summaryrefslogtreecommitdiff
path: root/global
diff options
context:
space:
mode:
Diffstat (limited to 'global')
-rw-r--r--global/overlay/etc/cosmos/keys/lundberg-9303C5DB.pub112
-rw-r--r--global/overlay/etc/puppet/cosmos-db.yaml19
-rw-r--r--global/overlay/etc/puppet/cosmos-modules.conf2
-rw-r--r--global/overlay/etc/puppet/cosmos-rules.yaml2
-rw-r--r--global/overlay/etc/puppet/manifests/cosmos-site.pp83
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp4
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/etcd_node.pp44
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/fail2ban.pp14
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/nagios.pp49
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/server.pp4
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp16
-rwxr-xr-xglobal/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_reboot.erb37
-rwxr-xr-xglobal/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_uptime.pl.erb721
-rw-r--r--global/overlay/etc/puppet/modules/sunet/templates/nagioshost/nrpe.cfg.erb262
-rw-r--r--global/overlay/etc/ssl/certs/infra.crt34
-rwxr-xr-xglobal/overlay/usr/local/bin/ping-check21
16 files changed, 1311 insertions, 113 deletions
diff --git a/global/overlay/etc/cosmos/keys/lundberg-9303C5DB.pub b/global/overlay/etc/cosmos/keys/lundberg-9303C5DB.pub
index 21bcc24..f08c5bb 100644
--- a/global/overlay/etc/cosmos/keys/lundberg-9303C5DB.pub
+++ b/global/overlay/etc/cosmos/keys/lundberg-9303C5DB.pub
@@ -7,69 +7,51 @@ mQENBFNOlK4BCADXgBIEADujBCe5Tv1aul3IUjQhXNGBjdvgK9xQKaTVrfJTRxr9
07zFFXrUHzthndt83MZdB8nd/3WUbT6ubSEYO5rtjeWO30c9p16u+ErGADR0bBSz
UfpREDHlUlJ/CcOi68DQINBOELdt+g76E+rHODeCB+ojpFwjIPyHbuhI4fF/UpWu
40nU8pnS9w8kS/4cQl72NEhrH7mEsMK0Pma7ABEBAAG0KUpvaGFuIEx1bmRiZXJn
-IDxsdW5kYmVyZy5qb2hhbkBnbWFpbC5jb20+iQE/BBMBAgApBQJTTpU1AhsDBQkB
-4TOABwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQ0b7X3pMDxdsxugf/X6ZR
-qmrZq9sNyF4E3GrCE5dPGdwNKGuLr2H5GLKrBfULmqwXvacanH0qZAsteHEudv+o
-H3pqBmbt4uZoIph/VFpu7YsHSpwjtQXLeN/TJhCRSSQUiIH2gNkLdi2P2nlb6YkW
-euRPJWqL8GVQNvJgH+gaCUCsJ7mEfbcvRhjCIv5S+m9zYqDYJ5Elc6bOKnG1U39w
-FqANX/u1CBOY+fOiNYD0WcYDfvk7omWuWID0kEi4E18pPwzAZEmhOt0LZf1S1AbK
-7VFX9OMlNNEnqlmSsFc3DO8uJzelv+WpfqmKI3rbovncZNWLbiwR/eAYnNbaJujy
-V/QLGTPyB5zmg0bXjYkBHAQQAQoABgUCU2j6+gAKCRAnBzMNQDDMrdXmB/0ayjQi
-Zn4A60TpUkC3mJ6oW0bUUqWr47VuXHYwCRBCc53s27RNL2xsRcbqiQjOfSBQUvdu
-7NNT9qgvmCoPB745D3qutZ2idwJASmFrytTt8gWKiaIBUKg0/wVs8v1CW/S5EOoc
-hkujPmrofeL9K4YTOl3q27Jhdv0eKV2e2lEXeW/GBCuUje1NTcgqFDCHV9SzjBRy
-uiToEfzYyomHEmaJl4vyl+WOCFMbQav3YvjgUH6MwtXSUcerFqqnMr3MOU8ioaIV
-DipMHLSBmMG05cW4xSVo/zdgtjwyfDH5QWuwDPiRCWRmS7N1n+I9WxVhDTkIJZYw
-Ueb5qaWunWXiQWmCtCNKb2hhbiBMdW5kYmVyZyA8bHVuZGJlcmdAbm9yZHUubmV0
-PokBPgQTAQIAKAUCU06UrgIbAwUJAeEzgAYLCQgHAwIGFQgCCQoLBBYCAwECHgEC
-F4AACgkQ0b7X3pMDxds34Qf/XdI9emOcknRsJ7WpYBjjpE+Fd+gNiJfie6Fh1/CA
-gu4keD+Vwn/2IRPLo30dnShIlUxJhdFft60QvDvQSETSoizUqPOV3VomTOA2sXI1
-g+hRNoDvzR/4EgMwX4bxzb9d2CZXt1uPR5Gos1qpuh3VGBy55JhOcp1+fsw0cAax
-lmXeVQwIRoxN+b0ml3JKGLxKsYcZiCGSpzVidrvIRYabbMUOx6KtdXL4AftoXIng
-NMiQJU2NJgTXqsQsjEnhcBLw1l9dFByYfIWMh3GZjzd98JFmvCsInRUmWN/QeuBH
-w0vHrJb3EAqj7ErWss549E6hbDZFGpbgKQlkmKt0wmDy6okBHAQQAQoABgUCU2j6
-+gAKCRAnBzMNQDDMrcYPCACc8s8PQp+QVoNXN3vV6de4i/SJcMRhJEuPxyePdiDV
-sVe+lFduP878zA/qEmBeMT9l9zC1Vxnv1AAakV5j02bfjBZsLvWP+4uG0dp+J0H5
-0BuzDbl0M0Jdbt5pnfQsqc2H26Cz7aZ05lbxAeuFPhTHgBI8DVlRIRuPwW4zo7wp
-uZs8CZXAyKITOL/HA9ZmmaAPNthMsjXc8CK/kK8XvuDr5wGo55KrUGUE6bsiYkxj
-2UGUxmQSegaL8li6uEwDmJjp5y03MEeV33VxibbnAx8F1oK2uXr/DPaZot9gB46h
-Ivy52O2ydr31U+dlaFI+yFaaiFQBA9UnYAjinBQRcqowtCJKb2hhbiBMdW5kYmVy
-ZyA8bHVuZGJlcmdAc3VuZXQuc2U+iQE/BBMBAgApBQJTTpUdAhsDBQkB4TOABwsJ
-CAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQ0b7X3pMDxdthWwf+ISF1EgZuIMWL
-HfhNQrpWDJiTZ03ofehso/W+GkKcWoia/RpTxitmY4Hl8C3v5CfUvHYy2ThVfcvw
-FrhnZS6ln7WGGzkS2ir9NsA2xJzbXzKW+dxa+sXQ1SsgzUkI8K4oMWhzrnffn7cX
-Ze8qEv4ng72ZX5gDfA8T2mPNYyWPycGv2sroWU4T1hwiTvtaVdjGVqBF3jajitTg
-svsY0y9n1n9mTlxjYiFnBeiGn1I/eUNALAUzK/VIuAPsHeDrA8WPLjAAs7dQRD/X
-uCAMddvyHbtC0FNq/sJZHIQfVnyE4Gqo6IoMRxKYZo3eNS4wF3wp3VGJFBkxVccE
-W8k0EZi3VYkBHAQQAQoABgUCU2j6+gAKCRAnBzMNQDDMrSzrB/464DKt30CnEXMM
-8LX0FB5ywMVrTNPd4AtQ4t9LfXoTCaZICgb2VvBhyu+iT/t37jeFg1LzViHvyHcx
-G2fe2zmIDDsaakbq/7Ptn00sisscQrRYbqThFoTZZxT3LtxbJRT7gS6dOPXSpDAO
-2mYnUDylXwLieZ3TBwEOqMAJnqAOOg4rxuHF7oum+FgkcM0i/zyhuM2IXRmEVrvb
-j9qH3EOZmU9q5uymy86QK3tNirDxl4Kc7nnIEsUVH4qxfF0mjuDtGpTYLj0BMI70
-6UzIyYB2w42XNaUwOovOUsfB77UxNHOBnp4TlWc/U6S1SDAdbBOXdHjHKoiyVisA
-ZzqKjUiVuQENBFNOlK4BCADv5oNT5bxMoi2g847SzQEp306Kg5hsKmKdjXp3vFfB
-Fqp1Suj9BphBflyTo9Ci4F5ZyxiH3uVDglzR09ccOo+zgFaJvOU9waP7+PJayBtM
-U8lZ+dYtm5agST8aXzQ5gvJj5uASuHZGQwiBV2MIn70ejIPhL2rkUT3nSj8C+YH6
-8WJgIk5qlN1VbAsoGyAE0dGIRouRYV/JMN9rFB8kcPF4RWZRq9rqk9jAFLec4MNJ
-O4hs7QEijq4Klp2jW+3v9R52lPPeiz0xjBB+v9DHIxN6HG3RNTcGpklLzvzJb+wQ
-AecFCyRizKObMYQpGXJRpiiwYOipo3smiA8XfITY7u9dABEBAAGJASUEGAECAA8F
-AlNOlK4CGwwFCQHhM4AACgkQ0b7X3pMDxdthrwgApS7EHZNMRUd2/JpozhuJlv3k
-Iz5H5cYABSXAox9GZNGdNLgCzEVNsKyJtj55nqk1eN8rTwdyDyu+d/9QX6HrhVgM
-QdURSN87LHlcl4bRnaqu8E9Kh6L6OyWu9zIgY9KahJF83CvileV1ULqmy7qGSb9N
-ejf4leLEUjZvXObYx2rT5OjDObmD9o6HMjwQpNj6FiYz67fhJdx4i6BryAeWk6aO
-nMANPJj31+CkpDa96hkA9B8rYE1uk1W2+IlKeiX2yRmcWZa8HC84swswDFUFqYvQ
-CXEp26vnm/Rm9JyfIAu6SaIhKI3Nn0SCX0fBBXlANnXj8QUL5H56klp7OUlBpLkB
-DQRTTpU7AQgAwBzH5/T0loxhgJDGOq4dcn33WIJ5YaCAuROTVnXOV1JWPaDWFts4
-TKcoXqX6IdWGL+VdUDU7jt39M4Q/mXqj755wO+HwTOMr1lOELbcL9na7BTrFO50W
-xksEHcMPSA4nbcUbgI1uRyfZkzibmKyBQBB4INT7/LGSsxzVrmYs+CN+AjdjW2mT
-ruHmBuqXc7wepH2JeYi/3rH4QWX3oAPu8eKl7zCxxCm+8AkQQAQn1rumMtRNI1HU
-VgRXaqec7I7kJZPJop4fPdptgtbRXMrm+XQloC2LYkEaSI89epTJNXDPn4EvWDOx
-L+tmwaUcp1NsAn4NUKWDKcSKueKv1y5WLwARAQABiQElBBgBAgAPBQJTTpU7Ahsg
-BQkB4TOAAAoJENG+196TA8Xb7sUH/jJWNiUJPWcc0NZHaoCbXrRqHlJR3Zhk3dLr
-1WGQubfkKk4tXZtQzs3q3qCHY6wsz5xd52IQmYZ7zeKm8C4VuNjJcPwsGHF9//Bc
-6/oVqi5fXcjGG3aWPU99QfSlCDBxz9j5+aeAdyyarPfD0i1IDJ/vPncnYB8Tt0PW
-QswGvSnWfhYNM3anoraapv6vbwnrCaBHkPJwdMg6Ru/QIuddxl/aW94yZs8MbyA7
-wKoFpvjXHuxaihF955IPE/TQc37yLV4UZ50osDFRTE26f3HwRNSoxQkGvkvO4hFD
-8wGrZ1izT6q37uTZTDMpxCGLcRzVmYr5gGB16S3bSyWhn7rkzV4=
-=AiT9
+IDxsdW5kYmVyZy5qb2hhbkBnbWFpbC5jb20+iQE/BBMBAgApAhsDBwsJCAcDAgEG
+FQgCCQoLBBYCAwECHgECF4AFAlUv2gwFCQPCeNcACgkQ0b7X3pMDxdtCdwgAgiDc
+YCvC8xyj9I6zcP1i/ZrON5vrwhch+xolRuR2d3hc6ElsgCbkUFhNk+a+Okf7aA6R
+TdxFLEP+bG/eEYXRg7BawM1Hw8XZWPtDzutbmYwa31KgQL0Zr55U45kSQXjlG7vF
+6LkC9RT6tRUb/KXxtubT4nXLa0VnQYo5D8BmEOHsF+vxLJedmW2Mz7SIXRW4rACa
+TOxll8HGI3mu12sT8nq00mRb9fBkBLIsHHK76LYOHC6oR37+wpf0wERxQAM2cXEw
+hIK0xyHQFtbnzBzhFYF3jLWcPWJw34rJjz37DYlsSUtbnHbSVB7oaFBPKSp/GSR/
+RCxNiWIKTPfnhHvDELQjSm9oYW4gTHVuZGJlcmcgPGx1bmRiZXJnQG5vcmR1Lm5l
+dD6JAT4EEwECACgCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJVL9oVBQkD
+wnjXAAoJENG+196TA8XbFyQIAJg02gKy88JZsTv6AqUvyWgeuiU3GJbuthns55uy
+i+sWB/jFCzESd8Mwi/rJg0N/YaJakRD/S46c35FyEQ/iJiSpkwvq8WBmfjCtfA8u
+kh7tlbTLBrexYXiUfXFwpnutuoMaGRYuq7ir3NzQKX4VLdiWFMRkT4ugizs6RR2P
+lRCpXdajTmBha6XQxm3ZetO56TADEo7OBLH0K51XRJH1LeGEaXZv9KLTywJcW8Co
+vfPLSzxFM8JT5VHyV19++Up4gUJbLeAt2D4ya0EX/AkxvVDqn+fcsQse6gQ8OMGy
+9mB8T1mC+nrJ4aWgJLwaxMtQ//vaR56k1GvYFuXBmn+LHie0IkpvaGFuIEx1bmRi
+ZXJnIDxsdW5kYmVyZ0BzdW5ldC5zZT6JAT8EEwECACkCGwMHCwkIBwMCAQYVCAIJ
+CgsEFgIDAQIeAQIXgAUCVS/aHQUJA8J41wAKCRDRvtfekwPF2/DnB/9ULJLwiL1z
+FjA1hCxOZtf+PSoif/unBnyPERoNDO7dyrR4+H4qiPV6LQKoD8pPZz6tXeu+l5L3
+Sps890RD1zqwZwm9PHdT7Xu8YYndcnfUsXpgNDZHS4G0CsuhB+Vc0ir7O9XYsMBx
+T6TiH5G8bOxtFdSQgg1sii12TTtPzuo/C8GxZbXy7I48nc11IrnbiYxxAnCpBIuz
+g6XRuTaxRkEAfg6g90RV+o06XbUju9sW2BSXg51etCYA5MLmbjQYQporArPHL9rv
+y4aTPGCu4vJoLDK5hj2ZK9YzJ6zGFnCMYNFk16uxWc/45SXQrr8FQAgSReMuB0C4
+OzRACdx0UqLvuQENBFNOlK4BCADv5oNT5bxMoi2g847SzQEp306Kg5hsKmKdjXp3
+vFfBFqp1Suj9BphBflyTo9Ci4F5ZyxiH3uVDglzR09ccOo+zgFaJvOU9waP7+PJa
+yBtMU8lZ+dYtm5agST8aXzQ5gvJj5uASuHZGQwiBV2MIn70ejIPhL2rkUT3nSj8C
++YH68WJgIk5qlN1VbAsoGyAE0dGIRouRYV/JMN9rFB8kcPF4RWZRq9rqk9jAFLec
+4MNJO4hs7QEijq4Klp2jW+3v9R52lPPeiz0xjBB+v9DHIxN6HG3RNTcGpklLzvzJ
+b+wQAecFCyRizKObMYQpGXJRpiiwYOipo3smiA8XfITY7u9dABEBAAGJASUEGAEC
+AA8CGwwFAlUv2NIFCQPCd4oACgkQ0b7X3pMDxducewgAxiSllwGR7pGee2auKVDr
+/Gc3gaLNjyRRaQtRByE6tlxXcAYzpUMm/+xvHuLTjr7hMXZYW13ZjhlIoYJ9RYw6
+AzJcc2A8R2kwv5kVpqKeDL2r1ODUWo982QoRoujfosrgIzFmcDw0FOzKwyJ27V7r
+oV/UHJjxzlOPItQ14oeoEX4eXd0cwFzARvHoCQ/j45nyHQJU87ghVThdqcysB4qb
++kd+p8hf21uJ7pyRdI5UhE0r79c+nfXoOLOHJ1865uvgptQFjWeJvS3INPCTYLqK
+O6acXEC6cdBlsNCSzsI1vfVX843io0jGML9KKpKCCn+TknYqo8F8a4GzhaFMT70g
+xLkBDQRTTpU7AQgAwBzH5/T0loxhgJDGOq4dcn33WIJ5YaCAuROTVnXOV1JWPaDW
+Fts4TKcoXqX6IdWGL+VdUDU7jt39M4Q/mXqj755wO+HwTOMr1lOELbcL9na7BTrF
+O50WxksEHcMPSA4nbcUbgI1uRyfZkzibmKyBQBB4INT7/LGSsxzVrmYs+CN+Ajdj
+W2mTruHmBuqXc7wepH2JeYi/3rH4QWX3oAPu8eKl7zCxxCm+8AkQQAQn1rumMtRN
+I1HUVgRXaqec7I7kJZPJop4fPdptgtbRXMrm+XQloC2LYkEaSI89epTJNXDPn4Ev
+WDOxL+tmwaUcp1NsAn4NUKWDKcSKueKv1y5WLwARAQABiQElBBgBAgAPAhsgBQJV
+L9nrBQkDwngsAAoJENG+196TA8XbH3MH/2pUrGZmRJxUKHFcC9gKNa09VjVs/c+j
+2n8VDS9QOnj0iE44zSXTln9CbY7Dmt9zVNAjoZc51U/9gojhDR+KFVgu7sIqr2PM
+6bkcIZ2NO0RJ5ciHWb7cBbrPNmR7GMloXPx4r4b1VjNnssYTKCCBjYLez6NbuZ2R
+QHs0NZWa6gE/Hf77Ml4+ZieydXJx9TLh3KiPuKKjzNL++n/TydjoxhMouNpjJAKc
+Gs+iQeha1xVATpa8c6b6EaSyr95bqfbNTRemd6rIzxwjbkX6VP9c8FmV6E1AWrns
+lQIgDvNHOR2NpiXhO+X6xccA9nQwsrQFZSV5IdopI7cVjqZhCSIZ1CU=
+=PaZi
-----END PGP PUBLIC KEY BLOCK-----
diff --git a/global/overlay/etc/puppet/cosmos-db.yaml b/global/overlay/etc/puppet/cosmos-db.yaml
index a66bc05..53d3200 100644
--- a/global/overlay/etc/puppet/cosmos-db.yaml
+++ b/global/overlay/etc/puppet/cosmos-db.yaml
@@ -116,11 +116,19 @@ classes:
sshaccess: null
sunet::dockerhost: null
sunetops: null
+ webbackend: null
web-db2.sunet.se:
mailclient: *id001
sshaccess: null
sunet::dockerhost: null
sunetops: null
+ webbackend: null
+ web-db3.sunet.se:
+ mailclient: *id001
+ sshaccess: null
+ sunet::dockerhost: null
+ sunetops: null
+ webbackend: null
web-f1.sunet.se:
mailclient: *id001
sshaccess: null
@@ -139,7 +147,7 @@ members:
cdr2.sunet.se, web-db1.sunet.se, web-db2.sunet.se, mdx1.swamid.se, web-f1.sunet.se,
meta.swamid.se, registry.swamid.se, dane.lab.sunet.se, mdx2.swamid.se, samltest.swamid.se,
wp.sunet.se, docker.sunet.se, lobo2.lab.sunet.se, sto-tug-kvm-lab1.swamid.se,
- sto-fre-kvm1.swamid.se, web-a1.sunet.se]
+ sto-fre-kvm1.swamid.se, web-db3.sunet.se, web-a1.sunet.se]
docker_signer: [mdx2.swamid.se]
dockerhost: [datasets.sunet.se, reep.tid.isoc.org, www2.eduid.se, mdx1.swamid.se,
registry.swamid.se, mdx2.swamid.se, docker.sunet.se]
@@ -149,7 +157,7 @@ members:
web-db1.sunet.se, web-db2.sunet.se, mdx1.swamid.se, web-f1.sunet.se, meta.swamid.se,
registry.swamid.se, dane.lab.sunet.se, mdx2.swamid.se, samltest.swamid.se, wp.sunet.se,
docker.sunet.se, lobo2.lab.sunet.se, sto-tug-kvm-lab1.swamid.se, sto-fre-kvm1.swamid.se,
- web-a1.sunet.se]
+ web-db3.sunet.se, web-a1.sunet.se]
quantis: [random1.nordu.net, random2.nordu.net]
signer: [mdx1.swamid.se]
sshaccess: [cdr1.sunet.se, cdr1.sunet.se, sto-tug-kvm2.swamid.se, sto-tug-kvm2.swamid.se,
@@ -158,21 +166,22 @@ members:
cdr2.sunet.se, web-db1.sunet.se, web-db2.sunet.se, mdx1.swamid.se, web-f1.sunet.se,
meta.swamid.se, registry.swamid.se, dane.lab.sunet.se, mdx2.swamid.se, samltest.swamid.se,
wp.sunet.se, docker.sunet.se, lobo2.lab.sunet.se, sto-tug-kvm-lab1.swamid.se,
- sto-fre-kvm1.swamid.se, web-a1.sunet.se]
+ sto-fre-kvm1.swamid.se, web-db3.sunet.se, web-a1.sunet.se]
sunet-cdr: [cdr1.sunet.se, cdr2.sunet.se]
sunet::dockerhost: [sto-tug-kvm2.swamid.se, web-a2.sunet.se, web-db1.sunet.se, web-db2.sunet.se,
- web-f1.sunet.se, web-a1.sunet.se]
+ web-f1.sunet.se, web-db3.sunet.se, web-a1.sunet.se]
sunetops: [cdr1.sunet.se, cdr1.sunet.se, sto-tug-kvm2.swamid.se, datasets.sunet.se,
sto-tug-kvm-lab2.swamid.se, sto-tug-kvm1.swamid.se, ca.sunet.se, web-a2.sunet.se,
loke.sunet.se, cdr2.sunet.se, cdr2.sunet.se, web-db1.sunet.se, web-db2.sunet.se,
mdx1.swamid.se, web-f1.sunet.se, meta.swamid.se, registry.swamid.se, dane.lab.sunet.se,
mdx2.swamid.se, samltest.swamid.se, wp.sunet.se, docker.sunet.se, lobo2.lab.sunet.se,
- sto-tug-kvm-lab1.swamid.se, sto-fre-kvm1.swamid.se, web-a1.sunet.se]
+ sto-tug-kvm-lab1.swamid.se, sto-fre-kvm1.swamid.se, web-db3.sunet.se, web-a1.sunet.se]
swamidops: [sto-tug-kvm2.swamid.se, reep.tid.isoc.org, md-master.reep.refeds.org,
sto-tug-kvm-lab2.swamid.se, sto-tug-kvm1.swamid.se, mdx1.swamid.se, meta.swamid.se,
registry.swamid.se, mdx2.swamid.se, samltest.swamid.se, sto-tug-kvm-lab1.swamid.se,
sto-fre-kvm1.swamid.se]
webappserver: [web-a2.sunet.se, web-a1.sunet.se]
+ webbackend: [web-db1.sunet.se, web-db2.sunet.se, web-db3.sunet.se]
webfrontend: [web-f1.sunet.se]
webserver: [sto-tug-kvm2.swamid.se, datasets.sunet.se, registry.swamid.se, docker.sunet.se]
diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf
index 911ebc1..e796979 100644
--- a/global/overlay/etc/puppet/cosmos-modules.conf
+++ b/global/overlay/etc/puppet/cosmos-modules.conf
@@ -13,7 +13,7 @@ pound git://github.com/SUNET/puppet-pound.git yes sunet-*
augeas git://github.com/SUNET/puppet-augeas.git yes sunet-*
bastion git://github.com/SUNET/puppet-bastion.git yes sunet-*
pyff git://github.com/samlbits/puppet-pyff.git yes puppet-pyff-*
-#postgresql git://github.com/SUNET/puppetlabs-postgresql.git yes sunet-*
dhcp git://github.com/SUNET/puppetlabs-dhcp.git yes sunet-*
varnish git://github.com/samlbits/puppet-varnish.git yes puppet-varnish-*
docker git://github.com/SUNET/garethr-docker.git yes sunet-*
+network git://github.com/SUNET/attachmentgenie-network.git yes sunet-*
diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index 5035639..cea844e 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -50,3 +50,5 @@ www2.eduid.se:
webappserver:
'^web-f[0-9]+\.sunet\.se$':
webfrontend:
+'^web-db[0-9]+\.sunet\.se$':
+ webbackend:
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index 2713ea3..b7b1601 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -128,6 +128,7 @@ node 'datasets.sunet.se' {
}
node 'docker.sunet.se' {
+ class { 'sunet::nagios': }
docker::image {'registry': }
docker::image {'leifj/pound': }
docker::run {'sunetregistry':
@@ -375,7 +376,7 @@ class sunet-dhcp-hosts {
dhcp::host { 'mq-tug-3': mac => "52:54:00:03:00:22", ip => "130.242.130.22"; }
dhcp::host { 'worker-tug-3': mac => "52:54:00:03:00:23", ip => "130.242.130.23"; }
dhcp::host { 'signup-tug-3': mac => "52:54:00:03:00:24", ip => "130.242.130.24"; }
- dhcp::host { 'helpdesk-tug-3': mac => "52:54:00:03:00:25", ip => "130.242.130.25"; }
+ dhcp::host { 'dashboard-tug-3': mac => "52:54:00:03:00:25", ip => "130.242.130.25"; }
dhcp::host { 'www-tug-3': mac => "52:54:00:03:00:26", ip => "130.242.130.26"; }
dhcp::host { 'monitor-tug-3': mac => "52:54:00:03:00:27", ip => "130.242.130.27"; }
@@ -536,7 +537,6 @@ class sunet-dhcp-hosts {
dhcp::host { 'registry.swamid': mac => "52:54:00:52:53:0b", ip => "130.242.125.90" }
dhcp::host { 'mdx1.swamid': mac => "52:54:00:fe:bc:09", ip => "130.242.125.91" }
dhcp::host { 'mdx2.swamid': mac => "52:54:00:30:be:dd", ip => "130.242.125.92" }
-
}
class sshaccess {
@@ -697,7 +697,7 @@ node 'cdr1.sunet.se' {
}
node 'sto-tug-kvm2.swamid.se' {
- #class { 'fail2ban': }
+ class { 'sunet::nagios': }
file {'/var/docker':
ensure => 'directory',
} ->
@@ -713,6 +713,10 @@ node 'sto-tug-kvm2.swamid.se' {
username => 'www-data',
group => 'www-data',
} ->
+ sunet::system_user {'memcache-system-user':
+ username => 'memcache',
+ group => 'memcache',
+ } ->
file {'/var/docker/postgresql_data':
ensure => 'directory',
owner => 'postgres',
@@ -751,10 +755,13 @@ node 'sto-tug-kvm2.swamid.se' {
image => 'docker.sunet.se/flog/flog_app',
volumes => ['/opt/flog/dotenv:/opt/flog/.env','/var/log/flog/:/opt/flog/logs/'],
} ->
+ sunet::docker_run {'memcached':
+ image => 'docker.sunet.se/library/memcached',
+ } ->
sunet::docker_run {'flog_nginx':
- image => 'docker.sunet.se/flog/nginx',
- ports => ['80:80', '443:443'],
- volumes => ['/opt/flog/nginx/sites-enabled/:/etc/nginx/sites-enabled/','/opt/flog/nginx/certs/:/etc/nginx/certs', '/var/log/flog_nginx/:/var/log/nginx'],
+ image => 'docker.sunet.se/flog/nginx',
+ ports => ['80:80', '443:443'],
+ volumes => ['/opt/flog/nginx/sites-enabled/:/etc/nginx/sites-enabled/','/opt/flog/nginx/certs/:/etc/nginx/certs', '/var/log/flog_nginx/:/var/log/nginx'],
}
}
@@ -806,54 +813,50 @@ class entropyserver {
}
}
-class fail2ban {
-
- include augeas
-
- package {'fail2ban': ensure => 'latest'}
- augeas { "fail2ban_defaults":
- incl => "/etc/fail2ban/jail.conf",
- lens => "Shellvars.lns",
- changes => [
- 'set bantime "604800"',
- ],
- notify => Service['fail2ban'],
- }
-}
-
-define etcd_node($peers_file=undef,$cluster_name="etcd") {
- file { ["/data","/data/${cluster_name}","/data/${cluster_name}/${name}"]: ensure => 'directory' }
- sunet::docker_run { 'etcd_${name}':
- image => 'quay.io/coreos/etcd',
- extra_parameters => ["-initial-advertise-peer-urls http://${::ipaddress_eth1}:8001",
- "-listen-peer-urls http://${::ipaddress_eth1}:8001",
- "-advertise-client-urls http://${::ipaddress_eth1}:5001",
- "-listen-client-urls http://${::ipaddress_eth1}:5001",
- "-name ${::hostname}",
- "-data-dir /data/${cluster_name}/${name}",
- "-initial-cluster-token ${cluster_name}",
- "-peers-file ${peers_file}"],
- ports => ["8001:8001","5001:5001"]
-
-
- }
-}
-
class quantis {
apt::ppa {'ppa:ndn/quantispci': }
package {'quantispci-dkms': }
}
class webcommon {
+ file {"/data": ensure => directory }
+ sunet::docker_run{"web_registrator":
+ image => "gliderlabs/registrator",
+ imagetag => "latest",
+ hostname => "${::fqdn}",
+ volumes => ["/var/run/docker.sock:/tmp/docker.sock"],
+ command => "etcd://etcd_sunetweb.docker:4001/services"
+ }
}
class webfrontend {
class { 'webcommon': }
docker::image {'docker.sunet.se/pound': }
- docker::image {'docker.sunet.se/varnish': }
+ sunet::etcd_node {'sunetweb':
+ disco_url => 'https://discovery.etcd.io/877f25988ea1e8bb8c9a49f2ad5f5f6a',
+ proxy => true
+ } ->
+ sunet::docker_run{"varnish":
+ image => "docker.sunet.se/varnish-auto",
+ imagetag => "latest",
+ env => ["ETCD_URL=http://etcd_sunetweb.docker:4001"],
+ ports => ["80:80"],
+ }
}
class webappserver {
+ sunet::etcd_node {'sunetweb':
+ disco_url => 'https://discovery.etcd.io/877f25988ea1e8bb8c9a49f2ad5f5f6a',
+ proxy => true
+ }
+ class { 'webcommon': }
+}
+
+class webbackend {
+ sunet::etcd_node {'sunetweb':
+ disco_url => 'https://discovery.etcd.io/877f25988ea1e8bb8c9a49f2ad5f5f6a',
+ proxy => false
+ }
class { 'webcommon': }
}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
index 8df416b..4b56a03 100644
--- a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
@@ -7,6 +7,8 @@ define sunet::docker_run(
$env = [],
$net = 'bridge',
$extra_parameters = [],
+ $command = "",
+ $hostname = undef,
) {
# Make container use unbound resolver on dockerhost
@@ -26,6 +28,7 @@ define sunet::docker_run(
'/etc/passwd:/etc/passwd:ro', # uid consistency
'/etc/group:/etc/group:ro', # gid consistency
]),
+ hostname => $hostname,
ports => $ports,
env => $env,
net => $net,
@@ -34,6 +37,7 @@ define sunet::docker_run(
]),
dns => $dns,
verify_checksum => false, # Rely on registry security for now. eduID risk #31.
+ command => $command,
pre_start => 'run-parts /usr/local/etc/docker.d',
post_start => 'run-parts /usr/local/etc/docker.d',
pre_stop => 'run-parts /usr/local/etc/docker.d',
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/etcd_node.pp b/global/overlay/etc/puppet/modules/sunet/manifests/etcd_node.pp
new file mode 100644
index 0000000..a80d355
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/etcd_node.pp
@@ -0,0 +1,44 @@
+define sunet::etcd_node(
+ $disco_url = undef,
+ $etcd_version = 'v2.0.8',
+ $proxy = true
+)
+{
+ include stdlib
+
+ file { ["/data/${name}","/data/${name}/${::hostname}"]: ensure => 'directory' }
+ $common_args = ["--discovery ${disco_url}",
+ "--name ${::hostname}",
+ "--data-dir /data",
+ "--key-file /etc/ssl/private/${::fqdn}_infra.key",
+ "--ca-file /etc/ssl/certs/infra.crt",
+ "--cert-file /etc/ssl/certs/${::fqdn}_infra.crt"]
+ if $proxy {
+ $args = concat($common_args,["--proxy on","--listen-client-urls http://0.0.0.0:4001,http://0.0.0.0:2379"])
+ } else {
+ $args = concat($common_args,["--initial-advertise-peer-urls http://${::ipaddress_eth1}:2380",
+ "--advertise-client-urls http://${::ipaddress_eth1}:2379",
+ "--listen-peer-urls http://0.0.0.0:2380",
+ "--listen-client-urls http://0.0.0.0:4001,http://0.0.0.0:2379",
+ "--peer-key-file /etc/ssl/private/${::fqdn}_infra.key",
+ "--peer-ca-file /etc/ssl/certs/infra.crt",
+ "--peer-cert-file /etc/ssl/certs/${::fqdn}_infra.crt"])
+ }
+ sunet::docker_run { "etcd_${name}":
+ image => 'quay.io/coreos/etcd',
+ imagetag => $etcd_version,
+ volumes => ["/data/${name}:/data","/etc/ssl:/etc/ssl"],
+ command => join($args," "),
+ ports => ["${::ipaddress_eth1}:2380:2380","${::ipaddress_eth1}:2379:2379","${::ipaddress_docker0}:4001:2379"]
+ }
+ if !$proxy {
+ ufw::allow { "allow-etcd-peer":
+ ip => "${::ipaddress_eth1}",
+ port => 2380
+ }
+ ufw::allow { "allow-etcd-client":
+ ip => "${::ipaddress_eth1}",
+ port => 2379
+ }
+ }
+}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/fail2ban.pp b/global/overlay/etc/puppet/modules/sunet/manifests/fail2ban.pp
new file mode 100644
index 0000000..01a9662
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/fail2ban.pp
@@ -0,0 +1,14 @@
+class sunet::fail2ban {
+
+ package {'fail2ban':
+ ensure => 'latest'
+ } ->
+ service {'fail2ban':
+ ensure => 'running'
+ }
+ exec {"fail2ban_defaults":
+ refreshonly => true,
+ subscribe => Service['fail2ban'],
+ command => "sleep 5; /usr/bin/fail2ban-client set ssh bantime 600800"
+ }
+}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/nagios.pp b/global/overlay/etc/puppet/modules/sunet/manifests/nagios.pp
new file mode 100644
index 0000000..91ccf6c
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/nagios.pp
@@ -0,0 +1,49 @@
+class sunet::nagios {
+
+ $nagios_ip_v4 = hiera('nagios_ip_v4', '109.105.111.111')
+ $nagios_ip_v6 = hiera('nagios_ip_v6', '2001:948:4:6::111')
+ $allowed_hosts = "${nagios_ip_v4},${nagios_ip_v6}"
+
+ package {'nagios-nrpe-server':
+ ensure => 'installed',
+ }
+ service {'nagios-nrpe-server':
+ ensure => 'running',
+ enable => 'true',
+ require => Package['nagios-nrpe-server'],
+ }
+ file { "/etc/nagios/nrpe.cfg" :
+ notify => Service['nagios-nrpe-server'],
+ ensure => 'file',
+ mode => '0640',
+ group => 'nagios',
+ require => Package['nagios-nrpe-server'],
+ content => template('sunet/nagioshost/nrpe.cfg.erb'),
+ }
+ file { "/usr/lib/nagios/plugins/check_uptime.pl" :
+ ensure => 'file',
+ mode => '0751',
+ group => 'nagios',
+ require => Package['nagios-nrpe-server'],
+ content => template('sunet/nagioshost/check_uptime.pl.erb'),
+ }
+ file { "/usr/lib/nagios/plugins/check_reboot" :
+ ensure => 'file',
+ mode => '0751',
+ group => 'nagios',
+ require => Package['nagios-nrpe-server'],
+ content => template('sunet/nagioshost/check_reboot.erb'),
+ }
+ ufw::allow { "allow-nrpe-v4":
+ from => "${nagios_ip_v4}",
+ ip => 'any',
+ proto => 'tcp',
+ port => 5666
+ }
+ ufw::allow { "allow-nrpe-v6":
+ from => "${nagios_ip_v6}",
+ ip => 'any',
+ proto => 'tcp',
+ port => 5666
+ }
+}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
index 14df323..d89302f 100644
--- a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
@@ -1,5 +1,8 @@
define sunet::server() {
+ # fail2ban
+ class { 'sunet::fail2ban': }
+
# Set up encrypted swap
sunet::encrypted_swap { 'sunet_encrypted_swap': }
@@ -84,4 +87,5 @@ define line($file, $line, $ensure = 'present') {
}
}
}
+
}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp b/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp
index 8daef2e..6f6abed 100644
--- a/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/wordpress.pp
@@ -5,12 +5,12 @@ $db_host = undef,
$wordpress_version = "4.1.1",
$myqsl_version = "5.7")
{
+ include augeas
$db_hostname = $db_host ? {
undef => "${name}_mysql.docker",
default => $db_host
}
$pwd = hiera("${name}_db_password",'NOT_SET_IN_HIERA')
- file {"/data": ensure => directory } ->
file {"/data/${name}": ensure => directory } ->
file {"/data/${name}/html": ensure => directory } ->
sunet::docker_run { "${name}_wordpress":
@@ -18,7 +18,8 @@ $myqsl_version = "5.7")
imagetag => $wordpress_version,
volumes => ["/data/${name}/html:/var/www/html"],
ports => ["8080:80"],
- env => [ "WORDPRESS_DB_HOST=${db_hostname}",
+ env => [ "SERVICE_NAME=${name}",
+ "WORDPRESS_DB_HOST=${db_hostname}",
"WORDPRESS_DB_USER=${name}",
"WORDPRESS_DB_NAME=${name}",
"WORDPRESS_DB_PASSWORD=${pwd}" ]
@@ -37,5 +38,16 @@ $myqsl_version = "5.7")
"MYSQL_ROOT_PASSWORD=${pwd}",
"MYSQL_DATABASE=${name}"]
}
+ package {'automysqlbackup': ensure => latest } ->
+ augeas { 'automysqlbackup_settings':
+ incl => "/etc/default/automysqlbackup",
+ lens => "Shellvars.lns",
+ changes => [
+ "set USERNAME ${name}",
+ "set PASSWORD ${pwd}",
+ "set DBHOST ${db_hostname}",
+ "set DBNAMES ${name}"
+ ]
+ }
}
}
diff --git a/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_reboot.erb b/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_reboot.erb
new file mode 100755
index 0000000..aa0bd5d
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_reboot.erb
@@ -0,0 +1,37 @@
+#!/bin/bash
+declare -rx PROGNAME=${0##*/}
+declare -rx PROGPATH=${0%/*}/
+
+function cleanup {
+ #if [ -e "$TMPFILE" ] ; then
+ #rm "$TMPFILE"
+ #fi
+ exit $1
+}
+
+if [ -r "${PROGPATH}utils.sh" ] ; then
+ source "${PROGPATH}utils.sh"
+else
+ echo "Can't find utils.sh."
+ printf "Currently being run from %s\n" "$PROGPATH"
+ # since we couldn't define STATE_UNKNOWN since reading utils.sh failed, we use 3 here but everywhere else after this use cleanup $STATE
+ cleanup 3
+fi
+
+STATE=$STATE_UNKNOWN
+
+
+if [ -f /var/run/reboot-required.pkgs ]
+then
+ pkg=`cat /var/run/reboot-required.pkgs`
+fi
+
+if [ -f /var/run/reboot-required ]
+then
+ echo "Reboot WARNING: System reboot required by package $pkg"
+ cleanup $STATE_WARNING;
+fi
+ echo "Reboot OK: No reboot required"
+ cleanup $STATE_OK;
+cleanup $STATE;
+
diff --git a/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_uptime.pl.erb b/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_uptime.pl.erb
new file mode 100755
index 0000000..dda05e4
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/check_uptime.pl.erb
@@ -0,0 +1,721 @@
+#!/usr/bin/perl -w
+#
+# ============================== SUMMARY =====================================
+#
+# Program : check_uptime.pl
+# Version : 0.52
+# Date : June 19, 2012
+# Authors : William Leibzon - william@leibzon.org
+# Licence : GPL - summary below, full text at http://www.fsf.org/licenses/gpl.txt
+#
+# =========================== PROGRAM LICENSE =================================
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# ===================== INFORMATION ABOUT THIS PLUGIN =========================
+#
+# This plugin returns uptime of the system returning data in text (readable)
+# format as well as in minutes for performance graphing. The plugin can either
+# run on local system unix system (that supports standard 'uptime' command
+# or check remote system by SNMP. The plugin can report one CRITICAL or
+# WARNING alert if system has been rebooted since last check.
+#
+# ====================== SETUP AND PLUGIN USE NOTES =========================
+#
+# The plugin can either retrieve information from local system (when you
+# run it through check_nrpe for example) or by SNMP from remote system.
+#
+# On local system it will execute standard unix 'uptime' and 'uname -a'.
+#
+# On a remote system it'll retrieve data from sysSystem for system type
+# and use that to decide if further data should be retrieved from
+# sysUptime (OID 1.3.6.1.2.1.1.3.0) for windows or
+# hostUptime (OID 1.3.6.1.2.1.25.1.1.0) for unix system or
+# snmpEngineTime (OID 1.3.6.1.6.3.10.2.1.3) for cisco switches
+#
+# For information on available options please execute it with --help i.e:
+# check_uptime.pl --help
+#
+# As I dont have time for extensive documentation below is all very brief:
+#
+# 1. You can also specify warning and critical thresholds which will
+# give warning or critical alert if system has been up for lees then
+# specified number of minutes. Example:
+# check_uptime.pl -w 5
+# Will give warning alert if system has been up for less then 5 minutes
+#
+# 2. For performance data results you can use '-f' option which will give
+# total number of minutes the system has been up.
+#
+# 3. A special case is use of performance to feed data from previous run
+# back into the plugin. This is used to cache results about what type
+# of system it is (you can also directly specify this with -T option)
+# and also means -w and -c threshold values are ignored and instead
+# plugin will issue ONE alert (warning or critical) if system uptime
+# changes from highier value to lower
+#
+# ============================ EXAMPLES =======================================
+#
+# 1. Local server (use with NRPE or on nagios host), warning on < 5 minutes:
+#
+# define command {
+# command_name check_uptime
+# command_line $USER1$/check_uptime.pl -f -w 5
+# }
+#
+# 2. Local server (use with NRPE or on nagios host),
+# one critical alert on reboot:
+#
+# define command {
+# command_name check_uptime
+# command_line $USER1$/check_uptime.pl -f -c -P "SERVICEPERFDATA$"
+# }
+#
+# 3. Remote server SNMP v2, one warning alert on reboot,
+# autodetect and cache type of server:
+#
+# define command {
+# command_name check_snmp_uptime_v2
+# command_line $USER1$/check_uptime.pl -2 -f -w -H $HOSTADDRESS$ -C $_HOSTSNMP_COMMUNITY$ -P "$SERVICEPERFDATA$"
+# }
+#
+# 4. Remote server SNMP v3, rest as above
+#
+#define command {
+# command_name check_snmp_uptime_v3
+# command_line $USER1$/check_uptime.pl -f -w -H $HOSTADDRESS$ -l $_HOSTSNMP_V3_USER$ -x $_HOSTSNMP_V3_AUTH$ -X $_HOSTSNMP_V3_PRIV$ -L sha,aes -P "$SERVICEPERFDATA$"
+# }
+#
+# 5. Example of service definition using above
+#
+# define service{
+# use std-service
+# hostgroup_name all_snmp_hosts
+# service_description SNMP Uptime
+# max_check_attempts 1
+# check_command check_snmp_uptime
+# }
+#
+# 6. And this is optional dependency definition for above which makes
+# every SNMP service (service beloning to SNMP servicegroup) on
+# same host dependent on this SNMP Uptime check. Then if SNMP
+# daemon goes down you only receive one alert
+#
+# define servicedependency{
+# service_description SNMP Uptime
+# dependent_servicegroup_name snmp
+# }
+#
+# ============================= VERSION HISTORY ==============================
+#
+# 0.1 - sometime 2006 : Simple script for tracking local system uptime
+# 0.2 - sometime 2008 : Update to get uptime by SNMP, its now alike my other plugins
+# 0.3 - Nov 14, 2009 : Added getting system info line and using that to decide
+# format of uptime line and how to process it. Added support
+# for getting uptime with SNMP from windows systems.
+# Added documentation header alike my other plugins.
+# Planned to release it to public, but forgot.
+# 0.4 - Dec 19, 2011 : Update to support SNMP v3, released to public
+# 0.41 - Jan 13, 2012 : Added bug fix by Rom_UA posted as comment on Nagios Exchange
+# Added version history you're reading right now.
+# 0.42 - Feb 13, 2012 : Bug fix to not report WARNING if uptime is not correct output
+# 0.5 - Feb 29, 2012 : Added support for "netswitch" engine type that retrieves
+# snmpEngineTime. Added proper support for sysUpTime interpreting
+# it as 1/100s of a second and converting to days,hours,minutes
+# Changed internal processing structure, now reported uptime
+# info text is based on uptime_minutes and not separate.
+# 0.51 - Jun 05, 2012 : Bug fixed for case when when snmp system info is < 3 words.
+# 0.52 - Jun 19, 2012 : For switches if snmpEngineTime OID is not available,
+# the plugin will revert back to checking hostUptime and
+# then sysUptime. Entire logic has in fact been changed
+# to support trying more than just two OIDs. Also added
+# support to specify filename to '-v' option for debug
+# output to go to instead of console and for '--debug'
+# option as an alias to '--verbose'.
+#
+# TODO:
+# 0) Add '--extra-opts' to allow to read options from a file as specified
+# at http://nagiosplugins.org/extra-opts. This is TODO for all my plugins
+# 1) Add support for ">", "<" and other threshold qualifiers
+# as done in check_snmp_temperature.pl or check_mysqld.pl
+# 2) Support for more types, in particular network equipment such as cisco: [DONE]
+# sysUpTime is a 32-bit counter in 1/100 of a second, it rolls over after 496 days
+# snmpEngineTime (.1.3.6.1.6.3.10.2.1.3) returns the uptime in seconds and will not
+# roll over, however some cisco switches (29xx) are buggy and it gets reset too.
+# Routers running 12.0(3)T or higher can use the snmpEngineTime object from
+# the SNMP-FRAMEWORK-MIB. This keeps track of seconds since SNMP engine started.
+# 3) Add threshold into perfout as ';warn;crit'
+#
+# ========================== START OF PROGRAM CODE ===========================
+
+use strict;
+use Getopt::Long;
+
+# Nagios specific
+our $TIMEOUT;
+our %ERRORS;
+eval 'use utils qw(%ERRORS $TIMEOUT)';
+if ($@) {
+ $TIMEOUT = 10;
+ %ERRORS = ('OK'=>0,'WARNING'=>1,'CRITICAL'=>2,'UNKNOWN'=>3,'DEPENDENT'=>4);
+}
+
+our $no_snmp=0;
+eval 'use Net::SNMP';
+if ($@) {
+ $no_snmp=1;
+}
+
+# Version
+my $Version='0.52';
+
+# SNMP OID
+my $oid_sysSystem = '1.3.6.1.2.1.1.1.0'; # windows and some unix
+my $oid_hostUptime = '1.3.6.1.2.1.25.1.1.0'; # hostUptime, usually unix systems
+my $oid_sysUptime = '1.3.6.1.2.1.1.3.0'; # sysUpTime, windows
+my $oid_engineTime = '1.3.6.1.6.3.10.2.1.3'; # SNMP-FRAMEWORK-MIB
+
+my @oid_uptime_types = ( ['', '', ''], # type 0 is reserved
+ [ 'local', '', ''], # type 1 is local
+ [ 'win', 'sysUpTime', $oid_sysUptime ], # type 2 is windows
+ [ 'unix-host', 'hostUpTime', $oid_hostUptime ], # type 3 is unix-host
+ [ 'unix-sys', 'sysUpTime', $oid_sysUptime ], # type 4 is unix-sys
+ [ 'net', 'engineTime', $oid_engineTime ]); # type 5 is netswitch
+
+# Not used, but perhaps later
+my $oid_hrLoad = '1.3.6.1.2.1.25.3.3.1.2.1';
+my $oid_sysLoadInt1 = '1.3.6.1.4.1.2021.10.1.5.1';
+my $oid_sysLoadInt5 = '1.3.6.1.4.1.2021.10.1.5.2';
+my $oid_sysLoadInt15 = '1.3.6.1.4.1.2021.10.1.5.3';
+
+# Standard options
+my $o_host = undef; # hostname
+my $o_timeout= undef; # Timeout (Default 10)
+my $o_help= undef; # wan't some help ?
+my $o_verb= undef; # verbose mode
+my $o_version= undef; # print version
+my $o_label= undef; # change label instead of printing uptime
+my $o_perf= undef; # Output performance data (uptime in minutes)
+my $o_prevperf= undef; # performance data given with $SERVICEPERFDATA$ macro
+my $o_warn= undef; # WARNING alert if system has been up for < specified number of minutes
+my $o_crit= undef; # CRITICAL alert if system has been up for < specified number of minutes
+my $o_type= undef; # type of check (local, auto, unix, win)
+
+# Login and other options specific to SNMP
+my $o_port = 161; # SNMP port
+my $o_community = undef; # community
+my $o_version2 = undef; # use snmp v2c
+my $o_login= undef; # Login for snmpv3
+my $o_passwd= undef; # Pass for snmpv3
+my $v3protocols= undef; # V3 protocol list.
+my $o_authproto= 'md5'; # Auth protocol
+my $o_privproto= 'des'; # Priv protocol
+my $o_privpass= undef; # priv password
+
+## Additional global variables
+my %prev_perf= (); # array that is populated with previous performance data
+my $check_type = 0;
+
+sub p_version { print "check_uptime version : $Version\n"; }
+
+sub print_usage {
+ print "Usage: $0 [-v [debugfilename]] [-T local|unix-host|unix-sys|win|net] [-H <host> (-C <snmp_community>) [-2] | (-l login -x passwd [-X pass -L <authp>,<privp>) [-p <port>]] [-w <warn minutes> -s <crit minutes>] [-f] [-P <previous perf data from nagios \$SERVICEPERFDATA\$>] [-t <timeout>] | [-V] [--label <string>]\n";
+}
+
+sub isnnum { # Return true if arg is not a number
+ my $num = shift;
+ if ( $num =~ /^(\d+\.?\d*)|(^\.\d+)$/ ) { return 0 ;}
+ return 1;
+}
+
+sub div_mod { return int( $_[0]/$_[1]) , ($_[0] % $_[1]); }
+
+sub help {
+ print "\nUptime Plugin for Nagios (check_uptime) v. ",$Version,"\n";
+ print "GPL licence, (c) 2008-2012 William Leibzon\n\n";
+ print_usage();
+ print <<EOT;
+
+Debug & Console Options:
+ -v, --verbose[=FILENAME], --debug[=FILENAME]
+ print extra debugging information.
+ if filename is specified instead of STDOUT the debug data is written to that file
+ -h, --help
+ print this help message
+ -V, --version
+ prints version number
+
+Standard Options:
+ -T, --type=auto|local|unix-host|unis-sys|windows|netswitch
+ Type of system:
+ local : localhost (executes 'uptime' command), default if no -C or -l
+ unix-host : SNMP check from hostUptime ($oid_hostUptime) OID
+ unix-sys : SNMP check from sysUptime ($oid_sysUptime) OID
+ win | windows : SNMP check from sysUptime ($oid_sysUptime) OID
+ net | netswitch : SNMP check from snmpEngineTime ($oid_engineTime) OID
+ auto : Autodetect what system by checking sysSystem OID first, default
+ -w, --warning[=minutes]
+ Report nagios WARNING alert if system has been up for less then specified
+ number of minutes. If no minutes are specified but previous preformance
+ data is fed back with -P option then alert is sent ONLY ONCE when
+ uptime changes from greater value to smaller
+ -c, --critical[=minutes]
+ Report nagios CRITICAL alert if system has been up for less then
+ specified number of minutes or ONE ALERT if -P option is used and
+ system's previous uptime is larger then current on
+ -f, --perfparse
+ Perfparse compatible output
+ -P, --prev_perfdata
+ Previous performance data (normally put '-P \$SERVICEPERFDATA\$' in
+ nagios command definition). This is recommended if you dont specify
+ type of system with -T so that previously checked type of system info
+ is reused. This is also used to decide on warning/critical condition
+ if number of seconds is not specified with -w or -c.
+ --label=[string]
+ Optional custom label before results prefixed to results
+ -t, --timeout=INTEGER
+ timeout for SNMP in seconds (Default: 15)
+
+SNMP Access Options:
+ -H, --hostname=HOST
+ name or IP address of host to check (if not localhost)
+ -C, --community=COMMUNITY NAME
+ community name for the SNMP agent (used with v1 or v2c protocols)
+ -2, --v2c
+ use snmp v2c (can not be used with -l, -x)
+ -l, --login=LOGIN ; -x, --passwd=PASSWD
+ Login and auth password for snmpv3 authentication
+ If no priv password exists, implies AuthNoPriv
+ -X, --privpass=PASSWD
+ Priv password for snmpv3 (AuthPriv protocol)
+ -L, --protocols=<authproto>,<privproto>
+ <authproto> : Authentication protocol (md5|sha : default md5)
+ <privproto> : Priv protocols (des|aes : default des)
+ -p, --port=PORT
+ SNMP port (Default 161)
+EOT
+}
+
+# For verbose output (updated 06/06/12 to write to debug file if specified)
+sub verb {
+ my $t=shift;
+ if (defined($o_verb)) {
+ if ($o_verb eq "") {
+ print $t,"\n";
+ }
+ else {
+ if (!open(DEBUGFILE, ">>$o_verb")) {
+ print $t, "\n";
+ }
+ else {
+ print DEBUGFILE $t,"\n";
+ close DEBUGFILE;
+ }
+ }
+ }
+}
+
+# load previous performance data
+sub process_perf {
+ my %pdh;
+ my ($nm,$dt);
+ foreach (split(' ',$_[0])) {
+ if (/(.*)=(.*)/) {
+ ($nm,$dt)=($1,$2);
+ verb("prev_perf: $nm = $dt");
+ # in some of my plugins time_ is to profile how long execution takes for some part of plugin
+ # $pdh{$nm}=$dt if $nm !~ /^time_/;
+ $pdh{$nm}=$dt;
+ }
+ }
+ return %pdh;
+}
+
+sub type_from_name {
+ my $type=shift;
+ for(my $i=1; $i<scalar(@oid_uptime_types); $i++) {
+ if ($oid_uptime_types[$i][0] eq $type) {
+ return $i;
+ }
+ }
+ return -1;
+}
+
+
+sub check_options {
+ Getopt::Long::Configure ("bundling");
+ GetOptions(
+ 'v:s' => \$o_verb, 'verbose:s' => \$o_verb, "debug:s" => \$o_verb,
+ 'h' => \$o_help, 'help' => \$o_help,
+ 'H:s' => \$o_host, 'hostname:s' => \$o_host,
+ 'p:i' => \$o_port, 'port:i' => \$o_port,
+ 'C:s' => \$o_community, 'community:s' => \$o_community,
+ '2' => \$o_version2, 'v2c' => \$o_version2,
+ 'l:s' => \$o_login, 'login:s' => \$o_login,
+ 'x:s' => \$o_passwd, 'passwd:s' => \$o_passwd,
+ 'X:s' => \$o_privpass, 'privpass:s' => \$o_privpass,
+ 'L:s' => \$v3protocols, 'protocols:s' => \$v3protocols,
+ 't:i' => \$o_timeout, 'timeout:i' => \$o_timeout,
+ 'V' => \$o_version, 'version' => \$o_version,
+ 'f' => \$o_perf, 'perfparse' => \$o_perf,
+ 'w:i' => \$o_warn, 'warning:i' => \$o_warn,
+ 'c:i' => \$o_crit, 'critical:i' => \$o_crit,
+ 'label:s' => \$o_label,
+ 'P:s' => \$o_prevperf, 'prev_perfdata:s' => \$o_prevperf,
+ 'T:s' => \$o_type, 'type:s' => \$o_type,
+ );
+ if (defined ($o_help) ) { help(); exit $ERRORS{"UNKNOWN"}};
+ if (defined($o_version)) { p_version(); exit $ERRORS{"UNKNOWN"}};
+
+ $o_type = "win" if defined($o_type) && $o_type eq 'windows';
+ $o_type = "net" if defined($o_type) && $o_type eq 'netswitch';
+ if (defined($o_type) && $o_type ne 'auto' && type_from_name($o_type)==-1) {
+ print "Invalid system type specified\n"; print_usage(); exit $ERRORS{"UNNKNOWN"};
+ }
+
+ if (!defined($o_community) && (!defined($o_login) || !defined($o_passwd)) ) {
+ $o_type='local' if !defined($o_type) || $o_type eq 'auto';
+ if ($o_type ne 'local') {
+ print "Put snmp login info!\n"; print_usage(); exit $ERRORS{"UNKNOWN"}
+ }
+ if (defined($o_host)) {
+ print "Why are you specifying hostname without SNMP parameters?\n"; print_usage(); exit $ERRORS{"UNKNOWN"};
+ }
+ }
+ else {
+ $o_type='auto' if !defined($o_type);
+ if ($o_type eq 'local' ) {
+ print "Why are you specifying SNMP login for local system???\n"; print_usage(); exit $ERRORS{"UNKNOWN"}
+ }
+ if (!defined($o_host)) {
+ print "Hostname required for SNMP check.\n"; print_usage(); exit $ERRORS{"UNKNOWN"};
+ }
+ if ($no_snmp) {
+ print "Can't locate Net/SNMP.pm\n"; print_usage(); exit $ERRORS{"UNKNOWN"};
+ }
+ }
+
+ # check snmp information
+ if ((defined($o_login) || defined($o_passwd)) && (defined($o_community) || defined($o_version2)) )
+ { print "Can't mix snmp v1,2c,3 protocols!\n"; print_usage(); exit $ERRORS{"UNKNOWN"}}
+ if (defined ($v3protocols)) {
+ if (!defined($o_login)) { print "Put snmp V3 login info with protocols!\n"; print_usage(); exit $ERRORS{"UNKNOWN"}}
+ my @v3proto=split(/,/,$v3protocols);
+ if ((defined ($v3proto[0])) && ($v3proto[0] ne "")) {$o_authproto=$v3proto[0]; } # Auth protocol
+ if (defined ($v3proto[1])) {$o_privproto=$v3proto[1]; } # Priv protocol
+ if ((defined ($v3proto[1])) && (!defined($o_privpass)))
+ { print "Put snmp V3 priv login info with priv protocols!\n"; print_usage(); exit $ERRORS{"UNKNOWN"}}
+ }
+
+ if (defined($o_timeout) && (isnnum($o_timeout) || ($o_timeout < 2) || ($o_timeout > 60)))
+ { print "Timeout must be >1 and <60 !\n"; print_usage(); exit $ERRORS{"UNKNOWN"}}
+ if (!defined($o_timeout)) {$o_timeout=$TIMEOUT+5;}
+
+ if (defined($o_prevperf)) {
+ if (defined($o_perf)) {
+ %prev_perf=process_perf($o_prevperf);
+ $check_type = $prev_perf{type} if $o_type eq 'auto' && exists($prev_perf{tye}) && exists($oid_uptime_types[$prev_perf{type}][0]);
+ }
+ else {
+ print "need -f option first \n"; print_usage(); exit $ERRORS{"UNKNOWN"};
+ }
+ }
+
+ if ($o_type eq 'auto') {
+ $check_type=0;
+ }
+ else {
+ $check_type = type_from_name($o_type);
+ }
+}
+
+sub create_snmp_session {
+ my ($session,$error);
+
+ if ( defined($o_login) && defined($o_passwd)) {
+ # SNMPv3 login
+ if (!defined ($o_privpass)) {
+ verb("SNMPv3 AuthNoPriv login : $o_login, $o_authproto");
+ ($session, $error) = Net::SNMP->session(
+ -hostname => $o_host,
+ -version => '3',
+ -port => $o_port,
+ -username => $o_login,
+ -authpassword => $o_passwd,
+ -authprotocol => $o_authproto,
+ -timeout => $o_timeout
+ );
+ } else {
+ verb("SNMPv3 AuthPriv login : $o_login, $o_authproto, $o_privproto");
+ ($session, $error) = Net::SNMP->session(
+ -hostname => $o_host,
+ -version => '3',
+ -username => $o_login,
+ -port => $o_port,
+ -authpassword => $o_passwd,
+ -authprotocol => $o_authproto,
+ -privpassword => $o_privpass,
+ -privprotocol => $o_privproto,
+ -timeout => $o_timeout
+ );
+ }
+ } else {
+ if (defined ($o_version2)) {
+ # SNMPv2c Login
+ verb("SNMP v2c login");
+ ($session, $error) = Net::SNMP->session(
+ -hostname => $o_host,
+ -version => 2,
+ -community => $o_community,
+ -port => $o_port,
+ -timeout => $o_timeout
+ );
+ } else {
+ # SNMPV1 login
+ verb("SNMP v1 login");
+ ($session, $error) = Net::SNMP->session(
+ -hostname => $o_host,
+ -community => $o_community,
+ -port => $o_port,
+ -timeout => $o_timeout
+ );
+ }
+ }
+ if (!defined($session)) {
+ printf("ERROR opening session: %s.\n", $error);
+ exit $ERRORS{"UNKNOWN"};
+ }
+
+ return $session;
+}
+
+$SIG{'ALRM'} = sub {
+ print "Alarm timeout\n";
+ exit $ERRORS{"UNKNOWN"};
+};
+
+########## MAIN #######
+my $system_info="";
+my $uptime_info=undef;
+my $uptime_minutes=undef;
+my $perf_out="";
+my $status=0;
+my $uptime_output;
+my ($days, $hrs, $mins);
+
+check_options();
+
+# Check gobal timeout if snmp screws up
+if (defined($o_timeout)) {
+ verb("Alarm at $o_timeout + 5");
+ alarm($o_timeout+5);
+}
+
+if ($check_type==1) { # local
+ # Process unix uptime command output
+ $uptime_output=`uptime`;
+ verb("Local Uptime Result is: $uptime_output");
+ if ($uptime_output =~ /(\d+)\s+days?,\s+(\d+)\:(\d+)/) {
+ ($days, $hrs, $mins) = ($1, $2, $3);
+ }
+ elsif ($uptime_output =~ /up\s+(\d+)\shours?\s+(\d+)/) {
+ ($days, $hrs, $mins) = (0, $1, $2);
+ }
+ elsif ($uptime_output =~ /up\s+(\d+)\:(\d+)/) {
+ ($days, $hrs, $mins) = (0, $1, $2);
+ }
+ elsif ($uptime_output =~ /up\s+(\d+)\s+min/) {
+ ($days, $hrs, $mins) = (0,0,$1);
+ }
+ elsif ($uptime_output =~ /up\s+(d+)s+days?,s+(d+)s+min/) {
+ ($days, $hrs, $mins) = ($1,0,$2);
+ }
+ else {
+ $uptime_info = "up ".$uptime_output;
+ }
+ if (defined($days) && defined($hrs) && defined($mins)) {
+ $uptime_minutes = $days*24*60+$hrs*60+$mins;
+ }
+ my @temp=split(' ',`uname -a`);
+ if (scalar(@temp)<3) {
+ $system_info=`uname -a`;
+ }
+ else {
+ $system_info=join(' ',$temp[0],$temp[1],$temp[2]);
+ }
+}
+else {
+ # SNMP connection
+ my $session=create_snmp_session();
+ my $result=undef;
+ my $oid="";
+ my $guessed_check_type=0;
+
+ if ($check_type==0){
+ $result = $session->get_request(-varbindlist=>[$oid_sysSystem]);
+ if (!defined($result)) {
+ printf("ERROR: Can not retrieve $oid_sysSystem table: %s.\n", $session->error);
+ $session->close;
+ exit $ERRORS{"UNKNOWN"};
+ }
+ verb("$o_host SysInfo Result from OID $oid_sysSystem: $result->{$oid_sysSystem}");
+ if ($result->{$oid_sysSystem} =~ /Windows/) {
+ $guessed_check_type=2;
+ verb('Guessing Type: 2 = windows');
+ }
+ if ($result->{$oid_sysSystem} =~ /Cisco/) {
+ $guessed_check_type=5;
+ verb('Guessing Type: 5 = netswitch');
+ }
+ if ($guessed_check_type==0) {
+ $guessed_check_type=3; # will try hostUptime first
+ }
+ $oid=$oid_uptime_types[$guessed_check_type][2];
+ }
+ else {
+ $oid=$oid_uptime_types[$check_type][2];
+ }
+
+ do {
+ $result = $session->get_request(-varbindlist=>[$oid,$oid_sysSystem]);
+ if (!defined($result)) {
+ if ($check_type!=0) {
+ printf("ERROR: Can not retrieve uptime OID table $oid: %s.\n", $session->error);
+ $session->close;
+ exit $ERRORS{"UNKNOWN"};
+ }
+ else {
+ if ($session->error =~ /noSuchName/) {
+ if ($guessed_check_type==4) {
+ verb("Received noSuchName error for sysUpTime OID $oid. Giving up.");
+ $guessed_check_type=0;
+ }
+ if ($guessed_check_type==3) {
+ verb("Received noSuchName error for hostUpTime OID $oid, will now try sysUpTime");
+ $guessed_check_type=4;
+ }
+ else {
+ verb("Received noSuchName error for OID $oid, will now try hostUpTime");
+ $guessed_check_type=3;
+ }
+ if ($guessed_check_type!=0) {
+ $oid=$oid_uptime_types[$guessed_check_type][2];
+ }
+ }
+ else {
+ printf("ERROR: Can not retrieve uptime OID table $oid: %s.\n", $session->error);
+ $session->close;
+ exit $ERRORS{"UNKNOWN"};
+ }
+ }
+ }
+ else {
+ if ($check_type==0) {
+ $check_type=$guessed_check_type;
+ }
+ }
+ }
+ while (!defined($result) && $guessed_check_type!=0);
+
+ $session->close;
+ if ($check_type==0 && $guessed_check_type==0) {
+ printf("ERROR: Can not autodetermine proper uptime OID table. Giving up.\n");
+ exit $ERRORS{"UNKNOWN"};
+ }
+
+ my ($days, $hrs, $mins);
+ $uptime_output=$result->{$oid};
+ verb("$o_host Uptime Result from OID $oid: $uptime_output");
+
+ if ($uptime_output =~ /(\d+)\s+days?,\s+(\d+)\:(\d+)/) {
+ ($days, $hrs, $mins) = ($1, $2, $3);
+ }
+ elsif ($uptime_output =~ /(\d+)\s+hours?,\s+(\d+)\:(\d+)/) {
+ ($days, $hrs, $mins) = (0, $1, $2);
+ }
+ elsif ($uptime_output =~ /(\d+)\s+min/) {
+ ($days, $hrs, $mins) = (0, 0, $1);
+ }
+ if (defined($days) && defined($hrs) && defined($mins)) {
+ $uptime_minutes = $days*24*60+$hrs*60+$mins;
+ }
+ elsif ($uptime_output =~ /^(\d+)$/) {
+ my $upnum = $1;
+ if ($oid eq $oid_sysUptime) {
+ $uptime_minutes = $upnum/100/60;
+ }
+ elsif ($oid eq $oid_engineTime) {
+ $uptime_minutes = $upnum/60;
+ }
+ }
+ else {
+ $uptime_info = "up ".$uptime_output;
+ }
+ my @temp=split(' ',$result->{$oid_sysSystem});
+ if (scalar(@temp)<3) {
+ $system_info=$result->{$oid_sysSystem};
+ }
+ else {
+ $system_info=join(' ',$temp[0],$temp[1],$temp[2]);
+ }
+}
+
+if (defined($uptime_minutes) && !defined($uptime_info)) {
+ ($hrs,$mins) = div_mod($uptime_minutes,60);
+ ($days,$hrs) = div_mod($hrs,24);
+ $uptime_info = "up ";
+ $uptime_info .= "$days days " if $days>0;
+ $uptime_info .= "$hrs hours " if $hrs>0;
+ $uptime_info .= "$mins minutes";
+}
+
+verb("System Type: $check_type (".$oid_uptime_types[$check_type][0].")");
+verb("System Info: $system_info") if $system_info;
+verb("Uptime Text: $uptime_info") if defined($uptime_info);
+verb("Uptime Minutes: $uptime_minutes") if defined($uptime_minutes);
+
+if (!defined($uptime_info)) {
+ $uptime_info = "Can not determine uptime";
+ $status = 3;
+}
+
+if (defined($o_perf)) {
+ $perf_out = "type=$check_type";
+ $perf_out .= " uptime_minutes=$uptime_minutes" if defined($uptime_minutes);
+}
+
+if (defined($uptime_minutes)) {
+ if (defined($o_prevperf)) {
+ $status = 1 if defined($o_warn) && exists($prev_perf{uptime_minutes}) && $prev_perf{uptime_minutes} > $uptime_minutes;
+ $status = 2 if defined($o_crit) && exists($prev_perf{uptime_minutes}) && $prev_perf{uptime_minutes} > $uptime_minutes;
+ }
+ else {
+ $status = 1 if defined($o_warn) && !isnnum($o_warn) && $o_warn >= $uptime_minutes;
+ $status = 2 if defined($o_crit) && !isnnum($o_crit) && $o_crit >= $uptime_minutes;
+ }
+}
+alarm(0);
+
+my $exit_status="UNKNOWN";
+$exit_status="OK" if $status==0;
+$exit_status="WARNING" if $status==1;
+$exit_status="CRITICAL" if $status==2;
+$exit_status="UNKNOWN" if $status==3;
+$exit_status="$o_label $exit_status" if defined($o_label);
+print "$exit_status: $system_info";
+print " - $uptime_info";
+print " | ",$perf_out if $perf_out;
+print "\n";
+exit $status;
diff --git a/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/nrpe.cfg.erb b/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/nrpe.cfg.erb
new file mode 100644
index 0000000..960dd61
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/templates/nagioshost/nrpe.cfg.erb
@@ -0,0 +1,262 @@
+<%# nrpe.cfg %>
+
+# ###################################################
+# # #
+# # # This file is managed with
+# # #
+# # # ##### # # ##### ##### ###### #####
+# # # # # # # # # # # # #
+# # # # # # # # # # # ##### #
+# # # ##### # # ##### ##### # #
+# # # # # # # # # #
+# # # # #### # # ###### #
+# # #
+# # # ... so you can't just change it locally.
+# # #
+# # ###################################################
+
+#############################################################################
+# Sample NRPE Config File
+# Written by: Ethan Galstad (nagios@nagios.org)
+#
+# Last Modified: 11-23-2007
+#
+# NOTES:
+# This is a sample configuration file for the NRPE daemon. It needs to be
+# located on the remote host that is running the NRPE daemon, not the host
+# from which the check_nrpe client is being executed.
+#############################################################################
+
+
+# LOG FACILITY
+# The syslog facility that should be used for logging purposes.
+
+log_facility=daemon
+
+
+
+# PID FILE
+# The name of the file in which the NRPE daemon should write it's process ID
+# number. The file is only written if the NRPE daemon is started by the root
+# user and is running in standalone mode.
+
+pid_file=/var/run/nagios/nrpe.pid
+
+
+
+# PORT NUMBER
+# Port number we should wait for connections on.
+# NOTE: This must be a non-priviledged port (i.e. > 1024).
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+server_port=5666
+
+
+
+# SERVER ADDRESS
+# Address that nrpe should bind to in case there are more than one interface
+# and you do not want nrpe to bind on all interfaces.
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+#server_address=127.0.0.1
+
+
+
+# NRPE USER
+# This determines the effective user that the NRPE daemon should run as.
+# You can either supply a username or a UID.
+#
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+nrpe_user=nagios
+
+
+
+# NRPE GROUP
+# This determines the effective group that the NRPE daemon should run as.
+# You can either supply a group name or a GID.
+#
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+nrpe_group=nagios
+
+
+
+# ALLOWED HOST ADDRESSES
+# This is an optional comma-delimited list of IP address or hostnames
+# that are allowed to talk to the NRPE daemon. Network addresses with a bit mask
+# (i.e. 192.168.1.0/24) are also supported. Hostname wildcards are not currently
+# supported.
+#
+# Note: The daemon only does rudimentary checking of the client's IP
+# address. I would highly recommend adding entries in your /etc/hosts.allow
+# file to allow only the specified host to connect to the port
+# you are running this daemon on.
+#
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+
+allowed_hosts= <%= @allowed_hosts %>
+
+# COMMAND ARGUMENT PROCESSING
+# This option determines whether or not the NRPE daemon will allow clients
+# to specify arguments to commands that are executed. This option only works
+# if the daemon was configured with the --enable-command-args configure script
+# option.
+#
+# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
+# Read the SECURITY file for information on some of the security implications
+# of enabling this variable.
+#
+# Values: 0=do not allow arguments, 1=allow command arguments
+
+dont_blame_nrpe=0
+
+
+
+# BASH COMMAND SUBTITUTION
+# This option determines whether or not the NRPE daemon will allow clients
+# to specify arguments that contain bash command substitutions of the form
+# $(...). This option only works if the daemon was configured with both
+# the --enable-command-args and --enable-bash-command-substitution configure
+# script options.
+#
+# *** ENABLING THIS OPTION IS A HIGH SECURITY RISK! ***
+# Read the SECURITY file for information on some of the security implications
+# of enabling this variable.
+#
+# Values: 0=do not allow bash command substitutions,
+# 1=allow bash command substitutions
+
+allow_bash_command_substitution=0
+
+
+
+# COMMAND PREFIX
+# This option allows you to prefix all commands with a user-defined string.
+# A space is automatically added between the specified prefix string and the
+# command line from the command definition.
+#
+# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
+# Usage scenario:
+# Execute restricted commmands using sudo. For this to work, you need to add
+# the nagios user to your /etc/sudoers. An example entry for alllowing
+# execution of the plugins from might be:
+#
+# nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
+#
+# This lets the nagios user run all commands in that directory (and only them)
+# without asking for a password. If you do this, make sure you don't give
+# random users write access to that directory or its contents!
+
+# command_prefix=/usr/bin/sudo
+
+
+
+# DEBUGGING OPTION
+# This option determines whether or not debugging messages are logged to the
+# syslog facility.
+# Values: 0=debugging off, 1=debugging on
+
+debug=0
+
+
+
+# COMMAND TIMEOUT
+# This specifies the maximum number of seconds that the NRPE daemon will
+# allow plugins to finish executing before killing them off.
+
+command_timeout=60
+
+
+
+# CONNECTION TIMEOUT
+# This specifies the maximum number of seconds that the NRPE daemon will
+# wait for a connection to be established before exiting. This is sometimes
+# seen where a network problem stops the SSL being established even though
+# all network sessions are connected. This causes the nrpe daemons to
+# accumulate, eating system resources. Do not set this too low.
+
+connection_timeout=300
+
+
+
+# WEEK RANDOM SEED OPTION
+# This directive allows you to use SSL even if your system does not have
+# a /dev/random or /dev/urandom (on purpose or because the necessary patches
+# were not applied). The random number generator will be seeded from a file
+# which is either a file pointed to by the environment valiable $RANDFILE
+# or $HOME/.rnd. If neither exists, the pseudo random number generator will
+# be initialized and a warning will be issued.
+# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness
+
+#allow_weak_random_seed=1
+
+
+
+# INCLUDE CONFIG FILE
+# This directive allows you to include definitions from an external config file.
+
+#include=<somefile.cfg>
+
+
+
+# INCLUDE CONFIG DIRECTORY
+# This directive allows you to include definitions from config files (with a
+# .cfg extension) in one or more directories (with recursion).
+
+#include_dir=<somedirectory>
+#include_dir=<someotherdirectory>
+
+
+
+# COMMAND DEFINITIONS
+# Command definitions that this daemon will run. Definitions
+# are in the following format:
+#
+# command[<command_name>]=<command_line>
+#
+# When the daemon receives a request to return the results of <command_name>
+# it will execute the command specified by the <command_line> argument.
+#
+# Unlike Nagios, the command line cannot contain macros - it must be
+# typed exactly as it should be executed.
+#
+# Note: Any plugins that are used in the command lines must reside
+# on the machine that this daemon is running on! The examples below
+# assume that you have plugins installed in a /usr/local/nagios/libexec
+# directory. Also note that you will have to modify the definitions below
+# to match the argument format the plugins expect. Remember, these are
+# examples only!
+
+
+# The following examples use hardcoded command arguments...
+
+command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
+command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
+command[check_root]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /
+command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
+command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200
+command[check_uptime]=/usr/lib/nagios/plugins/check_uptime.pl -f
+command[check_reboot]=/usr/lib/nagios/plugins/check_reboot
+
+# The following examples allow user-supplied arguments and can
+# only be used if the NRPE daemon was compiled with support for
+# command arguments *AND* the dont_blame_nrpe directive in this
+# config file is set to '1'. This poses a potential security risk, so
+# make sure you read the SECURITY file before doing this.
+
+#command[check_users]=/usr/lib/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
+#command[check_load]=/usr/lib/nagios/plugins/check_load -w $ARG1$ -c $ARG2$
+#command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
+#command[check_procs]=/usr/lib/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
+
+#
+# local configuration:
+# if you'd prefer, you can instead place directives here
+include=/etc/nagios/nrpe_local.cfg
+
+#
+# you can place your config snipplets into nrpe.d/
+# only snipplets ending in .cfg will get included
+include_dir=/etc/nagios/nrpe.d/
+
diff --git a/global/overlay/etc/ssl/certs/infra.crt b/global/overlay/etc/ssl/certs/infra.crt
new file mode 100644
index 0000000..a34ba57
--- /dev/null
+++ b/global/overlay/etc/ssl/certs/infra.crt
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF8zCCA9ugAwIBAgIBADANBgkqhkiG9w0BAQsFADA/MSAwHgYDVQQDExdTVU5F
+VCBJbmZyYXN0cnVjdHVyZSBDQTEOMAwGA1UEChMFU1VORVQxCzAJBgNVBAYTAlNF
+MB4XDTE1MDMyNDIyMDA0M1oXDTI1MDMyMTIyMDA0M1owPzEgMB4GA1UEAxMXU1VO
+RVQgSW5mcmFzdHJ1Y3R1cmUgQ0ExDjAMBgNVBAoTBVNVTkVUMQswCQYDVQQGEwJT
+RTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANX8E3tAkO2lm7aU18ND
+hJtMARHObom9b+SpwrfgEI6dsnIqsrjzrZ1X+bv3AhlmWMS7aPr0BuvtsKxwcRaD
+TRdfM7ik7L40vXAkBwVWvXJvjdF5d+AZI750S5G1jSh/v8Nz+zHsai1mtdnx7FT6
+Pg1BJbwf0IyIHZClcnO/OmwElNnGVB5uNp3e/67KCqI4IhjAt+4G30mRfIpZ1KoU
+vexZsz++cZErCXEe0eWnhlnCjfobMKmEHhvX6RzvTbB80AL/tfrqnOEwD6y7iUOp
+N9FSTiHvHxRiD80WglLrh2qHzSn3it91RA1OvfY0HoIgdz1F/l07Nlm8a6WrrbRZ
+Pg+HzlZ31iy0/sqduj2fPrDuDDQn87Bu3ohsZPg1t700ZW+YMUWtmh9PHK04a2fI
+f9ET7llJPYzyOQ1apoiAgPRf4pnxOSOgjUhVDBY20ppTKxFJ7WY9JSKRPj92A6Ht
+2/uAfUapKPOPSaASIruVz7sZ7DqiWvq67uvRtwr5yytRoZ82HG1Z36DxSNUcJ2X8
+MmELT/ONQHolu8hiZCLDCienYWZUPBnaI9jblCqvmBrdlJzKdrWzb1zKEQNsducs
+Klwgh5hZ6tJLca3v/sDx7odUK4MF+vuhEyRZyXUQBZ3+m7iII+2mHLyZ2EUpfBjZ
+hlOERIttFErkPP5CsPkf8uvDAgMBAAGjgfkwgfYwHQYDVR0OBBYEFOcsnlEasB0B
+HeZCtCcaNZNwwG3XMB8GA1UdIwQYMBaAFOcsnlEasB0BHeZCtCcaNZNwwG3XMDsG
+CCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAoYfaHR0cDovL2NhLnN1bmV0LnNlL2lu
+ZnJhL2NhLmNydDAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY2Euc3VuZXQuc2Uv
+aW5mcmEvY3JsLnBlbTAjBgNVHRIEHDAahhhodHRwOi8vY2Euc3VuZXQuc2UvaW5m
+cmEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEL
+BQADggIBAHUlygRL3d5DEBKWVvsuWhWNq5O7QHqWYyRSEMbncHSsZJhryJvmI/4Z
+KI0UpBC6KBJDRGnKWnTfNUsNa6ZC/hPb+9RTdVV7ODq5T1xCp9bueVmf2x/CQEIK
+Rexwlv6+nMdUmFioxtTdKOCSkXu4L+dmIpzsbkUrl0wNSIeTga0StGyJZcbFq/cp
+qur89YaiDSZ490C7UrQSaMRmBYTqmISmtlLzpGEPR3e6xoJbxws3zKeUYfF4Fzzi
+t424jpgd+FHh7eEyNNqNqKP+kr/G4/BnJBzyr1uP+1/LSzJRHj/hNJV7R/8zr9KY
+hZxjP7YKLmRxfEaRIFcjDJOKEYzpN3MNWOWVKMduUEbk65sbTFIlY1wCDzV9rHeY
+81G82FQVmOMYc5RQI5ZcEqEUhOTv85bMF3rVpGR+tA8gfQWs0w8sa9wcEo/HfjXa
+wgu67cJe2grg9iaoh40cOUIbVFaHbkvOG3ZMJPOkye+nBuOJncWhpuxGRxgEvW/O
+gj5WnDwZ4J8hfGchaBSi5ZVEvUWpmx+NPzIp5YhHBRA5zadmd2fGIui/22fmJuDq
+syNaWN5Ncka6Ud5NSnuYJDZauC/3ftdwe5awkuQFon3qg0fiVprM+DOUNgakVGyF
+5G6c17lavZgC3xqdXYbnNkBTeaTgYYUdOxcT7WXARVw9ak5OhSw0
+-----END CERTIFICATE-----
diff --git a/global/overlay/usr/local/bin/ping-check b/global/overlay/usr/local/bin/ping-check
new file mode 100755
index 0000000..57d533c
--- /dev/null
+++ b/global/overlay/usr/local/bin/ping-check
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+#
+# Ping until reply or MAX_TRIES. One try == 1s.
+#
+
+MAX_TRIES=60
+LOGTAG="sunet_docker_ping_check"
+
+count=1
+until ping -c1 $1 &> /dev/null
+do
+ if [ $count -gt $MAX_TRIES ]
+ then
+ logger -t "$LOGTAG" "No response from $1 after $MAX_TRIES tries."
+ exit 1
+ fi
+ sleep 1
+ count=$[$count+1]
+done
+logger -t "$LOGTAG" "IP lookup of $1 succeeded after $count tries."
+