From 3bcffbe251b18c4c8ea71949834fd03c93ce12ff Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Thu, 13 Oct 2016 20:09:30 +0200
Subject: [PATCH] Start playbooks with nrpe role
---
playbooks/.gitignore | 1 +
playbooks/ansible.cfg | 4 +
playbooks/group_vars/all | 2 +
playbooks/playbook.yml | 6 +
playbooks/roles/nrpe/defaults/main.yml | 36 ++++++
playbooks/roles/nrpe/handlers/main.yml | 3 +
playbooks/roles/nrpe/tasks/main.yml | 13 +++
playbooks/roles/nrpe/templates/nrpe.cfg.j2 | 124 +++++++++++++++++++++
playbooks/stage | 2 +
9 files changed, 191 insertions(+)
create mode 100644 playbooks/.gitignore
create mode 100644 playbooks/ansible.cfg
create mode 100644 playbooks/group_vars/all
create mode 100644 playbooks/playbook.yml
create mode 100644 playbooks/roles/nrpe/defaults/main.yml
create mode 100644 playbooks/roles/nrpe/handlers/main.yml
create mode 100644 playbooks/roles/nrpe/tasks/main.yml
create mode 100644 playbooks/roles/nrpe/templates/nrpe.cfg.j2
create mode 100644 playbooks/stage
diff --git a/playbooks/.gitignore b/playbooks/.gitignore
new file mode 100644
index 00000000..e6016993
--- /dev/null
+++ b/playbooks/.gitignore
@@ -0,0 +1 @@
+playbook.retry
diff --git a/playbooks/ansible.cfg b/playbooks/ansible.cfg
new file mode 100644
index 00000000..7470789d
--- /dev/null
+++ b/playbooks/ansible.cfg
@@ -0,0 +1,4 @@
+[defaults]
+hostfile = stage
+legacy_playbook_variables = no
+pipelining = False
diff --git a/playbooks/group_vars/all b/playbooks/group_vars/all
new file mode 100644
index 00000000..57841ce8
--- /dev/null
+++ b/playbooks/group_vars/all
@@ -0,0 +1,2 @@
+nrpe_allowed_hosts:
+ - montou.ra.nemunai.re
diff --git a/playbooks/playbook.yml b/playbooks/playbook.yml
new file mode 100644
index 00000000..588559fc
--- /dev/null
+++ b/playbooks/playbook.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Custom ansible playbook
+ hosts: all
+ roles:
+ - nrpe
diff --git a/playbooks/roles/nrpe/defaults/main.yml b/playbooks/roles/nrpe/defaults/main.yml
new file mode 100644
index 00000000..ce8619e0
--- /dev/null
+++ b/playbooks/roles/nrpe/defaults/main.yml
@@ -0,0 +1,36 @@
+---
+# Port number we should wait for connections on.
+nrpe_port: 5666
+
+# Comma-delimited list of IP address or hostnames that are allowed to talk
+# to the NRPE daemon.
+nrpe_allowed_hosts: []
+
+# Allow using seed from weak location, force use of /dev/[u]random instead
+# NRPE default: 1
+nrpe_allow_weak_random_seed: 0
+
+# Mapping of command definitions that this daemon will run.
+# The mapping key is a command name, the value is a command line.
+# If the command is a core plugin or a plugin installed in {{nrpe_plugins_dir}},
+# then absolute path is not necessary, use just a filename (it will be
+# automatically prefixed for nrpe.cfg).
+#
+# Example:
+# check_swap: check_swap -w 60% -c 30%
+# check_postgres: check_postgres --action=connection
+# check_lemur: /home/hody/nrpe/check_lemur --alive
+nrpe_commands:
+ # free disk space: warn <20%, critical <8% / inodes: warm <20%, critical <8%,
+ # exclude-type: tmpfs, devtmpfs, none (binds)
+ check_disk: check_disk -w 20% -c 8% -W 20% -K 8% -X tmpfs -X devtmpfs -X none
+ # free swap space: warn <60%, critical <30%
+ check_swap: check_swap -w 60% -c 30%
+ check_load: "check_load \
+ -w {{ ansible_processor_vcpus * 1.5 }},{{ ansible_processor_vcpus }},{{ ansible_processor_vcpus * 0.7 }} \
+ -c {{ ansible_processor_vcpus * 3 }},{{ ansible_processor_vcpus * 1.5 }},{{ ansible_processor_vcpus * 0.9 }}"
+ check_total_procs: check_procs -w 200 -c 250 -s DRSTZ
+ check_zombie_procs: check_procs -w 3 -c 10 -s Z
+ check_syslog_procs: 'check_procs -c 2: --command=syslog-ng'
+ check_apt: 'check_apt'
+ check_ntp_time: 'check_ntp_time -H fr.pool.ntp.org -w 1 -c 2'
\ No newline at end of file
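Review bot: The default `nrpe_allowed_hosts: []` makes the template render a bare `allowed_hosts=` on any host that gets no value from group_vars, and whether the packaged NRPE treats an empty value as "refuse everyone" or as "no restriction" is not visible from this role and should be confirmed. Failing early is safer: an `assert` task with `that: nrpe_allowed_hosts | length > 0` placed before the template task would stop the play instead of deploying either outcome. The comment above the variable still says "Comma-delimited list" although the value is a YAML list that the template joins; `# List of IP addresses or hostnames allowed to talk to the NRPE daemon.` would match. The `{{nrpe_plugins_dir}}` named in the nrpe_commands comment is not defined anywhere in this patch.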
diff --git a/playbooks/roles/nrpe/handlers/main.yml b/playbooks/roles/nrpe/handlers/main.yml
new file mode 100644
index 00000000..128a61e2
--- /dev/null
+++ b/playbooks/roles/nrpe/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart nagios-nrpe-server
+ service: name=nagios-nrpe-server state=restarted
diff --git a/playbooks/roles/nrpe/tasks/main.yml b/playbooks/roles/nrpe/tasks/main.yml
new file mode 100644
index 00000000..7635f2b6
--- /dev/null
+++ b/playbooks/roles/nrpe/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+- name: install nagios-nrpe-server
+ apt: name=nagios-nrpe-server
+
+- name: configure nrpe
+ template: >
+ src=nrpe.cfg.j2
+ dest=/etc/nagios/nrpe.cfg
+ owner=root group=root mode=0640
+ notify: restart nagios-nrpe-server
+
+- name: enable and start nrpe daemon
+ service: name=nagios-nrpe-server enabled=yes state=started
diff --git a/playbooks/roles/nrpe/templates/nrpe.cfg.j2 b/playbooks/roles/nrpe/templates/nrpe.cfg.j2
new file mode 100644
index 00000000..75afb7fa
--- /dev/null
+++ b/playbooks/roles/nrpe/templates/nrpe.cfg.j2
@@ -0,0 +1,124 @@
+# {{ ansible_managed }}
+
+# LOG FACILITY
+# The syslog facility that should be used for logging purposes.
+log_facility=daemon
+
+# PID FILE
+# The name of the file in which the NRPE daemon should write it's process ID
+# number. The file is only written if the NRPE daemon is started by the root
+# user and is running in standalone mode.
+pid_file=/run/nrpe.pid
+
+# PORT NUMBER
+# Port number we should wait for connections on.
+# NOTE: This must be a non-priviledged port (i.e. > 1024).
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+server_port={{ nrpe_port }}
+
+# SERVER ADDRESS
+# Address that nrpe should bind to in case there are more than one interface
+# and you do not want nrpe to bind on all interfaces.
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+#server_address=127.0.0.1
+
+# NRPE USER
+# This determines the effective user that the NRPE daemon should run as.
+# You can either supply a username or a UID.
+#
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+nrpe_user=nagios
+
+# NRPE GROUP
+# This determines the effective group that the NRPE daemon should run as.
+# You can either supply a group name or a GID.
+#
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+nrpe_group=nagios
+
+# ALLOWED HOST ADDRESSES
+# This is an optional comma-delimited list of IP address or hostnames
+# that are allowed to talk to the NRPE daemon. Network addresses with a bit mask
+# (i.e. 192.168.1.0/24) are also supported. Hostname wildcards are not currently
+# supported.
+#
+# Note: The daemon only does rudimentary checking of the client's IP
+# address. I would highly recommend adding entries in your /etc/hosts.allow
+# file to allow only the specified host to connect to the port
+# you are running this daemon on.
+#
+# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
+allowed_hosts={{ nrpe_allowed_hosts | join(',') }}
+
+# COMMAND PREFIX
+# This option allows you to prefix all commands with a user-defined string.
+# A space is automatically added between the specified prefix string and the
+# command line from the command definition.
+#
+# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
+# Usage scenario:
+# Execute restricted commmands using sudo. For this to work, you need to add
+# the nagios user to your /etc/sudoers. An example entry for alllowing
+# execution of the plugins from might be:
+#
+# nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
+#
+# This lets the nagios user run all commands in that directory (and only them)
+# without asking for a password. If you do this, make sure you don't give
+# random users write access to that directory or its contents!
+# command_prefix=/usr/bin/sudo
+
+# DEBUGGING OPTION
+# This option determines whether or not debugging messages are logged to the
+# syslog facility.
+# Values: 0=debugging off, 1=debugging on
+debug=0
+
+# COMMAND TIMEOUT
+# This specifies the maximum number of seconds that the NRPE daemon will
+# allow plugins to finish executing before killing them off.
+command_timeout=60
+
+# CONNECTION TIMEOUT
+# This specifies the maximum number of seconds that the NRPE daemon will
+# wait for a connection to be established before exiting. This is sometimes
+# seen where a network problem stops the SSL being established even though
+# all network sessions are connected. This causes the nrpe daemons to
+# accumulate, eating system resources. Do not set this too low.
+connection_timeout=300
+
+# WEEK RANDOM SEED OPTION
+# This directive allows you to use SSL even if your system does not have
+# a /dev/random or /dev/urandom (on purpose or because the necessary patches
+# were not applied). The random number generator will be seeded from a file
+# which is either a file pointed to by the environment valiable $RANDFILE
+# or $HOME/.rnd. If neither exists, the pseudo random number generator will
+# be initialized and a warning will be issued.
+# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness
+
+allow_weak_random_seed={{ nrpe_allow_weak_random_seed }}
+
+# COMMAND DEFINITIONS
+# Command definitions that this daemon will run. Definitions
+# are in the following format:
+#
+# command[]=
+#
+# When the daemon receives a request to return the results of
+# it will execute the command specified by the argument.
+#
+# Unlike Nagios, the command line cannot contain macros - it must be
+# typed exactly as it should be executed.
+#
+# Note: Any plugins that are used in the command lines must reside
+# on the machine that this daemon is running on!
+
+{% for name, cmd in nrpe_commands | dictsort %}
+{# Command with absolute path. #}
+{% if cmd.startswith('/') %}
+command[{{ name }}]={{ cmd }}
+{# Command with core plugin. #}
+{% else %}
+command[{{ name }}]=/usr/lib/nagios/plugins/{{ cmd }}
+{% endif %}
+{% endfor %}
diff --git a/playbooks/stage b/playbooks/stage
new file mode 100644
index 00000000..7235710f
--- /dev/null
+++ b/playbooks/stage
@@ -0,0 +1,2 @@
+[frontend]
+prodsrs ansible_python_interpreter=/usr/bin/python2 ansible_host=srs.epita.fr ansible_port=1227 ansible_user=root
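Review bot: `allowed_hosts` is the only access control the nrpe.cfg.j2 template configures: `server_address` stays commented out, so the daemon listens on every interface, and the file's own comment describes the allowed-hosts check as rudimentary. group_vars supplies a hostname rather than an address, which also makes that check depend on name resolution. A variable for the bind address, for example `server_address={{ nrpe_server_address }}` emitted only when the variable is set, plus a packet-filter rule limiting `{{ nrpe_port }}` to the monitoring host, would add a second layer. Separately, the command loop hard-codes `/usr/lib/nagios/plugins/` while the role defaults' comment refers to `{{nrpe_plugins_dir}}`; one of the two should be brought in line with the other.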
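Review bot: The `prodsrs` inventory entry logs in directly as root (`ansible_user=root`), which requires root SSH login to remain enabled on that host and leaves no per-operator trail for what the play changes. An unprivileged account combined with `become: yes` on the play would cover everything the nrpe role does, namely the package install, `/etc/nagios/nrpe.cfg` and the service. The inventory file is named `stage` while its only host is called `prodsrs`; a short comment stating which environment this targets would prevent a run against the wrong one.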