authorvarac <varacanero@zeromail.org>2015-04-17 19:45:31 +0000
committervarac <varacanero@zeromail.org>2015-04-17 19:45:31 +0000
commit9930649228a509eda998699e213ed458685763f0 (patch)
tree6924b541a294483ee8e6bfa6a196ca96e31dacfd
parent35d358a4cdf90b3cdc90904ca82b160e9c4376ac (diff)
parent4ced0c5bbe605c322dc4103c3572ae18e69fa278 (diff)
Merge branch 'Dec2014merge' into 'master'
riseup Dec2014merge riseup changes from the last few months, rebased to be easier to deal with. adds: * mrpe support (to replace nrpe) * ps support (to replace statd) * storing ssh keys in an alternate location * update docs * some bug fixes See merge request !2
-rw-r--r--README.md53
-rw-r--r--TODO3
-rw-r--r--manifests/agent.pp33
-rw-r--r--manifests/agent/config.pp19
-rw-r--r--manifests/agent/generate_sshkey.pp78
-rw-r--r--manifests/agent/mrpe.pp19
-rw-r--r--manifests/agent/ps.pp17
-rw-r--r--manifests/config.pp15
-rw-r--r--manifests/install_tarball.pp1
-rw-r--r--manifests/ps.pp34
-rw-r--r--manifests/server/collect_ps.pp30
-rw-r--r--manifests/service.pp1
12 files changed, 258 insertions, 45 deletions
diff --git a/README.md b/README.md
index 0f567ee..a8736f2 100644
--- a/README.md
+++ b/README.md
@@ -204,6 +204,59 @@ You can also include host tags - for example:
Remember to run the Puppet agent on your monitoring host to pick up any changes.
+## Migrating from nagios-statd
+
+nagios-statd provides several features that can be replaced with check_mk
+plugins.
+
+*nagios-stat-proc*: checks processes on the agent system
+If you previously used the nagios puppet module to do something like:
+
+ check_command => 'nagios-stat-proc!/usr/sbin/foo!1!1!proc'
+
+you can now use the check_mk ps check:
+
+ check_mk::agent::ps {
+ 'foo':
+ procname => '/usr/local/weirdpath/foo',
+ levels => '1, 2, 2, 3',
+ owner => 'alice'
+ }
+
+defaults:
+ procname: "/usr/sbin/${name}"
+ levels: '1, 1, 1, 1'
+ owner: not required
+
+Run check_mk with '-M ps' for the manpage explaining the parameters.
+
+*swap*: check_mk has a 'mem.used' check which is enabled by default. But
+ as it's manpage explains if you want to measure swappiness you are
+ better off using the 'kernel' check and measuring 'Major Page Faults'
+ (pgmajfault).
+
+*disk*: check_mk has a 'df' check which is enabled by default.
+
+## Migrating from nrpe to mrpe
+
+If you were using nrpe to run a nagios plugin locally, first check if a
+native check_mk check exists with the same functionality, if not consider
+writing one. But if continuing to use the nagios plugin makes sense you
+can switch to mrpe.
+
+* Continue to deliver the plugin to the agent system
+* include check_mk::agent::mrpe
+* add a line to the mrpe.cfg file using augeas
+
+ augeas {
+ "Foo":
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => 'set FOO /usr/local/lib/nagios/plugins/check_foo',
+ require => [ File['/usr/local/lib/nagios/plugins' ], Package['check-mk-agent'] ];
+ }
+
+
This is the riseup clone, available at:
git://labs.riseup.net/module_check_mk
diff --git a/TODO b/TODO
index 1e0a106..1697f34 100644
--- a/TODO
+++ b/TODO
@@ -1,2 +1,5 @@
Use nagios_hostgroup type rather than clumsily creating our own.
Add support for ignored_services to eliminate false alerts.
+Implement support for choosing either upstream install or distro supplied
+ packages. If using distro packages, detect distro and set package names
+ to reasonable default (currently requires overriding).
diff --git a/manifests/agent.pp b/manifests/agent.pp
index 2ff9da5..c455bd5 100644
--- a/manifests/agent.pp
+++ b/manifests/agent.pp
@@ -4,7 +4,9 @@ class check_mk::agent (
$ip_whitelist = undef,
$port = '6556',
$server_dir = '/usr/bin',
- $homedir = '/omd/sites/monitoring',
+ $keydir = '/omd/sites/monitoring',
+ $authdir = '/omd/sites/monitoring',
+ $authfile = undef,
$use_cache = false,
$user = 'root',
$version = undef,
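Review bot: Removing `$homedir` from the class parameters in this hunk breaks every existing declaration that still passes `homedir => ...`, because Puppet rejects unknown class parameters at compile time. The README changes in this commit do not mention the rename, so add a short upgrade note there, or keep `$homedir = undef` for one release and `fail()` with a message pointing to `$keydir` and `$authdir` when it is set. `$keydir` (described in generate_sshkey.pp as a directory on the check-mk server) and `$authdir` (a directory on the agent) also share the default `'/omd/sites/monitoring'`, which seems unlikely to exist on an agent host. The parameter list continues outside the hunk.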
@@ -13,6 +15,7 @@ class check_mk::agent (
$agent_logwatch_package_name = 'check_mk-agent-logwatch',
$method = 'xinetd',
$generate_sshkey = false,
+ $sshuser = undef,
$use_ssh_tag = 'ssh',
$register_agent = true
) {
@@ -23,10 +26,10 @@ class check_mk::agent (
include check_mk::agent::service
}
'ssh': {
- if ( $host_tags != '' ) {
- $tags = "${host_tags}|${use_ssh_tag}"
- } else {
+ if ( $host_tags == undef ) or ( $host_tags == '' ) {
$tags = $use_ssh_tag
+ } else {
+ $tags = "${host_tags}|${use_ssh_tag}"
}
}
default: {}
@@ -40,16 +43,20 @@ class check_mk::agent (
agent_logwatch_package_name => $agent_logwatch_package_name,
method => $method
}
+
class { 'check_mk::agent::config':
- ip_whitelist => $ip_whitelist,
- port => $port,
- server_dir => $server_dir,
- homedir => $homedir,
- use_cache => $use_cache,
- user => $user,
- method => $method,
- generate_sshkey => $generate_sshkey,
- require => Class['check_mk::agent::install'],
+ ip_whitelist => $ip_whitelist,
+ port => $port,
+ server_dir => $server_dir,
+ keydir => $keydir,
+ authdir => $authdir,
+ authfile => $authfile,
+ use_cache => $use_cache,
+ user => $user,
+ method => $method,
+ generate_sshkey => $generate_sshkey,
+ sshuser => $sshuser,
+ require => Class['check_mk::agent::install'],
}
if ( $register_agent ) {
diff --git a/manifests/agent/config.pp b/manifests/agent/config.pp
index 256af8f..36f2910 100644
--- a/manifests/agent/config.pp
+++ b/manifests/agent/config.pp
@@ -1,12 +1,15 @@
class check_mk::agent::config (
- $ip_whitelist = '',
+ $ip_whitelist = '',
$port,
$server_dir,
- $homedir,
+ $keydir,
+ $authdir,
+ $authfile = undef,
$use_cache,
$user,
$method = 'xinetd',
$generate_sshkey = false,
+ $sshuser = undef
) {
if $use_cache {
$server = "${server_dir}/check_mk_caching_agent"
@@ -34,10 +37,18 @@ class check_mk::agent::config (
}
'ssh' : {
if $generate_sshkey {
- check_mk::agent::generate_sshkey { 'check_mk_key':
- homedir => $homedir
+ check_mk::agent::generate_sshkey { "check_mk_key_${::fqdn}":
+ keydir => $keydir,
+ authdir => $authdir,
+ authfile => $authfile,
+ sshuser => $sshuser
}
}
+
+ # make sure the xinetd method is not configured
+ file { '/etc/xinetd.d/check_mk':
+ ensure => absent;
+ }
}
default : {}
}
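Review bot: The added `file { '/etc/xinetd.d/check_mk': ensure => absent }` removes the service definition, but nothing in this hunk reloads xinetd, so a host previously configured with the xinetd method may keep answering on the plain-text agent port until xinetd is restarted some other way. If a `Service['xinetd']` resource is in the catalog for that node, add `notify => Service['xinetd']` to the file resource. If it is not (the agent service class appears to be included only for the xinetd method), the reload needs to be handled here as well. The enclosing class and case statement start outside the hunk.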
diff --git a/manifests/agent/generate_sshkey.pp b/manifests/agent/generate_sshkey.pp
index 3187037..d2d1d39 100644
--- a/manifests/agent/generate_sshkey.pp
+++ b/manifests/agent/generate_sshkey.pp
@@ -1,42 +1,68 @@
-define check_mk::agent::generate_sshkey(
- $ssh_key_basepath = '/etc/puppet/modules/keys/files/check_mk_keys',
- $user = 'monitoring',
- $group = 'monitoring',
- $homedir,
+define check_mk::agent::generate_sshkey (
+ # dir on the check-mk-server where the collected key pairs are stored
+ $keydir,
+ # user/group the key should be owned by on the check-mk-server
+ $keyuser = 'nagios',
+ $keygroup = 'nagios',
+ # dir on the check-mk-agent where the authorized_keys file is stored
+ $authdir,
+ # name of the authorized_keys file
+ $authfile = undef,
+ # dir on the puppetmaster where keys are stored
+ # FIXME: need a way to ensure this dir is setup on the puppetmaster correctly
+ #$ssh_key_basepath = "${common::moduledir::module_dir_path}/check_mk/keys",
+ # for now use a dir we know works
+ $ssh_key_basepath = '/etc/puppet/modules/check_mk/keys',
+ # user on the client the check_mk server will ssh to, to run the agent
+ $sshuser = 'root',
$check_mk_tag = 'check_mk_sshkey'
){
- # generate backupninja ssh keypair
- $ssh_key_name = "monitoring_${::fqdn}_id_rsa"
+ # generate check-mk ssh keypair, stored on puppetmaster
+ $ssh_key_name = "${::fqdn}_id_rsa"
$ssh_keys = ssh_keygen("${ssh_key_basepath}/${ssh_key_name}")
$public = split($ssh_keys[1],' ')
$public_type = $public[0]
$public_key = $public[1]
$secret_key = $ssh_keys[0]
- sshd::ssh_authorized_key { $ssh_key_name:
- type => 'ssh-rsa',
- key => $public_key,
- user => 'root',
- options => 'command="/usr/bin/check_mk_agent"';
+ # if we're not root we need to use sudo
+ if $sshuser != 'root' {
+ $command = 'sudo /usr/bin/check_mk_agent'
+ } else {
+ $command = '/usr/bin/check_mk_agent'
}
- @@file { "${homedir}/.ssh/${ssh_key_name}":
- content => $secret_key,
- owner => $user,
- group => $group,
- mode => '0600',
- tag => $check_mk_tag;
+ # setup the public half of the key in authorized_keys on the agent
+ # and restrict it to running only the agent
+ if $authdir or $authfile {
+ # if $authkey or $authdir are set, override authorized_keys path and file
+ # and also override using the built-in ssh_authorized_key since it may
+ # not be able to write to $authdir
+ sshd::ssh_authorized_key { $ssh_key_name:
+ type => 'ssh-rsa',
+ key => $public_key,
+ user => $sshuser,
+ target => "${authdir}/${authfile}",
+ override_builtin => true,
+ options => "command=\"${command}\"";
+ } else {
+ # otherwise use the defaults
+ sshd::ssh_authorized_key { $ssh_key_name:
+ type => 'ssh-rsa',
+ key => $public_key,
+ user => $sshuser,
+ options => "command=\"${command}\"";
+ }
}
-
- @@file { "${homedir}/.ssh/${ssh_key_name}.pub":
- content => $public_key,
- owner => $user,
- group => $group,
- mode => '0666',
+ # resource collector for the private half of the keys, these end up on
+ # the check-mk-server host, and the user running check-mk needs access
+ @@file { "${keydir}/${ssh_key_name}":
+ content => $secret_key,
+ owner => $keyuser,
+ group => $keygroup,
+ mode => '0600',
tag => $check_mk_tag;
}
-
-
}
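Review bot: The condition `if $authdir or $authfile` takes the override branch when either value is set and then builds `target => "${authdir}/${authfile}"` from both, so with `check_mk::agent`'s defaults (`$authdir = '/omd/sites/monitoring'`, `$authfile = undef`) the target ends in a bare `/`. Requiring both (`if $authdir and $authfile`) or giving `$authfile` a default name avoids writing the key to an unintended path, and the comment above should say `$authfile` rather than `$authkey`. The key is restricted only by `command="..."`, which does not stop port, agent or X11 forwarding or pty allocation; if `sshd::ssh_authorized_key` passes options through unchanged, add `no-port-forwarding`, `no-agent-forwarding`, `no-X11-forwarding` and `no-pty`. The non-root branch relies on a passwordless sudo rule for `/usr/bin/check_mk_agent` that this module does not manage, which should at least be documented next to `$sshuser`. The exported `@@file` carries `$secret_key` as `content`, so every private key is stored in clear text in the storeconfigs backend and is available to any node that collects the `check_mk_sshkey` tag; access to that backend should be treated accordingly.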
diff --git a/manifests/agent/mrpe.pp b/manifests/agent/mrpe.pp
new file mode 100644
index 0000000..5bc5f33
--- /dev/null
+++ b/manifests/agent/mrpe.pp
@@ -0,0 +1,19 @@
+class check_mk::agent::mrpe {
+ # check_mk can use standard nagios plugins using
+ # a wrapper called mrpe
+ # see http://mathias-kettner.de/checkmk_mrpe.html
+ # this subclass is provided to be included by checks that use mrpe
+
+ # FIXME: this is Debian specific and should be made more generic
+ if !defined(Package['nagios-plugins-basic']) {
+ package { 'nagios-plugins-basic':
+ ensure => latest,
+ }
+ }
+
+ # ensure the config file exists, individual checks will add lines to it
+ file { '/etc/check_mk/mrpe.cfg':
+ ensure => present,
+ require => Package['check-mk-agent']
+ }
+}
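Review bot: `/etc/check_mk/mrpe.cfg` is declared with only `ensure => present`, so Puppet will not correct the owner or mode of an existing file, yet each line in it names a command that the agent executes (as root when the agent runs as root). Pin it explicitly with `owner => 'root', group => 'root', mode => '0644'` so that a loosely-permissioned file cannot be used to add commands. Separately, `ensure => latest` on `nagios-plugins-basic` upgrades the package on any run where a newer version is available; `ensure => present` is the more predictable choice unless automatic upgrades are intended.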
diff --git a/manifests/agent/ps.pp b/manifests/agent/ps.pp
new file mode 100644
index 0000000..67a999f
--- /dev/null
+++ b/manifests/agent/ps.pp
@@ -0,0 +1,17 @@
+define check_mk::agent::ps (
+ # procname and levels have defaults in check_mk::ps
+ $procname = undef,
+ $levels = undef,
+ # user is optional
+ $user = undef
+) {
+
+ @@check_mk::ps { "${::fqdn}_${name}":
+ desc => $name,
+ host => $::fqdn,
+ procname => $procname,
+ user => $user,
+ levels => $levels,
+ tag => 'check_mk_ps';
+ }
+}
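Review bot: The define names its optional parameter `$user`, but the README section added in this same commit shows `owner => 'alice'` and lists `owner: not required`, so a declaration copied from the README would fail with an invalid-parameter error. Align the two, either by renaming the parameter here or by correcting the README example. A one-line header comment such as `# Exports a check_mk::ps resource for this node; collected on the server by check_mk::server::collect_ps` would also help, since the existing comments only describe the defaults.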
diff --git a/manifests/config.pp b/manifests/config.pp
index 6a6f375..6736147 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -6,8 +6,18 @@ class check_mk::config (
$bin_dir = "/omd/sites/${site}/bin",
$use_storedconfigs = true
) {
- file { "${etc_dir}/${nagios_subdir}/local":
- ensure => directory,
+ file {
+ # for local check_mk checks
+ "${etc_dir}/${nagios_subdir}/local":
+ ensure => directory;
+
+ # package provided and check_mk generated files, defined so the nagios
+ # module doesn't purge them
+ "${etc_dir}/${nagios_subdir}/conf.d/check_mk":
+ ensure => directory;
+ [ "${etc_dir}/${nagios_subdir}/conf.d/check_mk/check_mk_objects.cfg",
+ "${etc_dir}/${nagios_subdir}/conf.d/check_mk/check_mk_templates.cfg" ]:
+ ensure => present;
}
file_line { 'nagios-add-check_mk-cfg_dir':
ensure => present,
@@ -41,6 +51,7 @@ class check_mk::config (
}
if ( $use_storedconfigs ) {
class { 'check_mk::server::collect_hosts': }
+ class { 'check_mk::server::collect_ps': }
}
diff --git a/manifests/install_tarball.pp b/manifests/install_tarball.pp
index 4a0af23..af40a26 100644
--- a/manifests/install_tarball.pp
+++ b/manifests/install_tarball.pp
@@ -31,6 +31,7 @@ class check_mk::install_tarball (
ensure => present,
require => Package['nagios'],
}
+ # FIXME: this should get and check $use_ssh before requiring xinetd
package { [ 'xinetd', 'mod_python', 'make', 'gcc-c++', 'tar', 'gzip' ]:
ensure => present,
}
diff --git a/manifests/ps.pp b/manifests/ps.pp
new file mode 100644
index 0000000..1171a13
--- /dev/null
+++ b/manifests/ps.pp
@@ -0,0 +1,34 @@
+define check_mk::ps (
+ $target,
+ $host,
+ $desc,
+ $procname = "/usr/sbin/${desc}",
+ $levels = '1, 1, 1, 1',
+ $user = undef
+) {
+ # This class is called on check-mk agent machines in order to create
+ # checks using the built-in ps check type. They create stored configs
+ # and then the check_mk::server::collect_ps class on the server
+ # generates the config file to set them up
+
+ # lines in the ps.mk config file look like
+ # ( "foo.example.com", "ps", "NAME", ( "/usr/sbin/foo", 1, 1, 1, 1 ) )
+ # or with a user
+ # ( "foo.example.com", "ps", "NAME", ( "/usr/sbin/foo", "user", 1, 1, 1, 1 ) )
+ if $user {
+ $check = " ( \"${host}\", \"ps\", \"${desc}\", ( \"${procname}\", ${user}, ${levels} ) ),\n"
+ } else {
+ $check = " ( \"${host}\", \"ps\", \"${desc}\", ( \"${procname}\", ${levels} ) ),\n"
+ }
+
+ # FIXME: we could be smarter about this and consolidate host checks
+ # that have identical settings and that would make the config file
+ # make more sense for humans. but for now we'll just do separate
+ # lines (which may result in a very large file, but check-mk is fine)
+ concat::fragment { "check_mk_ps-${host}_${desc}":
+ target => $target,
+ content => $check,
+ order => 20
+ }
+}
+
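Review bot: In the `if $user` branch `${user}` is interpolated without quotes, so the generated line reads `( "/usr/sbin/foo", alice, 1, 1, 1, 1 )` rather than the quoted form shown in the comment above it, and ps.mk would then refer to an undefined name; the tuple should be `( \"${procname}\", \"${user}\", ${levels} )`. More broadly, `$host`, `$desc`, `$procname`, `$user` and `$levels` arrive as exported resources from agent nodes and are written verbatim into a file that check_mk evaluates on the server (assembled by `check_mk::server::collect_ps` in this commit), so a quote or bracket in any of them changes the structure of that config. Validating each value against an anchored pattern before building `$check` (for example with stdlib's `validate_re`, if that module is available here) keeps a single agent from altering the server-side file beyond its own entry.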
diff --git a/manifests/server/collect_ps.pp b/manifests/server/collect_ps.pp
new file mode 100644
index 0000000..067a25c
--- /dev/null
+++ b/manifests/server/collect_ps.pp
@@ -0,0 +1,30 @@
+class check_mk::server::collect_ps (
+ $config = "${::check_mk::config::etc_dir}/check_mk/conf.d/ps.mk"
+) {
+
+ # this class gets run on the check-mk server in order to collect the
+ # stored configs created on clients and assemble the ps.mk config file
+ concat { $config:
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ notify => Exec['check_mk-refresh'],
+ }
+
+ concat::fragment{'check_mk_ps_header':
+ target => $config,
+ content => "checks += [\n",
+ order => 10,
+ }
+
+ Check_mk::Ps <<| tag == 'check_mk_ps' |>> {
+ target => $config,
+ notify => Exec['check_mk-refresh']
+ }
+
+ concat::fragment{'check_mk_ps_footer':
+ target => $config,
+ content => "]\n",
+ order => 90,
+ }
+}
diff --git a/manifests/service.pp b/manifests/service.pp
index de0cbdb..36fb2d1 100644
--- a/manifests/service.pp
+++ b/manifests/service.pp
@@ -6,6 +6,7 @@ class check_mk::service {
enable => true,
}
}
+ # FIXME: this should get and check $use_ssh before doing this
if ! defined(Service[xinetd]) {
service { 'xinetd':
ensure => 'running',