author | kwadronaut <kwadronaut@leap.se> | 2018-11-14 11:09:02 +0100 |
---|---|---|
committer | kwadronaut <kwadronaut@leap.se> | 2018-11-14 11:09:02 +0100 |
commit | 06b521b6887d33b4cfa650c0d26850c8d1cc0ef8 (patch) | |
tree | caa0bac49dfd2573462acef06b68d2ea69d8cdb8 /example/site_check_mk/manifests | |
parent | 6ffee2d778992b783bd29a1ddeaab61baf6d47aa (diff) | |
parent | 15aba17d007e076ea09e50c837081ee1bec1b301 (diff) |
Diffstat (limited to 'example/site_check_mk/manifests')
-rw-r--r-- | example/site_check_mk/manifests/agent.pp | 50 | ||||
-rw-r--r-- | example/site_check_mk/manifests/agent/apt.pp | 25 | ||||
-rw-r--r-- | example/site_check_mk/manifests/agent/logwatch.pp | 36 | ||||
-rw-r--r-- | example/site_check_mk/manifests/agent/logwatch/syslog.pp | 18 | ||||
-rw-r--r-- | example/site_check_mk/manifests/server.pp | 96 |
5 files changed, 225 insertions, 0 deletions
diff --git a/example/site_check_mk/manifests/agent.pp b/example/site_check_mk/manifests/agent.pp
new file mode 100644
index 0000000..056b007
--- /dev/null
+++ b/example/site_check_mk/manifests/agent.pp
@@ -0,0 +1,50 @@
+class site_check_mk::agent {
+
+ $tags = hiera('check_mk-tags')
+
+ class { 'check_mk::agent':
+ # FIXME: the check_mk module should be enhanced to detect debian so we
+ # don't need to set these
+ agent_package_name => 'check-mk-agent',
+ agent_logwatch_package_name => 'check-mk-agent-logwatch',
+ # we use ssh rather than xinetd and have puppet generate and collect keys
+ method => 'ssh',
+ generate_sshkey => true,
+ sshuser => 'checkmk',
+ # where keys get stored on the check-mk-server (default is an OMD dir)
+ keydir => '/etc/check_mk/keys',
+ # we(riseup) override where authorized keys are stored, since we use a
+ # central directory of user named files rather than
+ # ~user/.ssh/authorized_keys
+ authdir => '/etc/ssh/authorized_keys',
+ authfile => 'checkmk',
+ host_tags => $tags
+ }
+
+ # we ssh as the checkmk user and allow checkmk to run check_mk_agent
+ # with sudo (rather than ssh as root)
+ if !defined(User[checkmk]) {
+ user { 'checkmk':
+ ensure => 'present',
+ home => '/usr/lib/check_mk_agent',
+ gid => 'users',
+ password => '*',
+ comment => 'check_mk agent';
+ }
+ }
+
+ include site_sudo
+
+ sudo::access { 'checkmk':
+ user => 'checkmk',
+ access => 'ALL= NOPASSWD: /usr/bin/check_mk_agent'
+ }
+
+ # include checks we want on all agents here
+ # NOTE: we're currently doing this here, it could also be done within
+ # the actual classes related to the check (as we've done before with munin)
+ include site_check_mk::agent::apt
+
+ # not enabled yet
+ #include site_check_mk::agent::logwatch
+}
diff --git a/example/site_check_mk/manifests/agent/apt.pp b/example/site_check_mk/manifests/agent/apt.pp
new file mode 100644
index 0000000..a74a906
--- /dev/null
+++ b/example/site_check_mk/manifests/agent/apt.pp
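Review bot: In agent.pp the `checkmk` user's `home` is `/usr/lib/check_mk_agent`, the same tree that holds the agent plugins (logwatch.pp in this commit installs `/usr/lib/check_mk_agent/plugins/mk_logwatch`), while the `sudo::access` rule lets that user run `/usr/bin/check_mk_agent` as root without a password. If that directory is ever owned or writable by `checkmk`, files placed under it would presumably be run as root by the agent, so the account should get a separate home or the tree should be pinned with a `file` resource carrying `owner => root, group => root, mode => '0755'`. The user resource also sets no `shell`, and `gid => 'users'` puts the service account in a shared group; a dedicated group would be narrower. Whether the authorized_keys entry is restricted to a forced command is decided inside `check_mk::agent`, which is not visible in this commit, so that is worth confirming.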
@@ -0,0 +1,25 @@
+class site_check_mk::agent::apt {
+ include check_mk::agent::mrpe
+
+
+ # we deliver a wrapper to check_apt that makes it more useful
+ augeas {
+ "Apt":
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => 'set APT "/usr/local/lib/nagios/plugins/check_apt -t 30"',
+ require => [ File['/usr/local/lib/nagios/plugins' ], Package['check-mk-agent'] ];
+ }
+
+ # installing a local plugin, so include this to get the dirs
+ include site_nagios::localplugin
+
+ file {
+ '/usr/local/lib/nagios/plugins/check_apt':
+ source => 'puppet:///modules/site_check_mk/agent/apt/check_apt',
+ owner => root,
+ group => root,
+ mode => '0750',
+ require => [ File['/usr/local/lib/nagios/plugins' ], Package['nagios-plugins-basic'] ];
+ }
+}
diff --git a/example/site_check_mk/manifests/agent/logwatch.pp b/example/site_check_mk/manifests/agent/logwatch.pp
new file mode 100644
index 0000000..423cace
--- /dev/null
+++ b/example/site_check_mk/manifests/agent/logwatch.pp
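Review bot: In apt.pp the `augeas` resource that writes the `APT` line into `/etc/check_mk/mrpe.cfg` requires the plugin directory and the agent package but not the wrapper it points to, so the MRPE entry can be applied before `/usr/local/lib/nagios/plugins/check_apt` exists. Depending on the wrapper itself closes that gap, and the directory stays covered through the wrapper's own `require`: `require => [ File['/usr/local/lib/nagios/plugins/check_apt'], Package['check-mk-agent'] ];`. The wrapper's `file` resource would also read more clearly with an explicit `ensure => file`.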
@@ -0,0 +1,36 @@
+class site_check_mk::agent::logwatch {
+ # Deploy mk_logwatch 1.2.4 so we can split the config
+ # into multiple config files in /etc/check_mk/logwatch.d
+ # see https://leap.se/code/issues/5135
+
+ file { '/usr/lib/check_mk_agent/plugins/mk_logwatch':
+ source => 'puppet:///modules/site_check_mk/agent/plugins/mk_logwatch.1.2.4',
+ mode => '0755',
+ require => Package['check-mk-agent-logwatch']
+ }
+
+ # only config files that watch a distinct logfile should go in logwatch.d/
+ file { '/etc/check_mk/logwatch.d':
+ ensure => directory,
+ recurse => true,
+ purge => true,
+ require => Package['check-mk-agent-logwatch']
+ }
+
+ # service that share a common logfile (i.e. /var/log/syslog) need to get
+ # concanated in one file, otherwise the last file sourced will override
+ # the config before
+ # see mk_logwatch: "logwatch.cfg overwrites config files in logwatch.d",
+ # https://leap.se/code/issues/5155
+
+ # first, we need to deploy a custom logwatch.cfg that doesn't include
+ # a section about /var/log/syslog
+
+ file { '/etc/check_mk/logwatch.cfg':
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/logwatch.cfg',
+ require => Package['check_mk-agent-logwatch']
+ }
+
+ include concat::setup
+ include site_check_mk::agent::logwatch::syslog
+}
diff --git a/example/site_check_mk/manifests/agent/logwatch/syslog.pp b/example/site_check_mk/manifests/agent/logwatch/syslog.pp
new file mode 100644
index 0000000..c927780
--- /dev/null
+++ b/example/site_check_mk/manifests/agent/logwatch/syslog.pp
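Review bot: The `/etc/check_mk/logwatch.cfg` resource in logwatch.pp requires `Package['check_mk-agent-logwatch']` (underscore), while the two resources above it and `agent_logwatch_package_name` in agent.pp use `check-mk-agent-logwatch`. Unless a package with the underscore title is declared elsewhere, catalog compilation will fail as soon as the commented-out `include site_check_mk::agent::logwatch` in agent.pp is enabled; the line should read `require => Package['check-mk-agent-logwatch']`. The `mk_logwatch` plugin resource also sets only `mode => '0755'`; since the agent is run through sudo per agent.pp, adding `owner => root, group => root` would make it explicit that the plugin stays root-controlled.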
@@ -0,0 +1,18 @@
+class site_check_mk::agent::logwatch::syslog {
+
+ concat { '/etc/check_mk/logwatch.d/syslog.cfg':
+ warn => true
+ }
+
+ concat::fragment { 'syslog_header':
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog_header.cfg',
+ target => '/etc/check_mk/logwatch.d/syslog.cfg',
+ order => '01';
+ }
+ concat::fragment { 'syslog_tail':
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog_tail.cfg',
+ target => '/etc/check_mk/logwatch.d/syslog.cfg',
+ order => '99';
+ }
+
+}
diff --git a/example/site_check_mk/manifests/server.pp b/example/site_check_mk/manifests/server.pp
new file mode 100644
index 0000000..99fee41
--- /dev/null
+++ b/example/site_check_mk/manifests/server.pp
@@ -0,0 +1,96 @@
+class site_check_mk::server {
+
+ # we don't use the main check_mk class, but call things a la carte. The
+ # main class does:
+ # check_mk::install -> we don't want OMD, we install the debian packages
+ # check_mk::config -> we call below with special settings
+ # check_mk::service -> service checks for http/xinetd/omd, we don't want
+ # check_mk::server::configure_ssh -> we call below
+ # FIXME: if the check_mk module was more generic and less OMD focused,
+ # it would just know what to do for a debian install and we could use
+ # the main check_mk class with the right parameters, rather than a la carte
+
+ # install the server package, this also pulls in check-mk-config-nagios3
+ # FIXME: the check_mk module should be enhanced to better support distro
+ # installs and then we'd just set a $distro parameter and it would
+ # detect debian and install the right packages. But until it does...
+ package { 'check-mk-server':
+ ensure => installed,
+ }
+
+ # the server needs check_icmp (among others)
+ if !defined(Package['nagios-plugins-basic']) {
+ package { 'nagios-plugins-basic': ensure => installed }
+ }
+
+ # flush config for certain config changes
+ # FIXME: after testing, maybe this can go in the generic module
+ exec { 'check_mk-flush':
+ command => "/bin/su -l -c '${bin_dir}/check_mk --flush' ${site}",
+ refreshonly => true,
+ notify => Exec['check_mk-reload'],
+ }
+
+ file {
+ '/etc/check_mk/keys':
+ ensure => directory;
+
+ # don't generate host defines
+ '/etc/check_mk/conf.d/nohost.mk':
+ source => 'puppet:///modules/site_check_mk/nohost.mk',
+ owner => root,
+ group => root,
+ mode => '0644',
+ notify => Exec['check_mk-refresh'];
+
+ # setup parent relationships
+ '/etc/check_mk/conf.d/parents.mk':
+ source => 'puppet:///modules/site_check_mk/parents.mk',
+ owner => root,
+ group => root,
+ mode => '0644',
+ notify => Exec['check_mk-refresh'];
+
+ # checks we ignore (requires a flush to get them to go away)
+ '/etc/check_mk/conf.d/ignore.mk':
+ source => 'puppet:///modules/site_check_mk/ignore.mk',
+ owner => root,
+ group => root,
+ mode => '0644',
+ notify => Exec['check_mk-flush'];
+
+ # checks we adjust (requires reload so checks are recompiled)
+ '/etc/check_mk/conf.d/adjust.mk':
+ source => 'puppet:///modules/site_check_mk/adjust.mk',
+ owner => root,
+ group => root,
+ mode => '0644',
+ notify => Exec['check_mk-reload'];
+
+ # check_icmp must be suid root or called by sudo
+ # see https://leap.se/code/issues/5171
+ '/usr/lib/nagios/plugins/check_icmp':
+ mode => '4755',
+ require => Package['nagios-plugins-basic'];
+ }
+
+ # override paths to use the system check_mk rather than OMD
+ class { 'check_mk::config':
+ # default site is 'monitoring', we set to blank
+ site => '',
+ # etc_dir is an OMD dir by default, we use /etc resulting in /etc/check_mk
+ etc_dir => '/etc',
+ # nagios_subdir is nagios by default, debian uses nagios3
+ nagios_subdir => 'nagios3',
+ # bin_dir is an OMD dir by default, we use the system path for debian
+ bin_dir => '/usr/bin',
+ # all our hosts are in the same group
+ host_groups => undef,
+ # use_storedconfigs default is true, which we want
+ # make sure the check-mk-server is installed or initial config will fail
+ # FIXME: like the above, this should move into the check_mk module
+ require => Package['check-mk-server']
+ }
+
+ class { 'check_mk::server::configure_ssh': }
+} |
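Review bot: The `check_mk-flush` exec in server.pp interpolates `${bin_dir}` and `${site}`, but neither variable is set in `site_check_mk::server`; they only appear as parameters passed to `check_mk::config` further down, so as far as this file shows the command expands to `/bin/su -l -c '/check_mk --flush' ` with no binary path. Given that `bin_dir` is `/usr/bin` and `site` is `''` here, the simplest fix is `command => '/usr/bin/check_mk --flush',`, or the variables can be given their class-qualified names. Separately, the `check_icmp` entry sets `mode => '4755'` without `owner` or `group`; the setuid bit only does what the comment intends while the file is root-owned, so `owner => root, group => root` should be pinned alongside it. `Exec['check_mk-reload']` and `Exec['check_mk-refresh']` are not declared in this file and are presumably provided by the check_mk module.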