forked from ISTI-ansible-roles/ansible-roles
Major refactoring. Moved all the library roles under 'library/roles' and changed all the occurrences inside all the playbooks.
This commit is contained in:
commit
73d37f81a6
|
@ -0,0 +1,65 @@
|
|||
---
#
# To list the installed R packages run R, then execute:
#   packinfo <- installed.packages (fields = c ("Package", "Version"))
#   packinfo[,c("Package", "Version")]
#
# The install/remove script has been taken from here:
# http://adamj.eu/tech/2014/07/19/installing-and-removing-r-packages-with-ansible/
#

# Whether to configure the upstream CRAN apt repository.
r_install_cran_repo: false

# CRAN mirror used for the apt repository and for install.packages().
#r_cran_mirror_site: http://cran.rstudio.com
r_cran_mirror_site: http://cran.mirror.garr.it/mirrors/CRAN/

# Quoted so that YAML tooling never mis-types the version string.
r_base_pkg_version: '2.14.1'
# apt state applied to all the R packages: present, latest or absent.
r_packages_state: present

# Distribution packages providing the R base environment.
r_base_packages_list:
  - r-base
  - jags

# R plugins packaged by the distribution.
r_plugins_packages_list:
  - r-cran-rjags
  - r-cran-abind
  - r-cran-boot
  - r-cran-class
  - r-cran-cluster
  - r-cran-coda
  - r-cran-codetools
  - r-cran-foreign
  - r-cran-lattice
  - r-cran-maptools
  - r-cran-mass
  - r-cran-matrix
  - r-cran-mgcv
  - r-cran-nlme
  - r-cran-nnet
  - r-cran-rpart
  - r-cran-sp
  - r-cran-spatial
  - r-cran-survival

# Plugins installed from the CRAN mirror via install.packages().
r_plugins_list_to_install:
  - R2WinBUGS
  - R2jags
  - bayesmix
  - coda
  - rjags
  - runjags
  - base
  - compiler
  - datasets
  - grDevices
  - graphics
  - grid
  - methods
  - parallel
  - splines
  - stats
  - stats4
  - tcltk
  - tools
  - utils

#r_plugins_list_to_remove:
|
@ -0,0 +1,59 @@
|
|||
---
# Manage the CRAN apt repository, the distribution R packages and the
# R plugins installed from CRAN via install.packages().

- name: Install the cran repository key
  apt_key: id=E084DAB9 keyserver=keyserver.ubuntu.com state=present
  # Fix: each repo task now registers its own variable. Previously all
  # three tasks registered 'update_apt_cache', and the last (possibly
  # skipped) task clobbered the earlier results, so the cache-update
  # trigger below could never fire.
  register: r_cran_key_result
  when: r_install_cran_repo
  tags:
    - r_software
    - r_repo

- name: Install the cran repository definition
  apt_repository: repo='deb http://cran.rstudio.com/bin/linux/ubuntu {{ ansible_distribution_release }}/' state=present
  register: r_cran_repo_added
  when: r_install_cran_repo
  tags:
    - r_software
    - r_repo

# Renamed from the duplicated "Install the cran repository definition":
# this task removes the repository when it is not wanted.
- name: Remove the cran repository definition
  apt_repository: repo='deb {{ r_cran_mirror_site }}/bin/linux/ubuntu {{ ansible_distribution_release }}/' state=absent
  register: r_cran_repo_removed
  when: not r_install_cran_repo
  tags:
    - r_software
    - r_repo

- name: Update the apt cache if needed
  apt: update_cache=yes
  when: ( r_cran_key_result | changed ) or ( r_cran_repo_added | changed ) or ( r_cran_repo_removed | changed )
  tags:
    - r_software
    - r_repo

- name: Install the R base packages
  apt: pkg={{ item }} state={{ r_packages_state }}
  with_items: '{{ r_base_packages_list }}'
  tags:
    - r_software
    - r_pkg

- name: Install the R plugins from the ubuntu repo
  apt: pkg={{ item }} state={{ r_packages_state }}
  with_items: '{{ r_plugins_packages_list }}'
  tags:
    - r_software
    - r_pkg

# Idempotent: only runs install.packages() when the plugin is missing.
- name: Install R plugins from the cran binaries repo
  command: >
    Rscript --slave --no-save --no-restore-history -e "if (! ('{{ item }}' %in% installed.packages()[,'Package'])) { install.packages(pkgs='{{ item }}', repos=c('{{ r_cran_mirror_site }}/')); print('Added'); } else { print('Already installed'); }"
  register: install_plugins_result
  failed_when: "install_plugins_result.rc != 0 or 'had non-zero exit status' in install_plugins_result.stderr"
  changed_when: "'Added' in install_plugins_result.stdout"
  with_items: '{{ r_plugins_list_to_install }}'
  tags:
    - r_software
    - r_pkg
|
@ -0,0 +1,12 @@
|
|||
---
# ansible PKG state: latest, installed, absent
ansible_pkg_state: latest
ansible_cfg_file: /etc/ansible/ansible.cfg
# Fact gathering policy. Options: smart, implicit, explicit.
ansible_gathering: smart
# Warn when a shell/command task could use a module instead.
ansible_command_warnings: true
# Shortened control path, to stay within the unix socket path limit.
ansible_control_path: '%(directory)s/%%h-%%r'
#
# Note: it breaks sudo if there's 'requiretty' inside the sudoers file
ansible_pipelining: true
# Use scp instead of sftp when transferring files.
ansible_scp_if_ssh: true
|
|
@ -0,0 +1,32 @@
|
|||
---
# Tune /etc/ansible/ansible.cfg via the custom 'configfile' module.

- name: Set the gather facts policy
  action: configfile path={{ ansible_cfg_file }} key=gathering value='{{ ansible_gathering }}'
  tags:
    - ansible
    - ansible_cfg

- name: Warn if some shell commands can be avoided using modules
  # Fix: the ansible.cfg option is 'command_warnings' (plural); the old
  # 'command_warning' key was silently ignored by ansible.
  action: configfile path={{ ansible_cfg_file }} key=command_warnings value='{{ ansible_command_warnings }}'
  tags:
    - ansible
    - ansible_cfg

- name: Shorten the ansible control path
  action: configfile path={{ ansible_cfg_file }} key=control_path value='{{ ansible_control_path }}'
  tags:
    - ansible
    - ansible_cfg

- name: Be fast, use pipelining when possible
  action: configfile path={{ ansible_cfg_file }} key=pipelining value='{{ ansible_pipelining }}'
  tags:
    - ansible
    - ansible_cfg

- name: Use scp instead of sftp to transfer files
  action: configfile path={{ ansible_cfg_file }} key=scp_if_ssh value='{{ ansible_scp_if_ssh }}'
  tags:
    - ansible
    - ansible_cfg
|
@ -0,0 +1,24 @@
|
|||
---
# Install ansible from the upstream PPA, dropping the old rquillo one.

- name: Remove the now obsolete rquillo ppa for ansible
  apt_repository: repo='ppa:rquillo/ansible' state=absent
  register: update_apt_cache_rquillo
  tags:
    - ansible

- name: Add the ansible ppa for ansible
  apt_repository: repo='ppa:ansible/ansible'
  register: update_apt_cache
  tags:
    - ansible

# Only refresh the cache when one of the repository tasks changed.
- name: Update the apt cache if needed
  apt: update_cache=yes
  when: (update_apt_cache|changed) or (update_apt_cache_rquillo|changed)
  tags:
    - ansible

- name: Install the ansible package
  apt: pkg=ansible state={{ ansible_pkg_state }}
  tags:
    - ansible
|
@ -0,0 +1,4 @@
|
|||
---
# Packages first, then configuration tuning.
- include: ansible-packages.yml
- include: ansible-config.yml
|
@ -0,0 +1,32 @@
|
|||
---
# Unix user/group the apache processes run as.
apache_user: www-data
apache_group: '{{ apache_user }}'

apache_packages:
  - apache2
  - apache2-mpm-prefork
  - apache2-utils
  - libapache2-mod-xsendfile
  - unzip
  - zip

apache_default_modules:
  - headers
  - rewrite
  - expires
  - xsendfile

# Basic authentication support, disabled by default.
apache_basic_auth: false
# When true, all the credentials live in one shared htpasswd file.
apache_basic_auth_single_file: true
apache_basic_auth_dir: /etc/apache2/auth
apache_basic_auth_file: '{{ apache_basic_auth_dir }}/htpasswd'

apache_basic_auth_modules:
  - auth_basic
  - authn_file
  - authz_user

# Put them in a vault file. auth_file is optional. Not used when apache_basic_auth_single_file is true
# apache_basic_users:
#   - { username: '', password: '', state: 'present,absent', auth_file: 'path_to_file' }
|
@ -0,0 +1,4 @@
|
|||
---
# Reload rather than restart: keeps established connections alive.
- name: apache2 reload
  service: name=apache2 state=reloaded
|
@ -0,0 +1,36 @@
|
|||
---
# Configure htpasswd based basic authentication for apache.

- name: Load the basic auth modules
  apache2_module: name={{ item }} state=present
  with_items: apache_basic_auth_modules
  notify: apache2 reload
  tags:
    - apache
    - apache_basic_auth

- name: Create the authentication directory
  file: path={{ apache_basic_auth_dir }} mode=0750 owner=root group={{ apache_group }} state=directory
  tags:
    - apache
    - apache_basic_auth

# passlib is needed by the htpasswd module.
- name: Install the python-passlib library
  apt: pkg=python-passlib state=present
  tags:
    - apache
    - apache_basic_auth

- name: Create the basic auth entries in the shared htpasswd file
  htpasswd: path={{ apache_basic_auth_file }} name={{ item.username }} password={{ item.password }} create=yes state={{ item.state }}
  # Fix: the loop was missing, so '{{ item.username }}' was undefined
  # and this task could never work.
  with_items: apache_basic_users
  when: apache_basic_users is defined and apache_basic_auth_single_file
  tags:
    - apache
    - apache_basic_auth

- name: Create the basic auth entries in the per-user auth files
  htpasswd: path={{ item.auth_file }} name={{ item.username }} password={{ item.password }} create=yes state={{ item.state }}
  with_items: apache_basic_users
  when: apache_basic_users is defined and not apache_basic_auth_single_file
  tags:
    - apache
    - apache_basic_auth
|
@ -0,0 +1,22 @@
|
|||
---
# Install apache, enable the default modules, drop the stock vhost.

- name: Install the apache packages
  apt: pkg={{ item }} state=installed force=yes
  with_items: apache_packages
  tags:
    - apache

- name: Load the required modules
  apache2_module: name={{ item }} state=present
  with_items: apache_default_modules
  notify: apache2 reload
  tags:
    - apache

# Both the old and the new (.conf) default vhost names are covered.
- name: Remove the default virtualhost file
  file: dest=/etc/apache2/sites-enabled/{{ item }} state=absent
  with_items:
    - 000-default
    - 000-default.conf
  notify: apache2 reload
  tags:
    - apache
|
@ -0,0 +1,4 @@
|
|||
---
- include: apache.yml
# Basic auth is opt-in via the apache_basic_auth variable.
- include: apache-basic-auth.yml
  when: apache_basic_auth
|
@ -0,0 +1,15 @@
|
|||
---
- name: install chkconfig and insserv
  apt: pkg={{ item }} state=present
  with_items:
    - chkconfig
    - insserv
  tags:
    - chkconfig

# Workaround for a bug in the insserv package. insserv is needed by chkconfig
- name: Workaround for a bug in the insserv package.
  file: src=/usr/lib/insserv/insserv dest=/sbin/insserv state=link
  tags:
    - chkconfig
|
@ -0,0 +1,18 @@
|
|||
---
# First things first: install the basic requirements with a raw command,
# since the apt module itself needs python and python-apt on the target.
- name: install python-apt
  raw: "apt-get update; apt-get install -y python python-apt lsb-release"
  tags:
    - pythonapt

- name: Install python-software-properties
  apt: pkg=python-software-properties state=installed
  tags:
    - pythonapt

- name: Install software-properties-common on quantal distributions
  apt: pkg=software-properties-common state=installed
  when: is_quantal
  tags:
    - pythonapt
|
@ -0,0 +1,3 @@
|
|||
---
# Default system locale and the full list handed to locale-gen.
deb_default_locale: "en_US.UTF-8"
deb_locales: "{{ deb_default_locale }} en_US, it_IT.UTF-8 it_IT"
|
|
@ -0,0 +1,12 @@
|
|||
---
# Drive the debconf configuration of the 'locales' package.

- name: Generate locales
  debconf: name=locales question='locales/locales_to_be_generated' value='{{ deb_locales }}' vtype='multiselect'
  tags:
    - locale

- name: Update the locale default
  debconf: name=locales question='locales/default_environment_locale' value='{{ deb_default_locale }}' vtype='select'
  tags:
    - locale
|
@ -0,0 +1,30 @@
|
|||
---
# Configure the D-NET apt repositories and refresh the cache when needed.

- name: apt key for the internal ppa repository
  apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present
  when: has_apt
  # Fix: use a dedicated variable. The next task also registered
  # 'update_apt_cache', so a change reported here was always overwritten.
  register: dnet_system_key_result
  tags:
    - dnet

- name: Install the D-Net apt repositories
  apt_repository: repo='{{ item }}'
  with_items:
    - deb http://ppa.research-infrastructures.eu/dnet lucid main
    - deb http://ppa.research-infrastructures.eu/dnet unstable main
  when: has_apt
  register: dnet_repo_result
  tags:
    - dnet

- name: Install the D-NET repository key
  apt_key: url=http://ppa.research-infrastructures.eu/dnet/keys/dnet-archive.asc
  tags:
    - dnet

- name: Update the apt cache
  apt: update_cache=yes
  when: (dnet_system_key_result|changed) or (dnet_repo_result|changed)
  ignore_errors: true
  tags:
    - dnet
|
@ -0,0 +1,3 @@
|
|||
---
- name: Restart docker
  service: name=docker state=restarted
|
|
@ -0,0 +1,7 @@
|
|||
---
- include: pkgs.yml

# NOTE(review): this exposes the docker daemon on an unauthenticated TCP
# socket (172.17.42.1:2375) — confirm the bridge is not reachable from
# untrusted networks.
- name: Enable Docker TCP on local bridge (for docker swarm)
  action: configfile path=/etc/default/docker syntax=shell key=DOCKER_OPTS value="\"-H tcp://172.17.42.1:2375 -H unix:///var/run/docker.sock\""
  notify: Restart docker
  tags: docker-conf
|
|
@ -0,0 +1,16 @@
|
|||
---
# Install docker from the get.docker.io apt repository.

- name: Add Docker repository key
  apt_key: url="https://get.docker.io/gpg"
  tags:
    - docker

- name: Add Docker repository
  apt_repository: repo='deb http://get.docker.io/ubuntu docker main' update_cache=yes
  tags:
    - docker

- name: Install Docker
  apt: pkg=lxc-docker state=present
  tags:
    - docker
|
@ -0,0 +1,33 @@
|
|||
---
# Fail2ban
# Needed by the fail2ban template
cm_ip: 146.48.123.18
monitoring_ip: 146.48.123.23

# ban time in seconds. 86400 == 1 day
f2b_ban_time: 86400
f2b_findtime: 600
f2b_maxretry: 5
f2b_default_backend: auto
f2b_usedns: warn
f2b_dest_email: sysadmin@research-infrastructures.eu
f2b_sender_email: denyhosts@research-infrastructures.eu
f2b_default_banaction: iptables-multiport
# Default action: ban. Not send email
f2b_default_action: action_
f2b_default_iptableschain: INPUT

# Per-jail enable switches.
f2b_ssh_enabled: true
f2b_ssh_ddos_enabled: true
f2b_apache_auth_enabled: false
f2b_apache_noscript_enabled: false
f2b_apache_overflow_enabled: false
f2b_php_url_popen: false
f2b_nginx_auth_enabled: false
f2b_vsftpd_enabled: false
f2b_vsftpd_logpath: /var/log/vsftpd.log

# The recidive jail bans repeat offenders for much longer.
f2b_recidive_enabled: true
# 604800: one week
f2b_recidive_findtime: 604800
# 14515200 24 weeks
f2b_recidive_ban_time: 14515200
|
@ -0,0 +1,4 @@
|
|||
---
# Also ensure the service is enabled at boot when restarting it.
- name: Restart fail2ban
  service: name=fail2ban state=restarted enabled=yes
|
@ -0,0 +1,3 @@
|
|||
---
# fail2ban manipulates iptables rules, so pull in the iptables role.
dependencies:
  - role: '../../library/roles/iptables'
|
|
@ -0,0 +1,14 @@
|
|||
---
- name: install fail2ban ubuntu >= 14.04
  apt: pkg={{ item }} state=installed
  with_items:
    - fail2ban
  tags:
    - fail2ban

# jail.local overrides the packaged jail.conf; a restart picks it up.
- name: Install the fail2ban custom jail file
  template: src=jail.local.j2 dest=/etc/fail2ban/jail.local owner=root group=root mode=444
  notify: Restart fail2ban
  tags:
    - fail2ban
|
@ -0,0 +1,4 @@
|
|||
---
# fail2ban is only configured on ubuntu trusty (14.04).
- include: fail2ban.yml
  when: is_trusty
|
@ -0,0 +1,254 @@
|
|||
# Fail2Ban configuration file.
|
||||
#
|
||||
# This file was composed for Debian systems from the original one
|
||||
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
|
||||
# for additional examples.
|
||||
#
|
||||
# Comments: use '#' for comment lines and ';' for inline comments
|
||||
#
|
||||
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
|
||||
# and rather provide your changes in /etc/fail2ban/jail.local
|
||||
#
|
||||
|
||||
# The DEFAULT allows a global definition of the options. They can be overridden
|
||||
# in each jail afterwards.
|
||||
|
||||
[DEFAULT]
|
||||
|
||||
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
|
||||
# ban a host which matches an address in this list. Several addresses can be
|
||||
# defined using space separator.
|
||||
ignoreip = 127.0.0.1/8 {{ cm_ip }} {{ monitoring_ip }}
|
||||
|
||||
# "bantime" is the number of seconds that a host is banned.
|
||||
bantime = {{ f2b_ban_time }}
|
||||
|
||||
# A host is banned if it has generated "maxretry" during the last "findtime"
|
||||
# seconds.
|
||||
findtime = {{ f2b_findtime }}
|
||||
maxretry = {{ f2b_maxretry }}
|
||||
|
||||
# "backend" specifies the backend used to get files modification.
|
||||
# Available options are "pyinotify", "gamin", "polling" and "auto".
|
||||
# This option can be overridden in each jail as well.
|
||||
#
|
||||
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
|
||||
# If pyinotify is not installed, Fail2ban will use auto.
|
||||
# gamin: requires Gamin (a file alteration monitor) to be installed.
|
||||
# If Gamin is not installed, Fail2ban will use auto.
|
||||
# polling: uses a polling algorithm which does not require external libraries.
|
||||
# auto: will try to use the following backends, in order:
|
||||
# pyinotify, gamin, polling.
|
||||
backend = {{ f2b_default_backend }}
|
||||
|
||||
# "usedns" specifies if jails should trust hostnames in logs,
|
||||
# warn when reverse DNS lookups are performed, or ignore all hostnames in logs
|
||||
#
|
||||
# yes: if a hostname is encountered, a reverse DNS lookup will be performed.
|
||||
# warn: if a hostname is encountered, a reverse DNS lookup will be performed,
|
||||
# but it will be logged as a warning.
|
||||
# no: if a hostname is encountered, will not be used for banning,
|
||||
# but it will be logged as info.
|
||||
usedns = {{ f2b_usedns }}
|
||||
|
||||
#
|
||||
# Destination email address used solely for the interpolations in
|
||||
# jail.{conf,local} configuration files.
|
||||
destemail = {{ f2b_dest_email }}
|
||||
|
||||
#
|
||||
# Name of the sender for mta actions
|
||||
sendername = {{ f2b_sender_email }}
|
||||
|
||||
#
|
||||
# ACTIONS
|
||||
#
|
||||
|
||||
# Default banning action (e.g. iptables, iptables-new,
|
||||
# iptables-multiport, shorewall, etc) It is used to define
|
||||
# action_* variables. Can be overridden globally or per
|
||||
# section within jail.local file
|
||||
banaction = {{ f2b_default_banaction }}
|
||||
|
||||
# email action. Since 0.8.1 upstream fail2ban uses sendmail
|
||||
# MTA for the mailing. Change mta configuration parameter to mail
|
||||
# if you want to revert to conventional 'mail'.
|
||||
mta = sendmail
|
||||
|
||||
# Default protocol
|
||||
protocol = tcp
|
||||
|
||||
# Specify chain where jumps would need to be added in iptables-* actions
|
||||
chain = {{ f2b_default_iptableschain }}
|
||||
|
||||
#
|
||||
# Action shortcuts. To be used to define action parameter
|
||||
|
||||
# The simplest action to take: ban only
|
||||
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
||||
|
||||
# ban & send an e-mail with whois report to the destemail.
|
||||
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
||||
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
|
||||
|
||||
# ban & send an e-mail with whois report and relevant log lines
|
||||
# to the destemail.
|
||||
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
||||
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
|
||||
|
||||
# Choose default action. To change, just override value of 'action' with the
|
||||
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
|
||||
# globally (section [DEFAULT]) or per specific section
|
||||
action = %({{ f2b_default_action }})s
|
||||
|
||||
#
|
||||
# JAILS
|
||||
#
|
||||
|
||||
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
|
||||
# was shipped in Debian. Enable any defined here jail by including
|
||||
#
|
||||
# [SECTION_NAME]
|
||||
# enabled = true
|
||||
|
||||
#
|
||||
# in /etc/fail2ban/jail.local.
|
||||
#
|
||||
# Optionally you may override any other parameter (e.g. banaction,
|
||||
# action, port, logpath, etc) in that section within jail.local
|
||||
|
||||
[ssh]
|
||||
|
||||
enabled = {{ f2b_ssh_enabled }}
|
||||
port = ssh
|
||||
filter = sshd
|
||||
logpath = /var/log/auth.log
|
||||
maxretry = {{ f2b_maxretry }}
|
||||
|
||||
[dropbear]
|
||||
|
||||
enabled = false
|
||||
port = ssh
|
||||
filter = dropbear
|
||||
logpath = /var/log/auth.log
|
||||
maxretry = 6
|
||||
|
||||
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# The port is irrelevant here since iptables-allports bans every port.
# Fix: 'port' was set twice (all, then anyport); only the last value was
# effective, so keep that one.
port = anyport
banaction = iptables-allports
logpath = /var/log/auth.log
maxretry = 6
|
||||
|
||||
[xinetd-fail]
|
||||
|
||||
enabled = false
|
||||
filter = xinetd-fail
|
||||
port = all
|
||||
banaction = iptables-multiport-log
|
||||
logpath = /var/log/daemon.log
|
||||
maxretry = 2
|
||||
|
||||
|
||||
[ssh-ddos]
|
||||
|
||||
enabled = {{ f2b_ssh_ddos_enabled }}
|
||||
port = ssh
|
||||
filter = sshd-ddos
|
||||
logpath = /var/log/auth.log
|
||||
maxretry = {{ f2b_maxretry }}
|
||||
|
||||
|
||||
#
|
||||
# HTTP servers
|
||||
#
|
||||
|
||||
# default action is now multiport, so apache-multiport jail was left
|
||||
# for compatibility with previous (<0.7.6-2) releases
|
||||
[apache-multiport]
|
||||
|
||||
enabled = {{ f2b_apache_auth_enabled }}
|
||||
port = http,https
|
||||
filter = apache-auth
|
||||
logpath = /var/log/apache*/*error.log
|
||||
maxretry = 6
|
||||
|
||||
[apache-noscript]
|
||||
|
||||
enabled = {{ f2b_apache_noscript_enabled }}
|
||||
port = http,https
|
||||
filter = apache-noscript
|
||||
logpath = /var/log/apache*/*error.log
|
||||
maxretry = 6
|
||||
|
||||
[apache-overflows]
|
||||
|
||||
enabled = {{ f2b_apache_overflow_enabled }}
|
||||
port = http,https
|
||||
filter = apache-overflows
|
||||
logpath = /var/log/apache*/*error.log
|
||||
maxretry = 2
|
||||
|
||||
# Ban attackers that try to use PHP's URL-fopen() functionality
|
||||
# through GET/POST variables. - Experimental, with more than a year
|
||||
# of usage in production environments.
|
||||
|
||||
[php-url-fopen]
|
||||
|
||||
enabled = {{ f2b_php_url_popen }}
|
||||
port = http,https
|
||||
filter = php-url-fopen
|
||||
logpath = /var/www/*/logs/access_log
|
||||
|
||||
# A simple PHP-fastcgi jail which works with lighttpd.
|
||||
# If you run a lighttpd server, then you probably will
|
||||
# find these kinds of messages in your error_log:
|
||||
# ALERT - tried to register forbidden variable 'GLOBALS'
|
||||
# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
|
||||
|
||||
[nginx-http-auth]
|
||||
|
||||
enabled = {{ f2b_nginx_auth_enabled }}
|
||||
filter = nginx-http-auth
|
||||
port = http,https
|
||||
logpath = /var/log/nginx/error.log
|
||||
|
||||
#
|
||||
# FTP servers
|
||||
#
|
||||
|
||||
[vsftpd]
|
||||
|
||||
enabled = {{ f2b_vsftpd_enabled }}
|
||||
port = ftp,ftp-data,ftps,ftps-data
|
||||
filter = vsftpd
|
||||
logpath = {{ f2b_vsftpd_logpath }}
|
||||
# or overwrite it in jails.local to be
|
||||
# logpath = /var/log/auth.log
|
||||
# if you want to rely on PAM failed login attempts
|
||||
# vsftpd's failregex should match both of those formats
|
||||
maxretry = 6
|
||||
|
||||
|
||||
# Jail for more extended banning of persistent abusers
|
||||
# !!! WARNING !!!
|
||||
# Make sure that your loglevel specified in fail2ban.conf/.local
|
||||
# is not at DEBUG level -- which might then cause fail2ban to fall into
|
||||
# an infinite loop constantly feeding itself with non-informative lines
|
||||
[recidive]
|
||||
|
||||
enabled = {{ f2b_recidive_enabled }}
|
||||
filter = recidive
|
||||
logpath = /var/log/fail2ban.log
|
||||
action = iptables-allports[name=recidive]
|
||||
sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
|
||||
bantime = {{ f2b_recidive_ban_time }}
|
||||
findtime = {{ f2b_recidive_findtime }}
|
||||
maxretry = 5
|
|
@ -0,0 +1,10 @@
|
|||
# These are for reference only.
# Define your own set of variables
#
ganglia_gmond_cluster: "CNR-ISTI NeMIS Cluster"
ganglia_gmond_cluster_port: 8649
ganglia_gmond_mcast_addr: 239.2.11.71
ganglia_gmetad_host: monitoring.research-infrastructures.eu
ganglia_gmond_send_metadata_interval: 60
# Needed to build the correct firewall rules when jmxtrans is in use
ganglia_gmond_use_jmxtrans: False
|
|
@ -0,0 +1,9 @@
|
|||
# Load the gmond python module support and pick up the per-module
# configuration snippets from conf.d.
modules {
  module {
    name = "python_module"
    path = "/usr/lib/ganglia/modpython.so"
    params = "/usr/lib/ganglia/python_modules"
  }
}

include('/etc/ganglia/conf.d/*.pyconf')
|
|
@ -0,0 +1,2 @@
|
|||
- name: Restart ganglia monitor
  service: name=ganglia-monitor state=restarted
|
|
@ -0,0 +1,91 @@
|
|||
---
# Install and configure the ganglia monitor (gmond). Each distribution
# release family gets the configuration template matching its gmond
# version (2.5, 3.1 or current).

- name: Install the ganglia client
  apt: pkg={{ item }} state=installed
  with_items:
    - ganglia-monitor
  tags:
    - monitoring
    - ganglia

- name: Install the ganglia linux specific plugins. We need at least ubuntu trusty or debian 7
  apt: pkg={{ item }} state=installed force=yes
  with_items:
    - ganglia-modules-linux
    - ganglia-monitor-python
  notify: Restart ganglia monitor
  when: is_trusty_or_debian7
  tags:
    - monitoring
    - ganglia

- name: Distribute the ganglia configuration file for Ubuntu >= 12.04
  template: src=gmond.j2 dest=/etc/ganglia/gmond.conf owner=root group=root mode=444
  when: is_not_ubuntu_less_than_precise
  notify: Restart ganglia monitor
  tags:
    - monitoring
    - ganglia

- name: Distribute the ganglia configuration file for Debian 7
  template: src=gmond.j2 dest=/etc/ganglia/gmond.conf owner=root group=root mode=444
  when: is_debian7
  notify: Restart ganglia monitor
  tags:
    - monitoring
    - ganglia

- name: Distribute the ganglia configuration file for Ubuntu < 12.04 and >= 10.04 and Debian 6
  template: src=gmond-3.1.j2 dest=/etc/ganglia/gmond.conf owner=root group=root mode=444
  when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
  notify: Restart ganglia monitor
  tags:
    - monitoring
    - ganglia

- name: Distribute the ganglia configuration file for Ubuntu < 10.04 and Debian 4
  template: src=gmond-2.5.j2 dest=/etc/gmond.conf owner=root group=root mode=444
  when: is_ubuntu_between_8_and_9_and_is_debian_4
  notify: Restart ganglia monitor
  tags:
    - monitoring
    - ganglia

- name: Distribute the ganglia configuration on broken hardy 8.04.4
  template: src=gmond-2.5.j2 dest=/etc/gmond.conf owner=root group=root mode=444
  when: is_broken_hardy_lts
  notify: Restart ganglia monitor
  tags:
    - monitoring
    - ganglia

- name: Setup the ganglia directory for python modules
  file: dest=/usr/lib/ganglia/python_modules state=directory
  when: is_precise
  tags:
    - ganglia
    - monitoring

- name: Ensure that the ganglia include conf dir exists
  file: path=/etc/ganglia/conf.d state=directory
  when: is_precise
  tags:
    - ganglia
    - monitoring

- name: Setup the ganglia configuration for python modules
  copy: src=modpython.conf dest=/etc/ganglia/conf.d/modpython.conf owner=root group=root mode=0644
  notify:
    - Restart ganglia monitor
  when: is_precise
  tags:
    - monitoring
    - ganglia
|
@ -0,0 +1,121 @@
|
|||
# $Id: gmond.conf,v 1.3 2004/01/20 19:15:23 sacerdoti Exp $
|
||||
# This is the configuration file for the Ganglia Monitor Daemon (gmond)
|
||||
# Documentation can be found at http://ganglia.sourceforge.net/docs/
|
||||
#
|
||||
# To change a value from it's default simply uncomment the line
|
||||
# and alter the value
|
||||
#####################
|
||||
#
|
||||
# The name of the cluster this node is a part of
|
||||
# default: "unspecified"
|
||||
name "{{ ganglia_gmond_cluster }}"
|
||||
#
|
||||
# The owner of this cluster. Represents an administrative
|
||||
# domain. The pair name/owner should be unique for all clusters
|
||||
# in the world.
|
||||
# default: "unspecified"
|
||||
owner "{{ ganglia_gmond_cluster_owner }}"
|
||||
#
|
||||
# The latitude and longitude GPS coordinates of this cluster on earth.
|
||||
# Specified to 1 mile accuracy with two decimal places per axis in Decimal
|
||||
# DMS format: "N61.18 W130.50".
|
||||
# default: "unspecified"
|
||||
# latlong "N32.87 W117.22"
|
||||
#
|
||||
# The URL for more information on the Cluster. Intended to give purpose,
|
||||
# owner, administration, and account details for this cluster.
|
||||
# default: "unspecified"
|
||||
# url "http://www.mycluster.edu/"
|
||||
#
|
||||
# The location of this host in the cluster. Given as a 3D coordinate:
|
||||
# "Rack,Rank,Plane" that corresponds to a Euclidean coordinate "x,y,z".
|
||||
# default: "unspecified"
|
||||
location "{{ ganglia_gmond_location }}"
|
||||
#
|
||||
# The multicast channel for gmond to send/receive data on
|
||||
# default: 239.2.11.71
|
||||
mcast_channel {{ ganglia_gmond_mcast_addr }}
|
||||
#
|
||||
# The multicast port for gmond to send/receive data on
|
||||
# default: 8649
|
||||
mcast_port {{ ganglia_gmond_cluster_port }}
|
||||
#
|
||||
# The multicast interface for gmond to send/receive data on
|
||||
# default: the kernel decides based on routing configuration
|
||||
# mcast_if eth1
|
||||
#
|
||||
# The multicast Time-To-Live (TTL) for outgoing messages
|
||||
# default: 1
|
||||
# mcast_ttl 1
|
||||
#
|
||||
# The number of threads listening to multicast traffic
|
||||
# default: 2
|
||||
# mcast_threads 2
|
||||
#
|
||||
# Which port should gmond listen for XML requests on
|
||||
# default: 8649
|
||||
xml_port {{ ganglia_gmond_cluster_port }}
|
||||
#
|
||||
# The number of threads answering XML requests
|
||||
# default: 2
|
||||
# xml_threads 2
|
||||
#
|
||||
# Hosts ASIDE from "127.0.0.1"/localhost and those multicasting
|
||||
# on the same multicast channel which you will share your XML
|
||||
# data with. Multiple hosts are allowed on multiple lines.
|
||||
# Can be specified with either hostnames or IP addresses.
|
||||
# default: none
|
||||
# trusted_hosts 1.1.1.1 1.1.1.2 1.1.1.3 \
|
||||
# 2.3.2.3 3.4.3.4 5.6.5.6
|
||||
trusted_hosts {{ ganglia_gmetad_host }}
|
||||
#
|
||||
# The number of nodes in your cluster. This value is used in the
|
||||
# creation of the cluster hash.
|
||||
# default: 1024
|
||||
# num_nodes 1024
|
||||
#
|
||||
# The number of custom metrics this gmond will be storing. This
|
||||
# value is used in the creation of the host custom_metrics hash.
|
||||
# default: 16
|
||||
# num_custom_metrics 16
|
||||
#
|
||||
# Run gmond in "mute" mode. Gmond will only listen to the multicast
|
||||
# channel but will not send any data on the channel.
|
||||
# default: off
|
||||
mute off
|
||||
#
|
||||
# Run gmond in "deaf" mode. Gmond will only send data on the multicast
|
||||
# channel but will not listen/store any data from the channel.
|
||||
# default: off
|
||||
deaf off
|
||||
#
|
||||
# Run gmond in "debug" mode. Gmond will not background. Debug messages
|
||||
# are sent to stdout. Value from 0-100. The higher the number the more
|
||||
# detailed debugging information will be sent.
|
||||
# default: 0
|
||||
# debug_level 10
|
||||
#
|
||||
# If you don't want gmond to setuid, set this to "on"
|
||||
# default: off
|
||||
# no_setuid on
|
||||
#
|
||||
# Which user should gmond run as?
|
||||
# default: nobody
|
||||
setuid ganglia
|
||||
#
|
||||
# If you do not want this host to appear in the gexec host list, set
|
||||
# this value to "on"
|
||||
# default: off
|
||||
# no_gexec on
|
||||
#
|
||||
# If you want any host which connects to the gmond XML to receive
|
||||
# data, then set this value to "on"
|
||||
# default: off
|
||||
all_trusted on
|
||||
#
|
||||
# If you want dead nodes to "time out", enter a nonzero value here. If specified,
|
||||
# a host will be removed from our state if we have not heard from it in this
|
||||
# number of seconds.
|
||||
# default: 0 (immortal)
|
||||
# host_dmax 108000
|
||||
|
|
@ -0,0 +1,342 @@
|
|||
/* This configuration is as close to 2.5.x default behavior as possible
|
||||
The values closely match ./gmond/metric.h definitions in 2.5.x */
|
||||
globals {
|
||||
daemonize = yes
|
||||
setuid = yes
|
||||
user = ganglia
|
||||
debug_level = 0
|
||||
# max_udp_msg_len = 1472
|
||||
mute = no
|
||||
deaf = no
|
||||
host_dmax = 3600 /*secs */
|
||||
cleanup_threshold = 300 /*secs */
|
||||
gexec = no
|
||||
allow_extra_data = yes
|
||||
send_metadata_interval = 60
|
||||
}
|
||||
|
||||
/* If a cluster attribute is specified, then all gmond hosts are wrapped inside
|
||||
* of a <CLUSTER> tag. If you do not specify a cluster tag, then all <HOSTS> will
|
||||
* NOT be wrapped inside of a <CLUSTER> tag. */
|
||||
cluster {
|
||||
name = "{{ ganglia_gmond_cluster }}"
|
||||
owner = "{{ ganglia_gmond_cluster_owner }}"
|
||||
latlong = "unspecified"
|
||||
url = "unspecified"
|
||||
}
|
||||
|
||||
/* The host section describes attributes of the host, like the location */
|
||||
host {
|
||||
location = "{{ ganglia_gmond_location }}"
|
||||
}
|
||||
|
||||
/* Feel free to specify as many udp_send_channels as you like. Gmond
|
||||
used to only support having a single channel */
|
||||
udp_send_channel {
|
||||
mcast_join = {{ ganglia_gmond_mcast_addr }}
|
||||
port = {{ ganglia_gmond_cluster_port }}
|
||||
ttl = 1
|
||||
}
|
||||
|
||||
/* You can specify as many udp_recv_channels as you like as well. */
|
||||
udp_recv_channel {
|
||||
mcast_join = {{ ganglia_gmond_mcast_addr }}
|
||||
port = {{ ganglia_gmond_cluster_port }}
|
||||
}
|
||||
|
||||
udp_recv_channel {
|
||||
bind = {{ ansible_fqdn }}
|
||||
port = {{ ganglia_gmond_cluster_port }}
|
||||
}
|
||||
|
||||
/* You can specify as many tcp_accept_channels as you like to share
|
||||
an xml description of the state of the cluster */
|
||||
tcp_accept_channel {
|
||||
port = {{ ganglia_gmond_cluster_port }}
|
||||
}
|
||||
|
||||
/* Each metrics module that is referenced by gmond must be specified and
|
||||
loaded. If the module has been statically linked with gmond, it does not
|
||||
require a load path. However all dynamically loadable modules must include
|
||||
a load path. */
|
||||
modules {
|
||||
module {
|
||||
name = "core_metrics"
|
||||
}
|
||||
module {
|
||||
name = "cpu_module"
|
||||
path = "/usr/lib/ganglia/modcpu.so"
|
||||
}
|
||||
module {
|
||||
name = "disk_module"
|
||||
path = "/usr/lib/ganglia/moddisk.so"
|
||||
}
|
||||
module {
|
||||
name = "load_module"
|
||||
path = "/usr/lib/ganglia/modload.so"
|
||||
}
|
||||
module {
|
||||
name = "mem_module"
|
||||
path = "/usr/lib/ganglia/modmem.so"
|
||||
}
|
||||
module {
|
||||
name = "net_module"
|
||||
path = "/usr/lib/ganglia/modnet.so"
|
||||
}
|
||||
module {
|
||||
name = "proc_module"
|
||||
path = "/usr/lib/ganglia/modproc.so"
|
||||
}
|
||||
module {
|
||||
name = "sys_module"
|
||||
path = "/usr/lib/ganglia/modsys.so"
|
||||
}
|
||||
}
|
||||
|
||||
include ('/etc/ganglia/conf.d/*.conf')
|
||||
|
||||
|
||||
/* The old internal 2.5.x metric array has been replaced by the following
|
||||
collection_group directives. What follows is the default behavior for
|
||||
collecting and sending metrics that is as close to 2.5.x behavior as
|
||||
possible. */
|
||||
|
||||
/* This collection group will cause a heartbeat (or beacon) to be sent every
|
||||
20 seconds. In the heartbeat is the GMOND_STARTED data which expresses
|
||||
the age of the running gmond. */
|
||||
collection_group {
|
||||
collect_once = yes
|
||||
time_threshold = 20
|
||||
metric {
|
||||
name = "heartbeat"
|
||||
}
|
||||
}
|
||||
|
||||
/* This collection group will send general info about this host every 1200 secs.
|
||||
This information doesn't change between reboots and is only collected once. */
|
||||
collection_group {
|
||||
collect_once = yes
|
||||
time_threshold = 1200
|
||||
metric {
|
||||
name = "cpu_num"
|
||||
title = "CPU Count"
|
||||
}
|
||||
metric {
|
||||
name = "cpu_speed"
|
||||
title = "CPU Speed"
|
||||
}
|
||||
metric {
|
||||
name = "mem_total"
|
||||
title = "Memory Total"
|
||||
}
|
||||
/* Should this be here? Swap can be added/removed between reboots. */
|
||||
metric {
|
||||
name = "swap_total"
|
||||
title = "Swap Space Total"
|
||||
}
|
||||
metric {
|
||||
name = "boottime"
|
||||
title = "Last Boot Time"
|
||||
}
|
||||
metric {
|
||||
name = "machine_type"
|
||||
title = "Machine Type"
|
||||
}
|
||||
metric {
|
||||
name = "os_name"
|
||||
title = "Operating System"
|
||||
}
|
||||
metric {
|
||||
name = "os_release"
|
||||
title = "Operating System Release"
|
||||
}
|
||||
metric {
|
||||
name = "location"
|
||||
title = "Location"
|
||||
}
|
||||
}
|
||||
|
||||
/* This collection group will send the status of gexecd for this host every 300 secs */
|
||||
/* Unlike 2.5.x the default behavior is to report gexecd OFF. */
|
||||
collection_group {
|
||||
collect_once = yes
|
||||
time_threshold = 300
|
||||
metric {
|
||||
name = "gexec"
|
||||
title = "Gexec Status"
|
||||
}
|
||||
}
|
||||
|
||||
/* This collection group will collect the CPU status info every 20 secs.
|
||||
The time threshold is set to 90 seconds. In honesty, this time_threshold could be
|
||||
set significantly higher to reduce unneccessary network chatter. */
|
||||
collection_group {
|
||||
collect_every = 20
|
||||
time_threshold = 180
|
||||
/* CPU status */
|
||||
metric {
|
||||
name = "cpu_user"
|
||||
value_threshold = "1.0"
|
||||
title = "CPU User"
|
||||
}
|
||||
metric {
|
||||
name = "cpu_system"
|
||||
value_threshold = "1.0"
|
||||
title = "CPU System"
|
||||
}
|
||||
metric {
|
||||
name = "cpu_idle"
|
||||
value_threshold = "5.0"
|
||||
title = "CPU Idle"
|
||||
}
|
||||
metric {
|
||||
name = "cpu_nice"
|
||||
value_threshold = "1.0"
|
||||
title = "CPU Nice"
|
||||
}
|
||||
metric {
|
||||
name = "cpu_aidle"
|
||||
value_threshold = "5.0"
|
||||
title = "CPU aidle"
|
||||
}
|
||||
metric {
|
||||
name = "cpu_wio"
|
||||
value_threshold = "1.0"
|
||||
title = "CPU wio"
|
||||
}
|
||||
/* The next two metrics are optional if you want more detail...
|
||||
... since they are accounted for in cpu_system.
|
||||
metric {
|
||||
name = "cpu_intr"
|
||||
value_threshold = "1.0"
|
||||
title = "CPU intr"
|
||||
}
|
||||
metric {
|
||||
name = "cpu_sintr"
|
||||
value_threshold = "1.0"
|
||||
title = "CPU sintr"
|
||||
}
|
||||
*/
|
||||
}
|
||||
|
||||
collection_group {
|
||||
collect_every = 20
|
||||
time_threshold = 90
|
||||
/* Load Averages */
|
||||
metric {
|
||||
name = "load_one"
|
||||
value_threshold = "1.0"
|
||||
title = "One Minute Load Average"
|
||||
}
|
||||
metric {
|
||||
name = "load_five"
|
||||
value_threshold = "1.0"
|
||||
title = "Five Minute Load Average"
|
||||
}
|
||||
metric {
|
||||
name = "load_fifteen"
|
||||
value_threshold = "1.0"
|
||||
title = "Fifteen Minute Load Average"
|
||||
}
|
||||
}
|
||||
|
||||
/* This group collects the number of running and total processes */
|
||||
collection_group {
|
||||
collect_every = 80
|
||||
time_threshold = 950
|
||||
metric {
|
||||
name = "proc_run"
|
||||
value_threshold = "1.0"
|
||||
title = "Total Running Processes"
|
||||
}
|
||||
metric {
|
||||
name = "proc_total"
|
||||
value_threshold = "1.0"
|
||||
title = "Total Processes"
|
||||
}
|
||||
}
|
||||
|
||||
/* This collection group grabs the volatile memory metrics every 40 secs and
|
||||
sends them at least every 180 secs. This time_threshold can be increased
|
||||
significantly to reduce unneeded network traffic. */
|
||||
collection_group {
|
||||
collect_every = 40
|
||||
time_threshold = 180
|
||||
metric {
|
||||
name = "mem_free"
|
||||
value_threshold = "1024.0"
|
||||
title = "Free Memory"
|
||||
}
|
||||
metric {
|
||||
name = "mem_shared"
|
||||
value_threshold = "1024.0"
|
||||
title = "Shared Memory"
|
||||
}
|
||||
metric {
|
||||
name = "mem_buffers"
|
||||
value_threshold = "1024.0"
|
||||
title = "Memory Buffers"
|
||||
}
|
||||
metric {
|
||||
name = "mem_cached"
|
||||
value_threshold = "1024.0"
|
||||
title = "Cached Memory"
|
||||
}
|
||||
metric {
|
||||
name = "swap_free"
|
||||
value_threshold = "1024.0"
|
||||
title = "Free Swap Space"
|
||||
}
|
||||
}
|
||||
|
||||
collection_group {
|
||||
collect_every = 40
|
||||
time_threshold = 300
|
||||
metric {
|
||||
name = "bytes_out"
|
||||
value_threshold = 4096
|
||||
title = "Bytes Sent"
|
||||
}
|
||||
metric {
|
||||
name = "bytes_in"
|
||||
value_threshold = 4096
|
||||
title = "Bytes Received"
|
||||
}
|
||||
metric {
|
||||
name = "pkts_in"
|
||||
value_threshold = 256
|
||||
title = "Packets Received"
|
||||
}
|
||||
metric {
|
||||
name = "pkts_out"
|
||||
value_threshold = 256
|
||||
title = "Packets Sent"
|
||||
}
|
||||
}
|
||||
|
||||
/* Different than 2.5.x default since the old config made no sense */
|
||||
collection_group {
|
||||
collect_every = 1800
|
||||
time_threshold = 3600
|
||||
metric {
|
||||
name = "disk_total"
|
||||
value_threshold = 1.0
|
||||
title = "Total Disk Space"
|
||||
}
|
||||
}
|
||||
|
||||
collection_group {
|
||||
collect_every = 40
|
||||
time_threshold = 180
|
||||
metric {
|
||||
name = "disk_free"
|
||||
value_threshold = 1.0
|
||||
title = "Disk Space Available"
|
||||
}
|
||||
metric {
|
||||
name = "part_max_used"
|
||||
value_threshold = 1.0
|
||||
title = "Maximum Disk Space Used"
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,343 @@
|
|||
/* This configuration is as close to 2.5.x default behavior as possible
|
||||
The values closely match ./gmond/metric.h definitions in 2.5.x */
|
||||
globals {
|
||||
daemonize = yes
|
||||
setuid = yes
|
||||
user = ganglia
|
||||
debug_level = 0
|
||||
# max_udp_msg_len = 1472
|
||||
mute = no
|
||||
deaf = no
|
||||
host_dmax = 3600 /*secs */
|
||||
cleanup_threshold = 300 /*secs */
|
||||
gexec = no
|
||||
allow_extra_data = yes
|
||||
send_metadata_interval = {{ ganglia_gmond_send_metadata_interval }}
|
||||
}
|
||||
|
||||
/* If a cluster attribute is specified, then all gmond hosts are wrapped inside
|
||||
* of a <CLUSTER> tag. If you do not specify a cluster tag, then all <HOSTS> will
|
||||
* NOT be wrapped inside of a <CLUSTER> tag. */
|
||||
cluster {
|
||||
name = "{{ ganglia_gmond_cluster }}"
|
||||
owner = "{{ ganglia_gmond_cluster_owner }}"
|
||||
latlong = "unspecified"
|
||||
url = "unspecified"
|
||||
}
|
||||
|
||||
/* The host section describes attributes of the host, like the location */
|
||||
host {
|
||||
location = "{{ ganglia_gmond_location }}"
|
||||
}
|
||||
|
||||
/* Feel free to specify as many udp_send_channels as you like. Gmond
|
||||
used to only support having a single channel */
|
||||
udp_send_channel {
|
||||
bind_hostname = yes
|
||||
mcast_join = {{ ganglia_gmond_mcast_addr }}
|
||||
port = {{ ganglia_gmond_cluster_port }}
|
||||
ttl = 1
|
||||
}
|
||||
|
||||
/* You can specify as many udp_recv_channels as you like as well. */
|
||||
udp_recv_channel {
|
||||
mcast_join = {{ ganglia_gmond_mcast_addr }}
|
||||
port = {{ ganglia_gmond_cluster_port }}
|
||||
}
|
||||
|
||||
udp_recv_channel {
|
||||
bind = {{ ansible_fqdn }}
|
||||
port = {{ ganglia_gmond_cluster_port }}
|
||||
}
|
||||
|
||||
/* You can specify as many tcp_accept_channels as you like to share
|
||||
an xml description of the state of the cluster */
|
||||
tcp_accept_channel {
|
||||
port = {{ ganglia_gmond_cluster_port }}
|
||||
}
|
||||
|
||||
/* Each metrics module that is referenced by gmond must be specified and
|
||||
loaded. If the module has been statically linked with gmond, it does not
|
||||
require a load path. However all dynamically loadable modules must include
|
||||
a load path. */
|
||||
modules {
|
||||
module {
|
||||
name = "core_metrics"
|
||||
}
|
||||
module {
|
||||
name = "cpu_module"
|
||||
path = "/usr/lib/ganglia/modcpu.so"
|
||||
}
|
||||
module {
|
||||
name = "disk_module"
|
||||
path = "/usr/lib/ganglia/moddisk.so"
|
||||
}
|
||||
module {
|
||||
name = "load_module"
|
||||
path = "/usr/lib/ganglia/modload.so"
|
||||
}
|
||||
module {
|
||||
name = "mem_module"
|
||||
path = "/usr/lib/ganglia/modmem.so"
|
||||
}
|
||||
module {
|
||||
name = "net_module"
|
||||
path = "/usr/lib/ganglia/modnet.so"
|
||||
}
|
||||
module {
|
||||
name = "proc_module"
|
||||
path = "/usr/lib/ganglia/modproc.so"
|
||||
}
|
||||
module {
|
||||
name = "sys_module"
|
||||
path = "/usr/lib/ganglia/modsys.so"
|
||||
}
|
||||
}
|
||||
|
||||
include ('/etc/ganglia/conf.d/*.conf')
|
||||
|
||||
|
||||
/* The old internal 2.5.x metric array has been replaced by the following
|
||||
collection_group directives. What follows is the default behavior for
|
||||
collecting and sending metrics that is as close to 2.5.x behavior as
|
||||
possible. */
|
||||
|
||||
/* This collection group will cause a heartbeat (or beacon) to be sent every
|
||||
20 seconds. In the heartbeat is the GMOND_STARTED data which expresses
|
||||
the age of the running gmond. */
|
||||
collection_group {
|
||||
collect_once = yes
|
||||
time_threshold = 20
|
||||
metric {
|
||||
name = "heartbeat"
|
||||
}
|
||||
}
|
||||
|
||||
/* This collection group will send general info about this host every 1200 secs.
|
||||
This information doesn't change between reboots and is only collected once. */
|
||||
collection_group {
|
||||
collect_once = yes
|
||||
time_threshold = 1200
|
||||
metric {
|
||||
name = "cpu_num"
|
||||
title = "CPU Count"
|
||||
}
|
||||
metric {
|
||||
name = "cpu_speed"
|
||||
title = "CPU Speed"
|
||||
}
|
||||
metric {
|
||||
name = "mem_total"
|
||||
title = "Memory Total"
|
||||
}
|
||||
/* Should this be here? Swap can be added/removed between reboots. */
|
||||
metric {
|
||||
name = "swap_total"
|
||||
title = "Swap Space Total"
|
||||
}
|
||||
metric {
|
||||
name = "boottime"
|
||||
title = "Last Boot Time"
|
||||
}
|
||||
metric {
|
||||
name = "machine_type"
|
||||
title = "Machine Type"
|
||||
}
|
||||
metric {
|
||||
name = "os_name"
|
||||
title = "Operating System"
|
||||
}
|
||||
metric {
|
||||
name = "os_release"
|
||||
title = "Operating System Release"
|
||||
}
|
||||
metric {
|
||||
name = "location"
|
||||
title = "Location"
|
||||
}
|
||||
}
|
||||
|
||||
/* This collection group will send the status of gexecd for this host every 300 secs */
|
||||
/* Unlike 2.5.x the default behavior is to report gexecd OFF. */
|
||||
collection_group {
|
||||
collect_once = yes
|
||||
time_threshold = 300
|
||||
metric {
|
||||
name = "gexec"
|
||||
title = "Gexec Status"
|
||||
}
|
||||
}
|
||||
|
||||
/* This collection group will collect the CPU status info every 20 secs.
|
||||
The time threshold is set to 90 seconds. In honesty, this time_threshold could be
|
||||
set significantly higher to reduce unneccessary network chatter. */
|
||||
collection_group {
|
||||
collect_every = 20
|
||||
time_threshold = 180
|
||||
/* CPU status */
|
||||
metric {
|
||||
name = "cpu_user"
|
||||
value_threshold = "1.0"
|
||||
title = "CPU User"
|
||||
}
|
||||
metric {
|
||||
name = "cpu_system"
|
||||
value_threshold = "1.0"
|
||||
title = "CPU System"
|
||||
}
|
||||
metric {
|
||||
name = "cpu_idle"
|
||||
value_threshold = "5.0"
|
||||
title = "CPU Idle"
|
||||
}
|
||||
metric {
|
||||
name = "cpu_nice"
|
||||
value_threshold = "1.0"
|
||||
title = "CPU Nice"
|
||||
}
|
||||
metric {
|
||||
name = "cpu_aidle"
|
||||
value_threshold = "5.0"
|
||||
title = "CPU aidle"
|
||||
}
|
||||
metric {
|
||||
name = "cpu_wio"
|
||||
value_threshold = "1.0"
|
||||
title = "CPU wio"
|
||||
}
|
||||
/* The next two metrics are optional if you want more detail...
|
||||
... since they are accounted for in cpu_system.
|
||||
metric {
|
||||
name = "cpu_intr"
|
||||
value_threshold = "1.0"
|
||||
title = "CPU intr"
|
||||
}
|
||||
metric {
|
||||
name = "cpu_sintr"
|
||||
value_threshold = "1.0"
|
||||
title = "CPU sintr"
|
||||
}
|
||||
*/
|
||||
}
|
||||
|
||||
collection_group {
|
||||
collect_every = 20
|
||||
time_threshold = 90
|
||||
/* Load Averages */
|
||||
metric {
|
||||
name = "load_one"
|
||||
value_threshold = "1.0"
|
||||
title = "One Minute Load Average"
|
||||
}
|
||||
metric {
|
||||
name = "load_five"
|
||||
value_threshold = "1.0"
|
||||
title = "Five Minute Load Average"
|
||||
}
|
||||
metric {
|
||||
name = "load_fifteen"
|
||||
value_threshold = "1.0"
|
||||
title = "Fifteen Minute Load Average"
|
||||
}
|
||||
}
|
||||
|
||||
/* This group collects the number of running and total processes */
|
||||
collection_group {
|
||||
collect_every = 80
|
||||
time_threshold = 950
|
||||
metric {
|
||||
name = "proc_run"
|
||||
value_threshold = "1.0"
|
||||
title = "Total Running Processes"
|
||||
}
|
||||
metric {
|
||||
name = "proc_total"
|
||||
value_threshold = "1.0"
|
||||
title = "Total Processes"
|
||||
}
|
||||
}
|
||||
|
||||
/* This collection group grabs the volatile memory metrics every 40 secs and
|
||||
sends them at least every 180 secs. This time_threshold can be increased
|
||||
significantly to reduce unneeded network traffic. */
|
||||
collection_group {
|
||||
collect_every = 40
|
||||
time_threshold = 180
|
||||
metric {
|
||||
name = "mem_free"
|
||||
value_threshold = "1024.0"
|
||||
title = "Free Memory"
|
||||
}
|
||||
metric {
|
||||
name = "mem_shared"
|
||||
value_threshold = "1024.0"
|
||||
title = "Shared Memory"
|
||||
}
|
||||
metric {
|
||||
name = "mem_buffers"
|
||||
value_threshold = "1024.0"
|
||||
title = "Memory Buffers"
|
||||
}
|
||||
metric {
|
||||
name = "mem_cached"
|
||||
value_threshold = "1024.0"
|
||||
title = "Cached Memory"
|
||||
}
|
||||
metric {
|
||||
name = "swap_free"
|
||||
value_threshold = "1024.0"
|
||||
title = "Free Swap Space"
|
||||
}
|
||||
}
|
||||
|
||||
collection_group {
|
||||
collect_every = 40
|
||||
time_threshold = 300
|
||||
metric {
|
||||
name = "bytes_out"
|
||||
value_threshold = 4096
|
||||
title = "Bytes Sent"
|
||||
}
|
||||
metric {
|
||||
name = "bytes_in"
|
||||
value_threshold = 4096
|
||||
title = "Bytes Received"
|
||||
}
|
||||
metric {
|
||||
name = "pkts_in"
|
||||
value_threshold = 256
|
||||
title = "Packets Received"
|
||||
}
|
||||
metric {
|
||||
name = "pkts_out"
|
||||
value_threshold = 256
|
||||
title = "Packets Sent"
|
||||
}
|
||||
}
|
||||
|
||||
/* Different than 2.5.x default since the old config made no sense */
|
||||
collection_group {
|
||||
collect_every = 1800
|
||||
time_threshold = 3600
|
||||
metric {
|
||||
name = "disk_total"
|
||||
value_threshold = 1.0
|
||||
title = "Total Disk Space"
|
||||
}
|
||||
}
|
||||
|
||||
collection_group {
|
||||
collect_every = 40
|
||||
time_threshold = 180
|
||||
metric {
|
||||
name = "disk_free"
|
||||
value_threshold = 1.0
|
||||
title = "Disk Space Available"
|
||||
}
|
||||
metric {
|
||||
name = "part_max_used"
|
||||
value_threshold = 1.0
|
||||
title = "Maximum Disk Space Used"
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
haproxy_latest_release: False
|
||||
haproxy_version: 1.5
|
||||
haproxy_latest_repo: "deb http://haproxy.debian.net {{ ansible_distribution }}-backports-{{ haproxy_version }} main"
|
||||
haproxy_pkg_state: latest
|
||||
|
||||
haproxy_default_port: 80
|
||||
haproxy_terminate_tls: False
|
|
@ -0,0 +1,27 @@
|
|||
---
|
||||
- name: Get the haproxy repo key
|
||||
apt_key: url=http://haproxy.debian.net/bernat.debian.org.gpg state=present
|
||||
when: haproxy_latest_release
|
||||
register: haproxy_repo
|
||||
tags: haproxy
|
||||
|
||||
- name: Define the haproxy repository
|
||||
apt_repository: repo='{{ haproxy_latest_repo }}' state=present
|
||||
when: haproxy_latest_release
|
||||
register: haproxy_repo
|
||||
tags: haproxy
|
||||
|
||||
- name: Update the apt cache if needed
|
||||
apt: update_cache=yes
|
||||
when: ( haproxy_repo | changed )
|
||||
tags: haproxy
|
||||
|
||||
- name: Install the haproxy package
|
||||
apt: name=haproxy state=latest default_release={{ ansible_distribution}}-backports
|
||||
when: not haproxy_latest_release
|
||||
tags: haproxy
|
||||
|
||||
- name: Install the haproxy package
|
||||
apt: name=haproxy state=latest default_release={{ ansible_distribution}}-backports-{{ haproxy_version }}
|
||||
when: not haproxy_latest_release
|
||||
tags: haproxy
|
|
@ -0,0 +1,43 @@
|
|||
---
|
||||
#
|
||||
# Reference only. Check the iptables-rules.v4.j2 for the list of accepted variables
|
||||
#
|
||||
#pg_allowed_hosts:
|
||||
# - 146.48.123.17/32
|
||||
# - 146.48.122.110/32
|
||||
#
|
||||
#munin_server:
|
||||
# - 146.48.122.15
|
||||
# - 146.48.87.88
|
||||
#http_port: 80
|
||||
#http_allowed_hosts:
|
||||
# - 1.2.3.4/24
|
||||
#https_port: 443
|
||||
#https_allowed_hosts:
|
||||
# - 0.0.0.0/0
|
||||
#
|
||||
# Generic tcp and udp access
|
||||
# iptables:
|
||||
# tcp_rules: True
|
||||
# tcp:
|
||||
# - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ] }
|
||||
# - { port: '80', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ] }
|
||||
# - { port: '80' }
|
||||
# udp_rules: True
|
||||
# udp:
|
||||
# - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ] }
|
||||
|
||||
# munin_server:
|
||||
# - 146.48.122.15
|
||||
# - 146.48.87.88
|
||||
|
||||
#nagios_monitoring_server_ip: 146.48.123.23
|
||||
#mongodb:
|
||||
# start_server: 'yes'
|
||||
# tcp_port: 27017
|
||||
# allowed_hosts:
|
||||
# - 146.48.123.100/32
|
||||
|
||||
#iptables_default_policy: REJECT
|
||||
iptables_default_policy: ACCEPT
|
||||
iptables_open_all_to_isti_nets: False
|
|
@ -0,0 +1,22 @@
|
|||
---
|
||||
- name: Start the iptables service
|
||||
service: name=iptables-persistent state=started
|
||||
notify: Restart fail2ban
|
||||
|
||||
- name: Flush the iptables rules
|
||||
command: /etc/init.d/iptables-persistent flush
|
||||
ignore_errors: true
|
||||
|
||||
- name: Start the iptables service on Ubuntu < 12.04
|
||||
command: /etc/init.d/iptables-persistent start
|
||||
ignore_errors: true
|
||||
|
||||
- name: Stop the iptables service on Ubuntu < 12.04
|
||||
command: /etc/init.d/iptables-persistent stop
|
||||
ignore_errors: true
|
||||
|
||||
- name: Restart fail2ban
|
||||
service: name=fail2ban state=restarted enabled=yes
|
||||
when: is_trusty
|
||||
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
---
|
||||
- name: Install the needed iptables packages
|
||||
apt: pkg={{ item }} state=installed
|
||||
with_items:
|
||||
- iptables
|
||||
- iptables-persistent
|
||||
tags:
|
||||
- iptables
|
||||
|
||||
- name: Install the IPv4 rules with a different name. Needed by Ubuntu < 12.04
|
||||
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/rules owner=root group=root mode=0640
|
||||
with_items:
|
||||
- rules.v4
|
||||
when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
|
||||
notify:
|
||||
- Start the iptables service on Ubuntu < 12.04
|
||||
tags:
|
||||
- iptables
|
||||
- iptables_rules
|
||||
|
||||
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used
|
||||
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
|
||||
with_items:
|
||||
- rules.v4
|
||||
- rules.v6
|
||||
when: is_not_ubuntu_less_than_precise
|
||||
notify:
|
||||
- Start the iptables service
|
||||
tags:
|
||||
- iptables
|
||||
- iptables_rules
|
||||
|
|
@ -0,0 +1,182 @@
|
|||
#
|
||||
# don't manually modify this file
|
||||
#
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
-A INPUT -p icmp -j ACCEPT
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
#
|
||||
{% if iptables_managed_ssh is defined and iptables_managed_ssh %}
|
||||
{% if iptables_ssh_allowed_hosts is defined %}
|
||||
# ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses
|
||||
{% for ip in ssh_allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% else %}
|
||||
# ssh is always open. We use denyhosts to prevent unauthorized accesses
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
|
||||
{% endif %}
|
||||
{% if iptables_open_all_to_isti_nets %}
|
||||
# Permit all traffic from our networks
|
||||
-A INPUT -s {{ network.isti }} -j ACCEPT
|
||||
-A INPUT -s {{ network.nmis }} -j ACCEPT
|
||||
-A INPUT -s {{ network.eduroam }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% if http_port is defined %}
|
||||
# http
|
||||
{% if http_allowed_hosts is defined %}
|
||||
{% for ip in http_allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ http_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if https_port is defined %}
|
||||
# https
|
||||
{% if https_allowed_hosts is defined %}
|
||||
{% for ip in https_allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ https_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if psql_db_port is defined %}
|
||||
{% if psql_listen_on_ext_int %}
|
||||
# postgresql clients
|
||||
{% for db in psql_db_data %}
|
||||
{% for ip in db.allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
|
||||
{% endif %}
|
||||
|
||||
{% if mongodb_allowed_hosts is defined %}
|
||||
# mongodb clients
|
||||
{% for ip in mongodb_allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j DROP
|
||||
{% endif %}
|
||||
|
||||
{% if dnet_ports is defined %}
|
||||
# dnet services
|
||||
{% for tcp_port in dnet_ports %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tcp_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if dnet_jmx_ports is defined %}
|
||||
# dnet jmx ports. Open to the isti networks only
|
||||
{% for tcp_port in dnet_jmx_ports %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.isti }} --dport {{ tcp_port }} -j ACCEPT
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.nmis }} --dport {{ tcp_port }} -j ACCEPT
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.eduroam }} --dport {{ tcp_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
|
||||
# Someone still uses ftp
|
||||
{% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %}
|
||||
{% for ip in vsftpd_iptables_allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport ftp -j ACCEPT
|
||||
-A INPUT -m state --state NEW,RELATED -m tcp -p tcp -s {{ ip }} --dport {{ vsftpd_pasv_min_port }}:{{ vsftpd_pasv_max_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m helper --helper ftp -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if nagios_monitoring_server_ip is defined %}
|
||||
# Nagios NRPE
|
||||
-A INPUT -m state --state NEW -s {{ nagios_monitoring_server_ip }} -p tcp -m tcp --dport 5666 -j ACCEPT
|
||||
-A INPUT -s {{ nagios_monitoring_server_ip }} -p udp -m udp --dport 123 -j ACCEPT
|
||||
{% endif %}
|
||||
|
||||
{% if munin_server is defined and configure_munin is defined and configure_munin %}
|
||||
{% for ip in munin_server %}
|
||||
# Munin
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if ganglia_gmond_cluster_port is defined %}
|
||||
# Ganglia
|
||||
{% if ganglia_gmond_use_jmxtrans is not defined or not ganglia_gmond_use_jmxtrans %}
|
||||
-A INPUT -m pkttype --pkt-type multicast -d {{ ganglia_gmond_mcast_addr }} -j ACCEPT
|
||||
{% else %}
|
||||
-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
|
||||
-A INPUT -p udp -m udp -d {{ ganglia_gmond_mcast_addr }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
-A INPUT -m state --state NEW -s {{ ganglia_gmetad_host }} -p tcp -m tcp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
|
||||
-A INPUT -s {{ ganglia_gmetad_host }} -p udp -m udp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
|
||||
{% if postfix_relay_server is defined and postfix_relay_server %}
|
||||
#
|
||||
# These are only needed on the machines that act as relay servers
|
||||
#
|
||||
-A INPUT -p tcp -m multiport --dports 25,587,465 -s {{ network.nmis }} -j ACCEPT
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
|
||||
{% if postfix_use_relay_host is defined and postfix_use_relay_host %}
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
|
||||
{% else %}
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -j ACCEPT
|
||||
{% endif %}
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
|
||||
{% endif %}
|
||||
{% if postfix_relay_server is defined and not postfix_relay_server %}
|
||||
#
|
||||
# When we are not a relay server but we want send email using our relay
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
|
||||
{% endif %}
|
||||
|
||||
{% if iptables is defined %}
|
||||
{% if iptables.tcp_rules is defined and iptables.tcp_rules %}
|
||||
{% for tcp_rule in iptables.tcp %}
|
||||
{% if tcp_rule.allowed_hosts is defined %}
|
||||
{% for ip in tcp_rule.allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if iptables.udp_rules is defined and iptables.udp_rules %}
|
||||
{% for udp_rule in iptables.udp %}
|
||||
{% if udp_rule.allowed_hosts is defined %}
|
||||
{% for ip in udp_rule.allowed_hosts %}
|
||||
-A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
-A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
#
|
||||
#
|
||||
-A INPUT -s 125.24.0.0/14 -j DROP
|
||||
{% if iptables_default_policy == 'REJECT' %}
|
||||
-A INPUT -j REJECT --reject-with icmp-host-prohibited
|
||||
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}
|
||||
-A INPUT -j {{ iptables_default_policy }}
|
||||
-A FORWARD -j {{ iptables_default_policy }}
|
||||
{% endif %}
|
||||
|
||||
COMMIT
|
|
@ -0,0 +1,5 @@
|
|||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
COMMIT
|
|
@ -0,0 +1,22 @@
|
|||
---
|
||||
# Jetty settings consumed by the jetty role's tasks and the
# jetty-defaults.j2 / jetty-limits.conf.j2 templates.
jetty:
  activate_at_boot: True
  listen_ip: 127.0.0.1
  user: jetty
  group: jetty
  # Written verbatim into /etc/default/jetty as VERBOSE=
  verbose: "Yes"
  http_port: 8080
  # BUGFIX: 'java_opts' was declared twice; YAML keeps only the last
  # occurrence, so the first ("-Xmx1024m ...") was dead and is removed.
  java_opts: "-Xmx2048m -XX:MaxPermSize=512m -Djava.awt.headless=true -Dorg.mortbay.util.URI.charset=utf-8"
  enable_jmx: False
  jmx_java_options: "-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8286 -Dcom.sun.management.jmxremote.ssl=false"
  cache_dir: /var/cache/jetty
  tmp_dir: /var/cache/jetty/data
  jvm_tmp_dir: /var/cache/jetty/tmp
  # Seconds to wait for webapps to stop before the JVM is killed
  shutdown_timeout: 30
  # Empty string: let the init script pick the default JVM
  java_home: ""
  logfile_days: 14
  define_lang: False
  lang: "en_US.UTF-8"
  open_files: 2048
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
- name: apache2 reload
|
||||
service: name=apache2 state=reloaded
|
||||
|
||||
- name: Start jetty
|
||||
service: name=jetty state=started
|
||||
|
||||
- name: Restart jetty
|
||||
service: name=jetty state=restarted
|
|
@ -0,0 +1,29 @@
|
|||
---
|
||||
- name: Install the apache packages
|
||||
apt: pkg={{ item }} state=installed force=yes
|
||||
with_items:
|
||||
- apache2
|
||||
- apache2-mpm-prefork
|
||||
- apache2-utils
|
||||
- unzip
|
||||
- zip
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- name: Load the required modules
|
||||
file: src=/etc/apache2/mods-available/{{ item }} dest=/etc/apache2/mods-enabled/{{ item }} state=link
|
||||
with_items:
|
||||
- proxy.load
|
||||
- proxy_http.load
|
||||
- headers.load
|
||||
- rewrite.load
|
||||
- expires.load
|
||||
notify: apache2 reload
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- name: Remove the default apache virtualhost
|
||||
file: dest=/etc/apache2/sites-enabled/000-default state=absent
|
||||
notify: apache2 reload
|
||||
tags:
|
||||
- apache
|
|
@ -0,0 +1,53 @@
|
|||
---
|
||||
- name: Install the jetty packages
|
||||
apt: pkg={{ item }} state=installed force=yes
|
||||
with_items:
|
||||
- jetty
|
||||
- libapache2-mod-jk
|
||||
notify:
|
||||
apache2 reload
|
||||
tags:
|
||||
- jetty
|
||||
|
||||
- name: Ensure that the jetty cache directory exists
|
||||
file: dest={{ item }} owner={{ jetty.user }} group={{ jetty.group }} mode=0750 state=directory
|
||||
with_items:
|
||||
- '{{ jetty.cache_dir }}'
|
||||
- '{{ jetty.tmp_dir }}'
|
||||
- '{{ jetty.jvm_tmp_dir }}'
|
||||
tags:
|
||||
- jetty
|
||||
|
||||
- name: Install the jetty defaults
|
||||
template: src=jetty-defaults.j2 dest=/etc/default/jetty
|
||||
notify:
|
||||
Restart jetty
|
||||
tags:
|
||||
- jetty
|
||||
|
||||
# - name: Set the jetty limits
|
||||
# template: src={{ item }}.j2 dest=/etc/jetty/{{ item }}
|
||||
# with_items:
|
||||
# - jetty-setuid.xml
|
||||
# notify:
|
||||
# Restart jetty
|
||||
# tags:
|
||||
# - jetty
|
||||
|
||||
# - name: Load jetty-setuid.xml in /etc/jetty/jetty.conf
|
||||
# lineinfile: name=/etc/jetty/jetty.conf line={{ item }}
|
||||
# with_items:
|
||||
# - '/etc/jetty/jetty-setuid.xml'
|
||||
# notify:
|
||||
# Restart jetty
|
||||
# tags:
|
||||
# - jetty
|
||||
|
||||
- name: Set the jetty limits
|
||||
template: src={{ item }}.j2 dest=/etc/security/limits.d/{{ item }}
|
||||
with_items:
|
||||
- jetty-limits.conf
|
||||
notify:
|
||||
Restart jetty
|
||||
tags:
|
||||
- jetty
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
- include: apache.yml
|
||||
- include: jetty.yml
|
|
@ -0,0 +1,51 @@
|
|||
# change to 0 to allow Jetty to start
|
||||
{% if jetty.activate_at_boot %}
|
||||
NO_START=0
|
||||
{% else %}
|
||||
NO_START=YES
|
||||
{% endif %}
|
||||
|
||||
# change to 'no' or uncomment to use the default setting in /etc/default/rcS
|
||||
VERBOSE={{ jetty.verbose }}
|
||||
|
||||
# Run Jetty as this user ID (default: jetty)
|
||||
# Set this to an empty string to prevent Jetty from starting automatically
|
||||
JETTY_USER={{ jetty.user }}
|
||||
|
||||
# Listen to connections from this network host
|
||||
# Use 0.0.0.0 as host to accept all connections.
|
||||
# Uncomment to restrict access to localhost
|
||||
JETTY_HOST={{ jetty.listen_ip }}
|
||||
|
||||
# The network port used by Jetty
|
||||
JETTY_PORT={{ jetty.http_port }}
|
||||
|
||||
# Timeout in seconds for the shutdown of all webapps
|
||||
JETTY_SHUTDOWN={{ jetty.shutdown_timeout }}
|
||||
|
||||
# Additional arguments to pass to Jetty
|
||||
#JETTY_ARGS=
|
||||
|
||||
# Extra options to pass to the JVM
|
||||
JAVA_OPTIONS="{{ jetty.java_opts }}"
|
||||
{% if jetty.enable_jmx %}
|
||||
JAVA_OPTIONS="$JAVA_OPTIONS {{ jetty.jmx_java_options }}"
|
||||
{% endif %}
|
||||
|
||||
# Home of Java installation.
|
||||
JAVA_HOME={{ jetty.java_home }}
|
||||
|
||||
# Jetty uses a directory to store temporary files like unpacked webapps
|
||||
JETTY_TMP={{ jetty.tmp_dir }}
|
||||
JVM_TMP={{ jetty.jvm_tmp_dir }}
|
||||
|
||||
# Jetty uses a config file to setup its boot classpath
|
||||
#JETTY_START_CONFIG=/etc/jetty/start.config
|
||||
|
||||
# Default for number of days to keep old log files in /var/log/jetty/
|
||||
LOGFILE_DAYS={{ jetty.logfile_days }}
|
||||
|
||||
{% if jetty.define_lang %}
|
||||
export LANG={{ jetty.lang }}
|
||||
{% endif %}
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
{{ jetty.user }} soft nofile {{ jetty.open_files }}
|
||||
{{ jetty.user }} hard nofile {{ jetty.open_files }}
|
||||
root soft nofile {{ jetty.open_files }}
|
||||
root hard nofile {{ jetty.open_files }}
|
|
@ -0,0 +1,22 @@
|
|||
<?xml version="1.0"?>
|
||||
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
|
||||
<!-- =============================================================== -->
|
||||
<!-- Configure the Jetty SetUIDServer -->
|
||||
<!-- this configuration file should be used in combination with -->
|
||||
<!-- other configuration files. e.g. -->
|
||||
<!-- java -jar start.jar etc/jetty-setuid.xml etc/jetty.xml -->
|
||||
<!-- =============================================================== -->
|
||||
<Configure id="Server" class="org.mortbay.setuid.SetUIDServer">
|
||||
<Set name="startServerAsPrivileged">false</Set>
|
||||
<Set name="umask">2</Set>
|
||||
<Set name="uid">{{ jetty.user }}</Set>
|
||||
<Set name="gid">{{ jetty.group }}</Set>
|
||||
<Call name="setRLimitNoFiles">
|
||||
<Arg>
|
||||
<New class="org.mortbay.setuid.RLimit">
|
||||
<Set name="soft">{{ jetty.open_files }}</Set>
|
||||
<Set name="hard">{{ jetty.open_files }}</Set>
|
||||
</New>
|
||||
</Arg>
|
||||
</Call>
|
||||
</Configure>
|
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
jetty_activate_at_boot: True
|
||||
jetty_listen_ip: 127.0.0.1
|
||||
jetty_user: jetty
|
||||
jetty_group: jetty
|
||||
jetty_verbose: "Yes"
|
||||
jetty_http_port: 8080
|
||||
jetty_ajp_port: 8009
|
||||
jetty_java_opts: "-Xmx2048m -XX:MaxPermSize=512m -Djava.awt.headless=true -Dorg.mortbay.util.URI.charset=utf-8"
|
||||
jetty_enable_jmx: False
jetty_jmx_port: 8286
jetty_jmx_authenticate: "false"
jetty_jmx_ssl: "false"
# BUGFIX: the original used shell-style '${jetty_jmx_port}' etc., which
# Ansible never expands — the literal '${...}' text ended up in
# JAVA_OPTIONS. Jinja '{{ var }}' interpolation is required here.
jetty_jmx_java_options: "-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate={{ jetty_jmx_authenticate }} -Dcom.sun.management.jmxremote.port={{ jetty_jmx_port }} -Dcom.sun.management.jmxremote.ssl={{ jetty_jmx_ssl }}"
|
||||
jetty_cache_dir: /var/cache/jetty
|
||||
jetty_tmp_dir: /var/cache/jetty/data
|
||||
jetty_jvm_tmp_dir: /var/cache/jetty/tmp
|
||||
jetty_shutdown_timeout: 30
|
||||
jetty_java_home: ""
|
||||
jetty_logfile_days: 14
|
||||
jetty_define_lang: False
|
||||
jetty_lang: "en_US.UTF-8"
|
||||
jetty_open_files: 2048
|
||||
jetty_use_apache: False
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
- name: apache2 reload
|
||||
service: name=apache2 state=reloaded
|
||||
|
||||
- name: Start jetty
|
||||
service: name=jetty state=started
|
||||
|
||||
- name: Restart jetty
|
||||
service: name=jetty state=restarted
|
|
@ -0,0 +1,48 @@
|
|||
---
|
||||
- name: Install the jetty packages
|
||||
apt: pkg={{ item }} state=installed force=yes
|
||||
with_items:
|
||||
- jetty
|
||||
tags:
|
||||
- jetty
|
||||
|
||||
- name: Fix the broken jetty startup script
|
||||
shell: perl -pi -e "s/\^\[:space:]\*/^[[:space:]]*/g" /etc/init.d/jetty
|
||||
ignore_errors: True
|
||||
tags:
|
||||
- jetty
|
||||
|
||||
- name: Install the apache mod_jk module, if needed
|
||||
apt: pkg={{ item }} state=installed force=yes
|
||||
with_items:
|
||||
- libapache2-mod-jk
|
||||
when: jetty_use_apache is defined and jetty_use_apache
|
||||
notify:
|
||||
apache2 reload
|
||||
tags:
|
||||
- jetty
|
||||
|
||||
- name: Ensure that the jetty cache directory exists
|
||||
file: dest={{ item }} owner={{ jetty_user }} group={{ jetty_group }} mode=0750 state=directory
|
||||
with_items:
|
||||
- '{{ jetty_cache_dir }}'
|
||||
- '{{ jetty_tmp_dir }}'
|
||||
- '{{ jetty_jvm_tmp_dir }}'
|
||||
tags:
|
||||
- jetty
|
||||
|
||||
- name: Install the jetty defaults
|
||||
template: src=jetty-defaults.j2 dest=/etc/default/jetty
|
||||
notify:
|
||||
Restart jetty
|
||||
tags:
|
||||
- jetty
|
||||
|
||||
- name: Set the jetty limits
|
||||
template: src={{ item }}.j2 dest=/etc/security/limits.d/{{ item }}
|
||||
with_items:
|
||||
- jetty-limits.conf
|
||||
notify:
|
||||
Restart jetty
|
||||
tags:
|
||||
- jetty
|
|
@ -0,0 +1,2 @@
|
|||
---
|
||||
- include: jetty.yml
|
|
@ -0,0 +1,51 @@
|
|||
# change to 0 to allow Jetty to start
|
||||
{% if jetty_activate_at_boot %}
|
||||
NO_START=0
|
||||
{% else %}
|
||||
NO_START=YES
|
||||
{% endif %}
|
||||
|
||||
# change to 'no' or uncomment to use the default setting in /etc/default/rcS
|
||||
VERBOSE={{ jetty_verbose }}
|
||||
|
||||
# Run Jetty as this user ID (default: jetty)
|
||||
# Set this to an empty string to prevent Jetty from starting automatically
|
||||
JETTY_USER={{ jetty_user }}
|
||||
|
||||
# Listen to connections from this network host
|
||||
# Use 0.0.0.0 as host to accept all connections.
|
||||
# Uncomment to restrict access to localhost
|
||||
JETTY_HOST={{ jetty_listen_ip }}
|
||||
|
||||
# The network port used by Jetty
|
||||
JETTY_PORT={{ jetty_http_port }}
|
||||
|
||||
# Timeout in seconds for the shutdown of all webapps
|
||||
JETTY_SHUTDOWN={{ jetty_shutdown_timeout }}
|
||||
|
||||
# Additional arguments to pass to Jetty
|
||||
#JETTY_ARGS=
|
||||
|
||||
# Extra options to pass to the JVM
|
||||
JAVA_OPTIONS="{{ jetty_java_opts }}"
|
||||
{% if jetty_enable_jmx %}
|
||||
JAVA_OPTIONS="$JAVA_OPTIONS {{ jetty_jmx_java_options }}"
|
||||
{% endif %}
|
||||
|
||||
# Home of Java installation.
|
||||
JAVA_HOME={{ jetty_java_home }}
|
||||
|
||||
# Jetty uses a directory to store temporary files like unpacked webapps
|
||||
JETTY_TMP={{ jetty_tmp_dir }}
|
||||
JVM_TMP={{ jetty_jvm_tmp_dir }}
|
||||
|
||||
# Jetty uses a config file to setup its boot classpath
|
||||
#JETTY_START_CONFIG=/etc/jetty/start.config
|
||||
|
||||
# Default for number of days to keep old log files in /var/log/jetty/
|
||||
LOGFILE_DAYS={{ jetty_logfile_days }}
|
||||
|
||||
{% if jetty_define_lang %}
|
||||
export LANG={{ jetty_lang }}
|
||||
{% endif %}
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
{{ jetty_user }} soft nofile {{ jetty_open_files }}
|
||||
{{ jetty_user }} hard nofile {{ jetty_open_files }}
|
||||
root soft nofile {{ jetty_open_files }}
|
||||
root hard nofile {{ jetty_open_files }}
|
|
@ -0,0 +1,22 @@
|
|||
<?xml version="1.0"?>
|
||||
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
|
||||
<!-- =============================================================== -->
|
||||
<!-- Configure the Jetty SetUIDServer -->
|
||||
<!-- this configuration file should be used in combination with -->
|
||||
<!-- other configuration files. e.g. -->
|
||||
<!-- java -jar start.jar etc/jetty-setuid.xml etc/jetty.xml -->
|
||||
<!-- =============================================================== -->
|
||||
<Configure id="Server" class="org.mortbay.setuid.SetUIDServer">
|
||||
<Set name="startServerAsPrivileged">false</Set>
|
||||
<Set name="umask">2</Set>
|
||||
<Set name="uid">{{ jetty_user }}</Set>
|
||||
<Set name="gid">{{ jetty_group }}</Set>
|
||||
<Call name="setRLimitNoFiles">
|
||||
<Arg>
|
||||
<New class="org.mortbay.setuid.RLimit">
|
||||
<Set name="soft">{{ jetty_open_files }}</Set>
|
||||
<Set name="hard">{{ jetty_open_files }}</Set>
|
||||
</New>
|
||||
</Arg>
|
||||
</Call>
|
||||
</Configure>
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
nemis_ldap_uri: "ldap://ldap.sub.research-infrastructures.eu"
|
||||
nemis_ldap_base_dn: "dc=research-infrastructures,dc=eu"
|
||||
|
|
@ -0,0 +1,39 @@
|
|||
---
|
||||
- name: Install the ldap utilities
|
||||
apt: pkg={{ item }} state={{ pkg_state }}
|
||||
with_items:
|
||||
- ldapscripts
|
||||
- libpam-ldap
|
||||
tags:
|
||||
- ldap-client
|
||||
|
||||
- name: Write the ldap client configuration file
|
||||
template: src=ldap.conf.j2 dest=/etc/ldap.conf mode=444 owner=root group=root
|
||||
when: is_ubuntu_less_than_trusty
|
||||
tags:
|
||||
- ldap-client
|
||||
|
||||
- name: Write the ldap client configuration file
|
||||
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=444 owner=root group=root
|
||||
when: is_trusty
|
||||
tags:
|
||||
- ldap-client
|
||||
|
||||
- name: set the ldapscripts.conf uri
|
||||
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SERVER value='{{ nemis_ldap_uri }}' syntax=shell
|
||||
when: is_trusty
|
||||
tags:
|
||||
- ldap-client
|
||||
|
||||
- name: set the ldapscripts.conf bind dn
|
||||
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=BINDDN value='cn=admin,{{ nemis_ldap_base_dn }}' syntax=shell
|
||||
when: is_trusty
|
||||
tags:
|
||||
- ldap-client
|
||||
|
||||
- name: set the ldapscripts.conf dn suffix
|
||||
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SUFFIX value='{{ nemis_ldap_base_dn }}' syntax=shell
|
||||
when: is_trusty
|
||||
tags:
|
||||
- ldap-client
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
# The distinguished name of the search base.
|
||||
BASE {{ nemis_ldap_base_dn }}
|
||||
|
||||
# Another way to specify your LDAP server is to provide an
|
||||
URI {{ nemis_ldap_uri }}
|
||||
|
||||
# The LDAP version to use (defaults to 3
|
||||
# if supported by client library)
|
||||
ldap_version 3
|
||||
|
||||
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data
|
|
@ -0,0 +1,41 @@
|
|||
---
|
||||
#
|
||||
rsyslog_install_newer_package: True
|
||||
rsyslog_ppa: "ppa:adiscon/v8-stable"
|
||||
rsyslog_debian_repo: "deb http://debian.adiscon.com/v8-stable wheezy/"
|
||||
rsyslog_repo_key: "AEF0CF8E"
|
||||
rsyslog_pkg_status: "latest"
|
||||
|
||||
rsyslog_use_inotify: True
|
||||
# Not used when inotify is enabled
|
||||
rsyslog_file_polling_interval: 10
|
||||
|
||||
# We use logstash if the elastisearch module is not enabled
|
||||
#rsys_logstash_collector_host: logstash.t.hadoop.research-infrastructures.eu
|
||||
rsys_logstash_collector_host: logstash
|
||||
rsys_logstash_collector_port: 5544
|
||||
|
||||
# IMPORTANT: the log_state_file names must be unique
|
||||
#rsys_logfiles:
|
||||
# - { logfile: '/var/log/tomcat7/catalina.log', log_tag: 'solr-state', log_state_file: 'solr-state'}
|
||||
# - { logfile: '/var/log/tomcat7/localhost_access.log', log_tag: 'solr-access', log_state_file: 'solr-access'}
|
||||
|
||||
#
|
||||
# IMPORTANT NOTE: the following setting only work if rsyslog_install_newer_package is set to True
|
||||
#
|
||||
rsyslog_use_queues: True
|
||||
rsyslog_main_queue_size: 1000000
|
||||
rsyslog_main_queue_debatchsize: 256
|
||||
rsyslog_main_queue_workerthreads: 2
|
||||
rsyslog_action_queue_debatchsize: 1024
|
||||
rsyslog_action_queue_size: 100000
|
||||
rsyslog_action_queue_workerthreads: 5
|
||||
# -1 means retry indefinitely if ES is unreachable
|
||||
rsyslog_action_resumeretrycount: -1
|
||||
|
||||
# The elasticsearch module bypasses logstash and talks directly to elasticsearch
|
||||
rsyslog_use_elasticsearch_module: True
|
||||
#rsys_elasticsearch_collector_host: logstash.t.hadoop.research-infrastructures.eu
|
||||
rsys_elasticsearch_collector_host: logstash
|
||||
rsys_elasticsearch_collector_port: 9200
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
- name: Restart rsyslog
  # An explicit stop/start is used instead of 'state=restarted'
  # (kept from the original, which had the service call commented out —
  # presumably restart was unreliable with this rsyslog packaging).
  # BUGFIX: the 'command' module does not interpret ';', so the second
  # service invocation was passed as literal arguments; 'shell' is needed.
  shell: /usr/sbin/service rsyslog stop ; /usr/sbin/service rsyslog start
|
||||
|
||||
|
|
@ -0,0 +1,70 @@
|
|||
---
|
||||
- name: Install the rsyslog ppa on ubuntu precise or later
|
||||
apt_repository: repo='{{ rsyslog_ppa }}'
|
||||
when:
|
||||
- is_ubuntu
|
||||
- rsyslog_install_newer_package
|
||||
register: rsyslog_ubuntu_repo
|
||||
tags:
|
||||
- rsyslog
|
||||
- logstash
|
||||
|
||||
- name: Install the rsyslog repo key on debian wheezy
  # Use the rsyslog_repo_key variable from defaults so the key id is
  # maintained in one place (it was hardcoded to AEF0CF8E here).
  apt_key: keyserver=keys.gnupg.net id={{ rsyslog_repo_key }} state=present
  when:
    - is_debian7
    - rsyslog_install_newer_package
  tags:
    - rsyslog
    - logstash
|
||||
|
||||
- name: Install the rsyslog repository on debian wheezy
|
||||
copy: content="{{ rsyslog_debian_repo }}\n" dest=/etc/apt/sources.list.d/adiscon-rsyslog.list
|
||||
register: rsyslog_debian_repo
|
||||
when:
|
||||
- is_debian7
|
||||
- rsyslog_install_newer_package
|
||||
tags:
|
||||
- rsyslog
|
||||
- logstash
|
||||
|
||||
- name: Update apt cache
|
||||
apt: update_cache=yes
|
||||
when: (rsyslog_ubuntu_repo|changed) or (rsyslog_debian_repo|changed)
|
||||
tags:
|
||||
- rsyslog
|
||||
- logstash
|
||||
|
||||
- name: Add the syslog user to the adm group so it can read all the log files
|
||||
user: name=syslog groups=adm
|
||||
tags:
|
||||
- rsyslog
|
||||
- logstash
|
||||
|
||||
- name: Upgrade rsyslog and install the elasticsearch module
|
||||
apt: pkg={{ item }} state={{ rsyslog_pkg_status }}
|
||||
with_items:
|
||||
- rsyslog
|
||||
- rsyslog-elasticsearch
|
||||
tags:
|
||||
- rsyslog
|
||||
- logstash
|
||||
|
||||
- name: Add a rsyslog configuration to send logfiles data to a logstash collector or directly to elasticsearch
|
||||
template: src=rsyslog-logstash.conf.j2 dest=/etc/rsyslog.d/90-rsyslog-logstash.conf owner=root group=root mode=0444
|
||||
when: rsyslog_install_newer_package
|
||||
notify:
|
||||
Restart rsyslog
|
||||
tags:
|
||||
- logstash
|
||||
- rsyslog
|
||||
|
||||
- name: Add a rsyslog configuration to send logfiles data to a logstash collector when using the original and old rsyslog package
|
||||
template: src=old-rsyslog-logstash.conf.j2 dest=/etc/rsyslog.d/90-rsyslog-logstash.conf owner=root group=root mode=0444
|
||||
when: not rsyslog_install_newer_package
|
||||
notify:
|
||||
Restart rsyslog
|
||||
tags:
|
||||
- logstash
|
||||
- rsyslog
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
$ModLoad imfile
|
||||
|
||||
{% for log in rsys_logfiles %}
|
||||
$InputFileName {{ log.logfile }}
|
||||
$InputFileTag {{ log.log_tag }}
|
||||
$InputFileStateFile {{ log.log_state_file }}
|
||||
$InputRunFileMonitor
|
||||
|
||||
{% endfor %}
|
||||
|
||||
# Send all to the logstash server
|
||||
*.* @@{{ rsys_logstash_collector_host }}:{{ rsys_logstash_collector_port }}
|
||||
|
|
@ -0,0 +1,70 @@
|
|||
{% if rsys_logfiles is defined %}
|
||||
{% if rsyslog_use_inotify %}
module(load="imfile" mode="inotify" )
{% else %}
{# Honour the configurable interval from defaults instead of the
   hard-coded "10" the original used, which silently ignored
   rsyslog_file_polling_interval. #}
module(load="imfile" mode="polling" PollingInterval="{{ rsyslog_file_polling_interval }}" )
{% endif %}
|
||||
{% for log in rsys_logfiles %}
|
||||
input(
|
||||
Type="imfile"
|
||||
File="{{ log.logfile }}"
|
||||
Tag="{{ log.log_tag }}"
|
||||
)
|
||||
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if rsyslog_use_elasticsearch_module %}
|
||||
module(load="omelasticsearch")
|
||||
|
||||
{% if rsyslog_use_queues %}
|
||||
main_queue(
|
||||
queue.size="{{ rsyslog_main_queue_size }}" # capacity of the main queue
|
||||
queue.debatchsize="{{ rsyslog_main_queue_debatchsize }}" # process messages in batches of 1000 and move them to the action queues
|
||||
queue.workerthreads="{{ rsyslog_main_queue_workerthreads }}" # threads for the main queue
|
||||
)
|
||||
{% endif %}
|
||||
|
||||
template(name="logstash-index"
|
||||
type="list") {
|
||||
constant(value="logstash-")
|
||||
property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="4")
|
||||
constant(value=".")
|
||||
property(name="timereported" dateFormat="rfc3339" position.from="6" position.to="7")
|
||||
constant(value=".")
|
||||
property(name="timereported" dateFormat="rfc3339" position.from="9" position.to="10")
|
||||
}
|
||||
|
||||
# this is for formatting our syslog in JSON with @timestamp
template(name="plain-syslog"
         type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
    # BUGFIX: the leading '\",' closes the previous field's value; it was
    # missing here (unlike every other field below), producing malformed JSON.
    constant(value="\",\"received_at\":\"") property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"host\":\"")        property(name="hostname")
    constant(value="\",\"received_from\":\"") property(name="hostname")
    constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
    constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
    constant(value="\",\"tag\":\"")         property(name="syslogtag" format="json")
    constant(value="\",\"message\":\"")     property(name="msg" format="json")
    constant(value="\"}")
}
|
||||
# this is where we actually send the logs to Elasticsearch ({{ rsys_elasticsearch_collector_host }}:{{ rsys_elasticsearch_collector_port }})
|
||||
*.* action(type="omelasticsearch"
|
||||
template="plain-syslog"
|
||||
searchIndex="logstash-index"
|
||||
dynSearchIndex="on"
|
||||
{% if rsyslog_use_queues %}
|
||||
bulkmode="on"
|
||||
queue.dequeuebatchsize="{{ rsyslog_action_queue_debatchsize }}" # ES bulk size
|
||||
queue.size="{{ rsyslog_action_queue_size }}" # capacity of the action queue
|
||||
queue.workerthreads="{{ rsyslog_action_queue_workerthreads }}" # workers for the action
|
||||
action.resumeretrycount="{{ rsyslog_action_resumeretrycount }}"
|
||||
{% endif %}
|
||||
server="{{ rsys_elasticsearch_collector_host }}"
|
||||
serverport="{{ rsys_elasticsearch_collector_port }}"
|
||||
)
|
||||
{% else %}
|
||||
# Send all to the logstash server
|
||||
*.* @@{{ rsys_logstash_collector_host }}:{{ rsys_logstash_collector_port }}
|
||||
{% endif %}
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
---
|
||||
mongodb:
|
||||
start_server: 'yes'
|
||||
tcp_port: 27017
|
||||
allowed_hosts:
|
||||
- '{{ ansible_fqdn }}/32'
|
||||
- 127.0.0.1/8
|
||||
|
||||
mongodb_install_from_external_repo: True
|
||||
mongodb_start_server: 'yes'
|
||||
mongodb_tcp_port: 27017
|
||||
mongodb_http_interface: False
|
||||
mongodb_http_port: 28017
|
||||
mongodb_user: mongodb
|
||||
mongodb_group: mongodb
|
||||
mongodb_logdir: /var/log/mongodb
|
||||
mongodb_logpath: '{{ mongodb_logdir }}/mongodb.log'
|
||||
mongodb_dbpath: /var/lib/mongodb
|
||||
mongodb_directoryperdb: False
|
||||
mongodb_allowed_hosts:
|
||||
- '{{ ansible_fqdn }}/32'
|
||||
- 127.0.0.1/8
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
- name: Update apt cache
|
||||
apt: update_cache=yes
|
||||
ignore_errors: true
|
||||
|
||||
- name: Restart mongodb
|
||||
service: name=mongodb state=restarted
|
|
@ -0,0 +1,61 @@
|
|||
---
|
||||
- name: Install the mongodb apt key
|
||||
#apt_key: id=7F0CEB10 state=present
|
||||
raw: apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 7F0CEB10
|
||||
when: mongodb_install_from_external_repo
|
||||
tags: mongodb
|
||||
|
||||
- name: Install the mongodb repository
  # BUGFIX: mode was '044', which drops the owner read bit; the intended
  # world-readable sources.list entry is 0444.
  copy: content="deb http://downloads-distro.mongodb.org/repo/ubuntu-upstart dist 10gen" dest=/etc/apt/sources.list.d/mongodb.list owner=root group=root mode=0444
  when: mongodb_install_from_external_repo
  register: external_repo
  tags: mongodb
|
||||
|
||||
- name: Update the apt cache
|
||||
apt: update_cache=yes
|
||||
when: ( external_repo | changed )
|
||||
ignore_errors: True
|
||||
tags: mongodb
|
||||
|
||||
- name: Install the mongodb server
|
||||
apt: pkg={{ item }} state=installed
|
||||
with_items:
|
||||
- mongodb-10gen
|
||||
when: mongodb_install_from_external_repo
|
||||
tags: mongodb
|
||||
|
||||
- name: Install the mongodb server
|
||||
apt: pkg={{ item }} state=installed
|
||||
with_items:
|
||||
- mongodb-server
|
||||
when: not mongodb_install_from_external_repo
|
||||
tags: mongodb
|
||||
|
||||
- name: Install the mongodb defaults file
|
||||
copy: content="ENABLE_MONGODB={{ mongodb_start_server }}" dest=/etc/default/mongodb owner=root group=root mode=0444
|
||||
tags: mongodb
|
||||
|
||||
- name: Create the mongodb db directory
|
||||
file: dest={{ mongodb_dbpath }} state=directory owner={{ mongodb_user }} group={{ mongodb_group }} mode=0755
|
||||
tags: mongodb
|
||||
|
||||
- name: Create the mongodb log directory
|
||||
file: dest={{ mongodb_logdir }} state=directory owner={{ mongodb_user }} group={{ mongodb_group }} mode=0755
|
||||
tags: mongodb
|
||||
|
||||
- name: Install the mongodb 2.4 configuration
|
||||
template: src=mongodb-2.4.conf.j2 dest=/etc/mongodb.conf owner=root group=root mode=0444
|
||||
when: ( mongodb_start_server is defined ) and ( mongodb_start_server == 'yes' )
|
||||
notify: Restart mongodb
|
||||
tags: mongodb
|
||||
|
||||
- name: Ensure mongodb is started
|
||||
service: name=mongodb state=started enabled=yes
|
||||
when: ( mongodb_start_server is defined ) and ( mongodb_start_server == 'yes' )
|
||||
tags: mongodb
|
||||
|
||||
- name: Ensure mongodb is stopped and disabled
|
||||
service: name=mongodb state=stopped enabled=no
|
||||
when: ( mongodb_start_server is defined ) and ( mongodb_start_server == 'no' )
|
||||
tags: mongodb
|
||||
|
|
@ -0,0 +1,84 @@
|
|||
# Note: if you run mongodb as a non-root user (recommended) you may
|
||||
# need to create and set permissions for this directory manually,
|
||||
# e.g., if the parent directory isn't mutable by the mongodb user.
|
||||
dbpath={{ mongodb_dbpath }}
{# '| lower' is needed because the raw Ansible boolean renders as
   'True'/'False', while mongod's config parser expects lowercase
   true/false. #}
directoryperdb={{ mongodb_directoryperdb | lower }}
|
||||
|
||||
#where to log
|
||||
logpath={{ mongodb_logpath }}
|
||||
|
||||
logappend=true
|
||||
|
||||
port = {{ mongodb_tcp_port }}
|
||||
|
||||
# Disables write-ahead journaling
|
||||
# nojournal = true
|
||||
|
||||
# Enables periodic logging of CPU utilization and I/O wait
|
||||
#cpu = true
|
||||
|
||||
# Turn on/off security. Off is currently the default
|
||||
#noauth = true
|
||||
#auth = true
|
||||
|
||||
# Verbose logging output.
|
||||
#verbose = true
|
||||
|
||||
# Inspect all client data for validity on receipt (useful for
|
||||
# developing drivers)
|
||||
#objcheck = true
|
||||
|
||||
# Enable db quota management
|
||||
#quota = true
|
||||
|
||||
# Set oplogging level where n is
|
||||
# 0=off (default)
|
||||
# 1=W
|
||||
# 2=R
|
||||
# 3=both
|
||||
# 7=W+some reads
|
||||
#diaglog = 0
|
||||
# Ignore query hints
|
||||
#nohints = true
|
||||
|
||||
{% if not mongodb_http_interface %}
|
||||
# Disable the HTTP interface (Defaults to localhost:28017).
|
||||
nohttpinterface = true
|
||||
{% endif %}
|
||||
|
||||
# Turns off server-side scripting. This will result in greatly limited
|
||||
# functionality
|
||||
#noscripting = true
|
||||
|
||||
# Turns off table scans. Any query that would do a table scan fails.
|
||||
#notablescan = true
|
||||
|
||||
# Disable data file preallocation.
|
||||
#noprealloc = true
|
||||
|
||||
# Specify .ns file size for new databases.
|
||||
# nssize = <size>
|
||||
|
||||
# Accout token for Mongo monitoring server.
|
||||
#mms-token = <token>
|
||||
|
||||
# Server name for Mongo monitoring server.
|
||||
#mms-name = <server-name>
|
||||
|
||||
# Ping interval for Mongo monitoring server.
|
||||
#mms-interval = <seconds>
|
||||
|
||||
# Replication Options
|
||||
|
||||
# in master/slave replicated mongo databases, specify here whether
|
||||
# this is a slave or master
|
||||
#slave = true
|
||||
#source = master.example.com
|
||||
# Slave only: specify a single database to replicate
|
||||
#only = master.example.com
|
||||
# or
|
||||
#master = true
|
||||
#source = slave.example.com
|
||||
|
||||
# in replica set configuration, specify the name of the replica set
|
||||
# replSet = setname
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
|
||||
check_tomcat_deps:
|
||||
- libwww-perl
|
||||
- liblwp-mediatypes-perl
|
||||
- liblwp-useragent-determined-perl
|
||||
- liblwp-protocol-https-perl
|
||||
- libxml-xpath-perl
|
|
@ -0,0 +1,387 @@
|
|||
#!/usr/bin/perl
|
||||
|
||||
#############################################################################
|
||||
# #
|
||||
# This script was initially developed by Lonely Planet for internal use #
|
||||
# and has kindly been made available to the Open Source community for #
|
||||
# redistribution and further development under the terms of the #
|
||||
# GNU General Public License v3: http://www.gnu.org/licenses/gpl.html #
|
||||
# #
|
||||
#############################################################################
|
||||
# #
|
||||
# This script is supplied 'as-is', in the hope that it will be useful, but #
|
||||
# neither Lonely Planet nor the authors make any warranties or guarantees #
|
||||
# as to its correct operation, including its intended function. #
|
||||
# #
|
||||
# Or in other words: #
|
||||
# Test it yourself, and make sure it works for YOU. #
|
||||
# #
|
||||
#############################################################################
|
||||
# Author: George Hansper e-mail: george@hansper.id.au #
|
||||
#############################################################################
|
||||
|
||||
use strict;
|
||||
use LWP;
|
||||
use LWP::UserAgent;
|
||||
use Getopt::Std;
|
||||
use XML::XPath;
|
||||
|
||||
my %optarg;
|
||||
my $getopt_result;
|
||||
|
||||
my $lwp_user_agent;
|
||||
my $http_request;
|
||||
my $http_response;
|
||||
my $url;
|
||||
my $body;
|
||||
|
||||
my @message;
|
||||
my @message_perf;
|
||||
my $exit = 0;
|
||||
my @exit = qw/OK: WARNING: CRITICAL:/;
|
||||
|
||||
my $rcs_id = '$Id: check_tomcat.pl,v 1.4 2013/03/15 10:45:41 george Exp $';
|
||||
my $rcslog = '
|
||||
$Log: check_tomcat.pl,v $
|
||||
Revision 1.4 2013/03/15 10:45:41 george
|
||||
Fixed bug in % threads thresholds, which appear if multiple connectors are in use (thanks to Andreas Lamprecht for reporting this).
|
||||
Changed MB to MiB in output text.
|
||||
|
||||
Revision 1.3 2011/12/11 04:56:27 george
|
||||
Added currentThreadCount to performance data.
|
||||
|
||||
Revision 1.2 2011/11/18 11:30:57 george
|
||||
Added capability to extract the connector names, and check any or all tomcat connectors for sufficient free threads.
|
||||
Stripped quotes from connector names to work around tomcat7 quirkiness.
|
||||
|
||||
Revision 1.1 2011/04/16 12:05:26 george
|
||||
Initial revision
|
||||
|
||||
';
|
||||
|
||||
# Defaults...
|
||||
my $timeout = 10; # Default timeout
|
||||
my $host = 'localhost'; # default host header
|
||||
my $host_ip = 'localhost'; # default IP
|
||||
my $port = 80; # default port
|
||||
my $user = 'nagios'; # default user
|
||||
my $password = 'nagios'; # default password
|
||||
my $uri = '/manager/status?XML=true'; #default URI
|
||||
my $http = 'http';
|
||||
my $connector_arg = undef;
|
||||
my $opt_warn_threads = "25%";
|
||||
my $opt_crit_threads = "10%";
|
||||
my $warn_threads;
|
||||
my $crit_threads;
|
||||
# Memory thresholds are tight, because garbage collection kicks in only when memory is low anyway
|
||||
my $opt_warn_memory = "5%";
|
||||
my $opt_crit_memory = "2%";
|
||||
my $warn_memory;
|
||||
my $crit_memory;
|
||||
|
||||
my $xpath;
|
||||
my %xpath_checks = (
|
||||
maxThreads => '/status/connector/threadInfo/@maxThreads',
|
||||
currentThreadCount => '/status/connector/threadInfo/@currentThreadCount',
|
||||
currentThreadsBusy => '/status/connector/threadInfo/@currentThreadsBusy',
|
||||
memMax => '/status/jvm/memory/@max',
|
||||
memFree => '/status/jvm/memory/@free',
|
||||
memTotal => '/status/jvm/memory/@total',
|
||||
);
|
||||
# XPath examples...
|
||||
# /status/jvm/memory/@free
|
||||
# /status/connector[attribute::name="http-8080"]/threadInfo/@maxThreads
|
||||
# /status/connector/threadInfo/@* <- returns multiple nodes
|
||||
|
||||
my %xpath_check_results;
|
||||
|
||||
sub VERSION_MESSAGE() {
|
||||
print "$^X\n$rcs_id\n";
|
||||
}
|
||||
|
||||
sub HELP_MESSAGE() {
|
||||
print <<EOF;
|
||||
Usage:
|
||||
$0 [-v] [-H hostname] [-I ip_address] [-p port] [-S] [-t time_out] [-l user] [-a password] [-w /xpath[=value]...] [-c /xpath[=value]...]
|
||||
|
||||
-H ... Hostname and Host: header (default: $host)
|
||||
-I ... IP address (default: none)
|
||||
-p ... Port number (default: ${port})
|
||||
-S ... Use SSL connection
|
||||
-v ... verbose messages
|
||||
-t ... Seconds before connection times out. (default: $timeout)
|
||||
-l ... username for authentication (default: $user)
|
||||
-a ... password for authentication (default: embedded in script)
|
||||
-u ... uri path, (default: $uri)
|
||||
-n ... connector name, regular expression
|
||||
eg 'ajp-bio-8009' or 'http-8080' or '^http-'.
|
||||
default is to check: .*-port_number\$
|
||||
Note: leading/trailing quotes and spaces are trimmed from the connector name for matching.
|
||||
-w ... warning thresholds for threads,memory (memory in MiB)
|
||||
eg 20,50 or 10%,25% default is $opt_warn_threads,$opt_warn_memory
|
||||
-c ... critical thresholds for threads,memory (memory in MiB)
|
||||
eg 10,20 or 5%,10%, default is $opt_crit_threads,$opt_crit_memory
|
||||
Example:
|
||||
$0 -H app01.signon.devint.lpo -p 8080 -t 5 -l nagios -a apples -u '/manager/status?XML=true'
|
||||
$0 -H app01.signon.devint.lpo -p 8080 -w 10%,50 -c 5%,10
|
||||
$0 -H app01.signon.devint.lpo -p 8080 -w 10%,50 -c 5%,10 -l admin -a admin -n .
|
||||
|
||||
Notes:
|
||||
The -I parameters connects to a alternate hostname/IP, using the Host header from the -H parameter
|
||||
|
||||
To check ALL connectors mentioned in the status XML file, use '-n .'
|
||||
'.' is a regular expression matching all connector names.
|
||||
|
||||
MiB = mebibyte = 1024 * 1024 bytes
|
||||
|
||||
EOF
|
||||
}
|
||||
|
||||
$getopt_result = getopts('hvSH:I:p:w:c:t:l:a:u:n:', \%optarg) ;
|
||||
|
||||
# Any invalid options?
|
||||
if ( $getopt_result == 0 ) {
|
||||
HELP_MESSAGE();
|
||||
exit 1;
|
||||
}
|
||||
if ( $optarg{h} ) {
|
||||
HELP_MESSAGE();
|
||||
exit 0;
|
||||
}
|
||||
|
||||
sub printv($) {
|
||||
if ( $optarg{v} ) {
|
||||
chomp( $_[-1] );
|
||||
print STDERR @_;
|
||||
print STDERR "\n";
|
||||
}
|
||||
}
|
||||
|
||||
if ( defined($optarg{t}) ) {
|
||||
$timeout = $optarg{t};
|
||||
}
|
||||
|
||||
# Is port number numeric?
|
||||
if ( defined($optarg{p}) ) {
|
||||
$port = $optarg{p};
|
||||
if ( $port !~ /^[0-9][0-9]*$/ ) {
|
||||
print STDERR <<EOF;
|
||||
Port must be a decimal number, eg "-p 8080"
|
||||
EOF
|
||||
exit 1;
|
||||
}
|
||||
}
|
||||
|
||||
if ( defined($optarg{H}) ) {
|
||||
$host = $optarg{H};
|
||||
$host_ip = $host;
|
||||
}
|
||||
|
||||
if ( defined($optarg{I}) ) {
|
||||
$host_ip = $optarg{I};
|
||||
if ( ! defined($optarg{H}) ) {
|
||||
$host = $host_ip;
|
||||
}
|
||||
}
|
||||
|
||||
if ( defined($optarg{l}) ) {
|
||||
$user = $optarg{l};
|
||||
}
|
||||
|
||||
if ( defined($optarg{a}) ) {
|
||||
$password = $optarg{a};
|
||||
}
|
||||
|
||||
if ( defined($optarg{u}) ) {
|
||||
$uri = $optarg{u};
|
||||
}
|
||||
|
||||
if ( defined($optarg{S}) ) {
|
||||
$http = 'https';
|
||||
}
|
||||
|
||||
if ( defined($optarg{c}) ) {
|
||||
my @threshold = split(/,/,$optarg{c});
|
||||
if ( $threshold[0] ne "" ) {
|
||||
$opt_crit_threads = $threshold[0];
|
||||
}
|
||||
if ( $threshold[1] ne "" ) {
|
||||
$opt_crit_memory = $threshold[1];
|
||||
}
|
||||
}
|
||||
|
||||
if ( defined($optarg{n}) ) {
|
||||
$connector_arg = $optarg{n};
|
||||
} else {
|
||||
$connector_arg = "-$port\$";
|
||||
}
|
||||
|
||||
if ( defined($optarg{w}) ) {
|
||||
my @threshold = split(/,/,$optarg{w});
|
||||
if ( $threshold[0] ne "" ) {
|
||||
$opt_warn_threads = $threshold[0];
|
||||
}
|
||||
if ( $threshold[1] ne "" ) {
|
||||
$opt_warn_memory = $threshold[1];
|
||||
}
|
||||
}
|
||||
|
||||
*LWP::UserAgent::get_basic_credentials = sub {
|
||||
return ( $user, $password );
|
||||
};
|
||||
|
||||
# print $xpath_checks[0], "\n";
|
||||
|
||||
printv "Connecting to $host:${port}\n";
|
||||
|
||||
$lwp_user_agent = LWP::UserAgent->new;
|
||||
$lwp_user_agent->timeout($timeout);
|
||||
if ( $port == 80 || $port == 443 || $port eq "" ) {
|
||||
$lwp_user_agent->default_header('Host' => $host);
|
||||
} else {
|
||||
$lwp_user_agent->default_header('Host' => "$host:$port");
|
||||
}
|
||||
|
||||
$url = "$http://${host_ip}:${port}$uri";
|
||||
$http_request = HTTP::Request->new(GET => $url);
|
||||
|
||||
printv "--------------- GET $url";
|
||||
printv $lwp_user_agent->default_headers->as_string . $http_request->headers_as_string;
|
||||
|
||||
$http_response = $lwp_user_agent->request($http_request);
|
||||
printv "---------------\n" . $http_response->protocol . " " . $http_response->status_line;
|
||||
printv $http_response->headers_as_string;
|
||||
printv "Content has " . length($http_response->content) . " bytes \n";
|
||||
|
||||
if ($http_response->is_success) {
|
||||
$body = $http_response->content;
|
||||
my $xpath = XML::XPath->new( xml => $body );
|
||||
my $xpath_check;
|
||||
# Parse the data out of the XML...
|
||||
foreach $xpath_check ( keys %xpath_checks ) {
|
||||
#print keys(%{$xpath_check}) , "\n";
|
||||
my $path = $xpath_checks{$xpath_check};
|
||||
$path =~ s{\$port}{$port};
|
||||
#print $xpath_check->{xpath} , "\n";
|
||||
my $nodeset = $xpath->find($path);
|
||||
if ( $nodeset->get_nodelist == 0 ) {
|
||||
push @message, "$path not found";
|
||||
$exit |= 2;
|
||||
push @message_perf, "$path=not_found";
|
||||
next;
|
||||
}
|
||||
foreach my $node ($nodeset->get_nodelist) {
|
||||
my $connector_name = $node->getParentNode()->getParentNode()->getAttribute("name");
|
||||
$connector_name =~ s/^["'\s]+//;
|
||||
$connector_name =~ s/["'\s]+$//;
|
||||
my $value = $node->string_value();
|
||||
if ( $value =~ /^"?([0-9.]+)"?$/ ) {
|
||||
$value = $1;
|
||||
} else {
|
||||
push @message, "$path is not numeric";
|
||||
$exit |= 2;
|
||||
push @message_perf, "$path=not_numeric";
|
||||
next;
|
||||
}
|
||||
if ( $xpath_check =~ /^mem/ ) {
|
||||
# This is the .../memory/.. xpath, just store the value in the hash
|
||||
$xpath_check_results{$xpath_check} = $value;
|
||||
} elsif ( $connector_name =~ /${connector_arg}/ && $connector_name ne "" ) {
|
||||
# This is a .../threadInfo/... xpath, put the result into a hash (key is connector_name)
|
||||
$xpath_check_results{$xpath_check}{$connector_name} = $value;
|
||||
}
|
||||
}
|
||||
}
|
||||
# Now apply the logic and check the results
|
||||
#----------------------------------------------
|
||||
# Check memory
|
||||
#----------------------------------------------
|
||||
my $jvm_mem_available = $xpath_check_results{memFree} + $xpath_check_results{memMax} - $xpath_check_results{memTotal};
|
||||
printv(sprintf("free=%d max=%d total=%d",$xpath_check_results{memFree}/1024, $xpath_check_results{memMax}/1024, $xpath_check_results{memTotal}/1024));
|
||||
if ( $opt_warn_memory =~ /(.*)%$/ ) {
|
||||
$warn_memory = int($1 * $xpath_check_results{memMax} / 100);
|
||||
} else {
|
||||
# Convert to bytes
|
||||
$warn_memory =int($opt_warn_memory * 1024 * 1024);
|
||||
}
|
||||
printv("warning at $warn_memory bytes (". ( $warn_memory / 1024 /1024 )."MiB) free, max=$xpath_check_results{memMax}");
|
||||
|
||||
if ( $opt_crit_memory =~ /(.*)%$/ ) {
|
||||
$crit_memory = int($1 * $xpath_check_results{memMax} / 100);
|
||||
} else {
|
||||
# Convert to bytes
|
||||
$crit_memory = int($opt_crit_memory * 1024 * 1024);
|
||||
}
|
||||
printv("critical at $crit_memory bytes (". ( $crit_memory / 1024 /1024 )."MiB) free, max=$xpath_check_results{memMax}");
|
||||
|
||||
if ( $jvm_mem_available <= $crit_memory ) {
|
||||
$exit |= 2;
|
||||
push @message, sprintf("Memory critical <%d MiB,",$crit_memory/1024/1024);
|
||||
} elsif ( $jvm_mem_available <= $warn_memory ) {
|
||||
$exit |= 1;
|
||||
push @message, sprintf("Memory low <%d MiB,",$warn_memory/1024/1024);
|
||||
}
|
||||
push @message, sprintf("memory in use %d MiB (%d MiB);",
|
||||
( $xpath_check_results{memMax} - $jvm_mem_available ) / ( 1024 * 1024),
|
||||
$xpath_check_results{memMax} / ( 1024 * 1024)
|
||||
);
|
||||
push @message_perf, "used=".( $xpath_check_results{memMax} - $jvm_mem_available ) . " free=$jvm_mem_available max=$xpath_check_results{memMax}";
|
||||
|
||||
#----------------------------------------------
|
||||
# Check threads
|
||||
#----------------------------------------------
|
||||
my $name;
|
||||
foreach $name ( keys( %{$xpath_check_results{currentThreadsBusy}} ) ) {
|
||||
|
||||
if ( $opt_warn_threads =~ /(.*)%$/ ) {
|
||||
$warn_threads = int($1 * $xpath_check_results{maxThreads}{$name} / 100);
|
||||
} else {
|
||||
$warn_threads = $opt_warn_threads;
|
||||
}
|
||||
printv("warning at $warn_threads threads free, max=$xpath_check_results{maxThreads}{$name}");
|
||||
|
||||
if ( $opt_crit_threads =~ /(.*)%$/ ) {
|
||||
$crit_threads = int($1 * $xpath_check_results{maxThreads}{$name} / 100);
|
||||
} else {
|
||||
$crit_threads = $opt_crit_threads;
|
||||
}
|
||||
printv("critical at $crit_threads threads free, max=$xpath_check_results{maxThreads}{$name}");
|
||||
|
||||
my $threads_available = $xpath_check_results{maxThreads}{$name} - $xpath_check_results{currentThreadsBusy}{$name};
|
||||
if ( $threads_available <= $crit_threads ) {
|
||||
$exit |= 2;
|
||||
push @message, sprintf("Critical: free_threads<%d",$crit_threads);
|
||||
} elsif ( $threads_available <= $warn_threads ) {
|
||||
$exit |= 1;
|
||||
push @message, sprintf("Warning: free_threads<%d",$warn_threads);
|
||||
}
|
||||
push @message, sprintf("threads[$name]=%d(%d);",
|
||||
$xpath_check_results{currentThreadsBusy}{$name},
|
||||
$xpath_check_results{maxThreads}{$name}
|
||||
);
|
||||
if ( defined($optarg{n}) ) {
|
||||
push @message_perf, "currentThreadsBusy[$name]=$xpath_check_results{currentThreadsBusy}{$name} currentThreadCount[$name]=$xpath_check_results{currentThreadCount}{$name} maxThreads[$name]=$xpath_check_results{maxThreads}{$name}";
|
||||
} else {
|
||||
# For the sake of backwards-compatability of graphs etc...
|
||||
push @message_perf, "currentThreadsBusy=$xpath_check_results{currentThreadsBusy}{$name} currentThreadCount=$xpath_check_results{currentThreadCount}{$name} maxThreads=$xpath_check_results{maxThreads}{$name}";
|
||||
}
|
||||
}
|
||||
if ( keys(%{$xpath_check_results{currentThreadsBusy}}) == 0 ) {
|
||||
# no matching connectors found - this is not OK.
|
||||
$exit |= 1;
|
||||
push @message, "Warning: No tomcat connectors matched name =~ /$connector_arg/";
|
||||
}
|
||||
} elsif ( $http_response->code == 401 ) {
|
||||
print "WARNING: $url " . $http_response->protocol . " " . $http_response->status_line ."\n";
|
||||
exit 1;
|
||||
} else {
|
||||
print "CRITICAL: $url " . $http_response->protocol . " " . $http_response->status_line ."\n";
|
||||
exit 2;
|
||||
}
|
||||
|
||||
if ( $exit == 3 ) {
|
||||
$exit = 2;
|
||||
}
|
||||
|
||||
print "$exit[$exit] ". join(" ",@message) . "|". join(" ",@message_perf) . "\n";
|
||||
exit $exit;
|
|
@ -0,0 +1,31 @@
|
|||
---
|
||||
- name: Install the plugin dependencies
|
||||
apt: pkg={{ item }} state=installed
|
||||
with_items: check_tomcat_deps
|
||||
tags:
|
||||
- nagios
|
||||
- nrpe
|
||||
- check_tomcat
|
||||
|
||||
- name: Install the check_tomcat plugin
|
||||
copy: src=check_tomcat dest={{ nagios_isti_plugdir }}/check_tomcat owner=root group=root mode=0755
|
||||
tags:
|
||||
- nagios
|
||||
- nrpe
|
||||
- check_tomcat
|
||||
|
||||
- name: Install the check_tomcat nrpe commands file
|
||||
template: src=check_tomcat-nrpe.cfg.j2 dest=/etc/nagios/nrpe.d/check_tomcat.cfg owner=root group=root mode=444
|
||||
notify:
|
||||
- Reload NRPE server
|
||||
tags:
|
||||
- nrpe
|
||||
- nagios
|
||||
- check_tomcat
|
||||
|
||||
- name: nagios needs root to execute some commands. We do it via sudo
|
||||
template: src=nagios.sudoers.j2 dest=/etc/sudoers.d/nagios owner=root group=root mode=0440
|
||||
tags:
|
||||
- nagios
|
||||
- nrpe
|
||||
|
|
@ -0,0 +1 @@
|
|||
../../nagios/defaults/main.yml
|
|
@ -0,0 +1,55 @@
|
|||
---
|
||||
monitoring_group_name: 'change_this_on_your_playbook'
|
||||
#nagios_server_local_plugdir: 'change_this_on_your_playbook'
|
||||
|
||||
nagios_plugdir: /usr/lib/nagios/plugins
|
||||
nagios_plugins_dir: '{{ nagios_plugdir }}'
|
||||
nagios_centos_plugins_dir: /usr/lib64/nagios/plugins
|
||||
nagios_isti_plugdir: '{{ nagios_plugdir }}/isti-cnr'
|
||||
nagios_common_lib: check_library.sh
|
||||
# Needed inside nrpe.cfg
|
||||
# It is already defined in isti-global.yml
|
||||
#nagios_monitoring_server_ip: 146.48.123.23
|
||||
nagios_check_disk_w:
|
||||
nagios_check_disk_c:
|
||||
nagios_hw: False
|
||||
nagios_check_disk_w: 10
|
||||
nagios_check_disk_c: 5
|
||||
nagios_allowed_users: root
|
||||
|
||||
nagios_monitoring_obj_dir: /etc/nagios3/objects
|
||||
nagios_monitoring_dir: '{{ nagios_monitoring_obj_dir }}/{{ monitoring_group_name }}'
|
||||
|
||||
nagios_server_files:
|
||||
- contacts.cfg
|
||||
- contactgroups.cfg
|
||||
- generic-service.cfg
|
||||
- generic-host.cfg
|
||||
- hostgroups.cfg
|
||||
- hosts.cfg
|
||||
- services.cfg
|
||||
- commands.cfg
|
||||
|
||||
nagios_psql_query_time_w: 40
|
||||
nagios_psql_query_time_c: 60
|
||||
nagios_psql_db_size_w: 150000000
|
||||
nagios_psql_db_size_c: 170000000
|
||||
|
||||
nrpe_command_timeout: 420
|
||||
nrpe_include_dir: /etc/nagios/nrpe.d/
|
||||
|
||||
# Old stuff. To be deleted
|
||||
nagios:
|
||||
plugins_dir: '{{ nagios_plugdir }}'
|
||||
centos_plugins_dir: '{{ nagios_centos_plugins_dir }}'
|
||||
isti_plugdir: '{{ nagios_isti_plugdir }}'
|
||||
common_lib: '{{ nagios_common_lib }}'
|
||||
# Needed inside nrpe.cfg
|
||||
monitoring_server_ip: '{{ nagios_monitoring_server_ip }}'
|
||||
check_disk_w: '{{ nagios_check_disk_w }}'
|
||||
check_disk_c: '{{ nagios_check_disk_c }}'
|
||||
|
||||
nrpe:
|
||||
command_timeout: '{{ nrpe_command_timeout }}'
|
||||
include_dir: '{{ nrpe_include_dir }}'
|
||||
|
|
@ -0,0 +1,752 @@
|
|||
#!/usr/bin/env python
|
||||
'''
|
||||
Nagios plug-in to pull the Dell service tag and check it
|
||||
against Dell's web site to see how many days remain. By default it
|
||||
issues a warning when there is less than thirty days remaining and critical
|
||||
when there is less than ten days remaining. These values can be adjusted
|
||||
using the command line, see --help.
|
||||
|
||||
|
||||
Version: 4.1
|
||||
Created: 2009-02-12
|
||||
Author: Erinn Looney-Triggs
|
||||
Revised: 2013-05-13
|
||||
Revised by: Erinn Looney-Triggs, Justin Ellison, Harald Jensas
|
||||
https://gitorious.org/smarmy/check_dell_warranty/source/b6438fbef45ba22be3bf0aa2e0aa2e444a384813:
|
||||
'''
|
||||
|
||||
#=============================================================================
|
||||
# TODO: omreport md enclosures, cap the threads, tests, more I suppose
|
||||
#
|
||||
# Revision history:
|
||||
# 2013-05-13 4.1: Catch SSL exceptions from requests module.
|
||||
#
|
||||
# 2013-04-09 4.0: Moved to using api.dell.com and changed out urllib2 in
|
||||
# preference to the requests library.
|
||||
#
|
||||
# 2012-10-08 3.0.2: Add support for hyphen dates
|
||||
#
|
||||
# 2012-10-07 3.0.1: Dell dropped the counter for days left from their site,
|
||||
# this is now calculated internally. Add patch for European style dates
|
||||
# with periods between that numbers.
|
||||
#
|
||||
# 2012-09-05 3.0: Use Net-SNMP bindings for python allowing SNMPv3 support. Add
|
||||
# debugging output using -V, Small cleanups.
|
||||
#
|
||||
# 2012-08-23 2.2.3: Merge in patch from Colin Panisset to dedup serials before
|
||||
# mutex is created
|
||||
#
|
||||
# 2012-07-30 2.2.2: Make regex slightly more robust on scrape.
|
||||
#
|
||||
# 2012-07-03 2.2.1: Fix version number mismatch, fix urllib exception catch,
|
||||
# thanks go to Sven Odermatt for finding that.
|
||||
#
|
||||
# 2012-01-08 2.2.0: Fix to work with new website, had to add cookie handeling
|
||||
# to prod the site correctly to allow scrapping of the information.
|
||||
#
|
||||
# 2010-07-19 2.1.2: Patch to again fix Dell's web page changes, thanks
|
||||
# to Jim Browne http://blog.jbrowne.com/ as well as a patch to work against
|
||||
# OM 5.3
|
||||
#
|
||||
# 2010-04-13 2.1.1: Change to deal with Dell's change to their web site
|
||||
# dropping the warranty extension field.
|
||||
#
|
||||
# 2009-12-17 2.1: Change format back to % to be compatible with python 2.4
|
||||
# and older.
|
||||
#
|
||||
# 2009-11-16 2.0: Fix formatting issues, change some variable names, fix
|
||||
# a file open exception issue, Dell changed the interface so updated to
|
||||
# work with that, new option --short for short output.
|
||||
#
|
||||
# 2009-08-07 1.9: Add smbios as a way to get the serial number.
|
||||
# Move away from old string formatting to new string formatting.
|
||||
#
|
||||
# 2009-08-04 1.8: Improved the parsing of Dell's website, output is now much
|
||||
# more complete (read larger) and includes all warranties. Thresholds are
|
||||
# measured against the warranty with the greatest number of days remaining.
|
||||
# This fixes the bug with doubled or even tripled warranty days being
|
||||
# reported.
|
||||
#
|
||||
# 2009-07-24 1.7: SNMP support, DRAC - Remote Access Controller, CMC -
|
||||
# Chassis Management Controller and MD/PV Disk Enclosure support.
|
||||
#
|
||||
# 2009-07-09 1.6: Threads!
|
||||
#
|
||||
# 2009-06-25 1.5: Changed optparse to handle multiple serial numbers. Changed
|
||||
# the rest of the program to be able to handle multiple serial numbers. Added
|
||||
# a de-duper for serial numbers just in case you get two of the same from
|
||||
# the command line or as is the case with Dell blades, two of the same
|
||||
# from omreport. So this ought to handle blades, though I don't have
|
||||
# any to test against.
|
||||
#
|
||||
# 2009-06-05 1.4 Changed optparse to display %default in help output. Pretty
|
||||
# up the help output with <ARG> instead of variable names. Add description
|
||||
# top optparse. Will now use prefer omreport to dmidecode for systems
|
||||
# that have omreport installed and in $PATH. Note, that you do not have to be
|
||||
# root to run omreport and get the service tag.
|
||||
#
|
||||
# 2009-05-29 1.3 Display output for all warranties for a system. Add up the
|
||||
# number of days left to give an accurate count of the time remaining. Fix
|
||||
# basic check for Dell's database being down. Fixed regex to be non-greedy.
|
||||
# Start and end dates for warranty now takes all warranties into account.
|
||||
# Date output is now yyyy-mm-dd because that is more international.
|
||||
#
|
||||
# 2009-05-28 1.2 Added service tag to output for nagios. Fixed some typos.
|
||||
# Added command-line option for specifying a serial number. This gets
|
||||
# rid of the sudo dependency as well as the newer python dependency
|
||||
# allowing it to run on older RHEL distros. justin@techadvise.com
|
||||
#
|
||||
# 2009-05-27 1.1 Fixed string conversions to do int comparisons properly.
|
||||
# Remove import csv as I am not using that yet. Add a license to the file.
|
||||
#
|
||||
# License:
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
#=============================================================================
|
||||
|
||||
import datetime
|
||||
import logging
|
||||
import os
|
||||
import subprocess
|
||||
import sys
|
||||
|
||||
__author__ = 'Erinn Looney-Triggs'
|
||||
__credits__ = ['Erinn Looney-Triggs', 'Justin Ellison', 'Harald Jensas' ]
|
||||
__license__ = 'GPL 3.0'
|
||||
__maintainer__ = 'Erinn Looney-Triggs'
|
||||
__email__ = 'erinn.looneytriggs@gmail.com'
|
||||
__version__ = '4.1'
|
||||
__date__ = '2009-02-12'
|
||||
__revised__ = '2013-05-13'
|
||||
__status__ = 'Production'
|
||||
|
||||
#Nagios exit codes in English
|
||||
UNKNOWN = 3
|
||||
CRITICAL = 2
|
||||
WARNING = 1
|
||||
OK = 0
|
||||
|
||||
try:
|
||||
import requests
|
||||
except ImportError:
|
||||
print ('Python Requests module (http://docs.python-requests.org/) '
|
||||
'is required for this to work.')
|
||||
sys.exit(CRITICAL)
|
||||
|
||||
def extract_mtk_community():
|
||||
'''
|
||||
Get SNMP community string from /etc/mtk.conf
|
||||
'''
|
||||
mtk_conf_file = '/etc/mtk.conf'
|
||||
|
||||
logger.debug('Obtaining serial number via {0}.'.format(mtk_conf_file))
|
||||
|
||||
if os.path.isfile(mtk_conf_file):
|
||||
try:
|
||||
for line in open(mtk_conf_file, 'r'):
|
||||
token = line.split('=')
|
||||
|
||||
if token[0] == 'community_string':
|
||||
community_string = token[1].strip()
|
||||
except IOError:
|
||||
print 'Unable to open {0}, exiting!'.format(mtk_conf_file)
|
||||
sys.exit(UNKNOWN)
|
||||
else:
|
||||
print ('The {0} file does not exist, '
|
||||
'exiting!').format(mtk_conf_file)
|
||||
sys.exit(UNKNOWN)
|
||||
|
||||
return community_string
|
||||
|
||||
def extract_service_tag():
|
||||
'''Extracts the serial number from the localhost using (in order of
|
||||
precedence) omreport, libsmbios, or dmidecode. This function takes
|
||||
no arguments but expects omreport, libsmbios or dmidecode to exist
|
||||
and also expects dmidecode to accept -s system-serial-number
|
||||
(RHEL5 or later).
|
||||
|
||||
'''
|
||||
|
||||
dmidecode = which('dmidecode')
|
||||
libsmbios = False
|
||||
omreport = which('omreport')
|
||||
service_tags = []
|
||||
|
||||
#Test for the libsmbios module
|
||||
try:
|
||||
logger.debug('Attempting to load libsmbios_c.')
|
||||
import libsmbios_c
|
||||
except ImportError:
|
||||
logger.debug('Unable to load libsmbios_c continuing.')
|
||||
pass
|
||||
else:
|
||||
libsmbios = True
|
||||
|
||||
if omreport:
|
||||
logger.debug('Obtaining serial number via OpenManage.')
|
||||
import re
|
||||
|
||||
try:
|
||||
process = subprocess.Popen([omreport, "chassis", "info",
|
||||
"-fmt", "xml"],
|
||||
stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE)
|
||||
except OSError:
|
||||
print 'Error: {0} exiting!'.format(sys.exc_info)
|
||||
sys.exit(WARNING)
|
||||
|
||||
text = process.stdout.read()
|
||||
pattern = '''<ServiceTag>(\S+)</ServiceTag>'''
|
||||
regex = re.compile(pattern, re.X)
|
||||
service_tags = regex.findall(text)
|
||||
|
||||
elif libsmbios:
|
||||
logger.debug('Obtaining serial number via libsmbios_c.')
|
||||
|
||||
#You have to be root to extract the serial number via this method
|
||||
if os.geteuid() != 0:
|
||||
print ('{0} must be run as root in order to access '
|
||||
'libsmbios, exiting!').format(sys.argv[0])
|
||||
sys.exit(WARNING)
|
||||
|
||||
service_tags.append(libsmbios_c.system_info.get_service_tag())
|
||||
|
||||
elif dmidecode:
|
||||
logger.debug('Obtaining serial number via dmidecode.')
|
||||
#Gather the information from dmidecode
|
||||
|
||||
sudo = which('sudo')
|
||||
|
||||
if not sudo:
|
||||
print 'Sudo is not available, exiting!'
|
||||
sys.exit(WARNING)
|
||||
|
||||
try:
|
||||
process = subprocess.Popen([sudo, dmidecode, "-s",
|
||||
"system-serial-number"],
|
||||
stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE)
|
||||
except OSError:
|
||||
print 'Error: {0} exiting!'.format(sys.exc_info)
|
||||
sys.exit(WARNING)
|
||||
|
||||
service_tags.append(process.stdout.read().strip())
|
||||
|
||||
else:
|
||||
print ('Omreport, libsmbios and dmidecode are not available in '
|
||||
'$PATH, exiting!')
|
||||
sys.exit(WARNING)
|
||||
|
||||
return service_tags
|
||||
|
||||
def extract_service_tag_snmp( options ):
|
||||
'''
|
||||
Extracts the serial number from the a remote host using SNMP.
|
||||
This function takes the following arguments: hostname, community,
|
||||
and mtk. The mtk argument will make the plug-in read the SNMP
|
||||
community string from /etc/mtk.conf. (/etc/mtk.conf is used by
|
||||
the mtk-nagios plugin.
|
||||
(mtk-nagios plug-in: http://www.hpccommunity.org/sysmgmt/)
|
||||
'''
|
||||
try:
|
||||
import netsnmp
|
||||
except ImportError:
|
||||
print "Unable to load netsnmp python module, aborting!"
|
||||
sys.exit(UNKNOWN)
|
||||
|
||||
service_tags = []
|
||||
hostname = options.hostname
|
||||
port = options.port
|
||||
version = options.version
|
||||
|
||||
logger.debug('Obtaining serial number via SNMP '
|
||||
'version: {0}.'.format(version))
|
||||
|
||||
if version == 3:
|
||||
sec_level = options.secLevel
|
||||
sec_name = options.secName
|
||||
priv_protocol = options.privProtocol
|
||||
priv_password = options.privPassword
|
||||
auth_protocol = options.authProtocol
|
||||
auth_password = options.authPassword
|
||||
|
||||
session = netsnmp.Session(DestHost=hostname, Version=version,
|
||||
SecLevel=sec_level, SecName=sec_name,
|
||||
AuthProto=auth_protocol,
|
||||
AuthPass=auth_password,
|
||||
PrivProto=priv_protocol,
|
||||
PrivPass=priv_password,
|
||||
RemotePort = port,
|
||||
)
|
||||
|
||||
elif version == 2 or version == 1:
|
||||
community = options.community
|
||||
|
||||
session = netsnmp.Session(DestHost=hostname, Version=version,
|
||||
Community=community, RemotePort=port)
|
||||
|
||||
else:
|
||||
print 'Unknown SNMP version {0}, exiting!'.format(version)
|
||||
|
||||
|
||||
def _autodetect_dell_device(session):
|
||||
|
||||
logger.debug('Beginning auto detection of system type.')
|
||||
|
||||
var = netsnmp.VarList(netsnmp.Varbind('SNMPv2-SMI::enterprises',
|
||||
'.674.'))
|
||||
session.getnext(var)
|
||||
tag = var.varbinds.pop().tag
|
||||
|
||||
if tag.find('enterprises.674.10892.1.') != -1:
|
||||
sys_type = 'omsa' #OMSA answered.
|
||||
elif tag.find('enterprises.674.10892.2.') != -1:
|
||||
sys_type = 'RAC' #Blade CMC or Server DRAC answered.
|
||||
elif tag.find('enterprises.674.10895.') != -1:
|
||||
sys_type = 'powerconnect' #PowerConnect switch answered.
|
||||
else:
|
||||
print ('snmpgetnext Failed:{0} System type or system '
|
||||
'unknown!').format(tag)
|
||||
sys.exit(WARNING)
|
||||
|
||||
logger.debug('System type is: {0}'.format(sys_type))
|
||||
|
||||
return sys_type
|
||||
|
||||
system_type = _autodetect_dell_device(session)
|
||||
|
||||
#System is server with OMSA, will check for External DAS enclosure
|
||||
#and get service tag.
|
||||
if system_type == 'omsa':
|
||||
|
||||
#Is External DAS Storage Enclosure connected?
|
||||
var = netsnmp.VarList(netsnmp.Varbind('SNMPv2-SMI::enterprises',
|
||||
'.674.10893.1.20.130.3.1.1'))
|
||||
enclosure_ids = session.walk(var)
|
||||
|
||||
logger.debug('Enclosure IDs: {0}'.format(enclosure_ids))
|
||||
|
||||
for enclosure_id in enclosure_ids:
|
||||
|
||||
#For backwards compatibility with OM 5.3
|
||||
if not enclosure_id:
|
||||
continue
|
||||
|
||||
var = netsnmp.VarList(netsnmp.Varbind('SNMPv2-SMI::enterprises',
|
||||
'.674.10893.1.20.130.3.1.16.{0}'.format(enclosure_id)))
|
||||
|
||||
enclosure_type = session.get(var)[0]
|
||||
|
||||
logger.debug('Enclosure type: {0}'.format(enclosure_type))
|
||||
|
||||
if enclosure_type != '1': #Enclosure type 1 is integrated backplane.
|
||||
|
||||
#Get storage enclosure Service Tag.
|
||||
var = netsnmp.VarList(netsnmp.Varbind('SNMPv2-SMI::enterprises',
|
||||
'.674.10893.1.20.130.3.1.8.{0}'.format(enclosure_id)))
|
||||
enclosure_serial_number = session.get(var)[0]
|
||||
|
||||
logger.debug('Enclosure Serial Number obtained: {0}'
|
||||
.format(enclosure_serial_number))
|
||||
|
||||
service_tags.append(enclosure_serial_number)
|
||||
|
||||
#Get system Service Tag.
|
||||
var = netsnmp.VarList(netsnmp.Varbind('SNMPv2-SMI::enterprises',
|
||||
'.674.10892.1.300.10.1.11.1'))
|
||||
|
||||
serial_number = session.get(var)[0]
|
||||
|
||||
elif system_type == 'RAC':
|
||||
var = netsnmp.VarList(netsnmp.Varbind('SNMPv2-SMI::enterprises',
|
||||
'.674.10892.2.1.1.11.0'))
|
||||
serial_number = session.get(var)[0]
|
||||
|
||||
logger.debug('RAC serial number obtained: {0}'.format(serial_number))
|
||||
|
||||
elif system_type == 'powerconnect':
|
||||
var = netsnmp.VarList(netsnmp.Varbind('SNMPv2-SMI::enterprises',
|
||||
'.674.10895.3000.1.2.100'
|
||||
'.8.1.4.1'))
|
||||
serial_number = session.get(var)[0]
|
||||
|
||||
logger.debug('PowerConnect serial number obtained: {0}'
|
||||
.format(serial_number))
|
||||
|
||||
service_tags.append(serial_number)
|
||||
|
||||
logger.debug('Service_tags obtained: {0}'.format(service_tags))
|
||||
|
||||
return service_tags
|
||||
|
||||
#
|
||||
# #Get enclosure type.
|
||||
# # 1: Internal
|
||||
# # 2: DellTM PowerVaultTM 200S (PowerVault 201S)
|
||||
# # 3: Dell PowerVault 210S (PowerVault 211S)
|
||||
# # 4: Dell PowerVault 220S (PowerVault 221S)
|
||||
# # 5: Dell PowerVault 660F
|
||||
# # 6: Dell PowerVault 224F
|
||||
# # 7: Dell PowerVault 660F/PowerVault 224F
|
||||
# # 8: Dell MD1000
|
||||
# # 9: Dell MD1120
|
||||
|
||||
|
||||
def get_warranty_https(service_tag_list, timeout):
|
||||
'''
|
||||
Obtains the warranty information from Dell's website. This function
|
||||
expects a list containing one or more serial numbers to be checked
|
||||
against Dell's database.
|
||||
'''
|
||||
|
||||
url = 'https://api.dell.com/support/v2/assetinfo/warranty/tags.json'
|
||||
#Additional API keys, just in case:
|
||||
#d676cf6e1e0ceb8fd14e8cb69acd812d
|
||||
#849e027f476027a394edd656eaef4842
|
||||
|
||||
apikey = '1adecee8a60444738f280aad1cd87d0e'
|
||||
|
||||
service_tags = ''
|
||||
|
||||
if len(service_tag_list) == 1:
|
||||
service_tags = service_tag_list[0]
|
||||
else:
|
||||
for service_tag in service_tag_list:
|
||||
service_tags += service_tag + '|'
|
||||
|
||||
#Because we can't have a trailing '|'
|
||||
service_tags = service_tags.rstrip('|')
|
||||
|
||||
logger.debug('Requesting service tags: {0}'.format(service_tags))
|
||||
|
||||
payload = {'svctags': service_tags, 'apikey': apikey}
|
||||
|
||||
try:
|
||||
response = requests.get(url, params=payload, verify=False,
|
||||
timeout=timeout)
|
||||
|
||||
except requests.exceptions.SSLError:
|
||||
print 'Unable to verify SSL certificate for url: {0}'.format(url)
|
||||
sys.exit(UNKNOWN)
|
||||
|
||||
try:
|
||||
#Throw an exception for anything but 200 response code
|
||||
response.raise_for_status()
|
||||
except requests.exceptions.HTTPError:
|
||||
print 'Unable to contact url: {0}.format(url)'
|
||||
sys.exit(UNKNOWN)
|
||||
|
||||
logger.debug('Requesting warranty information from Dell url: '
|
||||
'{0}'.format(response.url))
|
||||
|
||||
result = response.json()
|
||||
logger.debug('Raw output received: \n {0}'.format(result))
|
||||
|
||||
#We test for any faults assserted by the api.
|
||||
check_faults(result)
|
||||
|
||||
return result
|
||||
|
||||
def check_faults(response):
|
||||
'''
|
||||
This function checks the json content for faults that are rasied by Dell's
|
||||
API. Any faults results in immediate termination with status UNKNOWN.
|
||||
'''
|
||||
|
||||
logger.debug('Testing for faults in json response.')
|
||||
fault = (response['GetAssetWarrantyResponse']['GetAssetWarrantyResult']
|
||||
['Faults'])
|
||||
logger.debug('Raw fault return: {0}'.format(fault))
|
||||
|
||||
if fault:
|
||||
logger.debug('Fault found.')
|
||||
|
||||
code = fault['FaultException']['Code']
|
||||
message = fault['FaultException']['Message']
|
||||
|
||||
print ('API fault code: "{0}" encountered, message: "{1}". '
|
||||
'Exiting!'.format(code, message))
|
||||
sys.exit(UNKNOWN)
|
||||
|
||||
logger.debug('No faults found.')
|
||||
return None
|
||||
|
||||
def build_warranty_line(warranty, full_line, days, short_output):
|
||||
'''
|
||||
This function takes a warranty object and parses the salient information
|
||||
out. It then calculates the number of days remaining in the warranty
|
||||
period, and builds a line for Nagios outputting.
|
||||
'''
|
||||
|
||||
logger.debug('Warranty contains')
|
||||
|
||||
description = warranty['ServiceLevelDescription']
|
||||
end_date = warranty['EndDate']
|
||||
start_date = warranty['StartDate']
|
||||
provider = warranty['ServiceProvider']
|
||||
|
||||
logger.debug('Found: Start date: {0}, End Date: {1},Description: {2}, '
|
||||
'Provider: {3}'.format(start_date, end_date, description,
|
||||
provider))
|
||||
|
||||
#Because we need ot be able to calculate the time left as well as
|
||||
#better formatting.
|
||||
start_date = convert_date(start_date)
|
||||
end_date = convert_date(end_date)
|
||||
|
||||
days_left = (end_date - datetime.date.today()).days
|
||||
|
||||
#Because no one cares about egative numbers of days.
|
||||
if days_left < 0:
|
||||
days_left = 0
|
||||
|
||||
logger.debug('Number of days left in warranty: '
|
||||
'{0}'.format(days_left))
|
||||
|
||||
if short_output:
|
||||
full_line = "%s, End: %s, Days left: %i" %(full_line, str(end_date.strftime('%m/%d/%Y')), days_left)
|
||||
|
||||
else:
|
||||
full_line = "%s, Warranty: %s, Start: %s, End: %s, Days left: %i" %(full_line, description, str(start_date.strftime('%m/%d/%Y')),
|
||||
str(end_date.strftime('%m/%d/%Y')), days_left)
|
||||
|
||||
days.append(int(days_left))
|
||||
|
||||
return full_line, days
|
||||
|
||||
def convert_date(date):
|
||||
'''
|
||||
This function converts the date as returned by the Dell API into a
|
||||
datetime object. Dell's API format is as follows: 2010-07-01T01:00:00
|
||||
'''
|
||||
#Split on 'T' grab the date then split it out on '-'
|
||||
year, month, day = date.split('T')[0].split('-')
|
||||
|
||||
return datetime.date(int(year), int(month), int(day))
|
||||
|
||||
def process_asset(asset, full_line, days, short_output):
|
||||
'''
|
||||
This function processes a json asset returned from Dell's API and
|
||||
builds a line appropriate for Nagios output, as well as the service
|
||||
tag for the line and the number of days remaining for each warranty
|
||||
as a list.
|
||||
'''
|
||||
|
||||
logger.debug('Raw asset being processed: {0}'.format(asset))
|
||||
|
||||
service_tag = asset['ServiceTag']
|
||||
warranty = asset['Warranties']['Warranty']
|
||||
if ( type(warranty) == type([]) ) and len(warranty) > 0:
|
||||
warranty = warranty[0]
|
||||
full_line, days = build_warranty_line(warranty, full_line,
|
||||
days, short_output)
|
||||
|
||||
return service_tag, full_line, days
|
||||
|
||||
def parse_exit(result, short_output):
|
||||
|
||||
critical = 0
|
||||
days = []
|
||||
warning = 0
|
||||
full_line = r'%s: Service Tag: %s'
|
||||
|
||||
logger.debug('Beginning to parse results and construct exit line '
|
||||
'and code.')
|
||||
|
||||
assets = (result['GetAssetWarrantyResponse']['GetAssetWarrantyResult']
|
||||
['Response']['DellAsset'])
|
||||
|
||||
logger.debug('Assets obtained: {0}'.format(assets))
|
||||
|
||||
#Check if there are multiple assets being provided
|
||||
if isinstance(assets, list):
|
||||
logger.debug('Multiple assets being processed.')
|
||||
|
||||
for asset in assets:
|
||||
service_tag, full_line, days = process_asset(asset, full_line,
|
||||
days, short_output)
|
||||
|
||||
#There is only one asset
|
||||
else:
|
||||
logger.debug('A single asset is being processed.')
|
||||
asset = assets
|
||||
service_tag, full_line, days = process_asset(asset, full_line,
|
||||
days, short_output)
|
||||
|
||||
#Put the days remaining in ascending order
|
||||
days.sort()
|
||||
|
||||
logger.debug('Days remaining on warranties: {0}'.format(days))
|
||||
|
||||
if days[-1] < options.critical_days:
|
||||
state = 'CRITICAL'
|
||||
critical += 1
|
||||
|
||||
elif days[-1] < options.warning_days:
|
||||
state = 'WARNING'
|
||||
warning += 1
|
||||
|
||||
else:
|
||||
state = 'OK'
|
||||
|
||||
print full_line % (state, service_tag),
|
||||
|
||||
if critical:
|
||||
sys.exit(CRITICAL)
|
||||
elif warning:
|
||||
sys.exit(WARNING)
|
||||
else:
|
||||
sys.exit(OK)
|
||||
|
||||
return None #Should never get here
|
||||
|
||||
def sigalarm_handler(signum, frame):
|
||||
'''
|
||||
Handler for an alarm situation.
|
||||
'''
|
||||
|
||||
print ('{0} timed out after {1} seconds, '
|
||||
'signum:{2}, frame: {3}').format(sys.argv[0], options.timeout,
|
||||
signum, frame)
|
||||
|
||||
sys.exit(CRITICAL)
|
||||
return None
|
||||
|
||||
def which(program):
|
||||
'''This is the equivalent of the 'which' BASH built-in with a check to
|
||||
make sure the program that is found is executable.
|
||||
'''
|
||||
|
||||
def is_exe(file_path):
|
||||
'''Tests that a file exists and is executable.
|
||||
'''
|
||||
return os.path.exists(file_path) and os.access(file_path, os.X_OK)
|
||||
|
||||
file_path = os.path.split(program)[0]
|
||||
|
||||
if file_path:
|
||||
if is_exe(program):
|
||||
return program
|
||||
else:
|
||||
for path in os.environ["PATH"].split(os.pathsep):
|
||||
exe_file = os.path.join(path, program)
|
||||
if is_exe(exe_file):
|
||||
return exe_file
|
||||
|
||||
return None
|
||||
|
||||
if __name__ == '__main__':
|
||||
import optparse
|
||||
import signal
|
||||
|
||||
parser = optparse.OptionParser(description='''Nagios plug-in to pull the
|
||||
Dell service tag and check it against Dell's web site to see how many
|
||||
days remain. By default it issues a warning when there is less than
|
||||
thirty days remaining and critical when there is less than ten days
|
||||
remaining. These values can be adjusted using the command line, see --help.
|
||||
''',
|
||||
prog="check_dell_warranty",
|
||||
version="%prog Version: {0}".format(__version__))
|
||||
parser.add_option('-a', dest='authProtocol', action='store',
|
||||
help=('Set the default authentication protocol for '
|
||||
'SNMPv3 (MD5 or SHA).'))
|
||||
parser.add_option('-A', dest='authPassword',
|
||||
help=('Set the SNMPv3 authentication protocol password.')
|
||||
)
|
||||
parser.add_option('-C', '--community', action='store',
|
||||
dest='community', type='string',default='public',
|
||||
help=('SNMP Community String to use. '
|
||||
'(Default: %default)'))
|
||||
parser.add_option('-c', '--critical', dest='critical_days', default=10,
|
||||
help=('Number of days under which to return critical '
|
||||
'(Default: %default).'), type='int', metavar='<ARG>')
|
||||
parser.add_option('-H', '--hostname', action='store', type='string',
|
||||
dest='hostname',
|
||||
help='Specify the host name of the SNMP agent')
|
||||
parser.add_option('-l', dest='secLevel', default='noAuthNoPriv',
|
||||
action='store',
|
||||
help=('Set the SNMPv3 security level, (noAuthNoPriv'
|
||||
'|authNoPriv|authPriv) (Default: noAuthNoPriv)'))
|
||||
parser.add_option('--mtk', action='store_true', dest='mtk_installed',
|
||||
default=False,
|
||||
help=('Get SNMP Community String from /etc/mtk.conf if '
|
||||
'mtk-nagios plugin is installed. NOTE: This option '
|
||||
'will make the mtk.conf community string take '
|
||||
'precedence over anything entered at the '
|
||||
'command line (Default: %default)'))
|
||||
parser.add_option('-p', '--port', dest='port', default=161,
|
||||
help=('Set the SNMP port to be connected to '
|
||||
'(Default:161).'), type='int')
|
||||
parser.add_option('-s', '--service_tag', dest='service_tag',
|
||||
help=('Dell Service Tag of system, to enter more than '
|
||||
'one use multiple flags (Default: auto-detected)'),
|
||||
action='append', metavar='<ARG>')
|
||||
parser.add_option('-S', '--short', dest='short_output',
|
||||
action='store_true', default = False,
|
||||
help=('Display short output: only the status, '
|
||||
'service tag, end date and days left for each '
|
||||
'warranty.'))
|
||||
parser.add_option('-t', '--timeout', dest='timeout', default=10,
|
||||
help=('Set the timeout for the program to run '
|
||||
'(Default: %default seconds)'), type='int',
|
||||
metavar='<ARG>')
|
||||
parser.add_option('-u', dest='secName', action='store',
|
||||
help='Set the SNMPv3 security name (user name).')
|
||||
parser.add_option('-v', dest='version', default=3, action='store',
|
||||
help=('Specify the SNMP version (1, 2, 3) Default: 3'),
|
||||
type='int'
|
||||
)
|
||||
parser.add_option('-V', dest='verbose', action='store_true',
|
||||
default=False, help =('Give verbose output (Default: '
|
||||
'Off)')
|
||||
)
|
||||
parser.add_option('-w', '--warning', dest='warning_days', default=30,
|
||||
help=('Number of days under which to return a warning '
|
||||
'(Default: %default)'), type='int', metavar='<ARG>' )
|
||||
parser.add_option('-x', dest='privProtocol', action='store',
|
||||
help='Set the SNMPv3 privacy protocol (DES or AES).')
|
||||
parser.add_option('-X', dest='privPassword', action='store',
|
||||
help='Set the SNMPv3 privacy pass phrase.')
|
||||
|
||||
(options, args) = parser.parse_args()
|
||||
|
||||
##Configure logging
|
||||
logger = logging.getLogger("check_dell_warranty")
|
||||
handler = logging.StreamHandler()
|
||||
if options.verbose:
|
||||
sys.stderr.write('Switching on debug mode.\n')
|
||||
handler.setLevel(logging.DEBUG)
|
||||
logger.setLevel(logging.DEBUG)
|
||||
|
||||
##Set the logging format, time, log level name, and the message
|
||||
formatter = logging.Formatter('%(levelname)s - %(message)s')
|
||||
handler.setFormatter(formatter)
|
||||
|
||||
logger.addHandler(handler)
|
||||
|
||||
signal.signal(signal.SIGALRM, sigalarm_handler)
|
||||
signal.alarm(options.timeout)
|
||||
|
||||
if options.service_tag:
|
||||
SERVICE_TAGS = options.service_tag
|
||||
elif options.hostname or options.mtk_installed:
|
||||
SERVICE_TAGS = extract_service_tag_snmp(options)
|
||||
else:
|
||||
SERVICE_TAGS = extract_service_tag()
|
||||
|
||||
RESULT = get_warranty_https(SERVICE_TAGS, options.timeout)
|
||||
signal.alarm(0)
|
||||
|
||||
parse_exit(RESULT, options.short_output)
|
||||
|
|
@ -0,0 +1,115 @@
|
|||
#!/usr/bin/perl -w
|
||||
|
||||
# Copyright (c) 2002 ISOMEDIA, Inc.
|
||||
# originally written by Steve Milton
|
||||
# later updates by sean finney <seanius@seanius.net>
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 2 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
#
|
||||
# Usage: check_raid [raid-name]
|
||||
# Example: check_raid md0
|
||||
# WARNING md0 status=[UUU_U], recovery=46.4%, finish=123.0min
|
||||
|
||||
use strict;
|
||||
use lib "/usr/lib/nagios/plugins";
|
||||
use utils qw(%ERRORS);
|
||||
|
||||
# die with an error if we're not on Linux
|
||||
if ($^O ne 'linux') {
|
||||
print "This plugin only applicable on Linux.\n";
|
||||
exit $ERRORS{'UNKNOWN'};
|
||||
}
|
||||
|
||||
sub max_state($$){
|
||||
my ($a, $b) = @_;
|
||||
if ($a eq "CRITICAL" || $b eq "CRITICAL") { return "CRITICAL"; }
|
||||
elsif ($a eq "WARNING" || $b eq "WARNING") { return "WARNING"; }
|
||||
elsif ($a eq "OK" || $b eq "OK") { return "OK"; }
|
||||
elsif ($a eq "UNKNOWN" || $b eq "UNKNOWN") { return "UNKNOWN"; }
|
||||
elsif ($a eq "DEPENDENT" || $b eq "DEPENDENT") { return "DEPENDENT"; }
|
||||
return "UNKNOWN";
|
||||
}
|
||||
|
||||
my $nextdev;
|
||||
if(defined $ARGV[0]) { $nextdev = shift; }
|
||||
else { $nextdev = "md[0-9]+"; }
|
||||
|
||||
my $code = "UNKNOWN";
|
||||
my $msg = "";
|
||||
my %status;
|
||||
my %recovery;
|
||||
my %finish;
|
||||
my %active;
|
||||
my %devices;
|
||||
|
||||
while(defined $nextdev){
|
||||
open (MDSTAT, "< /proc/mdstat") or die "Failed to open /proc/mdstat";
|
||||
my $device = undef;
|
||||
while(<MDSTAT>) {
|
||||
if (defined $device) {
|
||||
if (/(\[[_U]+\])/) {
|
||||
$status{$device} = $1;
|
||||
} elsif (/recovery = (.*?)\s/) {
|
||||
$recovery{$device} = $1;
|
||||
($finish{$device}) = /finish=(.*?min)/;
|
||||
$device=undef;
|
||||
} elsif (/^\s*$/) {
|
||||
$device=undef;
|
||||
}
|
||||
} elsif (/^($nextdev)\s*:/) {
|
||||
$device=$1;
|
||||
$devices{$device}=$device;
|
||||
if (/\sactive/) {
|
||||
$status{$device} = ''; # Shall be filled later if available
|
||||
$active{$device} = 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
$nextdev = shift;
|
||||
}
|
||||
|
||||
foreach my $k (sort keys %devices){
|
||||
if (!exists($status{$k})) {
|
||||
$msg .= sprintf " %s inactive with no status information.",
|
||||
$devices{$k};
|
||||
$code = max_state($code, "CRITICAL");
|
||||
} elsif ($status{$k} =~ /_/) {
|
||||
if (defined $recovery{$k}) {
|
||||
$msg .= sprintf " %s status=%s, recovery=%s, finish=%s.",
|
||||
$devices{$k}, $status{$k}, $recovery{$k}, $finish{$k};
|
||||
$code = max_state($code, "WARNING");
|
||||
} else {
|
||||
$msg .= sprintf " %s status=%s.", $devices{$k}, $status{$k};
|
||||
$code = max_state($code, "CRITICAL");
|
||||
}
|
||||
} elsif ($status{$k} =~ /U+/) {
|
||||
$msg .= sprintf " %s status=%s.", $devices{$k}, $status{$k};
|
||||
$code = max_state($code, "OK");
|
||||
} else {
|
||||
if ($active{$k}) {
|
||||
$msg .= sprintf " %s active with no status information.",
|
||||
$devices{$k};
|
||||
$code = max_state($code, "OK");
|
||||
} else {
|
||||
# This should't run anymore, but is left as a catch-all
|
||||
$msg .= sprintf " %s does not exist.\n", $devices{$k};
|
||||
$code = max_state($code, "CRITICAL");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
print $code, $msg, "\n";
|
||||
exit ($ERRORS{$code});
|
||||
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,38 @@
|
|||
#!/bin/bash
|
||||
|
||||
TIMESTAMP=$( date +%s )
|
||||
ONEDAY=86400
|
||||
RETVAL=0
|
||||
MSG=
|
||||
if [ -f /etc/default/pg_backup ] ; then
|
||||
. /etc/default/pg_backup
|
||||
else
|
||||
BACKUPDIR=/var/lib/pgsql/backups
|
||||
fi
|
||||
TIMESTAMP_LOG=$BACKUPDIR/.timestamp
|
||||
NAGIOS_LOG=$BACKUPDIR/.nagios-status
|
||||
|
||||
function check_db_freshness() {
|
||||
DB_LASTRUN=$( cat $TIMESTAMP_LOG )
|
||||
FRESHNESS=$( echo "$TIMESTAMP - $DB_LASTRUN" | bc )
|
||||
if [ $FRESHNESS -gt $ONEDAY ] ; then
|
||||
MSG_FRESH="Dump older than 1 day ; "
|
||||
RETVAL=1
|
||||
fi
|
||||
}
|
||||
|
||||
function check_dump_status() {
|
||||
MSG_STATUS=$( grep FAILED $NAGIOS_LOG )
|
||||
if [ $? -eq 0 ] ; then
|
||||
RETVAL=2
|
||||
else
|
||||
MSG_STATUS="All dumps OK"
|
||||
fi
|
||||
}
|
||||
|
||||
check_db_freshness
|
||||
check_dump_status
|
||||
|
||||
MSG="$MSG_FRESH $MSG_STATUS"
|
||||
echo -n $MSG
|
||||
exit $RETVAL
|
|
@ -0,0 +1,311 @@
|
|||
#!/usr/bin/perl -w
|
||||
# Check SMART status of ATA/SCSI disks, returning any usable metrics as perfdata.
|
||||
# For usage information, run ./check_smart -h
|
||||
#
|
||||
# This script was created under contract for the US Government and is therefore Public Domain
|
||||
#
|
||||
# Changes and Modifications
|
||||
# =========================
|
||||
# Feb 3, 2009: Kurt Yoder - initial version of script
|
||||
|
||||
use strict;
|
||||
use Getopt::Long;
|
||||
|
||||
use File::Basename qw(basename);
|
||||
my $basename = basename($0);
|
||||
|
||||
my $revision = '$Revision: 1.0 $';
|
||||
|
||||
use lib '/usr/lib/nagios/plugins/';
|
||||
use utils qw(%ERRORS &print_revision &support &usage);
|
||||
|
||||
$ENV{'PATH'}='/bin:/usr/bin:/sbin:/usr/sbin';
|
||||
$ENV{'BASH_ENV'}='';
|
||||
$ENV{'ENV'}='';
|
||||
|
||||
use vars qw($opt_d $opt_debug $opt_h $opt_i $opt_v);
|
||||
Getopt::Long::Configure('bundling');
|
||||
GetOptions(
|
||||
"debug" => \$opt_debug,
|
||||
"d=s" => \$opt_d, "device=s" => \$opt_d,
|
||||
"h" => \$opt_h, "help" => \$opt_h,
|
||||
"i=s" => \$opt_i, "interface=s" => \$opt_i,
|
||||
"v" => \$opt_v, "version" => \$opt_v,
|
||||
);
|
||||
|
||||
if ($opt_v) {
|
||||
print_revision($basename,$revision);
|
||||
exit $ERRORS{'OK'};
|
||||
}
|
||||
|
||||
if ($opt_h) {
|
||||
print_help();
|
||||
exit $ERRORS{'OK'};
|
||||
}
|
||||
|
||||
my ($device, $interface) = qw//;
|
||||
if ($opt_d) {
|
||||
unless($opt_i){
|
||||
print "must specify an interface for $opt_d using -i/--interface!\n\n";
|
||||
print_help();
|
||||
exit $ERRORS{'UNKNOWN'};
|
||||
}
|
||||
|
||||
if (-b $opt_d){
|
||||
$device = $opt_d;
|
||||
}
|
||||
else{
|
||||
print "$opt_d is not a valid block device!\n\n";
|
||||
print_help();
|
||||
exit $ERRORS{'UNKNOWN'};
|
||||
}
|
||||
|
||||
if(grep {$opt_i eq $_} ('ata', 'scsi')){
|
||||
$interface = $opt_i;
|
||||
}
|
||||
else{
|
||||
print "invalid interface $opt_i for $opt_d!\n\n";
|
||||
print_help();
|
||||
exit $ERRORS{'UNKNOWN'};
|
||||
}
|
||||
}
|
||||
else{
|
||||
print "must specify a device!\n\n";
|
||||
print_help();
|
||||
exit $ERRORS{'UNKNOWN'};
|
||||
}
|
||||
|
||||
my $smart_command = '/usr/bin/sudo /usr/sbin/smartctl';
|
||||
my @error_messages = qw//;
|
||||
my $exit_status = 'OK';
|
||||
|
||||
|
||||
warn "###########################################################\n" if $opt_debug;
|
||||
warn "(debug) CHECK 1: getting overall SMART health status\n" if $opt_debug;
|
||||
warn "###########################################################\n\n\n" if $opt_debug;
|
||||
|
||||
my $full_command = "$smart_command -d $interface -H $device";
|
||||
warn "(debug) executing:\n$full_command\n\n" if $opt_debug;
|
||||
|
||||
my @output = `$full_command`;
|
||||
warn "(debug) output:\n@output\n\n" if $opt_debug;
|
||||
|
||||
# parse ata output, looking for "health status: passed"
|
||||
my $found_status = 0;
|
||||
my $line_str = 'SMART overall-health self-assessment test result: '; # ATA SMART line
|
||||
my $ok_str = 'PASSED'; # ATA SMART OK string
|
||||
|
||||
if ($interface eq 'scsi'){
|
||||
$line_str = 'SMART Health Status: '; # SCSI SMART line
|
||||
$ok_str = 'OK'; #SCSI SMART OK string
|
||||
}
|
||||
|
||||
foreach my $line (@output){
|
||||
if($line =~ /$line_str(.+)/){
|
||||
$found_status = 1;
|
||||
warn "(debug) parsing line:\n$line\n\n" if $opt_debug;
|
||||
if ($1 eq $ok_str) {
|
||||
warn "(debug) found string '$ok_str'; status OK\n\n" if $opt_debug;
|
||||
}
|
||||
else {
|
||||
warn "(debug) no '$ok_str' status; failing\n\n" if $opt_debug;
|
||||
push(@error_messages, "Health status: $1");
|
||||
escalate_status('CRITICAL');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
unless ($found_status) {
|
||||
push(@error_messages, 'No health status line found');
|
||||
escalate_status('UNKNOWN');
|
||||
}
|
||||
|
||||
|
||||
warn "###########################################################\n" if $opt_debug;
|
||||
warn "(debug) CHECK 2: getting silent SMART health check\n" if $opt_debug;
|
||||
warn "###########################################################\n\n\n" if $opt_debug;
|
||||
|
||||
$full_command = "$smart_command -d $interface -q silent -A $device";
|
||||
warn "(debug) executing:\n$full_command\n\n" if $opt_debug;
|
||||
|
||||
system($full_command);
|
||||
my $return_code = $?;
|
||||
warn "(debug) exit code:\n$return_code\n\n" if $opt_debug;
|
||||
|
||||
if ($return_code & 0x01) {
|
||||
push(@error_messages, 'Commandline parse failure');
|
||||
escalate_status('UNKNOWN');
|
||||
}
|
||||
if ($return_code & 0x02) {
|
||||
push(@error_messages, 'Device could not be opened');
|
||||
escalate_status('UNKNOWN');
|
||||
}
|
||||
if ($return_code & 0x04) {
|
||||
push(@error_messages, 'Checksum failure');
|
||||
escalate_status('WARNING');
|
||||
}
|
||||
if ($return_code & 0x08) {
|
||||
push(@error_messages, 'Disk is failing');
|
||||
escalate_status('CRITICAL');
|
||||
}
|
||||
if ($return_code & 0x10) {
|
||||
push(@error_messages, 'Disk is in prefail');
|
||||
escalate_status('WARNING');
|
||||
}
|
||||
if ($return_code & 0x20) {
|
||||
push(@error_messages, 'Disk may be close to failure');
|
||||
escalate_status('WARNING');
|
||||
}
|
||||
if ($return_code & 0x40) {
|
||||
push(@error_messages, 'Error log contains errors');
|
||||
escalate_status('WARNING');
|
||||
}
|
||||
if ($return_code & 0x80) {
|
||||
push(@error_messages, 'Self-test log contains errors');
|
||||
escalate_status('WARNING');
|
||||
}
|
||||
if ($return_code && !$exit_status) {
|
||||
push(@error_messages, 'Unknown return code');
|
||||
escalate_status('CRITICAL');
|
||||
}
|
||||
|
||||
if ($return_code) {
|
||||
warn "(debug) non-zero exit code, generating error condition\n\n" if $opt_debug;
|
||||
}
|
||||
else {
|
||||
warn "(debug) zero exit code, status OK\n\n" if $opt_debug;
|
||||
}
|
||||
|
||||
|
||||
warn "###########################################################\n" if $opt_debug;
|
||||
warn "(debug) CHECK 3: getting detailed statistics\n" if $opt_debug;
|
||||
warn "(debug) information contains a few more potential trouble spots\n" if $opt_debug;
|
||||
warn "(debug) plus, we can also use the information for perfdata/graphing\n" if $opt_debug;
|
||||
warn "###########################################################\n\n\n" if $opt_debug;
|
||||
|
||||
$full_command = "$smart_command -d $interface -A $device";
|
||||
warn "(debug) executing:\n$full_command\n\n" if $opt_debug;
|
||||
@output = `$full_command`;
|
||||
warn "(debug) output:\n@output\n\n" if $opt_debug;
|
||||
my @perfdata = qw//;
|
||||
|
||||
# separate metric-gathering and output analysis for ATA vs SCSI SMART output
|
||||
if ($interface eq 'ata'){
|
||||
foreach my $line(@output){
|
||||
# get lines that look like this:
|
||||
# 9 Power_On_Minutes 0x0032 241 241 000 Old_age Always - 113h+12m
|
||||
next unless $line =~ /^\s*\d+\s(\S+)\s+(?:\S+\s+){6}(\S+)\s+(\d+)/;
|
||||
my ($attribute_name, $when_failed, $raw_value) = ($1, $2, $3);
|
||||
if ($when_failed ne '-'){
|
||||
push(@error_messages, "Attribute $attribute_name failed at $when_failed");
|
||||
escalate_status('WARNING');
|
||||
warn "(debug) parsed SMART attribute $attribute_name with error condition:\n$when_failed\n\n" if $opt_debug;
|
||||
}
|
||||
# some attributes produce questionable data; no need to graph them
|
||||
if (grep {$_ eq $attribute_name} ('Unknown_Attribute', 'Power_On_Minutes') ){
|
||||
next;
|
||||
}
|
||||
push (@perfdata, "$attribute_name=$raw_value");
|
||||
|
||||
# do some manual checks
|
||||
if ( ($attribute_name eq 'Current_Pending_Sector') && $raw_value ) {
|
||||
push(@error_messages, "Sectors pending re-allocation");
|
||||
escalate_status('WARNING');
|
||||
warn "(debug) Current_Pending_Sector is non-zero ($raw_value)\n\n" if $opt_debug;
|
||||
}
|
||||
}
|
||||
}
|
||||
else{
|
||||
my ($current_temperature, $max_temperature, $current_start_stop, $max_start_stop) = qw//;
|
||||
foreach my $line(@output){
|
||||
if ($line =~ /Current Drive Temperature:\s+(\d+)/){
|
||||
$current_temperature = $1;
|
||||
}
|
||||
elsif ($line =~ /Drive Trip Temperature:\s+(\d+)/){
|
||||
$max_temperature = $1;
|
||||
}
|
||||
elsif ($line =~ /Current start stop count:\s+(\d+)/){
|
||||
$current_start_stop = $1;
|
||||
}
|
||||
elsif ($line =~ /Recommended maximum start stop count:\s+(\d+)/){
|
||||
$max_start_stop = $1;
|
||||
}
|
||||
elsif ($line =~ /Elements in grown defect list:\s+(\d+)/){
|
||||
push (@perfdata, "defect_list=$1");
|
||||
}
|
||||
elsif ($line =~ /Blocks sent to initiator =\s+(\d+)/){
|
||||
push (@perfdata, "sent_blocks=$1");
|
||||
}
|
||||
}
|
||||
if($current_temperature){
|
||||
if($max_temperature){
|
||||
push (@perfdata, "temperature=$current_temperature;;$max_temperature");
|
||||
if($current_temperature > $max_temperature){
|
||||
warn "(debug) Disk temperature is greater than max ($current_temperature > $max_temperature)\n\n" if $opt_debug;
|
||||
push(@error_messages, 'Disk temperature is higher than maximum');
|
||||
escalate_status('CRITICAL');
|
||||
}
|
||||
}
|
||||
else{
|
||||
push (@perfdata, "temperature=$current_temperature");
|
||||
}
|
||||
}
|
||||
if($current_start_stop){
|
||||
if($max_start_stop){
|
||||
push (@perfdata, "start_stop=$current_start_stop;$max_start_stop");
|
||||
if($current_start_stop > $max_start_stop){
|
||||
warn "(debug) Disk start_stop is greater than max ($current_start_stop > $max_start_stop)\n\n" if $opt_debug;
|
||||
push(@error_messages, 'Disk start_stop is higher than maximum');
|
||||
escalate_status('WARNING');
|
||||
}
|
||||
}
|
||||
else{
|
||||
push (@perfdata, "start_stop=$current_start_stop");
|
||||
}
|
||||
}
|
||||
}
|
||||
warn "(debug) gathered perfdata:\n@perfdata\n\n" if $opt_debug;
|
||||
my $perf_string = join(' ', @perfdata);
|
||||
|
||||
warn "###########################################################\n" if $opt_debug;
|
||||
warn "(debug) FINAL STATUS: $exit_status\n" if $opt_debug;
|
||||
warn "###########################################################\n\n\n" if $opt_debug;
|
||||
|
||||
warn "(debug) final status/output:\n" if $opt_debug;
|
||||
|
||||
my $status_string = '';
|
||||
|
||||
if($exit_status ne 'OK'){
|
||||
$status_string = "$exit_status: ".join(', ', @error_messages);
|
||||
}
|
||||
else {
|
||||
$status_string = "OK: no SMART errors detected";
|
||||
}
|
||||
|
||||
print "$status_string|$perf_string\n";
|
||||
exit $ERRORS{$exit_status};
|
||||
|
||||
sub print_help {
|
||||
print_revision($basename,$revision);
|
||||
print "Usage: $basename (--device=<SMART device> --interface=(ata|scsi)|-h|-v) [--debug]\n";
|
||||
print " --debug: show debugging information\n";
|
||||
print " -d/--device: a device to be SMART monitored, eg /dev/sda\n";
|
||||
print " -i/--interface: ata or scsi, depending upon the device's interface type\n";
|
||||
print " -h/--help: this help\n";
|
||||
print " -v/--version: Version number\n";
|
||||
support();
|
||||
}
|
||||
|
||||
# escalate an exit status IFF it's more severe than the previous exit status
|
||||
sub escalate_status {
|
||||
my $requested_status = shift;
|
||||
# no test for 'CRITICAL'; automatically escalates upwards
|
||||
if ($requested_status eq 'WARNING') {
|
||||
return if $exit_status eq 'CRITICAL';
|
||||
}
|
||||
if ($requested_status eq 'UNKNOWN') {
|
||||
return if $exit_status eq 'WARNING';
|
||||
return if $exit_status eq 'CRITICAL';
|
||||
}
|
||||
$exit_status = $requested_status;
|
||||
}
|
|
@ -0,0 +1,162 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# https://www.monitoringexchange.org/inventory/Check-Plugins/Operating-Systems/Linux/Check-Processes-and-Ports
|
||||
# Usage: .//check_system_pp
|
||||
#
|
||||
# Description:
|
||||
# This plugin determines whether the server
|
||||
# is running properly. It will check the following:
|
||||
# * Are all required processes running?
|
||||
# * Are all the required TCP/IP ports open?
|
||||
#
|
||||
# Created: 27.01.2006 (FBA)
|
||||
#
|
||||
# Changes: 28.01.2006 added yellow check (FBA)
|
||||
# 29.01.2006 change "px -ef" to "ps -ax" (FBA). Problems with long arguments
|
||||
# 31.01.2006 added all OK Status with all procs and ports (FBA)
|
||||
# 15.07.2006 change "ps -ax" to "ps ax" (FBA). Also problems with long arguments under RedHat 3/4
|
||||
# 17.07.2006 Plugin rewrite and bugfixes (Magnus Glantz)
|
||||
# 19.07.2006 Removed utils.sh dependency.
|
||||
#
|
||||
#
|
||||
#
|
||||
|
||||
COMMON_SH_LIB=/usr/lib/nagios/plugins/isti-cnr/check_library.sh
|
||||
if [ -f $COMMON_SH_LIB ] ; then
|
||||
. $COMMON_SH_LIB
|
||||
else
|
||||
PLUGIN_DIR=/usr/lib/nagios/plugins
|
||||
ISTI_PLUGDIR=$PLUGIN_DIR/isti-cnr
|
||||
fi
|
||||
|
||||
# We want the list of processes and ports to be customizable without editing this script
|
||||
PP_CONF=$ISTI_PLUGDIR/check_system_pp.conf
|
||||
if [ -f $PP_CONF ] ; then
|
||||
. $PP_CONF
|
||||
else
|
||||
##################################################################################
|
||||
#
|
||||
# Processes to check
|
||||
PROCLIST_RED="sshd"
|
||||
PROCLIST_YELLOW="syslogd cron"
|
||||
|
||||
# Ports to check
|
||||
PORTLIST="22"
|
||||
|
||||
##################################################################################
|
||||
fi
|
||||
|
||||
PATH="/usr/bin:/usr/sbin:/bin:/sbin"
|
||||
|
||||
STATE_OK=0
|
||||
STATE_WARNING=1
|
||||
STATE_CRITICAL=2
|
||||
STATE_UNKNOWN=3
|
||||
STATE_DEPENDENT=4
|
||||
|
||||
print_gpl() {
|
||||
echo "This program is free software; you can redistribute it and/or modify"
|
||||
echo "it under the terms of the GNU General Public License as published by"
|
||||
echo "the Free Software Foundation; either version 2 of the License, or"
|
||||
echo "(at your option) any later version."
|
||||
echo ""
|
||||
echo "This program is distributed in the hope that it will be useful,"
|
||||
echo "but WITHOUT ANY WARRANTY; without even the implied warranty of"
|
||||
echo "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the"
|
||||
echo "GNU General Public License for more details."
|
||||
echo ""
|
||||
echo "You should have received a copy of the GNU General Public License"
|
||||
echo "along with this program; if not, write to the Free Software"
|
||||
echo "Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA"
|
||||
}
|
||||
|
||||
print_help(){
|
||||
echo ""
|
||||
echo "System process and port check script for Nagios."
|
||||
echo ""
|
||||
echo "Usage: ./check_system_pp"
|
||||
echo "Website: http://www.nagiosexchange.org"
|
||||
echo "https://www.monitoringexchange.org/inventory/Check-Plugins/Operating-Systems/Linux/Check-Processes-and-Ports"
|
||||
echo ""
|
||||
print_gpl
|
||||
}
|
||||
|
||||
while test -n "$1"
|
||||
do
|
||||
case "$1" in
|
||||
*) print_help; exit $STATE_OK;;
|
||||
esac
|
||||
done
|
||||
|
||||
check_processes_red()
|
||||
{
|
||||
PROCESS="0"
|
||||
ERROR_PROCS=""
|
||||
for PROC in `echo $PROCLIST_RED`; do
|
||||
if [ `ps -ef | grep -w $PROC | grep -v grep | wc -l` -lt 1 ]; then
|
||||
PROCESS=1
|
||||
ERROR_PROCS="$ERROR_PROCS""$PROC ";
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $PROCESS -eq "1" ]; then
|
||||
exit_red=$STATE_CRITICAL
|
||||
elif [ $PROCESS -eq "0" ]; then
|
||||
exit_red=$STATE_OK
|
||||
fi
|
||||
}
|
||||
|
||||
check_processes_yellow()
|
||||
{
|
||||
PROCESS="0"
|
||||
WARNING_PROCS=""
|
||||
for PROC in `echo $PROCLIST_YELLOW`; do
|
||||
if [ `ps -ef | grep $PROC | grep -v grep | wc -l` -lt 1 ]; then
|
||||
PROCESS=1
|
||||
WARNING_PROCS="$WARNING_PROCS""$PROC ";
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $PROCESS -eq "1" ]; then
|
||||
exit_yellow=$STATE_WARNING
|
||||
elif [ $PROCESS -eq "0" ]; then
|
||||
exit_yellow=$STATE_OK
|
||||
fi
|
||||
}
|
||||
|
||||
check_ports()
|
||||
{
|
||||
PORTS="0"
|
||||
ERROR_PORTS=""
|
||||
for NUM in `echo $PORTLIST`; do
|
||||
if [ `netstat -an | grep LISTEN | grep -w $NUM | grep -v grep | wc -l` -lt 1 ]; then
|
||||
PORTS=1
|
||||
ERROR_PORTS="$ERROR_PORTS""$NUM ";
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $PORTS -eq "1" ]; then
|
||||
exit_ports=$STATE_CRITICAL
|
||||
elif [ $PORTS -eq "0" ]; then
|
||||
exit_ports=$STATE_OK
|
||||
fi
|
||||
}
|
||||
|
||||
check_processes_red
|
||||
check_ports
|
||||
check_processes_yellow
|
||||
|
||||
final_exit=`expr $exit_ports + $exit_red + $exit_yellow`
|
||||
|
||||
if [ $final_exit -eq "0" ]; then
|
||||
echo "SYSTEM OK - All monitored resources OK. Processes: $PROCLIST_RED $PROCLIST_YELLOW. Ports: $PORTLIST."
|
||||
exitstatus=$STATE_OK
|
||||
elif [ $final_exit -eq "1" ]; then
|
||||
echo "SYSTEM WARNING - Processes DOWN. ($WARNING_PROCS)."
|
||||
exitstatus=$STATE_WARNING
|
||||
elif [ $final_exit -ge "1" ]; then
|
||||
echo "SYSTEM CRITICAL - Resources DOWN! Processes: $ERROR_PROCS $WARNING_PROCS. Ports: $ERROR_PORTS"
|
||||
exitstatus=$STATE_CRITICAL
|
||||
fi
|
||||
|
||||
exit $exitstatus
|
|
@ -0,0 +1,27 @@
|
|||
#!/bin/bash
|
||||
|
||||
|
||||
# semaphore leak su debian 6 col kernel backports. Il problema è del check nagios per l'hardware che usa le utility Dell.
|
||||
# Workaround: individuare ed eliminare i semafori inutilizzati ( http://serverfault.com/questions/352026/anyone-know-how-to-fix-issues-with-omsa-on-red-hat-5-1-that-reports-no-controll ):
|
||||
|
||||
# "One common non-obvious cause of this problem is system semaphore exhaustion. Check your system logs; if you see something like this:
|
||||
|
||||
# Server Administrator (Shared Library): Data Engine EventID: 0 A semaphore set has to be created but the system limit for the maximum number of semaphore sets has been exceeded
|
||||
|
||||
# then you're running out of semaphores.
|
||||
|
||||
# You can run ipcs -s to list all of the semaphores currently allocated on your system and then use ipcrm -s <id> to remove a semaphore (if you're reasonably sure it's no longer needed). You might also want to track down the program that created them (using information from ipcs -s -i <id>) to make sure it's not leaking semaphores. In my experience, though, most leaks come from programs that were interrupted (by segfaults or similar) before they could run their cleanup code.
|
||||
|
||||
# If your system really needs all of the semaphores currently allocated, you can increase the number of semaphores available. Run sysctl -a | grep kernel.sem to see what the current settings are. The final number is the number of semaphores available on the system (normally 128). Copy that line into /etc/sysctl.conf, change the final number to a larger value, save it, and run sysctl -p to load the new settings."
|
||||
|
||||
for id in $( ipcs -s | grep nagios | awk '{print $2}' ) ; do
|
||||
SEM_ID_PROC=$( ipcs -s -i $id | grep -A1 pid | grep -v pid | awk '{print $5}')
|
||||
ps auwwx | grep " $SEM_ID_PROC " | grep -v grep >/dev/null 2>&1
|
||||
RETVAL=$?
|
||||
if [ $RETVAL -eq 1 ] ; then
|
||||
# ipcs -s -i $id
|
||||
ipcrm -s $id > /dev/null 2>&1
|
||||
fi
|
||||
done
|
||||
|
||||
exit 0
|
|
@ -0,0 +1 @@
|
|||
deb http://ppa.launchpad.net/tormodvolden/ubuntu hardy main
|
|
@ -0,0 +1 @@
|
|||
deb http://linux.dell.com/repo/community/deb/latest /
|
|
@ -0,0 +1,2 @@
|
|||
deb http://ppa.research-infrastructures.eu/system stable main
|
||||
|
|
@ -0,0 +1,242 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Copyright Hari Sekhon 2007
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 2 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
#
|
||||
|
||||
# Nagios Plugin to list all currently logged on users to a system.
|
||||
|
||||
# Modified by Rob MacKenzie, SFU - rmackenz@sfu.ca
|
||||
# Added the -w and -c options to check for number of users.
|
||||
|
||||
|
||||
version=0.3
|
||||
|
||||
# This makes coding much safer as a varible typo is caught
|
||||
# with an error rather than passing through
|
||||
set -u
|
||||
|
||||
# Note: resisted urge to use <<<, instead sticking with |
|
||||
# in case anyone uses this with an older version of bash
|
||||
# so no bash bashers please on this
|
||||
|
||||
# Standard Nagios exit codes
|
||||
OK=0
|
||||
WARNING=1
|
||||
CRITICAL=2
|
||||
UNKNOWN=3
|
||||
|
||||
usage(){
|
||||
echo "usage: ${0##*/} [--simple] [ --mandatory username ] [ --unauthorized username ] [ --whitelist username ]"
|
||||
echo
|
||||
echo "returns a list of users on the local machine"
|
||||
echo
|
||||
echo " -s, --simple show users without the number of sessions"
|
||||
echo " -m username, --mandatory username"
|
||||
echo " Mandatory users. Return CRITICAL if any of these users are not"
|
||||
echo " currently logged in"
|
||||
echo " -b username, --blacklist username"
|
||||
echo " Unauthorized users. Returns CRITICAL if any of these users are"
|
||||
echo " logged in. This can be useful if you have a policy that states"
|
||||
echo " that you may not have a root shell but must instead only use "
|
||||
echo " 'sudo command'. Specifying '-u root' would alert on root having"
|
||||
echo " a session and hence catch people violating such a policy."
|
||||
echo " -a username, --whitelist username"
|
||||
echo " Whitelist users. This is exceptionally useful. If you define"
|
||||
echo " a bunch of users here that you know you use, and suddenly"
|
||||
echo " there is a user session open for another account it could"
|
||||
echo " alert you to a compromise. If you run this check say every"
|
||||
echo " 3 minutes, then any attacker has very little time to evade"
|
||||
echo " detection before this trips."
|
||||
echo
|
||||
echo " -m,-u and -w can be specified multiple times for multiple users"
|
||||
echo " or you can use a switch a single time with a comma separated"
|
||||
echo " list."
|
||||
echo " -w integer, --warning integer"
|
||||
echo " Set WARNING status if more than INTEGER users are logged in"
|
||||
echo " -c integer, --critical integer"
|
||||
echo " Set CRITICAL status if more than INTEGER users are logged in"
|
||||
echo
|
||||
echo
|
||||
echo " -V --version Print the version number and exit"
|
||||
echo
|
||||
exit $UNKNOWN
|
||||
}
|
||||
|
||||
simple=""
|
||||
mandatory_users=""
|
||||
unauthorized_users=""
|
||||
whitelist_users=""
|
||||
warning_users=0
|
||||
critical_users=0
|
||||
|
||||
while [ "$#" -ge 1 ]; do
|
||||
case "$1" in
|
||||
-h|--help) usage
|
||||
;;
|
||||
-V|--version) echo $version
|
||||
exit $UNKNOWN
|
||||
;;
|
||||
-s|--simple) simple=true
|
||||
;;
|
||||
-m|--mandatory) if [ "$#" -ge 2 ]; then
|
||||
if [ -n "$mandatory_users" ]; then
|
||||
mandatory_users="$mandatory_users $2"
|
||||
else
|
||||
mandatory_users="$2"
|
||||
fi
|
||||
shift
|
||||
else
|
||||
usage
|
||||
fi
|
||||
;;
|
||||
-b|--blacklist) if [ "$#" -ge 2 ]; then
|
||||
if [ -n "$unauthorized_users" ]; then
|
||||
unauthorized_users="$unauthorized_users $2"
|
||||
else
|
||||
unauthorized_users="$2"
|
||||
fi
|
||||
shift
|
||||
else
|
||||
usage
|
||||
fi
|
||||
;;
|
||||
-a|--whitelist) if [ "$#" -ge 2 ]; then
|
||||
if [ -n "$whitelist_users" ]; then
|
||||
whitelist_users="$whitelist_users $2"
|
||||
else
|
||||
whitelist_users="$2"
|
||||
fi
|
||||
shift
|
||||
else
|
||||
usage
|
||||
fi
|
||||
;;
|
||||
-w|--warning) if [ "$#" -ge 2 ]; then
|
||||
if [ $2 -ge 1 ]; then
|
||||
warning_users=$2
|
||||
fi
|
||||
shift
|
||||
else
|
||||
usage
|
||||
fi
|
||||
;;
|
||||
-c|--critical) if [ "$#" -ge 2 ]; then
|
||||
if [ $2 -ge 1 ]; then
|
||||
critical_users=$2
|
||||
fi
|
||||
shift
|
||||
else
|
||||
usage
|
||||
fi
|
||||
;;
|
||||
*) usage
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
mandatory_users="`echo $mandatory_users | tr ',' ' '`"
|
||||
unauthorized_users="`echo $unauthorized_users | tr ',' ' '`"
|
||||
whitelist_users="`echo $whitelist_users | tr ',' ' '`"
|
||||
|
||||
# Must be a list of usernames only.
|
||||
userlist="`who|grep -v "^ *$"|awk '{print $1}'|sort`"
|
||||
usercount="`who|wc -l`"
|
||||
|
||||
errormsg=""
|
||||
exitcode=$OK
|
||||
|
||||
if [ -n "$userlist" ]; then
|
||||
if [ -n "$mandatory_users" ]; then
|
||||
missing_users=""
|
||||
for user in $mandatory_users; do
|
||||
if ! echo "$userlist"|grep "^$user$" >/dev/null 2>&1; then
|
||||
missing_users="$missing_users $user"
|
||||
exitcode=$CRITICAL
|
||||
fi
|
||||
done
|
||||
for user in `echo $missing_users|tr " " "\n"|sort -u`; do
|
||||
errormsg="${errormsg}user '$user' not logged in. "
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -n "$unauthorized_users" ]; then
|
||||
blacklisted_users=""
|
||||
for user in $unauthorized_users; do
|
||||
if echo "$userlist"|sort -u|grep "^$user$" >/dev/null 2>&1; then
|
||||
blacklisted_users="$blacklisted_users $user"
|
||||
exitcode=$CRITICAL
|
||||
fi
|
||||
done
|
||||
for user in `echo $blacklisted_users|tr " " "\n"|sort -u`; do
|
||||
errormsg="${errormsg}Unauthorized user '$user' is logged in! "
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -n "$whitelist_users" ]; then
|
||||
unwanted_users=""
|
||||
for user in `echo "$userlist"|sort -u`; do
|
||||
if ! echo $whitelist_users|tr " " "\n"|grep "^$user$" >/dev/null 2>&1; then
|
||||
unwanted_users="$unwanted_users $user"
|
||||
exitcode=$CRITICAL
|
||||
fi
|
||||
done
|
||||
for user in `echo $unwanted_users|tr " " "\n"|sort -u`; do
|
||||
errormsg="${errormsg}Unauthorized user '$user' detected! "
|
||||
done
|
||||
fi
|
||||
|
||||
if [ $warning_users -ne 0 -o $critical_users -ne 0 ]; then
|
||||
unwanted_users=`who`
|
||||
if [ $usercount -ge $critical_users -a $critical_users -ne 0 ]; then
|
||||
exitcode=$CRITICAL
|
||||
elif [ $usercount -ge $warning_users -a $warning_users -ne 0 ]; then
|
||||
exitcode=$WARNING
|
||||
fi
|
||||
OLDIFS="$IFS"
|
||||
IFS=$'\n'
|
||||
for user in $unwanted_users; do
|
||||
errormsg="${errormsg} --- $user"
|
||||
done
|
||||
IFS="$OLDIFS"
|
||||
fi
|
||||
|
||||
if [ "$simple" == "true" ]
|
||||
then
|
||||
finallist=`echo "$userlist"|uniq`
|
||||
else
|
||||
finallist=`echo "$userlist"|uniq -c|awk '{print $2"("$1")"}'`
|
||||
fi
|
||||
else
|
||||
finallist="no users logged in"
|
||||
fi
|
||||
|
||||
if [ "$exitcode" -eq $OK ]; then
|
||||
echo "USERS OK:" $finallist
|
||||
exit $OK
|
||||
elif [ "$exitcode" -eq $WARNING ]; then
|
||||
echo "USERS WARNING: [users: "$finallist"]" $errormsg
|
||||
exit $WARNING
|
||||
elif [ "$exitcode" -eq $CRITICAL ]; then
|
||||
echo "USERS CRITICAL: [users: "$finallist"]" $errormsg
|
||||
exit $CRITICAL
|
||||
else
|
||||
echo "USERS UNKNOWN:" $errormsg"[users: "$finallist"]"
|
||||
exit $UNKNOWN
|
||||
fi
|
||||
|
||||
exit $UNKNOWN
|
|
@ -0,0 +1,19 @@
|
|||
- name: Reload NRPE server
|
||||
service: name=nagios-nrpe-server state=reloaded
|
||||
|
||||
- name: Restart NRPE server
|
||||
service: name=nagios-nrpe-server state=restarted
|
||||
|
||||
- name: Restart Nagios server
|
||||
service: name=nagios3 state=restarted
|
||||
|
||||
- name: Reload Nagios server
|
||||
service: name=nagios3 state=reloaded
|
||||
|
||||
- name: Update apt cache
|
||||
apt: update_cache=yes
|
||||
ignore_errors: True
|
||||
|
||||
- name: Start Dell OMSA
|
||||
service: name=dataeng state=restarted enabled=yes
|
||||
ignore_errors: True
|
|
@ -0,0 +1,144 @@
|
|||
---
|
||||
# The internal repository is used for the check-openmanage nagios plugin:
|
||||
# http://folk.uio.no/trondham/software/check_openmanage.html
|
||||
- name: research infrastructures system repository on ubuntu
|
||||
apt_repository: repo='{{ item }}'
|
||||
with_items:
|
||||
- deb http://ppa.research-infrastructures.eu/system stable main
|
||||
when: is_ubuntu
|
||||
register: update_apt_cache
|
||||
tags:
|
||||
- dell
|
||||
- nagios
|
||||
notify: Update apt cache
|
||||
|
||||
- name: research infrastructures system repository on debian
|
||||
copy: src={{ item }} dest=/etc/apt/sources.list.d/{{ item }}
|
||||
with_items:
|
||||
- research-infrastructures.eu.system.list
|
||||
when: is_debian6
|
||||
register: update_apt_cache
|
||||
tags:
|
||||
- dell
|
||||
- nagios
|
||||
|
||||
- name: Install the Dell apt repository
|
||||
template: src={{ item }}.j2 dest=/etc/apt/sources.list.d/{{ item }}
|
||||
with_items:
|
||||
- linux.dell.com.sources.list
|
||||
when: is_not_debian6
|
||||
register: update_apt_cache
|
||||
tags:
|
||||
- dell
|
||||
- nagios
|
||||
|
||||
- action: apt_key url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present
|
||||
tags:
|
||||
- dell
|
||||
- nagios
|
||||
ignore_errors: True
|
||||
|
||||
#- action: apt_key id=1285491434D8786F state=present
|
||||
- shell: gpg --keyserver pool.sks-keyservers.net --recv-key 1285491434D8786F ; gpg -a --export 1285491434D8786F | apt-key add -
|
||||
tags:
|
||||
- dell
|
||||
- nagios
|
||||
|
||||
- name: Update apt cache
|
||||
apt: update_cache=yes
|
||||
when: update_apt_cache.changed
|
||||
tags:
|
||||
- dell
|
||||
- nagios
|
||||
|
||||
- name: Install the Dell OMSA packages dependencies
|
||||
apt: pkg={{ item }} state=installed
|
||||
with_items:
|
||||
- libnet-snmp-perl
|
||||
- libconfig-tiny-perl
|
||||
- ipmitool
|
||||
- check-openmanage
|
||||
tags:
|
||||
- dell
|
||||
- nagios
|
||||
|
||||
- name: Install the Dell OMSA packages dependencies
|
||||
apt: pkg={{ item }} state=installed
|
||||
with_items:
|
||||
- python-requests
|
||||
register: requests_pkg
|
||||
ignore_errors: True
|
||||
tags:
|
||||
- dell
|
||||
- nagios
|
||||
|
||||
- name: Install the python-pip package if requests is not available as a package
|
||||
apt: pkg={{ item }} state=installed
|
||||
with_items:
|
||||
- python-pip
|
||||
when: requests_pkg|failed
|
||||
tags:
|
||||
- dell
|
||||
- nagios
|
||||
|
||||
- name: Install the python-requests package via pip if it s not available as package
|
||||
pip: name={{ item }} state=latest use_mirrors=no
|
||||
with_items:
|
||||
- requests
|
||||
when: requests_pkg|failed
|
||||
tags:
|
||||
- dell
|
||||
- nagios
|
||||
|
||||
- name: Get the old libssl0.9.8_9.9.8 needed by del Dell OMSA utilities on debian 7
|
||||
get_url: url=http://ppa.research-infrastructures.eu/dell-legacy/libssl0.9.8_0.9.8o-4squeeze14_amd64.deb dest=/var/lib/libssl0.9.8_0.9.8o-4squeeze14_amd64.deb
|
||||
when: is_debian7
|
||||
register: libssl_legacy
|
||||
tags:
|
||||
- dell
|
||||
- nagios
|
||||
|
||||
- name: Install libssl0.9.8_0.9.8o-4squeeze14_amd64.deb on debian 7
|
||||
shell: /usr/bin/dpkg -i /var/lib/libssl0.9.8_0.9.8o-4squeeze14_amd64.deb
|
||||
when: libssl_legacy.changed
|
||||
tags:
|
||||
- dell
|
||||
- nagios
|
||||
|
||||
- name: Install the Dell OMSA packages
|
||||
apt: pkg={{ item }} state=installed force=yes
|
||||
with_items:
|
||||
- syscfg
|
||||
when: is_not_debian6
|
||||
tags:
|
||||
- dell
|
||||
- nagios
|
||||
|
||||
- name: Install the Dell OMSA packages
|
||||
apt: pkg={{ item }} state=installed force=yes
|
||||
with_items:
|
||||
- srvadmin-base
|
||||
- srvadmin-idrac
|
||||
- srvadmin-storageservices
|
||||
notify:
|
||||
Start Dell OMSA
|
||||
tags:
|
||||
- dell
|
||||
- nagios
|
||||
|
||||
- name: Install the check_warranty plugin for dell systems
|
||||
copy: src={{ item }} dest={{ nagios_isti_plugdir }}/{{ item }} owner=root group=nagios mode=0750
|
||||
with_items:
|
||||
- check_dell_warranty.py
|
||||
tags:
|
||||
- dell
|
||||
- nagios
|
||||
|
||||
- name: Install a cron job that removes the leaked semaphores created by the nagios check of Dell hardware status
|
||||
copy: src={{ item }} dest=/etc/cron.daily/{{ item }} owner=root group=root mode=0555
|
||||
with_items:
|
||||
- cleanup-leaked-ipvsems.sh
|
||||
tags:
|
||||
- dell
|
||||
- nagios
|
||||
|
|
@ -0,0 +1,45 @@
|
|||
---
|
||||
# The original check_linux_raid is often buggy
|
||||
- name: Install some plugins that check hardware parts
|
||||
copy: src={{ item }} dest={{ nagios_isti_plugdir }}/{{ item }} owner=root group=nagios mode=0750
|
||||
with_items:
|
||||
- check_linux_raid
|
||||
- check_smart
|
||||
tags:
|
||||
- nagios-hw
|
||||
- nagios
|
||||
|
||||
- name: Install some packages needed by the hardware checks
|
||||
apt: pkg={{ item }} state=installed
|
||||
with_items:
|
||||
- smartmontools
|
||||
tags:
|
||||
- nagios-hw
|
||||
- nagios
|
||||
|
||||
- name: Configure the smart server to run
|
||||
lineinfile: name=/etc/default/smartmontools regexp="^start_smartd=" line="start_smartd=yes"
|
||||
tags:
|
||||
- nagios-hw
|
||||
- nagios
|
||||
|
||||
- name: Ensure that the smart server is enabled and running
|
||||
service: name=smartmontools state=started enabled=yes
|
||||
tags:
|
||||
- nagios-hw
|
||||
- nagios
|
||||
|
||||
- name: Configure NRPE to allow arguments. Needed by the check_smart plugin
|
||||
lineinfile: name=/etc/nagios/nrpe.cfg regexp="^dont_blame_nrpe=" line="dont_blame_nrpe=0"
|
||||
notify: Restart NRPE server
|
||||
tags:
|
||||
- nagios-hw
|
||||
- nagios
|
||||
- nrpe
|
||||
|
||||
- name: nagios needs root to execute some hardware checks. We do it via sudo
|
||||
template: src=nagios-hw.sudoers.j2 dest=/etc/sudoers.d/nagios-hw owner=root group=root mode=0440
|
||||
tags:
|
||||
- nagios-hw
|
||||
- nagios
|
||||
- nrpe
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
- include: nagios.yml
|
||||
- include: dell-omsa.yml
|
||||
when: dell_system is defined
|
||||
- include: postgresql-nagios.yml
|
||||
when: nagios_postgresql_check is defined and nagios_postgresql_check
|
||||
#- include: nsca.yml
|
||||
- include: hardware-checks.yml
|
||||
when: nagios_hw is defined and nagios_hw
|
|
@ -0,0 +1,71 @@
|
|||
---
|
||||
- name: Install the nagios packages
|
||||
apt: pkg={{ item }} state=installed
|
||||
with_items:
|
||||
- nagios-plugins
|
||||
- nagios-plugins-basic
|
||||
- nagios-plugins-standard
|
||||
- nagios-nrpe-server
|
||||
- sudo
|
||||
when: is_not_debian_less_than_6
|
||||
tags:
|
||||
- nagios
|
||||
|
||||
- name: debian 6 has other nagios plugins
|
||||
apt: pkg={{ item }} state=installed
|
||||
with_items:
|
||||
- nagios-plugins-contrib
|
||||
when: is_debian6
|
||||
tags:
|
||||
- nagios
|
||||
|
||||
- name: Create the directory where our local plugins are installed
|
||||
file: path={{ nagios_isti_plugdir }} state=directory
|
||||
tags:
|
||||
- nagios
|
||||
|
||||
- name: Install the generic shell library used by some custom checks
|
||||
template: src=check_library.sh.j2 dest={{ nagios_isti_plugdir }}/check_library.sh owner=root group=root mode=0644
|
||||
tags:
|
||||
- nagios
|
||||
|
||||
- name: Install plugins that can be useful on all the installed servers
|
||||
copy: src={{ item }} dest={{ nagios_isti_plugdir }}/{{ item }} owner=root group=nagios mode=0755
|
||||
with_items:
|
||||
- check_system_pp
|
||||
- show_users
|
||||
- check_netint.pl
|
||||
tags:
|
||||
- nagios
|
||||
|
||||
- name: Install the global nrpe commands file
|
||||
template: src=common-nrpe.cfg.j2 dest=/etc/nagios/nrpe.d/common.cfg owner=root group=root mode=444
|
||||
notify:
|
||||
- Reload NRPE server
|
||||
tags:
|
||||
- nrpe
|
||||
- nagios
|
||||
|
||||
- name: set the NRPE ACL
|
||||
action: |
|
||||
lineinfile name=/etc/nagios/nrpe.cfg regexp="allowed_hosts=" line="allowed_hosts=127.0.0.1,{{ nagios_monitoring_server_ip }}"
|
||||
notify:
|
||||
- Reload NRPE server
|
||||
tags:
|
||||
- nagios
|
||||
- nrpe
|
||||
|
||||
- name: set the NRPE default timeout
|
||||
lineinfile: name=/etc/nagios/nrpe.cfg regexp="command_timeout=" line="command_timeout={{ nrpe_command_timeout }}"
|
||||
notify:
|
||||
- Reload NRPE server
|
||||
tags:
|
||||
- nagios
|
||||
- nrpe
|
||||
|
||||
- name: nagios needs root to execute some commands. We do it via sudo
|
||||
template: src=nagios.sudoers.j2 dest=/etc/sudoers.d/nagios owner=root group=root mode=0440
|
||||
tags:
|
||||
- nagios
|
||||
- nrpe
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
- name: Configure the nsca client
|
||||
template: src=send_nsca.j2 dest=/etc/send_nsca.cfg owner=root group=root mode=400
|
||||
tags:
|
||||
- nsca
|
||||
|
||||
- apt: pkg={{ item }} state=installed
|
||||
with_items:
|
||||
- nsca-client
|
||||
when: '(({{ is_not_ubuntu_less_than_precise }}) == True) or (({{ is_debian7 }}) == True)'
|
||||
tags:
|
||||
- nsca
|
||||
|
||||
- apt: pkg={{ item }} state=installed
|
||||
with_items:
|
||||
- nsca
|
||||
when: "(({{ is_not_debian_less_than_6 }}) == True) and (({{ is_ubuntu_less_than_precise }}) == True)"
|
||||
tags:
|
||||
- nsca
|
|
@ -0,0 +1,35 @@
|
|||
---
|
||||
- name: Ensure that the isti local nagios plugins directory exists
|
||||
file: dest={{ nagios_isti_plugdir }} owner=root group=root state=directory
|
||||
tags:
|
||||
- nrpe
|
||||
- nagios
|
||||
|
||||
- name: Install the postgresql backup nagios check
|
||||
copy: src=check_postgresql_backup dest={{ nagios_isti_plugdir }}/check_postgresql_backup owner=root group=root mode=0555
|
||||
tags:
|
||||
- nrpe
|
||||
- nagios
|
||||
|
||||
- name: Install the packages needed to check postgres via nagios
|
||||
apt: pkg={{ item }} state=installed
|
||||
with_items:
|
||||
- check-postgres
|
||||
tags:
|
||||
- nrpe
|
||||
- nagios
|
||||
|
||||
- name: Install the sudoers file needed by some nagios checks
|
||||
template: src=postgresql-sudoers.j2 dest=/etc/sudoers.d/postgresql owner=root group=root mode=440
|
||||
tags:
|
||||
- nrpe
|
||||
- nagios
|
||||
|
||||
- name: Install the nrpe configuration for check_postgres
|
||||
template: src=postgresql-nrpe.cfg.j2 dest=/etc/nagios/nrpe.d/postgresql-nrpe.cfg owner=root group=root mode=444
|
||||
notify:
|
||||
- Reload NRPE server
|
||||
tags:
|
||||
- nrpe
|
||||
- nagios
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
|
||||
ISTI_PLUGDIR={{ nagios_isti_plugdir }}
|
||||
COMMON_LIB={{ nagios_common_lib }}
|
||||
|
||||
if [ -d {{ nagios_plugins_dir }} ] ; then
|
||||
PLUGIN_DIR={{ nagios_plugins_dir }}
|
||||
elif [ -d {{ nagios_centos_plugins_dir }} ] ; then
|
||||
PLUGIN_DIR={{ nagios_centos_plugins_dir }}
|
||||
fi
|
||||
|
|
@ -0,0 +1,40 @@
|
|||
# Debian 4 doesn't support "-A -i options"
|
||||
command[global_check_disk]={{ nagios_plugins_dir }}/check_disk -w {{ nagios_check_disk_w }}% -c {{ nagios_check_disk_c }}% -X tmpfs -X proc -X sysfs -X devpts -X dev -A -i /mnt/.*
|
||||
#command[global_check_disk]={{ nagios_plugins_dir }}/check_disk -w {{ nagios_check_disk_w }}% -c {{ nagios_check_disk_c }}% -X tmpfs -X proc -X sysfs -X devpts
|
||||
|
||||
command[global_check_load]={{ nagios_plugins_dir }}/check_load -w 20,15,10 -c 35,30,25
|
||||
command[global_check_zombie_procs]={{ nagios_plugins_dir }}/check_procs -w 5 -c 10 -s Z
|
||||
command[global_check_total_procs]={{ nagios_plugins_dir }}/check_procs -w 800 -c 1000
|
||||
|
||||
# Ganglia gmond server
|
||||
command[global_check_gmond]={{ nagios_plugins_dir }}/check_procs -w 1:1 -c 1:1 -C gmond
|
||||
|
||||
# Munin node
|
||||
command[global_check_munin]={{ nagios_plugins_dir }}/check_procs -w 1:1 -c 1:1 -C munin-node
|
||||
|
||||
# Show number and username of the logged users
|
||||
command[global_show_users]={{ nagios_isti_plugdir }}/show_users -a {{ nagios_allowed_users }}
|
||||
|
||||
# Generic script that monitors the existance of a given processes list
|
||||
command[global_check_system_pp]={{ nagios_isti_plugdir }}/check_system_pp
|
||||
|
||||
# Linux RAID check
|
||||
command[global_check_linux_raid]={{ nagios_isti_plugdir }}/check_linux_raid
|
||||
|
||||
# Disks S.M.A.R.T. check
|
||||
command[global_check_smart]={{ nagios_isti_plugdir }}/check_smart -d $ARG1$ -i $ARG2$
|
||||
|
||||
# Network interfaces
|
||||
command[global_net_interfaces]={{ nagios_isti_plugdir }}/check_netint.pl -K -f -e
|
||||
|
||||
# Restart ntp (via handler)
|
||||
command[global_restart_ntp]=/usr/bin/sudo /etc/init.d/ntp start
|
||||
|
||||
# Restart gmond (via handler)
|
||||
command[global_restart_gmond]=/usr/bin/sudo /etc/init.d/ganglia-monitor start
|
||||
|
||||
# Restart munin node (via handler)
|
||||
command[global_restart_munin]=/usr/bin/sudo /etc/init.d/munin-node start
|
||||
|
||||
|
||||
|
|
@ -0,0 +1 @@
|
|||
deb http://linux.dell.com/repo/community/ubuntu {{ ansible_distribution_version }} openmanage
|
|
@ -0,0 +1 @@
|
|||
nagios ALL=(root) NOPASSWD: /usr/sbin/smartctl
|
|
@ -0,0 +1 @@
|
|||
nagios ALL=(ALL) NOPASSWD: {{ nagios_plugins_dir }}/, {{ nagios_isti_plugdir }}/, {{ nagios_centos_plugins_dir }}/, /etc/init.d/, /usr/sbin/service, /sbin/service
|
|
@ -0,0 +1 @@
|
|||
include_dir={{ nrpe_include_dir }}
|
|
@ -0,0 +1,20 @@
|
|||
# Check the status of the postgresql local dumps
|
||||
command[{{ monitoring_group_name }}_check_postgresql_backup]={{ nagios_isti_plugdir }}/check_postgresql_backup
|
||||
|
||||
command[{{ monitoring_group_name }}_check_postgresql_connection]=/usr/bin/sudo -u postgres /usr/bin/check_postgres_connection -db template1
|
||||
|
||||
command[{{ monitoring_group_name }}_check_postgresql_timesync]=/usr/bin/sudo -u postgres /usr/bin/check_postgres_timesync -db template1
|
||||
|
||||
command[{{ monitoring_group_name }}_check_postgresql_backends]=/usr/bin/sudo -u postgres /usr/bin/check_postgres_backends -db template1
|
||||
|
||||
command[{{ monitoring_group_name }}_check_postgresql_commitratio]=/usr/bin/sudo -u postgres /usr/bin/check_postgres_commitratio -db template1
|
||||
|
||||
command[{{ monitoring_group_name }}_check_postgresql_database_size]=/usr/bin/sudo -u postgres /usr/bin/check_postgres_database_size -db template1 -w {{ nagios_psql_db_size_w }} -c {{ nagios_psql_db_size_c }}
|
||||
|
||||
{% for db in psql_db_data %}
|
||||
command[{{ monitoring_group_name }}_check_postgresql_{{ db.name }}_query]=/usr/bin/sudo -u postgres /usr/bin/check_postgres_query_time -db {{ db.name }} -w {{ nagios_psql_query_time_w }} -c {{ nagios_psql_query_time_c }}
|
||||
|
||||
command[{{ monitoring_group_name }}_check_postgresql_{{ db.name }}_dbstats]=/usr/bin/sudo -u postgres /usr/bin/check_postgres_dbstats -db {{ db.name }}
|
||||
|
||||
command[{{ monitoring_group_name }}_check_postgresql_{{ db.name }}_sequence]=/usr/bin/sudo -u postgres /usr/bin/check_postgres_sequence -db {{ db.name }}
|
||||
{% endfor %}
|
|
@ -0,0 +1 @@
|
|||
nagios ALL=(postgres) NOPASSWD: /usr/bin/check_postgres_*
|
|
@ -0,0 +1,2 @@
|
|||
password={{ nsca_password }}
|
||||
decryption_method={{ nsca_encryption }}
|
|
@ -0,0 +1,24 @@
|
|||
---
|
||||
- name: apt key for the internal precise-backports repository
|
||||
apt_key: url=http://ppa.research-infrastructures.eu/precise-backports/keys/precise-backports.asc state=present
|
||||
when: is_precise
|
||||
register: update_apt_cache
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Install the precise backports apt repository
|
||||
apt_repository: repo='{{ item }}'
|
||||
with_items:
|
||||
- deb http://ppa.research-infrastructures.eu/precise-backports precise main
|
||||
when: is_precise
|
||||
register: update_apt_cache
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Update the apt cache
|
||||
apt: update_cache=yes
|
||||
when: ( update_apt_cache | changed )
|
||||
ignore_errors: True
|
||||
tags:
|
||||
- apt
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
nginx_use_ldap_pam_auth: False
|
||||
nginx_pam_svc_name: nginx
|
||||
nginx_ldap_uri: "ldap://ldap.sub.research-infrastructures.eu"
|
||||
nginx_ldap_base_dn: "dc=research-infrastructures,dc=eu"
|
||||
nginx_enabled: "Yes"
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue