authorMatt Taggart <taggart@riseup.net>2015-05-12 10:43:56 -0700
committerMatt Taggart <taggart@riseup.net>2015-05-12 10:43:56 -0700
commitbcde059a9b1e95d72f6622604837b85496a5f75a (patch)
treec0a6f72732eb75a9fc3ba316e789c7d8bcfbd7fe /manifests
parentf5f3bca062ea6af44f9b8eb654d3b532a3f758cc (diff)
parent9930649228a509eda998699e213ed458685763f0 (diff)
Merge branch 'master' of gitlab.com:shared-puppet-modules-group/check_mk
Conflicts: manifests/agent/generate_sshkey.pp
Diffstat (limited to 'manifests')
-rw-r--r--manifests/agent.pp33
-rw-r--r--manifests/agent/config.pp19
-rw-r--r--manifests/agent/generate_sshkey.pp75
-rw-r--r--manifests/agent/mrpe.pp19
-rw-r--r--manifests/agent/ps.pp17
-rw-r--r--manifests/config.pp15
-rw-r--r--manifests/install_tarball.pp1
-rw-r--r--manifests/ps.pp34
-rw-r--r--manifests/server/collect_ps.pp30
-rw-r--r--manifests/service.pp1
10 files changed, 202 insertions, 42 deletions
diff --git a/manifests/agent.pp b/manifests/agent.pp
index 2ff9da5..c455bd5 100644
--- a/manifests/agent.pp
+++ b/manifests/agent.pp
@@ -4,7 +4,9 @@ class check_mk::agent (
$ip_whitelist = undef,
$port = '6556',
$server_dir = '/usr/bin',
- $homedir = '/omd/sites/monitoring',
+ $keydir = '/omd/sites/monitoring',
+ $authdir = '/omd/sites/monitoring',
+ $authfile = undef,
$use_cache = false,
$user = 'root',
$version = undef,
@@ -13,6 +15,7 @@ class check_mk::agent (
$agent_logwatch_package_name = 'check_mk-agent-logwatch',
$method = 'xinetd',
$generate_sshkey = false,
+ $sshuser = undef,
$use_ssh_tag = 'ssh',
$register_agent = true
) {
@@ -23,10 +26,10 @@ class check_mk::agent (
include check_mk::agent::service
}
'ssh': {
- if ( $host_tags != '' ) {
- $tags = "${host_tags}|${use_ssh_tag}"
- } else {
+ if ( $host_tags == undef ) or ( $host_tags == '' ) {
$tags = $use_ssh_tag
+ } else {
+ $tags = "${host_tags}|${use_ssh_tag}"
}
}
default: {}
@@ -40,16 +43,20 @@ class check_mk::agent (
agent_logwatch_package_name => $agent_logwatch_package_name,
method => $method
}
+
class { 'check_mk::agent::config':
- ip_whitelist => $ip_whitelist,
- port => $port,
- server_dir => $server_dir,
- homedir => $homedir,
- use_cache => $use_cache,
- user => $user,
- method => $method,
- generate_sshkey => $generate_sshkey,
- require => Class['check_mk::agent::install'],
+ ip_whitelist => $ip_whitelist,
+ port => $port,
+ server_dir => $server_dir,
+ keydir => $keydir,
+ authdir => $authdir,
+ authfile => $authfile,
+ use_cache => $use_cache,
+ user => $user,
+ method => $method,
+ generate_sshkey => $generate_sshkey,
+ sshuser => $sshuser,
+ require => Class['check_mk::agent::install'],
}
if ( $register_agent ) {
diff --git a/manifests/agent/config.pp b/manifests/agent/config.pp
index 13fba61..5907d43 100644
--- a/manifests/agent/config.pp
+++ b/manifests/agent/config.pp
@@ -1,12 +1,15 @@
class check_mk::agent::config (
- $ip_whitelist = '',
+ $ip_whitelist = '',
$port,
$server_dir,
- $homedir,
+ $keydir,
+ $authdir,
+ $authfile = undef,
$use_cache,
$user,
$method = 'xinetd',
$generate_sshkey = false,
+ $sshuser = undef
) {
if $use_cache {
$server = "${server_dir}/check_mk_caching_agent"
@@ -35,10 +38,18 @@ class check_mk::agent::config (
'ssh': {
if $generate_sshkey {
- check_mk::agent::generate_sshkey { 'check_mk_key':
- homedir => $homedir
+ check_mk::agent::generate_sshkey { "check_mk_key_${::fqdn}":
+ keydir => $keydir,
+ authdir => $authdir,
+ authfile => $authfile,
+ sshuser => $sshuser
}
}
+
+ # make sure the xinetd method is not configured
+ file { '/etc/xinetd.d/check_mk':
+ ensure => absent;
+ }
}
default : {}
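Review bot: Removing `/etc/xinetd.d/check_mk` in the 'ssh' branch does not by itself stop an already running xinetd from answering on the agent port, and nothing in this hunk reloads or restarts it. Until xinetd re-reads its configuration, the agent output presumably stays reachable over the plain TCP port that the ssh method is meant to replace. If an xinetd service resource is declared for these nodes, add `notify => Service['xinetd']` to the file resource; otherwise extend the comment, e.g. `# xinetd must be reloaded for the removal to take effect`. The class body starts and ends outside the hunk.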
diff --git a/manifests/agent/generate_sshkey.pp b/manifests/agent/generate_sshkey.pp
index 4742238..d2d1d39 100644
--- a/manifests/agent/generate_sshkey.pp
+++ b/manifests/agent/generate_sshkey.pp
@@ -1,39 +1,68 @@
-define check_mk::agent::generate_sshkey(
- $homedir,
- $ssh_key_basepath = '/etc/puppet/modules/keys/files/check_mk_keys',
- $user = 'monitoring',
- $group = 'monitoring',
+define check_mk::agent::generate_sshkey (
+ # dir on the check-mk-server where the collected key pairs are stored
+ $keydir,
+ # user/group the key should be owned by on the check-mk-server
+ $keyuser = 'nagios',
+ $keygroup = 'nagios',
+ # dir on the check-mk-agent where the authorized_keys file is stored
+ $authdir,
+ # name of the authorized_keys file
+ $authfile = undef,
+ # dir on the puppetmaster where keys are stored
+ # FIXME: need a way to ensure this dir is setup on the puppetmaster correctly
+ #$ssh_key_basepath = "${common::moduledir::module_dir_path}/check_mk/keys",
+ # for now use a dir we know works
+ $ssh_key_basepath = '/etc/puppet/modules/check_mk/keys',
+ # user on the client the check_mk server will ssh to, to run the agent
+ $sshuser = 'root',
$check_mk_tag = 'check_mk_sshkey'
){
- # generate backupninja ssh keypair
- $ssh_key_name = "monitoring_${::fqdn}_id_rsa"
+ # generate check-mk ssh keypair, stored on puppetmaster
+ $ssh_key_name = "${::fqdn}_id_rsa"
$ssh_keys = ssh_keygen("${ssh_key_basepath}/${ssh_key_name}")
$public = split($ssh_keys[1],' ')
$public_type = $public[0]
$public_key = $public[1]
$secret_key = $ssh_keys[0]
- sshd::ssh_authorized_key { $ssh_key_name:
- type => 'ssh-rsa',
- key => $public_key,
- user => 'root',
- options => 'command="/usr/bin/check_mk_agent"';
+ # if we're not root we need to use sudo
+ if $sshuser != 'root' {
+ $command = 'sudo /usr/bin/check_mk_agent'
+ } else {
+ $command = '/usr/bin/check_mk_agent'
}
- @@file { "${homedir}/.ssh/${ssh_key_name}":
- content => $secret_key,
- owner => $user,
- group => $group,
- mode => '0600',
- tag => $check_mk_tag;
+ # setup the public half of the key in authorized_keys on the agent
+ # and restrict it to running only the agent
+ if $authdir or $authfile {
+ # if $authkey or $authdir are set, override authorized_keys path and file
+ # and also override using the built-in ssh_authorized_key since it may
+ # not be able to write to $authdir
+ sshd::ssh_authorized_key { $ssh_key_name:
+ type => 'ssh-rsa',
+ key => $public_key,
+ user => $sshuser,
+ target => "${authdir}/${authfile}",
+ override_builtin => true,
+ options => "command=\"${command}\"";
+ } else {
+ # otherwise use the defaults
+ sshd::ssh_authorized_key { $ssh_key_name:
+ type => 'ssh-rsa',
+ key => $public_key,
+ user => $sshuser,
+ options => "command=\"${command}\"";
+ }
}
- @@file { "${homedir}/.ssh/${ssh_key_name}.pub":
- content => $public_key,
- owner => $user,
- group => $group,
- mode => '0666',
+ # resource collector for the private half of the keys, these end up on
+ # the check-mk-server host, and the user running check-mk needs access
+ @@file { "${keydir}/${ssh_key_name}":
+ content => $secret_key,
+ owner => $keyuser,
+ group => $keygroup,
+ mode => '0600',
tag => $check_mk_tag;
}
}
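Review bot: The condition `if $authdir or $authfile` is true when only one of the two is set, yet that branch always builds `target => "${authdir}/${authfile}"`. `$authdir` is a required parameter here and agent.pp passes a non-empty default for it while `$authfile` defaults to undef, so with those defaults the target ends in a bare `/` and the `else` branch with the sshd module defaults is not reached. Use `if $authdir and $authfile {`, and correct the comment, which names `$authkey` instead of `$authfile`. Separately, the `@@file` resource exports `$secret_key` as its content, so the private key is held in the storeconfigs backend as well as under `$ssh_key_basepath`; a comment such as `# NOTE: the private key passes through storeconfigs; restrict access to that database` would make this explicit.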
diff --git a/manifests/agent/mrpe.pp b/manifests/agent/mrpe.pp
new file mode 100644
index 0000000..5bc5f33
--- /dev/null
+++ b/manifests/agent/mrpe.pp
@@ -0,0 +1,19 @@
+class check_mk::agent::mrpe {
+ # check_mk can use standard nagios plugins using
+ # a wrapper called mrpe
+ # see http://mathias-kettner.de/checkmk_mrpe.html
+ # this subclass is provided to be included by checks that use mrpe
+
+ # FIXME: this is Debian specific and should be made more generic
+ if !defined(Package['nagios-plugins-basic']) {
+ package { 'nagios-plugins-basic':
+ ensure => latest,
+ }
+ }
+
+ # ensure the config file exists, individual checks will add lines to it
+ file { '/etc/check_mk/mrpe.cfg':
+ ensure => present,
+ require => Package['check-mk-agent']
+ }
+}
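Review bot: `/etc/check_mk/mrpe.cfg` is declared with only `ensure => present`, so its owner and mode are whatever already exists on disk or the defaults at creation. The lines that individual checks add to this file are the plugin commands mrpe runs on the agent, so it should be writable only by root: add `owner => 'root',`, `group => 'root',` and `mode => '0644',` to the file resource. `ensure => latest` on `nagios-plugins-basic` also upgrades the package on any run where a newer version is available; `ensure => present` would leave upgrades to normal patching.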
diff --git a/manifests/agent/ps.pp b/manifests/agent/ps.pp
new file mode 100644
index 0000000..67a999f
--- /dev/null
+++ b/manifests/agent/ps.pp
@@ -0,0 +1,17 @@
+define check_mk::agent::ps (
+ # procname and levels have defaults in check_mk::ps
+ $procname = undef,
+ $levels = undef,
+ # user is optional
+ $user = undef
+) {
+
+ @@check_mk::ps { "${::fqdn}_${name}":
+ desc => $name,
+ host => $::fqdn,
+ procname => $procname,
+ user => $user,
+ levels => $levels,
+ tag => 'check_mk_ps';
+ }
+}
diff --git a/manifests/config.pp b/manifests/config.pp
index 6a6f375..6736147 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -6,8 +6,18 @@ class check_mk::config (
$bin_dir = "/omd/sites/${site}/bin",
$use_storedconfigs = true
) {
- file { "${etc_dir}/${nagios_subdir}/local":
- ensure => directory,
+ file {
+ # for local check_mk checks
+ "${etc_dir}/${nagios_subdir}/local":
+ ensure => directory;
+
+ # package provided and check_mk generated files, defined so the nagios
+ # module doesn't purge them
+ "${etc_dir}/${nagios_subdir}/conf.d/check_mk":
+ ensure => directory;
+ [ "${etc_dir}/${nagios_subdir}/conf.d/check_mk/check_mk_objects.cfg",
+ "${etc_dir}/${nagios_subdir}/conf.d/check_mk/check_mk_templates.cfg" ]:
+ ensure => present;
}
file_line { 'nagios-add-check_mk-cfg_dir':
ensure => present,
@@ -41,6 +51,7 @@ class check_mk::config (
}
if ( $use_storedconfigs ) {
class { 'check_mk::server::collect_hosts': }
+ class { 'check_mk::server::collect_ps': }
}
diff --git a/manifests/install_tarball.pp b/manifests/install_tarball.pp
index 4a0af23..af40a26 100644
--- a/manifests/install_tarball.pp
+++ b/manifests/install_tarball.pp
@@ -31,6 +31,7 @@ class check_mk::install_tarball (
ensure => present,
require => Package['nagios'],
}
+ # FIXME: this should get and check $use_ssh before requiring xinetd
package { [ 'xinetd', 'mod_python', 'make', 'gcc-c++', 'tar', 'gzip' ]:
ensure => present,
}
diff --git a/manifests/ps.pp b/manifests/ps.pp
new file mode 100644
index 0000000..1171a13
--- /dev/null
+++ b/manifests/ps.pp
@@ -0,0 +1,34 @@
+define check_mk::ps (
+ $target,
+ $host,
+ $desc,
+ $procname = "/usr/sbin/${desc}",
+ $levels = '1, 1, 1, 1',
+ $user = undef
+) {
+ # This class is called on check-mk agent machines in order to create
+ # checks using the built-in ps check type. They create stored configs
+ # and then the check_mk::server::collect_ps class on the server
+ # generates the config file to set them up
+
+ # lines in the ps.mk config file look like
+ # ( "foo.example.com", "ps", "NAME", ( "/usr/sbin/foo", 1, 1, 1, 1 ) )
+ # or with a user
+ # ( "foo.example.com", "ps", "NAME", ( "/usr/sbin/foo", "user", 1, 1, 1, 1 ) )
+ if $user {
+ $check = " ( \"${host}\", \"ps\", \"${desc}\", ( \"${procname}\", ${user}, ${levels} ) ),\n"
+ } else {
+ $check = " ( \"${host}\", \"ps\", \"${desc}\", ( \"${procname}\", ${levels} ) ),\n"
+ }
+
+ # FIXME: we could be smarter about this and consolidate host checks
+ # that have identical settings and that would make the config file
+ # make more sense for humans. but for now we'll just do separate
+ # lines (which may result in a very large file, but check-mk is fine)
+ concat::fragment { "check_mk_ps-${host}_${desc}":
+ target => $target,
+ content => $check,
+ order => 20
+ }
+}
+
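Review bot: In the `if $user` branch `${user}` is interpolated without quotes, while the comment above shows the user as a quoted string (`"user"`), so the generated ps.mk line carries a bare identifier instead of a string. Quote it like the other fields: `( \"${procname}\", \"${user}\", ${levels} )`. `$host`, `$desc`, `$procname`, `$user` and `$levels` all reach this define through resources exported by agent nodes (agent/ps.pp) and are written verbatim into a file that check_mk evaluates as configuration, so a value containing a quote, parenthesis or newline changes the structure of that file. Rejecting such values before building `$check`, for example with stdlib's `validate_re` against a conservative character class, would keep one agent's data from altering the server's configuration.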
diff --git a/manifests/server/collect_ps.pp b/manifests/server/collect_ps.pp
new file mode 100644
index 0000000..067a25c
--- /dev/null
+++ b/manifests/server/collect_ps.pp
@@ -0,0 +1,30 @@
+class check_mk::server::collect_ps (
+ $config = "${::check_mk::config::etc_dir}/check_mk/conf.d/ps.mk"
+) {
+
+ # this class gets run on the check-mk server in order to collect the
+ # stored configs created on clients and assemble the ps.mk config file
+ concat { $config:
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ notify => Exec['check_mk-refresh'],
+ }
+
+ concat::fragment{'check_mk_ps_header':
+ target => $config,
+ content => "checks += [\n",
+ order => 10,
+ }
+
+ Check_mk::Ps <<| tag == 'check_mk_ps' |>> {
+ target => $config,
+ notify => Exec['check_mk-refresh']
+ }
+
+ concat::fragment{'check_mk_ps_footer':
+ target => $config,
+ content => "]\n",
+ order => 90,
+ }
+}
diff --git a/manifests/service.pp b/manifests/service.pp
index de0cbdb..36fb2d1 100644
--- a/manifests/service.pp
+++ b/manifests/service.pp
@@ -6,6 +6,7 @@ class check_mk::service {
enable => true,
}
}
+ # FIXME: this should get and check $use_ssh before doing this
if ! defined(Service[xinetd]) {
service { 'xinetd':
ensure => 'running',