Add NRPE role, provision checks for it

Salt 2021-08-15 14:24:35 -05:00
parent 2918a3348b
commit 4d0b005181
40 changed files with 792 additions and 0 deletions

36
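--- a/playbooks/nrpe.yml
+++ b/playbooks/nrpe.yml
@@ -0,0 +1,36 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+---
+- hosts: tags_nagios-nrpe
+roles:
+- role: nrpe
+vars:
+nrpe_server_bind_address: 0.0.0.0
+nrpe_server_allowed_hosts:
+- 172.23.0.0/16 # Entire Zerotier management network
+- 45.79.24.6/32 # web3.desu.ltd
+nrpe_plugin_packages:
+- monitoring-plugins
+- nagios-plugins-contrib
+nrpe_command:
+check_disk_all:
+script: check_disk
+option: -M -u GB -A -X tmpfs -X overlay -X shm -w 80% -c 90% -W 80% -K 90% -I '^/run/'
+check_load:
+script: check_load
+option: -r -w 0.8,0.7,0.7 -c 1.0,0.9,0.9
+check_swap:
+script: check_swap
+option: -n ok -w 70% -c 80%
+check_users:
+script: check_users
+option: -w 3 -c 10
+tags: [ nrpe ]
+- hosts: all
+tasks:
+- name: disable nrped when not tagged
+systemd: name={{ item }} state=stopped enabled=no
+with_items:
+- nagios-nrpe-server.service
+when: "'tags_nagios-nrpe' not in group_names and item in services"
+tags: [ zerotier ]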
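Review bot: The "disable nrped when not tagged" task at the end of the second play carries `tags: [ zerotier ]`, so a run limited with `--tags nrpe` never reaches it and a host that lost its tag keeps its NRPE listener; the tag looks copied from the Zerotier playbook and should read `tags: [ nrpe ]`. Its `when:` also tests `item in services`, but no `service_facts` task is visible in this play, so unless those facts are gathered elsewhere the condition fails on an undefined variable. Separately, `nrpe_server_bind_address: 0.0.0.0` may have no effect: the role template added in this commit writes only `allowed_hosts` and `command[...]` lines, so the listen address would be whatever the packaged nrpe.cfg sets. That is worth confirming on a host, because `45.79.24.6/32` is allowed from outside the Zerotier range.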


@ -55,6 +55,11 @@ define command {
command_name check_snmp_storage_v3
command_line /opt/Custom-Nagios-Plugins/check_snmp_storage.pl -H $HOSTADDRESS$ -l {{ secret_snmp_rouser_username }} -x {{ secret_snmp_rouser_password }} -X {{ secret_snmp_rouser_privacy_passphrase }} -L sha,aes -t 20 -m $ARG1$ -w $ARG2$ -c $ARG3$
}
define command {
# This command is included in the container image
command_name check_nrpe
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}
# Services for all hosts
define service {
@ -84,6 +89,26 @@ define service {
hostgroup_name snmp
}
# Services for NRPE-capable hosts
define service {
use ansible-generic-service
service_description NRPE Check Disk
check_command check_nrpe!check_disk_all
hostgroup_name nagios-nrpe
}
define service {
use ansible-generic-service
service_description NRPE Check Users
check_command check_nrpe!check_users
hostgroup_name nagios-nrpe
}
define service {
use ansible-generic-service
service_description NRPE Check Load
check_command check_nrpe!check_load
hostgroup_name nagios-nrpe
}
# Hostgroups
# Everything here is dynamically-generated based on tags from Netbox
{% for tag in query('netbox.netbox.nb_lookup', 'tags', api_endpoint='https://netbox.desu.ltd', token=netbox_token) %}
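Review bot: No service is defined for `check_swap`, although playbooks/nrpe.yml in this commit provisions that NRPE command alongside `check_disk_all`, `check_load` and `check_users`, so swap thresholds are configured on every agent but never polled. A fourth block in the "Services for NRPE-capable hosts" group, in the second hunk, would close the gap.

```nagios
# … unchanged: NRPE Check Disk / Users / Load services …
define service {
    use                 ansible-generic-service
    service_description NRPE Check Swap
    check_command       check_nrpe!check_swap
    hostgroup_name      nagios-nrpe
}
```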


@ -57,3 +57,7 @@ roles:
- name: snmpd
src: oefenweb.snmpd
version: master
# Upstream: https://github.com/hspaans/ansible-role-nrpe
- name: nrpe
src: hspaans.nrpe
version: master
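Review bot: `version: master` on the new `nrpe` entry leaves the role unpinned, so each `ansible-galaxy install` takes whatever is at the tip of the upstream branch, and that code then runs on every host in `tags_nagios-nrpe`; pin it to a release tag or commit, `version: <UPSTREAM_TAG_OR_COMMIT_SHA>`. The install info vendored with the role in this commit also records `version: master`, so the copy under roles/nrpe cannot be tied to an upstream revision for later diffing. That vendored tree brings upstream's dev tooling with it, including a tox.ini whose `deps` list contains `anisble`, a misspelled package name that pip would resolve to whatever is published under it; check that before anyone runs tox from the role directory. The hunk begins partway through the existing `roles:` list.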

46
roles/nrpe/.editorconfig Normal file

@ -0,0 +1,46 @@
# https://editorconfig.org/
root = true
[*]
indent_style = space
indent_size = 4
trim_trailing_whitespace = true
end_of_line = lf
charset = utf-8
# Docstrings and comments use max_line_length = 79
[*.py]
insert_final_newline = true
max_line_length = 119
# Use 2 spaces for the HTML files
[*.html]
indent_size = 2
# Use 2 spaces for the Markdown files
[*.md]
indent_size = 2
insert_final_newline = true
# The JSON files contain newlines inconsistently
[*.json]
indent_size = 2
# Makefiles always use tabs for indentation
[Makefile]
indent_style = tab
insert_final_newline = true
# Batch files use tabs for indentation
[*.bat]
indent_style = tab
insert_final_newline = true
[docs/**.txt]
insert_final_newline = true
max_line_length = 79
[*.yml]
indent_size = 2
insert_final_newline = true

2
roles/nrpe/.flake8 Normal file

@ -0,0 +1,2 @@
[flake8]
max-line-length = 120

8
roles/nrpe/.github/dependabot.yml vendored Normal file

@ -0,0 +1,8 @@
---
version: 2
updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: monthly
open-pull-requests-limit: 10

6
roles/nrpe/.github/settings.yml vendored Normal file

@ -0,0 +1,6 @@
---
repository:
description: Ansible Role for Nagios Remote Plugin Executor
topics: ansible, ansible-role, nagios, nrpe, agent, monitoring
delete_branch_on_merge: true
has_wiki: false

2
roles/nrpe/.github/stale.yml vendored Normal file

@ -0,0 +1,2 @@
---
_extends: .github:.github/stale.yml


@ -0,0 +1,46 @@
---
name: CI
on:
pull_request:
schedule:
- cron: '30 5 15 * *'
jobs:
lint:
name: Lint Code Base
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v2.3.4
- name: Lint Code Base
uses: github/super-linter@v4.6.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
molecule:
needs: lint
name: Molecule
runs-on: ubuntu-latest
steps:
- name: Check out the codebase
uses: actions/checkout@v2.3.4
- name: Set up Python 3
uses: actions/setup-python@v2.2.2
with:
python-version: "3.x"
- name: Install Tox
run: |
pip3 install tox
- name: Run Molecule tests
run: tox
env:
PY_COLORS: "1"
ANSIBLE_FORCE_COLOR: "1"


@ -0,0 +1,21 @@
---
name: Release to Ansible Galaxy
on:
push:
tags:
- v*
branches:
- master
jobs:
release:
name: Release to Ansible Galaxy
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Release Ansible Role to Galaxy
uses: hspaans/ansible-galaxy-action@v0.3.3
with:
api_key: ${{ secrets.galaxy_api_key }}


@ -0,0 +1,59 @@
---
name: "CodeQL"
on:
pull_request:
branches:
- master
schedule:
- cron: "35 22 * * 4"
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: ["python"]
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
# Learn more:
# https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
steps:
- name: Checkout repository
uses: actions/checkout@v2
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v1
# Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language
#- run: |
# make bootstrap
# make release
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1

15
roles/nrpe/.gitignore vendored Normal file

@ -0,0 +1,15 @@
## Ansible
*.retry
.ansible_cache
## Molecule
.cache
.molecule
.tox
.vagrant
## Python
.pytest_cache/
__pycache__/
*.py[cod]
*$py.class

12
roles/nrpe/.yamllint.yml Normal file

@ -0,0 +1,12 @@
---
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
line-length: disable
truthy: disable

21
roles/nrpe/LICENSE Normal file

@ -0,0 +1,21 @@
MIT License
Copyright (c) 2020 Hans Spaans
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

51
roles/nrpe/README.md Normal file

@ -0,0 +1,51 @@
# Role Name
Install and configure NRPE
## Requirements
None as the nrpe package is being installed.
## Role Variables
Default variables are set in `defaults/main.yml`.
## Dependencies
No dependency on other Ansible Galaxy roles.
## Example Playbook
```yaml
---
- hosts: servers
vars:
nrpe_server_allowed_hosts:
- 10.0.10.0/24
- 10.0.11.2
- 127.0.0.1
nrpe_plugin_packages:
- nagios-plugins-disk
- nagios-plugins-nagios
- nagios-plugins-users
nrpe_command:
check_disk_all:
script: check_disk
option: -w 80 -c 90
check_users:
script: check_users2
option: -w 1 -c 1
check_nagios:
script: check_nagios
option: -F /var/log/nagios/nagios.log -e 15 -C nagios
roles:
- { role: hspaans.nrpe, become: true }
```
## License
MIT
## Author Information
This role was created in 2020 by [Hans Spaans](https://github.com/hspaans).


@ -0,0 +1,7 @@
---
nrpe_server_bind_address: 127.0.0.1
nrpe_server_port: 5666
nrpe_server_allowed_hosts:
- 127.0.0.1
nrpe_server_dont_blame_nrpe: 0
nrpe_package: ""


@ -0,0 +1,5 @@
---
- name: restart nrpe service
service:
name: "{{ nrpe_service }}"
state: restarted


@ -0,0 +1,2 @@
install_date: 'Sun 15 Aug 2021 06:14:47 PM '
version: master

32
roles/nrpe/meta/main.yml Normal file

@ -0,0 +1,32 @@
---
galaxy_info:
role_name: nrpe
author: hspaans
description: Ansible Role for NRPE
license: MIT
min_ansible_version: 2.9
platforms:
- name: EL
versions:
- 7
- 8
- name: Debian
versions:
- buster
- bullseye
- name: Fedora
versions:
- 33
- 34
- name: Ubuntu
versions:
- bionic
- focal
galaxy_tags:
- monitoring
dependencies: []


@ -0,0 +1,22 @@
*******
Docker driver installation guide
*******
Requirements
============
* Docker Engine
Install
=======
Please refer to the `Virtual environment`_ documentation for installation best
practices. If not using a virtual environment, please consider passing the
widely recommended `'--user' flag`_ when invoking ``pip``.
.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
.. code-block:: bash
$ pip install 'molecule[docker]'


@ -0,0 +1,5 @@
---
- name: Converge
hosts: all
roles:
- role: hspaans.nrpe


@ -0,0 +1,47 @@
---
dependency:
name: galaxy
driver:
name: docker
lint: |
set -e
yamllint `git ls-files '*.yaml' '*.yml'`
ansible-lint
# flake8
platforms:
- name: debian-10
image: "ghcr.io/hspaans/molecule-container-debian:10"
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
- name: debian-11
image: "ghcr.io/hspaans/molecule-container-debian:11"
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
- name: ubuntu-18.04
image: "ghcr.io/hspaans/molecule-container-ubuntu:18.04"
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
- name: ubuntu-20.04
image: "ghcr.io/hspaans/molecule-container-ubuntu:20.04"
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
provisioner:
name: ansible
inventory:
group_vars:
all:
nrpe_plugin_packages: []
verifier:
name: testinfra


@ -0,0 +1,27 @@
---
- name: Prepare
hosts: all
pre_tasks:
- name: Update apt cache (on Debian).
apt:
update_cache: true
cache_valid_time: 3600
when: ansible_os_family == 'Debian'
- name: Remove packages
package:
name: apt-utils
state: present
when: ansible_os_family == 'Debian'
- name: Update yum cache (on Redhat).
yum:
update_cache: true
when: ansible_os_family == 'RedHat'
tasks:
- name: Remove packages
package:
name: git
state: absent


@ -0,0 +1,23 @@
"""PyTest Fixtures."""
from __future__ import absolute_import
import os
import pytest
def pytest_runtest_setup():
"""Run tests only when under molecule with testinfra installed."""
try:
# pylint: disable = import-outside-toplevel
import testinfra
except ImportError:
pytest.skip("Test requires testinfra", allow_module_level=True)
if "MOLECULE_INVENTORY_FILE" in os.environ:
pytest.testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
else:
pytest.skip(
"Test should run only from inside molecule.", allow_module_level=True
)


@ -0,0 +1,11 @@
"""Role testing files using testinfra."""
import pytest
@pytest.mark.parametrize("pkg", ["nagios-nrpe-server"])
def test_pkg_installed(host, pkg):
"""Test if package installed."""
package = host.package(pkg)
assert package.is_installed


@ -0,0 +1,22 @@
*******
Docker driver installation guide
*******
Requirements
============
* Docker Engine
Install
=======
Please refer to the `Virtual environment`_ documentation for installation best
practices. If not using a virtual environment, please consider passing the
widely recommended `'--user' flag`_ when invoking ``pip``.
.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
.. code-block:: bash
$ pip install 'molecule[docker]'


@ -0,0 +1,5 @@
---
- name: Converge
hosts: all
roles:
- role: hspaans.nrpe


@ -0,0 +1,47 @@
---
dependency:
name: galaxy
driver:
name: docker
lint: |
set -e
yamllint `git ls-files '*.yaml' '*.yml'`
ansible-lint
# flake8
platforms:
- name: centos-7
image: "ghcr.io/hspaans/molecule-container-centos:7"
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
- name: centos-8
image: "ghcr.io/hspaans/molecule-container-centos:8"
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
- name: fedora-33
image: "ghcr.io/hspaans/molecule-container-fedora:33"
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
- name: fedora-34
image: "ghcr.io/hspaans/molecule-container-fedora:34"
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
provisioner:
name: ansible
inventory:
group_vars:
all:
nrpe_plugin_packages: []
verifier:
name: testinfra


@ -0,0 +1,27 @@
---
- name: Prepare
hosts: all
pre_tasks:
- name: Update apt cache (on Debian).
apt:
update_cache: true
cache_valid_time: 3600
when: ansible_os_family == 'Debian'
- name: Remove packages
package:
name: apt-utils
state: present
when: ansible_os_family == 'Debian'
- name: Update yum cache (on Redhat).
yum:
update_cache: true
when: ansible_os_family == 'RedHat'
tasks:
- name: Remove packages
package:
name: git
state: absent


@ -0,0 +1,23 @@
"""PyTest Fixtures."""
from __future__ import absolute_import
import os
import pytest
def pytest_runtest_setup():
"""Run tests only when under molecule with testinfra installed."""
try:
# pylint: disable = import-outside-toplevel
import testinfra
except ImportError:
pytest.skip("Test requires testinfra", allow_module_level=True)
if "MOLECULE_INVENTORY_FILE" in os.environ:
pytest.testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
else:
pytest.skip(
"Test should run only from inside molecule.", allow_module_level=True
)


@ -0,0 +1,11 @@
"""Role testing files using testinfra."""
import pytest
@pytest.mark.parametrize("pkg", ["nrpe"])
def test_pkg_installed(host, pkg):
"""Test if package installed."""
package = host.package(pkg)
assert package.is_installed

68
roles/nrpe/tasks/main.yml Normal file

@ -0,0 +1,68 @@
---
- name: Gather OS specific variables for nrpe
include_vars: "{{ item }}"
with_first_found:
- "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution|lower }}.yml"
- "{{ ansible_os_family|lower }}.yml"
- "main.yml"
- name: Enable CentOS-PowerTools repository
block:
- name: Enable CentOS-PowerTools repository
yum_repository:
name: PowerTools
file: CentOS-PowerTools
description: CentOS-$releasever - PowerTool
mirrorlist: http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=PowerTools&infra=$infra
enabled: yes
gpgcheck: 1
gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
when: (ansible_facts['distribution'] == 'CentOS' and ansible_facts['distribution_major_version'] == "8")
- name: Enable CentOS-EPEL repository
block:
- name: Enable CentOS-EPEL repository
package:
name: epel-release
state: present
- name: Update yum cache (on Redhat).
yum:
update_cache: true
when: (ansible_facts['distribution'] == 'CentOS')
- name: Install NRPE service
package:
name: "{{ nrpe_package }}"
state: present
tags:
- packages
- name: Install NRPE plugins
package:
name: "{{ nrpe_plugin_packages }}"
state: present
tags:
- packages
- name: Create nrpe.cfg from template
template:
src: "nrpe_local.cfg.j2"
dest: "{{ nrpe_server_dir }}/nrpe_local.cfg"
owner: root
group: root
mode: "0644"
notify: restart nrpe service
tags:
- configuration
- name: Ensure NRPE server is running
service:
name: "{{ nrpe_service }}"
state: started
enabled: true


@ -0,0 +1,11 @@
{% if nrpe_server_allowed_hosts is defined %}
# Allowed_hosts
allowed_hosts={{ nrpe_server_allowed_hosts | join(',') }}
{% endif %}
{% if nrpe_command is defined %}
# Commands
{% for command in nrpe_command %}
command[{{ command }}]={{ nrpe_server_plugins_dir }}/{{ nrpe_command[command]["script"] }} {{ nrpe_command[command]["option"] }}
{% endfor %}
{% endif %}


@ -0,0 +1 @@
localhost


@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- hspaans.nrpe

20
roles/nrpe/tox.ini Normal file

@ -0,0 +1,20 @@
[tox]
minversion = 3.23.0
envlist = py3
skipsdist = true
[testenv]
passenv = *
deps =
ansible-lint
molecule
molecule-docker
docker
flake8
flake8-docstrings
flake8-pylint
pytest
pytest-testinfra
anisble
commands =
molecule test --all


@ -0,0 +1,7 @@
---
nrpe_service: nagios-nrpe-server
nrpe_server_dir: /etc/nagios
nrpe_server_plugins_dir: /usr/lib/nagios/plugins
nrpe_package: nagios-nrpe-server
nrpe_plugin_packages:
- monitoring-plugins

2
roles/nrpe/vars/main.yml Normal file

@ -0,0 +1,2 @@
---
# vars file for nrpe


@ -0,0 +1,7 @@
---
nrpe_service: nrpe
nrpe_server_dir: /etc/nagios
nrpe_server_plugins_dir: /usr/lib64/nagios/plugins
nrpe_package: nrpe
nrpe_plugin_packages:
- nagios-plugins-all


@ -40,6 +40,7 @@
# Fundamental daemon configuration
- import_playbook: playbooks/zerotier.yml
- import_playbook: playbooks/snmp.yml
- import_playbook: playbooks/nrpe.yml
# Application configuration
- import_playbook: playbooks/db.yml
- import_playbook: playbooks/web.yml