diff options
Diffstat (limited to 'global/overlay')
16 files changed, 1311 insertions, 113 deletions
diff --git a/global/overlay/etc/cosmos/keys/lundberg-9303C5DB.pub b/global/overlay/etc/cosmos/keys/lundberg-9303C5DB.pub index 21bcc24..f08c5bb 100644 --- a/global/overlay/etc/cosmos/keys/lundberg-9303C5DB.pub +++ b/global/overlay/etc/cosmos/keys/lundberg-9303C5DB.pub @@ -7,69 +7,51 @@ mQENBFNOlK4BCADXgBIEADujBCe5Tv1aul3IUjQhXNGBjdvgK9xQKaTVrfJTRxr9 07zFFXrUHzthndt83MZdB8nd/3WUbT6ubSEYO5rtjeWO30c9p16u+ErGADR0bBSz UfpREDHlUlJ/CcOi68DQINBOELdt+g76E+rHODeCB+ojpFwjIPyHbuhI4fF/UpWu 40nU8pnS9w8kS/4cQl72NEhrH7mEsMK0Pma7ABEBAAG0KUpvaGFuIEx1bmRiZXJn -IDxsdW5kYmVyZy5qb2hhbkBnbWFpbC5jb20+iQE/BBMBAgApBQJTTpU1AhsDBQkB -4TOABwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQ0b7X3pMDxdsxugf/X6ZR -qmrZq9sNyF4E3GrCE5dPGdwNKGuLr2H5GLKrBfULmqwXvacanH0qZAsteHEudv+o -H3pqBmbt4uZoIph/VFpu7YsHSpwjtQXLeN/TJhCRSSQUiIH2gNkLdi2P2nlb6YkW -euRPJWqL8GVQNvJgH+gaCUCsJ7mEfbcvRhjCIv5S+m9zYqDYJ5Elc6bOKnG1U39w -FqANX/u1CBOY+fOiNYD0WcYDfvk7omWuWID0kEi4E18pPwzAZEmhOt0LZf1S1AbK -7VFX9OMlNNEnqlmSsFc3DO8uJzelv+WpfqmKI3rbovncZNWLbiwR/eAYnNbaJujy -V/QLGTPyB5zmg0bXjYkBHAQQAQoABgUCU2j6+gAKCRAnBzMNQDDMrdXmB/0ayjQi -Zn4A60TpUkC3mJ6oW0bUUqWr47VuXHYwCRBCc53s27RNL2xsRcbqiQjOfSBQUvdu -7NNT9qgvmCoPB745D3qutZ2idwJASmFrytTt8gWKiaIBUKg0/wVs8v1CW/S5EOoc -hkujPmrofeL9K4YTOl3q27Jhdv0eKV2e2lEXeW/GBCuUje1NTcgqFDCHV9SzjBRy -uiToEfzYyomHEmaJl4vyl+WOCFMbQav3YvjgUH6MwtXSUcerFqqnMr3MOU8ioaIV -DipMHLSBmMG05cW4xSVo/zdgtjwyfDH5QWuwDPiRCWRmS7N1n+I9WxVhDTkIJZYw -Ueb5qaWunWXiQWmCtCNKb2hhbiBMdW5kYmVyZyA8bHVuZGJlcmdAbm9yZHUubmV0 -PokBPgQTAQIAKAUCU06UrgIbAwUJAeEzgAYLCQgHAwIGFQgCCQoLBBYCAwECHgEC -F4AACgkQ0b7X3pMDxds34Qf/XdI9emOcknRsJ7WpYBjjpE+Fd+gNiJfie6Fh1/CA -gu4keD+Vwn/2IRPLo30dnShIlUxJhdFft60QvDvQSETSoizUqPOV3VomTOA2sXI1 -g+hRNoDvzR/4EgMwX4bxzb9d2CZXt1uPR5Gos1qpuh3VGBy55JhOcp1+fsw0cAax -lmXeVQwIRoxN+b0ml3JKGLxKsYcZiCGSpzVidrvIRYabbMUOx6KtdXL4AftoXIng -NMiQJU2NJgTXqsQsjEnhcBLw1l9dFByYfIWMh3GZjzd98JFmvCsInRUmWN/QeuBH -w0vHrJb3EAqj7ErWss549E6hbDZFGpbgKQlkmKt0wmDy6okBHAQQAQoABgUCU2j6 -+gAKCRAnBzMNQDDMrcYPCACc8s8PQp+QVoNXN3vV6de4i/SJcMRhJEuPxyePdiDV -sVe+lFduP878zA/qEmBeMT9l9zC1Vxnv1AAakV5j02bfjBZsLvWP+4uG0dp+J0H5 -0BuzDbl0M0Jdbt5pnfQsqc2H26Cz7aZ05lbxAeuFPhTHgBI8DVlRIRuPwW4zo7wp -uZs8CZXAyKITOL/HA9ZmmaAPNthMsjXc8CK/kK8XvuDr5wGo55KrUGUE6bsiYkxj -2UGUxmQSegaL8li6uEwDmJjp5y03MEeV33VxibbnAx8F1oK2uXr/DPaZot9gB46h -Ivy52O2ydr31U+dlaFI+yFaaiFQBA9UnYAjinBQRcqowtCJKb2hhbiBMdW5kYmVy -ZyA8bHVuZGJlcmdAc3VuZXQuc2U+iQE/BBMBAgApBQJTTpUdAhsDBQkB4TOABwsJ -CAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQ0b7X3pMDxdthWwf+ISF1EgZuIMWL -HfhNQrpWDJiTZ03ofehso/W+GkKcWoia/RpTxitmY4Hl8C3v5CfUvHYy2ThVfcvw -FrhnZS6ln7WGGzkS2ir9NsA2xJzbXzKW+dxa+sXQ1SsgzUkI8K4oMWhzrnffn7cX -Ze8qEv4ng72ZX5gDfA8T2mPNYyWPycGv2sroWU4T1hwiTvtaVdjGVqBF3jajitTg -svsY0y9n1n9mTlxjYiFnBeiGn1I/eUNALAUzK/VIuAPsHeDrA8WPLjAAs7dQRD/X -uCAMddvyHbtC0FNq/sJZHIQfVnyE4Gqo6IoMRxKYZo3eNS4wF3wp3VGJFBkxVccE -W8k0EZi3VYkBHAQQAQoABgUCU2j6+gAKCRAnBzMNQDDMrSzrB/464DKt30CnEXMM -8LX0FB5ywMVrTNPd4AtQ4t9LfXoTCaZICgb2VvBhyu+iT/t37jeFg1LzViHvyHcx -G2fe2zmIDDsaakbq/7Ptn00sisscQrRYbqThFoTZZxT3LtxbJRT7gS6dOPXSpDAO -2mYnUDylXwLieZ3TBwEOqMAJnqAOOg4rxuHF7oum+FgkcM0i/zyhuM2IXRmEVrvb -j9qH3EOZmU9q5uymy86QK3tNirDxl4Kc7nnIEsUVH4qxfF0mjuDtGpTYLj0BMI70 -6UzIyYB2w42XNaUwOovOUsfB77UxNHOBnp4TlWc/U6S1SDAdbBOXdHjHKoiyVisA -ZzqKjUiVuQENBFNOlK4BCADv5oNT5bxMoi2g847SzQEp306Kg5hsKmKdjXp3vFfB -Fqp1Suj9BphBflyTo9Ci4F5ZyxiH3uVDglzR09ccOo+zgFaJvOU9waP7+PJayBtM -U8lZ+dYtm5agST8aXzQ5gvJj5uASuHZGQwiBV2MIn70ejIPhL2rkUT3nSj8C+YH6 -8WJgIk5qlN1VbAsoGyAE0dGIRouRYV/JMN9rFB8kcPF4RWZRq9rqk9jAFLec4MNJ -O4hs7QEijq4Klp2jW+3v9R52lPPeiz0xjBB+v9DHIxN6HG3RNTcGpklLzvzJb+wQ -AecFCyRizKObMYQpGXJRpiiwYOipo3smiA8XfITY7u9dABEBAAGJASUEGAECAA8F -AlNOlK4CGwwFCQHhM4AACgkQ0b7X3pMDxdthrwgApS7EHZNMRUd2/JpozhuJlv3k -Iz5H5cYABSXAox9GZNGdNLgCzEVNsKyJtj55nqk1eN8rTwdyDyu+d/9QX6HrhVgM -QdURSN87LHlcl4bRnaqu8E9Kh6L6OyWu9zIgY9KahJF83CvileV1ULqmy7qGSb9N -ejf4leLEUjZvXObYx2rT5OjDObmD9o6HMjwQpNj6FiYz67fhJdx4i6BryAeWk6aO -nMANPJj31+CkpDa96hkA9B8rYE1uk1W2+IlKeiX2yRmcWZa8HC84swswDFUFqYvQ -CXEp26vnm/Rm9JyfIAu6SaIhKI3Nn0SCX0fBBXlANnXj8QUL5H56klp7OUlBpLkB -DQRTTpU7AQgAwBzH5/T0loxhgJDGOq4dcn33WIJ5YaCAuROTVnXOV1JWPaDWFts4 -TKcoXqX6IdWGL+VdUDU7jt39M4Q/mXqj755wO+HwTOMr1lOELbcL9na7BTrFO50W -xksEHcMPSA4nbcUbgI1uRyfZkzibmKyBQBB4INT7/LGSsxzVrmYs+CN+AjdjW2mT -ruHmBuqXc7wepH2JeYi/3rH4QWX3oAPu8eKl7zCxxCm+8AkQQAQn1rumMtRNI1HU -VgRXaqec7I7kJZPJop4fPdptgtbRXMrm+XQloC2LYkEaSI89epTJNXDPn4EvWDOx -L+tmwaUcp1NsAn4NUKWDKcSKueKv1y5WLwARAQABiQElBBgBAgAPBQJTTpU7Ahsg -BQkB4TOAAAoJENG+196TA8Xb7sUH/jJWNiUJPWcc0NZHaoCbXrRqHlJR3Zhk3dLr -1WGQubfkKk4tXZtQzs3q3qCHY6wsz5xd52IQmYZ7zeKm8C4VuNjJcPwsGHF9//Bc -6/oVqi5fXcjGG3aWPU99QfSlCDBxz9j5+aeAdyyarPfD0i1IDJ/vPncnYB8Tt0PW -QswGvSnWfhYNM3anoraapv6vbwnrCaBHkPJwdMg6Ru/QIuddxl/aW94yZs8MbyA7 -wKoFpvjXHuxaihF955IPE/TQc37yLV4UZ50osDFRTE26f3HwRNSoxQkGvkvO4hFD -8wGrZ1izT6q37uTZTDMpxCGLcRzVmYr5gGB16S3bSyWhn7rkzV4= -=AiT9 +IDxsdW5kYmVyZy5qb2hhbkBnbWFpbC5jb20+iQE/BBMBAgApAhsDBwsJCAcDAgEG +FQgCCQoLBBYCAwECHgECF4AFAlUv2gwFCQPCeNcACgkQ0b7X3pMDxdtCdwgAgiDc +YCvC8xyj9I6zcP1i/ZrON5vrwhch+xolRuR2d3hc6ElsgCbkUFhNk+a+Okf7aA6R +TdxFLEP+bG/eEYXRg7BawM1Hw8XZWPtDzutbmYwa31KgQL0Zr55U45kSQXjlG7vF +6LkC9RT6tRUb/KXxtubT4nXLa0VnQYo5D8BmEOHsF+vxLJedmW2Mz7SIXRW4rACa +TOxll8HGI3mu12sT8nq00mRb9fBkBLIsHHK76LYOHC6oR37+wpf0wERxQAM2cXEw +hIK0xyHQFtbnzBzhFYF3jLWcPWJw34rJjz37DYlsSUtbnHbSVB7oaFBPKSp/GSR/ +RCxNiWIKTPfnhHvDELQjSm9oYW4gTHVuZGJlcmcgPGx1bmRiZXJnQG5vcmR1Lm5l +dD6JAT4EEwECACgCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJVL9oVBQkD +wnjXAAoJENG+196TA8XbFyQIAJg02gKy88JZsTv6AqUvyWgeuiU3GJbuthns55uy +i+sWB/jFCzESd8Mwi/rJg0N/YaJakRD/S46c35FyEQ/iJiSpkwvq8WBmfjCtfA8u +kh7tlbTLBrexYXiUfXFwpnutuoMaGRYuq7ir3NzQKX4VLdiWFMRkT4ugizs6RR2P +lRCpXdajTmBha6XQxm3ZetO56TADEo7OBLH0K51XRJH1LeGEaXZv9KLTywJcW8Co +vfPLSzxFM8JT5VHyV19++Up4gUJbLeAt2D4ya0EX/AkxvVDqn+fcsQse6gQ8OMGy +9mB8T1mC+nrJ4aWgJLwaxMtQ//vaR56k1GvYFuXBmn+LHie0IkpvaGFuIEx1bmRi +ZXJnIDxsdW5kYmVyZ0BzdW5ldC5zZT6JAT8EEwECACkCGwMHCwkIBwMCAQYVCAIJ +CgsEFgIDAQIeAQIXgAUCVS/aHQUJA8J41wAKCRDRvtfekwPF2/DnB/9ULJLwiL1z +FjA1hCxOZtf+PSoif/unBnyPERoNDO7dyrR4+H4qiPV6LQKoD8pPZz6tXeu+l5L3 +Sps890RD1zqwZwm9PHdT7Xu8YYndcnfUsXpgNDZHS4G0CsuhB+Vc0ir7O9XYsMBx +T6TiH5G8bOxtFdSQgg1sii12TTtPzuo/C8GxZbXy7I48nc11IrnbiYxxAnCpBIuz +g6XRuTaxRkEAfg6g90RV+o06XbUju9sW2BSXg51etCYA5MLmbjQYQporArPHL9rv +y4aTPGCu4vJoLDK5hj2ZK9YzJ6zGFnCMYNFk16uxWc/45SXQrr8FQAgSReMuB0C4 +OzRACdx0UqLvuQENBFNOlK4BCADv5oNT5bxMoi2g847SzQEp306Kg5hsKmKdjXp3 +vFfBFqp1Suj9BphBflyTo9Ci4F5ZyxiH3uVDglzR09ccOo+zgFaJvOU9waP7+PJa +yBtMU8lZ+dYtm5agST8aXzQ5gvJj5uASuHZGQwiBV2MIn70ejIPhL2rkUT3nSj8C ++YH68WJgIk5qlN1VbAsoGyAE0dGIRouRYV/JMN9rFB8kcPF4RWZRq9rqk9jAFLec +4MNJO4hs7QEijq4Klp2jW+3v9R52lPPeiz0xjBB+v9DHIxN6HG3RNTcGpklLzvzJ +b+wQAecFCyRizKObMYQpGXJRpiiwYOipo3smiA8XfITY7u9dABEBAAGJASUEGAEC +AA8CGwwFAlUv2NIFCQPCd4oACgkQ0b7X3pMDxducewgAxiSllwGR7pGee2auKVDr +/Gc3gaLNjyRRaQtRByE6tlxXcAYzpUMm/+xvHuLTjr7hMXZYW13ZjhlIoYJ9RYw6 +AzJcc2A8R2kwv5kVpqKeDL2r1ODUWo982QoRoujfosrgIzFmcDw0FOzKwyJ27V7r +oV/UHJjxzlOPItQ14oeoEX4eXd0cwFzARvHoCQ/j45nyHQJU87ghVThdqcysB4qb ++kd+p8hf21uJ7pyRdI5UhE0r79c+nfXoOLOHJ1865uvgptQFjWeJvS3INPCTYLqK +O6acXEC6cdBlsNCSzsI1vfVX843io0jGML9KKpKCCn+TknYqo8F8a4GzhaFMT70g +xLkBDQRTTpU7AQgAwBzH5/T0loxhgJDGOq4dcn33WIJ5YaCAuROTVnXOV1JWPaDW +Fts4TKcoXqX6IdWGL+VdUDU7jt39M4Q/mXqj755wO+HwTOMr1lOELbcL9na7BTrF +O50WxksEHcMPSA4nbcUbgI1uRyfZkzibmKyBQBB4INT7/LGSsxzVrmYs+CN+Ajdj +W2mTruHmBuqXc7wepH2JeYi/3rH4QWX3oAPu8eKl7zCxxCm+8AkQQAQn1rumMtRN +I1HUVgRXaqec7I7kJZPJop4fPdptgtbRXMrm+XQloC2LYkEaSI89epTJNXDPn4Ev +WDOxL+tmwaUcp1NsAn4NUKWDKcSKueKv1y5WLwARAQABiQElBBgBAgAPAhsgBQJV +L9nrBQkDwngsAAoJENG+196TA8XbH3MH/2pUrGZmRJxUKHFcC9gKNa09VjVs/c+j +2n8VDS9QOnj0iE44zSXTln9CbY7Dmt9zVNAjoZc51U/9gojhDR+KFVgu7sIqr2PM +6bkcIZ2NO0RJ5ciHWb7cBbrPNmR7GMloXPx4r4b1VjNnssYTKCCBjYLez6NbuZ2R +QHs0NZWa6gE/Hf77Ml4+ZieydXJx9TLh3KiPuKKjzNL++n/TydjoxhMouNpjJAKc +Gs+iQeha1xVATpa8c6b6EaSyr95bqfbNTRemd6rIzxwjbkX6VP9c8FmV6E1AWrns +lQIgDvNHOR2NpiXhO+X6xccA9nQwsrQFZSV5IdopI7cVjqZhCSIZ1CU= +=PaZi -----END PGP PUBLIC KEY BLOCK----- diff --git a/global/overlay/etc/puppet/cosmos-db.yaml b/global/overlay/etc/puppet/cosmos-db.yaml index a66bc05..53d3200 100644 --- a/global/overlay/etc/puppet/cosmos-db.yaml +++ b/global/overlay/etc/puppet/cosmos-db.yaml @@ -116,11 +116,19 @@ classes: sshaccess: null sunet::dockerhost: null sunetops: null + webbackend: null web-db2.sunet.se: mailclient: *id001 sshaccess: null sunet::dockerhost: null sunetops: null + webbackend: null + web-db3.sunet.se: + mailclient: *id001 + sshaccess: null + sunet::dockerhost: null + sunetops: null + webbackend: null web-f1.sunet.se: mailclient: *id001 sshaccess: null @@ -139,7 +147,7 @@ members: cdr2.sunet.se, web-db1.sunet.se, web-db2.sunet.se, mdx1.swamid.se, web-f1.sunet.se, meta.swamid.se, registry.swamid.se, dane.lab.sunet.se, mdx2.swamid.se, samltest.swamid.se, wp.sunet.se, docker.sunet.se, lobo2.lab.sunet.se, sto-tug-kvm-lab1.swamid.se, - sto-fre-kvm1.swamid.se, web-a1.sunet.se] + sto-fre-kvm1.swamid.se, web-db3.sunet.se, web-a1.sunet.se] docker_signer: [mdx2.swamid.se] dockerhost: [datasets.sunet.se, reep.tid.isoc.org, www2.eduid.se, mdx1.swamid.se, registry.swamid.se, mdx2.swamid.se, docker.sunet.se] @@ -149,7 +157,7 @@ members: web-db1.sunet.se, web-db2.sunet.se, mdx1.swamid.se, web-f1.sunet.se, meta.swamid.se, registry.swamid.se, dane.lab.sunet.se, mdx2.swamid.se, samltest.swamid.se, wp.sunet.se, docker.sunet.se, lobo2.lab.sunet.se, sto-tug-kvm-lab1.swamid.se, sto-fre-kvm1.swamid.se, - web-a1.sunet.se] + web-db3.sunet.se, web-a1.sunet.se] quantis: [random1.nordu.net, random2.nordu.net] signer: [mdx1.swamid.se] sshaccess: [cdr1.sunet.se, cdr1.sunet.se, sto-tug-kvm2.swamid.se, sto-tug-kvm2.swamid.se, @@ -158,21 +166,22 @@ members: cdr2.sunet.se, web-db1.sunet.se, web-db2.sunet.se, mdx1.swamid.se, web-f1.sunet.se, meta.swamid.se, registry.swamid.se, dane.lab.sunet.se, mdx2.swamid.se, samltest.swamid.se, wp.sunet.se, docker.sunet.se, lobo2.lab.sunet.se, sto-tug-kvm-lab1.swamid.se, - sto-fre-kvm1.swamid.se, web-a1.sunet.se] + sto-fre-kvm1.swamid.se, web-db3.sunet.se, web-a1.sunet.se] sunet-cdr: [cdr1.sunet.se, cdr2.sunet.se] sunet::dockerhost: [sto-tug-kvm2.swamid.se, web-a2.sunet.se, web-db1.sunet.se, web-db2.sunet.se, - web-f1.sunet.se, web-a1.sunet.se] + web-f1.sunet.se, web-db3.sunet.se, web-a1.sunet.se] sunetops: [cdr1.sunet.se, cdr1.sunet.se, sto-tug-kvm2.swamid.se, datasets.sunet.se, sto-tug-kvm-lab2.swamid.se, sto-tug-kvm1.swamid.se, ca.sunet.se, web-a2.sunet.se, loke.sunet.se, cdr2.sunet.se, cdr2.sunet.se, web-db1.sunet.se, web-db2.sunet.se, mdx1.swamid.se, web-f1.sunet.se, meta.swamid.se, registry.swamid.se, dane.lab.sunet.se, mdx2.swamid.se, samltest.swamid.se, wp.sunet.se, docker.sunet.se, lobo2.lab.sunet.se, - sto-tug-kvm-lab1.swamid.se, sto-fre-kvm1.swamid.se, web-a1.sunet.se] + sto-tug-kvm-lab1.swamid.se, sto-fre-kvm1.swamid.se, web-db3.sunet.se, web-a1.sunet.se] swamidops: [sto-tug-kvm2.swamid.se, reep.tid.isoc.org, md-master.reep.refeds.org, sto-tug-kvm-lab2.swamid.se, sto-tug-kvm1.swamid.se, mdx1.swamid.se, meta.swamid.se, registry.swamid.se, mdx2.swamid.se, samltest.swamid.se, sto-tug-kvm-lab1.swamid.se, sto-fre-kvm1.swamid.se] webappserver: [web-a2.sunet.se, web-a1.sunet.se] + webbackend: [web-db1.sunet.se, web-db2.sunet.se, web-db3.sunet.se] webfrontend: [web-f1.sunet.se] webserver: [sto-tug-kvm2.swamid.se, datasets.sunet.se, registry.swamid.se, docker.sunet.se] diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf index 911ebc1..e796979 100644 --- a/global/overlay/etc/puppet/cosmos-modules.conf +++ b/global/overlay/etc/puppet/cosmos-modules.conf @@ -13,7 +13,7 @@ pound git://github.com/SUNET/puppet-pound.git yes sunet-* augeas git://github.com/SUNET/puppet-augeas.git yes sunet-* bastion git://github.com/SUNET/puppet-bastion.git yes sunet-* pyff git://github.com/samlbits/puppet-pyff.git yes puppet-pyff-* -#postgresql git://github.com/SUNET/puppetlabs-postgresql.git yes sunet-* dhcp git://github.com/SUNET/puppetlabs-dhcp.git yes sunet-* varnish git://github.com/samlbits/puppet-varnish.git yes puppet-varnish-* docker git://github.com/SUNET/garethr-docker.git yes sunet-* +network git://github.com/SUNET/attachmentgenie-network.git yes sunet-* diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml index 5035639..cea844e 100644 --- a/global/overlay/etc/puppet/cosmos-rules.yaml +++ b/global/overlay/etc/puppet/cosmos-rules.yaml @@ -50,3 +50,5 @@ www2.eduid.se: webappserver: '^web-f[0-9]+\.sunet\.se$': webfrontend: +'^web-db[0-9]+\.sunet\.se$': + webbackend: diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp index 2713ea3..b7b1601 100644 --- a/global/overlay/etc/puppet/manifests/cosmos-site.pp +++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp @@ -128,6 +128,7 @@ node 'datasets.sunet.se' { } node 'docker.sunet.se' { + class { 'sunet::nagios': } docker::image {'registry': } docker::image {'leifj/pound': } docker::run {'sunetregistry': @@ -375,7 +376,7 @@ class sunet-dhcp-hosts { dhcp::host { 'mq-tug-3': mac => "52:54:00:03:00:22", ip => "130.242.130.22"; } dhcp::host { 'worker-tug-3': mac => "52:54:00:03:00:23", ip => "130.242.130.23"; } dhcp::host { 'signup-tug-3': mac => "52:54:00:03:00:24", ip => "130.242.130.24"; } - dhcp::host { 'helpdesk-tug-3': mac => "52:54:00:03:00:25", ip => "130.242.130.25"; } + dhcp::host { 'dashboard-tug-3': mac => "52:54:00:03:00:25", ip => "130.242.130.25"; } dhcp::host { 'www-tug-3': mac => "52:54:00:03:00:26", ip => "130.242.130.26"; } dhcp::host { 'monitor-tug-3': mac => "52:54:00:03:00:27", ip => "130.242.130.27"; } @@ -536,7 +537,6 @@ class sunet-dhcp-hosts { dhcp::host { 'registry.swamid': mac => "52:54:00:52:53:0b", ip => "130.242.125.90" } dhcp::host { 'mdx1.swamid': mac => "52:54:00:fe:bc:09", ip => "130.242.125.91" } dhcp::host { 'mdx2.swamid': mac => "52:54:00:30:be:dd", ip => "130.242.125.92" } - } class sshaccess { @@ -697,7 +697,7 @@ node 'cdr1.sunet.se' { } node 'sto-tug-kvm2.swamid.se' { - #class { 'fail2ban': } + class { 'sunet::nagios': } file {'/var/docker': ensure => 'directory', } -> @@ -713,6 +713,10 @@ node 'sto-tug-kvm2.swamid.se' { username => 'www-data', group => 'www-data', } -> + sunet::system_user {'memcache-system-user': + username => 'memcache', + group => 'memcache', + } -> file {'/var/docker/postgresql_data': ensure => 'directory', owner => 'postgres', @@ -751,10 +755,13 @@ node 'sto-tug-kvm2.swamid.se' { image => 'docker.sunet.se/flog/flog_app', volumes => ['/opt/flog/dotenv:/opt/flog/.env','/var/log/flog/:/opt/flog/logs/'], } -> + sunet::docker_run {'memcached': + image => 'docker.sunet.se/library/memcached', + } -> sunet::docker_run {'flog_nginx': - image => 'docker.sunet.se/flog/nginx', - ports => ['80:80', '443:443'], - volumes => ['/opt/flog/nginx/sites-enabled/:/etc/nginx/sites-enabled/','/opt/flog/nginx/certs/:/etc/nginx/certs', '/var/log/flog_nginx/:/var/log/nginx'], + image => 'docker.sunet.se/flog/nginx', + ports => ['80:80', '443:443'], + volumes => ['/opt/flog/nginx/sites-enabled/:/etc/nginx/sites-enabled/','/opt/flog/nginx/certs/:/etc/nginx/certs', '/var/log/flog_nginx/:/var/log/nginx'], } } @@ -806,54 +813,50 @@ class entropyserver { } } -class fail2ban { - - include augeas - - package {'fail2ban': ensure => 'latest'} - augeas { "fail2ban_defaults": - incl => "/etc/fail2ban/jail.conf", - lens => "Shellvars.lns", - changes => [ - 'set bantime "604800"', - ], - notify => Service['fail2ban'], - } -} - -define etcd_node($peers_file=undef,$cluster_name="etcd") { - file { ["/data","/data/${cluster_name}","/data/${cluster_name}/${name}"]: ensure => 'directory' } - sunet::docker_run { 'etcd_${name}': - image => 'quay.io/coreos/etcd', - extra_parameters => ["-initial-advertise-peer-urls http://${::ipaddress_eth1}:8001", - "-listen-peer-urls http://${::ipaddress_eth1}:8001", - "-advertise-client-urls http://${::ipaddress_eth1}:5001", - "-listen-client-urls http://${::ipaddress_eth1}:5001", - "-name ${::hostname}", - "-data-dir /data/${cluster_name}/${name}", - "-initial-cluster-token ${cluster_name}", - "-peers-file ${peers_file}"], - ports => ["8001:8001","5001:5001"] - - - } -} - class quantis { apt::ppa {'ppa:ndn/quantispci': } package {'quantispci-dkms': } } class webcommon { + file {"/data": ensure => directory } + sunet::docker_run{"web_registrator": + image => "gliderlabs/registrator", + imagetag => "latest", + hostname => "${::fqdn}", + volumes => ["/var/run/docker.sock:/tmp/docker.sock"], + command => "etcd://etcd_sunetweb.docker:4001/services" + } } class webfrontend { class { 'webcommon': } docker::image {'docker.sunet.se/pound': } - docker::image {'docker.sunet.se/varnish': } + sunet::etcd_node {'sunetweb': + disco_url => 'https://discovery.etcd.io/877f25988ea1e8bb8c9a49f2ad5f5f6a', + proxy => true + } -> + sunet::docker_run{"varnish": + image => "docker.sunet.se/varnish-auto", + imagetag => "latest", + env => ["ETCD_URL=http://etcd_sunetweb.docker:4001"], + ports => ["80:80"], + } } class webappserver { + sunet::etcd_node {'sunetweb': + disco_url => 'https://discovery.etcd.io/877f25988ea1e8bb8c9a49f2ad5f5f6a', + proxy => true + } + class { 'webcommon': } +} + +class webbackend { + sunet::etcd_node {'sunetweb': + disco_url => 'https://discovery.etcd.io/877f25988ea1e8bb8c9a49f2ad5f5f6a', + proxy => false + } class { 'webcommon': } } diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp index 8df416b..4b56a03 100644 --- a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp +++ b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp @@ -7,6 +7,8 @@ define sunet::docker_run( $env = [], $net = 'bridge', $extra_parameters = [], + $command = "", + $hostname = undef, ) { # Make container use unbound resolver on dockerhost @@ -26,6 +28,7 @@ define sunet::docker_run( '/etc/passwd:/etc/passwd:ro', # uid consistency '/etc/group:/etc/group:ro', # gid consistency ]), + hostname => $hostname, ports => $ports, env => $env, net => $net, @@ -34,6 +37,7 @@ define sunet::docker_run( ]), dns => $dns, verify_checksum => false, # Rely on registry security for now. eduID risk #31. + command => $command, pre_start => 'run-parts /usr/local/etc/docker.d', post_start => 'run-parts /usr/local/etc/docker.d', pre_stop => 'run-parts /usr/local/etc/docker.d', diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/etcd_node.pp b/global/overlay/etc/puppet/modules/sunet/manifests/etcd_node.pp new file mode 100644 index 0000000..a80d355 --- /dev/null +++ b/global/overlay/etc/puppet/modules/sunet/manifests/etcd_node.pp @@ -0,0 +1,44 @@ +define sunet::etcd_node( + $disco_url = undef, + $etcd_version = 'v2.0.8', + $proxy = true +) +{ + include stdlib + + file { ["/data/${name}","/data/${name}/${::hostname}"]: ensure => 'directory' } + $common_args = ["--discovery ${disco_url}", + "--name ${::hostname}", + "--data-dir /data", + "--key-file /etc/ssl/private/${::fqdn}_infra.key", + "--ca-file /etc/ssl/certs/infra.crt", + "--cert-file /etc/ssl/certs/${::fqdn}_infra.crt"] + if $proxy { + $args = concat($common_args,["--proxy on","--listen-client-urls http://0.0.0.0:4001,http://0.0.0.0:2379"]) + } else { + $args = concat($common_args,["--initial-advertise-peer-urls http://${::ipaddress_eth1}:2380", + "--advertise-client-urls http://${::ipaddress_eth1}:2379", + "--listen-peer-urls http://0.0.0.0:2380", + "--listen-client-urls http://0.0.0.0:4001,http://0.0.0.0:2379", + "--peer-key-file /etc/ssl/private/${::fqdn}_infra.key", + "--peer-ca-file /etc/ssl/certs/infra.crt", + "--peer-cert-file /etc/ssl/certs/${::fqdn}_infra.crt"]) + } + sunet::docker_run { "etcd_${name}": + image => 'quay.io/coreos/etcd', + imagetag => $etcd_version, + volumes => ["/data/${name}:/data","/etc/ssl:/etc/ssl"], + command => join($args," "), + ports => ["${::ipaddress_eth1}:2380:2380","${::ipaddress_eth1}:2379:2379","${::ipaddress_docker0}:4001:2379"] + } + if !$proxy { + ufw::allow { "allow-etcd-peer": + ip => "${::ipaddress_eth1}", + port => 2380 + } + ufw::allow { "allow-etcd-client": + ip => "${::ipaddress_eth1}", + port => 2379 + } + } +} diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/fail2ban.pp b/global/overlay/etc/puppet/modules/sunet/manifests/fail2ban.pp new file mode 100644 index 0000000..01a9662 --- /dev/null +++ b/global/overlay/etc/puppet/modules/sunet/manifests/fail2ban.pp @@ -0,0 +1,14 @@ +class sunet::fail2ban { + + package {'fail2ban': + ensure => 'latest' + } -> + service {'fail2ban': + ensure => 'running' + } + exec {"fail2ban_defaults": + refreshonly => true, + subscribe => Service['fail2ban'], + command => "sleep 5; /usr/bin/fail2ban-client set ssh bantime 600800" + } +} diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/nagios.pp b/global/overlay/etc/puppet/modules/sunet/manifests/nagios.pp new file mode 100644 index 0000000..91ccf6c --- /dev/null +++ b/global/overlay/etc/puppet/modules/sunet/manifests/nagios.pp @@ -0,0 +1,49 @@ +class sunet::nagios { + + $nagios_ip_v4 = hiera('nagios_ip_v4', '109.105.111.111') + $nagios_ip_v6 = hiera('nagios_ip_v6', '2001:948:4:6::111') + $allowed_hosts = "${nagios_ip_v4},${nagios_ip_v6}" + + package {'nagios-nrpe-server': + ensure => 'installed', + } + service {'nagios-nrpe-server': + ensure => 'running', + enable => 'true', + require => Package['nagios-nrpe-server'], + } + file { "/etc/nagios/nrpe.cfg" : + notify => Service['nagios-nrpe-server'], + ensure => 'file', + mode => '0640', + group => 'nagios', + require => Package['nagios-nrpe-server'], + content => template('sunet/nagioshost/nrpe.cfg.erb'), + } + file { "/usr/lib/nagios/plugins/check_uptime.pl" : + ensure => 'file', + mode => '0751', + group => 'nagios', + require => Package['nagios-nrpe-server'], + content => template('sunet/nagioshost/check_uptime.pl.erb'), + } + file { "/usr/lib/nagios/plugins/check_reboot" : + ensure => 'file', + mode => '0751', + group => 'nagios', + require => Package['nagios-nrpe-server'], + content => template('sunet/nagioshost/check_reboot.erb'), + } + ufw::allow { "allow-nrpe-v4": + from => "${nagios_ip_v4}", + ip => 'any', + proto => 'tcp', + port => 5666 + } + ufw::allow { "allow-nrpe-v6": + from => "${nagios_ip_v6}", + ip => 'any', + proto => 'tcp', + port => 5666 + } +} diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp index 14df323..d89302f 100644 --- a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp +++ b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp @@ -1,5 +1,8 @@ define sunet::server() { + # fail2ban + class { 'sunet::fail2ban': } + # Set up encrypted swap sunet::encrypted_swap { 'sunet_encrypted_swap': } @@ -84,4 +87,5 @@ define line($file, $line, $ensure = 'present') { } } } + } diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp b/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp index 8daef2e..6f6abed 100644 --- a/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp +++ b/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp @@ -5,12 +5,12 @@ $db_host = undef, $wordpress_version = "4.1.1", $myqsl_version = "5.7") { + include augeas $db_hostname = $db_host ? { undef => "${name}_mysql.docker", default => $db_host } $pwd = hiera("${name}_db_password",'NOT_SET_IN_HIERA') - file {"/data": ensure => directory } -> file {"/data/${name}": ensure => directory } -> file {"/data/${name}/html": ensure => directory } -> sunet::docker_run { "${name}_wordpress": @@ -18,7 +18,8 @@ $myqsl_version = "5.7") imagetag => $wordpress_version, volumes => ["/data/${name}/html:/var/www/html"], ports => ["8080:80"], - env => [ "WORDPRESS_DB_HOST=${db_hostname}", + env => [ "SERVICE_NAME=${name}", + "WORDPRESS_DB_HOST=${db_hostname}", "WORDPRESS_DB_USER=${name}", "WORDPRESS_DB_NAME=${name}", "WORDPRESS_DB_PASSWORD=${pwd}" ] @@ -37,5 +38,16 @@ $myqsl_version = "5.7") "MYSQL_ROOT_PASSWORD=${pwd}", "MYSQL_DATABASE=${name}"] } + package {'automysqlbackup': ensure => latest } -> + augeas { 'automysqlbackup_settings': + incl => "/etc/default/automysqlbackup", + lens => "Shellvars.lns", + changes => [ + "set USERNAME ${name}", + "set PASSWORD ${pwd}", + "set DBHOST ${db_hostname}", + "set DBNAMES ${name}" + ] + } } } diff --git a/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_reboot.erb b/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_reboot.erb new file mode 100755 index 0000000..aa0bd5d --- /dev/null +++ b/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_reboot.erb @@ -0,0 +1,37 @@ +#!/bin/bash +declare -rx PROGNAME=${0##*/} +declare -rx PROGPATH=${0%/*}/ + +function cleanup { + #if [ -e "$TMPFILE" ] ; then + #rm "$TMPFILE" + #fi + exit $1 +} + +if [ -r "${PROGPATH}utils.sh" ] ; then + source "${PROGPATH}utils.sh" +else + echo "Can't find utils.sh." + printf "Currently being run from %s\n" "$PROGPATH" + # since we couldn't define STATE_UNKNOWN since reading utils.sh failed, we use 3 here but everywhere else after this use cleanup $STATE + cleanup 3 +fi + +STATE=$STATE_UNKNOWN + + +if [ -f /var/run/reboot-required.pkgs ] +then + pkg=`cat /var/run/reboot-required.pkgs` +fi + +if [ -f /var/run/reboot-required ] +then + echo "Reboot WARNING: System reboot required by package $pkg" + cleanup $STATE_WARNING; +fi + echo "Reboot OK: No reboot required" + cleanup $STATE_OK; +cleanup $STATE; + diff --git a/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_uptime.pl.erb b/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_uptime.pl.erb new file mode 100755 index 0000000..dda05e4 --- /dev/null +++ b/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_uptime.pl.erb @@ -0,0 +1,721 @@ +#!/usr/bin/perl -w +# +# ============================== SUMMARY ===================================== +# +# Program : check_uptime.pl +# Version : 0.52 +# Date : June 19, 2012 +# Authors : William Leibzon - william@leibzon.org +# Licence : GPL - summary below, full text at http://www.fsf.org/licenses/gpl.txt +# +# =========================== PROGRAM LICENSE ================================= +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# +# ===================== INFORMATION ABOUT THIS PLUGIN ========================= +# +# This plugin returns uptime of the system returning data in text (readable) +# format as well as in minutes for performance graphing. The plugin can either +# run on local system unix system (that supports standard 'uptime' command +# or check remote system by SNMP. The plugin can report one CRITICAL or +# WARNING alert if system has been rebooted since last check. +# +# ====================== SETUP AND PLUGIN USE NOTES ========================= +# +# The plugin can either retrieve information from local system (when you +# run it through check_nrpe for example) or by SNMP from remote system. +# +# On local system it will execute standard unix 'uptime' and 'uname -a'. +# +# On a remote system it'll retrieve data from sysSystem for system type +# and use that to decide if further data should be retrieved from +# sysUptime (OID 1.3.6.1.2.1.1.3.0) for windows or +# hostUptime (OID 1.3.6.1.2.1.25.1.1.0) for unix system or +# snmpEngineTime (OID 1.3.6.1.6.3.10.2.1.3) for cisco switches +# +# For information on available options please execute it with --help i.e: +# check_uptime.pl --help +# +# As I dont have time for extensive documentation below is all very brief: +# +# 1. You can also specify warning and critical thresholds which will +# give warning or critical alert if system has been up for lees then +# specified number of minutes. Example: +# check_uptime.pl -w 5 +# Will give warning alert if system has been up for less then 5 minutes +# +# 2. For performance data results you can use '-f' option which will give +# total number of minutes the system has been up. +# +# 3. A special case is use of performance to feed data from previous run +# back into the plugin. This is used to cache results about what type +# of system it is (you can also directly specify this with -T option) +# and also means -w and -c threshold values are ignored and instead +# plugin will issue ONE alert (warning or critical) if system uptime +# changes from highier value to lower +# +# ============================ EXAMPLES ======================================= +# +# 1. Local server (use with NRPE or on nagios host), warning on < 5 minutes: +# +# define command { +# command_name check_uptime +# command_line $USER1$/check_uptime.pl -f -w 5 +# } +# +# 2. Local server (use with NRPE or on nagios host), +# one critical alert on reboot: +# +# define command { +# command_name check_uptime +# command_line $USER1$/check_uptime.pl -f -c -P "SERVICEPERFDATA$" +# } +# +# 3. Remote server SNMP v2, one warning alert on reboot, +# autodetect and cache type of server: +# +# define command { +# command_name check_snmp_uptime_v2 +# command_line $USER1$/check_uptime.pl -2 -f -w -H $HOSTADDRESS$ -C $_HOSTSNMP_COMMUNITY$ -P "$SERVICEPERFDATA$" +# } +# +# 4. Remote server SNMP v3, rest as above +# +#define command { +# command_name check_snmp_uptime_v3 +# command_line $USER1$/check_uptime.pl -f -w -H $HOSTADDRESS$ -l $_HOSTSNMP_V3_USER$ -x $_HOSTSNMP_V3_AUTH$ -X $_HOSTSNMP_V3_PRIV$ -L sha,aes -P "$SERVICEPERFDATA$" +# } +# +# 5. Example of service definition using above +# +# define service{ +# use std-service +# hostgroup_name all_snmp_hosts +# service_description SNMP Uptime +# max_check_attempts 1 +# check_command check_snmp_uptime +# } +# +# 6. And this is optional dependency definition for above which makes +# every SNMP service (service beloning to SNMP servicegroup) on +# same host dependent on this SNMP Uptime check. Then if SNMP +# daemon goes down you only receive one alert +# +# define servicedependency{ +# service_description SNMP Uptime +# dependent_servicegroup_name snmp +# } +# +# ============================= VERSION HISTORY ============================== +# +# 0.1 - sometime 2006 : Simple script for tracking local system uptime +# 0.2 - sometime 2008 : Update to get uptime by SNMP, its now alike my other plugins +# 0.3 - Nov 14, 2009 : Added getting system info line and using that to decide +# format of uptime line and how to process it. Added support +# for getting uptime with SNMP from windows systems. +# Added documentation header alike my other plugins. +# Planned to release it to public, but forgot. +# 0.4 - Dec 19, 2011 : Update to support SNMP v3, released to public +# 0.41 - Jan 13, 2012 : Added bug fix by Rom_UA posted as comment on Nagios Exchange +# Added version history you're reading right now. +# 0.42 - Feb 13, 2012 : Bug fix to not report WARNING if uptime is not correct output +# 0.5 - Feb 29, 2012 : Added support for "netswitch" engine type that retrieves +# snmpEngineTime. Added proper support for sysUpTime interpreting +# it as 1/100s of a second and converting to days,hours,minutes +# Changed internal processing structure, now reported uptime +# info text is based on uptime_minutes and not separate. +# 0.51 - Jun 05, 2012 : Bug fixed for case when when snmp system info is < 3 words. +# 0.52 - Jun 19, 2012 : For switches if snmpEngineTime OID is not available, +# the plugin will revert back to checking hostUptime and +# then sysUptime. Entire logic has in fact been changed +# to support trying more than just two OIDs. Also added +# support to specify filename to '-v' option for debug +# output to go to instead of console and for '--debug' +# option as an alias to '--verbose'. +# +# TODO: +# 0) Add '--extra-opts' to allow to read options from a file as specified +# at http://nagiosplugins.org/extra-opts. This is TODO for all my plugins +# 1) Add support for ">", "<" and other threshold qualifiers +# as done in check_snmp_temperature.pl or check_mysqld.pl +# 2) Support for more types, in particular network equipment such as cisco: [DONE] +# sysUpTime is a 32-bit counter in 1/100 of a second, it rolls over after 496 days +# snmpEngineTime (.1.3.6.1.6.3.10.2.1.3) returns the uptime in seconds and will not +# roll over, however some cisco switches (29xx) are buggy and it gets reset too. +# Routers running 12.0(3)T or higher can use the snmpEngineTime object from +# the SNMP-FRAMEWORK-MIB. This keeps track of seconds since SNMP engine started. +# 3) Add threshold into perfout as ';warn;crit' +# +# ========================== START OF PROGRAM CODE =========================== + +use strict; +use Getopt::Long; + +# Nagios specific +our $TIMEOUT; +our %ERRORS; +eval 'use utils qw(%ERRORS $TIMEOUT)'; +if ($@) { + $TIMEOUT = 10; + %ERRORS = ('OK'=>0,'WARNING'=>1,'CRITICAL'=>2,'UNKNOWN'=>3,'DEPENDENT'=>4); +} + +our $no_snmp=0; +eval 'use Net::SNMP'; +if ($@) { + $no_snmp=1; +} + +# Version +my $Version='0.52'; + +# SNMP OID +my $oid_sysSystem = '1.3.6.1.2.1.1.1.0'; # windows and some unix +my $oid_hostUptime = '1.3.6.1.2.1.25.1.1.0'; # hostUptime, usually unix systems +my $oid_sysUptime = '1.3.6.1.2.1.1.3.0'; # sysUpTime, windows +my $oid_engineTime = '1.3.6.1.6.3.10.2.1.3'; # SNMP-FRAMEWORK-MIB + +my @oid_uptime_types = ( ['', '', ''], # type 0 is reserved + [ 'local', '', ''], # type 1 is local + [ 'win', 'sysUpTime', $oid_sysUptime ], # type 2 is windows + [ 'unix-host', 'hostUpTime', $oid_hostUptime ], # type 3 is unix-host + [ 'unix-sys', 'sysUpTime', $oid_sysUptime ], # type 4 is unix-sys + [ 'net', 'engineTime', $oid_engineTime ]); # type 5 is netswitch + +# Not used, but perhaps later +my $oid_hrLoad = '1.3.6.1.2.1.25.3.3.1.2.1'; +my $oid_sysLoadInt1 = '1.3.6.1.4.1.2021.10.1.5.1'; +my $oid_sysLoadInt5 = '1.3.6.1.4.1.2021.10.1.5.2'; +my $oid_sysLoadInt15 = '1.3.6.1.4.1.2021.10.1.5.3'; + +# Standard options +my $o_host = undef; # hostname +my $o_timeout= undef; # Timeout (Default 10) +my $o_help= undef; # wan't some help ? +my $o_verb= undef; # verbose mode +my $o_version= undef; # print version +my $o_label= undef; # change label instead of printing uptime +my $o_perf= undef; # Output performance data (uptime in minutes) +my $o_prevperf= undef; # performance data given with $SERVICEPERFDATA$ macro +my $o_warn= undef; # WARNING alert if system has been up for < specified number of minutes +my $o_crit= undef; # CRITICAL alert if system has been up for < specified number of minutes +my $o_type= undef; # type of check (local, auto, unix, win) + +# Login and other options specific to SNMP +my $o_port = 161; # SNMP port +my $o_community = undef; # community +my $o_version2 = undef; # use snmp v2c +my $o_login= undef; # Login for snmpv3 +my $o_passwd= undef; # Pass for snmpv3 +my $v3protocols= undef; # V3 protocol list. +my $o_authproto= 'md5'; # Auth protocol +my $o_privproto= 'des'; # Priv protocol +my $o_privpass= undef; # priv password + +## Additional global variables +my %prev_perf= (); # array that is populated with previous performance data +my $check_type = 0; + +sub p_version { print "check_uptime version : $Version\n"; } + +sub print_usage { + print "Usage: $0 [-v [debugfilename]] [-T local|unix-host|unix-sys|win|net] [-H <host> (-C <snmp_community>) [-2] | (-l login -x passwd [-X pass -L <authp>,<privp>) [-p <port>]] [-w <warn minutes> -s <crit minutes>] [-f] [-P <previous perf data from nagios \$SERVICEPERFDATA\$>] [-t <timeout>] | [-V] [--label <string>]\n"; +} + +sub isnnum { # Return true if arg is not a number + my $num = shift; + if ( $num =~ /^(\d+\.?\d*)|(^\.\d+)$/ ) { return 0 ;} + return 1; +} + +sub div_mod { return int( $_[0]/$_[1]) , ($_[0] % $_[1]); } + +sub help { + print "\nUptime Plugin for Nagios (check_uptime) v. ",$Version,"\n"; + print "GPL licence, (c) 2008-2012 William Leibzon\n\n"; + print_usage(); + print <<EOT; + +Debug & Console Options: + -v, --verbose[=FILENAME], --debug[=FILENAME] + print extra debugging information. + if filename is specified instead of STDOUT the debug data is written to that file + -h, --help + print this help message + -V, --version + prints version number + +Standard Options: + -T, --type=auto|local|unix-host|unis-sys|windows|netswitch + Type of system: + local : localhost (executes 'uptime' command), default if no -C or -l + unix-host : SNMP check from hostUptime ($oid_hostUptime) OID + unix-sys : SNMP check from sysUptime ($oid_sysUptime) OID + win | windows : SNMP check from sysUptime ($oid_sysUptime) OID + net | netswitch : SNMP check from snmpEngineTime ($oid_engineTime) OID + auto : Autodetect what system by checking sysSystem OID first, default + -w, --warning[=minutes] + Report nagios WARNING alert if system has been up for less then specified + number of minutes. If no minutes are specified but previous preformance + data is fed back with -P option then alert is sent ONLY ONCE when + uptime changes from greater value to smaller + -c, --critical[=minutes] + Report nagios CRITICAL alert if system has been up for less then + specified number of minutes or ONE ALERT if -P option is used and + system's previous uptime is larger then current on + -f, --perfparse + Perfparse compatible output + -P, --prev_perfdata + Previous performance data (normally put '-P \$SERVICEPERFDATA\$' in + nagios command definition). This is recommended if you dont specify + type of system with -T so that previously checked type of system info + is reused. This is also used to decide on warning/critical condition + if number of seconds is not specified with -w or -c. + --label=[string] + Optional custom label before results prefixed to results + -t, --timeout=INTEGER + timeout for SNMP in seconds (Default: 15) + +SNMP Access Options: + -H, --hostname=HOST + name or IP address of host to check (if not localhost) + -C, --community=COMMUNITY NAME + community name for the SNMP agent (used with v1 or v2c protocols) + -2, --v2c + use snmp v2c (can not be used with -l, -x) + -l, --login=LOGIN ; -x, --passwd=PASSWD + Login and auth password for snmpv3 authentication + If no priv password exists, implies AuthNoPriv + -X, --privpass=PASSWD + Priv password for snmpv3 (AuthPriv protocol) + -L, --protocols=<authproto>,<privproto> + <authproto> : Authentication protocol (md5|sha : default md5) + <privproto> : Priv protocols (des|aes : default des) + -p, --port=PORT + SNMP port (Default 161) +EOT +} + +# For verbose output (updated 06/06/12 to write to debug file if specified) +sub verb { + my $t=shift; + if (defined($o_verb)) { + if ($o_verb eq "") { + print $t,"\n"; + } + else { + if (!open(DEBUGFILE, ">>$o_verb")) { + print $t, "\n"; + } + else { + print DEBUGFILE $t,"\n"; + close DEBUGFILE; + } + } + } +} + +# load previous performance data +sub process_perf { + my %pdh; + my ($nm,$dt); + foreach (split(' ',$_[0])) { + if (/(.*)=(.*)/) { + ($nm,$dt)=($1,$2); + verb("prev_perf: $nm = $dt"); + # in some of my plugins time_ is to profile how long execution takes for some part of plugin + # $pdh{$nm}=$dt if $nm !~ /^time_/; + $pdh{$nm}=$dt; + } + } + return %pdh; +} + +sub type_from_name { + my $type=shift; + for(my $i=1; $i<scalar(@oid_uptime_types); $i++) { + if ($oid_uptime_types[$i][0] eq $type) { + return $i; + } + } + return -1; +} + + +sub check_options { + Getopt::Long::Configure ("bundling"); + GetOptions( + 'v:s' => \$o_verb, 'verbose:s' => \$o_verb, "debug:s" => \$o_verb, + 'h' => \$o_help, 'help' => \$o_help, + 'H:s' => \$o_host, 'hostname:s' => \$o_host, + 'p:i' => \$o_port, 'port:i' => \$o_port, + 'C:s' => \$o_community, 'community:s' => \$o_community, + '2' => \$o_version2, 'v2c' => \$o_version2, + 'l:s' => \$o_login, 'login:s' => \$o_login, + 'x:s' => \$o_passwd, 'passwd:s' => \$o_passwd, + 'X:s' => \$o_privpass, 'privpass:s' => \$o_privpass, + 'L:s' => \$v3protocols, 'protocols:s' => \$v3protocols, + 't:i' => \$o_timeout, 'timeout:i' => \$o_timeout, + 'V' => \$o_version, 'version' => \$o_version, + 'f' => \$o_perf, 'perfparse' => \$o_perf, + 'w:i' => \$o_warn, 'warning:i' => \$o_warn, + 'c:i' => \$o_crit, 'critical:i' => \$o_crit, + 'label:s' => \$o_label, + 'P:s' => \$o_prevperf, 'prev_perfdata:s' => \$o_prevperf, + 'T:s' => \$o_type, 'type:s' => \$o_type, + ); + if (defined ($o_help) ) { help(); exit $ERRORS{"UNKNOWN"}}; + if (defined($o_version)) { p_version(); exit $ERRORS{"UNKNOWN"}}; + + $o_type = "win" if defined($o_type) && $o_type eq 'windows'; + $o_type = "net" if defined($o_type) && $o_type eq 'netswitch'; + if (defined($o_type) && $o_type ne 'auto' && type_from_name($o_type)==-1) { + print "Invalid system type specified\n"; print_usage(); exit $ERRORS{"UNNKNOWN"}; + } + + if (!defined($o_community) && (!defined($o_login) || !defined($o_passwd)) ) { + $o_type='local' if !defined($o_type) || $o_type eq 'auto'; + if ($o_type ne 'local') { + print "Put snmp login info!\n"; print_usage(); exit $ERRORS{"UNKNOWN"} + } + if (defined($o_host)) { + print "Why are you specifying hostname without SNMP parameters?\n"; print_usage(); exit $ERRORS{"UNKNOWN"}; + } + } + else { + $o_type='auto' if !defined($o_type); + if ($o_type eq 'local' ) { + print "Why are you specifying SNMP login for local system???\n"; print_usage(); exit $ERRORS{"UNKNOWN"} + } + if (!defined($o_host)) { + print "Hostname required for SNMP check.\n"; print_usage(); exit $ERRORS{"UNKNOWN"}; + } + if ($no_snmp) { + print "Can't locate Net/SNMP.pm\n"; print_usage(); exit $ERRORS{"UNKNOWN"}; + } + } + + # check snmp information + if ((defined($o_login) || defined($o_passwd)) && (defined($o_community) || defined($o_version2)) ) + { print "Can't mix snmp v1,2c,3 protocols!\n"; print_usage(); exit $ERRORS{"UNKNOWN"}} + if (defined ($v3protocols)) { + if (!defined($o_login)) { print "Put snmp V3 login info with protocols!\n"; print_usage(); exit $ERRORS{"UNKNOWN"}} + my @v3proto=split(/,/,$v3protocols); + if ((defined ($v3proto[0])) && ($v3proto[0] ne "")) {$o_authproto=$v3proto[0]; } # Auth protocol + if (defined ($v3proto[1])) {$o_privproto=$v3proto[1]; } # Priv protocol + if ((defined ($v3proto[1])) && (!defined($o_privpass))) + { print "Put snmp V3 priv login info with priv protocols!\n"; print_usage(); exit $ERRORS{"UNKNOWN"}} + } + + if (defined($o_timeout) && (isnnum($o_timeout) || ($o_timeout < 2) || ($o_timeout > 60))) + { print "Timeout must be >1 and <60 !\n"; print_usage(); exit $ERRORS{"UNKNOWN"}} + if (!defined($o_timeout)) {$o_timeout=$TIMEOUT+5;} + + if (defined($o_prevperf)) { + if (defined($o_perf)) { + %prev_perf=process_perf($o_prevperf); + $check_type = $prev_perf{type} if $o_type eq 'auto' && exists($prev_perf{tye}) && exists($oid_uptime_types[$prev_perf{type}][0]); + } + else { + print "need -f option first \n"; print_usage(); exit $ERRORS{"UNKNOWN"}; + } + } + + if ($o_type eq 'auto') { + $check_type=0; + } + else { + $check_type = type_from_name($o_type); + } +} + +sub create_snmp_session { + my ($session,$error); + + if ( defined($o_login) && defined($o_passwd)) { + # SNMPv3 login + if (!defined ($o_privpass)) { + verb("SNMPv3 AuthNoPriv login : $o_login, $o_authproto"); + ($session, $error) = Net::SNMP->session( + -hostname => $o_host, + -version => '3', + -port => $o_port, + -username => $o_login, + -authpassword => $o_passwd, + -authprotocol => $o_authproto, + -timeout => $o_timeout + ); + } else { + verb("SNMPv3 AuthPriv login : $o_login, $o_authproto, $o_privproto"); + ($session, $error) = Net::SNMP->session( + -hostname => $o_host, + -version => '3', + -username => $o_login, + -port => $o_port, + -authpassword => $o_passwd, + -authprotocol => $o_authproto, + -privpassword => $o_privpass, + -privprotocol => $o_privproto, + -timeout => $o_timeout + ); + } + } else { + if (defined ($o_version2)) { + # SNMPv2c Login + verb("SNMP v2c login"); + ($session, $error) = Net::SNMP->session( + -hostname => $o_host, + -version => 2, + -community => $o_community, + -port => $o_port, + -timeout => $o_timeout + ); + } else { + # SNMPV1 login + verb("SNMP v1 login"); + ($session, $error) = Net::SNMP->session( + -hostname => $o_host, + -community => $o_community, + -port => $o_port, + -timeout => $o_timeout + ); + } + } + if (!defined($session)) { + printf("ERROR opening session: %s.\n", $error); + exit $ERRORS{"UNKNOWN"}; + } + + return $session; +} + +$SIG{'ALRM'} = sub { + print "Alarm timeout\n"; + exit $ERRORS{"UNKNOWN"}; +}; + +########## MAIN ####### +my $system_info=""; +my $uptime_info=undef; +my $uptime_minutes=undef; +my $perf_out=""; +my $status=0; +my $uptime_output; +my ($days, $hrs, $mins); + +check_options(); + +# Check gobal timeout if snmp screws up +if (defined($o_timeout)) { + verb("Alarm at $o_timeout + 5"); + alarm($o_timeout+5); +} + +if ($check_type==1) { # local + # Process unix uptime command output + $uptime_output=`uptime`; + verb("Local Uptime Result is: $uptime_output"); + if ($uptime_output =~ /(\d+)\s+days?,\s+(\d+)\:(\d+)/) { + ($days, $hrs, $mins) = ($1, $2, $3); + } + elsif ($uptime_output =~ /up\s+(\d+)\shours?\s+(\d+)/) { + ($days, $hrs, $mins) = (0, $1, $2); + } + elsif ($uptime_output =~ /up\s+(\d+)\:(\d+)/) { + ($days, $hrs, $mins) = (0, $1, $2); + } + elsif ($uptime_output =~ /up\s+(\d+)\s+min/) { + ($days, $hrs, $mins) = (0,0,$1); + } + elsif ($uptime_output =~ /up\s+(d+)s+days?,s+(d+)s+min/) { + ($days, $hrs, $mins) = ($1,0,$2); + } + else { + $uptime_info = "up ".$uptime_output; + } + if (defined($days) && defined($hrs) && defined($mins)) { + $uptime_minutes = $days*24*60+$hrs*60+$mins; + } + my @temp=split(' ',`uname -a`); + if (scalar(@temp)<3) { + $system_info=`uname -a`; + } + else { + $system_info=join(' ',$temp[0],$temp[1],$temp[2]); + } +} +else { + # SNMP connection + my $session=create_snmp_session(); + my $result=undef; + my $oid=""; + my $guessed_check_type=0; + + if ($check_type==0){ + $result = $session->get_request(-varbindlist=>[$oid_sysSystem]); + if (!defined($result)) { + printf("ERROR: Can not retrieve $oid_sysSystem table: %s.\n", $session->error); + $session->close; + exit $ERRORS{"UNKNOWN"}; + } + verb("$o_host SysInfo Result from OID $oid_sysSystem: $result->{$oid_sysSystem}"); + if ($result->{$oid_sysSystem} =~ /Windows/) { + $guessed_check_type=2; + verb('Guessing Type: 2 = windows'); + } + if ($result->{$oid_sysSystem} =~ /Cisco/) { + $guessed_check_type=5; + verb('Guessing Type: 5 = netswitch'); + } + if ($guessed_check_type==0) { + $guessed_check_type=3; # will try hostUptime first + } + $oid=$oid_uptime_types[$guessed_check_type][2]; + } + else { + $oid=$oid_uptime_types[$check_type][2]; + } + + do { + $result = $session->get_request(-varbindlist=>[$oid,$oid_sysSystem]); + if (!defined($result)) { + if ($check_type!=0) { + printf("ERROR: Can not retrieve uptime OID table $oid: %s.\n", $session->error); + $session->close; + exit $ERRORS{"UNKNOWN"}; + } + else { + if ($session->error =~ /noSuchName/) { + if ($guessed_check_type==4) { + verb("Received noSuchName error for sysUpTime OID $oid. Giving up."); + $guessed_check_type=0; + } + if ($guessed_check_type==3) { + verb("Received noSuchName error for hostUpTime OID $oid, will now try sysUpTime"); + $guessed_check_type=4; + } + else { + verb("Received noSuchName error for OID $oid, will now try hostUpTime"); + $guessed_check_type=3; + } + if ($guessed_check_type!=0) { + $oid=$oid_uptime_types[$guessed_check_type][2]; + } + } + else { + printf("ERROR: Can not retrieve uptime OID table $oid: %s.\n", $session->error); + $session->close; + exit $ERRORS{"UNKNOWN"}; + } + } + } + else { + if ($check_type==0) { + $check_type=$guessed_check_type; + } + } + } + while (!defined($result) && $guessed_check_type!=0); + + $session->close; + if ($check_type==0 && $guessed_check_type==0) { + printf("ERROR: Can not autodetermine proper uptime OID table. Giving up.\n"); + exit $ERRORS{"UNKNOWN"}; + } + + my ($days, $hrs, $mins); + $uptime_output=$result->{$oid}; + verb("$o_host Uptime Result from OID $oid: $uptime_output"); + + if ($uptime_output =~ /(\d+)\s+days?,\s+(\d+)\:(\d+)/) { + ($days, $hrs, $mins) = ($1, $2, $3); + } + elsif ($uptime_output =~ /(\d+)\s+hours?,\s+(\d+)\:(\d+)/) { + ($days, $hrs, $mins) = (0, $1, $2); + } + elsif ($uptime_output =~ /(\d+)\s+min/) { + ($days, $hrs, $mins) = (0, 0, $1); + } + if (defined($days) && defined($hrs) && defined($mins)) { + $uptime_minutes = $days*24*60+$hrs*60+$mins; + } + elsif ($uptime_output =~ /^(\d+)$/) { + my $upnum = $1; + if ($oid eq $oid_sysUptime) { + $uptime_minutes = $upnum/100/60; + } + elsif ($oid eq $oid_engineTime) { + $uptime_minutes = $upnum/60; + } + } + else { + $uptime_info = "up ".$uptime_output; + } + my @temp=split(' ',$result->{$oid_sysSystem}); + if (scalar(@temp)<3) { + $system_info=$result->{$oid_sysSystem}; + } + else { + $system_info=join(' ',$temp[0],$temp[1],$temp[2]); + } +} + +if (defined($uptime_minutes) && !defined($uptime_info)) { + ($hrs,$mins) = div_mod($uptime_minutes,60); + ($days,$hrs) = div_mod($hrs,24); + $uptime_info = "up "; + $uptime_info .= "$days days " if $days>0; + $uptime_info .= "$hrs hours " if $hrs>0; + $uptime_info .= "$mins minutes"; +} + +verb("System Type: $check_type (".$oid_uptime_types[$check_type][0].")"); +verb("System Info: $system_info") if $system_info; +verb("Uptime Text: $uptime_info") if defined($uptime_info); +verb("Uptime Minutes: $uptime_minutes") if defined($uptime_minutes); + +if (!defined($uptime_info)) { + $uptime_info = "Can not determine uptime"; + $status = 3; +} + +if (defined($o_perf)) { + $perf_out = "type=$check_type"; + $perf_out .= " uptime_minutes=$uptime_minutes" if defined($uptime_minutes); +} + +if (defined($uptime_minutes)) { + if (defined($o_prevperf)) { + $status = 1 if defined($o_warn) && exists($prev_perf{uptime_minutes}) && $prev_perf{uptime_minutes} > $uptime_minutes; + $status = 2 if defined($o_crit) && exists($prev_perf{uptime_minutes}) && $prev_perf{uptime_minutes} > $uptime_minutes; + } + else { + $status = 1 if defined($o_warn) && !isnnum($o_warn) && $o_warn >= $uptime_minutes; + $status = 2 if defined($o_crit) && !isnnum($o_crit) && $o_crit >= $uptime_minutes; + } +} +alarm(0); + +my $exit_status="UNKNOWN"; +$exit_status="OK" if $status==0; +$exit_status="WARNING" if $status==1; +$exit_status="CRITICAL" if $status==2; +$exit_status="UNKNOWN" if $status==3; +$exit_status="$o_label $exit_status" if defined($o_label); +print "$exit_status: $system_info"; +print " - $uptime_info"; +print " | ",$perf_out if $perf_out; +print "\n"; +exit $status; diff --git a/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/nrpe.cfg.erb b/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/nrpe.cfg.erb new file mode 100644 index 0000000..960dd61 --- /dev/null +++ b/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/nrpe.cfg.erb @@ -0,0 +1,262 @@ +<%# nrpe.cfg %> + +# ################################################### +# # # +# # # This file is managed with +# # # +# # # ##### # # ##### ##### ###### ##### +# # # # # # # # # # # # # +# # # # # # # # # # # ##### # +# # # ##### # # ##### ##### # # +# # # # # # # # # # +# # # # #### # # ###### # +# # # +# # # ... so you can't just change it locally. +# # # +# # ################################################### + +############################################################################# +# Sample NRPE Config File +# Written by: Ethan Galstad (nagios@nagios.org) +# +# Last Modified: 11-23-2007 +# +# NOTES: +# This is a sample configuration file for the NRPE daemon. It needs to be +# located on the remote host that is running the NRPE daemon, not the host +# from which the check_nrpe client is being executed. +############################################################################# + + +# LOG FACILITY +# The syslog facility that should be used for logging purposes. + +log_facility=daemon + + + +# PID FILE +# The name of the file in which the NRPE daemon should write it's process ID +# number. The file is only written if the NRPE daemon is started by the root +# user and is running in standalone mode. + +pid_file=/var/run/nagios/nrpe.pid + + + +# PORT NUMBER +# Port number we should wait for connections on. +# NOTE: This must be a non-priviledged port (i.e. > 1024). +# NOTE: This option is ignored if NRPE is running under either inetd or xinetd + +server_port=5666 + + + +# SERVER ADDRESS +# Address that nrpe should bind to in case there are more than one interface +# and you do not want nrpe to bind on all interfaces. +# NOTE: This option is ignored if NRPE is running under either inetd or xinetd + +#server_address=127.0.0.1 + + + +# NRPE USER +# This determines the effective user that the NRPE daemon should run as. +# You can either supply a username or a UID. +# +# NOTE: This option is ignored if NRPE is running under either inetd or xinetd + +nrpe_user=nagios + + + +# NRPE GROUP +# This determines the effective group that the NRPE daemon should run as. +# You can either supply a group name or a GID. +# +# NOTE: This option is ignored if NRPE is running under either inetd or xinetd + +nrpe_group=nagios + + + +# ALLOWED HOST ADDRESSES +# This is an optional comma-delimited list of IP address or hostnames +# that are allowed to talk to the NRPE daemon. Network addresses with a bit mask +# (i.e. 192.168.1.0/24) are also supported. Hostname wildcards are not currently +# supported. +# +# Note: The daemon only does rudimentary checking of the client's IP +# address. I would highly recommend adding entries in your /etc/hosts.allow +# file to allow only the specified host to connect to the port +# you are running this daemon on. +# +# NOTE: This option is ignored if NRPE is running under either inetd or xinetd + +allowed_hosts= <%= @allowed_hosts %> + +# COMMAND ARGUMENT PROCESSING +# This option determines whether or not the NRPE daemon will allow clients +# to specify arguments to commands that are executed. This option only works +# if the daemon was configured with the --enable-command-args configure script +# option. +# +# *** ENABLING THIS OPTION IS A SECURITY RISK! *** +# Read the SECURITY file for information on some of the security implications +# of enabling this variable. +# +# Values: 0=do not allow arguments, 1=allow command arguments + +dont_blame_nrpe=0 + + + +# BASH COMMAND SUBTITUTION +# This option determines whether or not the NRPE daemon will allow clients +# to specify arguments that contain bash command substitutions of the form +# $(...). This option only works if the daemon was configured with both +# the --enable-command-args and --enable-bash-command-substitution configure +# script options. +# +# *** ENABLING THIS OPTION IS A HIGH SECURITY RISK! *** +# Read the SECURITY file for information on some of the security implications +# of enabling this variable. +# +# Values: 0=do not allow bash command substitutions, +# 1=allow bash command substitutions + +allow_bash_command_substitution=0 + + + +# COMMAND PREFIX +# This option allows you to prefix all commands with a user-defined string. +# A space is automatically added between the specified prefix string and the +# command line from the command definition. +# +# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! *** +# Usage scenario: +# Execute restricted commmands using sudo. For this to work, you need to add +# the nagios user to your /etc/sudoers. An example entry for alllowing +# execution of the plugins from might be: +# +# nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/ +# +# This lets the nagios user run all commands in that directory (and only them) +# without asking for a password. If you do this, make sure you don't give +# random users write access to that directory or its contents! + +# command_prefix=/usr/bin/sudo + + + +# DEBUGGING OPTION +# This option determines whether or not debugging messages are logged to the +# syslog facility. +# Values: 0=debugging off, 1=debugging on + +debug=0 + + + +# COMMAND TIMEOUT +# This specifies the maximum number of seconds that the NRPE daemon will +# allow plugins to finish executing before killing them off. + +command_timeout=60 + + + +# CONNECTION TIMEOUT +# This specifies the maximum number of seconds that the NRPE daemon will +# wait for a connection to be established before exiting. This is sometimes +# seen where a network problem stops the SSL being established even though +# all network sessions are connected. This causes the nrpe daemons to +# accumulate, eating system resources. Do not set this too low. + +connection_timeout=300 + + + +# WEEK RANDOM SEED OPTION +# This directive allows you to use SSL even if your system does not have +# a /dev/random or /dev/urandom (on purpose or because the necessary patches +# were not applied). The random number generator will be seeded from a file +# which is either a file pointed to by the environment valiable $RANDFILE +# or $HOME/.rnd. If neither exists, the pseudo random number generator will +# be initialized and a warning will be issued. +# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness + +#allow_weak_random_seed=1 + + + +# INCLUDE CONFIG FILE +# This directive allows you to include definitions from an external config file. + +#include=<somefile.cfg> + + + +# INCLUDE CONFIG DIRECTORY +# This directive allows you to include definitions from config files (with a +# .cfg extension) in one or more directories (with recursion). + +#include_dir=<somedirectory> +#include_dir=<someotherdirectory> + + + +# COMMAND DEFINITIONS +# Command definitions that this daemon will run. Definitions +# are in the following format: +# +# command[<command_name>]=<command_line> +# +# When the daemon receives a request to return the results of <command_name> +# it will execute the command specified by the <command_line> argument. +# +# Unlike Nagios, the command line cannot contain macros - it must be +# typed exactly as it should be executed. +# +# Note: Any plugins that are used in the command lines must reside +# on the machine that this daemon is running on! The examples below +# assume that you have plugins installed in a /usr/local/nagios/libexec +# directory. Also note that you will have to modify the definitions below +# to match the argument format the plugins expect. Remember, these are +# examples only! + + +# The following examples use hardcoded command arguments... + +command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10 +command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20 +command[check_root]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p / +command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z +command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200 +command[check_uptime]=/usr/lib/nagios/plugins/check_uptime.pl -f +command[check_reboot]=/usr/lib/nagios/plugins/check_reboot + +# The following examples allow user-supplied arguments and can +# only be used if the NRPE daemon was compiled with support for +# command arguments *AND* the dont_blame_nrpe directive in this +# config file is set to '1'. This poses a potential security risk, so +# make sure you read the SECURITY file before doing this. + +#command[check_users]=/usr/lib/nagios/plugins/check_users -w $ARG1$ -c $ARG2$ +#command[check_load]=/usr/lib/nagios/plugins/check_load -w $ARG1$ -c $ARG2$ +#command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ +#command[check_procs]=/usr/lib/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$ + +# +# local configuration: +# if you'd prefer, you can instead place directives here +include=/etc/nagios/nrpe_local.cfg + +# +# you can place your config snipplets into nrpe.d/ +# only snipplets ending in .cfg will get included +include_dir=/etc/nagios/nrpe.d/ + diff --git a/global/overlay/etc/ssl/certs/infra.crt b/global/overlay/etc/ssl/certs/infra.crt new file mode 100644 index 0000000..a34ba57 --- /dev/null +++ b/global/overlay/etc/ssl/certs/infra.crt @@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF8zCCA9ugAwIBAgIBADANBgkqhkiG9w0BAQsFADA/MSAwHgYDVQQDExdTVU5F +VCBJbmZyYXN0cnVjdHVyZSBDQTEOMAwGA1UEChMFU1VORVQxCzAJBgNVBAYTAlNF +MB4XDTE1MDMyNDIyMDA0M1oXDTI1MDMyMTIyMDA0M1owPzEgMB4GA1UEAxMXU1VO +RVQgSW5mcmFzdHJ1Y3R1cmUgQ0ExDjAMBgNVBAoTBVNVTkVUMQswCQYDVQQGEwJT +RTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANX8E3tAkO2lm7aU18ND +hJtMARHObom9b+SpwrfgEI6dsnIqsrjzrZ1X+bv3AhlmWMS7aPr0BuvtsKxwcRaD +TRdfM7ik7L40vXAkBwVWvXJvjdF5d+AZI750S5G1jSh/v8Nz+zHsai1mtdnx7FT6 +Pg1BJbwf0IyIHZClcnO/OmwElNnGVB5uNp3e/67KCqI4IhjAt+4G30mRfIpZ1KoU +vexZsz++cZErCXEe0eWnhlnCjfobMKmEHhvX6RzvTbB80AL/tfrqnOEwD6y7iUOp +N9FSTiHvHxRiD80WglLrh2qHzSn3it91RA1OvfY0HoIgdz1F/l07Nlm8a6WrrbRZ +Pg+HzlZ31iy0/sqduj2fPrDuDDQn87Bu3ohsZPg1t700ZW+YMUWtmh9PHK04a2fI +f9ET7llJPYzyOQ1apoiAgPRf4pnxOSOgjUhVDBY20ppTKxFJ7WY9JSKRPj92A6Ht +2/uAfUapKPOPSaASIruVz7sZ7DqiWvq67uvRtwr5yytRoZ82HG1Z36DxSNUcJ2X8 +MmELT/ONQHolu8hiZCLDCienYWZUPBnaI9jblCqvmBrdlJzKdrWzb1zKEQNsducs +Klwgh5hZ6tJLca3v/sDx7odUK4MF+vuhEyRZyXUQBZ3+m7iII+2mHLyZ2EUpfBjZ +hlOERIttFErkPP5CsPkf8uvDAgMBAAGjgfkwgfYwHQYDVR0OBBYEFOcsnlEasB0B +HeZCtCcaNZNwwG3XMB8GA1UdIwQYMBaAFOcsnlEasB0BHeZCtCcaNZNwwG3XMDsG +CCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAoYfaHR0cDovL2NhLnN1bmV0LnNlL2lu +ZnJhL2NhLmNydDAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY2Euc3VuZXQuc2Uv +aW5mcmEvY3JsLnBlbTAjBgNVHRIEHDAahhhodHRwOi8vY2Euc3VuZXQuc2UvaW5m +cmEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEL +BQADggIBAHUlygRL3d5DEBKWVvsuWhWNq5O7QHqWYyRSEMbncHSsZJhryJvmI/4Z +KI0UpBC6KBJDRGnKWnTfNUsNa6ZC/hPb+9RTdVV7ODq5T1xCp9bueVmf2x/CQEIK +Rexwlv6+nMdUmFioxtTdKOCSkXu4L+dmIpzsbkUrl0wNSIeTga0StGyJZcbFq/cp +qur89YaiDSZ490C7UrQSaMRmBYTqmISmtlLzpGEPR3e6xoJbxws3zKeUYfF4Fzzi +t424jpgd+FHh7eEyNNqNqKP+kr/G4/BnJBzyr1uP+1/LSzJRHj/hNJV7R/8zr9KY +hZxjP7YKLmRxfEaRIFcjDJOKEYzpN3MNWOWVKMduUEbk65sbTFIlY1wCDzV9rHeY +81G82FQVmOMYc5RQI5ZcEqEUhOTv85bMF3rVpGR+tA8gfQWs0w8sa9wcEo/HfjXa +wgu67cJe2grg9iaoh40cOUIbVFaHbkvOG3ZMJPOkye+nBuOJncWhpuxGRxgEvW/O +gj5WnDwZ4J8hfGchaBSi5ZVEvUWpmx+NPzIp5YhHBRA5zadmd2fGIui/22fmJuDq +syNaWN5Ncka6Ud5NSnuYJDZauC/3ftdwe5awkuQFon3qg0fiVprM+DOUNgakVGyF +5G6c17lavZgC3xqdXYbnNkBTeaTgYYUdOxcT7WXARVw9ak5OhSw0 +-----END CERTIFICATE----- diff --git a/global/overlay/usr/local/bin/ping-check b/global/overlay/usr/local/bin/ping-check new file mode 100755 index 0000000..57d533c --- /dev/null +++ b/global/overlay/usr/local/bin/ping-check @@ -0,0 +1,21 @@ +#!/usr/bin/env bash +# +# Ping until reply or MAX_TRIES. One try == 1s. +# + +MAX_TRIES=60 +LOGTAG="sunet_docker_ping_check" + +count=1 +until ping -c1 $1 &> /dev/null +do + if [ $count -gt $MAX_TRIES ] + then + logger -t "$LOGTAG" "No response from $1 after $MAX_TRIES tries." + exit 1 + fi + sleep 1 + count=$[$count+1] +done +logger -t "$LOGTAG" "IP lookup of $1 succeeded after $count tries." + |