warning = 0
full_line = r'%s: Service Tag: %s'
logger.debug('Beginning to parse results and construct exit line '
'and code.')
assets = (result['GetAssetWarrantyResponse']['GetAssetWarrantyResult']
['Response']['DellAsset'])
logger.debug('Assets obtained: {0}'.format(assets))
#Check if there are multiple assets being provided
if isinstance(assets, list):
logger.debug('Multiple assets being processed.')
for asset in assets:
service_tag, full_line, days = process_asset(asset, full_line,
days, short_output)
#There is only one asset
else:
logger.debug('A single asset is being processed.')
asset = assets
service_tag, full_line, days = process_asset(asset, full_line,
days, short_output)
#Put the days remaining in ascending order
days.sort()
logger.debug('Days remaining on warranties: {0}'.format(days))
if days[-1] < options.critical_days:
state = 'CRITICAL'
critical += 1
elif days[-1] < options.warning_days:
state = 'WARNING'
warning += 1
else:
state = 'OK'
print full_line % (state, service_tag),
if critical:
sys.exit(CRITICAL)
elif warning:
sys.exit(WARNING)
else:
sys.exit(OK)
return None #Should never get here
def sigalarm_handler(signum, frame):
'''
Handler for an alarm situation.
'''
print ('{0} timed out after {1} seconds, '
'signum:{2}, frame: {3}').format(sys.argv[0], options.timeout,
signum, frame)
sys.exit(CRITICAL)
return None
def which(program):
'''This is the equivalent of the 'which' BASH built-in with a check to
make sure the program that is found is executable.
'''
def is_exe(file_path):
'''Tests that a file exists and is executable.
'''
return os.path.exists(file_path) and os.access(file_path, os.X_OK)
file_path = os.path.split(program)[0]
if file_path:
if is_exe(program):
return program
else:
for path in os.environ["PATH"].split(os.pathsep):
exe_file = os.path.join(path, program)
if is_exe(exe_file):
return exe_file
return None
if __name__ == '__main__':
import optparse
import signal
parser = optparse.OptionParser(description='''Nagios plug-in to pull the
Dell service tag and check it against Dell's web site to see how many
days remain. By default it issues a warning when there is less than
thirty days remaining and critical when there is less than ten days
remaining. These values can be adjusted using the command line, see --help.
''',
prog="check_dell_warranty",
version="%prog Version: {0}".format(__version__))
parser.add_option('-a', dest='authProtocol', action='store',
help=('Set the default authentication protocol for '
'SNMPv3 (MD5 or SHA).'))
parser.add_option('-A', dest='authPassword',
help=('Set the SNMPv3 authentication protocol password.')
)
parser.add_option('-C', '--community', action='store',
dest='community', type='string',default='public',
help=('SNMP Community String to use. '
'(Default: %default)'))
parser.add_option('-c', '--critical', dest='critical_days', default=10,
help=('Number of days under which to return critical '
'(Default: %default).'), type='int', metavar='<ARG>')
parser.add_option('-H', '--hostname', action='store', type='string',
dest='hostname',
help='Specify the host name of the SNMP agent')
parser.add_option('-l', dest='secLevel', default='noAuthNoPriv',
action='store',
help=('Set the SNMPv3 security level, (noAuthNoPriv'
'|authNoPriv|authPriv) (Default: noAuthNoPriv)'))
parser.add_option('--mtk', action='store_true', dest='mtk_installed',
default=False,
help=('Get SNMP Community String from /etc/mtk.conf if '
'mtk-nagios plugin is installed. NOTE: This option '
'will make the mtk.conf community string take '
'precedence over anything entered at the '
'command line (Default: %default)'))
parser.add_option('-p', '--port', dest='port', default=161,
help=('Set the SNMP port to be connected to '
'(Default:161).'), type='int')
parser.add_option('-s', '--service_tag', dest='service_tag',
help=('Dell Service Tag of system, to enter more than '
'one use multiple flags (Default: auto-detected)'),
action='append', metavar='<ARG>')
parser.add_option('-S', '--short', dest='short_output',
action='store_true', default = False,
help=('Display short output: only the status, '
'service tag, end date and days left for each '
'warranty.'))
parser.add_option('-t', '--timeout', dest='timeout', default=10,
help=('Set the timeout for the program to run '
'(Default: %default seconds)'), type='int',
metavar='<ARG>')
parser.add_option('-u', dest='secName', action='store',
help='Set the SNMPv3 security name (user name).')
parser.add_option('-v', dest='version', default=3, action='store',
help=('Specify the SNMP version (1, 2, 3) Default: 3'),
type='int'
)
parser.add_option('-V', dest='verbose', action='store_true',
default=False, help =('Give verbose output (Default: '
'Off)')
)
parser.add_option('-w', '--warning', dest='warning_days', default=30,
help=('Number of days under which to return a warning '
'(Default: %default)'), type='int', metavar='<ARG>' )
parser.add_option('-x', dest='privProtocol', action='store',
help='Set the SNMPv3 privacy protocol (DES or AES).')
parser.add_option('-X', dest='privPassword', action='store',
help='Set the SNMPv3 privacy pass phrase.')
(options, args) = parser.parse_args()
##Configure logging
logger = logging.getLogger("check_dell_warranty")
handler = logging.StreamHandler()
if options.verbose:
sys.stderr.write('Switching on debug mode.\n')
handler.setLevel(logging.DEBUG)
logger.setLevel(logging.DEBUG)
##Set the logging format, time, log level name, and the message
formatter = logging.Formatter('%(levelname)s - %(message)s')
handler.setFormatter(formatter)
logger.addHandler(handler)
signal.signal(signal.SIGALRM, sigalarm_handler)
signal.alarm(options.timeout)
if options.service_tag:
SERVICE_TAGS = options.service_tag
elif options.hostname or options.mtk_installed:
SERVICE_TAGS = extract_service_tag_snmp(options)
else:
SERVICE_TAGS = extract_service_tag()
RESULT = get_warranty_https(SERVICE_TAGS, options.timeout)
signal.alarm(0)
parse_exit(RESULT, options.short_output)

115
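--- a/nagios/files/check_linux_raid
+++ b/nagios/files/check_linux_raid
@@ -0,0 +1,115 @@
+#!/usr/bin/perl -w
+# Copyright (c) 2002 ISOMEDIA, Inc.
+# originally written by Steve Milton
+# later updates by sean finney <seanius@seanius.net>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Usage: check_raid [raid-name]
+# Example: check_raid md0
+# WARNING md0 status=[UUU_U], recovery=46.4%, finish=123.0min
+use strict;
+use lib "/usr/lib/nagios/plugins";
+use utils qw(%ERRORS);
+# die with an error if we're not on Linux
+if ($^O ne 'linux') {
+print "This plugin only applicable on Linux.\n";
+exit $ERRORS{'UNKNOWN'};
+}
+sub max_state($$){
+my ($a, $b) = @_;
+if ($a eq "CRITICAL" || $b eq "CRITICAL") { return "CRITICAL"; }
+elsif ($a eq "WARNING" || $b eq "WARNING") { return "WARNING"; }
+elsif ($a eq "OK" || $b eq "OK") { return "OK"; }
+elsif ($a eq "UNKNOWN" || $b eq "UNKNOWN") { return "UNKNOWN"; }
+elsif ($a eq "DEPENDENT" || $b eq "DEPENDENT") { return "DEPENDENT"; }
+return "UNKNOWN";
+}
+my $nextdev;
+if(defined $ARGV[0]) { $nextdev = shift; }
+else { $nextdev = "md[0-9]+"; }
+my $code = "UNKNOWN";
+my $msg = "";
+my %status;
+my %recovery;
+my %finish;
+my %active;
+my %devices;
+while(defined $nextdev){
+open (MDSTAT, "< /proc/mdstat") or die "Failed to open /proc/mdstat";
+my $device = undef;
+while(<MDSTAT>) {
+if (defined $device) {
+if (/(\[[_U]+\])/) {
+$status{$device} = $1;
+} elsif (/recovery = (.*?)\s/) {
+$recovery{$device} = $1;
+($finish{$device}) = /finish=(.*?min)/;
+$device=undef;
+} elsif (/^\s*$/) {
+$device=undef;
+}
+} elsif (/^($nextdev)\s*:/) {
+$device=$1;
+$devices{$device}=$device;
+if (/\sactive/) {
+$status{$device} = ''; # Shall be filled later if available
+$active{$device} = 1;
+}
+}
+}
+$nextdev = shift;
+}
+foreach my $k (sort keys %devices){
+if (!exists($status{$k})) {
+$msg .= sprintf " %s inactive with no status information.",
+$devices{$k};
+$code = max_state($code, "CRITICAL");
+} elsif ($status{$k} =~ /_/) {
+if (defined $recovery{$k}) {
+$msg .= sprintf " %s status=%s, recovery=%s, finish=%s.",
+$devices{$k}, $status{$k}, $recovery{$k}, $finish{$k};
+$code = max_state($code, "WARNING");
+} else {
+$msg .= sprintf " %s status=%s.", $devices{$k}, $status{$k};
+$code = max_state($code, "CRITICAL");
+}
+} elsif ($status{$k} =~ /U+/) {
+$msg .= sprintf " %s status=%s.", $devices{$k}, $status{$k};
+$code = max_state($code, "OK");
+} else {
+if ($active{$k}) {
+$msg .= sprintf " %s active with no status information.",
+$devices{$k};
+$code = max_state($code, "OK");
+} else {
+# This should't run anymore, but is left as a catch-all
+$msg .= sprintf " %s does not exist.\n", $devices{$k};
+$code = max_state($code, "CRITICAL");
+}
+}
+}
+print $code, $msg, "\n";
+exit ($ERRORS{$code});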
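Review bot: `open (MDSTAT, "< /proc/mdstat") or die "Failed to open /proc/mdstat";` exits with Perl's die status (255) and prints no Nagios status word, so a host where /proc/mdstat cannot be read is not reported as a proper UNKNOWN; replace it with `open (MDSTAT, "< /proc/mdstat") or do { print "UNKNOWN: Failed to open /proc/mdstat\n"; exit $ERRORS{'UNKNOWN'}; };`. The value taken from `$ARGV[0]` is interpolated unescaped into `/^($nextdev)\s*:/`, which appears intentional because the default `md[0-9]+` is itself a pattern, but a comment such as `# the argument is a regex, not a literal device name` above the `if(defined $ARGV[0])` line would keep a later reader from "fixing" it with quotemeta. The handle is also reopened once per argument and never closed; a `close(MDSTAT);` after the inner while loop keeps the per-device pass tidy.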

2731
nagios/files/check_netint.pl Normal file



@ -0,0 +1,38 @@
#!/bin/bash
TIMESTAMP=$( date +%s )
ONEDAY=86400
RETVAL=0
MSG=
if [ -f /etc/default/pg_backup ] ; then
. /etc/default/pg_backup
else
BACKUPDIR=/var/lib/pgsql/backups
fi
TIMESTAMP_LOG=$BACKUPDIR/.timestamp
NAGIOS_LOG=$BACKUPDIR/.nagios-status
function check_db_freshness() {
DB_LASTRUN=$( cat $TIMESTAMP_LOG )
FRESHNESS=$( echo "$TIMESTAMP - $DB_LASTRUN" | bc )
if [ $FRESHNESS -gt $ONEDAY ] ; then
MSG_FRESH="Dump older than 1 day ; "
RETVAL=1
fi
}
function check_dump_status() {
MSG_STATUS=$( grep FAILED $NAGIOS_LOG )
if [ $? -eq 0 ] ; then
RETVAL=2
else
MSG_STATUS="All dumps OK"
fi
}
check_db_freshness
check_dump_status
MSG="$MSG_FRESH $MSG_STATUS"
echo -n $MSG
exit $RETVAL
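Review bot: A missing or unreadable `$TIMESTAMP_LOG` makes check_db_freshness report OK: `cat` fails, `bc` is fed `$TIMESTAMP - ` and prints an error, `$FRESHNESS` ends up empty, and the `-gt` test errors out leaving RETVAL at 0, so a backup that never ran is invisible to Nagios. check_dump_status has the same gap, because `grep` on a missing `$NAGIOS_LOG` returns 2, which the `$? -eq 0` test treats as "no FAILED line" and answers "All dumps OK". Guard both reads at the top of each function, `[ -r "$TIMESTAMP_LOG" ] || { MSG_FRESH="No backup timestamp found ; "; RETVAL=2; return; }` and `[ -r "$NAGIOS_LOG" ] || { MSG_STATUS="No backup status file found"; RETVAL=2; return; }`, after which the `bc` call can become plain bash arithmetic, `FRESHNESS=$(( TIMESTAMP - DB_LASTRUN ))`. The final `echo -n $MSG` is unquoted, which collapses the spacing inside the message; `echo -n "$MSG"` prints it as built.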

311
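--- a/nagios/files/check_smart
+++ b/nagios/files/check_smart
@@ -0,0 +1,311 @@
+#!/usr/bin/perl -w
+# Check SMART status of ATA/SCSI disks, returning any usable metrics as perfdata.
+# For usage information, run ./check_smart -h
+#
+# This script was created under contract for the US Government and is therefore Public Domain
+#
+# Changes and Modifications
+# =========================
+# Feb 3, 2009: Kurt Yoder - initial version of script
+use strict;
+use Getopt::Long;
+use File::Basename qw(basename);
+my $basename = basename($0);
+my $revision = '$Revision: 1.0 $';
+use lib '/usr/lib/nagios/plugins/';
+use utils qw(%ERRORS &print_revision &support &usage);
+$ENV{'PATH'}='/bin:/usr/bin:/sbin:/usr/sbin';
+$ENV{'BASH_ENV'}='';
+$ENV{'ENV'}='';
+use vars qw($opt_d $opt_debug $opt_h $opt_i $opt_v);
+Getopt::Long::Configure('bundling');
+GetOptions(
+"debug" => \$opt_debug,
+"d=s" => \$opt_d, "device=s" => \$opt_d,
+"h" => \$opt_h, "help" => \$opt_h,
+"i=s" => \$opt_i, "interface=s" => \$opt_i,
+"v" => \$opt_v, "version" => \$opt_v,
+);
+if ($opt_v) {
+print_revision($basename,$revision);
+exit $ERRORS{'OK'};
+}
+if ($opt_h) {
+print_help();
+exit $ERRORS{'OK'};
+}
+my ($device, $interface) = qw//;
+if ($opt_d) {
+unless($opt_i){
+print "must specify an interface for $opt_d using -i/--interface!\n\n";
+print_help();
+exit $ERRORS{'UNKNOWN'};
+}
+if (-b $opt_d){
+$device = $opt_d;
+}
+else{
+print "$opt_d is not a valid block device!\n\n";
+print_help();
+exit $ERRORS{'UNKNOWN'};
+}
+if(grep {$opt_i eq $_} ('ata', 'scsi')){
+$interface = $opt_i;
+}
+else{
+print "invalid interface $opt_i for $opt_d!\n\n";
+print_help();
+exit $ERRORS{'UNKNOWN'};
+}
+}
+else{
+print "must specify a device!\n\n";
+print_help();
+exit $ERRORS{'UNKNOWN'};
+}
+my $smart_command = '/usr/bin/sudo /usr/sbin/smartctl';
+my @error_messages = qw//;
+my $exit_status = 'OK';
+warn "###########################################################\n" if $opt_debug;
+warn "(debug) CHECK 1: getting overall SMART health status\n" if $opt_debug;
+warn "###########################################################\n\n\n" if $opt_debug;
+my $full_command = "$smart_command -d $interface -H $device";
+warn "(debug) executing:\n$full_command\n\n" if $opt_debug;
+my @output = `$full_command`;
+warn "(debug) output:\n@output\n\n" if $opt_debug;
+# parse ata output, looking for "health status: passed"
+my $found_status = 0;
+my $line_str = 'SMART overall-health self-assessment test result: '; # ATA SMART line
+my $ok_str = 'PASSED'; # ATA SMART OK string
+if ($interface eq 'scsi'){
+$line_str = 'SMART Health Status: '; # SCSI SMART line
+$ok_str = 'OK'; #SCSI SMART OK string
+}
+foreach my $line (@output){
+if($line =~ /$line_str(.+)/){
+$found_status = 1;
+warn "(debug) parsing line:\n$line\n\n" if $opt_debug;
+if ($1 eq $ok_str) {
+warn "(debug) found string '$ok_str'; status OK\n\n" if $opt_debug;
+}
+else {
+warn "(debug) no '$ok_str' status; failing\n\n" if $opt_debug;
+push(@error_messages, "Health status: $1");
+escalate_status('CRITICAL');
+}
+}
+}
+unless ($found_status) {
+push(@error_messages, 'No health status line found');
+escalate_status('UNKNOWN');
+}
+warn "###########################################################\n" if $opt_debug;
+warn "(debug) CHECK 2: getting silent SMART health check\n" if $opt_debug;
+warn "###########################################################\n\n\n" if $opt_debug;
+$full_command = "$smart_command -d $interface -q silent -A $device";
+warn "(debug) executing:\n$full_command\n\n" if $opt_debug;
+system($full_command);
+my $return_code = $?;
+warn "(debug) exit code:\n$return_code\n\n" if $opt_debug;
+if ($return_code & 0x01) {
+push(@error_messages, 'Commandline parse failure');
+escalate_status('UNKNOWN');
+}
+if ($return_code & 0x02) {
+push(@error_messages, 'Device could not be opened');
+escalate_status('UNKNOWN');
+}
+if ($return_code & 0x04) {
+push(@error_messages, 'Checksum failure');
+escalate_status('WARNING');
+}
+if ($return_code & 0x08) {
+push(@error_messages, 'Disk is failing');
+escalate_status('CRITICAL');
+}
+if ($return_code & 0x10) {
+push(@error_messages, 'Disk is in prefail');
+escalate_status('WARNING');
+}
+if ($return_code & 0x20) {
+push(@error_messages, 'Disk may be close to failure');
+escalate_status('WARNING');
+}
+if ($return_code & 0x40) {
+push(@error_messages, 'Error log contains errors');
+escalate_status('WARNING');
+}
+if ($return_code & 0x80) {
+push(@error_messages, 'Self-test log contains errors');
+escalate_status('WARNING');
+}
+if ($return_code && !$exit_status) {
+push(@error_messages, 'Unknown return code');
+escalate_status('CRITICAL');
+}
+if ($return_code) {
+warn "(debug) non-zero exit code, generating error condition\n\n" if $opt_debug;
+}
+else {
+warn "(debug) zero exit code, status OK\n\n" if $opt_debug;
+}
+warn "###########################################################\n" if $opt_debug;
+warn "(debug) CHECK 3: getting detailed statistics\n" if $opt_debug;
+warn "(debug) information contains a few more potential trouble spots\n" if $opt_debug;
+warn "(debug) plus, we can also use the information for perfdata/graphing\n" if $opt_debug;
+warn "###########################################################\n\n\n" if $opt_debug;
+$full_command = "$smart_command -d $interface -A $device";
+warn "(debug) executing:\n$full_command\n\n" if $opt_debug;
+@output = `$full_command`;
+warn "(debug) output:\n@output\n\n" if $opt_debug;
+my @perfdata = qw//;
+# separate metric-gathering and output analysis for ATA vs SCSI SMART output
+if ($interface eq 'ata'){
+foreach my $line(@output){
+# get lines that look like this:
+# 9 Power_On_Minutes 0x0032 241 241 000 Old_age Always - 113h+12m
+next unless $line =~ /^\s*\d+\s(\S+)\s+(?:\S+\s+){6}(\S+)\s+(\d+)/;
+my ($attribute_name, $when_failed, $raw_value) = ($1, $2, $3);
+if ($when_failed ne '-'){
+push(@error_messages, "Attribute $attribute_name failed at $when_failed");
+escalate_status('WARNING');
+warn "(debug) parsed SMART attribute $attribute_name with error condition:\n$when_failed\n\n" if $opt_debug;
+}
+# some attributes produce questionable data; no need to graph them
+if (grep {$_ eq $attribute_name} ('Unknown_Attribute', 'Power_On_Minutes') ){
+next;
+}
+push (@perfdata, "$attribute_name=$raw_value");
+# do some manual checks
+if ( ($attribute_name eq 'Current_Pending_Sector') && $raw_value ) {
+push(@error_messages, "Sectors pending re-allocation");
+escalate_status('WARNING');
+warn "(debug) Current_Pending_Sector is non-zero ($raw_value)\n\n" if $opt_debug;
+}
+}
+}
+else{
+my ($current_temperature, $max_temperature, $current_start_stop, $max_start_stop) = qw//;
+foreach my $line(@output){
+if ($line =~ /Current Drive Temperature:\s+(\d+)/){
+$current_temperature = $1;
+}
+elsif ($line =~ /Drive Trip Temperature:\s+(\d+)/){
+$max_temperature = $1;
+}
+elsif ($line =~ /Current start stop count:\s+(\d+)/){
+$current_start_stop = $1;
+}
+elsif ($line =~ /Recommended maximum start stop count:\s+(\d+)/){
+$max_start_stop = $1;
+}
+elsif ($line =~ /Elements in grown defect list:\s+(\d+)/){
+push (@perfdata, "defect_list=$1");
+}
+elsif ($line =~ /Blocks sent to initiator =\s+(\d+)/){
+push (@perfdata, "sent_blocks=$1");
+}
+}
+if($current_temperature){
+if($max_temperature){
+push (@perfdata, "temperature=$current_temperature;;$max_temperature");
+if($current_temperature > $max_temperature){
+warn "(debug) Disk temperature is greater than max ($current_temperature > $max_temperature)\n\n" if $opt_debug;
+push(@error_messages, 'Disk temperature is higher than maximum');
+escalate_status('CRITICAL');
+}
+}
+else{
+push (@perfdata, "temperature=$current_temperature");
+}
+}
+if($current_start_stop){
+if($max_start_stop){
+push (@perfdata, "start_stop=$current_start_stop;$max_start_stop");
+if($current_start_stop > $max_start_stop){
+warn "(debug) Disk start_stop is greater than max ($current_start_stop > $max_start_stop)\n\n" if $opt_debug;
+push(@error_messages, 'Disk start_stop is higher than maximum');
+escalate_status('WARNING');
+}
+}
+else{
+push (@perfdata, "start_stop=$current_start_stop");
+}
+}
+}
+warn "(debug) gathered perfdata:\n@perfdata\n\n" if $opt_debug;
+my $perf_string = join(' ', @perfdata);
+warn "###########################################################\n" if $opt_debug;
+warn "(debug) FINAL STATUS: $exit_status\n" if $opt_debug;
+warn "###########################################################\n\n\n" if $opt_debug;
+warn "(debug) final status/output:\n" if $opt_debug;
+my $status_string = '';
+if($exit_status ne 'OK'){
+$status_string = "$exit_status: ".join(', ', @error_messages);
+}
+else {
+$status_string = "OK: no SMART errors detected";
+}
+print "$status_string|$perf_string\n";
+exit $ERRORS{$exit_status};
+sub print_help {
+print_revision($basename,$revision);
+print "Usage: $basename (--device=<SMART device> --interface=(ata|scsi)|-h|-v) [--debug]\n";
+print " --debug: show debugging information\n";
+print " -d/--device: a device to be SMART monitored, eg /dev/sda\n";
+print " -i/--interface: ata or scsi, depending upon the device's interface type\n";
+print " -h/--help: this help\n";
+print " -v/--version: Version number\n";
+support();
+}
+# escalate an exit status IFF it's more severe than the previous exit status
+sub escalate_status {
+my $requested_status = shift;
+# no test for 'CRITICAL'; automatically escalates upwards
+if ($requested_status eq 'WARNING') {
+return if $exit_status eq 'CRITICAL';
+}
+if ($requested_status eq 'UNKNOWN') {
+return if $exit_status eq 'WARNING';
+return if $exit_status eq 'CRITICAL';
+}
+$exit_status = $requested_status;
+}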
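Review bot: `my $return_code = $?;` after `system($full_command)` stores the raw 16-bit wait status, whose low byte carries the signal and core-dump bits while the child's exit value sits in the high byte; every `$return_code & 0x01` … `& 0x80` test that follows therefore masks the wrong byte, so a smartctl exit value of 8 ("Disk is failing") arrives as 2048 and matches none of them. Use `my $return_code = $? >> 8;` so the bitmask checks apply to the exit value smartctl documents. The fallback `if ($return_code && !$exit_status)` can never fire either, because `$exit_status` starts as the true string 'OK'; `if ($return_code && $exit_status eq 'OK')` expresses the intended "non-zero status that no mask explained". The backtick and `system` calls build a shell command from `$interface` and `$device`, which is safe only because `-b $opt_d` and the ata/scsi list are checked first; a comment on the `my $smart_command` line, `# $device and $interface are validated above; never pass unchecked input into this string`, records that dependency for whoever adds the next option.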


@ -0,0 +1,162 @@
#!/bin/bash
#
# https://www.monitoringexchange.org/inventory/Check-Plugins/Operating-Systems/Linux/Check-Processes-and-Ports
# Usage: .//check_system_pp
#
# Description:
# This plugin determines whether the server
# is running properly. It will check the following:
# * Are all required processes running?
# * Are all the required TCP/IP ports open?
#
# Created: 27.01.2006 (FBA)
#
# Changes: 28.01.2006 added yellow check (FBA)
# 29.01.2006 change "px -ef" to "ps -ax" (FBA). Problems with long arguments
# 31.01.2006 added all OK Status with all procs and ports (FBA)
# 15.07.2006 change "ps -ax" to "ps ax" (FBA). Also problems with long arguments under RedHat 3/4
# 17.07.2006 Plugin rewrite and bugfixes (Magnus Glantz)
# 19.07.2006 Removed utils.sh dependency.
#
#
#
COMMON_SH_LIB=/usr/lib/nagios/plugins/isti-cnr/check_library.sh
if [ -f $COMMON_SH_LIB ] ; then
. $COMMON_SH_LIB
else
PLUGIN_DIR=/usr/lib/nagios/plugins
ISTI_PLUGDIR=$PLUGIN_DIR/isti-cnr
fi
# We want the list of processes and ports to be customizable without editing this script
PP_CONF=$ISTI_PLUGDIR/check_system_pp.conf
if [ -f $PP_CONF ] ; then
. $PP_CONF
else
##################################################################################
#
# Processes to check
PROCLIST_RED="sshd"
PROCLIST_YELLOW="syslogd cron"
# Ports to check
PORTLIST="22"
##################################################################################
fi
PATH="/usr/bin:/usr/sbin:/bin:/sbin"
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4
print_gpl() {
echo "This program is free software; you can redistribute it and/or modify"
echo "it under the terms of the GNU General Public License as published by"
echo "the Free Software Foundation; either version 2 of the License, or"
echo "(at your option) any later version."
echo ""
echo "This program is distributed in the hope that it will be useful,"
echo "but WITHOUT ANY WARRANTY; without even the implied warranty of"
echo "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the"
echo "GNU General Public License for more details."
echo ""
echo "You should have received a copy of the GNU General Public License"
echo "along with this program; if not, write to the Free Software"
echo "Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA"
}
print_help(){
echo ""
echo "System process and port check script for Nagios."
echo ""
echo "Usage: ./check_system_pp"
echo "Website: http://www.nagiosexchange.org"
echo "https://www.monitoringexchange.org/inventory/Check-Plugins/Operating-Systems/Linux/Check-Processes-and-Ports"
echo ""
print_gpl
}
while test -n "$1"
do
case "$1" in
*) print_help; exit $STATE_OK;;
esac
done
check_processes_red()
{
PROCESS="0"
ERROR_PROCS=""
for PROC in `echo $PROCLIST_RED`; do
if [ `ps -ef | grep -w $PROC | grep -v grep | wc -l` -lt 1 ]; then
PROCESS=1
ERROR_PROCS="$ERROR_PROCS""$PROC ";
fi
done
if [ $PROCESS -eq "1" ]; then
exit_red=$STATE_CRITICAL
elif [ $PROCESS -eq "0" ]; then
exit_red=$STATE_OK
fi
}
check_processes_yellow()
{
PROCESS="0"
WARNING_PROCS=""
for PROC in `echo $PROCLIST_YELLOW`; do
if [ `ps -ef | grep $PROC | grep -v grep | wc -l` -lt 1 ]; then
PROCESS=1
WARNING_PROCS="$WARNING_PROCS""$PROC ";
fi
done
if [ $PROCESS -eq "1" ]; then
exit_yellow=$STATE_WARNING
elif [ $PROCESS -eq "0" ]; then
exit_yellow=$STATE_OK
fi
}
check_ports()
{
PORTS="0"
ERROR_PORTS=""
for NUM in `echo $PORTLIST`; do
if [ `netstat -an | grep LISTEN | grep -w $NUM | grep -v grep | wc -l` -lt 1 ]; then
PORTS=1
ERROR_PORTS="$ERROR_PORTS""$NUM ";
fi
done
if [ $PORTS -eq "1" ]; then
exit_ports=$STATE_CRITICAL
elif [ $PORTS -eq "0" ]; then
exit_ports=$STATE_OK
fi
}
check_processes_red
check_ports
check_processes_yellow
final_exit=`expr $exit_ports + $exit_red + $exit_yellow`
if [ $final_exit -eq "0" ]; then
echo "SYSTEM OK - All monitored resources OK. Processes: $PROCLIST_RED $PROCLIST_YELLOW. Ports: $PORTLIST."
exitstatus=$STATE_OK
elif [ $final_exit -eq "1" ]; then
echo "SYSTEM WARNING - Processes DOWN. ($WARNING_PROCS)."
exitstatus=$STATE_WARNING
elif [ $final_exit -ge "1" ]; then
echo "SYSTEM CRITICAL - Resources DOWN! Processes: $ERROR_PROCS $WARNING_PROCS. Ports: $ERROR_PORTS"
exitstatus=$STATE_CRITICAL
fi
exit $exitstatus
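Review bot: check_processes_yellow matches with `grep $PROC` while check_processes_red uses `grep -w $PROC`, so a yellow process is satisfied by any substring match — `cron` is found in `crond`, `anacron` or any command line that merely mentions it — and the two functions disagree on what "running" means. Use `grep -w` in both, or better `pgrep -x "$PROC" >/dev/null` in each loop, which also removes the `grep -v grep` self-match and the word-boundary games around `ps -ef`. The `final_exit=\`expr ...\`` arithmetic is correct only because the three checks return exactly 0, 1 or 2 and a lone WARNING is the only way to reach a sum of 1; a comment above that line, `# sum works only because each check yields 0, 1 (warning) or 2 (critical); never add a check that returns 3 or 4`, would protect that invariant.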


@ -0,0 +1,27 @@
#!/bin/bash
# semaphore leak su debian 6 col kernel backports. Il problema è del check nagios per l'hardware che usa le utility Dell.
# Workaround: individuare ed eliminare i semafori inutilizzati ( http://serverfault.com/questions/352026/anyone-know-how-to-fix-issues-with-omsa-on-red-hat-5-1-that-reports-no-controll ):
# "One common non-obvious cause of this problem is system semaphore exhaustion. Check your system logs; if you see something like this:
# Server Administrator (Shared Library): Data Engine EventID: 0 A semaphore set has to be created but the system limit for the maximum number of semaphore sets has been exceeded
# then you're running out of semaphores.
# You can run ipcs -s to list all of the semaphores currently allocated on your system and then use ipcrm -s <id> to remove a semaphore (if you're reasonably sure it's no longer needed). You might also want to track down the program that created them (using information from ipcs -s -i <id>) to make sure it's not leaking semaphores. In my experience, though, most leaks come from programs that were interrupted (by segfaults or similar) before they could run their cleanup code.
# If your system really needs all of the semaphores currently allocated, you can increase the number of semaphores available. Run sysctl -a | grep kernel.sem to see what the current settings are. The final number is the number of semaphores available on the system (normally 128). Copy that line into /etc/sysctl.conf, change the final number to a larger value, save it, and run sysctl -p to load the new settings."
for id in $( ipcs -s | grep nagios | awk '{print $2}' ) ; do
SEM_ID_PROC=$( ipcs -s -i $id | grep -A1 pid | grep -v pid | awk '{print $5}')
ps auwwx | grep " $SEM_ID_PROC " | grep -v grep >/dev/null 2>&1
RETVAL=$?
if [ $RETVAL -eq 1 ] ; then
# ipcs -s -i $id
ipcrm -s $id > /dev/null 2>&1
fi
done
exit 0
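Review bot: The liveness test `ps auwwx | grep " $SEM_ID_PROC " | grep -v grep` decides whether to delete a semaphore set by searching for the creator PID as a space-delimited substring of every process line, so any process whose arguments contain that number keeps a leaked set alive, and when `SEM_ID_PROC` comes back empty (the `grep -A1 pid | awk '{print $5}'` parse depends on the exact `ipcs -s -i` layout) the pattern becomes two spaces and matches almost every line, silently disabling the cleanup. A direct existence check is exact and replaces the pipeline and the `$RETVAL` test: `if [ -n "$SEM_ID_PROC" ] && [ ! -d "/proc/$SEM_ID_PROC" ] ; then`. Since this runs as root from cron.daily and `ipcrm -s` is destructive, logging the removed ids (instead of `> /dev/null 2>&1`) would leave a trace in the journal when a set is reclaimed. The header comment is partly in Italian; one English line such as `# Remove semaphore sets owned by nagios whose creating process no longer exists (Dell OMSA checks leak them)` would help readers of the cron directory.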


@ -0,0 +1 @@
deb http://ppa.launchpad.net/tormodvolden/ubuntu hardy main


@ -0,0 +1 @@
deb http://linux.dell.com/repo/community/deb/latest /


@ -0,0 +1,2 @@
deb http://ppa.research-infrastructures.eu/system stable main

242
nagios/files/show_users Executable file

@ -0,0 +1,242 @@
#!/bin/bash
#
# Copyright Hari Sekhon 2007
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# Nagios Plugin to list all currently logged on users to a system.
# Modified by Rob MacKenzie, SFU - rmackenz@sfu.ca
# Added the -w and -c options to check for number of users.
version=0.3
# This makes coding much safer as a varible typo is caught
# with an error rather than passing through
set -u
# Note: resisted urge to use <<<, instead sticking with |
# in case anyone uses this with an older version of bash
# so no bash bashers please on this
# Standard Nagios exit codes
OK=0
WARNING=1
CRITICAL=2
UNKNOWN=3
usage(){
echo "usage: ${0##*/} [--simple] [ --mandatory username ] [ --unauthorized username ] [ --whitelist username ]"
echo
echo "returns a list of users on the local machine"
echo
echo " -s, --simple show users without the number of sessions"
echo " -m username, --mandatory username"
echo " Mandatory users. Return CRITICAL if any of these users are not"
echo " currently logged in"
echo " -b username, --blacklist username"
echo " Unauthorized users. Returns CRITICAL if any of these users are"
echo " logged in. This can be useful if you have a policy that states"
echo " that you may not have a root shell but must instead only use "
echo " 'sudo command'. Specifying '-u root' would alert on root having"
echo " a session and hence catch people violating such a policy."
echo " -a username, --whitelist username"
echo " Whitelist users. This is exceptionally useful. If you define"
echo " a bunch of users here that you know you use, and suddenly"
echo " there is a user session open for another account it could"
echo " alert you to a compromise. If you run this check say every"
echo " 3 minutes, then any attacker has very little time to evade"
echo " detection before this trips."
echo
echo " -m,-u and -w can be specified multiple times for multiple users"
echo " or you can use a switch a single time with a comma separated"
echo " list."
echo " -w integer, --warning integer"
echo " Set WARNING status if more than INTEGER users are logged in"
echo " -c integer, --critical integer"
echo " Set CRITICAL status if more than INTEGER users are logged in"
echo
echo
echo " -V --version Print the version number and exit"
echo
exit $UNKNOWN
}
simple=""
mandatory_users=""
unauthorized_users=""
whitelist_users=""
warning_users=0
critical_users=0
while [ "$#" -ge 1 ]; do
case "$1" in
-h|--help) usage
;;
-V|--version) echo $version
exit $UNKNOWN
;;
-s|--simple) simple=true
;;
-m|--mandatory) if [ "$#" -ge 2 ]; then
if [ -n "$mandatory_users" ]; then
mandatory_users="$mandatory_users $2"
else
mandatory_users="$2"
fi
shift
else
usage
fi
;;
-b|--blacklist) if [ "$#" -ge 2 ]; then
if [ -n "$unauthorized_users" ]; then
unauthorized_users="$unauthorized_users $2"
else
unauthorized_users="$2"
fi
shift
else
usage
fi
;;
-a|--whitelist) if [ "$#" -ge 2 ]; then
if [ -n "$whitelist_users" ]; then
whitelist_users="$whitelist_users $2"
else
whitelist_users="$2"
fi
shift
else
usage
fi
;;
-w|--warning) if [ "$#" -ge 2 ]; then
if [ $2 -ge 1 ]; then
warning_users=$2
fi
shift
else
usage
fi
;;
-c|--critical) if [ "$#" -ge 2 ]; then
if [ $2 -ge 1 ]; then
critical_users=$2
fi
shift
else
usage
fi
;;
*) usage
;;
esac
shift
done
mandatory_users="`echo $mandatory_users | tr ',' ' '`"
unauthorized_users="`echo $unauthorized_users | tr ',' ' '`"
whitelist_users="`echo $whitelist_users | tr ',' ' '`"
# Must be a list of usernames only.
userlist="`who|grep -v "^ *$"|awk '{print $1}'|sort`"
usercount="`who|wc -l`"
errormsg=""
exitcode=$OK
if [ -n "$userlist" ]; then
if [ -n "$mandatory_users" ]; then
missing_users=""
for user in $mandatory_users; do
if ! echo "$userlist"|grep "^$user$" >/dev/null 2>&1; then
missing_users="$missing_users $user"
exitcode=$CRITICAL
fi
done
for user in `echo $missing_users|tr " " "\n"|sort -u`; do
errormsg="${errormsg}user '$user' not logged in. "
done
fi
if [ -n "$unauthorized_users" ]; then
blacklisted_users=""
for user in $unauthorized_users; do
if echo "$userlist"|sort -u|grep "^$user$" >/dev/null 2>&1; then
blacklisted_users="$blacklisted_users $user"
exitcode=$CRITICAL
fi
done
for user in `echo $blacklisted_users|tr " " "\n"|sort -u`; do
errormsg="${errormsg}Unauthorized user '$user' is logged in! "
done
fi
if [ -n "$whitelist_users" ]; then
unwanted_users=""
for user in `echo "$userlist"|sort -u`; do
if ! echo $whitelist_users|tr " " "\n"|grep "^$user$" >/dev/null 2>&1; then
unwanted_users="$unwanted_users $user"
exitcode=$CRITICAL
fi
done
for user in `echo $unwanted_users|tr " " "\n"|sort -u`; do
errormsg="${errormsg}Unauthorized user '$user' detected! "
done
fi
if [ $warning_users -ne 0 -o $critical_users -ne 0 ]; then
unwanted_users=`who`
if [ $usercount -ge $critical_users -a $critical_users -ne 0 ]; then
exitcode=$CRITICAL
elif [ $usercount -ge $warning_users -a $warning_users -ne 0 ]; then
exitcode=$WARNING
fi
OLDIFS="$IFS"
IFS=$'\n'
for user in $unwanted_users; do
errormsg="${errormsg} --- $user"
done
IFS="$OLDIFS"
fi
if [ "$simple" == "true" ]
then
finallist=`echo "$userlist"|uniq`
else
finallist=`echo "$userlist"|uniq -c|awk '{print $2"("$1")"}'`
fi
else
finallist="no users logged in"
fi
if [ "$exitcode" -eq $OK ]; then
echo "USERS OK:" $finallist
exit $OK
elif [ "$exitcode" -eq $WARNING ]; then
echo "USERS WARNING: [users: "$finallist"]" $errormsg
exit $WARNING
elif [ "$exitcode" -eq $CRITICAL ]; then
echo "USERS CRITICAL: [users: "$finallist"]" $errormsg
exit $CRITICAL
else
echo "USERS UNKNOWN:" $errormsg"[users: "$finallist"]"
exit $UNKNOWN
fi
exit $UNKNOWN
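Review bot: The usage text in `usage()` does not match the option parser: it advertises `-u` for unauthorized users and `-w` for the whitelist and says "-m,-u and -w can be specified multiple times", while the `case` accepts `-b|--blacklist` and `-a|--whitelist`, and `-w` is the warning threshold. The thresholds are documented as "more than INTEGER users" but tested with `-ge`, so the alert fires at exactly the configured count; either the wording or the comparison should change. The three membership tests use `grep "^$user$"`, which treats a configured or observed username as a regular expression; `grep -Fx -- "$user"` matches the literal name and cannot be confused by a `.` in it.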

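--- a/nagios/handlers/main.yml
+++ b/nagios/handlers/main.yml
@@ -0,0 +1,19 @@
+- name: Reload NRPE server
+service: name=nagios-nrpe-server state=reloaded
+- name: Restart NRPE server
+service: name=nagios-nrpe-server state=restarted
+- name: Restart Nagios server
+service: name=nagios3 state=restarted
+- name: Reload Nagios server
+service: name=nagios3 state=reloaded
+- name: Update apt cache
+apt: update_cache=yes
+ignore_errors: True
+- name: Start Dell OMSA
+service: name=dataeng state=restarted enabled=yes
+ignore_errors: True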

144
nagios/tasks/dell-omsa.yml Normal file

@ -0,0 +1,144 @@
---
# The internal repository is used for the check-openmanage nagios plugin:
# http://folk.uio.no/trondham/software/check_openmanage.html
- name: research infrastructures system repository on ubuntu
apt_repository: repo='{{ item }}'
with_items:
- deb http://ppa.research-infrastructures.eu/system stable main
when: is_ubuntu
register: update_apt_cache
tags:
- dell
- nagios
notify: Update apt cache
- name: research infrastructures system repository on debian
copy: src={{ item }} dest=/etc/apt/sources.list.d/{{ item }}
with_items:
- research-infrastructures.eu.system.list
when: is_debian6
register: update_apt_cache
tags:
- dell
- nagios
- name: Install the Dell apt repository
template: src={{ item }}.j2 dest=/etc/apt/sources.list.d/{{ item }}
with_items:
- linux.dell.com.sources.list
when: is_not_debian6
register: update_apt_cache
tags:
- dell
- nagios
- action: apt_key url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present
tags:
- dell
- nagios
ignore_errors: True
#- action: apt_key id=1285491434D8786F state=present
- shell: gpg --keyserver pool.sks-keyservers.net --recv-key 1285491434D8786F ; gpg -a --export 1285491434D8786F | apt-key add -
tags:
- dell
- nagios
- name: Update apt cache
apt: update_cache=yes
when: update_apt_cache.changed
tags:
- dell
- nagios
- name: Install the Dell OMSA packages dependencies
apt: pkg={{ item }} state=installed
with_items:
- libnet-snmp-perl
- libconfig-tiny-perl
- ipmitool
- check-openmanage
tags:
- dell
- nagios
- name: Install the Dell OMSA packages dependencies
apt: pkg={{ item }} state=installed
with_items:
- python-requests
register: requests_pkg
ignore_errors: True
tags:
- dell
- nagios
- name: Install the python-pip package if requests is not available as a package
apt: pkg={{ item }} state=installed
with_items:
- python-pip
when: requests_pkg|failed
tags:
- dell
- nagios
- name: Install the python-requests package via pip if it s not available as package
pip: name={{ item }} state=latest use_mirrors=no
with_items:
- requests
when: requests_pkg|failed
tags:
- dell
- nagios
- name: Get the old libssl0.9.8_9.9.8 needed by del Dell OMSA utilities on debian 7
get_url: url=http://ppa.research-infrastructures.eu/dell-legacy/libssl0.9.8_0.9.8o-4squeeze14_amd64.deb dest=/var/lib/libssl0.9.8_0.9.8o-4squeeze14_amd64.deb
when: is_debian7
register: libssl_legacy
tags:
- dell
- nagios
- name: Install libssl0.9.8_0.9.8o-4squeeze14_amd64.deb on debian 7
shell: /usr/bin/dpkg -i /var/lib/libssl0.9.8_0.9.8o-4squeeze14_amd64.deb
when: libssl_legacy.changed
tags:
- dell
- nagios
- name: Install the Dell OMSA packages
apt: pkg={{ item }} state=installed force=yes
with_items:
- syscfg
when: is_not_debian6
tags:
- dell
- nagios
- name: Install the Dell OMSA packages
apt: pkg={{ item }} state=installed force=yes
with_items:
- srvadmin-base
- srvadmin-idrac
- srvadmin-storageservices
notify:
Start Dell OMSA
tags:
- dell
- nagios
- name: Install the check_warranty plugin for dell systems
copy: src={{ item }} dest={{ nagios_isti_plugdir }}/{{ item }} owner=root group=nagios mode=0750
with_items:
- check_dell_warranty.py
tags:
- dell
- nagios
- name: Install a cron job that removes the leaked semaphores created by the nagios check of Dell hardware status
copy: src={{ item }} dest=/etc/cron.daily/{{ item }} owner=root group=root mode=0555
with_items:
- cleanup-leaked-ipvsems.sh
tags:
- dell
- nagios
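Review bot: The Dell OMSA packages are installed with `apt: ... force=yes`, which turns off apt's package authentication for that run, and the libssl0.9.8 .deb for Debian 7 is fetched by `get_url` over plain http with no checksum and then installed with `dpkg -i`; together with the `apt_key url=http://...` step (the same pattern appears in the precise-backports tasks later in this diff) this chain installs root-level code with no integrity check at any stage. `get_url` accepts a digest for the download (`sha256sum=<PLACEHOLDER-digest-of-the-deb>`), the repository key can be committed to the role and loaded with `apt_key file=` or `apt_key data=`, and `force=yes` should be dropped or accompanied by a comment naming the dependency conflict it works around. The `shell: gpg --keyserver ... --recv-key 1285491434D8786F ; gpg -a --export ... | apt-key add -` task runs on every play and the `;` hides a failed key retrieval, so a missing key only surfaces when the later apt install fails; an `apt_key` task, or at least `&&` plus `changed_when`, would make it idempotent and its failure visible. If I read the register semantics right, the three tasks that `register: update_apt_cache` overwrite one another, so on Debian 6 the `copy` of the sources list is followed by a skipped `template` task whose result replaces the changed one and 'Update apt cache' never runs for that path.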


@ -0,0 +1,45 @@
---
# The original check_linux_raid is often buggy
- name: Install some plugins that check hardware parts
copy: src={{ item }} dest={{ nagios_isti_plugdir }}/{{ item }} owner=root group=nagios mode=0750
with_items:
- check_linux_raid
- check_smart
tags:
- nagios-hw
- nagios
- name: Install some packages needed by the hardware checks
apt: pkg={{ item }} state=installed
with_items:
- smartmontools
tags:
- nagios-hw
- nagios
- name: Configure the smart server to run
lineinfile: name=/etc/default/smartmontools regexp="^start_smartd=" line="start_smartd=yes"
tags:
- nagios-hw
- nagios
- name: Ensure that the smart server is enabled and running
service: name=smartmontools state=started enabled=yes
tags:
- nagios-hw
- nagios
- name: Configure NRPE to allow arguments. Needed by the check_smart plugin
lineinfile: name=/etc/nagios/nrpe.cfg regexp="^dont_blame_nrpe=" line="dont_blame_nrpe=0"
notify: Restart NRPE server
tags:
- nagios-hw
- nagios
- nrpe
- name: nagios needs root to execute some hardware checks. We do it via sudo
template: src=nagios-hw.sudoers.j2 dest=/etc/sudoers.d/nagios-hw owner=root group=root mode=0440
tags:
- nagios-hw
- nagios
- nrpe
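Review bot: The task named "Configure NRPE to allow arguments" writes `line="dont_blame_nrpe=0"`, which is the value that disables argument passing, so the `check_smart -d $ARG1$ -i $ARG2$` command in common-nrpe.cfg.j2 will be refused by NRPE; the name and the value contradict each other. Setting `dont_blame_nrpe=1` does what the name says, but it lets the monitoring server supply arbitrary arguments to a plugin that runs `smartctl` as root through the nagios-hw sudoers entry (`nagios ALL=(root) NOPASSWD: /usr/sbin/smartctl`), so if arguments are enabled that sudoers line should be narrowed to the `smartctl` invocations check_smart actually issues, or the nrpe command should be given fixed device arguments and the `0` kept. Either way, rename the task to match the value chosen and add a comment explaining the choice, e.g. `# dont_blame_nrpe=0 keeps NRPE from accepting remote arguments; check_smart needs fixed per-host commands instead`.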

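--- a/nagios/tasks/main.yml
+++ b/nagios/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- include: nagios.yml
+- include: dell-omsa.yml
+when: dell_system is defined
+- include: postgresql-nagios.yml
+when: nagios_postgresql_check is defined and nagios_postgresql_check
+#- include: nsca.yml
+- include: hardware-checks.yml
+when: nagios_hw is defined and nagios_hw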

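--- a/nagios/tasks/nagios.yml
+++ b/nagios/tasks/nagios.yml
@@ -0,0 +1,71 @@
+---
+- name: Install the nagios packages
+apt: pkg={{ item }} state=installed
+with_items:
+- nagios-plugins
+- nagios-plugins-basic
+- nagios-plugins-standard
+- nagios-nrpe-server
+- sudo
+when: is_not_debian_less_than_6
+tags:
+- nagios
+- name: debian 6 has other nagios plugins
+apt: pkg={{ item }} state=installed
+with_items:
+- nagios-plugins-contrib
+when: is_debian6
+tags:
+- nagios
+- name: Create the directory where our local plugins are installed
+file: path={{ nagios_isti_plugdir }} state=directory
+tags:
+- nagios
+- name: Install the generic shell library used by some custom checks
+template: src=check_library.sh.j2 dest={{ nagios_isti_plugdir }}/check_library.sh owner=root group=root mode=0644
+tags:
+- nagios
+- name: Install plugins that can be useful on all the installed servers
+copy: src={{ item }} dest={{ nagios_isti_plugdir }}/{{ item }} owner=root group=nagios mode=0755
+with_items:
+- check_system_pp
+- show_users
+- check_netint.pl
+tags:
+- nagios
+- name: Install the global nrpe commands file
+template: src=common-nrpe.cfg.j2 dest=/etc/nagios/nrpe.d/common.cfg owner=root group=root mode=444
+notify:
+- Reload NRPE server
+tags:
+- nrpe
+- nagios
+- name: set the NRPE ACL
+action: |
+lineinfile name=/etc/nagios/nrpe.cfg regexp="allowed_hosts=" line="allowed_hosts=127.0.0.1,{{ nagios_monitoring_server_ip }}"
+notify:
+- Reload NRPE server
+tags:
+- nagios
+- nrpe
+- name: set the NRPE default timeout
+lineinfile: name=/etc/nagios/nrpe.cfg regexp="command_timeout=" line="command_timeout={{ nrpe_command_timeout }}"
+notify:
+- Reload NRPE server
+tags:
+- nagios
+- nrpe
+- name: nagios needs root to execute some commands. We do it via sudo
+template: src=nagios.sudoers.j2 dest=/etc/sudoers.d/nagios owner=root group=root mode=0440
+tags:
+- nagios
+- nrpe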
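Review bot: The plugin directory created by `file: path={{ nagios_isti_plugdir }} state=directory` gets no owner, group or mode, so it inherits whatever the umask on the target gives; because nagios.sudoers.j2 grants the nagios user passwordless root for every file under that directory, its ownership and permissions are what keeps plugin installation root-only. Set them explicitly, as postgresql-nagios.yml in this diff already does: `file: path={{ nagios_isti_plugdir }} state=directory owner=root group=root mode=0755`. The copy in 'Install plugins that can be useful on all the installed servers' uses `group=nagios mode=0755` while the hardware-check and check_warranty copies use `mode=0750`; one mode for the whole directory would make the intended readership clear.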

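--- a/nagios/tasks/nsca.yml
+++ b/nagios/tasks/nsca.yml
@@ -0,0 +1,19 @@
+---
+- name: Configure the nsca client
+template: src=send_nsca.j2 dest=/etc/send_nsca.cfg owner=root group=root mode=400
+tags:
+- nsca
+- apt: pkg={{ item }} state=installed
+with_items:
+- nsca-client
+when: '(({{ is_not_ubuntu_less_than_precise }}) == True) or (({{ is_debian7 }}) == True)'
+tags:
+- nsca
+- apt: pkg={{ item }} state=installed
+with_items:
+- nsca
+when: "(({{ is_not_debian_less_than_6 }}) == True) and (({{ is_ubuntu_less_than_precise }}) == True)"
+tags:
+- nsca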
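Review bot: The two `when:` conditions wrap the facts in `{{ }}` and compare with `== True`, a form Ansible warns about because the condition is already a Jinja expression; assuming these facts are booleans, `when: is_not_ubuntu_less_than_precise or is_debian7` and `when: is_not_debian_less_than_6 and is_ubuntu_less_than_precise` say the same thing without the extra templating pass. Both apt tasks also lack a `name:`, unlike every other task in this role, which makes the play output harder to follow. The template task renders `{{ nsca_password }}` into /etc/send_nsca.cfg; adding `no_log: true` to it keeps the secret out of verbose and `--diff` output.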


@ -0,0 +1,35 @@
---
- name: Ensure that the isti local nagios plugins directory exists
file: dest={{ nagios_isti_plugdir }} owner=root group=root state=directory
tags:
- nrpe
- nagios
- name: Install the postgresql backup nagios check
copy: src=check_postgresql_backup dest={{ nagios_isti_plugdir }}/check_postgresql_backup owner=root group=root mode=0555
tags:
- nrpe
- nagios
- name: Install the packages needed to check postgres via nagios
apt: pkg={{ item }} state=installed
with_items:
- check-postgres
tags:
- nrpe
- nagios
- name: Install the sudoers file needed by some nagios checks
template: src=postgresql-sudoers.j2 dest=/etc/sudoers.d/postgresql owner=root group=root mode=440
tags:
- nrpe
- nagios
- name: Install the nrpe configuration for check_postgres
template: src=postgresql-nrpe.cfg.j2 dest=/etc/nagios/nrpe.d/postgresql-nrpe.cfg owner=root group=root mode=444
notify:
- Reload NRPE server
tags:
- nrpe
- nagios


@ -0,0 +1,10 @@
ISTI_PLUGDIR={{ nagios_isti_plugdir }}
COMMON_LIB={{ nagios_common_lib }}
if [ -d {{ nagios_plugins_dir }} ] ; then
PLUGIN_DIR={{ nagios_plugins_dir }}
elif [ -d {{ nagios_centos_plugins_dir }} ] ; then
PLUGIN_DIR={{ nagios_centos_plugins_dir }}
fi


@ -0,0 +1,40 @@
# Debian 4 doesn't support "-A -i options"
command[global_check_disk]={{ nagios_plugins_dir }}/check_disk -w {{ nagios_check_disk_w }}% -c {{ nagios_check_disk_c }}% -X tmpfs -X proc -X sysfs -X devpts -X dev -A -i /mnt/.*
#command[global_check_disk]={{ nagios_plugins_dir }}/check_disk -w {{ nagios_check_disk_w }}% -c {{ nagios_check_disk_c }}% -X tmpfs -X proc -X sysfs -X devpts
command[global_check_load]={{ nagios_plugins_dir }}/check_load -w 20,15,10 -c 35,30,25
command[global_check_zombie_procs]={{ nagios_plugins_dir }}/check_procs -w 5 -c 10 -s Z
command[global_check_total_procs]={{ nagios_plugins_dir }}/check_procs -w 800 -c 1000
# Ganglia gmond server
command[global_check_gmond]={{ nagios_plugins_dir }}/check_procs -w 1:1 -c 1:1 -C gmond
# Munin node
command[global_check_munin]={{ nagios_plugins_dir }}/check_procs -w 1:1 -c 1:1 -C munin-node
# Show number and username of the logged users
command[global_show_users]={{ nagios_isti_plugdir }}/show_users -a {{ nagios_allowed_users }}
# Generic script that monitors the existance of a given processes list
command[global_check_system_pp]={{ nagios_isti_plugdir }}/check_system_pp
# Linux RAID check
command[global_check_linux_raid]={{ nagios_isti_plugdir }}/check_linux_raid
# Disks S.M.A.R.T. check
command[global_check_smart]={{ nagios_isti_plugdir }}/check_smart -d $ARG1$ -i $ARG2$
# Network interfaces
command[global_net_interfaces]={{ nagios_isti_plugdir }}/check_netint.pl -K -f -e
# Restart ntp (via handler)
command[global_restart_ntp]=/usr/bin/sudo /etc/init.d/ntp start
# Restart gmond (via handler)
command[global_restart_gmond]=/usr/bin/sudo /etc/init.d/ganglia-monitor start
# Restart munin node (via handler)
command[global_restart_munin]=/usr/bin/sudo /etc/init.d/munin-node start


@ -0,0 +1 @@
deb http://linux.dell.com/repo/community/ubuntu {{ ansible_distribution_version }} openmanage


@ -0,0 +1 @@
nagios ALL=(root) NOPASSWD: /usr/sbin/smartctl


@ -0,0 +1 @@
nagios ALL=(ALL) NOPASSWD: {{ nagios_plugins_dir }}/, {{ nagios_isti_plugdir }}/, {{ nagios_centos_plugins_dir }}/, /etc/init.d/, /usr/sbin/service, /sbin/service
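Review bot: This single line grants the nagios user passwordless root — `(ALL)`, so any target user — for every executable under the three plugin directories, the whole of `/etc/init.d/`, and the two `service` binaries, while the commands in common-nrpe.cfg.j2 only invoke three init scripts through sudo (`/etc/init.d/ntp start`, `/etc/init.d/ganglia-monitor start`, `/etc/init.d/munin-node start`). Listing those three scripts with their arguments, under `(root)` rather than `(ALL)`, keeps the rule to what the role actually uses; the hardware and postgres checks already get their own narrower sudoers files in this commit. If individual plugins in the plugin directories do need root, name them one by one instead of the directory, so that dropping a new file there does not silently extend the root grant.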


@ -0,0 +1 @@
include_dir={{ nrpe_include_dir }}


@ -0,0 +1,20 @@
# Check the status of the postgresql local dumps
command[{{ monitoring_group_name }}_check_postgresql_backup]={{ nagios_isti_plugdir }}/check_postgresql_backup
command[{{ monitoring_group_name }}_check_postgresql_connection]=/usr/bin/sudo -u postgres /usr/bin/check_postgres_connection -db template1
command[{{ monitoring_group_name }}_check_postgresql_timesync]=/usr/bin/sudo -u postgres /usr/bin/check_postgres_timesync -db template1
command[{{ monitoring_group_name }}_check_postgresql_backends]=/usr/bin/sudo -u postgres /usr/bin/check_postgres_backends -db template1
command[{{ monitoring_group_name }}_check_postgresql_commitratio]=/usr/bin/sudo -u postgres /usr/bin/check_postgres_commitratio -db template1
command[{{ monitoring_group_name }}_check_postgresql_database_size]=/usr/bin/sudo -u postgres /usr/bin/check_postgres_database_size -db template1 -w {{ nagios_psql_db_size_w }} -c {{ nagios_psql_db_size_c }}
{% for db in psql_db_data %}
command[{{ monitoring_group_name }}_check_postgresql_{{ db.name }}_query]=/usr/bin/sudo -u postgres /usr/bin/check_postgres_query_time -db {{ db.name }} -w {{ nagios_psql_query_time_w }} -c {{ nagios_psql_query_time_c }}
command[{{ monitoring_group_name }}_check_postgresql_{{ db.name }}_dbstats]=/usr/bin/sudo -u postgres /usr/bin/check_postgres_dbstats -db {{ db.name }}
command[{{ monitoring_group_name }}_check_postgresql_{{ db.name }}_sequence]=/usr/bin/sudo -u postgres /usr/bin/check_postgres_sequence -db {{ db.name }}
{% endfor %}


@ -0,0 +1 @@
nagios ALL=(postgres) NOPASSWD: /usr/bin/check_postgres_*
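Review bot: `/usr/bin/check_postgres_*` with no argument list lets the nagios account run any check_postgres action with any arguments as the postgres user, which is wider than the eight fixed invocations in postgresql-nrpe.cfg.j2. Naming the symlinks that template actually uses (`check_postgres_connection`, `check_postgres_timesync`, `check_postgres_backends`, `check_postgres_commitratio`, `check_postgres_database_size`, `check_postgres_query_time`, `check_postgres_dbstats`, `check_postgres_sequence`) keeps the grant aligned with the nrpe commands that depend on it, and a one-line comment above the rule pointing at that template explains why the list exists.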


@ -0,0 +1,2 @@
password={{ nsca_password }}
decryption_method={{ nsca_encryption }}


@ -0,0 +1,24 @@
---
- name: apt key for the internal precise-backports repository
apt_key: url=http://ppa.research-infrastructures.eu/precise-backports/keys/precise-backports.asc state=present
when: is_precise
register: update_apt_cache
tags:
- apt
- name: Install the precise backports apt repository
apt_repository: repo='{{ item }}'
with_items:
- deb http://ppa.research-infrastructures.eu/precise-backports precise main
when: is_precise
register: update_apt_cache
tags:
- apt
- name: Update the apt cache
apt: update_cache=yes
when: ( update_apt_cache | changed )
ignore_errors: True
tags:
- apt

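--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+nginx_use_ldap_pam_auth: False
+nginx_pam_svc_name: nginx
+nginx_ldap_uri: "ldap://ldap.sub.research-infrastructures.eu"
+nginx_ldap_base_dn: "dc=research-infrastructures,dc=eu"
+nginx_enabled: "Yes"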
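Review bot: `nginx_enabled: "Yes"` is a quoted string while `nginx_use_ldap_pam_auth: False` is a boolean, so a consumer testing `when: nginx_enabled` would treat any non-empty string as true and a host override of `nginx_enabled: false` would never compare equal to "Yes"; unless the role deliberately compares against the literal string (not visible in this diff), `nginx_enabled: true` removes the ambiguity, and `nginx_use_ldap_pam_auth: false` keeps both booleans in the lowercase form yamllint expects. `nginx_ldap_uri` defaults to a plain `ldap://` URI; whether PAM credentials cross the network in clear depends on the LDAP client configuration that is not part of this change, so a comment stating whether STARTTLS is expected there, or an `ldaps://` default, would document the intent.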
