From 984684f56f15d9d89ea78ffe6ed67dabf3d63208 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 13 May 2015 13:38:28 +0200 Subject: remove old leap_mx logfile location from check_mk logwatch state file #6964 Change-Id: I385c639e5c096deef4f81691a85c1b83cbab9421 --- puppet/modules/site_apt/manifests/init.pp | 3 +++ puppet/modules/site_apt/manifests/preferences/augeas.pp | 15 +++++++++++++++ puppet/modules/site_config/manifests/default.pp | 5 +++++ puppet/modules/site_config/manifests/remove_files.pp | 7 +++++++ 4 files changed, 30 insertions(+) create mode 100644 puppet/modules/site_apt/manifests/preferences/augeas.pp diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index c32c29c4..75f545d4 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -1,3 +1,4 @@ +# setup basic debian package manager configuration class site_apt { $sources = hiera('sources') @@ -31,6 +32,8 @@ class site_apt { priority => 999 } + include site_apt::preferences::augeas + # All packages should be installed _after_ refresh_apt is called, # which does an apt-get update. # There is one exception: diff --git a/puppet/modules/site_apt/manifests/preferences/augeas.pp b/puppet/modules/site_apt/manifests/preferences/augeas.pp new file mode 100644 index 00000000..257d64c4 --- /dev/null +++ b/puppet/modules/site_apt/manifests/preferences/augeas.pp @@ -0,0 +1,15 @@ +# install augeas packages from backports +class site_apt::preferences::augeas { + + # i could not get + # site_config::remove_files::augeas::['rm_old_leap_mx_log_destination'] + # to remove a line matching a regex with the wheezy version of augeas-lenses + # (0.10.0-1). Therefore we install it from backports + + apt::preferences_snippet { 'augeas': + package => 'augeas-lenses augeas-tools libaugeas0', + release => "${::lsbdistcodename}-backports", + priority => 999; + } + +} 
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index e69e4b7b..57e45506 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -1,3 +1,4 @@ +# This class is the basic configuration for all nodes class site_config::default { tag 'leap_base' @@ -13,6 +14,10 @@ class site_config::default { include apt::update Package { require => Exec['apt_updated'] } + class {'augeas': + version => 'latest' + } + include site_config::slow # default class, used by all hosts diff --git a/puppet/modules/site_config/manifests/remove_files.pp b/puppet/modules/site_config/manifests/remove_files.pp index 44e3e47b..05a758bb 100644 --- a/puppet/modules/site_config/manifests/remove_files.pp +++ b/puppet/modules/site_config/manifests/remove_files.pp @@ -33,4 +33,11 @@ class site_config::remove_files { rmdirs => true; } + # leax-mx logged to /var/log/leap_mx.log in the past + augeas { 'rm_old_leap_mx_log_destination': + incl => '/etc/check_mk/logwatch.state', + lens => 'Simplelines.lns', + changes => [ "rm /files/etc/check_mk/logwatch.state/*[.=~regexp('.*leap_mx.log.*')]" ], + } + } -- cgit v1.2.3 From d5dccfc5cd72188bac66d7433c94b1046b50c7fb Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 26 May 2015 11:47:26 +0200 Subject: Revert "remove old leap_mx logfile location from check_mk logwatch state file #6964" This reverts commit 984684f56f15d9d89ea78ffe6ed67dabf3d63208. Needed because: Augeas fails after upgrading augeas packages during same puppetrun, but only on first deploy - https://leap.se/code/issues/6997 --- puppet/modules/site_apt/manifests/init.pp | 3 --- puppet/modules/site_apt/manifests/preferences/augeas.pp | 15 --------------- puppet/modules/site_config/manifests/default.pp | 5 ----- puppet/modules/site_config/manifests/remove_files.pp | 7 ------- 4 files changed, 30 deletions(-) delete mode 100644 puppet/modules/site_apt/manifests/preferences/augeas.pp 
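Review bot: `class {'augeas': version => 'latest' }` turns every Puppet run into an unpinned upgrade of the augeas packages, and the augeas.pp comment in this same commit says the new `augeas { 'rm_old_leap_mx_log_destination': ... }` resource only works with the backports lenses, so the upgrade and its first use are scheduled inside one catalog. Pinning an explicit version, or at least a comment stating why `latest` is required and which resource depends on it, would make that ordering reviewable. The body of site_config::default continues outside the hunk.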
diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 75f545d4..c32c29c4 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -1,4 +1,3 @@ -# setup basic debian package manager configuration class site_apt { $sources = hiera('sources') @@ -32,8 +31,6 @@ class site_apt { priority => 999 } - include site_apt::preferences::augeas - # All packages should be installed _after_ refresh_apt is called, # which does an apt-get update. # There is one exception: diff --git a/puppet/modules/site_apt/manifests/preferences/augeas.pp b/puppet/modules/site_apt/manifests/preferences/augeas.pp deleted file mode 100644 index 257d64c4..00000000 --- a/puppet/modules/site_apt/manifests/preferences/augeas.pp +++ /dev/null @@ -1,15 +0,0 @@ -# install augeas packages from backports -class site_apt::preferences::augeas { - - # i could not get - # site_config::remove_files::augeas::['rm_old_leap_mx_log_destination'] - # to remove a line matching a regex with the wheezy version of augeas-lenses - # (0.10.0-1). Therefore we install it from backports - - apt::preferences_snippet { 'augeas': - package => 'augeas-lenses augeas-tools libaugeas0', - release => "${::lsbdistcodename}-backports", - priority => 999; - } - -} diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 57e45506..e69e4b7b 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -1,4 +1,3 @@ -# This class is the basic configuration for all nodes class site_config::default { tag 'leap_base' @@ -14,10 +13,6 @@ class site_config::default { include apt::update Package { require => Exec['apt_updated'] } - class {'augeas': - version => 'latest' - } - include site_config::slow # default class, used by all hosts 
diff --git a/puppet/modules/site_config/manifests/remove_files.pp b/puppet/modules/site_config/manifests/remove_files.pp index 05a758bb..44e3e47b 100644 --- a/puppet/modules/site_config/manifests/remove_files.pp +++ b/puppet/modules/site_config/manifests/remove_files.pp @@ -33,11 +33,4 @@ class site_config::remove_files { rmdirs => true; } - # leax-mx logged to /var/log/leap_mx.log in the past - augeas { 'rm_old_leap_mx_log_destination': - incl => '/etc/check_mk/logwatch.state', - lens => 'Simplelines.lns', - changes => [ "rm /files/etc/check_mk/logwatch.state/*[.=~regexp('.*leap_mx.log.*')]" ], - } - } -- cgit v1.2.3 From 26f7665f556570e4bbd446d7b2046854642aff58 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 26 May 2015 12:22:29 +0200 Subject: check_mk complains about non-existing logfile (#6964) Change-Id: Ic58f9516854f812d46aa3a574628318951f99a95 --- puppet/modules/site_config/manifests/remove_files.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/puppet/modules/site_config/manifests/remove_files.pp b/puppet/modules/site_config/manifests/remove_files.pp index 44e3e47b..3f46659c 100644 --- a/puppet/modules/site_config/manifests/remove_files.pp +++ b/puppet/modules/site_config/manifests/remove_files.pp @@ -33,4 +33,14 @@ class site_config::remove_files { rmdirs => true; } + # leax-mx logged to /var/log/leap_mx.log in the past + # we need to use a dumb exec here because file_line doesn't + # allow removing lines that match a regex in the current version + # of stdlib, see https://tickets.puppetlabs.com/browse/MODULES-1903 + exec { 'rm_old_leap_mx_log_destination': + command => "/bin/sed -i '/leap_mx.log/d' /etc/check_mk/logwatch.state", + onlyif => "/bin/grep -qe 'leap_mx.log' /etc/check_mk/logwatch.state" + } + + } -- cgit v1.2.3 From 344d8e5fa78cbe5ab2d2a5f4a867c03047057efd Mon Sep 17 00:00:00 2001 
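Review bot: Both patterns in the new exec are regexes, so the unescaped dot in `leap_mx.log` matches any character and the match is unanchored; `command => "/bin/sed -i '/leap_mx\\.log/d' /etc/check_mk/logwatch.state",` and `onlyif => "/bin/grep -qF 'leap_mx.log' /etc/check_mk/logwatch.state"` would pin both to the literal filename. The `onlyif` grep exits non-zero when /etc/check_mk/logwatch.state does not exist yet, so the exec is skipped on fresh nodes; that looks intended but deserves a one-line comment. `sed -i` rewrites the state file in place, and the check_mk agent presumably writes the same file, so ordering the exec after whatever manages /etc/check_mk (a `require` on that resource) would keep the two from racing on first deploy. The enclosing class site_config::remove_files starts outside the hunk.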
From: varac Date: Tue, 26 May 2015 12:55:28 +0200 Subject: updated couchdb submodule fix random couch_doc_update errors (#6850) Change-Id: I0d824e3f65ecfc9b6442b39003dacc35009fe10d --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 02c2f59d..23b557c6 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 02c2f59dd1725cc0bd83e346259d54ea46a5ba1f +Subproject commit 23b557c6fb07929a9b04e5fb75375a85a4734370 -- cgit v1.2.3 From b77e3f7e87bc64ffaaa608e5b6a6ef385b8054d3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 26 May 2015 22:23:22 -0400 Subject: Implement weakdh recommendations for cipher suites (#7024) This is a first step mitigation until we can have a newer apache that will allow us to specify dh parameters other than the default. Change-Id: Ibfcee53b331e8919466027dde1a93117b5210d9d --- puppet/modules/site_apache/files/include.d/ssl_common.inc | 2 +- .../modules/site_nickserver/templates/nickserver-proxy.conf.erb | 8 ++------ puppet/modules/site_static/templates/apache.conf.erb | 8 ++------ 3 files changed, 5 insertions(+), 13 deletions(-) diff --git a/puppet/modules/site_apache/files/include.d/ssl_common.inc b/puppet/modules/site_apache/files/include.d/ssl_common.inc index 08b993cc..2d282c84 100644 --- a/puppet/modules/site_apache/files/include.d/ssl_common.inc +++ b/puppet/modules/site_apache/files/include.d/ssl_common.inc 
@@ -2,6 +2,6 @@ SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCompression off -SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" +SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" RequestHeader set X_FORWARDED_PROTO 'https' \ No newline at end of file diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb index 56a8d9f6..d4e734c3 100644 --- a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb +++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb 
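Review bot: The new SSLCipherSuite string is missing the separator between `!PSK` and `!aECDH` (`...:!MD5:!PSK!aECDH:!EDH-DSS-DES-CBC3-SHA:...`); the published weakdh list has `!PSK:!aECDH`. OpenSSL's rule parser may still apply both exclusions because `!` begins a new rule, but that is lenient parsing rather than documented syntax, so the colon should be restored before this is relied on. The list also keeps `!3DES` while naming `DES-CBC3-SHA`, `!EDH-DSS-DES-CBC3-SHA`, `!EDH-RSA-DES-CBC3-SHA` and `!KRB5-DES-CBC3-SHA`; with `!3DES` present those four entries are redundant, which is fine, but a comment such as `# !3DES already excludes the DES-CBC3 suites listed below; keep both for clarity` would stop someone from reintroducing 3DES by trimming one of them. As the commit message says, the DHE suites remain enabled with Apache's default DH parameters, so this hunk narrows the cipher list but does not change the DH group itself.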
@@ -8,17 +8,13 @@ Listen 0.0.0.0:<%= @nickserver_port -%> ServerName <%= @nickserver_domain %> ServerAlias <%= @address_domain %> - SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLHonorCipherOrder on - SSLCompression off - SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" - SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt + Include include.d/ssl_common.inc + ProxyPass / http://localhost:<%= @nickserver_local_port %>/ ProxyPreserveHost On # preserve Host header in HTTP request diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 9b516a10..4d61cc08 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb 
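Review bot: Replacing the inline SSL block with `Include include.d/ssl_common.inc` also pulls in the `RequestHeader set X_FORWARDED_PROTO 'https'` line that ssl_common.inc carries (visible in the ssl_common.inc hunk above), so the nickserver proxy vhost now sets that header on every request; presumably harmless for the ProxyPass backend, but it is a behaviour change that neither the commit message nor a template comment mentions. The include path is relative and so resolves against ServerRoot; this hunk does not show where site_apache deploys include.d, so please confirm the file is in place before the vhost is enabled, since a missing Include fails the config test and takes the proxy down rather than leaving it unencrypted. The same two points apply to the apache.conf.erb hunk below.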
@@ -45,12 +45,8 @@ #RewriteLog "/var/log/apache2/rewrite.log" #RewriteLogLevel 3 - SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLHonorCipherOrder on - SSLCompression off - SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" - + Include include.d/ssl_common.inc + <%- if @tls_only -%> Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" <%- end -%> -- cgit v1.2.3 From ccf63cf34fedbcff2923b11f2e49c3a58b6c1180 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 27 May 2015 11:17:06 +0200 Subject: leap_couch_stats.sh handles rotated dbs (#6987) Change-Id: I115ebdefd7365bf15a30c4a3ce7a4543ad757cec --- .../agent/local_checks/couchdb/leap_couch_stats.sh | 25 ++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh b/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh index 51a8ac52..95474ccb 100755 --- a/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh +++ b/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh @@ -11,7 +11,7 @@ start_time=$(date +%s.%N) CURL='curl -s --netrc-file /etc/couchdb/couchdb.netrc' URL='http://127.0.0.1:5984' TMPFILE=$(mktemp) -DBLIST_EXCLUDE='user-' +DBLIST_EXCLUDE='(user-|sessions_|tokens_)' PREFIX='Couchdb_' 
@@ -45,7 +45,7 @@ get_global_stats_perf () { $CURL -X GET $URL/_all_dbs | json_pp | egrep -v '(\[|\])' > $TMPFILE db_count=$( wc -l < $TMPFILE) - excluded_db_count=$( grep -c "$DBLIST_EXCLUDE" $TMPFILE ) + excluded_db_count=$( egrep -c "$DBLIST_EXCLUDE" $TMPFILE ) echo "db_count=$db_count|excluded_db_count=$excluded_db_count" return ${localexit} @@ -56,7 +56,14 @@ db_stats () { local db db_stats doc_count del_doc_count localexit localexit=0 - db=$1 + db="$1" + name="$2" + + if [ -z "$name" ] + then + name="$db" + fi + perf="$perf|${db}_docs=$( $CURL -s -X GET ${URL}/$db | json_pp |grep 'doc_count' | sed 's/[^0-9]//g' )" db_stats=$( $CURL -s -X GET ${URL}/$db | json_pp ) @@ -74,8 +81,8 @@ db_stats () { bytes=$( echo "$db_stats" | grep disk_size | sed 's/[^0-9]//g' ) disk_size=$( echo "scale = 2; $bytes / 1024 / 1024" | bc -l ) - echo -n "${localexit} ${PREFIX}${db}_database ${db}_docs=$doc_count|${db}_deleted_docs=$del_doc_count|${db}_deleted_docs_percentage=${del_doc_perc}%" - printf "|${db}_disksize_mb=%02.2fmb ${STATE[localexit]}: database $db\n" "$disk_size" + echo -n "${localexit} ${PREFIX}${name}_database ${name}_docs=$doc_count|${name}_deleted_docs=$del_doc_count|${name}_deleted_docs_percentage=${del_doc_perc}%" + printf "|${name}_disksize_mb=%02.2fmb ${STATE[localexit]}: database $name\n" "$disk_size" return ${localexit} } @@ -89,13 +96,19 @@ load_nagios_utils $CURL -X GET $URL/_all_dbs | json_pp | egrep -v '(\[|\])' > $TMPFILE # get list of dbs to check -dbs=$( grep -v "${DBLIST_EXCLUDE}" $TMPFILE | tr -d '\n"' | sed 's/,/ /g' ) +dbs=$( egrep -v "${DBLIST_EXCLUDE}" $TMPFILE | tr -d '\n"' | sed 's/,/ /g' ) for db in $dbs do db_stats "$db" done +# special handling for rotated dbs +suffix=$(($(date +'%s') / (60*60*24*30) + 1)) +db_stats "sessions_${suffix}" "sessions" +db_stats "tokens_${suffix}" "tokens" + + # show global couchdb stats global_stats_perf=$(get_global_stats_perf) exitcode=$? -- cgit v1.2.3
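Review bot: `name` is assigned in db_stats but not added to the `local db db_stats doc_count del_doc_count localexit` declaration, so it leaks into the global scope between calls; `local db db_stats doc_count del_doc_count localexit name` fixes it. The `[ -z "$name" ]` fallback to `$db` is correct, but a short comment stating that the second argument is the display name used in the check output would help the next reader. The rest of db_stats, including the `perf` accumulation, runs past the hunk.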
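Review bot: The rotated-db names are derived from `$(date +'%s') / (60*60*24*30) + 1` without checking that `sessions_${suffix}` and `tokens_${suffix}` exist in the `_all_dbs` listing already held in $TMPFILE; if the producer's rotation scheme ever drifts from this arithmetic, db_stats will presumably query a non-existent database and emit a check line with empty counters instead of an explicit failure. Guarding each call, e.g. `egrep -q "\"sessions_${suffix}\"" $TMPFILE && db_stats "sessions_${suffix}" "sessions"`, would make the missing-db case visible in the check output. A one-line comment stating that the suffix is the 30-day period number plus one and must match the producer's naming would also help, since that scheme is not visible in this hunk.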