-rw-r--r-- | README.md | 53 | ||||
-rw-r--r-- | TODO | 3 | ||||
-rw-r--r-- | manifests/agent.pp | 33 | ||||
-rw-r--r-- | manifests/agent/config.pp | 19 | ||||
-rw-r--r-- | manifests/agent/generate_sshkey.pp | 78 | ||||
-rw-r--r-- | manifests/agent/mrpe.pp | 19 | ||||
-rw-r--r-- | manifests/agent/ps.pp | 17 | ||||
-rw-r--r-- | manifests/config.pp | 15 | ||||
-rw-r--r-- | manifests/install_tarball.pp | 1 | ||||
-rw-r--r-- | manifests/ps.pp | 34 | ||||
-rw-r--r-- | manifests/server/collect_ps.pp | 30 | ||||
-rw-r--r-- | manifests/service.pp | 1 |
12 files changed, 258 insertions, 45 deletions
@@ -204,6 +204,59 @@ You can also include host tags - for example: Remember to run the Puppet agent on your monitoring host to pick up any changes. +## Migrating from nagios-statd + +nagios-statd provides several features that can be replaced with check_mk +plugins. + +*nagios-stat-proc*: checks processes on the agent system +If you previously used the nagios puppet module to do something like: + + check_command => 'nagios-stat-proc!/usr/sbin/foo!1!1!proc' + +you can now use the check_mk ps check: + + check_mk::agent::ps { + 'foo': + procname => '/usr/local/weirdpath/foo', + levels => '1, 2, 2, 3', + owner => 'alice' + } + +defaults: + procname: "/usr/sbin/${name}" + levels: '1, 1, 1, 1' + owner: not required + +Run check_mk with '-M ps' for the manpage explaining the parameters. + +*swap*: check_mk has a 'mem.used' check which is enabled by default. But + as it's manpage explains if you want to measure swappiness you are + better off using the 'kernel' check and measuring 'Major Page Faults' + (pgmajfault). + +*disk*: check_mk has a 'df' check which is enabled by default. + +## Migrating from nrpe to mrpe + +If you were using nrpe to run a nagios plugin locally, first check if a +native check_mk check exists with the same functionality, if not consider +writing one. But if continuing to use the nagios plugin makes sense you +can switch to mrpe. + +* Continue to deliver the plugin to the agent system +* include check_mk::agent::mrpe +* add a line to the mrpe.cfg file using augeas + + augeas { + "Foo": + incl => '/etc/check_mk/mrpe.cfg', + lens => 'Spacevars.lns', + changes => 'set FOO /usr/local/lib/nagios/plugins/check_foo', + require => [ File['/usr/local/lib/nagios/plugins' ], Package['check-mk-agent'] ]; + } + + This is the riseup clone, available at: git://labs.riseup.net/module_check_mk 
@@ -1,2 +1,5 @@ Use nagios_hostgroup type rather than clumsily creating our own. Add support for ignored_services to eliminate false alerts. +Implement support for choosing either upstream install or distro supplied + packages. If using distro packages, detect distro and set package names + to reasonable default (currently requires overriding). diff --git a/manifests/agent.pp b/manifests/agent.pp index 2ff9da5..c455bd5 100644 --- a/manifests/agent.pp +++ b/manifests/agent.pp @@ -4,7 +4,9 @@ class check_mk::agent ( $ip_whitelist = undef, $port = '6556', $server_dir = '/usr/bin', - $homedir = '/omd/sites/monitoring', + $keydir = '/omd/sites/monitoring', + $authdir = '/omd/sites/monitoring', + $authfile = undef, $use_cache = false, $user = 'root', $version = undef, @@ -13,6 +15,7 @@ class check_mk::agent ( $agent_logwatch_package_name = 'check_mk-agent-logwatch', $method = 'xinetd', $generate_sshkey = false, + $sshuser = undef, $use_ssh_tag = 'ssh', $register_agent = true ) { @@ -23,10 +26,10 @@ class check_mk::agent ( include check_mk::agent::service } 'ssh': { - if ( $host_tags != '' ) { - $tags = "${host_tags}|${use_ssh_tag}" - } else { + if ( $host_tags == undef ) or ( $host_tags == '' ) { $tags = $use_ssh_tag + } else { + $tags = "${host_tags}|${use_ssh_tag}" } } default: {} 
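Review bot: The new `$authdir` default of `'/omd/sites/monitoring'` in the first agent.pp hunk is always set, so the `if $authdir or $authfile` test in the generate_sshkey.pp hunk is true on every agent, even when nobody asked for an override. With `$authfile` left at `undef`, the target then becomes `"${authdir}/${authfile}"`, a directory path with no file name. I would default it here as `$authdir = undef,`, give `$authdir` the same default in `check_mk::agent::config` and the define, and test `if $authdir and $authfile {` there. Removing `$homedir` outright also breaks any caller that still passes `homedir =>`, which deserves a line in the README. The class body continues outside the hunk.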
@@ -40,16 +43,20 @@ class check_mk::agent ( agent_logwatch_package_name => $agent_logwatch_package_name, method => $method } + class { 'check_mk::agent::config': - ip_whitelist => $ip_whitelist, - port => $port, - server_dir => $server_dir, - homedir => $homedir, - use_cache => $use_cache, - user => $user, - method => $method, - generate_sshkey => $generate_sshkey, - require => Class['check_mk::agent::install'], + ip_whitelist => $ip_whitelist, + port => $port, + server_dir => $server_dir, + keydir => $keydir, + authdir => $authdir, + authfile => $authfile, + use_cache => $use_cache, + user => $user, + method => $method, + generate_sshkey => $generate_sshkey, + sshuser => $sshuser, + require => Class['check_mk::agent::install'], } if ( $register_agent ) { diff --git a/manifests/agent/config.pp b/manifests/agent/config.pp index 256af8f..36f2910 100644 --- a/manifests/agent/config.pp +++ b/manifests/agent/config.pp @@ -1,12 +1,15 @@ class check_mk::agent::config ( - $ip_whitelist = '', + $ip_whitelist = '', $port, $server_dir, - $homedir, + $keydir, + $authdir, + $authfile = undef, $use_cache, $user, $method = 'xinetd', $generate_sshkey = false, + $sshuser = undef ) { if $use_cache { $server = "${server_dir}/check_mk_caching_agent" @@ -34,10 +37,18 @@ class check_mk::agent::config ( } 'ssh' : { if $generate_sshkey { - check_mk::agent::generate_sshkey { 'check_mk_key': - homedir => $homedir + check_mk::agent::generate_sshkey { "check_mk_key_${::fqdn}": + keydir => $keydir, + authdir => $authdir, + authfile => $authfile, + sshuser => $sshuser } } + + # make sure the xinetd method is not configured + file { '/etc/xinetd.d/check_mk': + ensure => absent; + } } default : {} } diff --git a/manifests/agent/generate_sshkey.pp b/manifests/agent/generate_sshkey.pp index 3187037..d2d1d39 100644 --- a/manifests/agent/generate_sshkey.pp +++ b/manifests/agent/generate_sshkey.pp 
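Review bot: Removing `/etc/xinetd.d/check_mk` in the `'ssh'` branch of the second config.pp hunk does not by itself stop the agent from listening. Nothing visible in the hunk notifies xinetd, so an xinetd that is already running would presumably keep serving the agent on `$port` until it is reloaded. If the ssh method is meant to take the agent off plain TCP, the file resource should trigger a reload, for example through an `exec` with `refreshonly => true` that only runs when xinetd is installed. Failing that, a comment such as `# xinetd must be reloaded before this removal takes effect` would at least document the gap. The case statement starts outside the hunk.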
@@ -1,42 +1,68 @@ -define check_mk::agent::generate_sshkey( - $ssh_key_basepath = '/etc/puppet/modules/keys/files/check_mk_keys', - $user = 'monitoring', - $group = 'monitoring', - $homedir, +define check_mk::agent::generate_sshkey ( + # dir on the check-mk-server where the collected key pairs are stored + $keydir, + # user/group the key should be owned by on the check-mk-server + $keyuser = 'nagios', + $keygroup = 'nagios', + # dir on the check-mk-agent where the authorized_keys file is stored + $authdir, + # name of the authorized_keys file + $authfile = undef, + # dir on the puppetmaster where keys are stored + # FIXME: need a way to ensure this dir is setup on the puppetmaster correctly + #$ssh_key_basepath = "${common::moduledir::module_dir_path}/check_mk/keys", + # for now use a dir we know works + $ssh_key_basepath = '/etc/puppet/modules/check_mk/keys', + # user on the client the check_mk server will ssh to, to run the agent + $sshuser = 'root', $check_mk_tag = 'check_mk_sshkey' ){ - # generate backupninja ssh keypair - $ssh_key_name = "monitoring_${::fqdn}_id_rsa" + # generate check-mk ssh keypair, stored on puppetmaster + $ssh_key_name = "${::fqdn}_id_rsa" $ssh_keys = ssh_keygen("${ssh_key_basepath}/${ssh_key_name}") $public = split($ssh_keys[1],' ') $public_type = $public[0] $public_key = $public[1] $secret_key = $ssh_keys[0] - sshd::ssh_authorized_key { $ssh_key_name: - type => 'ssh-rsa', - key => $public_key, - user => 'root', - options => 'command="/usr/bin/check_mk_agent"'; + # if we're not root we need to use sudo + if $sshuser != 'root' { + $command = 'sudo /usr/bin/check_mk_agent' + } else { + $command = '/usr/bin/check_mk_agent' } - @@file { "${homedir}/.ssh/${ssh_key_name}": - content => $secret_key, - owner => $user, - group => $group, - mode => '0600', - tag => $check_mk_tag; + # setup the public half of the key in authorized_keys on the agent + # and restrict it to running only the agent + if $authdir or $authfile { + # if $authkey or $authdir 
are set, override authorized_keys path and file + # and also override using the built-in ssh_authorized_key since it may + # not be able to write to $authdir + sshd::ssh_authorized_key { $ssh_key_name: + type => 'ssh-rsa', + key => $public_key, + user => $sshuser, + target => "${authdir}/${authfile}", + override_builtin => true, + options => "command=\"${command}\""; + } else { + # otherwise use the defaults + sshd::ssh_authorized_key { $ssh_key_name: + type => 'ssh-rsa', + key => $public_key, + user => $sshuser, + options => "command=\"${command}\""; + } } - - @@file { "${homedir}/.ssh/${ssh_key_name}.pub": - content => $public_key, - owner => $user, - group => $group, - mode => '0666', + # resource collector for the private half of the keys, these end up on + # the check-mk-server host, and the user running check-mk needs access + @@file { "${keydir}/${ssh_key_name}": + content => $secret_key, + owner => $keyuser, + group => $keygroup, + mode => '0600', tag => $check_mk_tag; } - - } diff --git a/manifests/agent/mrpe.pp b/manifests/agent/mrpe.pp new file mode 100644 index 0000000..5bc5f33 --- /dev/null +++ b/manifests/agent/mrpe.pp @@ -0,0 +1,19 @@ +class check_mk::agent::mrpe { + # check_mk can use standard nagios plugins using + # a wrapper called mrpe + # see http://mathias-kettner.de/checkmk_mrpe.html + # this subclass is provided to be included by checks that use mrpe + + # FIXME: this is Debian specific and should be made more generic + if !defined(Package['nagios-plugins-basic']) { + package { 'nagios-plugins-basic': + ensure => latest, + } + } + + # ensure the config file exists, individual checks will add lines to it + file { '/etc/check_mk/mrpe.cfg': + ensure => present, + require => Package['check-mk-agent'] + } +} diff --git a/manifests/agent/ps.pp b/manifests/agent/ps.pp new file mode 100644 index 0000000..67a999f --- /dev/null +++ b/manifests/agent/ps.pp 
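Review bot: Both `sshd::ssh_authorized_key` resources in the generate_sshkey.pp hunk restrict the key with `command=` only, so it still allows port, agent and X11 forwarding and pty allocation for `$sshuser`, which defaults to root. I would extend the option string to `options => "command=\"${command}\",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty";` in both branches, in whatever form `sshd::ssh_authorized_key` expects for several options. As rendered on this page, the first branch runs from `options => ...;` straight into `} else {` without closing the resource, which looks like a missing `}`. The `@@file` resource exports `$secret_key` as file content, so the private key also sits in the storeconfigs backend; a comment saying so would tell operators that the database needs the same protection as the key directory. The non-root path relies on a sudoers rule for `/usr/bin/check_mk_agent` that this define does not manage.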
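Review bot: `/etc/check_mk/mrpe.cfg` in the mrpe.pp hunk is declared with `ensure => present` only, so Puppet will not correct the owner or mode of a file that already exists. Every line in that file is a command the agent executes, presumably as root given this module's default `$user`. I would add `owner => 'root', group => 'root', mode => '0644',` to the file resource so that only root can add checks. `ensure => latest` on `nagios-plugins-basic` also upgrades the plugins on any run without review; `ensure => present` is the more predictable choice.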
@@ -0,0 +1,17 @@ +define check_mk::agent::ps ( + # procname and levels have defaults in check_mk::ps + $procname = undef, + $levels = undef, + # user is optional + $user = undef +) { + + @@check_mk::ps { "${::fqdn}_${name}": + desc => $name, + host => $::fqdn, + procname => $procname, + user => $user, + levels => $levels, + tag => 'check_mk_ps'; + } +} diff --git a/manifests/config.pp b/manifests/config.pp index 6a6f375..6736147 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -6,8 +6,18 @@ class check_mk::config ( $bin_dir = "/omd/sites/${site}/bin", $use_storedconfigs = true ) { - file { "${etc_dir}/${nagios_subdir}/local": - ensure => directory, + file { + # for local check_mk checks + "${etc_dir}/${nagios_subdir}/local": + ensure => directory; + + # package provided and check_mk generated files, defined so the nagios + # module doesn't purge them + "${etc_dir}/${nagios_subdir}/conf.d/check_mk": + ensure => directory; + [ "${etc_dir}/${nagios_subdir}/conf.d/check_mk/check_mk_objects.cfg", + "${etc_dir}/${nagios_subdir}/conf.d/check_mk/check_mk_templates.cfg" ]: + ensure => present; } file_line { 'nagios-add-check_mk-cfg_dir': ensure => present, @@ -41,6 +51,7 @@ class check_mk::config ( } if ( $use_storedconfigs ) { class { 'check_mk::server::collect_hosts': } + class { 'check_mk::server::collect_ps': } } diff --git a/manifests/install_tarball.pp b/manifests/install_tarball.pp index 4a0af23..af40a26 100644 --- a/manifests/install_tarball.pp +++ b/manifests/install_tarball.pp @@ -31,6 +31,7 @@ class check_mk::install_tarball ( ensure => present, require => Package['nagios'], } + # FIXME: this should get and check $use_ssh before requiring xinetd package { [ 'xinetd', 'mod_python', 'make', 'gcc-c++', 'tar', 'gzip' ]: ensure => present, } diff --git a/manifests/ps.pp b/manifests/ps.pp new file mode 100644 index 0000000..1171a13 --- /dev/null +++ b/manifests/ps.pp 
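Review bot: The define in the agent/ps.pp hunk takes `$user`, but the README example added in this same commit declares `owner => 'alice'`, which Puppet would reject as an invalid parameter. Either rename the parameter or change the README line to `user => 'alice'`. The define also has no header comment; something like `# Exports a check_mk::ps resource for this host, collected on the server by check_mk::server::collect_ps` would tell readers where `procname`, `levels` and `user` end up.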
@@ -0,0 +1,34 @@ +define check_mk::ps ( + $target, + $host, + $desc, + $procname = "/usr/sbin/${desc}", + $levels = '1, 1, 1, 1', + $user = undef +) { + # This class is called on check-mk agent machines in order to create + # checks using the built-in ps check type. They create stored configs + # and then the check_mk::server::collect_ps class on the server + # generates the config file to set them up + + # lines in the ps.mk config file look like + # ( "foo.example.com", "ps", "NAME", ( "/usr/sbin/foo", 1, 1, 1, 1 ) ) + # or with a user + # ( "foo.example.com", "ps", "NAME", ( "/usr/sbin/foo", "user", 1, 1, 1, 1 ) ) + if $user { + $check = " ( \"${host}\", \"ps\", \"${desc}\", ( \"${procname}\", ${user}, ${levels} ) ),\n" + } else { + $check = " ( \"${host}\", \"ps\", \"${desc}\", ( \"${procname}\", ${levels} ) ),\n" + } + + # FIXME: we could be smarter about this and consolidate host checks + # that have identical settings and that would make the config file + # make more sense for humans. but for now we'll just do separate + # lines (which may result in a very large file, but check-mk is fine) + concat::fragment { "check_mk_ps-${host}_${desc}": + target => $target, + content => $check, + order => 20 + } +} + diff --git a/manifests/server/collect_ps.pp b/manifests/server/collect_ps.pp new file mode 100644 index 0000000..067a25c --- /dev/null +++ b/manifests/server/collect_ps.pp 
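Review bot: In the `if $user` branch of the ps.pp hunk, `${user}` is interpolated without quotes although the comment just above shows it quoted, so the generated tuple holds a bare name instead of a string. The line should read `$check = " ( \"${host}\", \"ps\", \"${desc}\", ( \"${procname}\", \"${user}\", ${levels} ) ),\n"`. More broadly, `$host`, `$desc`, `$procname`, `$user` and `$levels` arrive through resources exported by agent nodes and are written unescaped into ps.mk, which check_mk loads as Python on the monitoring server. A quote or newline in any of them changes the structure of that file, so each value should be checked before use, e.g. `validate_re($levels, '^\d+(, *\d+){3}$')` (stdlib is already in use for `file_line`) and an equally strict pattern for the others. The leading comment calls this a class, but it is a define.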
@@ -0,0 +1,30 @@ +class check_mk::server::collect_ps ( + $config = "${::check_mk::config::etc_dir}/check_mk/conf.d/ps.mk" +) { + + # this class gets run on the check-mk server in order to collect the + # stored configs created on clients and assemble the ps.mk config file + concat { $config: + owner => 'root', + group => 'root', + mode => '0644', + notify => Exec['check_mk-refresh'], + } + + concat::fragment{'check_mk_ps_header': + target => $config, + content => "checks += [\n", + order => 10, + } + + Check_mk::Ps <<| tag == 'check_mk_ps' |>> { + target => $config, + notify => Exec['check_mk-refresh'] + } + + concat::fragment{'check_mk_ps_footer': + target => $config, + content => "]\n", + order => 90, + } +} diff --git a/manifests/service.pp b/manifests/service.pp index de0cbdb..36fb2d1 100644 --- a/manifests/service.pp +++ b/manifests/service.pp @@ -6,6 +6,7 @@ class check_mk::service { enable => true, } } + # FIXME: this should get and check $use_ssh before doing this if ! defined(Service[xinetd]) { service { 'xinetd': ensure => 'running', |