author | kwadronaut <kwadronaut@leap.se> | 2018-11-14 11:09:02 +0100 |
---|---|---|
committer | kwadronaut <kwadronaut@leap.se> | 2018-11-14 11:09:02 +0100 |
commit | 06b521b6887d33b4cfa650c0d26850c8d1cc0ef8 (patch) | |
tree | caa0bac49dfd2573462acef06b68d2ea69d8cdb8 /example/site_check_mk | |
parent | 6ffee2d778992b783bd29a1ddeaab61baf6d47aa (diff) | |
parent | 15aba17d007e076ea09e50c837081ee1bec1b301 (diff) |
Diffstat (limited to 'example/site_check_mk')
-rw-r--r-- | example/site_check_mk/README | 9 | ||||
-rw-r--r-- | example/site_check_mk/files/adjust.mk | 12 | ||||
-rw-r--r-- | example/site_check_mk/files/agent/apt/check_apt | 15 | ||||
-rw-r--r-- | example/site_check_mk/files/agent/logwatch/syslog_header.cfg | 1 | ||||
-rw-r--r-- | example/site_check_mk/files/agent/logwatch/syslog_tail.cfg | 11 | ||||
-rw-r--r-- | example/site_check_mk/files/host_contactgroups.mk | 3 | ||||
-rw-r--r-- | example/site_check_mk/files/ignore.mk | 97 | ||||
-rw-r--r-- | example/site_check_mk/files/nohost.mk | 3 | ||||
-rw-r--r-- | example/site_check_mk/files/parents.mk | 8 | ||||
-rw-r--r-- | example/site_check_mk/files/submission.mk | 4 | ||||
-rw-r--r-- | example/site_check_mk/files/use_ssh.mk | 4 | ||||
-rw-r--r-- | example/site_check_mk/manifests/agent.pp | 50 | ||||
-rw-r--r-- | example/site_check_mk/manifests/agent/apt.pp | 25 | ||||
-rw-r--r-- | example/site_check_mk/manifests/agent/logwatch.pp | 36 | ||||
-rw-r--r-- | example/site_check_mk/manifests/agent/logwatch/syslog.pp | 18 | ||||
-rw-r--r-- | example/site_check_mk/manifests/server.pp | 96 |
16 files changed, 392 insertions, 0 deletions
diff --git a/example/site_check_mk/README b/example/site_check_mk/README
new file mode 100644
index 0000000..2cb85a9
--- /dev/null
+++ b/example/site_check_mk/README
@@ -0,0 +1,9 @@
+This is an example site_check_mk module for using the shared check_mk
+module. It is a sterilized version of riseup's site_check_mk, with some
+names changed.
+
+Project page
+ https://labs.riseup.net/code/projects/module-check_mk/
+
+git repo
+ git://labs.riseup.net/module_check_mk
diff --git a/example/site_check_mk/files/adjust.mk b/example/site_check_mk/files/adjust.mk
new file mode 100644
index 0000000..5c0566e
--- /dev/null
+++ b/example/site_check_mk/files/adjust.mk
@@ -0,0 +1,12 @@
+# adjust.mk - checks we need to adjust the defaults
+
+## global defaults
+# memory usage (default 150/200%, float val indicates % of physical RAM)
+memused_default_levels = (90.0, 95.0)
+
+## host overrides
+# some check types cannot be adjusted via check_parameters, so we explicitly
+# create redundant checks using host lists or tags
+checks += [
+ ( ['foo.example.org','bar.example.org'], 'cpu.threads', None, (6000, 7000) ),
+]
diff --git a/example/site_check_mk/files/agent/apt/check_apt b/example/site_check_mk/files/agent/apt/check_apt
new file mode 100644
index 0000000..223dd8a
--- /dev/null
+++ b/example/site_check_mk/files/agent/apt/check_apt
@@ -0,0 +1,15 @@
+#!/bin/sh
+# check_apt wrapper to gather more info about pending packages
+
+# call the original plugin
+MSG=`/usr/lib/nagios/plugins/check_apt $*`
+
+EXIT=$?
+
+echo -n $MSG | sed 's/available for upgrade/upgradable/' | sed 's/ updates//' | sed 's/\./:/'
+
+if [ "$EXIT" != "0" ]
+then
+apt-get -s upgrade|egrep '(^ |wi ll be up|kept back)'|sed 's/The following packages will be upgraded://'| tr '\n' ' ' | sed 's/ */ /g'
+exit $EXIT
+fi
diff --git a/example/site_check_mk/files/agent/logwatch/syslog_header.cfg b/example/site_check_mk/files/agent/logwatch/syslog_header.cfg
new file mode 100644
index 0000000..f60d752
--- /dev/null
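Review bot: The check_apt wrapper expands `$*` and `$MSG` unquoted, so the arguments taken from mrpe.cfg and the plugin's own output go through word splitting and glob expansion before they are used; `MSG=$(/usr/lib/nagios/plugins/check_apt "$@")` and `printf '%s' "$MSG"` keep both intact. As shown, the `egrep` alternative `wi ll be up` cannot match apt's "will be upgraded" line that the following `sed` is written to strip, which looks like a typo for `will be up`. The success path relies on the `if` statement's own status for the return code; moving `exit $EXIT` after `fi` would make the plugin's exit status explicit in both cases.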
+++ b/example/site_check_mk/files/agent/logwatch/syslog_header.cfg
@@ -0,0 +1 @@
+/var/log/syslog
diff --git a/example/site_check_mk/files/agent/logwatch/syslog_tail.cfg b/example/site_check_mk/files/agent/logwatch/syslog_tail.cfg
new file mode 100644
index 0000000..450b9e9
--- /dev/null
+++ b/example/site_check_mk/files/agent/logwatch/syslog_tail.cfg
@@ -0,0 +1,11 @@
+# some general patterns
+ C panic
+ C Oops
+ I Error: Driver 'pcspkr' is already registered, aborting...
+ C Error
+ C error
+ W generic protection rip
+ W .*Unrecovered read error - auto reallocate failed
+# 401 Unauthorized error logged by webapp and possible other
+# applications
+ C Unauthorized
diff --git a/example/site_check_mk/files/host_contactgroups.mk b/example/site_check_mk/files/host_contactgroups.mk
new file mode 100644
index 0000000..aeba291
--- /dev/null
+++ b/example/site_check_mk/files/host_contactgroups.mk
@@ -0,0 +1,3 @@
+host_contactgroups = [
+ ( "sysadmins", ALL_HOSTS ),
+]
diff --git a/example/site_check_mk/files/ignore.mk b/example/site_check_mk/files/ignore.mk
new file mode 100644
index 0000000..33aad11
--- /dev/null
+++ b/example/site_check_mk/files/ignore.mk
@@ -0,0 +1,97 @@
+# ignore.mk - built-in checks we ignore
+ignored_checktypes = [
+# ignored until we can investigate
+"hp_procurve_cpu", "hp_procurve_mem", "hp_procurve_sensors",
+"ipmi", "ipmi_sensors",
+"tcp_conn_stats",
+
+# useful generic types, ignored until we need them
+"if", "if64"
+"local",
+"logwatch",
+
+# postfix_queue is only the full mailq, we have our own check_postfixqueue
+# that can check individual queue (which we filed a feature request for
+# upstream
+"postfix_mailq",
+
+# ignored because we don't want them
+"3ware_disks", "3ware_info", "3ware_units",
+"ad_replication",
+"aironet_clients", "aironet_errors",
+"akcp_sensor_humidity", "akcp_sensor_temp",
+"apc_symmetra", "apc_symmetra_ext_temp", "apc_symmetra_power", "apc_symmetra_temp",
+"bintec_info",
+"blade_bays", "blade_blades", "blade_blowers", "blade_health", "blade_mediatray", "blade_misc", "blade_powerfan", "blade_powermod",
+"bluecoat_diskcpu", "bluecoat_sensors",
+"brocade_fcport",
+"canon_pages",
+"check_mk.only_from",
+"cisco_fan", "cisco_locif", "cisco_power", "cisco_qos", "cisco_temp", "cisco_temp_perf",
+"cmctc.temp",
+"cpsecure_sessions",
+"cups_queues",
+"decru_cpu", "decru_fans", "decru_perf", "decru_power", "decru_temps",
+"dell_powerconnect_cpu", "dell_powerconnect_fans", "dell_powerconnect_psu", "dell_powerconnect_temp",
+"df_netapp", "df_netapp32",
+"dmi_sysinfo",
+"drbd", "drbd.disk", "drbd.net", "drbd.stats",
+"f5_bigip_cluster", "f5_bigip_fans", "f5_bigip_pool", "f5_bigip_psu", "f5_bigip_temp", "f5_bigip_vserver",
+"fc_brocade_port", "fc_brocade_port_detailed",
+"fjdarye60_cadaps", "fjdarye60_cmods", "fjdarye60_cmods_flash",
+"fjdarye60_cmods_mem", "fjdarye60_conencs", "fjdarye60_devencs", "fjdarye60_disks", "fjdarye60_disks.summary", "fjdarye60_expanders", "fjdarye60_inletthmls", "fjdarye60_psus", "fjdarye60_rluns", "fjdarye60_sum", "fjdarye60_syscaps", "fjdarye60_thmls",
+"fsc_fans", "fsc_ipmi_mem_status", "fsc_subsystems", "fsc_temp",
+"h3c_lanswitch_cpu", "h3c_lanswitch_sensors",
+"heartbeat_crm", "heartbeat_crm.resources", "heartbeat_nodes", "heartbeat_rscstatus",
+"hp_blade", "hp_blade_blades", "hp_blade_fan", "hp_blade_manager", "hp_blade_psu",
+"hp_proliant_cpu", "hp_proliant_da_phydrv", "hp_proliant_fans", "hp_proliant_mem", "hp_proliant_psu", "hp_proliant_temp",
+"hpux_cpu", "hpux_if", "hpux_lvm", "hpux_multipath", "hpux_serviceguard",
+"hr_cpu", "hr_fs", "hr_mem",
+"ibm_imm_health", "ibm_rsa_health",
+"if", "if64",
+"ifoperstatus",
+"ironport_misc",
+"j4p_performance.app_sess", "j4p_performance.app_state", "j4p_performance.mem", "j4p_performance.serv_req", "j4p_performance.threads", "j4p_performance.uptime",
+"kernel.util",
+"lparstat_aix",
+"lsi.array", "lsi.disk",
+"mbg_lantime_refclock", "mbg_lantime_state",
+"mcdata_fcport",
+"megaraid_ldisks", "megaraid_pdisks",
+"mem.vmalloc",
+"mem.win",
+"multipath",
+"netapp_cluster", "netapp_vfiler", "netapp_volumes",
+"netctr.combined",
+"netif.link", "netif.params",
+"nfsmounts",
+"ntp", "ntp.time",
+"nvidia.errors", "nvidia.temp",
+"omd_status",
+"oracle_asm_dg", "oracle_asm_disk", "oracle_inst", "oracle_logswitches", "oracle_sessions", "oracle_tablespaces", "oracle_tbs",
+"printer_alerts", "printer_pages", "printer_supply",
+"ps.perf",
+"services",
+"smbios_sel",
+"snia_sml",
+"snmp_info", "snmp_uptime",
+"statgrab_cpu", "statgrab_disk", "statgrab_load", "statgrab_mem", "statgrab_net.ctr", "statgrab_net.link", "statgrab_net.params",
+"steelhead_connections", "steelhead_status",
+"strem1_sensors",
+"superstack3_sensors",
+"sylo",
+"systemtime",
+"tsm_stgpool",
+"ucd_cpu_load", "ucd_cpu_util",
+"ups_capacity", "ups_power",
+"vbox_guest",
+"vms_df", "vms_md", "vms_netif", "vms_sys.mem", "vms_sys.util",
+"vmstat_aix",
+"vmware_state",
+"win_dhcp_pools", "win_dhcp_pools.stats",
+"windows_updates",
+"winperf.cpuusage", "winperf.diskstat", "winperf_msx_queues", "winperf_phydisk", "winperf_processor.util",
+"wmic_process",
+"wut_webtherm",
+"zpool_status"
+]
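Review bot: The line `"if", "if64"` under "useful generic types" has no trailing comma, so Python joins `"if64"` with the next line's `"local"` into the single entry `"if64local"`; `local` checks are then not ignored, and `if64` is only covered because it is listed again further down. The line should read `"if", "if64",`. The comment above `"postfix_mailq"` also leaves its parenthesis open and should end `# upstream)`, and the later duplicate `"if", "if64",` entry can go once the first one is fixed.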
diff --git a/example/site_check_mk/files/nohost.mk b/example/site_check_mk/files/nohost.mk
new file mode 100644
index 0000000..d0ff73f
--- /dev/null
+++ b/example/site_check_mk/files/nohost.mk
@@ -0,0 +1,3 @@
+# If you want to let nagios define the hosts rather than check_mk,
+# set this to False
+#generate_hostconf = False
diff --git a/example/site_check_mk/files/parents.mk b/example/site_check_mk/files/parents.mk
new file mode 100644
index 0000000..1b54083
--- /dev/null
+++ b/example/site_check_mk/files/parents.mk
@@ -0,0 +1,8 @@
+parents = [
+ # all seattle hosts (except those tagged router) have router.example.org
+ # as a parent
+ ( "router.example.org", ["seattle", "!router"], ALL_HOSTS ),
+
+ # KVM host
+ ( "foo.example.org", [ "vm1.example.org", "vm1.example.org" ] ),
+]
diff --git a/example/site_check_mk/files/submission.mk b/example/site_check_mk/files/submission.mk
new file mode 100644
index 0000000..cead6c3
--- /dev/null
+++ b/example/site_check_mk/files/submission.mk
@@ -0,0 +1,4 @@
+# default is "pipe", but file is more efficient (and default in newer versions)
+check_submission = "file"
+# the default in the debian package is wrong
+check_result_path = "/var/lib/nagios3/spool/checkresults/"
diff --git a/example/site_check_mk/files/use_ssh.mk b/example/site_check_mk/files/use_ssh.mk
new file mode 100644
index 0000000..eee1129
--- /dev/null
+++ b/example/site_check_mk/files/use_ssh.mk
@@ -0,0 +1,4 @@
+# http://mathias-kettner.de/checkmk_datasource_programs.html
+datasource_programs = [
+ ( "ssh -l checkmk -i /etc/check_mk/keys/<HOST>_id_rsa -p 1234 <HOST> sudo /usr/bin/check_mk_agent", ['ssh'], ALL_HOSTS ),
+ ]
diff --git a/example/site_check_mk/manifests/agent.pp b/example/site_check_mk/manifests/agent.pp
new file mode 100644
index 0000000..056b007
--- /dev/null
+++ b/example/site_check_mk/manifests/agent.pp
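Review bot: The `ssh` command in use_ssh.mk's `datasource_programs` sets no non-interactive or host-key options, so its behaviour depends on the ssh client configuration of whichever account runs the checks; adding `-o BatchMode=yes -o StrictHostKeyChecking=yes` makes it fail closed rather than prompt on an unknown or changed host key. Each key under `/etc/check_mk/keys/` reaches `sudo /usr/bin/check_mk_agent` on its host, so a comment here should state that the matching authorized_keys entry is expected to carry a forced command plus `no-pty` and `no-port-forwarding`; whether the check_mk module writes those is not visible in this diff. The port `1234` and the `checkmk` login are site values and would read better with an `# example values` comment.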
@@ -0,0 +1,50 @@
+class site_check_mk::agent {
+
+ $tags = hiera('check_mk-tags')
+
+ class { 'check_mk::agent':
+ # FIXME: the check_mk module should be enhanced to detect debian so we
+ # don't need to set these
+ agent_package_name => 'check-mk-agent',
+ agent_logwatch_package_name => 'check-mk-agent-logwatch',
+ # we use ssh rather than xinetd and have puppet generate and collect keys
+ method => 'ssh',
+ generate_sshkey => true,
+ sshuser => 'checkmk',
+ # where keys get stored on the check-mk-server (default is an OMD dir)
+ keydir => '/etc/check_mk/keys',
+ # we(riseup) override where authorized keys are stored, since we use a
+ # central directory of user named files rather than
+ # ~user/.ssh/authorized_keys
+ authdir => '/etc/ssh/authorized_keys',
+ authfile => 'checkmk',
+ host_tags => $tags
+ }
+
+ # we ssh as the checkmk user and allow checkmk to run check_mk_agent
+ # with sudo (rather than ssh as root)
+ if !defined(User[checkmk]) {
+ user { 'checkmk':
+ ensure => 'present',
+ home => '/usr/lib/check_mk_agent',
+ gid => 'users',
+ password => '*',
+ comment => 'check_mk agent';
+ }
+ }
+
+ include site_sudo
+
+ sudo::access { 'checkmk':
+ user => 'checkmk',
+ access => 'ALL= NOPASSWD: /usr/bin/check_mk_agent'
+ }
+
+ # include checks we want on all agents here
+ # NOTE: we're currently doing this here, it could also be done within
+ # the actual classes related to the check (as we've done before with munin)
+ include site_check_mk::agent::apt
+
+ # not enabled yet
+ #include site_check_mk::agent::logwatch
+}
diff --git a/example/site_check_mk/manifests/agent/apt.pp b/example/site_check_mk/manifests/agent/apt.pp
new file mode 100644
index 0000000..a74a906
--- /dev/null
+++ b/example/site_check_mk/manifests/agent/apt.pp
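Review bot: In agent.pp the `checkmk` user's `home` is `/usr/lib/check_mk_agent`, the directory under which logwatch.pp in this same commit installs agent plugins, while the `sudo::access` rule lets that user run `/usr/bin/check_mk_agent` as root without a password. If that directory ever ends up owned or writable by `checkmk` (for instance through a home-creating account default), the account could place a plugin that the agent presumably then runs as root; give the account a separate home, or pin the directory with a `file` resource using `owner => root, group => root, mode => '0755'`. The `user` resource also sets no `shell`, so the login shell is left to the platform default, and an explicit `shell =>` would document what the ssh login is expected to be able to do. Whether `check_mk::agent` restricts the generated key to the agent command is not visible here and deserves a comment next to `generate_sshkey => true`.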
@@ -0,0 +1,25 @@
+class site_check_mk::agent::apt {
+ include check_mk::agent::mrpe
+
+
+ # we deliver a wrapper to check_apt that makes it more useful
+ augeas {
+ "Apt":
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => 'set APT "/usr/local/lib/nagios/plugins/check_apt -t 30"',
+ require => [ File['/usr/local/lib/nagios/plugins' ], Package['check-mk-agent'] ];
+ }
+
+ # installing a local plugin, so include this to get the dirs
+ include site_nagios::localplugin
+
+ file {
+ '/usr/local/lib/nagios/plugins/check_apt':
+ source => 'puppet:///modules/site_check_mk/agent/apt/check_apt',
+ owner => root,
+ group => root,
+ mode => '0750',
+ require => [ File['/usr/local/lib/nagios/plugins' ], Package['nagios-plugins-basic'] ];
+ }
+}
diff --git a/example/site_check_mk/manifests/agent/logwatch.pp b/example/site_check_mk/manifests/agent/logwatch.pp
new file mode 100644
index 0000000..423cace
--- /dev/null
+++ b/example/site_check_mk/manifests/agent/logwatch.pp
@@ -0,0 +1,36 @@
+class site_check_mk::agent::logwatch {
+ # Deploy mk_logwatch 1.2.4 so we can split the config
+ # into multiple config files in /etc/check_mk/logwatch.d
+ # see https://leap.se/code/issues/5135
+
+ file { '/usr/lib/check_mk_agent/plugins/mk_logwatch':
+ source => 'puppet:///modules/site_check_mk/agent/plugins/mk_logwatch.1.2.4',
+ mode => '0755',
+ require => Package['check-mk-agent-logwatch']
+ }
+
+ # only config files that watch a distinct logfile should go in logwatch.d/
+ file { '/etc/check_mk/logwatch.d':
+ ensure => directory,
+ recurse => true,
+ purge => true,
+ require => Package['check-mk-agent-logwatch']
+ }
+
+ # service that share a common logfile (i.e. /var/log/syslog) need to get
+ # concanated in one file, otherwise the last file sourced will override
+ # the config before
+ # see mk_logwatch: "logwatch.cfg overwrites config files in logwatch.d",
+ # https://leap.se/code/issues/5155
+
+ # first, we need to deploy a custom logwatch.cfg that doesn't include
+ # a section about /var/log/syslog
+
+ file { '/etc/check_mk/logwatch.cfg':
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/logwatch.cfg',
+ require => Package['check_mk-agent-logwatch']
+ }
+
+ include concat::setup
+ include site_check_mk::agent::logwatch::syslog
+}
diff --git a/example/site_check_mk/manifests/agent/logwatch/syslog.pp b/example/site_check_mk/manifests/agent/logwatch/syslog.pp
new file mode 100644
index 0000000..c927780
--- /dev/null
+++ b/example/site_check_mk/manifests/agent/logwatch/syslog.pp
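Review bot: In logwatch.pp the `require` on `/etc/check_mk/logwatch.cfg` names `Package['check_mk-agent-logwatch']` with an underscore, while the two resources above it and `agent_logwatch_package_name` in agent.pp use `check-mk-agent-logwatch`; unless another module declares the underscore title, the catalog will fail to compile once this class is enabled, so it should read `require => Package['check-mk-agent-logwatch']`. The `mk_logwatch` plugin is installed with `mode => '0755'` but no `owner` or `group`, and since agent.pp runs the agent through sudo, `owner => root, group => root` should be pinned on it and on `/etc/check_mk/logwatch.d`. The `source` files `agent/plugins/mk_logwatch.1.2.4` and `agent/logwatch/logwatch.cfg` do not appear in the diffstat shown for this commit, so they may be missing from the example module.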
@@ -0,0 +1,18 @@
+class site_check_mk::agent::logwatch::syslog {
+
+ concat { '/etc/check_mk/logwatch.d/syslog.cfg':
+ warn => true
+ }
+
+ concat::fragment { 'syslog_header':
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog_header.cfg',
+ target => '/etc/check_mk/logwatch.d/syslog.cfg',
+ order => '01';
+ }
+ concat::fragment { 'syslog_tail':
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog_tail.cfg',
+ target => '/etc/check_mk/logwatch.d/syslog.cfg',
+ order => '99';
+ }
+
+}
diff --git a/example/site_check_mk/manifests/server.pp b/example/site_check_mk/manifests/server.pp
new file mode 100644
index 0000000..99fee41
--- /dev/null
+++ b/example/site_check_mk/manifests/server.pp
@@ -0,0 +1,96 @@
+class site_check_mk::server {
+
+ # we don't use the main check_mk class, but call things a la carte. The
+ # main class does:
+ # check_mk::install -> we don't want OMD, we install the debian packages
+ # check_mk::config -> we call below with special settings
+ # check_mk::service -> service checks for http/xinetd/omd, we don't want
+ # check_mk::server::configure_ssh -> we call below
+ # FIXME: if the check_mk module was more generic and less OMD focused,
+ # it would just know what to do for a debian install and we could use
+ # the main check_mk class with the right parameters, rather than a la carte
+
+ # install the server package, this also pulls in check-mk-config-nagios3
+ # FIXME: the check_mk module should be enhanced to better support distro
+ # installs and then we'd just set a $distro parameter and it would
+ # detect debian and install the right packages. But until it does...
+ package { 'check-mk-server':
+ ensure => installed,
+ }
+
+ # the server needs check_icmp (among others)
+ if !defined(Package['nagios-plugins-basic']) {
+ package { 'nagios-plugins-basic': ensure => installed }
+ }
+
+ # flush config for certain config changes
+ # FIXME: after testing, maybe this can go in the generic module
+ exec { 'check_mk-flush':
+ command => "/bin/su -l -c '${bin_dir}/check_mk --flush' ${site}",
+ refreshonly => true,
+ notify => Exec['check_mk-reload'],
+ }
+
+ file {
+ '/etc/check_mk/keys':
+ ensure => directory;
+
+ # don't generate host defines
+ '/etc/check_mk/conf.d/nohost.mk':
+ source => 'puppet:///modules/site_check_mk/nohost.mk',
+ owner => root,
+ group => root,
+ mode => '0644',
+ notify => Exec['check_mk-refresh'];
+
+ # setup parent relationships
+ '/etc/check_mk/conf.d/parents.mk':
+ source => 'puppet:///modules/site_check_mk/parents.mk',
+ owner => root,
+ group => root,
+ mode => '0644',
+ notify => Exec['check_mk-refresh'];
+
+ # checks we ignore (requires a flush to get them to go away)
+ '/etc/check_mk/conf.d/ignore.mk':
+ source => 'puppet:///modules/site_check_mk/ignore.mk',
+ owner => root,
+ group => root,
+ mode => '0644',
+ notify => Exec['check_mk-flush'];
+
+ # checks we adjust (requires reload so checks are recompiled)
+ '/etc/check_mk/conf.d/adjust.mk':
+ source => 'puppet:///modules/site_check_mk/adjust.mk',
+ owner => root,
+ group => root,
+ mode => '0644',
+ notify => Exec['check_mk-reload'];
+
+ # check_icmp must be suid root or called by sudo
+ # see https://leap.se/code/issues/5171
+ '/usr/lib/nagios/plugins/check_icmp':
+ mode => '4755',
+ require => Package['nagios-plugins-basic'];
+ }
+
+ # override paths to use the system check_mk rather than OMD
+ class { 'check_mk::config':
+ # default site is 'monitoring', we set to blank
+ site => '',
+ # etc_dir is an OMD dir by default, we use /etc resulting in /etc/check_mk
+ etc_dir => '/etc',
+ # nagios_subdir is nagios by default, debian uses nagios3
+ nagios_subdir => 'nagios3',
+ # bin_dir is an OMD dir by default, we use the system path for debian
+ bin_dir => '/usr/bin',
+ # all our hosts are in the same group
+ host_groups => undef,
+ # use_storedconfigs default is true, which we want
+ # make sure the check-mk-server is installed or initial config will fail
+ # FIXME: like the above, this should move into the check_mk module
+ require => Package['check-mk-server']
+ }
+
+ class { 'check_mk::server::configure_ssh': }
+} |
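Review bot: The `check_mk-flush` exec in server.pp interpolates `${bin_dir}` and `${site}`, but neither is defined in `site_check_mk::server`; they are only passed as parameters to `check_mk::config` further down, with `site => ''`, so the command would expand to `/bin/su -l -c '/check_mk --flush'` with no target user. Since the paths are fixed for this Debian layout, `command => '/usr/bin/check_mk --flush',` says what is meant. `/etc/check_mk/keys` holds the per-host SSH identity files referenced by use_ssh.mk but is declared with only `ensure => directory`; it should get an explicit `owner` (the account that runs the checks) and `mode => '0700'`. The `check_icmp` entry sets `mode => '4755'` without `owner => root, group => root`, so the setuid bit applies to whatever ownership the package left in place.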