From 88d466e3aca349b3f129dd8e8967b90002a2584b Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Mon, 21 Apr 2014 15:57:36 -0700 Subject: fix comment from copied code --- manifests/agent/generate_sshkey.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/agent/generate_sshkey.pp b/manifests/agent/generate_sshkey.pp index 3187037..47f3026 100644 --- a/manifests/agent/generate_sshkey.pp +++ b/manifests/agent/generate_sshkey.pp @@ -6,7 +6,7 @@ define check_mk::agent::generate_sshkey( $check_mk_tag = 'check_mk_sshkey' ){ - # generate backupninja ssh keypair + # generate check-mk ssh keypair $ssh_key_name = "monitoring_${::fqdn}_id_rsa" $ssh_keys = ssh_keygen("${ssh_key_basepath}/${ssh_key_name}") $public = split($ssh_keys[1],' ') -- cgit v1.2.3 From 25b9b5f7cd2d64f464fb198d90cc757a1bff1c81 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Tue, 22 Apr 2014 00:17:34 -0700 Subject: replace homedir with more specific keydir, authdir, and authfile in order to allow overriding each. modify ::agent, ::agent::config, and ::agent::generate_sshkey to allow changing at each level, with reasonable defaults --- manifests/agent.pp | 44 ++++++++++++++++++++++++++++---------- manifests/agent/config.pp | 21 ++++++++++++++---- manifests/agent/generate_sshkey.pp | 43 ++++++++++++++++++++++++++----------- 3 files changed, 80 insertions(+), 28 deletions(-) diff --git a/manifests/agent.pp b/manifests/agent.pp index 2ff9da5..505db64 100644 --- a/manifests/agent.pp +++ b/manifests/agent.pp @@ -4,7 +4,9 @@ class check_mk::agent ( $ip_whitelist = undef, $port = '6556', $server_dir = '/usr/bin', - $homedir = '/omd/sites/monitoring', + $keydir = '/omd/sites/monitoring', + $authdir = '/omd/sites/monitoring', + $authfile = undef, $use_cache = false, $user = 'root', $version = undef, 
@@ -40,16 +42,36 @@ class check_mk::agent ( agent_logwatch_package_name => $agent_logwatch_package_name, method => $method } - class { 'check_mk::agent::config': - ip_whitelist => $ip_whitelist, - port => $port, - server_dir => $server_dir, - homedir => $homedir, - use_cache => $use_cache, - user => $user, - method => $method, - generate_sshkey => $generate_sshkey, - require => Class['check_mk::agent::install'], + + if $authfile { + # if authfile is set, pass it though + class { 'check_mk::agent::config': + ip_whitelist => $ip_whitelist, + port => $port, + server_dir => $server_dir, + keydir => $keydir, + authdir => $authdir, + authfile => $authfile, + use_cache => $use_cache, + user => $user, + method => $method, + generate_sshkey => $generate_sshkey, + require => Class['check_mk::agent::install'], + } + } else { + # otherwise don't + class { 'check_mk::agent::config': + ip_whitelist => $ip_whitelist, + port => $port, + server_dir => $server_dir, + keydir => $keydir, + authdir => $authdir, + use_cache => $use_cache, + user => $user, + method => $method, + generate_sshkey => $generate_sshkey, + require => Class['check_mk::agent::install'], + } } if ( $register_agent ) { diff --git a/manifests/agent/config.pp b/manifests/agent/config.pp index 256af8f..40b9ff5 100644 --- a/manifests/agent/config.pp +++ b/manifests/agent/config.pp @@ -1,8 +1,10 @@ class check_mk::agent::config ( - $ip_whitelist = '', + $ip_whitelist = '', $port, $server_dir, - $homedir, + $keydir, + $authdir, + $authfile = undef, $use_cache, $user, $method = 'xinetd', 
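Review bot: The two `class { 'check_mk::agent::config': ... }` declarations in the new `if $authfile` / `else` differ only in the `authfile` line, so every later parameter change has to be made twice. check_mk::agent::config declares `$authfile = undef` in this same commit, so a single declaration that always passes `authfile => $authfile` should behave the same, assuming the Puppet version in use treats an explicit undef as "use the default". The same duplication is added around `check_mk::agent::generate_sshkey` in config.pp. The comment `pass it though` should read `pass it through`.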
@@ -34,8 +36,19 @@ class check_mk::agent::config ( } 'ssh' : { if $generate_sshkey { - check_mk::agent::generate_sshkey { 'check_mk_key': - homedir => $homedir + if $authfile { + # if authfile is overridden, pass it through + check_mk::agent::generate_sshkey { 'check_mk_key': + keydir => $keydir, + authdir => $authdir, + authfile => $authfile + } + } else { + # otherwise don't + check_mk::agent::generate_sshkey { 'check_mk_key': + keydir => $keydir, + authdir => $authdir + } } } } diff --git a/manifests/agent/generate_sshkey.pp b/manifests/agent/generate_sshkey.pp index 47f3026..3bc9a1d 100644 --- a/manifests/agent/generate_sshkey.pp +++ b/manifests/agent/generate_sshkey.pp 
@@ -1,27 +1,47 @@ -define check_mk::agent::generate_sshkey( +define check_mk::agent::generate_sshkey ( + # dir on the check-mk-server where the collected key pairs are stored + $keydir, + # dir on the check-mk-agent where the authorized_keys file is stored + $authdir, + # name of the authorized_keys file + $authfile = undef, + # dir on the puppetmaster where keys are stored $ssh_key_basepath = '/etc/puppet/modules/keys/files/check_mk_keys', + # user and group to run the agent as $user = 'monitoring', $group = 'monitoring', - $homedir, $check_mk_tag = 'check_mk_sshkey' ){ # generate check-mk ssh keypair - $ssh_key_name = "monitoring_${::fqdn}_id_rsa" + $ssh_key_name = "${user}_${::fqdn}_id_rsa" $ssh_keys = ssh_keygen("${ssh_key_basepath}/${ssh_key_name}") $public = split($ssh_keys[1],' ') $public_type = $public[0] $public_key = $public[1] $secret_key = $ssh_keys[0] - sshd::ssh_authorized_key { $ssh_key_name: - type => 'ssh-rsa', - key => $public_key, - user => 'root', - options => 'command="/usr/bin/check_mk_agent"'; + if $authdir or $authfile { + # if $authkey or $authdir are set, override authorized_keys path and file + sshd::ssh_authorized_key { $ssh_key_name: + type => 'ssh-rsa', + key => $public_key, + user => 'root', + target => "${authdir}/${authfile}", + options => 'command="/usr/bin/check_mk_agent"'; + } + } else { + # otherwise use the defaults + sshd::ssh_authorized_key { $ssh_key_name: + type => 'ssh-rsa', + key => $public_key, + user => 'root', + options => 'command="/usr/bin/check_mk_agent"'; + } } - @@file { "${homedir}/.ssh/${ssh_key_name}": + # resource collector, these end up on the check-mk-server host + @@file { "${keydir}/${ssh_key_name}": content => $secret_key, owner => $user, group => $group, 
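Review bot: The guard `if $authdir or $authfile` is true whenever either value is set, yet `target => "${authdir}/${authfile}"` needs both. `$authdir` is a mandatory parameter of this define and `$authfile` defaults to `undef`, so a caller that leaves `$authfile` unset takes the override branch with a target ending in `/`. Testing `if $authdir and $authfile` would limit the override to the case where a full path can be built. The comment above the resource names `$authkey`, which is not a parameter here; `$authfile` appears to be meant. The define's body continues past the end of this hunk.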
@@ -29,14 +49,11 @@ define check_mk::agent::generate_sshkey( tag => $check_mk_tag; } - - @@file { "${homedir}/.ssh/${ssh_key_name}.pub": + @@file { "${keydir}/${ssh_key_name}.pub": content => $public_key, owner => $user, group => $group, mode => '0666', tag => $check_mk_tag; } - - } -- cgit v1.2.3 From c1eda813fbe51ab3476d4e5e2a1c996230339cef Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Thu, 24 Apr 2014 15:39:08 -0700 Subject: if using ssh, clean up any existing xinetd config --- manifests/agent/config.pp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/manifests/agent/config.pp b/manifests/agent/config.pp index 40b9ff5..58e3b1e 100644 --- a/manifests/agent/config.pp +++ b/manifests/agent/config.pp @@ -51,6 +51,11 @@ class check_mk::agent::config ( } } } + + # make sure the xinetd method is not configured + file { '/etc/xinetd.d/check_mk': + ensure => absent; + } } default : {} } -- cgit v1.2.3 From 6fb6618eba1a027a8cc3ccb4b086ec05240b679e Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Thu, 24 Apr 2014 16:05:13 -0700 Subject: add some comments about how these classes should be checking if the ssh method is being used before doing xinetd related things --- manifests/install_tarball.pp | 1 + manifests/service.pp | 1 + 2 files changed, 2 insertions(+) diff --git a/manifests/install_tarball.pp b/manifests/install_tarball.pp index 4a0af23..af40a26 100644 --- a/manifests/install_tarball.pp +++ b/manifests/install_tarball.pp @@ -31,6 +31,7 @@ class check_mk::install_tarball ( ensure => present, require => Package['nagios'], } + # FIXME: this should get and check $use_ssh before requiring xinetd package { [ 'xinetd', 'mod_python', 'make', 'gcc-c++', 'tar', 'gzip' ]: ensure => present, } diff --git a/manifests/service.pp b/manifests/service.pp index da50e4e..7e3a153 100644 --- a/manifests/service.pp +++ b/manifests/service.pp 
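Review bot: The exported `.pub` file that this hunk moves to `${keydir}` keeps `mode => '0666'`, which leaves it writable by every local user on the host that collects it; `mode => '0644'` is enough for a public key. Its `content => $public_key` is only the second field of the generated public key line (`$public[1]` in the previous hunk), so the file has no key type prefix and may not be usable as a normal `.pub` file. The define starts outside this hunk.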
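Review bot: Setting `/etc/xinetd.d/check_mk` to `ensure => absent` does not by itself make a running xinetd stop serving the agent, so a host switched to the ssh method may keep answering on the old port until xinetd is reloaded. Add a notification to the resource, for example `notify => Service['xinetd']`, provided that service resource is in the catalog for ssh-method nodes, which this hunk does not show. The enclosing `case` statement starts outside the hunk.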
@@ -6,6 +6,7 @@ class check_mk::service { enable => true, } } + # FIXME: this should get and check $use_ssh before doing this if ! defined(Service[xinetd]) { service { 'xinetd': ensure => 'running', -- cgit v1.2.3 From 071b80ddc51e5f2de0c337546eca20ba71dd1437 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Thu, 24 Apr 2014 16:25:56 -0700 Subject: add TODO for proper distro support --- TODO | 3 +++ 1 file changed, 3 insertions(+) diff --git a/TODO b/TODO index 1e0a106..1697f34 100644 --- a/TODO +++ b/TODO @@ -1,2 +1,5 @@ Use nagios_hostgroup type rather than clumsily creating our own. Add support for ignored_services to eliminate false alerts. +Implement support for choosing either upstream install or distro supplied + packages. If using distro packages, detect distro and set package names + to reasonable default (currently requires overriding). -- cgit v1.2.3 From 95947b5213b58be61563f966e2fb3a0cf3a072c1 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Tue, 29 Apr 2014 11:33:41 -0700 Subject: remove username from key filename, add comments explaining where things are getting installed, don't install the private key on the agent, it's not needed there --- manifests/agent/generate_sshkey.pp | 20 +++++++------------- 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/manifests/agent/generate_sshkey.pp b/manifests/agent/generate_sshkey.pp index 3bc9a1d..fb7ce11 100644 --- a/manifests/agent/generate_sshkey.pp +++ b/manifests/agent/generate_sshkey.pp 
@@ -13,14 +13,15 @@ define check_mk::agent::generate_sshkey ( $check_mk_tag = 'check_mk_sshkey' ){ - # generate check-mk ssh keypair - $ssh_key_name = "${user}_${::fqdn}_id_rsa" + # generate check-mk ssh keypair, stored on puppetmaster + $ssh_key_name = "${::fqdn}_id_rsa" $ssh_keys = ssh_keygen("${ssh_key_basepath}/${ssh_key_name}") $public = split($ssh_keys[1],' ') $public_type = $public[0] $public_key = $public[1] $secret_key = $ssh_keys[0] + # setup the public half of the key in authorized_keys on the agent if $authdir or $authfile { # if $authkey or $authdir are set, override authorized_keys path and file sshd::ssh_authorized_key { $ssh_key_name: @@ -40,20 +41,13 @@ define check_mk::agent::generate_sshkey ( } } - # resource collector, these end up on the check-mk-server host + # resource collector for the private half of the keys, these end up on + # the check-mk-server host @@file { "${keydir}/${ssh_key_name}": content => $secret_key, - owner => $user, - group => $group, + owner => root, + group => root, mode => '0600', tag => $check_mk_tag; } - - @@file { "${keydir}/${ssh_key_name}.pub": - content => $public_key, - owner => $user, - group => $group, - mode => '0666', - tag => $check_mk_tag; - } } -- cgit v1.2.3 From 6547ba79591886544af4eaab88b65215d579d857 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Tue, 29 Apr 2014 12:33:37 -0700 Subject: switch to using a more standard storage location on the puppetmaster, and make sure it exists, work around bug with /var/lib/puppet/modules, drop monitoring user/group --- manifests/agent/generate_sshkey.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/manifests/agent/generate_sshkey.pp b/manifests/agent/generate_sshkey.pp index fb7ce11..6f88f35 100644 --- a/manifests/agent/generate_sshkey.pp +++ b/manifests/agent/generate_sshkey.pp 
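Review bot: `$ssh_key_name` is now built solely from `${::fqdn}`, a fact reported by the agent, and it feeds both the path handed to `ssh_keygen(...)` on the puppetmaster and the exported `@@file` path on the check-mk server. The master does not verify facts, so the name is better taken from the node's certificate name (`$trusted['certname']` where the Puppet version provides it), or at least checked against a hostname pattern before it is used in a path. Dropping the `${user}_` prefix also means the key file name is one per host; a comment saying that this is intended would help the next reader.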
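Review bot: `content => $secret_key` on an exported `@@file` means the private key is held in the storeconfigs backend, readable by anyone with access to that database and collectable by any node that realizes the `$check_mk_tag` tag. If this design stays, the comment should say so and the database should be treated as key material; an alternative is to have only the check-mk server fetch the key through `source =>` from a restricted file server mount. The comment calls this a "resource collector", but `@@file` is an exported resource, and the collector is the `<<| |>>` expression on the server; suggested wording: `# exported resource for the private half of the key, collected on the check-mk server`.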
@@ -6,10 +6,10 @@ define check_mk::agent::generate_sshkey ( # name of the authorized_keys file $authfile = undef, # dir on the puppetmaster where keys are stored - $ssh_key_basepath = '/etc/puppet/modules/keys/files/check_mk_keys', - # user and group to run the agent as - $user = 'monitoring', - $group = 'monitoring', + # FIXME: need a way to ensure this dir is setup on the puppetmaster correctly + #$ssh_key_basepath = "${common::moduledir::module_dir_path}/check_mk/keys", + # for now use a dir we know works + $ssh_key_basepath = '/etc/puppet/modules/check_mk/keys', $check_mk_tag = 'check_mk_sshkey' ){ -- cgit v1.2.3 From ec8169eadc16fde4a8019b67f4966d2b119cb765 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Thu, 1 May 2014 14:07:53 -0700 Subject: create an sshuser parameter, so we can determine when we need to use sudo in the agent authorized_keys command --- manifests/agent.pp | 3 +++ manifests/agent/config.pp | 11 +++++++---- manifests/agent/generate_sshkey.pp | 13 +++++++++++-- 3 files changed, 21 insertions(+), 6 deletions(-) diff --git a/manifests/agent.pp b/manifests/agent.pp index 505db64..9a365a3 100644 --- a/manifests/agent.pp +++ b/manifests/agent.pp @@ -15,6 +15,7 @@ class check_mk::agent ( $agent_logwatch_package_name = 'check_mk-agent-logwatch', $method = 'xinetd', $generate_sshkey = false, + $sshuser = undef, $use_ssh_tag = 'ssh', $register_agent = true ) { @@ -56,6 +57,7 @@ class check_mk::agent ( user => $user, method => $method, generate_sshkey => $generate_sshkey, + sshuser => $sshuser, require => Class['check_mk::agent::install'], } } else { @@ -70,6 +72,7 @@ class check_mk::agent ( user => $user, method => $method, generate_sshkey => $generate_sshkey, + sshuser => $sshuser, require => Class['check_mk::agent::install'], } } diff --git a/manifests/agent/config.pp b/manifests/agent/config.pp index 58e3b1e..b00329b 100644 --- a/manifests/agent/config.pp +++ b/manifests/agent/config.pp 
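Review bot: The new default `$ssh_key_basepath = '/etc/puppet/modules/check_mk/keys'` keeps generated private keys inside the module tree, and, as the FIXME says, nothing in this hunk creates that directory or sets its permissions. Keys written there take whatever ownership and mode the module directory has, and can be swept up by version control or overwritten by a module deployment. A dedicated directory outside the module path, owned by the user the master runs as and mode `0700`, would be safer; the comment should state that requirement until the module manages it. The commit message says the change makes sure the directory exists, but that is not visible in this hunk.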
@@ -9,6 +9,7 @@ class check_mk::agent::config ( $user, $method = 'xinetd', $generate_sshkey = false, + $sshuser = undef ) { if $use_cache { $server = "${server_dir}/check_mk_caching_agent" @@ -39,15 +40,17 @@ class check_mk::agent::config ( if $authfile { # if authfile is overridden, pass it through check_mk::agent::generate_sshkey { 'check_mk_key': - keydir => $keydir, - authdir => $authdir, - authfile => $authfile + keydir => $keydir, + authdir => $authdir, + authfile => $authfile, + sshuser => $sshuser } } else { # otherwise don't check_mk::agent::generate_sshkey { 'check_mk_key': keydir => $keydir, - authdir => $authdir + authdir => $authdir, + sshuser => $sshuser } } } diff --git a/manifests/agent/generate_sshkey.pp b/manifests/agent/generate_sshkey.pp index 6f88f35..f01d2cf 100644 --- a/manifests/agent/generate_sshkey.pp +++ b/manifests/agent/generate_sshkey.pp @@ -10,6 +10,7 @@ define check_mk::agent::generate_sshkey ( #$ssh_key_basepath = "${common::moduledir::module_dir_path}/check_mk/keys", # for now use a dir we know works $ssh_key_basepath = '/etc/puppet/modules/check_mk/keys', + $sshuser = 'root', $check_mk_tag = 'check_mk_sshkey' ){ @@ -21,7 +22,15 @@ define check_mk::agent::generate_sshkey ( $public_key = $public[1] $secret_key = $ssh_keys[0] + # if we're not root we need to use sudo + if $sshuser != 'root' { + $command = 'sudo /usr/bin/check_mk_agent' + } else { + $command = '/usr/bin/check_mk_agent' + } + # setup the public half of the key in authorized_keys on the agent + # and restrict it to running only the agent if $authdir or $authfile { # if $authkey or $authdir are set, override authorized_keys path and file sshd::ssh_authorized_key { $ssh_key_name: @@ -29,7 +38,7 @@ define check_mk::agent::generate_sshkey ( key => $public_key, user => 'root', target => "${authdir}/${authfile}", - options => 'command="/usr/bin/check_mk_agent"'; + options => "command=\"${command}\""; } } else { # otherwise use the defaults 
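Review bot: The new `$command` is chosen from `$sshuser`, but both `sshd::ssh_authorized_key` resources in the following hunks still set `user => 'root'`, so as written a non-root `$sshuser` results in a `sudo` forced command on a key entry managed for root rather than for the intended account. Passing `user => $sshuser` in both resources would keep the account and the command in step. Nothing visible here manages the sudoers rule that the non-root case depends on; it should allow only `/usr/bin/check_mk_agent`, and that requirement is worth a comment next to `$command`.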
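Review bot: The key entry is restricted only by `command=`, both in this resource and in the default-branch resource changed in the next hunk; a forced command does not by itself switch off port, agent or X11 forwarding or pty allocation for the holder of the private key. Consider `options => "command=\"${command}\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"`, assuming `sshd::ssh_authorized_key` passes a comma-separated option string through unchanged; its definition is not visible on this page.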
@@ -37,7 +46,7 @@ define check_mk::agent::generate_sshkey ( type => 'ssh-rsa', key => $public_key, user => 'root', - options => 'command="/usr/bin/check_mk_agent"'; + options => "command=\"${command}\""; } } -- cgit v1.2.3 From 133c87b0f3a85ccb4aafd16fef0fa68348a559c1 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Mon, 5 May 2014 13:00:49 -0700 Subject: make resource name unique per host to ensure no collisions --- manifests/agent/config.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/agent/config.pp b/manifests/agent/config.pp index b00329b..934a05f 100644 --- a/manifests/agent/config.pp +++ b/manifests/agent/config.pp @@ -39,7 +39,7 @@ class check_mk::agent::config ( if $generate_sshkey { if $authfile { # if authfile is overridden, pass it through - check_mk::agent::generate_sshkey { 'check_mk_key': + check_mk::agent::generate_sshkey { "check_mk_key_${::fqdn}": keydir => $keydir, authdir => $authdir, authfile => $authfile, @@ -47,7 +47,7 @@ class check_mk::agent::config ( } } else { # otherwise don't - check_mk::agent::generate_sshkey { 'check_mk_key': + check_mk::agent::generate_sshkey { "check_mk_key_${::fqdn}": keydir => $keydir, authdir => $authdir, sshuser => $sshuser -- cgit v1.2.3 From bb832e0f0fa92627412058f690b45eec0b4bbadc Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Tue, 13 May 2014 10:27:34 -0700 Subject: use new override_builtin parameter to fix problem with central authorized_keys directory, use sshuser --- manifests/agent/generate_sshkey.pp | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/manifests/agent/generate_sshkey.pp b/manifests/agent/generate_sshkey.pp index f01d2cf..c72da91 100644 --- a/manifests/agent/generate_sshkey.pp +++ b/manifests/agent/generate_sshkey.pp 
@@ -33,12 +33,15 @@ define check_mk::agent::generate_sshkey ( # and restrict it to running only the agent if $authdir or $authfile { # if $authkey or $authdir are set, override authorized_keys path and file + # and also override using the built-in ssh_authorized_key since it may + # not be able to write to $authdir sshd::ssh_authorized_key { $ssh_key_name: - type => 'ssh-rsa', - key => $public_key, - user => 'root', - target => "${authdir}/${authfile}", - options => "command=\"${command}\""; + type => 'ssh-rsa', + key => $public_key, + user => $sshuser, + target => "${authdir}/${authfile}", + override_builtin => true, + options => "command=\"${command}\""; } } else { # otherwise use the defaults -- cgit v1.2.3 From 0c2c95da25687045bd894e0780d0fd843ac235fd Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Tue, 13 May 2014 15:38:36 -0700 Subject: define some files so that the nagios module doesn't try to recurse+purge them --- manifests/config.pp | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/manifests/config.pp b/manifests/config.pp index 6a6f375..1d7d6cd 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -6,8 +6,18 @@ class check_mk::config ( $bin_dir = "/omd/sites/${site}/bin", $use_storedconfigs = true ) { - file { "${etc_dir}/${nagios_subdir}/local": - ensure => directory, + file { + # for local check_mk checks + "${etc_dir}/${nagios_subdir}/local": + ensure => directory; + + # package provided and check_mk generated files, defined so the nagios + # module doesn't purge them + "${etc_dir}/${nagios_subdir}/conf.d/check_mk": + ensure => directory; + [ "${etc_dir}/${nagios_subdir}/conf.d/check_mk/check_mk_objects.cfg", + "${etc_dir}/${nagios_subdir}/conf.d/check_mk/check_mk_templates.cfg" ]: + ensure => present; } file_line { 'nagios-add-check_mk-cfg_dir': ensure => present, -- cgit v1.2.3 From 4a6e0fe8b1c17d2b35da7b7e548c01d93ee1ea9c Mon Sep 17 00:00:00 2001 
From: Matt Taggart Date: Tue, 13 May 2014 15:56:22 -0700 Subject: set the user/group the key needs to be owner by on the server, default to nagios, but this might need to be something else for OMD (if so then that will need tobe passed down via agent::config) --- manifests/agent/generate_sshkey.pp | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/manifests/agent/generate_sshkey.pp b/manifests/agent/generate_sshkey.pp index c72da91..68c3bf1 100644 --- a/manifests/agent/generate_sshkey.pp +++ b/manifests/agent/generate_sshkey.pp @@ -1,6 +1,9 @@ define check_mk::agent::generate_sshkey ( # dir on the check-mk-server where the collected key pairs are stored $keydir, + # user/group the key should be owned by on the check-mk-server + $keyuser = 'nagios', + $keygroup = 'nagios', # dir on the check-mk-agent where the authorized_keys file is stored $authdir, # name of the authorized_keys file @@ -54,11 +57,11 @@ define check_mk::agent::generate_sshkey ( } # resource collector for the private half of the keys, these end up on - # the check-mk-server host + # the check-mk-server host, and the user running check-mk needs access @@file { "${keydir}/${ssh_key_name}": content => $secret_key, - owner => root, - group => root, + owner => $keyuser, + group => $keygroup, mode => '0600', tag => $check_mk_tag; } -- cgit v1.2.3 From 7893decc59cc67d446e65f7045e0de5ee929252e Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 16 May 2014 11:52:32 -0700 Subject: add mrpe subclass to setup the needed things for doing mrpe checks, so that those checks can just include it (stolen from the leap site_check_mk, seems like a good thing to have in the shared module) --- manifests/agent/mrpe.pp | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 manifests/agent/mrpe.pp diff --git a/manifests/agent/mrpe.pp b/manifests/agent/mrpe.pp new file mode 100644 index 0000000..749550a --- /dev/null +++ b/manifests/agent/mrpe.pp 
@@ -0,0 +1,17 @@ +class check_mk::agent::mrpe { + # check_mk can use standard nagios plugins using + # a wrapper called mrpe + # see http://mathias-kettner.de/checkmk_mrpe.html + # this subclass is provided to be included by checks that use mrpe + + # FIXME: this is Debian specific and should be made more generic + package { 'nagios-plugins-basic': + ensure => latest, + } + + # ensure the config file exists, individual checks will add lines to it + file { '/etc/check_mk/mrpe.cfg': + ensure => present, + require => Package['check-mk-agent'] + } +} -- cgit v1.2.3 From 989fb446c1db090f7f9a4d1401b5ba83681af581 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Thu, 26 Jun 2014 17:21:27 -0700 Subject: new resource collector for 'ps' checks --- manifests/agent/ps.pp | 17 +++++++++++++++++ manifests/config.pp | 1 + manifests/ps.pp | 29 +++++++++++++++++++++++++++++ manifests/server/collect_ps.pp | 29 +++++++++++++++++++++++++++++ 4 files changed, 76 insertions(+) create mode 100644 manifests/agent/ps.pp create mode 100644 manifests/ps.pp create mode 100644 manifests/server/collect_ps.pp diff --git a/manifests/agent/ps.pp b/manifests/agent/ps.pp new file mode 100644 index 0000000..67a999f --- /dev/null +++ b/manifests/agent/ps.pp @@ -0,0 +1,17 @@ +define check_mk::agent::ps ( + # procname and levels have defaults in check_mk::ps + $procname = undef, + $levels = undef, + # user is optional + $user = undef +) { + + @@check_mk::ps { "${::fqdn}_${name}": + desc => $name, + host => $::fqdn, + procname => $procname, + user => $user, + levels => $levels, + tag => 'check_mk_ps'; + } +} diff --git a/manifests/config.pp b/manifests/config.pp index 1d7d6cd..6736147 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -51,6 +51,7 @@ class check_mk::config ( } if ( $use_storedconfigs ) { class { 'check_mk::server::collect_hosts': } + class { 'check_mk::server::collect_ps': } } diff --git a/manifests/ps.pp b/manifests/ps.pp new file mode 100644 index 0000000..c84f583 
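Review bot: `/etc/check_mk/mrpe.cfg` is declared with `ensure => present` only, so its owner and mode are left to whatever already exists or to Puppet's defaults. The comment says individual checks add lines to this file, so set `owner => 'root', group => 'root', mode => '0644'` explicitly. `require => Package['check-mk-agent']` hard-codes a package title, while the agent classes elsewhere on this page take package names as parameters, so the reference may not resolve where the name is overridden. `ensure => latest` on `nagios-plugins-basic` turns every Puppet run into a possible upgrade; `present` is more predictable.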
--- /dev/null +++ b/manifests/ps.pp @@ -0,0 +1,29 @@ +define check_mk::ps ( + $target, + $host, + $desc, + $procname = "/usr/sbin/${desc}", + $levels = '1, 1, 1, 1', + $user = undef +) { + + # lines look like + # ( "foo.example.com", "ps", "NAME", ( "/usr/sbin/foo", 1, 1, 1, 1 ) ) + # or with a user + # ( "foo.example.com", "ps", "NAME", ( "/usr/sbin/foo", "user", 1, 1, 1, 1 ) ) + if $user { + $check = " ( \"${host}\", \"ps\", \"${desc}\", ( \"${procname}\", ${user}, ${levels} ) ),\n" + } else { + $check = " ( \"${host}\", \"ps\", \"${desc}\", ( \"${procname}\", ${levels} ) ),\n" + } + + # FIXME: we could be smarter about this and consolidate host checks that have + # identical settings and that would make the config file make more sense + # for humans. but for now we'll just do separate lines. + concat::fragment { "check_mk_ps-${host}_${desc}": + target => $target, + content => $check, + order => 20 + } +} + diff --git a/manifests/server/collect_ps.pp b/manifests/server/collect_ps.pp new file mode 100644 index 0000000..7a0fb8f --- /dev/null +++ b/manifests/server/collect_ps.pp @@ -0,0 +1,29 @@ +class check_mk::server::collect_ps ( + $config = "${::check_mk::config::etc_dir}/check_mk/conf.d/ps.mk" +) { + + concat { $config: + owner => 'root', + group => 'root', + mode => '0644', + notify => Exec['check_mk-refresh'], + } + + concat::fragment{'check_mk_ps_header': + target => $config, + content => "checks += [\n", + order => 10, + } + + Check_mk::Ps <<| tag == 'check_mk_ps' |>> { + target => $config, + notify => Exec['check_mk-refresh'] + } + + concat::fragment{'check_mk_ps_footer': + target => $config, + content => "]\n", + order => 90, + } + +} -- cgit v1.2.3 From d8b9f38af3fb98052abacbdb444bd69567f454af Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Tue, 8 Jul 2014 15:24:09 -0700 Subject: add details about migrating from statd and nrpe --- README.md | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) 
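Review bot: In the `if $user` branch `${user}` is written into the check tuple without quotes, whereas the comment above shows it as a quoted string (`"user"`), so the generated ps.mk line would carry a bare word; use `\"${user}\"` in that branch. More broadly, `$host`, `$desc`, `$procname`, `$user` and `$levels` arrive through exported resources declared on agent nodes and are pasted into a file the check-mk server loads as configuration, so a quote or newline in any of them changes the structure of that file. Checking each value against a narrow pattern before building `$check` (for example with stdlib's `validate_re`, if stdlib is available to this module) would keep one node's data from altering the server's configuration.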
diff --git a/README.md b/README.md index 0f567ee..a8736f2 100644 --- a/README.md +++ b/README.md @@ -204,6 +204,59 @@ You can also include host tags - for example: Remember to run the Puppet agent on your monitoring host to pick up any changes. +## Migrating from nagios-statd + +nagios-statd provides several features that can be replaced with check_mk +plugins. + +*nagios-stat-proc*: checks processes on the agent system +If you previously used the nagios puppet module to do something like: + + check_command => 'nagios-stat-proc!/usr/sbin/foo!1!1!proc' + +you can now use the check_mk ps check: + + check_mk::agent::ps { + 'foo': + procname => '/usr/local/weirdpath/foo', + levels => '1, 2, 2, 3', + owner => 'alice' + } + +defaults: + procname: "/usr/sbin/${name}" + levels: '1, 1, 1, 1' + owner: not required + +Run check_mk with '-M ps' for the manpage explaining the parameters. + +*swap*: check_mk has a 'mem.used' check which is enabled by default. But + as it's manpage explains if you want to measure swappiness you are + better off using the 'kernel' check and measuring 'Major Page Faults' + (pgmajfault). + +*disk*: check_mk has a 'df' check which is enabled by default. + +## Migrating from nrpe to mrpe + +If you were using nrpe to run a nagios plugin locally, first check if a +native check_mk check exists with the same functionality, if not consider +writing one. But if continuing to use the nagios plugin makes sense you +can switch to mrpe. + +* Continue to deliver the plugin to the agent system +* include check_mk::agent::mrpe +* add a line to the mrpe.cfg file using augeas + + augeas { + "Foo": + incl => '/etc/check_mk/mrpe.cfg', + lens => 'Spacevars.lns', + changes => 'set FOO /usr/local/lib/nagios/plugins/check_foo', + require => [ File['/usr/local/lib/nagios/plugins' ], Package['check-mk-agent'] ]; + } + + This is the riseup clone, available at: git://labs.riseup.net/module_check_mk -- cgit v1.2.3 
From 3736a2b0a2b33bc00231d7222a65ae33af5a43c9 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Mon, 10 Nov 2014 14:47:37 -0800 Subject: make setting host_tags a little safer if we're using the module default of undef --- manifests/agent.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/agent.pp b/manifests/agent.pp index 9a365a3..e34a293 100644 --- a/manifests/agent.pp +++ b/manifests/agent.pp @@ -26,10 +26,10 @@ class check_mk::agent ( include check_mk::agent::service } 'ssh': { - if ( $host_tags != '' ) { - $tags = "${host_tags}|${use_ssh_tag}" - } else { + if ( $host_tags == undef ) or ( $host_tags == '' ) { $tags = $use_ssh_tag + } else { + $tags = "${host_tags}|${use_ssh_tag}" } } default: {} -- cgit v1.2.3 From ef821fad2dda052fd60255e7c6e3a199d536fa69 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Thu, 22 Jan 2015 12:11:04 -0800 Subject: we don't need to check $authfile, puppet will do the right thing Conflicts: manifests/agent/generate_sshkey.pp --- manifests/agent.pp | 44 +++++++++++--------------------------- manifests/agent/config.pp | 20 +++++------------ manifests/agent/generate_sshkey.pp | 27 ++++++----------------- 3 files changed, 25 insertions(+), 66 deletions(-) diff --git a/manifests/agent.pp b/manifests/agent.pp index e34a293..c455bd5 100644 --- a/manifests/agent.pp +++ b/manifests/agent.pp 
@@ -44,37 +44,19 @@ class check_mk::agent ( method => $method } - if $authfile { - # if authfile is set, pass it though - class { 'check_mk::agent::config': - ip_whitelist => $ip_whitelist, - port => $port, - server_dir => $server_dir, - keydir => $keydir, - authdir => $authdir, - authfile => $authfile, - use_cache => $use_cache, - user => $user, - method => $method, - generate_sshkey => $generate_sshkey, - sshuser => $sshuser, - require => Class['check_mk::agent::install'], - } - } else { - # otherwise don't - class { 'check_mk::agent::config': - ip_whitelist => $ip_whitelist, - port => $port, - server_dir => $server_dir, - keydir => $keydir, - authdir => $authdir, - use_cache => $use_cache, - user => $user, - method => $method, - generate_sshkey => $generate_sshkey, - sshuser => $sshuser, - require => Class['check_mk::agent::install'], - } + class { 'check_mk::agent::config': + ip_whitelist => $ip_whitelist, + port => $port, + server_dir => $server_dir, + keydir => $keydir, + authdir => $authdir, + authfile => $authfile, + use_cache => $use_cache, + user => $user, + method => $method, + generate_sshkey => $generate_sshkey, + sshuser => $sshuser, + require => Class['check_mk::agent::install'], } if ( $register_agent ) { diff --git a/manifests/agent/config.pp b/manifests/agent/config.pp index 934a05f..36f2910 100644 --- a/manifests/agent/config.pp +++ b/manifests/agent/config.pp 
@@ -37,21 +37,11 @@ class check_mk::agent::config ( } 'ssh' : { if $generate_sshkey { - if $authfile { - # if authfile is overridden, pass it through - check_mk::agent::generate_sshkey { "check_mk_key_${::fqdn}": - keydir => $keydir, - authdir => $authdir, - authfile => $authfile, - sshuser => $sshuser - } - } else { - # otherwise don't - check_mk::agent::generate_sshkey { "check_mk_key_${::fqdn}": - keydir => $keydir, - authdir => $authdir, - sshuser => $sshuser - } + check_mk::agent::generate_sshkey { "check_mk_key_${::fqdn}": + keydir => $keydir, + authdir => $authdir, + authfile => $authfile, + sshuser => $sshuser } } diff --git a/manifests/agent/generate_sshkey.pp b/manifests/agent/generate_sshkey.pp index 68c3bf1..71b58e9 100644 --- a/manifests/agent/generate_sshkey.pp +++ b/manifests/agent/generate_sshkey.pp @@ -34,26 +34,13 @@ define check_mk::agent::generate_sshkey ( # setup the public half of the key in authorized_keys on the agent # and restrict it to running only the agent - if $authdir or $authfile { - # if $authkey or $authdir are set, override authorized_keys path and file - # and also override using the built-in ssh_authorized_key since it may - # not be able to write to $authdir - sshd::ssh_authorized_key { $ssh_key_name: - type => 'ssh-rsa', - key => $public_key, - user => $sshuser, - target => "${authdir}/${authfile}", - override_builtin => true, - options => "command=\"${command}\""; - } - } else { - # otherwise use the defaults - sshd::ssh_authorized_key { $ssh_key_name: - type => 'ssh-rsa', - key => $public_key, - user => 'root', - options => "command=\"${command}\""; - } + sshd::ssh_authorized_key { $ssh_key_name: + type => 'ssh-rsa', + key => $public_key, + user => $sshuser, + target => "${authdir}/${authfile}", + override_builtin => true, + options => "command=\"${command}\""; } # resource collector for the private half of the keys, these end up on -- cgit v1.2.3 From 23a17e5c42e185034e9de809625de1125fa08873 Mon Sep 17 00:00:00 2001 
From: Matt Taggart Date: Thu, 22 Jan 2015 12:40:06 -0800 Subject: revert this part, since we contruct $target we _do_ need to check authdir/authfile --- manifests/agent/generate_sshkey.pp | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/manifests/agent/generate_sshkey.pp b/manifests/agent/generate_sshkey.pp index 71b58e9..419e73f 100644 --- a/manifests/agent/generate_sshkey.pp +++ b/manifests/agent/generate_sshkey.pp @@ -34,13 +34,25 @@ define check_mk::agent::generate_sshkey ( # setup the public half of the key in authorized_keys on the agent # and restrict it to running only the agent - sshd::ssh_authorized_key { $ssh_key_name: - type => 'ssh-rsa', - key => $public_key, - user => $sshuser, - target => "${authdir}/${authfile}", - override_builtin => true, - options => "command=\"${command}\""; + if $authdir or $authfile { + # if $authkey or $authdir are set, override authorized_keys path and file + # and also override using the built-in ssh_authorized_key since it may + # not be able to write to $authdir + sshd::ssh_authorized_key { $ssh_key_name: + type => 'ssh-rsa', + key => $public_key, + user => $sshuser, + target => "${authdir}/${authfile}", + override_builtin => true, + options => "command=\"${command}\""; + } else { + # otherwise use the defaults + sshd::ssh_authorized_key { $ssh_key_name: + type => 'ssh-rsa', + key => $public_key, + user => $sshuser, + options => "command=\"${command}\""; + } } # resource collector for the private half of the keys, these end up on -- cgit v1.2.3 From 3d35cd86c25588449b418c996fe861f44da05bca Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Thu, 22 Jan 2015 12:55:43 -0800 Subject: add sshuser comment --- manifests/agent/generate_sshkey.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/agent/generate_sshkey.pp b/manifests/agent/generate_sshkey.pp index 419e73f..d2d1d39 100644 --- a/manifests/agent/generate_sshkey.pp +++ b/manifests/agent/generate_sshkey.pp 
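Review bot: The first `sshd::ssh_authorized_key` resource in the restored `if` branch is never closed: the line after its `options => "command=\"${command}\"";` is `} else {`, so that brace ends the resource and leaves the `if` block open, and the manifest will most likely fail to parse. Add a line with `}` between the `options` line and `} else {`. The guard is also still `if $authdir or $authfile`, although `target => "${authdir}/${authfile}"` needs both values; `if $authdir and $authfile` matches what the target requires. The define begins and ends outside this hunk.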
@@ -13,6 +13,7 @@ define check_mk::agent::generate_sshkey ( #$ssh_key_basepath = "${common::moduledir::module_dir_path}/check_mk/keys", # for now use a dir we know works $ssh_key_basepath = '/etc/puppet/modules/check_mk/keys', + # user on the client the check_mk server will ssh to, to run the agent $sshuser = 'root', $check_mk_tag = 'check_mk_sshkey' ){ -- cgit v1.2.3 From bdfc4c3c3be065c3d9110cb49bb3609d643e6041 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Thu, 22 Jan 2015 12:57:33 -0800 Subject: make sure package isn't already defined first --- manifests/agent/mrpe.pp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/manifests/agent/mrpe.pp b/manifests/agent/mrpe.pp index 749550a..5bc5f33 100644 --- a/manifests/agent/mrpe.pp +++ b/manifests/agent/mrpe.pp @@ -5,8 +5,10 @@ class check_mk::agent::mrpe { # this subclass is provided to be included by checks that use mrpe # FIXME: this is Debian specific and should be made more generic - package { 'nagios-plugins-basic': - ensure => latest, + if !defined(Package['nagios-plugins-basic']) { + package { 'nagios-plugins-basic': + ensure => latest, + } } # ensure the config file exists, individual checks will add lines to it -- cgit v1.2.3 From 4ced0c5bbe605c322dc4103c3572ae18e69fa278 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Thu, 22 Jan 2015 13:10:10 -0800 Subject: improve comments for ps stuff --- manifests/ps.pp | 13 +++++++++---- manifests/server/collect_ps.pp | 3 ++- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/manifests/ps.pp b/manifests/ps.pp index c84f583..1171a13 100644 --- a/manifests/ps.pp +++ b/manifests/ps.pp 
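Review bot: The `if !defined(Package['nagios-plugins-basic'])` guard in mrpe.pp is evaluation-order dependent: `defined()` only sees resources already declared at that point of the compile, so a declaration made later by another class still fails as a duplicate, and when another declaration comes first its `ensure` value silently replaces `latest`. I would record that above the guard, e.g. `# NOTE: defined() is parse-order dependent; whichever declaration comes first decides ensure`. If puppetlabs-stdlib is available to this module (not visible here), calling `ensure_packages(['nagios-plugins-basic'])` from every module that needs the package is the more usual way to share it. The class body continues outside the hunk.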
@@ -6,8 +6,12 @@ define check_mk::ps ( $levels = '1, 1, 1, 1', $user = undef ) { + # This class is called on check-mk agent machines in order to create + # checks using the built-in ps check type. They create stored configs + # and then the check_mk::server::collect_ps class on the server + # generates the config file to set them up - # lines look like + # lines in the ps.mk config file look like # ( "foo.example.com", "ps", "NAME", ( "/usr/sbin/foo", 1, 1, 1, 1 ) ) # or with a user # ( "foo.example.com", "ps", "NAME", ( "/usr/sbin/foo", "user", 1, 1, 1, 1 ) ) @@ -17,9 +21,10 @@ define check_mk::ps ( $check = " ( \"${host}\", \"ps\", \"${desc}\", ( \"${procname}\", ${levels} ) ),\n" } - # FIXME: we could be smarter about this and consolidate host checks that have - # identical settings and that would make the config file make more sense - # for humans. but for now we'll just do separate lines. + # FIXME: we could be smarter about this and consolidate host checks + # that have identical settings and that would make the config file + # make more sense for humans. but for now we'll just do separate + # lines (which may result in a very large file, but check-mk is fine) concat::fragment { "check_mk_ps-${host}_${desc}": target => $target, content => $check, diff --git a/manifests/server/collect_ps.pp b/manifests/server/collect_ps.pp index 7a0fb8f..067a25c 100644 --- a/manifests/server/collect_ps.pp +++ b/manifests/server/collect_ps.pp @@ -2,6 +2,8 @@ class check_mk::server::collect_ps ( $config = "${::check_mk::config::etc_dir}/check_mk/conf.d/ps.mk" ) { + # this class gets run on the check-mk server in order to collect the + # stored configs created on clients and assemble the ps.mk config file concat { $config: owner => 'root', group => 'root', @@ -25,5 +27,4 @@ class check_mk::server::collect_ps ( content => "]\n", order => 90, } - } -- cgit v1.2.3
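Review bot: The header comment added in the first ps.pp hunk says "This class" although the file declares `define check_mk::ps`, and it describes the agent-to-server flow without saying that the collected values are used as-is: the `$check` line visible in the second ps.pp hunk interpolates `${host}`, `${desc}`, `${procname}` and `${levels}` into ps.mk with no quoting or validation shown. Since check_mk reads its .mk files as Python and, per the new comment, these values originate on agent machines, I would add `# NOTE: values are written into ps.mk unescaped; validate them (no quotes or newlines) before use` and change "class" to "define". The define's body extends beyond both hunks, so validation may exist elsewhere.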