Merge branch 'unstable' into stable
commit
8e4e77cb8b
14
.Jenkinsfile
14
.Jenkinsfile
|
@ -6,6 +6,20 @@ pipeline {
|
|||
}
|
||||
|
||||
stages {
|
||||
stage('Anible Lint') {
|
||||
agent {
|
||||
docker {
|
||||
image 'evolix/ansible-lint:latest'
|
||||
}
|
||||
}
|
||||
steps {
|
||||
script {
|
||||
sh 'for role_dir in ./*/; do HOME=$WORKSPACE_TMP ansible-lint -p $role_dir || : ; done'
|
||||
recordIssues(tools: [ansibleLint()])
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
stage('Build tagged docker image') {
|
||||
when {
|
||||
buildingTag()
|
||||
|
|
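Review bot: The stage name at `stage('Anible Lint')` is misspelled and is what the Jenkins UI shows, so it should read `stage('Ansible Lint')`. The `|| :` in the `sh` loop deliberately keeps ansible-lint from failing the build, which means findings only surface through `recordIssues`; if that is intended, a one-line comment above the `sh` step (`// lint findings are reported by recordIssues, not as a build failure`) would stop a later reader from "fixing" it. The enclosing `pipeline { ... stages {` block starts before this hunk and the `stage('Build tagged docker image')` block continues past it.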
7
.vscode/settings.json
vendored
Normal file
7
.vscode/settings.json
vendored
Normal file
|
@ -0,0 +1,7 @@
|
|||
{
|
||||
"files.associations": {
|
||||
"*.yml": "ansible",
|
||||
"*.yaml": "ansible"
|
||||
},
|
||||
"yaml.format.enable": false
|
||||
}
|
59
CHANGELOG.md
59
CHANGELOG.md
|
@ -8,6 +8,7 @@ The **major** part of the version is the year
|
|||
The **minor** part changes is the month
|
||||
The **patch** part changes is incremented if multiple releases happen the same month
|
||||
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
### Added
|
||||
|
@ -20,6 +21,63 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
### Security
|
||||
|
||||
## [23.03] 2023-03-16
|
||||
|
||||
### Added
|
||||
|
||||
* apache: add task to enable mailgraph on default vhost and index.html
|
||||
* apt: add move-apt-keyrings script/tasks
|
||||
* apt: add tools to migrate sources to deb822 format
|
||||
* fail2ban: add "Internal login failure" to Dovecot filter
|
||||
* lxc: copy `/etc/profile.d/evolinux.sh` from host into container
|
||||
* nagios-nrpe: add tasks/files for a wrapper
|
||||
* nagios-nrpe: Print pool config path in check_phpfpm_multi output
|
||||
* php: add `php_version` variable when sury is activated for each Debian version
|
||||
* php: add a way to choose which version to install using sury repository
|
||||
* postfix: Add task to enable mailgraph on packmail
|
||||
* postgresql: configure max_connections
|
||||
* userlogrotate: create dedicated role, separated from packweb-apache
|
||||
* varnish: add `varnish_update_config` variable to disable configuration update
|
||||
|
||||
### Changed
|
||||
|
||||
* Use systemd module instead of command
|
||||
* Removed all `warn: False` args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0.
|
||||
* apt: Use pub.evolix.org instead of pub.evolix.net
|
||||
* bind: refactor role
|
||||
* elasticsearch: Disable garabge collector logging (JDK >= 9)
|
||||
* evolinux-users: Update sudoers template to remove commands allowed without password
|
||||
* listupgrade: upstream release 23.03.3
|
||||
* kvmstats: use virsh domstats | awk to get guests informations
|
||||
* nagios-nrpe : Rewrite `check_vrrpd` for a better check (check `rp_filter`, `vrrpd` and `uvrrpd` compatible, use arguments, …)
|
||||
* openvpn: Change `check_openvpn` destination file to comply with recent EvoBSD change
|
||||
* postfix: come back to default value of `notify_classes` for pack mails.
|
||||
* userlogrotate: set rotate date format in right order (YYYY-MM-DD)!
|
||||
* webapps/nextcloud : Change default data directory to be outside web root
|
||||
* webapps/nextcloud : Small enhancement on the vhost template to lock out data dir
|
||||
* yarn: update apt key
|
||||
|
||||
### Fixed
|
||||
|
||||
* Proper jinja spacing
|
||||
* clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurring failures in Postfix.
|
||||
* docker-host: fix type in `daemon.json` and remove host configuration that is already in the systemd service by default
|
||||
* evolinux-base: ensure dbus is started and enabled (not by default in the case of an offline netinst)
|
||||
* haproxy: fix missing admin ACL in stats module access permissions
|
||||
* openvpn: fix the client cipher configuration to match the server cipher configuration
|
||||
* php: fix error introduced in #33503e4538 (`False` evaluated as a String instead of Boolean)
|
||||
* php: install using Sury repositories on Bullseye
|
||||
* postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs.
|
||||
* postfix: avoid Amavis transport to be considered dead when restarted.
|
||||
* postfix: remove unused `aliases_scope=sub` from virtual_aliases.cf (it generated warnings)
|
||||
* userlogrotate: fix bug introduced in commit 2e54944a246 (rotated files were not zipped)
|
||||
* userlogrotate: skip zipping if .gz log already exists (prevents interactive question)
|
||||
|
||||
### Removed
|
||||
|
||||
* evolinux-base: subversion is not installed anymore
|
||||
|
||||
|
||||
## [22.12] 2022-12-14
|
||||
|
||||
### Added
|
||||
|
@ -34,6 +92,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* packweb-apache: enable `log_forensic` module
|
||||
* rabbitmq: add link in default page
|
||||
* varnish: create special tmp directory for syntax validation
|
||||
* postfix: add localhost.$mydomain to mydestination
|
||||
|
||||
### Changed
|
||||
|
||||
|
|
|
@ -3,34 +3,34 @@
|
|||
- name: Launch new instance(s)
|
||||
ec2:
|
||||
state: present
|
||||
aws_access_key: "{{aws_access_key}}"
|
||||
aws_secret_key: "{{aws_secret_key}}"
|
||||
region: "{{aws_region}}"
|
||||
image: "{{ec2_base_ami}}"
|
||||
instance_type: "{{ec2_instance_type}}"
|
||||
count: "{{ec2_instance_count}}"
|
||||
assign_public_ip: "{{ec2_public_ip}}"
|
||||
group: "{{ec2_security_group.name}}"
|
||||
key_name: "{{ec2_keyname}}"
|
||||
aws_access_key: "{{ aws_access_key }}"
|
||||
aws_secret_key: "{{ aws_secret_key }}"
|
||||
region: "{{ aws_region }}"
|
||||
image: "{{ ec2_base_ami }}"
|
||||
instance_type: "{{ ec2_instance_type }}"
|
||||
count: "{{ ec2_instance_count }}"
|
||||
assign_public_ip: "{{ ec2_public_ip }}"
|
||||
group: "{{ ec2_security_group.name }}"
|
||||
key_name: "{{ ec2_keyname }}"
|
||||
wait: yes
|
||||
register: ec2
|
||||
|
||||
- name: Add newly created instance(s) to inventory
|
||||
add_host:
|
||||
hostname: "{{item.public_dns_name}}"
|
||||
hostname: "{{ item.public_dns_name }}"
|
||||
groupname: launched-instances
|
||||
ansible_user: admin
|
||||
ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
|
||||
loop: "{{ec2.instances}}"
|
||||
loop: "{{ ec2.instances }}"
|
||||
|
||||
- debug:
|
||||
msg: "Your newly created instance is reachable at: {{item.public_dns_name}}"
|
||||
loop: "{{ec2.instances}}"
|
||||
msg: "Your newly created instance is reachable at: {{ item.public_dns_name }}"
|
||||
loop: "{{ ec2.instances }}"
|
||||
|
||||
- name: Wait for SSH to come up on all instances (give up after 2m)
|
||||
wait_for:
|
||||
state: started
|
||||
host: "{{item.public_dns_name}}"
|
||||
host: "{{ item.public_dns_name }}"
|
||||
port: 22
|
||||
timeout: 120
|
||||
loop: "{{ec2.instances}}"
|
||||
loop: "{{ ec2.instances }}"
|
||||
|
|
|
@ -68,3 +68,10 @@
|
|||
insertafter: "[apache_*]"
|
||||
create: no
|
||||
notify: restart munin-node
|
||||
|
||||
- name: add mailgraph URL in index.html
|
||||
lineinfile:
|
||||
dest: /var/www/index.html
|
||||
state: present
|
||||
line: ' <li><a href="/mailgraph">Stats Mail</a></li>'
|
||||
insertbefore: "</ul>"
|
||||
|
|
|
@ -35,6 +35,15 @@
|
|||
Include /etc/apache2/ipaddr_whitelist.conf
|
||||
</Directory>
|
||||
|
||||
# Mailgraph configuration
|
||||
Alias /mailgraph /usr/share/mailgraph
|
||||
<Directory /usr/share/mailgraph>
|
||||
DirectoryIndex mailgraph.cgi
|
||||
Require all granted
|
||||
Options +FollowSymLinks +ExecCGI
|
||||
AddHandler cgi-script .cgi
|
||||
</Directory>
|
||||
|
||||
CustomLog /var/log/apache2/access.log vhost_combined
|
||||
ErrorLog /var/log/apache2/error.log
|
||||
LogLevel warn
|
||||
|
@ -118,6 +127,15 @@
|
|||
Include /etc/apache2/ipaddr_whitelist.conf
|
||||
</Location>
|
||||
|
||||
# Mailgraph configuration
|
||||
Alias /mailgraph /usr/share/mailgraph
|
||||
<Directory /usr/share/mailgraph>
|
||||
DirectoryIndex mailgraph.cgi
|
||||
Require all granted
|
||||
Options +FollowSymLinks +ExecCGI
|
||||
AddHandler cgi-script .cgi
|
||||
</Directory>
|
||||
|
||||
# BEGIN phpMyAdmin section
|
||||
# END phpMyAdmin section
|
||||
|
||||
|
|
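Review bot: The new `<Directory /usr/share/mailgraph>` block grants `Require all granted` together with `Options +ExecCGI`, while the neighbouring `<Directory>` and `<Location>` blocks in both hunks restrict access with `Include /etc/apache2/ipaddr_whitelist.conf`; as written the mailgraph CGI and its mail-traffic graphs are reachable by anyone who can reach the vhost. Unless public exposure is intended, the same whitelist include should replace `Require all granted` inside the new block, i.e. `Include /etc/apache2/ipaddr_whitelist.conf`. The second hunk (`@ -118,6 +127,15 @@`) adds the identical block and needs the same change. Whether the whitelist file is present on every host that uses this template is not visible here.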
96
apt/files/deb822-migration.py
Normal file
96
apt/files/deb822-migration.py
Normal file
|
@ -0,0 +1,96 @@
|
|||
#!/bin/env python3
|
||||
|
||||
import re
|
||||
import sys
|
||||
import os
|
||||
|
||||
if len(sys.argv) > 1:
|
||||
src_file = sys.argv[1]
|
||||
else:
|
||||
print("You must provide a source file as first argument", file=sys.stderr)
|
||||
sys.exit(1)
|
||||
|
||||
if not os.access(src_file, os.R_OK):
|
||||
print(src_file, "is not readable", file=sys.stderr)
|
||||
sys.exit(2)
|
||||
|
||||
pattern = re.compile('^(?P<type>deb|deb-src) +(?P<options>\[.+\] ?)*(?P<uri>\w+:\/\/\S+) +(?P<suite>\S+)(?: +(?P<components>.*))?$')
|
||||
|
||||
sources = {}
|
||||
|
||||
def split_options(raw):
|
||||
table = str.maketrans({
|
||||
"[": None,
|
||||
"]": None
|
||||
})
|
||||
options = raw.translate(table).split(' ')
|
||||
|
||||
return options
|
||||
|
||||
with open(src_file,'r') as file:
|
||||
for line in file:
|
||||
matches = re.match(pattern, line)
|
||||
if matches is not None:
|
||||
# print(matches.groupdict())
|
||||
uri = matches['uri']
|
||||
|
||||
options = {}
|
||||
if matches.group('options'):
|
||||
for option in split_options(matches['options']):
|
||||
if "=" in option:
|
||||
key, value = option.split("=")
|
||||
options[key] = value
|
||||
|
||||
if uri in sources:
|
||||
sources[uri]["Types"].add(matches["type"])
|
||||
sources[uri]["URIs"] = matches["uri"]
|
||||
sources[uri]["Suites"].add(matches["suite"])
|
||||
sources[uri]["Components"].update(matches["components"].split(' '))
|
||||
else:
|
||||
source = {
|
||||
"Types": {matches['type']},
|
||||
"URIs": matches['uri'],
|
||||
"Enabled": "yes",
|
||||
}
|
||||
|
||||
if matches.group('suite'):
|
||||
source["Suites"] = set(matches['suite'].split(' '))
|
||||
|
||||
if matches.group('components'):
|
||||
source["Components"] = set(matches['components'].split(' '))
|
||||
|
||||
if "arch" in options:
|
||||
if "Architectures" in source:
|
||||
source["Architectures"].append(options["arch"])
|
||||
else:
|
||||
source["Architectures"] = {options["arch"]}
|
||||
|
||||
if "signed-by" in options:
|
||||
if "Signed-by" in source:
|
||||
source["Signed-by"].append(options["signed-by"])
|
||||
else:
|
||||
source["Signed-by"] = {options["signed-by"]}
|
||||
|
||||
if "lang" in options:
|
||||
if "Languages" in source:
|
||||
source["Languages"].append(options["lang"])
|
||||
else:
|
||||
source["Languages"] = {options["lang"]}
|
||||
|
||||
if "target" in options:
|
||||
if "Targets" in source:
|
||||
source["Targets"].append(options["target"])
|
||||
else:
|
||||
source["Targets"] = {options["target"]}
|
||||
|
||||
sources[uri] = source
|
||||
|
||||
for i, (uri, source) in enumerate(sources.items()):
|
||||
if i > 0:
|
||||
print("")
|
||||
for key, value in source.items():
|
||||
if isinstance(value, str):
|
||||
print("{}: {}".format(key, value) )
|
||||
else:
|
||||
print("{}: {}".format(key, ' '.join(value)) )
|
||||
i += 1
|
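Review bot: The existing-URI branch (`if uri in sources:`) raises AttributeError on a line with no components, because `matches["components"]` is then None and `.split(' ')` is called on it, and KeyError when the first line for that URI had no `Components`; it also drops the second line's parsed `options`, so a differing `signed-by` or `arch` is lost and the merged stanza is signed only by the first line's keyring, which changes the trust scope without any warning. The four `source["Architectures"].append(...)` / `Signed-by` / `Languages` / `Targets` blocks call `append` on a set and would raise if their `in source` branch were ever reached. Because `Signed-By` scopes trust per stanza, lines that share a URI but differ in options should stay separate stanzas; keying `sources` on the URI plus the sorted option items does that, and the output loop already ignores the key. The shebang `#!/bin/env python3` only resolves on merged-/usr systems, `#!/usr/bin/env python3` is the portable spelling, and `pattern` should be a raw string (`re.compile(r'^...')`) since `\[` and `\/` are invalid escapes in a normal literal. The rewrite below replaces the two branches with a single merge path.
```python
# … unchanged: argument checks, pattern, sources = {}, split_options …

# one-line option name -> deb822 field; every field is a set so repeated lines merge
OPTION_FIELDS = {
    "arch": "Architectures",
    "signed-by": "Signed-by",
    "lang": "Languages",
    "target": "Targets",
}

with open(src_file, 'r') as file:
    for line in file:
        matches = re.match(pattern, line)
        if matches is None:
            continue
        uri = matches['uri']
        # … unchanged: options parsing into the `options` dict …

        # lines with the same URI but different options keep separate stanzas,
        # so a signed-by restriction is never merged into another line's trust scope
        key = (uri, tuple(sorted(options.items())))
        source = sources.setdefault(key, {"Types": set(), "URIs": uri, "Enabled": "yes"})
        source["Types"].add(matches['type'])
        if matches.group('suite'):
            source.setdefault("Suites", set()).update(matches['suite'].split(' '))
        if matches.group('components'):
            source.setdefault("Components", set()).update(matches['components'].split(' '))
        for option, field in OPTION_FIELDS.items():
            if option in options:
                source.setdefault(field, set()).add(options[option])

# … unchanged: output loop (the dict key is not used there) …
```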
48
apt/files/deb822-migration.sh
Normal file
48
apt/files/deb822-migration.sh
Normal file
|
@ -0,0 +1,48 @@
|
|||
#!/bin/sh
|
||||
|
||||
deb822_migrate_script=$(command -v deb822-migration.py)
|
||||
|
||||
if [ -z "${deb822_migrate_script}" ]; then
|
||||
deb822_migrate_script="./deb822-migration.py"
|
||||
fi
|
||||
if [ ! -x "${deb822_migrate_script}" ]; then
|
||||
>&2 echo "ERROR: '${deb822_migrate_script}' not found or not executable"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
dest_dir="/etc/apt/sources.list.d"
|
||||
rc=0
|
||||
|
||||
migrate_file() {
|
||||
legacy_file=$1
|
||||
deb822_file=$2
|
||||
|
||||
if [ -f "${legacy_file}" ]; then
|
||||
if [ -f "${deb822_file}" ]; then
|
||||
>&2 echo "ERROR: '${deb822_file}' already exists"
|
||||
rc=2
|
||||
else
|
||||
${deb822_migrate_script} "${legacy_file}" > "${deb822_file}"
|
||||
if [ $? -eq 0 ] && [ -f "${deb822_file}" ]; then
|
||||
mv "${legacy_file}" "${legacy_file}.bak"
|
||||
echo "Migrated ${legacy_file} to ${deb822_file} and renamed to ${legacy_file}.bak"
|
||||
else
|
||||
>&2 echo "ERROR: failed to convert '${legacy_file}' to '${deb822_file}'"
|
||||
rc=2
|
||||
fi
|
||||
fi
|
||||
else
|
||||
>&2 echo "ERROR: '${legacy_file}' not found"
|
||||
rc=2
|
||||
fi
|
||||
}
|
||||
|
||||
migrate_file "/etc/apt/sources.list" "${dest_dir}/system.sources"
|
||||
|
||||
# shellcheck disable=SC2044
|
||||
for legacy_file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name '*.list'); do
|
||||
deb822_file=$(basename "${legacy_file}" .list)
|
||||
migrate_file "${legacy_file}" "${dest_dir}/${deb822_file}.sources"
|
||||
done
|
||||
|
||||
exit ${rc}
|
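Review bot: The fallback `deb822_migrate_script="./deb822-migration.py"` is relative to the caller's working directory, and the Ansible task on this page installs both scripts under `/usr/share/scripts`, which is not on PATH, so `command -v` finds nothing and the script exits 1 before migrating anything unless it happens to be run from that directory; `deb822_migrate_script="$(dirname "$0")/deb822-migration.py"` resolves the sibling regardless of cwd. In `migrate_file`, a failed conversion leaves the partially written `${deb822_file}` in `/etc/apt/sources.list.d`, and a run whose input matched no lines produces an empty file that still passes `-f` and triggers the rename of the legacy file; testing `[ -s "${deb822_file}" ]` and adding `rm -f "${deb822_file}"` in the error branch avoids both. `rc=2` is used for both "already exists" and "conversion failed", so the caller cannot tell a harmless re-run from a real failure; distinct exit codes would let the playbook treat them differently.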
32
apt/files/move-apt-keyrings.sh
Normal file
32
apt/files/move-apt-keyrings.sh
Normal file
|
@ -0,0 +1,32 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Move apt repository key from /etc/apt/trusted.gpg.d/ to /etc/apt/keyrings/ and add "signed-by" tag in source list
|
||||
#
|
||||
# Example: move-apt-keyrings.sh http://repo.mongodb.org/apt/debian mongodb-server-[0-9\\.]+.asc
|
||||
|
||||
repository_pattern=$1
|
||||
key=$2
|
||||
|
||||
found_files=$(grep --files-with-matches --recursive --extended-regexp "${repository_pattern}" "/etc/apt/sources.list.d/*.list")
|
||||
|
||||
old_key_file="/etc/apt/trusted.gpg.d/${key}"
|
||||
new_key_file="/etc/apt/keyrings/${key}"
|
||||
|
||||
for file in ${found_files}; do
|
||||
if ! grep --quiet "signed-by" "${file}"; then
|
||||
signed_by="signed-by=${new_key_file}"
|
||||
if grep --quiet "deb(-src)? \[" "${file}"; then
|
||||
sed -i "s@deb\(-src\)\? \[\([^]]\+\)\]@deb\1 [\2 ${signed_by}]@" "${file}"
|
||||
else
|
||||
sed -i "s@deb\(-src\)\? @deb\1 [${signed_by}] @" "${file}"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
if [ -f "${old_key_file}" ] && [ ! -f "${new_key_file}" ]; then
|
||||
mv "${old_key_file}" "${new_key_file}"
|
||||
fi
|
||||
if [ -f "${new_key_file}" ]; then
|
||||
chmod 644 "${new_key_file}"
|
||||
chown root: "${new_key_file}"
|
||||
fi
|
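Review bot: `"/etc/apt/sources.list.d/*.list"` is double-quoted, so the glob is never expanded and grep is handed one literal path that does not exist; `found_files` is therefore always empty, no source line gains `signed-by`, yet the `mv` below still moves the key out of `/etc/apt/trusted.gpg.d/`, which leaves that repository with no usable signing key. Dropping the quotes (`... "${repository_pattern}" /etc/apt/sources.list.d/*.list`, without `--recursive`) fixes the lookup. The test `grep --quiet "deb(-src)? \["` uses basic regex, where the parentheses and `?` are literal, so it never matches and the `else` branch inserts a second `[...]` group in front of an existing one (`deb [signed-by=…] [arch=…] …`), which apt does not parse as a valid entry; add `--extended-regexp` to that grep. The usage comment shows `${key}` as a pattern (`mongodb-server-[0-9\\.]+.asc`), but `old_key_file="/etc/apt/trusted.gpg.d/${key}"` uses it as a literal filename, so such an entry moves no key while the pattern text is written into `signed-by=`.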
87
apt/files/pub_evolix.asc
Normal file
87
apt/files/pub_evolix.asc
Normal file
|
@ -0,0 +1,87 @@
|
|||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQINBGOsRdcBEADDPJ8Tsqr5Z4crmQlNQM32hfufe7gTUrXo0cAL8clt92y1QX3N
|
||||
YyMv0Re4+Ugo7JZd4jsF2Q1twJMxsX5rA12xDnHHcZRSc/E0DIYvPnfLzEHkwseN
|
||||
OK4f9lI+xo06k+B3KQQKMeI/RjVaN6AiSply9ZGaZVeGGqd4es4PsU1VQMTWdclV
|
||||
Bn54HBWUnL5dPStPMnNkt0bMQYIqc5733Yby3qMiUKcql2bl9TYBw8SaJXvClsLw
|
||||
ERqit6FjljUOEeWtB4WZFpjhc/aqcxGcUTPHRrNTlNF0HCvk8JicEu4/lr99pwy7
|
||||
7z6SRql++WGMSG06E4MBtUt+wWAmDDHNj3fdZPnoCaDFp7vxy/FEARB2aygTtu11
|
||||
mLk4XOKheqU/WibWxoXRzyUCuclJ247Fh+YPxkYVG1dnDwpWGbYuRmzUapGLv4ma
|
||||
dnKsQN0KhXzUqkSoybBgV208dGOP7BqdY6TVnyU0v/7XDeUqFEwnllRKMSYLilV3
|
||||
huTifiCFTK45HACM/x2yckx8dyAuYg6cJaAR1yn1iaTexoyYPG9ZFifvMB6ranEm
|
||||
vkmQq1e8/7xiNSQsh5F3Ybl5hh4GVLwsR6esfZsHG0Ve+CitsmcZgWnr0JJ2PZOk
|
||||
+XHxMwo7Gb0/KVH9XGeoXk+eiNNW/kdcgBMkGkU3nWooVHDm7Dy54I5CzQARAQAB
|
||||
tC9Fdm9saXggUHVibGljIFJlcG9zaXRvcnkgPGVxdWlwZStwdWJAZXZvbGl4LmZy
|
||||
PokCVAQTAQoAPhYhBP+vfRvzUK1F+rMpCUaPWta4YwY9BQJjrEXXAhsDBQkHhM4A
|
||||
BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEEaPWta4YwY9V6oP/iYfZceiA1Sy
|
||||
x9t/7CL3EReuvpdZtZYf2KklBfxEFtzkERV/KKMMpf8mKoGD6BA+ryUc7b4a8npq
|
||||
yvKbSKDHGZW6gAbq8hneW71vRuNfPNqtfO98JbJO694nqX9sIYU2xQn0UIh0G6N7
|
||||
D2bOcaicn8AgV/8cQZfgN9yRM4VhCoWZwhLqgROUqMYfDn3szamfkPcFiw10ToVt
|
||||
c2PIFdqj2soKO9OrF5Ct/pztSGy1f+orDFiJ0AtRlqqRk9z18VB893qspfyd6y9N
|
||||
q7IrQbYsiP+D8DcXYWZA1KURsI4LVQwsudNXokvGkYdnZitVgXI2lIaY7odDou5F
|
||||
btZsCIEa45m7Vmvu0Wvtu/90EFbu9iwbOVrNpC7lLnfJpDObVXMiY1r0rQVuweEZ
|
||||
ZbBcv1NUa3R0SPsPLPKf7L6dCx8gCpZjDVJLsgBeeSEV7XFQiYDbl8THasNTKCOa
|
||||
C6v4h00mg0H6GhZvGMx+lcx8TzW6l3XXRoptHl4vkdE5usLFjy8/JWG3yJ7e2W3D
|
||||
jVbPQ0UKJAnkGn1t+UJB1GP9O4annks0nPfcomjZzaDweIL8zSLPy5R9DGNgYLjp
|
||||
5h/baLoNAOkaKssZrusq/P+BM2tdr3i/N6TK+dbrffz3hNgzSFFYVg51DspV7XWo
|
||||
JKGqhqCgQpkms+NPJiKr4NDs6DdXn0IKuQINBGOsRdcBEAC9i5qcrYLTfeGrWPo3
|
||||
Zok3jikNk181HC3HR7Wu8a5whCe/88GgJDY00sU2zZEF9hN/4Vtqq9FICVXUcs+F
|
||||
5j+Gcb/sqAgwXuwk8LKuhbtR2cnz6I0GCsqNPuj+5uM7MXQlVWeIN5Z6zA/Jw++o
|
||||
aENZHO6cnuep2KDNPUZzjmTHAa4+qXRL5cRXEOmMB1vtA8mm/43c7wicJ7MrZpba
|
||||
mqzmiQPsQ2qfmCABfx8BwBgXCVON4sgtzCa+rYOPScsDtv0pv6uG+h/GJp4MdKBp
|
||||
g3BfShQEAmOwwy3Pt2vo9Rw2s0uJJ9AM2O6tJ3x93YkUP5qj3Etr/eTcgVUiVvSs
|
||||
h2Rrz2FLen3GMAcqUUDPViCy9nEWRAo7iWQgAKgr8WjeGerOmtsYPyjIQE47eX5M
|
||||
Gomx0LVCGigYfkSAFIYzm5I+depmn1qTUyizfklvPr0bA/8Cs4zbqx6Pf6Rk5wvb
|
||||
sJ4envk3dzQRNTH1Vt7Yoktyx1+VX0HFVEaPTQ3JlFORaHYwQQ97LaOZ0VmztE0A
|
||||
5+CIFFdqp/0H7zGPol+LsPgqnzZZEQ2XFYPOy7/gB17zI2eWNWPAQmOdrUM/v12A
|
||||
etnLEthZyALcjjBpJEVIHFnuaabYp+mdotycjDkBNSh+P+8H/UsMSrNVhheKQLB8
|
||||
smzwFcSrAcnQbtiCjFWANTWyKQARAQABiQI8BBgBCgAmFiEE/699G/NQrUX6sykJ
|
||||
Ro9a1rhjBj0FAmOsRdcCGwwFCQeEzgAACgkQRo9a1rhjBj0FZw//fNhJdx55ACvX
|
||||
mpa8wz6eZOvzhr5GWSW5/Qie9nRjInPPI3bJ/jU0S/4ENqFBD9RSvY5F+0xCU67F
|
||||
V2R3a3FFcB81HLIcUrkN0GH6fLcex0Js+grq/U117e2umdfGMKQG0UFJ+XonhtlT
|
||||
foBcBjXPFr2NUaJB2SPo/RPQ3U+N3wMSm0ZbB/Xvxi5qMEb971dfObvsXTkQZvn7
|
||||
b0TvccfHhyzs2IM8pZO3PamTwA5e16/2QqisRX4CeL0a/q3Yxfw4R8RPCrz/l0k5
|
||||
FPdbdXaQuk5s+CiV+Nse7yFGoEoSlLpJM2BpueBsIg92joyOstZRm+tuCb5QefWI
|
||||
7yFPfJU6xG1CMDqIGjXNU1tzSIoReGUBCNrE9UgzBQPPVD0jNM1WdW6HWSVR7jBb
|
||||
+dvAeJNzQjJYlvKLQ383mAiVcwmCWBUp+R/kBPlLMGEpLlspti5fkmEc8xvtCaHc
|
||||
fCLVWd0r2lUFUz+W53r8IXaRcxLtFinz7SHZPrlhaVwErdtlo+5X3kq39Mc4KCmF
|
||||
bevT+qxlgzHXof+WGTYoc9IHkhDrvZ/TWeAUnBPvVn88dsBRtOC9f5wSCK4r9SfR
|
||||
Dnf0lAsLWMpNtt812W8sA82RGXRUBwonZKa7YoGNKSa2vPJcUgmpIiHNtoLWpNa+
|
||||
7pYGN7bV51zyQ1ERaLU5TBC9sPE70p25Ag0EY6xJaQEQAKsxFCb4Vxe8VuUEAKp/
|
||||
RSRNGX/v9KqXVwbnf3kTYq9FMoplZBeqj4LQ22BqRzZ74ywoyfvHHtvkAtCbmrlc
|
||||
8iLQEmicLug3Ibk97qm1lvvHnK9fqFOWh+Tx/omlaiSzEfAFbLEjNcplmq1ooqmX
|
||||
fkI9zcefLZHtUFx6Clw3rwp79d/V5XJDM+2jwB47HfIhrW6jEubUuaXIHNR/GSSd
|
||||
gTYuw55g9K97LhONX6ZvSBhjp4pOeUUbtFuG1fRkjPiObsB54fJ2R32yfm4jV53/
|
||||
YgG/Ih/o97tKV+ishQIrr85SB3XiLFlGhQuu/0a/+/vfGVTbJOzrQrE+OCWt9Xm1
|
||||
4b91MiVSSzXy6TGzPvpNXYR2PQZzVwvz7UctCikaE4gGB0lSH0LemDD0LZIZUwBL
|
||||
1G9mlwFTkMYK0+iMyHFOKeAlUnSSpO6hFYr4GHOxAMGTjHqqEJZ3lBi9SBPc7AEK
|
||||
3NcEp4etuiLOeaSBtqmUs+y7g8yMTrnyWPVxa0l5q4OUitbb2qvWYbaD3O22xYyj
|
||||
9BlqzpG9uO6/d8HefDK8XMNCHlmwFoJj3HJlHJg7oN029vYsXEwBIhFyolAPzIvB
|
||||
jpLKcebq9DJSObs1nHjAyVUpL4ZzRmujFcJYDYSixiqaWc/1aGTgUZQ/JDXcODiC
|
||||
LgFu1vLTRf6hwKSb/vnZP5OtABEBAAGJBHIEGAEKACYWIQT/r30b81CtRfqzKQlG
|
||||
j1rWuGMGPQUCY6xJaQIbAgUJA8JnAAJACRBGj1rWuGMGPcF0IAQZAQoAHRYhBA7H
|
||||
BbTwXPF0hLMgRYefxhvnjx3ABQJjrElpAAoJEIefxhvnjx3ANpUQAIFLkLcx2z3M
|
||||
jV0SgoAYertib9T/OOy/rsfeQjE6DFk6IArrHolZPA9g/PpTPuRwK165n5xw483q
|
||||
BMyssUT9IK7SZxt0gbKpvZ0HFSCwSp5wdSJZymwB4AOcgRBU5rwC/9fFxYihgIym
|
||||
Ig7TH9aWW4hDbEuGJDrKbhK+DpIL7lK3A5WUZk9ltGOpCcFctV3YnVgbMIwX5gO6
|
||||
lZ5Zi6NHJEB3HauVZJ59NIPJ/f0xe5GMte/LXckyijs9ei4WOFOjstiW64EWkOBH
|
||||
El0tj+LUxLznCP2szdXjkDN1P6/NDrY1Nid6/ECOfkh4xO/VHhkdSRAlhdP9FHiV
|
||||
sy3KUUoPH5B805z1MyOI7UYUD/8CK0juIXcbw7isbVUmLf/VV8jEDmq3WWDj8YZp
|
||||
IStn2AvQeo3VWGWUfkf3v7UthKandIUTIGc5isD+i6KvzzbggyyZWNtvb3/1wMrz
|
||||
DUKGlFi/IjMhhElJ0oF3YGsBwz2V2UKP7pPIYo+f5zthc7SbmO9yxAQebEOc3prM
|
||||
G/Br8JOZ90w1dy6CeIYxkM4YEhhG1K8CzD3ZTTI7vh8mwRc92A6HI2NFyxeYJCr0
|
||||
IsUcFQpCyXMtcLRN75DGLIjIKdYrYJuwSiUgcH5FtgkuxMYfJEX9UX8rV7HAxUvs
|
||||
UdIyHLl7k+khGlZa0/W6uCioFNiygnBEp7oP/iSj4Q2Xh5yKI6Jjw/IsfRcsiaac
|
||||
lHc7uF0caYGMkqRNHiX17d5EtaidTbiqQii1W9slSPXmUuUcKfD1xUfLng7TbZVm
|
||||
AdEbpHCT+q037cGCYFpHPMvw3OYhhGzYeh3+1oN9t3ZvyGlvAhkrtssDQB+gxX8r
|
||||
adCpihziFLjm+6IvCLYHEh3gILVFbbhdYDDUduFFjf/snlJW7j8OVc7Cxa7FbPdf
|
||||
SHLT9VESzf7oiwkP5/ijGmHiEQoJd9EWYkGGz+LZAXemBwe5ZnPPWVZvDEQRMe8v
|
||||
2V8pa37vyReaK//O8xxGg3NzGTn9otwVr/4Ti9OxrSzmDWpd967oZ42IZSeSY2bz
|
||||
kOaV8z4C8AIgIA7vWOS83Hncbrgf2nMCXmRjf0KTMm1P7Z0BQDWpxK9lP0nRpVAg
|
||||
2T3/OjJ9KcAsTz02NFC3/kOUz//NcfDP747HsQB0sltIty140B7CfcWk0a0eKSad
|
||||
OxGUehskjyKhO6v3dYF+8oR9p98Q8/Rh8r7evYy2mfhgJd7a9Cchn7612Y6k1SLf
|
||||
nmPGYu3s0lf/k6GoHLfXXQIJDgWeua4ZBr6cgpGONLSvWBeCVaqnk8nhbNIiSBHk
|
||||
jnrcX8xAtoPLgqg0+yi7rZ3NAauZcQE6UaNB+xjJxDOIpgVLUWtFyAG4MDeIh6GH
|
||||
oA9QflpnDubMnCve
|
||||
=ZCml
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
|
@ -18,8 +18,8 @@
|
|||
|
||||
- name: Add Evolix GPG key
|
||||
copy:
|
||||
src: reg.asc
|
||||
dest: "{{ apt_keyring_dir }}/reg.asc"
|
||||
src: pub_evolix.asc
|
||||
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
||||
force: yes
|
||||
mode: "0644"
|
||||
owner: root
|
||||
|
|
|
@ -1,5 +1,8 @@
|
|||
---
|
||||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
|
||||
- name: "hold packages (apt)"
|
||||
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
|
||||
args:
|
||||
|
@ -76,8 +79,8 @@
|
|||
- name: Check if Cron is installed
|
||||
shell: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
|
||||
register: is_cron
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
tags:
|
||||
- apt
|
||||
|
|
31
apt/tasks/migrate-to-deb822.yml
Normal file
31
apt/tasks/migrate-to-deb822.yml
Normal file
|
@ -0,0 +1,31 @@
|
|||
---
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
|
||||
- name: /usr/share/scripts exists
|
||||
file:
|
||||
dest: /usr/share/scripts
|
||||
mode: "0700"
|
||||
owner: root
|
||||
group: root
|
||||
state: directory
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Migration scripts are installed
|
||||
copy:
|
||||
src: "{{ item }}"
|
||||
dest: "/usr/share/scripts/{{ item }}"
|
||||
force: yes
|
||||
mode: "0755"
|
||||
loop:
|
||||
- deb822-migration.py
|
||||
- deb822-migration.sh
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Exec migration script
|
||||
command: /usr/share/scripts/deb822-migration.sh
|
||||
ignore_errors: yes
|
||||
tags:
|
||||
- apt
|
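Review bot: `ignore_errors: yes` on the `Exec migration script` task discards every non-zero exit, including the script's own exit 1 for "not found or not executable", and without `changed_when` the task reports changed on every run. Registering the result lets the play distinguish a real failure from the exit 2 the script returns on a re-run when the `.sources` file already exists: `register: _deb822_migration`, `changed_when: "'Migrated' in _deb822_migration.stdout"`, `failed_when: _deb822_migration.rc not in [0, 2]`, dropping `ignore_errors`. The script on this page also uses exit 2 for a failed conversion, so a dedicated exit code there would make this check precise.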
52
apt/tasks/move-apt-keyring.yml
Normal file
52
apt/tasks/move-apt-keyring.yml
Normal file
|
@ -0,0 +1,52 @@
|
|||
---
|
||||
|
||||
- name: New APT keyrings directory is present
|
||||
file:
|
||||
path: /etc/apt/keyrings
|
||||
state: directory
|
||||
mode: "0755"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
|
||||
- name: /usr/share/scripts exists
|
||||
file:
|
||||
dest: /usr/share/scripts
|
||||
mode: "0700"
|
||||
owner: root
|
||||
group: root
|
||||
state: directory
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: migration script is present
|
||||
copy:
|
||||
src: move-apt-keyrings.sh
|
||||
dest: /usr/share/scripts/move-apt-keyrings.sh
|
||||
mode: "0755"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Move repository signing key
|
||||
command: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\""
|
||||
loop:
|
||||
- { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" }
|
||||
- { repository_pattern: "http://pub.evolix.org/evolix", key: "pub_evolix.asc" }
|
||||
- { repository_pattern: "https://pub.evolix.org/evolix", key: "pub_evolix.asc" }
|
||||
- { repository_pattern: "https://artifacts.elastic.co/packages/[^/]+/apt", key: "elastics.asc" }
|
||||
- { repository_pattern: "https://download.docker.com/linux/debian", key: "docker-debian.asc" }
|
||||
- { repository_pattern: "https://downloads.linux.hpe.com/SDR/repo/mcp", key: "hpePublicKey2048_key1.asc" }
|
||||
- { repository_pattern: "http://pkg.jenkins-ci.org/debian-stable", key: "jenkins.asc" }
|
||||
- { repository_pattern: "https://packages.sury.org/php/", key: "sury.gpg" }
|
||||
- { repository_pattern: "http://repo.mongodb.org/apt/debian", key: "mongodb-server-[0-9\\.]+.asc" }
|
||||
- { repository_pattern: "http://apt.newrelic.com/debian/", key: "newrelic.asc" }
|
||||
- { repository_pattern: "https://deb.nodesource.com/", key: "nodesource.asc" }
|
||||
- { repository_pattern: "https://dl.yarnpkg.com/debian/", key: "yarn.asc" }
|
||||
- { repository_pattern: "http://apt.postgresql.org/pub/repos/apt/", key: "postgresql.asc" }
|
||||
register: _cmd
|
||||
|
||||
- name: Debug command
|
||||
debug:
|
||||
var: _cmd
|
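Review bot: The `Move repository signing key` task has no `changed_when`, so it reports changed on every run, and the trailing `Debug command` task with `register: _cmd` reads as leftover troubleshooting that dumps the full loop result into every play log. Dropping the debug task and keying `changed_when` on what the script reports (it currently prints nothing on success, so that needs a line in the script first) would make the play's output meaningful. The `mongodb-server-[0-9\\.]+.asc` entry passes a regex as `key`, which the script's `old_key_file="/etc/apt/trusted.gpg.d/${key}"` uses as a literal path, so this entry cannot move the MongoDB key as written.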
|
@ -1,7 +1,3 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
{% if ansible_distribution_release == "bookworm" %}
|
||||
deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye/
|
||||
{% else %}
|
||||
deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ {{ ansible_distribution_release }}/
|
||||
{% endif %}
|
||||
deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main
|
||||
|
|
|
@ -8,4 +8,5 @@ bind_systemd_service_path: /etc/systemd/system/bind9.service
|
|||
bind_statistics_file: /var/run/named.stats
|
||||
bind_log_file: /var/log/bind.log
|
||||
bind_query_file: /var/log/bind_queries.log
|
||||
bind_query_file_enabled: False
|
||||
bind_cache_dir: /var/cache/bind
|
||||
|
|
|
@ -1,19 +1,21 @@
|
|||
---
|
||||
- name: reload systemd
|
||||
command: systemctl daemon-reload
|
||||
systemd:
|
||||
daemon-reload: yes
|
||||
|
||||
|
||||
- name: restart apparmor
|
||||
service:
|
||||
systemd:
|
||||
name: apparmor
|
||||
state: restarted
|
||||
|
||||
- name: restart bind
|
||||
service:
|
||||
systemd:
|
||||
name: bind9
|
||||
state: restarted
|
||||
|
||||
- name: restart munin-node
|
||||
service:
|
||||
systemd:
|
||||
name: munin-node
|
||||
state: restarted
|
||||
|
||||
|
|
11
bind/tasks/authoritative.yml
Normal file
11
bind/tasks/authoritative.yml
Normal file
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
|
||||
- name: Set bind configuration for authoritative server
|
||||
template:
|
||||
src: named.conf.options_authoritative.j2
|
||||
dest: /etc/bind/named.conf.options
|
||||
owner: bind
|
||||
group: bind
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart bind
|
|
@ -1,22 +1,30 @@
|
|||
# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
|
||||
- name: set chroot variables
|
||||
set_fact:
|
||||
bind_log_file: /var/log/bind.log
|
||||
bind_query_file: /var/log/bind_queries.log
|
||||
bind_cache_dir: /var/cache/bind
|
||||
bind_statistics_file: /var/run/named.stats
|
||||
bind_chroot_path: /var/chroot-bind
|
||||
bind_log_file: /var/log/bind.log
|
||||
bind_query_file: /var/log/bind_queries.log
|
||||
bind_cache_dir: /var/cache/bind
|
||||
bind_statistics_file: /var/run/named.stats
|
||||
bind_chroot_path: /var/chroot-bind
|
||||
when: bind_chroot_set | bool
|
||||
|
||||
- name: Check AppArmor
|
||||
shell: systemctl is-active apparmor || systemctl is-enabled apparmor
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
register: check_apparmor
|
||||
|
||||
- name: configure apparmor
|
||||
template:
|
||||
src: apparmor.usr.sbin.named.j2
|
||||
dest: /etc/apparmor.d/usr.sbin.named
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart apparmor
|
||||
when: check_apparmor.rc == 0
|
||||
|
||||
- name: package are installed
|
||||
apt:
|
||||
|
@ -25,47 +33,23 @@
|
|||
- dnstop
|
||||
state: present
|
||||
|
||||
- name: Set bind configuration for recursive server
|
||||
template:
|
||||
src: named.conf.options_recursive.j2
|
||||
dest: /etc/bind/named.conf.options
|
||||
owner: bind
|
||||
group: bind
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart bind
|
||||
when: bind_recursive_server | bool
|
||||
|
||||
- name: enable zones.rfc1918 for recursive server
|
||||
lineinfile:
|
||||
dest: /etc/bind/named.conf.local
|
||||
line: 'include "/etc/bind/zones.rfc1918";'
|
||||
regexp: "zones.rfc1918"
|
||||
notify: restart bind
|
||||
when: bind_recursive_server | bool
|
||||
|
||||
- name: Set bind configuration for authoritative server
|
||||
template:
|
||||
src: named.conf.options_authoritative.j2
|
||||
dest: /etc/bind/named.conf.options
|
||||
owner: bind
|
||||
group: bind
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart bind
|
||||
- include: authoritative.yml
|
||||
when: bind_authoritative_server | bool
|
||||
|
||||
- name: Create systemd service
|
||||
- include: recursive.yml
|
||||
when: bind_recursive_server | bool
|
||||
|
||||
- name: Create systemd service for Debian 8 (Jessie)
|
||||
template:
|
||||
src: bind9.service.j2
|
||||
src: bind9.service.jessie.j2
|
||||
dest: "{{ bind_systemd_service_path }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify:
|
||||
- reload systemd
|
||||
- restart bind
|
||||
- reload systemd
|
||||
- restart bind
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: "touch {{ bind_log_file }} if non chroot"
|
||||
|
|
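Review bot: `- include: authoritative.yml` and `- include: recursive.yml` use the bare `include` keyword, which has been deprecated since Ansible 2.4 and is removed in recent ansible-core releases; `- import_tasks: authoritative.yml` (static, keeps the `when`) is the drop-in replacement, and the same applies to the `recursive.yml` include. Both included files on this page write the same `dest: /etc/bind/named.conf.options`, so a host with both `bind_authoritative_server` and `bind_recursive_server` true ends up with the recursive template silently overwriting the authoritative one; an explicit check before the includes, `assert: { that: not (bind_authoritative_server | bool and bind_recursive_server | bool) }`, would make that misconfiguration visible instead. The `Create systemd service for Debian 8 (Jessie)` task continues past this hunk.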
|
@ -19,7 +19,7 @@
|
|||
- bind9_rndc
|
||||
notify: restart munin-node
|
||||
when:
|
||||
- bind_authoritative_server
|
||||
- bind_authoritative_server | bool
|
||||
- munin_node_plugins_config.stat.exists
|
||||
tags:
|
||||
- bind
|
||||
|
@ -32,10 +32,10 @@
|
|||
state: link
|
||||
loop:
|
||||
- bind9
|
||||
- bind9_rndc
|
||||
notify: restart munin-node
|
||||
when:
|
||||
- bind_recursive_server
|
||||
- bind_recursive_server | bool
|
||||
- bind_query_file_enabled | bool
|
||||
- munin_node_plugins_config.stat.exists
|
||||
tags:
|
||||
- bind
|
||||
|
|
19
bind/tasks/recursive.yml
Normal file
19
bind/tasks/recursive.yml
Normal file
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
|
||||
|
||||
- name: Set bind configuration for recursive server
|
||||
template:
|
||||
src: named.conf.options_recursive.j2
|
||||
dest: /etc/bind/named.conf.options
|
||||
owner: bind
|
||||
group: bind
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart bind
|
||||
|
||||
- name: enable zones.rfc1918 for recursive server
|
||||
lineinfile:
|
||||
dest: /etc/bind/named.conf.local
|
||||
line: 'include "/etc/bind/zones.rfc1918";'
|
||||
regexp: "zones.rfc1918"
|
||||
notify: restart bind
|
|
@ -56,7 +56,9 @@
|
|||
# some people like to put logs in /var/log/named/ instead of having
|
||||
# syslog do the heavy lifting.
|
||||
{{ bind_log_file }} rw,
|
||||
{% if bind_query_file_enabled | bool %}
|
||||
{{ bind_query_file }} rw,
|
||||
{% endif %}
|
||||
|
||||
# gssapi
|
||||
/var/lib/sss/pubconf/krb5.include.d/** r,
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{% if bind_chroot_set %}
|
||||
{{ bind_chroot_path }}{{bind_log_file}} {
|
||||
{% if bind_chroot_set | bool %}
|
||||
{{ bind_chroot_path }}{{ bind_log_file }} {
|
||||
{% else %}
|
||||
{{bind_log_file}} {
|
||||
{{ bind_log_file }} {
|
||||
{% endif %}
|
||||
weekly
|
||||
missingok
|
||||
|
|
|
@ -1,9 +1,17 @@
|
|||
[bind*]
|
||||
user root
|
||||
|
||||
env.logfile {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_query_file }}
|
||||
{% if bind_query_file_enabled | bool %}
|
||||
{% if bind_chroot_set | bool %}
|
||||
env.logfile {{ bind_chroot_path }}{{ bind_query_file }}
|
||||
{% else %}
|
||||
env.logfile {{ bind_query_file }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if bind_authoritative_server %}
|
||||
env.querystats {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_statistics_file }}
|
||||
{% endif %}
|
||||
|
||||
env.MUNIN_PLUGSTATE /var/lib/munin
|
||||
timeout 120
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
acl "foo" {
|
||||
::ffff:192.0.2.21; 192.0.2.21;
|
||||
2001:db8::21;
|
||||
};
|
||||
// acl "foo" {
|
||||
// ::ffff:192.0.2.21; 192.0.2.21;
|
||||
// 2001:db8::21;
|
||||
// };
|
||||
|
||||
options {
|
||||
directory "{{ bind_cache_dir }}";
|
||||
|
@ -20,16 +20,20 @@ options {
|
|||
|
||||
logging {
|
||||
category default { default_file; };
|
||||
{% if bind_query_file_enabled | bool %}
|
||||
category queries { query_logging; };
|
||||
{% endif %}
|
||||
|
||||
channel default_file {
|
||||
file "{{ bind_log_file }}";
|
||||
severity info;
|
||||
};
|
||||
{% if bind_query_file_enabled | bool %}
|
||||
channel query_logging {
|
||||
file "{{ bind_query_file }}" versions 2 size 128M;
|
||||
print-category yes;
|
||||
print-severity yes;
|
||||
print-time yes;
|
||||
};
|
||||
{% endif %}
|
||||
};
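Review bot: The new `query_logging` channel records, for every query, the client source address and the name asked for; if this is the recursive template that is personal data of the resolver's users, and `versions 2 size 128M` bounds the volume (at most three 128M files) but not the retention time — on a quiet server one file can hold months of client history. It is worth stating in the role README that enabling `bind_query_file_enabled` keeps client IPs on disk until roughly 384M of logs have rolled over, and, where a fixed retention is required, rotating by time through logrotate instead of BIND's `versions`, since the logrotate template in this commit only covers `bind_log_file`.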
|
||||
|
|
|
@ -9,16 +9,20 @@ options {
|
|||
|
||||
logging {
|
||||
category default { default_file; };
|
||||
{% if bind_query_file_enabled | bool %}
|
||||
category queries { query_logging; };
|
||||
{% endif %}
|
||||
|
||||
channel default_file {
|
||||
file "{{ bind_log_file }}";
|
||||
severity info;
|
||||
};
|
||||
{% if bind_query_file_enabled | bool %}
|
||||
channel query_logging {
|
||||
file "{{ bind_query_file }}" versions 2 size 128M;
|
||||
print-category yes;
|
||||
print-severity yes;
|
||||
print-time yes;
|
||||
};
|
||||
{% endif %}
|
||||
};
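Review bot: This `logging { … }` stanza is a verbatim copy of the one added to the sibling options template in this commit, down to the `versions 2 size 128M` channel and the `print-*` lines; two copies will drift (only one gaining a `severity`, a different size cap, a renamed channel). Moving the block into a shared partial and using `{% include 'named.conf.logging.j2' %}` in both templates keeps them aligned, and the variable it depends on, `bind_query_file_enabled`, is already common to both.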
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
- { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
|
||||
- { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
|
||||
- { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
|
||||
- { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
|
||||
- { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '200' }
|
||||
- { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
|
||||
- { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
|
||||
- { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
# If docher_home sets to /home/, the partition should be mounted with exec option.
|
||||
docker_home: /var/lib/docker
|
||||
docker_tmpdir: "{{docker_home}}/tmp"
|
||||
docker_tmpdir: "{{ docker_home }}/tmp"
|
||||
|
||||
# Chose to use iptables instead of docker-proxy userland process
|
||||
docker_conf_use_iptables: False
|
||||
|
@ -20,9 +20,9 @@ docker_remote_access_enabled: False
|
|||
docker_daemon_port: 2376
|
||||
docker_daemon_listening_ip: 0.0.0.0
|
||||
|
||||
# TLS
|
||||
# TLS
|
||||
docker_tls_enabled: False
|
||||
docker_tls_path: "{{docker_home}}/tls"
|
||||
docker_tls_path: "{{ docker_home }}/tls"
|
||||
docker_tls_ca: ca/ca.pem
|
||||
docker_tls_ca_key: ca/ca-key.pem
|
||||
docker_tls_cert: server/cert.pem
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
---
|
||||
- name: reload systemd
|
||||
command: systemctl daemon-reload
|
||||
systemd:
|
||||
daemon-reload: yes
|
||||
|
||||
- name: restart docker
|
||||
service:
|
||||
|
|
|
@ -1,40 +1,30 @@
|
|||
{
|
||||
"debug": false,
|
||||
|
||||
"debug": false
|
||||
{# Docker data-dir (default to /var/lib/docker) #}
|
||||
"data-root": "{{ docker_home }}",
|
||||
|
||||
,"data-root": "{{ docker_home }}"
|
||||
{# Keep containers running while docker daemon downtime #}
|
||||
"live-restore": {{ docker_conf_live_restore | to_json }},,
|
||||
|
||||
,"live-restore": {{ docker_conf_live_restore | to_json }}
|
||||
{# Turn on user namespace remaping #}
|
||||
"userns-remap": "default",
|
||||
|
||||
{% if docker_conf_use_iptables %}
|
||||
,"userns-remap": "default"
|
||||
{% if docker_conf_use_iptables %}
|
||||
{# Use iptables instead of docker-proxy #}
|
||||
"userland-proxy": false,
|
||||
"iptables": true,
|
||||
{% endif %}
|
||||
|
||||
,"userland-proxy": false
|
||||
,"iptables": true
|
||||
{% endif %}
|
||||
{# Disable the possibility for containers processes to gain new privileges #}
|
||||
"no-new-privileges": {{ docker_conf_no_newprivileges | to_json }},
|
||||
|
||||
{% if docker_conf_disable_default_networking %}
|
||||
,"no-new-privileges": {{ docker_conf_no_newprivileges | to_json }}
|
||||
{% if docker_conf_disable_default_networking %}
|
||||
{# Disable all default network connectivity #}
|
||||
"bridge": "none",
|
||||
"icc": false,
|
||||
{% endif %}
|
||||
|
||||
{% if docker_tls_enabled %}
|
||||
"tls": true,
|
||||
"tlscert": "{{ docker_tls_path }}/{{ docker_tls_cert }}",
|
||||
"tlscacert": "{{ docker_tls_path }}/{{ docker_tls_ca }}",
|
||||
"tlskey": "{{ docker_tls_path }}/{{ docker_tls_key }}",
|
||||
{% endif %}
|
||||
|
||||
{% if docker_remote_access_enabled %}
|
||||
"hosts": ["tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}", "fd://"]
|
||||
{% else %}
|
||||
"hosts": ["fd://"]
|
||||
{% endif %}
|
||||
,"bridge": "none"
|
||||
,"icc": false
|
||||
{% endif %}
|
||||
{% if docker_tls_enabled %}
|
||||
,"tls": true
|
||||
,"tlscert": "{{ docker_tls_path }}/{{ docker_tls_cert }}"
|
||||
,"tlscacert": "{{ docker_tls_path }}/{{ docker_tls_ca }}"
|
||||
,"tlskey": "{{ docker_tls_path }}/{{ docker_tls_key }}"
|
||||
{% endif %}
|
||||
{% if docker_remote_access_enabled %}
|
||||
,"hosts": ["tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}", "fd://"]
|
||||
{% endif %}
|
||||
}
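Review bot: The TLS block enables `tls` but never `tlsverify`, so with `docker_remote_access_enabled` the daemon serves TLS on `docker_daemon_listening_ip:docker_daemon_port` (0.0.0.0:2376 by the defaults in this commit) without authenticating clients — `tlscacert` only gates clients when `tlsverify` is set, and an unauthenticated daemon API is root on the host. Add `,"tlsverify": true` beside `,"tls": true`, and since the tcp listener is rendered independently of `docker_tls_enabled` (which defaults to False), either gate the `hosts` entry on it or have the tasks assert that remote access implies TLS. Dropping the `"hosts": ["fd://"]` default matches Debian's unit passing `-H fd://` on the command line, but when remote access is enabled `hosts` is still written to daemon.json, which dockerd rejects as specified both as a flag and in the file unless a systemd drop-in clears `ExecStart`; presumably the role ships one, but it is outside this hunk.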
|
||||
|
|
|
@ -87,7 +87,7 @@
|
|||
name: log2mail
|
||||
state: present
|
||||
tags: dovecot
|
||||
|
||||
|
||||
- name: dovecot is configured in log2mail
|
||||
blockinfile:
|
||||
path: /etc/log2mail/config/mail.conf
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
when: elasticsearch_additional_scripts_dir is search ("/usr")
|
||||
when: elasticsearch_additional_scripts_dir is search("/usr")
|
||||
|
||||
- name: "{{ elasticsearch_additional_scripts_dir }} exists"
|
||||
file:
|
||||
|
|
|
@ -118,6 +118,17 @@
|
|||
tags:
|
||||
- config
|
||||
|
||||
- name: Disable garbage collector logs (JDK >= 9)
|
||||
lineinfile:
|
||||
dest: /etc/elasticsearch/jvm.options
|
||||
regexp: "Xlog:gc"
|
||||
line: "#9-:-Xlog:gc*,gc+age=trace,safepoint:file=/opt/my-app/gc.log:utctime,pid,tags:filecount=32,filesize=64m"
|
||||
owner: root
|
||||
group: elasticsearch
|
||||
mode: "0640"
|
||||
tags:
|
||||
- config
|
||||
|
||||
- name: Configure cluster members
|
||||
lineinfile:
|
||||
dest: /etc/elasticsearch/elasticsearch.yml
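Review bot: The `line:` written by `Disable garbage collector logs` is the JDK documentation example with `file=/opt/my-app/gc.log`, not the path the packaged `jvm.options` uses; it is inert because it is commented, but it leaves a misleading record in the file, and the unanchored `regexp: "Xlog:gc"` matches any line containing that text, including one that is already commented out. Commenting the packaged line in place keeps the real path with the same idempotence: use the `replace` module on the same `path` with `regexp: '^(9-:-Xlog:gc.*)$'` and `replace: '#\1'`, keeping the `owner`/`group`/`mode` arguments. If the file also carries JDK 8 `8:-XX:+PrintGC…` lines they are untouched by either approach, which matches the task's `(JDK >= 9)` scope.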
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
|
||||
- name: "read the real datadir"
|
||||
command: readlink -f /var/lib/elasticsearch
|
||||
changed_when: false
|
||||
changed_when: False
|
||||
register: elasticsearch_current_real_datadir_test
|
||||
check_mode: no
|
||||
tags:
|
||||
|
|
|
@ -17,3 +17,4 @@
|
|||
group: root
|
||||
mode: "0750"
|
||||
when: is_cron_installed.rc == 0
|
||||
|
||||
|
|
|
@ -8,7 +8,6 @@ MAX_AGE={{ elasticsearch_log_rotate_days | mandatory }}
|
|||
# Compress logs
|
||||
find ${LOG_DIR} -type f -user ${USER} -name "*.log.????-??-??" -exec gzip --best {} \;
|
||||
find ${LOG_DIR} -type f -user ${USER} -name "*-????-??-??.log" -exec gzip --best {} \;
|
||||
find ${LOG_DIR} -type f -user ${USER} -name "*.log.??" -not -name "*.gz" -exec gzip --best {} \;
|
||||
|
||||
# Delete old logs
|
||||
find ${LOG_DIR} -type f -user ${USER} -name "*gz" -ctime +${MAX_AGE} -delete
|
||||
find ${LOG_DIR} -type f -user ${USER} -name "*gz" -ctime +${MAX_AGE} -delete
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
state: present
|
||||
tags:
|
||||
- etc-git
|
||||
when:
|
||||
when:
|
||||
- ansible_distribution == "Debian"
|
||||
|
||||
- name: Install and configure utilities
|
||||
|
|
|
@ -2,14 +2,13 @@
|
|||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
when: repository_path is search ("/usr")
|
||||
when: repository_path is search("/usr")
|
||||
|
||||
- name: "{{ repository_path }} is versioned with git"
|
||||
command: "git init ."
|
||||
args:
|
||||
chdir: "{{ repository_path }}"
|
||||
creates: "{{ repository_path }}/.git/"
|
||||
warn: no
|
||||
register: git_init
|
||||
tags:
|
||||
- etc-git
|
||||
|
@ -54,7 +53,6 @@
|
|||
command: "git log"
|
||||
args:
|
||||
chdir: "{{ repository_path }}"
|
||||
warn: no
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
register: git_log
|
||||
|
@ -66,7 +64,6 @@
|
|||
shell: "git add -A . && git commit -m \"Initial commit via Ansible\""
|
||||
args:
|
||||
chdir: "{{ repository_path }}"
|
||||
warn: no
|
||||
register: git_commit
|
||||
when: git_log.rc != 0 or (git_init is defined and git_init is changed)
|
||||
tags:
|
||||
|
|
|
@ -51,7 +51,7 @@
|
|||
register: is_cron_installed
|
||||
|
||||
- block:
|
||||
- name: Legacy cron jobs for /etc/.git status are absent
|
||||
- name: Legacy cron jobs for /etc/.git status are absent
|
||||
file:
|
||||
dest: "{{ item }}"
|
||||
state: absent
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
### File generated by Ansible ###
|
||||
|
||||
SSL_KEY_DIR=${SSL_KEY_DIR:-{{ evoacme_ssl_key_dir }}}
|
||||
ACME_DIR=${ACME_DIR:-{{ evoacme_acme_dir }}}
|
||||
CSR_DIR=${CSR_DIR:-{{ evoacme_csr_dir }}}
|
||||
CRT_DIR=${CRT_DIR:-{{ evoacme_crt_dir }}}
|
||||
SSL_KEY_DIR=${SSL_KEY_DIR:-{{ evoacme_ssl_key_dir }} }
|
||||
ACME_DIR=${ACME_DIR:-{{ evoacme_acme_dir }} }
|
||||
CSR_DIR=${CSR_DIR:-{{ evoacme_csr_dir }} }
|
||||
CRT_DIR=${CRT_DIR:-{{ evoacme_crt_dir }} }
|
||||
HOOKS_DIR=${HOOKS_DIR:-"{{ evoacme_hooks_dir }}"}
|
||||
LOG_DIR=${LOG_DIR:-{{ evoacme_log_dir }}}
|
||||
SSL_MINDAY=${SSL_MINDAY:-{{ evoacme_ssl_minday }}}
|
||||
LOG_DIR=${LOG_DIR:-{{ evoacme_log_dir }} }
|
||||
SSL_MINDAY=${SSL_MINDAY:-{{ evoacme_ssl_minday }} }
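Review bot: The variant with a space before the closing brace, `${SSL_KEY_DIR:-{{ evoacme_ssl_key_dir }} }`, renders a shell default with a trailing space (`${SSL_KEY_DIR:-/etc/ssl/private }`), and that space then ends up inside every path built from the variable; if that is the new side, it breaks the defaults for six of the seven variables in this file. `HOOKS_DIR` on the line between them already shows the safe form: quoting the value, `SSL_KEY_DIR=${SSL_KEY_DIR:-"{{ evoacme_ssl_key_dir }}"}`, avoids both the `}}}` ambiguity and the stray space.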
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
# Managed by Ansible
|
||||
#
|
||||
# Configuration for evocheck
|
||||
# Use this file to change configuration values defined in evocheck.sh
|
||||
# Ex : IS_TMP_1777=0
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# Script to verify compliance of a Linux (Debian) server
|
||||
# powered by Evolix
|
||||
|
||||
VERSION="22.11"
|
||||
VERSION="23.03.01"
|
||||
readonly VERSION
|
||||
|
||||
# base functions
|
||||
|
|
164
evocheck/files/evocheck.sh
Normal file → Executable file
|
@ -4,7 +4,7 @@
|
|||
# Script to verify compliance of a Linux (Debian) server
|
||||
# powered by Evolix
|
||||
|
||||
VERSION="22.11"
|
||||
VERSION="23.03.01"
|
||||
readonly VERSION
|
||||
|
||||
# base functions
|
||||
|
@ -100,6 +100,17 @@ is_installed(){
|
|||
|
||||
# logging
|
||||
|
||||
log() {
|
||||
date=$(/bin/date +"${DATE_FORMAT}")
|
||||
if [ "${1}" != '' ]; then
|
||||
printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${1}" >> "${LOGFILE}"
|
||||
else
|
||||
while read line; do
|
||||
printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${line}" >> "${LOGFILE}"
|
||||
done < /dev/stdin
|
||||
fi
|
||||
}
|
||||
|
||||
failed() {
|
||||
check_name=$1
|
||||
shift
|
||||
|
@ -113,6 +124,9 @@ failed() {
|
|||
printf "%s FAILED!\n" "${check_name}" >> "${main_output_file}"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Always log verbose
|
||||
log "${check_name} FAILED! ${check_comments}"
|
||||
}
|
||||
|
||||
# check functions
|
||||
|
@ -131,6 +145,13 @@ check_dpkgwarning() {
|
|||
test -e /etc/apt/apt.conf.d/z-evolinux.conf \
|
||||
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing"
|
||||
}
|
||||
# Check if localhost, localhost.localdomain and localhost.$mydomain are set in Postfix mydestination option.
|
||||
check_localhost_in_postfix_mydestination() {
|
||||
# shellcheck disable=SC2016
|
||||
if ! grep mydestination /etc/postfix/main.cf | grep --quiet --extended-regexp '(localhost[^\\.]|localhost.localdomain|localhost.$mydomain)'; then
|
||||
failed "IS_LOCALHOST_IN_POSTFIX_MYDESTINATION" "'localhost' and/or 'localhost.localdomain' and/or 'localhost.\$mydomain' are missing in Postfix mydestination option. Consider adding then."
|
||||
fi
|
||||
}
|
||||
# Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix)
|
||||
check_nrpepostfix() {
|
||||
if is_installed postfix; then
|
||||
|
@ -391,7 +412,7 @@ check_log2mailrunning() {
|
|||
fi
|
||||
}
|
||||
check_log2mailapache() {
|
||||
conf=/etc/log2mail/config/Apache
|
||||
conf=/etc/log2mail/config/apache
|
||||
if is_pack_web && is_installed log2mail; then
|
||||
grep -s -q "^file = /var/log/apache2/error.log" $conf \
|
||||
|| failed "IS_LOG2MAILAPACHE" "missing log2mail directive for apache"
|
||||
|
@ -463,18 +484,26 @@ check_evobackup() {
|
|||
evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l)
|
||||
test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" "missing evobackup cron"
|
||||
}
|
||||
# Vérification de la mise en place de la purge pour fail2ban
|
||||
check_purge_fail2ban() {
|
||||
# Vérification de la mise en place d'un cron de purge de la base SQLite de Fail2ban
|
||||
check_fail2ban_purge() {
|
||||
if is_debian_stretch || is_debian_buster; then
|
||||
if is_installed fail2ban; then
|
||||
test -f /etc/cron.daily/fail2ban_dbpurge || failed "IS_FAIL2BAN_PURGE" "missing script fail2ban_dbpurge cron"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
# Vérification qu'il ne reste pas des jails nommées ssh non renommées en sshd
|
||||
check_ssh_fail2ban_jail_renamed() {
|
||||
if is_installed fail2ban && [ -f /etc/fail2ban/jail.local ]; then
|
||||
if grep --quiet --fixed-strings "[ssh]" /etc/fail2ban/jail.local; then
|
||||
failed "IS_SSH_FAIL2BAN_JAIL_RENAMED" "Jail ssh must be renamed sshd in fail2ban >= 0.9."
|
||||
fi
|
||||
fi
|
||||
}
|
||||
# Vérification de l'exclusion des montages (NFS) dans les sauvegardes
|
||||
check_evobackup_exclude_mount() {
|
||||
excludes_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.evobackup_exclude_mount.XXXXX")
|
||||
files_to_cleanup="${files_to_cleanup} ${excludes_file}"
|
||||
excludes_file=$(mktemp --tmpdir "evocheck.evobackup_exclude_mount.XXXXX")
|
||||
files_to_cleanup+=("${excludes_file}")
|
||||
|
||||
# shellcheck disable=SC2044
|
||||
for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do
|
||||
|
@ -643,7 +672,7 @@ check_notupgraded() {
|
|||
fi
|
||||
done
|
||||
if $upgraded; then
|
||||
last_upgrade=$(date +%s -d "$(zgrep -h upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')")
|
||||
last_upgrade=$(date +%s -d "$(zgrep --no-filename --no-messages upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')")
|
||||
fi
|
||||
if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|
||||
|| grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
|
||||
|
@ -841,10 +870,17 @@ check_redis_backup() {
|
|||
# You could change the default path in /etc/evocheck.cf
|
||||
# REDIS_BACKUP_PATH may contain space-separated paths, example:
|
||||
# REDIS_BACKUP_PATH='/home/backup/redis-instance1/dump.rdb /home/backup/redis-instance2/dump.rdb'
|
||||
REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/redis/dump.rdb"}
|
||||
for file in ${REDIS_BACKUP_PATH}; do
|
||||
test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${file})"
|
||||
done
|
||||
# Old default path: /home/backup/dump.rdb
|
||||
# New default path: /home/backup/redis/dump.rdb
|
||||
if [ -z "${REDIS_BACKUP_PATH}" ]; then
|
||||
if ! [ -f "/home/backup/dump.rdb" ] && ! [ -f "/home/backup/redis/dump.rdb" ]; then
|
||||
failed "IS_REDIS_BACKUP" "Redis dump is missing (/home/backup/dump.rdb or /home/backup/redis/dump.rdb)."
|
||||
fi
|
||||
else
|
||||
for file in ${REDIS_BACKUP_PATH}; do
|
||||
test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump ${file} is missing."
|
||||
done
|
||||
fi
|
||||
fi
|
||||
}
|
||||
check_elastic_backup() {
|
||||
|
@ -895,15 +931,15 @@ check_mysqlnrpe() {
|
|||
grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \
|
||||
|| failed "IS_MYSQLNRPE" "check_mysql is missing"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
check_phpevolinuxconf() {
|
||||
is_debian_stretch && phpVersion="7.0"
|
||||
is_debian_buster && phpVersion="7.3"
|
||||
is_debian_bullseye && phpVersion="7.4"
|
||||
if is_installed php; then
|
||||
{ test -f /etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini \
|
||||
&& test -f /etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini
|
||||
{ test -f "/etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini" \
|
||||
&& test -f "/etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini"
|
||||
} || failed "IS_PHPEVOLINUXCONF" "missing php evolinux config"
|
||||
fi
|
||||
}
|
||||
|
@ -929,8 +965,8 @@ check_duplicate_fs_label() {
|
|||
# Do it only if thereis blkid binary
|
||||
BLKID_BIN=$(command -v blkid)
|
||||
if [ -n "$BLKID_BIN" ]; then
|
||||
tmpFile=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.duplicate_fs_label.XXXXX")
|
||||
files_to_cleanup="${files_to_cleanup} ${tmpFile}"
|
||||
tmpFile=$(mktemp --tmpdir "evocheck.duplicate_fs_label.XXXXX")
|
||||
files_to_cleanup+=("${tmpFile}")
|
||||
|
||||
parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
|
||||
for part in $parts; do
|
||||
|
@ -1097,8 +1133,8 @@ check_evobackup_incs() {
|
|||
bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld}
|
||||
if [ -f "${bkctld_cron_file}" ]; then
|
||||
root_crontab=$(grep -v "^#" "${bkctld_cron_file}")
|
||||
echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}"
|
||||
echo "${root_crontab}" | grep -qE "(check-incs.sh|bkctld check-incs)" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}"
|
||||
echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "'bkctld inc' is missing in ${bkctld_cron_file}"
|
||||
echo "${root_crontab}" | grep -qE "(check-incs.sh|bkctld check-incs)" || failed "IS_EVOBACKUP_INCS" "'check-incs.sh' is missing in ${bkctld_cron_file}"
|
||||
else
|
||||
failed "IS_EVOBACKUP_INCS" "Crontab \`${bkctld_cron_file}' is missing"
|
||||
fi
|
||||
|
@ -1129,7 +1165,7 @@ check_chrooted_binary_uptodate() {
|
|||
for process_name in ${process_list}; do
|
||||
# what is the binary path?
|
||||
original_bin=$(command -v "${process_name}")
|
||||
for pid in $(pgrep ${process_name}); do
|
||||
for pid in $(pgrep "${process_name}"); do
|
||||
process_bin=$(realpath "/proc/${pid}/exe")
|
||||
# Is the process chrooted?
|
||||
real_root=$(realpath "/proc/${pid}/root")
|
||||
|
@ -1157,7 +1193,6 @@ check_nginx_letsencrypt_uptodate() {
|
|||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
check_lxc_container_resolv_conf() {
|
||||
if is_installed lxc; then
|
||||
container_list=$(lxc-ls)
|
||||
|
@ -1178,6 +1213,38 @@ check_lxc_container_resolv_conf() {
|
|||
done
|
||||
fi
|
||||
}
|
||||
# Check that there are containers if lxc is installed.
|
||||
check_no_lxc_container() {
|
||||
if is_installed lxc; then
|
||||
containers_count=$(lxc-ls | wc -l)
|
||||
if [ "$containers_count" -eq 0 ]; then
|
||||
failed "IS_NO_LXC_CONTAINER" "LXC is installed but have no container. Consider removing it."
|
||||
fi
|
||||
fi
|
||||
}
|
||||
# Check that in LXC containers, phpXX-fpm services have UMask set to 0007.
|
||||
check_lxc_php_fpm_service_umask_set() {
|
||||
if is_installed lxc; then
|
||||
php_containers_list=$(lxc-ls --filter php)
|
||||
missing_umask=""
|
||||
for container in $php_containers_list; do
|
||||
# Translate container name in service name
|
||||
if [ "$container" = "php56" ]; then
|
||||
service="php5-fpm"
|
||||
else
|
||||
service="${container:0:4}.${container:4}-fpm"
|
||||
fi
|
||||
umask=$(lxc-attach --name "${container}" -- systemctl show -p UMask "$service" | cut -d "=" -f2)
|
||||
if [ "$umask" != "0007" ]; then
|
||||
missing_umask="${missing_umask} ${container}"
|
||||
fi
|
||||
done
|
||||
if [ -n "${missing_umask}" ]; then
|
||||
failed "IS_LXC_PHP_FPM_SERVICE_UMASK_SET" "UMask is not set to 0007 in PHP-FPM services of theses containers : ${missing_umask}."
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
download_versions() {
|
||||
local file
|
||||
file=${1:-}
|
||||
|
@ -1280,8 +1347,8 @@ add_to_path() {
|
|||
echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}"
|
||||
}
|
||||
check_versions() {
|
||||
versions_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.versions.XXXXX")
|
||||
files_to_cleanup="${files_to_cleanup} ${versions_file}"
|
||||
versions_file=$(mktemp --tmpdir "evocheck.versions.XXXXX")
|
||||
files_to_cleanup+=("${versions_file}")
|
||||
|
||||
download_versions "${versions_file}"
|
||||
add_to_path "/usr/share/scripts"
|
||||
|
@ -1308,8 +1375,8 @@ main() {
|
|||
# Detect operating system name, version and release
|
||||
detect_os
|
||||
|
||||
main_output_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.main.XXXXX")
|
||||
files_to_cleanup="${files_to_cleanup} ${main_output_file}"
|
||||
main_output_file=$(mktemp --tmpdir "evocheck.main.XXXXX")
|
||||
files_to_cleanup+=("${main_output_file}")
|
||||
|
||||
test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777
|
||||
test "${IS_ROOT_0700:=1}" = 1 && check_root_0700
|
||||
|
@ -1322,6 +1389,7 @@ main() {
|
|||
|
||||
test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease
|
||||
test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning
|
||||
test "${IS_LOCALHOST_IN_POSTFIX_MYDESTINATION:=1}" = 1 && check_localhost_in_postfix_mydestination
|
||||
test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix
|
||||
test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers
|
||||
test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs
|
||||
|
@ -1367,6 +1435,8 @@ main() {
|
|||
test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw
|
||||
test "${IS_NETWORKING_SERVICE:=1}" = 1 && check_networking_service
|
||||
test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup
|
||||
test "${IS_PURGE_FAIL2BAN:=1}" = 1 && check_fail2ban_purge
|
||||
test "${IS_SSH_FAIL2BAN_JAIL_RENAMED:=1}" = 1 && check_ssh_fail2ban_jail_renamed
|
||||
test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount
|
||||
test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate
|
||||
test "${IS_APACHECTL:=1}" = 1 && check_apachectl
|
||||
|
@ -1418,6 +1488,8 @@ main() {
|
|||
test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate
|
||||
test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate
|
||||
test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf
|
||||
test "${IS_NO_LXC_CONTAINER:=1}" = 1 && check_no_lxc_container
|
||||
test "${IS_LXC_PHP_FPM_SERVICE_UMASK_SET:=1}" = 1 && check_lxc_php_fpm_service_umask_set
|
||||
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
|
||||
|
||||
if [ -f "${main_output_file}" ]; then
|
||||
|
@ -1431,9 +1503,12 @@ main() {
|
|||
|
||||
exit ${RC}
|
||||
}
|
||||
cleanup_temp_files() {
|
||||
# shellcheck disable=SC2086
|
||||
rm -f ${files_to_cleanup}
|
||||
cleanup() {
|
||||
# Cleanup tmp files
|
||||
# shellcheck disable=SC2086,SC2317
|
||||
rm -f ${files_to_cleanup[@]}
|
||||
|
||||
log "$PROGNAME exit."
|
||||
}
|
||||
|
||||
PROGNAME=$(basename "$0")
|
||||
|
@ -1444,17 +1519,23 @@ readonly PROGNAME
|
|||
ARGS=$@
|
||||
readonly ARGS
|
||||
|
||||
LOGFILE="/var/log/evocheck.log"
|
||||
readonly LOGFILE
|
||||
|
||||
CONFIGFILE="/etc/evocheck.cf"
|
||||
readonly CONFIGFILE
|
||||
|
||||
DATE_FORMAT="%Y-%m-%d %H:%M:%S"
|
||||
# shellcheck disable=SC2034
|
||||
readonly DATEFORMAT
|
||||
|
||||
# Disable LANG*
|
||||
export LANG=C
|
||||
export LANGUAGE=C
|
||||
|
||||
files_to_cleanup=""
|
||||
# shellcheck disable=SC2064
|
||||
trap cleanup_temp_files 0
|
||||
|
||||
# Source configuration file
|
||||
# shellcheck disable=SC1091
|
||||
test -f /etc/evocheck.cf && . /etc/evocheck.cf
|
||||
test -f "${CONFIGFILE}" && . "${CONFIGFILE}"
|
||||
|
||||
# Parse options
|
||||
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
|
||||
|
@ -1502,5 +1583,24 @@ while :; do
|
|||
shift
|
||||
done
|
||||
|
||||
# Keep this after "show_version(); exit 0" which is called by check_versions
|
||||
# to avoid logging exit twice.
|
||||
declare -a files_to_cleanup
|
||||
files_to_cleanup=""
|
||||
# shellcheck disable=SC2064
|
||||
trap cleanup EXIT INT TERM
|
||||
|
||||
log '-----------------------------------------------'
|
||||
log "Running $PROGNAME $VERSION..."
|
||||
|
||||
# Log config file content
|
||||
if [ -f "${CONFIGFILE}" ]; then
|
||||
log "Runtime configuration (${CONFIGFILE}):"
|
||||
sed -e '/^[[:blank:]]*#/d; s/#.*//; /^[[:blank:]]*$/d' "${CONFIGFILE}" | log
|
||||
fi
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
main ${ARGS}
|
||||
|
||||
log "End of $PROGNAME execution."
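Review bot: `check_localhost_in_postfix_mydestination` can report the wrong result in both directions: `grep mydestination` is unanchored, so a commented-out `#mydestination = …` line satisfies it, while in an extended regex `$` is an anchor wherever it appears, so the `localhost.$mydomain` alternative can never match, and `localhost[^\\.]` needs a following character and misses `localhost` as the last item on the line. Keeping the intent but fixing the three: `grep -E '^mydestination' /etc/postfix/main.cf | grep -qE 'localhost([^.]|$)|localhost\.localdomain|localhost\.\$mydomain'` (or read the effective value with `postconf -h mydestination`, which expands `$mydomain` and ignores comments). Separately, `readonly DATEFORMAT` near the bottom names a variable that does not exist — the one defined just above it is `DATE_FORMAT` — so it is never made read-only and the `SC2034` suppression hides the typo; it should read `readonly DATE_FORMAT`. The `cleanup` trap also expands `${files_to_cleanup[@]}` unquoted, which is only safe while `TMPDIR` contains no spaces; `"${files_to_cleanup[@]}"` is the idiom.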
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# Script to verify compliance of a Linux (Debian) server
|
||||
# powered by Evolix
|
||||
|
||||
VERSION="22.11"
|
||||
VERSION="23.03.01"
|
||||
readonly VERSION
|
||||
|
||||
# base functions
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
when: evocheck_bin_dir is search ("/usr")
|
||||
when: evocheck_bin_dir is search("/usr")
|
||||
tags:
|
||||
- evocheck
|
||||
|
||||
|
|
|
@ -23,13 +23,9 @@
|
|||
|
||||
- name: remount /home
|
||||
command: mount -o remount /home
|
||||
args:
|
||||
warn: no
|
||||
|
||||
- name: remount /var
|
||||
command: mount -o remount /var
|
||||
args:
|
||||
warn: no
|
||||
|
||||
|
||||
- name: restart nginx
|
||||
|
|
|
@ -4,6 +4,12 @@
|
|||
name: dbus
|
||||
state: present
|
||||
|
||||
- name: dbus is enabled and started
|
||||
service:
|
||||
name: dbus
|
||||
state: started
|
||||
enabled: true
|
||||
|
||||
- name: Set hostname "{{ evolinux_hostname }}"
|
||||
hostname:
|
||||
name: "{{ evolinux_hostname }}"
|
||||
|
|
|
@ -55,7 +55,6 @@
|
|||
- mutt
|
||||
- tree
|
||||
- git
|
||||
- subversion
|
||||
- rsync
|
||||
- bc
|
||||
- pinentry-curses
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
vars:
|
||||
user: "{{ item.value }}"
|
||||
loop: "{{ evolinux_users | dict2items }}"
|
||||
when:
|
||||
when:
|
||||
- user.create == evolinux_users_create
|
||||
- evolinux_users | length > 0
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
Defaults umask=0077
|
||||
|
||||
Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh, /usr/bin/apt, /bin/mount
|
||||
Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh
|
||||
User_Alias ADMINS = {{ user.name }}
|
||||
|
||||
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
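Review bot: Of the two `Cmnd_Alias MAINT` variants, the one that still lists `/usr/bin/apt` and `/bin/mount` is a full root grant in disguise: apt runs arbitrary commands through `-o APT::Update::Pre-Invoke=…` or `-o DPkg::Pre-Install-Pkgs=…`, and mount accepts caller-chosen options and bind mounts over system paths, so neither belongs in a restricted alias, and the variant without them is the one to keep. If that is indeed the new side, this is a hardening change that removes a capability admins may rely on (`sudo apt …`), so a line under Security/Removed in the changelog and a pointer to `listupgrade.sh` as the supported path would help. The `ADMINS` rule that consumes MAINT is outside the hunk, so whether it is `NOPASSWD` cannot be checked here.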
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
Defaults umask=0077
|
||||
|
||||
Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh, /usr/bin/apt, /bin/mount
|
||||
Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh
|
||||
|
||||
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
|
||||
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
[Definition]
|
||||
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=<HOST>,.*
|
||||
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Internal login failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=<HOST>,.*
|
||||
ignoreregex =
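Review bot: `Internal login failure` is, as far as the Dovecot message name suggests, emitted when the auth process itself fails (userdb/passdb backend errors, timeouts) rather than when a client presents bad credentials, so banning on it turns an LDAP/SQL/PAM outage into a ban of every client that tries to log in during the outage, including legitimate mail clients that retry every minute. Before keeping it in the shared filter it is worth confirming against the dovecot-login sources which conditions log that string; if it is meant to catch a specific abuse pattern, a dedicated jail with a higher `maxretry` limits the blast radius.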
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
---
|
||||
- name: Sqlite needed
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
|
@ -6,10 +7,20 @@
|
|||
|
||||
- name: Register bantime from default config from package
|
||||
shell: "grep -R -E 'dbpurgeage[[:blank:]]*=[[:blank:]]*[0-9]+' /etc/fail2ban/fail2ban.conf |awk '{print $3}'|head -n1"
|
||||
register: default_dbpurgeage
|
||||
changed_when: false
|
||||
register: dbpurgeage
|
||||
changed_when: False
|
||||
check_mode: false
|
||||
|
||||
- name:
|
||||
set_fact:
|
||||
dbpurgeage_default : "{{ dbpurgeage.stdout }}"
|
||||
when: dbpurgeage.stdout | regex_search("^\\d+\w+$")
|
||||
|
||||
- name:
|
||||
set_fact:
|
||||
dbpurgeage_default : "{{ dbpurgeage.stdout }} second"
|
||||
when: dbpurgeage.stdout | regex_search("^\\d+$")
|
||||
|
||||
- name: Add crontab
|
||||
template:
|
||||
src: fail2ban_dbpurge.j2
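Review bot: The `^\d+\w+$` branch passes fail2ban's own unit suffix straight through, and the cron template then feeds it to SQLite as `datetime('now', '-1d')`; SQLite only understands spelled-out units (`day`, `hour`, `minute`, `second`, optional trailing `s`), so with a suffixed value such as the `1d` that fail2ban 0.10+ ships as the default, the modifier is invalid, `datetime()` returns NULL and the `DELETE` silently matches nothing — the purge this task exists for never runs. Translating the suffix in the fact fixes it, e.g. `dbpurgeage_default: "{{ dbpurgeage.stdout | regex_replace('^(\\d+)d$', '\\1 day') | regex_replace('^(\\d+)h$', '\\1 hour') | regex_replace('^(\\d+)m$', '\\1 minute') }}"`, followed by an `assert` that the result matches `^\d+ (second|minute|hour|day)$` so an unexpected unit fails the play instead of no-op'ing nightly. The grep that reads the value is also unanchored, so a commented `#dbpurgeage = …` line would be picked up; `^dbpurgeage` avoids that.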
|
||||
|
|
|
@ -97,7 +97,7 @@
|
|||
marker: "# ANSIBLE MANAGED"
|
||||
block: |
|
||||
[DEFAULT]
|
||||
dbpurgeage = {{ fail2ban_recidive_bantime}}
|
||||
dbpurgeage = {{ fail2ban_recidive_bantime }}
|
||||
insertafter: EOF
|
||||
create: yes
|
||||
mode: "0644"
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
# Juin - Decembre 2022 : #64088
|
||||
# Purge pour Stretch et Buster
|
||||
|
||||
/usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ bantime.stdout }} second') > datetime(timeofban, 'unixepoch');"
|
||||
/usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ dbpurgeage_default }}') > datetime(timeofban, 'unixepoch');"
|
||||
|
||||
place_dispo=$( df -h /var/lib/fail2ban/fail2ban.sqlite3 --output="avail" -h --block-size=1 |tail -n1 )
|
||||
place_pris=$( echo $(("$(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3 ) * 2" )) )
|
||||
|
|
|
@ -16,7 +16,7 @@ destemail = {{ fail2ban_alert_email or general_alert_email | mandatory }}
|
|||
|
||||
# ACTIONS
|
||||
banaction = iptables-multiport
|
||||
action = %({{fail2ban_default_action}})s
|
||||
action = %({{ fail2ban_default_action }})s
|
||||
|
||||
|
||||
[sshd]
|
||||
|
|
|
@ -84,8 +84,8 @@
|
|||
command: grep logstash-input-beats /usr/share/logstash/Gemfile
|
||||
check_mode: no
|
||||
register: logstash_plugin_installed
|
||||
failed_when: false
|
||||
changed_when: false
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
when:
|
||||
- filebeat_logstash_plugin | bool
|
||||
- logstash_plugin.stat.exists
|
||||
|
|
|
@ -63,7 +63,7 @@ listen stats
|
|||
acl stats_users http_auth(stats_users)
|
||||
stats http-request auth realm "HAProxy admin" if !stats_access_ips !stats_users
|
||||
{% else %}
|
||||
stats http-request deny if !stats_access_ips
|
||||
stats http-request deny if !stats_access_ips !stats_admin_ips
|
||||
{% endif %}
|
||||
|
||||
http-request set-log-level silent
|
||||
|
|
|
@ -25,7 +25,7 @@
|
|||
|
||||
- name: Install specific openjdk package
|
||||
apt:
|
||||
name: "openjdk-{{ java_version}}-jre-headless"
|
||||
name: "openjdk-{{ java_version }}-jre-headless"
|
||||
default_release: "{{ java_apt_release }}"
|
||||
state: present
|
||||
tags:
|
||||
|
|
|
@ -1,2 +1,3 @@
|
|||
#!/bin/bash
|
||||
echo $1 $2 is in $3 state > /var/run/keepalive.state
|
||||
chmod og+r /var/run/keepalive.state
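Review bot: Writing the file and then running `chmod og+r` leaves a window in which a reader sees the pre-chmod mode, and the second step is only needed because the caller's umask is restrictive (presumably keepalived's unit sets `UMask`); `umask 022` before the redirect achieves the same result in one step and also covers the first creation. The positional parameters should be quoted too — `echo "$1 $2 is in $3 state" > /var/run/keepalive.state` — so an instance name with unusual characters is written verbatim rather than word-split and glob-expanded.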
|
||||
|
|
|
@ -126,8 +126,6 @@
|
|||
|
||||
# - name: Get mount options for /usr partition
|
||||
# shell: "mount | grep 'on /usr type'"
|
||||
# args:
|
||||
# warn: no
|
||||
# register: mount
|
||||
# changed_when: False
|
||||
# failed_when: False
|
||||
|
|
|
@ -42,25 +42,34 @@ error () {
|
|||
main() {
|
||||
for VM in $(virsh list --name --all | sed '/^$/d' | sort)
|
||||
do
|
||||
echo "$VM"
|
||||
|
||||
# cpu
|
||||
virsh vcpucount --current "$VM"
|
||||
|
||||
# mem
|
||||
# libvirt stores memory in KiB, POW must be lowered by 1
|
||||
virsh dommemstat "$VM" 2>/dev/null | awk 'BEGIN{ret=1}$1~/^actual$/{print $2 / '$((POW / 1024))';ret=0}END{exit ret}' ||
|
||||
virsh dumpxml "$VM" | awk -F'[<>]' '$2~/^memory unit/{print $3/'$((POW / 1024))'}'
|
||||
|
||||
# disk
|
||||
for BLK in $(virsh domblklist "$VM" | sed '1,2d;/-$/d;/^$/d' | awk '{print $1}')
|
||||
do
|
||||
virsh domblkinfo "$VM" "$BLK" 2>/dev/null
|
||||
done | awk '/Physical:/ { size += $2 } END { print int(size / '${POW}') }'
|
||||
|
||||
# state
|
||||
virsh domstate "$VM" | grep -q '^running$' && echo yes || echo no
|
||||
done | xargs -n5 | {
|
||||
printf '%s ' "${VM}"
|
||||
virsh domstats "${VM}" | awk '
|
||||
BEGIN {
|
||||
FS = "="
|
||||
}
|
||||
/vcpu\.current/ {
|
||||
vcpu = $2
|
||||
}
|
||||
/balloon\.current/ {
|
||||
mem = $2
|
||||
}
|
||||
/balloon\.maximum/ {
|
||||
if (!mem)
|
||||
mem = $2
|
||||
}
|
||||
/block\.[0-9]+\.physical/ {
|
||||
disksize += $2
|
||||
}
|
||||
/state\.state/ {
|
||||
if ($2 == 1)
|
||||
running = "yes"
|
||||
else
|
||||
running = "no"
|
||||
}
|
||||
END {
|
||||
print vcpu, mem / 1024 ^ 2, disksize / 1024 ^ 3, running
|
||||
}'
|
||||
done | {
|
||||
echo vm vcpu ram disk running
|
||||
awk '{ print } /yes$/ { vcpu += $2; ram += $3; disk += $4; running++ } END { print "TOTAL(running)", vcpu, ram, disk, running }'
|
||||
test "$SHOW_AVAIL" && {
|
||||
|
@ -72,7 +81,19 @@ main() {
|
|||
column -t
|
||||
;;
|
||||
'html')
|
||||
awk 'BEGIN{print "<html><body>\n<table>"}{printf "<tr>";for(i=1;i<=NF;i++)printf "<td>%s</td>", $i;print "</tr>"}END{print "</table>\n</body></html>"}'
|
||||
awk '
|
||||
BEGIN {
|
||||
print "<html><body>\n<table>"
|
||||
}
|
||||
{
|
||||
printf "<tr>"
|
||||
for(i = 1; i <= NF; i++)
|
||||
printf "<td>%s</td>", $i
|
||||
print "</tr>"
|
||||
}
|
||||
END {
|
||||
print "</table>\n</body></html>"
|
||||
}'
|
||||
;;
|
||||
'csv')
|
||||
tr ' ' ','
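Review bot: `printf "<td>%s</td>", $i` writes each field verbatim into the HTML, so a value containing `<`, `>` or `&` breaks the markup; the fields come from local virsh output, so this is a robustness issue rather than an exposure, but either an escape such as `gsub(/&/, "\\&amp;", $i); gsub(/</, "\\&lt;", $i)` before the printf or a comment stating that inputs are trusted local names would make the intent explicit. This hunk only reflows the existing one-liner, so behaviour is otherwise unchanged. main() starts outside the hunk.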
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
command: cat /root/.ssh/id_rsa.pub
|
||||
register: ssh_keys
|
||||
check_mode: no
|
||||
changed_when: false
|
||||
changed_when: False
|
||||
|
||||
- name: Print ssh public keys
|
||||
debug:
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
|
||||
- include_role:
|
||||
name: remount-usr
|
||||
when: kvm_scripts_dir is search ("/usr")
|
||||
when: kvm_scripts_dir is search("/usr")
|
||||
|
||||
- name: add-vm script is present
|
||||
copy:
|
||||
|
|
|
@ -9,13 +9,13 @@
|
|||
# - 60 : current release is not in the $r_releases list
|
||||
# - 70 : at least an upgradable package is not in the $r_packages list
|
||||
|
||||
VERSION="21.06.3"
|
||||
VERSION="23.03.3"
|
||||
|
||||
show_version() {
|
||||
cat <<END
|
||||
listupgrade.sh version ${VERSION}
|
||||
|
||||
Copyright 2018-2021 Evolix <info@evolix.fr>,
|
||||
Copyright 2018-2023 Evolix <info@evolix.fr>,
|
||||
Gregory Colpart <reg@evolix.fr>,
|
||||
Romain Dessort <rdessort@evolix.fr>,
|
||||
Ludovic Poujol <lpoujol@evolix.fr>,
|
||||
|
@ -84,6 +84,7 @@ Subject: Prochain creneau pour mise a jour de votre serveur ${hostname}
|
|||
X-Debian-Release: ${local_release}
|
||||
X-Packages: ${packagesParsable}
|
||||
X-Date: ${date}
|
||||
X-Listupgrade-Version: ${VERSION}
|
||||
|
||||
Bonjour,
|
||||
|
||||
|
@ -100,15 +101,15 @@ semaine prochaine.
|
|||
|
||||
Voici la listes de packages qui seront mis à jour :
|
||||
|
||||
$(cat "${packages}" | sort | uniq)
|
||||
$(sort -h "${packages}" | uniq)
|
||||
|
||||
Liste des packages dont la mise-à-jour a été manuellement suspendue :
|
||||
|
||||
$(cat "${packagesHold}" | sort | uniq)
|
||||
$(sort -h "${packagesHold}" | uniq)
|
||||
|
||||
Liste des services qui seront redémarrés :
|
||||
|
||||
$(cat "${servicesToRestart}" | sort | uniq)
|
||||
$(sort -h "${servicesToRestart}" | uniq)
|
||||
|
||||
N'hésitez pas à nous faire toute remarque sur ce créneau d'intervention le plus
|
||||
tôt possible.
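Review bot: `sort -h` is a surprising choice for these lists: `-h` orders by a leading human-readable size, which package and service names do not carry, so the order only comes from the byte-wise fallback and a reader is left wondering what is being compared. `sort -u "${packages}"` states the intent (sorted, deduplicated) and removes the trailing `| uniq`; the same applies to the `${packagesHold}` and `${servicesToRestart}` substitutions. These lines sit inside a heredoc whose enclosing function begins outside the hunk.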
|
||||
|
@ -181,6 +182,28 @@ main() {
|
|||
fi
|
||||
|
||||
local_release=$(cut -f 1 -d . </etc/debian_version)
|
||||
# In case the version is a release name and not a number
|
||||
case "${local_release}" in
|
||||
*jessie*)
|
||||
local_release=8
|
||||
;;
|
||||
*stretch*)
|
||||
local_release=9
|
||||
;;
|
||||
*buster*)
|
||||
local_release=10
|
||||
;;
|
||||
*bullseye*)
|
||||
local_release=11
|
||||
;;
|
||||
*bookworm*)
|
||||
local_release=12
|
||||
;;
|
||||
*trixie*)
|
||||
local_release=13
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
if force_mode; then
|
||||
if ! cron_mode; then
|
||||
|
|
|
@ -47,7 +47,7 @@
|
|||
|
||||
- name: Enable listupgrade cron
|
||||
cron:
|
||||
name: "lisupgrade.sh"
|
||||
name: "listupgrade.sh"
|
||||
cron_file: "listupgrade"
|
||||
user: root
|
||||
job: "/usr/share/scripts/listupgrade.sh --cron {{ listupgrade_cron_force | bool | ternary('--force','') }}"
|
||||
|
|
|
@ -7,4 +7,5 @@
|
|||
daemon_reload: yes
|
||||
|
||||
- name: reload systemd
|
||||
command: systemctl daemon-reload
|
||||
systemd:
|
||||
daemon-reload: yes
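Review bot: The new handler spells the parameter `daemon-reload`, while the handler above it in the same file uses `daemon_reload: yes`. The hyphenated spelling is accepted as an alias of the module parameter as far as I recall, but mixing both forms in one handlers file is confusing and linting may flag the alias; prefer the documented `daemon_reload: yes` so the two handlers read the same.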
|
|
@ -4,7 +4,7 @@
|
|||
msg: Please configure var lxc_php_version
|
||||
when: lxc_php_version is none
|
||||
|
||||
- name: "Update APT cache in container {{lxc_php_version}}"
|
||||
- name: "Update APT cache in container {{ lxc_php_version }}"
|
||||
lxc_container:
|
||||
name: "{{ lxc_php_version }}"
|
||||
container_command: "apt-get update"
|
||||
|
|
|
@ -20,12 +20,12 @@
|
|||
mode: "0644"
|
||||
loop:
|
||||
- "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main"
|
||||
- "deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye-php80/"
|
||||
- "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php80 main"
|
||||
|
||||
- name: copy pub.evolix.net GPG key
|
||||
copy:
|
||||
src: reg.asc
|
||||
dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc
|
||||
src: pub_evolix.asc
|
||||
dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/pub_evolix.asc
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
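Review bot: The task is still named `copy pub.evolix.net GPG key` although its `src`/`dest` now point at `pub_evolix.asc` and the sources line switched to `http://pub.evolix.org/evolix`; the stale name will mislead whoever reads play output or searches for the task. Rename it `- name: copy pub.evolix.org GPG key`. The same stale name remains in the `bullseye-php81` hunk below, which makes the identical change.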
|
||||
|
|
|
@ -20,12 +20,12 @@
|
|||
mode: "0644"
|
||||
loop:
|
||||
- "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main"
|
||||
- "deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye-php81/"
|
||||
- "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php81 main"
|
||||
|
||||
- name: copy pub.evolix.net GPG key
|
||||
copy:
|
||||
src: reg.asc
|
||||
dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc
|
||||
src: pub_evolix.asc
|
||||
dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/pub_evolix.asc
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
path: "{{ lxc_rootfs_path }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d"
|
||||
state: directory
|
||||
register: systemd_path
|
||||
|
||||
|
||||
- name: "[Service] est présent dans la surchage des services PHP-FPM des conteneurs LXC."
|
||||
ansible.builtin.lineinfile:
|
||||
path: "{{ systemd_path.path }}/evolinux.conf"
|
||||
|
|
|
@ -1 +1 @@
|
|||
{{ansible_fqdn}}
|
||||
{{ ansible_fqdn }}
|
||||
|
|
|
@ -39,4 +39,4 @@
|
|||
mode: '0755'
|
||||
|
||||
- name: "Install Solr {{ solr_version }}"
|
||||
command: "lxc-attach -n {{name}} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz -d /home/solr/{{name}} -p {{ solr_port }}"
|
||||
command: "lxc-attach -n {{ name }} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz -d /home/solr/{{ name }} -p {{ solr_port }}"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
- name: "Check if container {{ name }} exists"
|
||||
command: "lxc-ls {{ name }}"
|
||||
changed_when: false
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
register: container_exists
|
||||
|
||||
|
@ -56,3 +56,15 @@
|
|||
lxc_container:
|
||||
name: "{{ name }}"
|
||||
state: started
|
||||
|
||||
- name: "Ensure /etc/profile.d exists in container"
|
||||
ansible.builtin.file:
|
||||
path: "/var/lib/lxc/{{ name }}/rootfs/etc/profile.d"
|
||||
mode: '0755'
|
||||
state: directory
|
||||
|
||||
- name: "Copy host /etc/profile.d/evolinux into container"
|
||||
ansible.builtin.copy:
|
||||
src: "/etc/profile.d/evolinux.sh"
|
||||
remote_src: true
|
||||
dest: "/var/lib/lxc/{{ name }}/rootfs/etc/profile.d/evolinux.sh"
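Review bot: The new copy task sets neither `mode` nor `owner`/`group`, unlike the directory task right above it (`mode: '0755'`); with `remote_src: true` the copy module does not, to my knowledge, carry over the source file's mode for a newly created destination, so the result depends on the remote umask rather than being pinned. Add `mode: "0644"` together with `owner: root` and `group: root` so the profile script is readable by every login shell in the container and the task reports the same state on each run.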
|
||||
|
|
|
@ -32,8 +32,8 @@
|
|||
|
||||
- name: Check if root has subuids
|
||||
command: grep '^root:100000:10000$' /etc/subuid
|
||||
failed_when: false
|
||||
changed_when: false
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
register: root_subuids
|
||||
when: lxc_unprivilegied_containers | bool
|
||||
|
||||
|
@ -45,7 +45,7 @@
|
|||
|
||||
- name: Get filesystem options
|
||||
command: findmnt --noheadings --target /var/lib/lxc --output OPTIONS
|
||||
changed_when: false
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
register: check_fs_options
|
||||
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
- block:
|
||||
- name: Install dependencies
|
||||
apt:
|
||||
name:
|
||||
name:
|
||||
- libcache-memcached-perl
|
||||
- libmemcached11
|
||||
|
||||
|
|
|
@ -29,7 +29,7 @@
|
|||
# Description: Firewall designed for standalone server
|
||||
### END INIT INFO
|
||||
|
||||
VERSION="22.06"
|
||||
VERSION="23.02"
|
||||
|
||||
NAME="minifirewall"
|
||||
# shellcheck disable=SC2034
|
||||
|
@ -147,6 +147,9 @@ fi
|
|||
# }
|
||||
## Beware that commands executed from included files are not modified by this trick.
|
||||
|
||||
remove_colors() {
|
||||
sed -r 's/\x1B\[(;?[0-9]{1,3})+[mGK]//g'
|
||||
}
|
||||
syslog_info() {
|
||||
if [ -x "${LOGGER_BIN}" ]; then
|
||||
${LOGGER_BIN} -t "${NAME}" -p daemon.info "$1"
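Review bot: `remove_colors` arrives without a comment, and its pattern `(;?[0-9]{1,3})+` requires at least one numeric parameter, so a parameter-less reset of the form `ESC[m` would survive the strip while `ESC[0m` is removed; if any colour variable in this script uses the short form, the saved state files will still differ. `sed -r 's/\x1B\[[0-9;]*[mGK]//g'` covers both, and a header line `# Strip ANSI SGR/cursor sequences so saved state files can be diffed` would document why the function exists. syslog_info continues outside the hunk.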
|
||||
|
@ -268,9 +271,9 @@ check_unpersisted_state() {
|
|||
elif [ -z "${diff_bin}" ]; then
|
||||
printf "${YELLOW}skip state comparison (Can't find diff command)${RESET}\n" >&2
|
||||
else
|
||||
# store current state
|
||||
# store current state (without colors)
|
||||
mkdir -p "$(dirname "${STATE_FILE_CURRENT}")"
|
||||
status_without_numbers > "${STATE_FILE_CURRENT}"
|
||||
status_without_numbers | remove_colors > "${STATE_FILE_CURRENT}"
|
||||
|
||||
# clean previous diff file
|
||||
rm -f "${STATE_FILE_DIFF}"
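Review bot: Piping `status_without_numbers` through `remove_colors` at every save site (here, in report_state_changes and in stop) also discards the exit status of `status_without_numbers`, because a plain pipeline reports only the last command's status, and it repeats the same fix three times. A smaller shape is either to have the status function emit no colour codes when its output is not a terminal (`[ -t 1 ]`), or to route the three call sites through one helper such as `save_state_file() { status_without_numbers | remove_colors > "$1"; }` so a later change is made once. check_unpersisted_state continues outside the hunk.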
|
||||
|
@ -310,9 +313,9 @@ report_state_changes() {
|
|||
check_unpersisted_state
|
||||
fi
|
||||
|
||||
# Then reset the known state
|
||||
# Then reset the known state (without colors)
|
||||
mkdir -p "$(dirname "${STATE_FILE_LATEST}")"
|
||||
status_without_numbers > "${STATE_FILE_LATEST}"
|
||||
status_without_numbers | remove_colors > "${STATE_FILE_LATEST}"
|
||||
|
||||
# But if there is a previous known state
|
||||
# let's compare with the new known state
|
||||
|
@ -920,8 +923,9 @@ stop() {
|
|||
|
||||
printf "${BLUE}flushing all rules and accepting everything${RESET}\n"
|
||||
|
||||
# Save previous state (without colors)
|
||||
mkdir -p "$(dirname "${STATE_FILE_PREVIOUS}")"
|
||||
status_without_numbers > "${STATE_FILE_PREVIOUS}"
|
||||
status_without_numbers | remove_colors > "${STATE_FILE_PREVIOUS}"
|
||||
|
||||
# Delete all rules
|
||||
${IPT} -F INPUT
|
||||
|
|
|
@ -6,6 +6,8 @@
|
|||
stat:
|
||||
path: /etc/init.d/minifirewall
|
||||
register: _minifirewall_check
|
||||
tags:
|
||||
- always
|
||||
|
||||
# Legacy versions of minifirewall don't define the VERSION variable
|
||||
- name: Look for minifirewall version
|
||||
|
@ -14,6 +16,8 @@
|
|||
changed_when: False
|
||||
check_mode: False
|
||||
register: _minifirewall_version_check
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Set install mode to legacy if needed
|
||||
set_fact:
|
||||
|
@ -24,21 +28,30 @@
|
|||
- minifirewall_install_mode != 'modern'
|
||||
- not (minifirewall_force_upgrade_script | bool)
|
||||
- _minifirewall_version_check.rc == 1 # grep didn't find but the file exists
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Set install mode to modern if not legacy
|
||||
set_fact:
|
||||
minifirewall_install_mode: modern
|
||||
when: minifirewall_install_mode != 'legacy'
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Debug install mode
|
||||
debug:
|
||||
var: minifirewall_install_mode
|
||||
verbosity: 1
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: 'Set minifirewall_restart_handler_name to "noop"'
|
||||
set_fact:
|
||||
minifirewall_restart_handler_name: "restart minifirewall (noop)"
|
||||
when: not (minifirewall_restart_if_needed | bool)
|
||||
when:
|
||||
- not (minifirewall_restart_if_needed | bool)
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: 'Set minifirewall_restart_handler_name to "legacy"'
|
||||
set_fact:
|
||||
|
@ -46,6 +59,8 @@
|
|||
when:
|
||||
- minifirewall_restart_if_needed | bool
|
||||
- minifirewall_install_mode == 'legacy'
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: 'Set minifirewall_restart_handler_name to "modern"'
|
||||
set_fact:
|
||||
|
@ -53,6 +68,8 @@
|
|||
when:
|
||||
- minifirewall_restart_if_needed | bool
|
||||
- minifirewall_install_mode != 'legacy'
|
||||
tags:
|
||||
- always
|
||||
|
||||
#######################################################################
|
||||
|
||||
|
@ -62,54 +79,74 @@
|
|||
when:
|
||||
- minifirewall_install_mode != 'legacy'
|
||||
- minifirewall_main_file is defined
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Install tasks (modern mode)
|
||||
include: install.yml
|
||||
import_tasks: install.yml
|
||||
when: minifirewall_install_mode != 'legacy'
|
||||
|
||||
- name: Install tasks (legacy mode)
|
||||
include: install.legacy.yml
|
||||
import_tasks: install.legacy.yml
|
||||
when: minifirewall_install_mode == 'legacy'
|
||||
|
||||
- name: Debug minifirewall_update_config
|
||||
debug:
|
||||
var: minifirewall_update_config | bool
|
||||
verbosity: 1
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Config tasks (modern mode)
|
||||
include: config.yml
|
||||
include_tasks: config.yml
|
||||
when:
|
||||
- minifirewall_install_mode != 'legacy'
|
||||
- minifirewall_update_config | bool
|
||||
tags:
|
||||
- manage
|
||||
|
||||
- name: Config tasks (legacy mode)
|
||||
include: config.legacy.yml
|
||||
include_tasks: config.legacy.yml
|
||||
args:
|
||||
apply:
|
||||
tags:
|
||||
- manage
|
||||
when:
|
||||
- minifirewall_install_mode == 'legacy'
|
||||
- minifirewall_update_config | bool
|
||||
|
||||
- name: Utils tasks
|
||||
include: utils.yml
|
||||
include_tasks: utils.yml
|
||||
|
||||
- name: NRPE tasks
|
||||
include: nrpe.yml
|
||||
include_tasks: nrpe.yml
|
||||
|
||||
- name: Activation tasks
|
||||
include: activate.yml
|
||||
include_tasks: activate.yml
|
||||
|
||||
- name: Debug minifirewall_tail_included
|
||||
debug:
|
||||
var: minifirewall_tail_included | bool
|
||||
verbosity: 1
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Tail tasks (modern mode)
|
||||
include: tail.yml
|
||||
include_tasks: tail.yml
|
||||
args:
|
||||
apply:
|
||||
tags:
|
||||
- manage
|
||||
when:
|
||||
- minifirewall_install_mode != 'legacy'
|
||||
- minifirewall_tail_included | bool
|
||||
|
||||
- name: Tail tasks (legacy mode)
|
||||
include: tail.legacy.yml
|
||||
include_tasks: tail.legacy.yml
|
||||
args:
|
||||
apply:
|
||||
tags:
|
||||
- manage
|
||||
when:
|
||||
- minifirewall_install_mode == 'legacy'
|
||||
- minifirewall_tail_included | bool
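Review bot: `Config tasks (modern mode)` switches to `include_tasks: config.yml` but keeps `tags: - manage` on the include statement itself; unlike the old `include`, tags placed on an `include_tasks` statement are not inherited by the tasks inside the included file, so a run with `--tags manage` executes the include and then skips every task in config.yml. The legacy counterpart in this same hunk already uses the correct form; mirror it on the modern include with `args: apply: tags: - manage` (the two Tail tasks are already consistent with each other). The `import_tasks` conversions for the install files are fine since their `when` is applied to every imported task.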
|
||||
|
@ -120,10 +157,14 @@
|
|||
debug:
|
||||
var: minifirewall_restart_force | bool
|
||||
verbosity: 1
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Force restart minifirewall (legacy)
|
||||
command: /bin/true
|
||||
notify: "restart minifirewall (legacy)"
|
||||
tags:
|
||||
- always
|
||||
when:
|
||||
- minifirewall_install_mode == 'legacy'
|
||||
- minifirewall_restart_force | bool
|
||||
|
@ -131,6 +172,8 @@
|
|||
- name: Force restart minifirewall (modern)
|
||||
command: /bin/true
|
||||
notify: "restart minifirewall (modern)"
|
||||
tags:
|
||||
- always
|
||||
when:
|
||||
- minifirewall_install_mode != 'legacy'
|
||||
- minifirewall_restart_force | bool
|
|
@ -3,7 +3,7 @@
|
|||
- fail:
|
||||
msg: Not compatible with Debian 11 (Bullseye)
|
||||
when:
|
||||
- ansible_distribution_release == "bullseye"
|
||||
- ansible_distribution_release == "bullseye"
|
||||
- mongodb_version is version('5.0', '<')
|
||||
|
||||
- name: Look for legacy apt keyring
|
||||
|
@ -20,8 +20,8 @@
|
|||
|
||||
- name: Add MongoDB GPG key
|
||||
copy:
|
||||
src: "server-{{mongodb_version}}.asc"
|
||||
dest: "{{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc"
|
||||
src: "server-{{ mongodb_version }}.asc"
|
||||
dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc"
|
||||
force: yes
|
||||
mode: "0644"
|
||||
owner: root
|
||||
|
@ -29,16 +29,16 @@
|
|||
|
||||
- name: Enable APT sources list
|
||||
apt_repository:
|
||||
repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main"
|
||||
repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main"
|
||||
state: present
|
||||
filename: "mongodb-org-{{mongodb_version}}"
|
||||
filename: "mongodb-org-{{ mongodb_version }}"
|
||||
update_cache: yes
|
||||
|
||||
- name: Disable unsigned APT sources list
|
||||
apt_repository:
|
||||
repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main"
|
||||
repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main"
|
||||
state: absent
|
||||
filename: "mongodb-org-{{mongodb_version}}"
|
||||
filename: "mongodb-org-{{ mongodb_version }}"
|
||||
update_cache: yes
|
||||
|
||||
- name: Install packages
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
|
||||
- name: Add MongoDB GPG key
|
||||
copy:
|
||||
src: "server-{{mongodb_version}}.asc"
|
||||
src: "server-{{ mongodb_version }}.asc"
|
||||
dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc"
|
||||
force: yes
|
||||
mode: "0644"
|
||||
|
@ -25,14 +25,14 @@
|
|||
apt_repository:
|
||||
repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main"
|
||||
state: present
|
||||
filename: "mongodb-org-{{mongodb_version}}"
|
||||
filename: "mongodb-org-{{ mongodb_version }}"
|
||||
update_cache: yes
|
||||
|
||||
- name: Disable unsigned APT sources list
|
||||
apt_repository:
|
||||
repo: "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main"
|
||||
state: absent
|
||||
filename: "mongodb-org-{{mongodb_version}}"
|
||||
filename: "mongodb-org-{{ mongodb_version }}"
|
||||
update_cache: yes
|
||||
|
||||
- name: Install packages
|
||||
|
|
|
@ -14,8 +14,8 @@
|
|||
|
||||
- name: Add MongoDB GPG key
|
||||
copy:
|
||||
src: "server-{{mongodb_version}}.asc"
|
||||
dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc"
|
||||
src: "server-{{ mongodb_version }}.asc"
|
||||
dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{ mongodb_version }}.asc"
|
||||
force: yes
|
||||
mode: "0644"
|
||||
owner: root
|
||||
|
@ -23,16 +23,16 @@
|
|||
|
||||
- name: Enable APT sources list
|
||||
apt_repository:
|
||||
repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{mongodb_version}} main"
|
||||
repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{ mongodb_version }} main"
|
||||
state: present
|
||||
filename: "mongodb-org-{{mongodb_version}}"
|
||||
filename: "mongodb-org-{{ mongodb_version }}"
|
||||
update_cache: yes
|
||||
|
||||
- name: Disable APT sources list
|
||||
apt_repository:
|
||||
repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{mongodb_version}} main"
|
||||
repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{ mongodb_version }} main"
|
||||
state: absent
|
||||
filename: "mongodb-org-{{mongodb_version}}"
|
||||
filename: "mongodb-org-{{ mongodb_version }}"
|
||||
update_cache: yes
|
||||
|
||||
- name: Install packages
|
||||
|
|
|
@ -85,7 +85,7 @@
|
|||
src: /usr/share/munin/plugins/sensors_
|
||||
dest: "/etc/munin/plugins/sensors_{{ item }}"
|
||||
state: link
|
||||
with_items:
|
||||
with_items:
|
||||
- fan
|
||||
- temp
|
||||
when: ansible_virtualization_role == "host"
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
when: _mysql_scripts_dir is search ("/usr")
|
||||
when: _mysql_scripts_dir is search("/usr")
|
||||
|
||||
- name: Scripts directory exists
|
||||
file:
|
||||
|
@ -106,7 +106,7 @@
|
|||
name: evolix/remount-usr
|
||||
tags:
|
||||
- mysql
|
||||
when: _mysql_scripts_dir is search ("/usr")
|
||||
when: _mysql_scripts_dir is search("/usr")
|
||||
|
||||
- name: mysqltuner is installed
|
||||
# copy:
|
||||
|
@ -132,7 +132,7 @@
|
|||
name: evolix/remount-usr
|
||||
tags:
|
||||
- mysql
|
||||
when: _mysql_scripts_dir is search ("/usr")
|
||||
when: _mysql_scripts_dir is search("/usr")
|
||||
|
||||
- name: mysql-optimize.sh is installed
|
||||
copy:
|
||||
|
@ -203,7 +203,7 @@
|
|||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
when: _mysql_scripts_dir is search ("/usr")
|
||||
when: _mysql_scripts_dir is search("/usr")
|
||||
|
||||
- name: Install my-add.sh
|
||||
copy:
|
||||
|
|
|
@ -50,8 +50,10 @@ mysql_restart_if_needed: True
|
|||
|
||||
mysql_performance_schema: True
|
||||
|
||||
mysql_skip_enabled: False
|
||||
|
||||
# replication variables:
|
||||
mysql_replication: false
|
||||
mysql_replication: False
|
||||
mysql_log_bin: null
|
||||
mysql_binlog_format: mixed
|
||||
mysql_server_id: null
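Review bot: `mysql_skip_enabled: False` is introduced without any comment, although the neighbouring group in this defaults file carries a heading (`# replication variables:`), so a reader cannot tell what the flag switches on or that it only controls a service state. Add above it `# Run the mysql_skip service (tasks/mysql_skip.yml): skips replication SQL errors matching /etc/mysql_skip.conf`, which is what the accompanying task file and script do.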
|
||||
|
|
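--- /dev/null
+++ b/mysql/files/mysql_skip.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# File containing error messages to skip (one per line).
+error_messages="/etc/mysql_skip.conf"
+
+# Sleep interval between 2 check.
+sleep_interval="1"
+
+# Exit when Seconds_Behind_Master reached 0.
+exit_when_uptodate="false"
+
+# Options to pass to mysql.
+#mysql_opt="-P 3307"
+
+# File to log skipped queries to (leave empty for no logs).
+log_file="/var/log/mysql_skip.log"
+
+mysql_skip_error() {
+error="$1"
+
+error="$(date --iso-8601=seconds) Skiping: $error"
+printf "Skipping: $error\n"
+mysql $mysql_opt -e 'SET GLOBAL SQL_SLAVE_SKIP_COUNTER=1; START SLAVE;'
+
+[ -n "$log_file" ] && echo "$error" >>"$log_file"
+}
+
+while true; do
+slave_status="$(mysql $mysql_opt -e 'SHOW SLAVE STATUS\G')"
+seconds_behind_master=$(echo "$slave_status" |grep 'Seconds_Behind_Master: ' |awk -F ' ' '{print $2}')
+last_SQL_error="$(echo "$slave_status" |grep 'Last_SQL_Error: ' |sed 's/^.\+Last_SQL_Error: //')"
+
+if [ "$seconds_behind_master" = "0" ]; then
+#printf 'Replication is up to date!\n'
+if [ "$exit_when_uptodate" = "true" ]; then
+exit 0
+fi
+
+elif [ -z "$last_SQL_error" ]; then
+sleep $sleep_interval
+
+elif echo "$last_SQL_error" |grep -q -f $error_messages; then
+mysql_skip_error "$last_SQL_error"
+
+fi
+sleep 1
+done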
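Review bot: `grep -q -f $error_messages` treats every line of /etc/mysql_skip.conf as a pattern, so a single blank line in that file matches every error and the script would then skip all replication errors; comment lines are fed to grep as patterns too (the shipped template is one comment line, `## Put your matched patern here ##`, which also misspells "pattern"). Filter comments and blank lines before matching and do nothing when no pattern is left. In `mysql_skip_error`, `printf "Skipping: $error\n"` uses data as the format string, so a `%` in a MySQL error message is parsed as a conversion, and the console line comes out as `Skipping: <date> Skiping: <error>` because the prefix is added twice with a typo; pass the message through `%s` and build the prefix once. The loop also ends with a fixed `sleep 1` regardless of `sleep_interval`; the rewrite below covers all three.
```sh
mysql_skip_error() {
    error="$(date --iso-8601=seconds) Skipping: $1"

    # data is never used as a printf format string
    printf '%s\n' "$error"
    mysql $mysql_opt -e 'SET GLOBAL SQL_SLAVE_SKIP_COUNTER=1; START SLAVE;'

    [ -n "$log_file" ] && echo "$error" >>"$log_file"
}

while true; do
    # … unchanged: slave_status, seconds_behind_master, last_SQL_error …

    # Drop comments and blank lines first: an empty pattern would match every error.
    skip_patterns="$(grep -v -e '^#' -e '^[[:space:]]*$' "$error_messages")"

    if [ "$seconds_behind_master" = "0" ]; then
        # … unchanged: exit_when_uptodate handling …

    elif [ -z "$last_SQL_error" ]; then
        : # nothing to skip, wait for the next check

    # newline-separated patterns in one -e are treated as a pattern list by GNU grep
    elif [ -n "$skip_patterns" ] && printf '%s\n' "$last_SQL_error" | grep -q -e "$skip_patterns"; then
        mysql_skip_error "$last_SQL_error"

    fi
    sleep "$sleep_interval"
done
```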
|
@ -45,3 +45,5 @@
|
|||
- include_tasks: log2mail.yml
|
||||
|
||||
- include_tasks: utils.yml
|
||||
|
||||
- include_tasks: mysql_skip.yml
|
||||
|
|
54
mysql/tasks/mysql_skip.yml
Normal file
54
mysql/tasks/mysql_skip.yml
Normal file
|
@ -0,0 +1,54 @@
|
|||
---
|
||||
|
||||
- name: "Copy script mysql_skip.sh into /usr/local/bin/"
|
||||
copy:
|
||||
src: mysql_skip.sh
|
||||
dest: "/usr/local/bin/mysql_skip.sh"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0700"
|
||||
force: yes
|
||||
tags:
|
||||
- mysql_skip
|
||||
|
||||
- name: "Copy config file for mysql_skip.sh"
|
||||
template:
|
||||
src: mysql_skip.conf.j2
|
||||
dest: "/etc/mysql_skip.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0600"
|
||||
tags:
|
||||
- mysql_skip
|
||||
|
||||
- name: "Create log file for mysql_skip.sh"
|
||||
file:
|
||||
path: "/var/log/mysql_skip.log"
|
||||
state: touch
|
||||
owner: root
|
||||
group: adm
|
||||
mode: "0640"
|
||||
tags:
|
||||
- mysql_skip
|
||||
|
||||
- name: "Copy logrotate file for mysql_skip.sh"
|
||||
template:
|
||||
src: mysql_skip.logrotate.j2
|
||||
dest: "/etc/logrotate.d/mysql_skip"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0600"
|
||||
tags:
|
||||
- mysql_skip
|
||||
|
||||
- name: "Copy mysql_skip.sh systemd unit"
|
||||
template:
|
||||
src: mysql_skip.systemd.j2
|
||||
dest: /etc/systemd/system/mysql_skip.service
|
||||
force: yes
|
||||
|
||||
- name: "Start or stop systemd unit"
|
||||
systemd:
|
||||
name: mysql_skip
|
||||
daemon_reload: yes
|
||||
state: "{{ mysql_skip_enabled | bool | ternary('started', 'stopped') }}"
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
when: _mysql_scripts_dir is search ("/usr")
|
||||
when: _mysql_scripts_dir is search("/usr")
|
||||
|
||||
- name: Ensure scripts directory exists
|
||||
file:
|
||||
|
@ -96,7 +96,7 @@
|
|||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
when: _mysql_scripts_dir is search ("/usr")
|
||||
when: _mysql_scripts_dir is search("/usr")
|
||||
|
||||
- name: Install mysqltuner
|
||||
# copy:
|
||||
|
@ -132,7 +132,7 @@
|
|||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
when: _mysql_scripts_dir is search ("/usr")
|
||||
when: _mysql_scripts_dir is search("/usr")
|
||||
|
||||
- name: Optimize script for MySQL
|
||||
copy:
|
||||
|
@ -196,7 +196,7 @@
|
|||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
when: _mysql_scripts_dir is search ("/usr")
|
||||
when: _mysql_scripts_dir is search("/usr")
|
||||
|
||||
- name: Install my-add.sh
|
||||
copy:
|
||||
|
|
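--- /dev/null
+++ b/mysql/templates/mysql_skip.conf.j2
@@ -0,0 +1 @@
+## Put your matched patern here ##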
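--- /dev/null
+++ b/mysql/templates/mysql_skip.logrotate.j2
@@ -0,0 +1,10 @@
+/var/log/mysql_skip.log {
+missingok
+notifempty
+monthly
+rotate 12
+compress
+create 640 root adm
+dateext
+dateformat -%Y%m%d%H
+}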
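--- /dev/null
+++ b/mysql/templates/mysql_skip.systemd.j2
@@ -0,0 +1,16 @@
+[Unit]
+Description=Script for skip define mysql replication errors
+
+[Service]
+ExecStart=/usr/local/bin/mysql_skip.sh
+Type=simple
+User=root
+Group=root
+PIDFile=/run/mysql_skip.pid
+ExecStop=/bin/kill -- $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target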
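Review bot: `PIDFile=/run/mysql_skip.pid` names a file nothing writes: the service is `Type=simple` and mysql_skip.sh never creates a pidfile, so the directive is at best ignored and at worst misleading to the next reader; drop it. `ExecStop=/bin/kill -- $MAINPID` restates systemd's default stop behaviour, and `KillMode=process` means the `mysql` and `sleep` children the script forks are left running when the unit stops, whereas the default control-group mode cleans them up; remove both lines as well. `Description=Script for skip define mysql replication errors` is hard to parse; `Description=Skip whitelisted MySQL replication errors (mysql_skip.sh)` says the same thing plainly.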
|
@ -1,4 +1,4 @@
|
|||
# {{ansible_managed}}
|
||||
# {{ ansible_managed }}
|
||||
|
||||
[mysqld]
|
||||
{% if mysql_log_bin %}
|
||||
|
|
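--- /dev/null
+++ b/nagios-nrpe/files/alerts_switch
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# https://forge.evolix.org/projects/evolix-private/repository
+#
+# You should not alter this file.
+# If you need to, create and customize a copy.
+
+set -e
+
+readonly PROGNAME=$(basename $0)
+readonly PROGDIR=$(readlink -m $(dirname $0))
+readonly ARGS="$@"
+
+usage() {
+echo "$PROGNAME action prefix"
+}
+
+disable_alerts () {
+disabled_file="$1_disabled"
+enabled_file="$1_enabled"
+
+if [ -e "${enabled_file}" ]; then
+mv "${enabled_file}" "${disabled_file}"
+else
+touch "${disabled_file}"
+chmod 0644 "${disabled_file}"
+fi
+}
+
+enable_alerts () {
+disabled_file="$1_disabled"
+enabled_file="$1_enabled"
+
+if [ -e "${disabled_file}" ]; then
+mv "${disabled_file}" "${enabled_file}"
+else
+touch "${enabled_file}"
+chmod 0644 "${enabled_file}"
+fi
+}
+
+now () {
+date --iso-8601=seconds
+}
+
+log_disable () {
+echo "$(now) - alerts disabled by $(logname || echo unknown)" >> $1
+}
+
+log_enable () {
+echo "$(now) - alerts enabled by $(logname || echo unknown)" >> $1
+}
+
+main () {
+local action=$1
+local prefix=$2
+
+local base_dir="/var/lib/misc"
+mkdir -p "${base_dir}"
+
+local file_path="${base_dir}/${prefix}_alerts"
+local log_file="/var/log/${prefix}_alerts.log"
+
+case "$action" in
+enable)
+enable_alerts ${file_path}
+log_enable ${log_file}
+;;
+disable)
+disable_alerts ${file_path}
+log_disable ${log_file}
+;;
+help)
+usage
+;;
+*)
+>&2 echo "Unknown action '$action'"
+exit 1
+;;
+esac
+}
+
+main $ARGS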
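Review bot: `prefix` is interpolated unvalidated into `${base_dir}/${prefix}_alerts` and `/var/log/${prefix}_alerts.log`, and the companion `alerts_wrapper` in this commit calls this script through `sudo` with the check name as that argument, so whoever can run the wrapper decides where a root process creates, renames and appends to files; the `enable`/`disable` branches should accept only a plain token before touching the filesystem. Quoting is also loose for a `set -e` script (`basename $0`, `enable_alerts ${file_path}`, `>> $1`, `main $ARGS`), which bites as soon as an argument contains whitespace; quote those expansions. The rewritten head of `main`:
```bash
main () {
    local action=$1
    local prefix=$2

    case "$action" in
        enable|disable)
            # prefix becomes part of paths under /var/lib/misc and /var/log, and this
            # script is meant to be run via sudo: accept only a simple token
            if ! [[ "${prefix}" =~ ^[A-Za-z0-9_.-]+$ ]]; then
                >&2 echo "Invalid or missing prefix '${prefix}'"
                exit 1
            fi
            ;;
    esac

    # … unchanged: base_dir, file_path, log_file and the action dispatch, with "${file_path}" and "${log_file}" quoted …
```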
217
nagios-nrpe/files/alerts_wrapper
Normal file
217
nagios-nrpe/files/alerts_wrapper
Normal file
|
@ -0,0 +1,217 @@
|
|||
#!/bin/bash
|
||||
|
||||
# https://forge.evolix.org/projects/evolix-private/repository
|
||||
#
|
||||
# You should not alter this file.
|
||||
# If you need to, create and customize a copy.
|
||||
|
||||
VERSION="21.04"
|
||||
readonly VERSION
|
||||
|
||||
# base functions
|
||||
|
||||
show_version() {
|
||||
cat <<END
|
||||
alerts_wrapper version ${VERSION}
|
||||
|
||||
Copyright 2018-2021 Evolix <info@evolix.fr>,
|
||||
Jérémy Lecour <jlecour@evolix.fr>
|
||||
and others.
|
||||
|
||||
alerts_wrapper comes with ABSOLUTELY NO WARRANTY.This is free software,
|
||||
and you are welcome to redistribute it under certain conditions.
|
||||
See the GNU General Public License v3.0 for details.
|
||||
END
|
||||
}
|
||||
show_help() {
|
||||
cat <<END
|
||||
alerts_wrapper is supposed to wrap an NRPE command and overrides the return code.
|
||||
|
||||
Usage: alerts_wrapper --limit=1d --name=check_name command with optional arguments
|
||||
or alerts_wrapper --name=check_name command with optional arguments
|
||||
or alerts_wrapper check_name command with optional arguments
|
||||
|
||||
Options
|
||||
--limit max age of the "check file" ;
|
||||
can be "1d" for 1 day, "5m" for 5 minutes…
|
||||
or more complex expressions like "1w2d10m42s"
|
||||
--name check name
|
||||
-h, --help print this message and exit
|
||||
-V, --version print version and exit
|
||||
END
|
||||
}
|
||||
|
||||
time_in_seconds() {
|
||||
if echo "${1}" | grep -E -q '^([0-9]+[wdhms])+$'; then
|
||||
echo "${1}" | sed 's/w/ * 604800 + /g; s/d/ * 86400 + /g; s/h/ * 3600 + /g; s/m/ * 60 + /g; s/s/ + /g; s/+ $//' | xargs expr
|
||||
elif echo "${1}" | grep -E -q '^([0-9]+$)'; then
|
||||
echo "${1} * 3600" | xargs expr
|
||||
else
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
delay_from_alerts_disabled_file() {
|
||||
last_change=$(stat -c %Z "${alerts_disabled_file}")
|
||||
limit_seconds=$(time_in_seconds "${wrapper_limit}" || time_in_seconds "${wrapper_limit_default}")
|
||||
limit_date=$(date --date "${limit_seconds} seconds ago" +"%s")
|
||||
|
||||
echo $(( last_change - limit_date ))
|
||||
}
|
||||
|
||||
enable_check() {
|
||||
if [ "$(id -u)" -eq "0" ] ; then
|
||||
/usr/local/bin/alerts_switch enable "${check_name}"
|
||||
else
|
||||
sudo /usr/local/bin/alerts_switch enable "${check_name}"
|
||||
fi
|
||||
}
|
||||
|
||||
main() {
|
||||
${check_command} > "${check_stdout}"
|
||||
check_rc=$?
|
||||
readonly check_rc
|
||||
|
||||
delay=0
|
||||
|
||||
if [ -e "${alerts_disabled_file}" ]; then
|
||||
delay=$(delay_from_alerts_disabled_file)
|
||||
|
||||
if [ "${delay}" -le "0" ]; then
|
||||
enable_check
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -e "${alerts_disabled_file}" ]; then
|
||||
formatted_last_change=$(date --date "@$(stat -c %Z "${alerts_disabled_file}")" +'%c')
|
||||
readonly formatted_last_change
|
||||
|
||||
echo "ALERTS DISABLED for ${check_name} (since ${formatted_last_change}, delay: ${delay} sec) - $(cat "${check_stdout}")"
|
||||
if [ ${check_rc} = 0 ]; then
|
||||
# Nagios OK
|
||||
exit 0
|
||||
else
|
||||
# Nagios WARNING
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
cat "${check_stdout}"
|
||||
exit ${check_rc}
|
||||
fi
|
||||
}
|
||||
|
||||
# Default: 1 day before re-enabling the check
|
||||
wrapper_limit_default="1d"
|
||||
readonly wrapper_limit_default
|
||||
|
||||
if [[ "${1}" =~ -.* ]]; then
|
||||
# parse options
|
||||
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
|
||||
while :; do
|
||||
case $1 in
|
||||
-h|-\?|--help)
|
||||
show_help
|
||||
exit 0
|
||||
;;
|
||||
-V|--version)
|
||||
show_version
|
||||
exit 0
|
||||
;;
|
||||
|
||||
--limit)
|
||||
# with value separated by space
|
||||
if [ -n "$2" ]; then
|
||||
wrapper_limit=$2
|
||||
shift
|
||||
else
|
||||
printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
--limit=?*)
|
||||
# with value speparated by =
|
||||
wrapper_limit=${1#*=}
|
||||
;;
|
||||
--limit=)
|
||||
# without value
|
||||
printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
|
||||
exit 1
|
||||
;;
|
||||
|
||||
--name)
|
||||
# with value separated by space
|
||||
if [ -n "$2" ]; then
|
||||
check_name=$2
|
||||
shift
|
||||
else
|
||||
printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
--name=?*)
|
||||
# with value speparated by =
|
||||
check_name=${1#*=}
|
||||
;;
|
||||
--name=)
|
||||
# without value
|
||||
printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
|
||||
exit 1
|
||||
;;
|
||||
|
||||
--)
|
||||
# End of all options.
|
||||
shift
|
||||
break
|
||||
;;
|
||||
-?*)
|
||||
# ignore unknown options
|
||||
printf 'WARN: Unknown option : %s\n' "$1" >&2
|
||||
exit 1
|
||||
;;
|
||||
*)
|
||||
# Default case: If no more options then break out of the loop.
|
||||
break
|
||||
;;
|
||||
esac
|
||||
|
||||
shift
|
||||
done
|
||||
# The rest is the command
|
||||
check_command="$*"
|
||||
else
|
||||
# no option is passed (backward compatibility with previous version)
|
||||
# treat the first argument as check_name and the rest as the command
|
||||
check_name="${1}"
|
||||
shift
|
||||
check_command="$*"
|
||||
fi
|
||||
|
||||
# Default values or errors
|
||||
if [ -z "${wrapper_limit}" ]; then
|
||||
wrapper_limit="${wrapper_limit_default}"
|
||||
fi
|
||||
if [ -z "${check_name}" ]; then
|
||||
printf 'ERROR: You must specify a check name, with --name.\n' >&2
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "${check_command}" ]; then
|
||||
printf 'ERROR: You must specify a command to execute.\n' >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
readonly check_name
|
||||
readonly check_command
|
||||
readonly wrapper_limit
|
||||
alerts_disabled_file="/var/lib/misc/${check_name}_alerts_disabled"
|
||||
readonly alerts_disabled_file
|
||||
|
||||
check_file="/var/lib/misc/${check_name}_alerts_disabled"
|
||||
readonly check_file
|
||||
|
||||
check_stdout=$(mktemp --tmpdir=/tmp "${check_name}_stdout.XXXX")
|
||||
readonly check_stdout
|
||||
|
||||
# shellcheck disable=SC2064
|
||||
trap "rm ${check_stdout}" EXIT
|
||||
|
||||
main
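Review bot: `check_command="$*"` flattens the command into one string and `${check_command} > "${check_stdout}"` re-splits it on whitespace and expands globs, so a plugin argument containing a space or `*` reaches the plugin in pieces; since this is bash, keep the command as an array in both branches of the option parsing and execute it as `"${check_command[@]}"`. `check_file` duplicates `alerts_disabled_file` and is never read, so it can be removed. Rewritten lines:
```bash
main() {
    "${check_command[@]}" > "${check_stdout}"
    check_rc=$?
    readonly check_rc
    # … unchanged: delay handling and output …
}

# … unchanged: option parsing loop …
    # The rest is the command
    check_command=("$@")
else
    # no option is passed (backward compatibility with previous version)
    check_name="${1}"
    shift
    check_command=("$@")
fi

# … unchanged: wrapper_limit and check_name defaults …
if [ "${#check_command[@]}" -eq 0 ]; then
    printf 'ERROR: You must specify a command to execute.\n' >&2
    exit 1
fi
```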
|
|
@ -59,9 +59,9 @@ delay_from_check_file() {
|
|||
|
||||
enable_check() {
|
||||
if [ "$(id -u)" -eq "0" ] ; then
|
||||
/usr/share/scripts/alerts_switch enable "${check_name}"
|
||||
/usr/local/bin/alerts_switch enable "${check_name}"
|
||||
else
|
||||
sudo /usr/share/scripts/alerts_switch enable "${check_name}"
|
||||
sudo /usr/local/bin/alerts_switch enable "${check_name}"
|
||||
fi
|
||||
}
|
||||
|
||||
|
|
|
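Review bot: The new `sudo /usr/local/bin/alerts_switch enable "${check_name}"` only works if the sudoers rule that lets the monitoring user run alerts_switch is updated to the new path; a rule written for `/usr/share/scripts/alerts_switch` is not satisfied by the compatibility symlink, since sudo matches the command pathname as invoked, and that rule is not part of this diff. Under NRPE there is no tty, so a missing rule would leave the check hanging on a password prompt rather than failing; `sudo -n /usr/local/bin/alerts_switch enable "${check_name}"` fails fast with a clear error instead. If a matching disable function exists elsewhere in the file, it needs the same path and `-n` treatment.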
@ -56,20 +56,20 @@ for pool_file in $POOL_FILES; do
|
|||
|
||||
if [ "${ret}" -ge 2 ]; then
|
||||
nb_crit=$((nb_crit + 1))
|
||||
output="${output}${result}\n"
|
||||
[ "${return}" -le 2 ] && return=2
|
||||
elif [ "${ret}" -ge 1 ]; then
|
||||
nb_warn=$((nb_warn + 1))
|
||||
output="${output}${result}\n"
|
||||
[ "${return}" -le 1 ] && return=1
|
||||
else
|
||||
nb_ok=$((nb_ok + 1))
|
||||
output="${output}$(echo "$result" | cut -d '|' -f1)\n"
|
||||
[ "${return}" -le 0 ] && return=0
|
||||
fi
|
||||
|
||||
result_status=$(echo ${result} | awk -F' - ' '{ print $1}')
|
||||
result_content=$(echo ${result} | awk -F' - ' '{ print $2}')
|
||||
output="${output}${result_status} - ${pool_file} - ${result_content}\n"
|
||||
|
||||
done;
|
||||
done
|
||||
|
||||
|
||||
[ "${return}" -ge 0 ] && header="OK"
|
||||
|
|
|
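Review bot: `result_status=$(echo ${result} | awk -F' - ' '{ print $1}')` and the `result_content=` line below it expand `${result}` unquoted, so the plugin output is word-split and glob-expanded before awk sees it — a `*` or `?` in the text is replaced by file names from the current directory and runs of spaces collapse; use `echo "${result}"` (or `printf '%s\n' "${result}"`) in both. Note also that `print $2` keeps only the second ` - `-delimited field, so anything after a further ` - ` in the plugin text, including the `|` perfdata the old OK branch stripped on purpose, is dropped silently. The enclosing `for pool_file` loop starts outside the hunk.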
@ -1,94 +1,190 @@
|
|||
#!/bin/bash
|
||||
# shellcheck disable=SC2207,SC2009,SC2076
|
||||
|
||||
# README
|
||||
#
|
||||
# Variable to adjust : is_master and vrrpd_processes.
|
||||
# vrrpd_processes is the number of vrrpd processes that should run on the server.
|
||||
# is_master defines whether the vrrpd group should be master (1) or backup (0).
|
||||
#
|
||||
# If some instances have to be master and some other have to be backup,
|
||||
# then the value of is_master is 2 and the states has to be precised in arguments.
|
||||
# e.g. : ./check_vrrpd master backup master
|
||||
# The order is defined by the output order of `ps auwx | grep vrrp`
|
||||
usage() {
|
||||
cat << EOL
|
||||
Usage :
|
||||
|
||||
RC=0
|
||||
IFS='
|
||||
'
|
||||
$0 --master X,Y --backup Z
|
||||
|
||||
is_master=2 # 1 if master ; 0 if backup ; 2 if mixed master and backup, in this case, it has to be precised in arguments
|
||||
vrrpd_processes=3 # number of vrrpd processes that should be running
|
||||
is_vrrpd_running=$(sudo /usr/lib/nagios//plugins/check_procs -C vrrpd -c $vrrpd_processes:$vrrpd_processes)
|
||||
rc_is_vrrpd_running=$?
|
||||
IP_vrrpd=($(for i in $(ps auwx | grep vrrpd | grep -v grep | grep -v check); do echo $i | awk '{print $--NF}'; done))
|
||||
INT_vrrpd=($(for i in $(ps auwx | grep vrrpd | grep -v grep | grep -v check); do echo $i | awk '{print $13}'; done))
|
||||
ID_vrrpd=($(for i in $(ps auwx | grep vrrpd | grep -v grep | grep -v check); do echo $i | awk '{print $19}'; done))
|
||||
-m|--master ID_MASTER # VRRP ID that should be master, separated by a comma ","
|
||||
-b|--backup ID_BACKUP # VRRP ID that should be backup, separated by a comma ","
|
||||
[--vrrpd] # Check for vrrpd daemon (default)
|
||||
[--uvrrpd] # Check for uvrrpd daemon
|
||||
EOL
|
||||
}
|
||||
|
||||
if [[ $rc_is_vrrpd_running -ne 0 ]]; then
|
||||
echo $is_vrrpd_running instead of $vrrpd_processes
|
||||
unset ID_master
|
||||
unset ID_backup
|
||||
vrrpd_option="unset"
|
||||
uvrrpd_option="unset"
|
||||
unset critical_output
|
||||
critical_state="unset"
|
||||
unset warning_output
|
||||
warning_state="unset"
|
||||
unset ok_output
|
||||
ok_state="unset"
|
||||
exit_code=0
|
||||
used_daemon="vrrpd"
|
||||
IFS="
|
||||
"
|
||||
|
||||
# If no argument then show usage
|
||||
if [ "$#" -eq 0 ]; then
|
||||
usage
|
||||
exit 2
|
||||
fi
|
||||
|
||||
for i in $(seq 0 $((${#ID_vrrpd[*]}-1))); do
|
||||
ifconfig vrrp_${ID_vrrpd[$i]}_${INT_vrrpd[$i]} >/dev/null 2>&1
|
||||
# If has interface
|
||||
if [[ $? -eq 0 ]]; then
|
||||
# If has to be master : OK
|
||||
if [[ $is_master -eq 1 ]]; then
|
||||
echo OK - ${IP_vrrpd[$i]} exists and is master
|
||||
# If has to be backup : KO
|
||||
elif [[ $is_master -eq 0 ]]; then
|
||||
echo CRITICAL - ${IP_vrrpd[$i]} exists whereas it should be backup
|
||||
RC=2
|
||||
# We retrieve the state it should be from args
|
||||
elif [[ $is_master -eq 2 ]]; then
|
||||
arg=$(($i+1))
|
||||
state=${!arg}
|
||||
# If has to be master : OK
|
||||
if [[ $state = master ]]; then
|
||||
echo OK - ${IP_vrrpd[$i]} exists and is master
|
||||
# If has to be backup : KO
|
||||
elif [[ $state = backup ]]; then
|
||||
echo CRITICAL - ${IP_vrrpd[$i]} exists whereas it should be backup
|
||||
RC=2
|
||||
while :; do
|
||||
case $1 in
|
||||
-h|-\?|--help) # Call a "usage" function to display a synopsis, then exit.
|
||||
usage
|
||||
exit
|
||||
;;
|
||||
-m|--master) # Takes an option argument, ensuring it has been specified.
|
||||
if [ -n "$2" ]; then
|
||||
ID_master=($(echo "$2" | tr "," "\n")) # Make an array with values separated by ","
|
||||
shift
|
||||
else
|
||||
echo "CRITICAL - The arguments have to be master or backup. Exiting"
|
||||
printf 'ERROR: "--master" requires a non-empty option argument.\n' >&2
|
||||
exit 2
|
||||
fi
|
||||
# Unknown
|
||||
else
|
||||
RC=3
|
||||
fi
|
||||
# If hasn't interface
|
||||
elif [[ $? -ne 0 ]]; then
|
||||
# If has to be master : KO
|
||||
if [[ $is_master -eq 1 ]]; then
|
||||
echo CRITICAL - ${IP_vrrpd[$i]} does not exist whereas it should be master
|
||||
RC=2
|
||||
# If has to be backup : OK
|
||||
elif [[ $is_master -eq 0 ]]; then
|
||||
echo OK - ${IP_vrrpd[$i]} is backup
|
||||
# We retrieve the state it should be from args
|
||||
elif [[ $is_master -eq 2 ]]; then
|
||||
arg=$(($i+1))
|
||||
state=${!arg}
|
||||
# If has to be master : KO
|
||||
if [[ $state = master ]]; then
|
||||
echo CRITICAL - ${IP_vrrpd[$i]} does not exist whereas it should be master
|
||||
RC=2
|
||||
# If has to be backup : OK
|
||||
elif [[ $state = backup ]]; then
|
||||
echo OK - ${IP_vrrpd[$i]} is backup
|
||||
;;
|
||||
-b|--backup) # Takes an option argument, ensuring it has been specified.
|
||||
if [ -n "$2" ]; then
|
||||
ID_backup=($(echo "$2" | tr "," "\n")) # Make an array with values separated by ","
|
||||
shift
|
||||
else
|
||||
echo "CRITICAL - The arguments have to be master or backup. Exiting"
|
||||
printf 'ERROR: "--backup" requires a non-empty option argument.\n' >&2
|
||||
exit 2
|
||||
fi
|
||||
# Unknown
|
||||
else
|
||||
RC=3
|
||||
fi
|
||||
# Unknown
|
||||
else
|
||||
RC=3
|
||||
fi
|
||||
;;
|
||||
--vrrpd)
|
||||
used_daemon="vrrpd"
|
||||
vrrpd_option="set"
|
||||
;;
|
||||
--uvrrpd)
|
||||
used_daemon="uvrrpd"
|
||||
uvrrpd_option="set"
|
||||
;;
|
||||
-?*)
|
||||
printf 'WARNING: Unknown option (ignored): %s\n' "$1" >&2
|
||||
;;
|
||||
*) # Default case: If no more options then break out of the loop.
|
||||
break
|
||||
esac
|
||||
shift
|
||||
done
|
||||
exit $RC
|
||||
|
||||
# Make sure that each given ID is given once only
|
||||
all_ID=("${ID_master[@]}" "${ID_backup[@]}")
|
||||
uniqueNum=$(printf '%s\n' "${all_ID[@]}"|awk '!($0 in seen){seen[$0];c++} END {print c}')
|
||||
if [ "$uniqueNum" != ${#all_ID[@]} ]; then
|
||||
echo "ERROR : At least one VRRP ID is given multiple times"
|
||||
exit 2
|
||||
fi
|
||||
|
||||
# Make sure --vrrpd and --uvrrpd are not both set
|
||||
if [ $vrrpd_option = "set" ] && [ $uvrrpd_option = "set" ]; then
|
||||
echo "ERROR : You cannot set both parameters --vrrpd and --uvrrpd"
|
||||
exit 2
|
||||
fi
|
||||
|
||||
# Make sure no sysclt parameter "rp_filter" is set to 1
|
||||
if grep -q 1 /proc/sys/net/ipv4/conf/*/rp_filter; then
|
||||
critical_output="${critical_output}CRITICAL - rp_filter is set to 1 at least for one interface\n"
|
||||
critical_state="set"
|
||||
fi
|
||||
|
||||
vrrpd_processes_number=$((${#ID_master[@]}+${#ID_backup[@]})) # Number of vrrpd processes that should be running = length of arrays ID_master + ID_backup
|
||||
regex_ipv4="((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])"
|
||||
regex_ipv6="(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))"
|
||||
vrrpd_processes=$(ps auwx | grep "$used_daemon" | grep -v -e grep -e check)
|
||||
ID_running_vrrpd=($(for i in ${vrrpd_processes}; do echo "$i" | grep -Eo -- "-v [0-9]+" | awk '{print $2}'; done))
|
||||
|
||||
# Check the number of running vrrpd processes in comparison to the number of ID given
|
||||
if ! sudo /usr/lib/nagios/plugins/check_procs -C "$used_daemon" -c $vrrpd_processes_number:$vrrpd_processes_number >/dev/null; then
|
||||
critical_output="${critical_output}CRITICAL : $vrrpd_processes_number VRRP ID are given but $(ps auwx | grep "$used_daemon" | grep -v -e grep -e check -c) $used_daemon processes are running\n"
|
||||
if pgrep uvrrp >/dev/null && [ $uvrrpd_option = "unset" ]; then
|
||||
critical_output="${critical_output}It seems that uvrrpd is running. Use parameter --uvrrpd\n"
|
||||
fi
|
||||
critical_state="set"
|
||||
fi
|
||||
|
||||
IFS=" "
|
||||
|
||||
# For each ID_master, make sure a process exist
|
||||
if [ ${#ID_master[@]} -ne 0 ]; then
|
||||
for i in "${ID_master[@]}"; do
|
||||
# If array contains the current ID, then a process exist, and we have to make sure the corresponding interface exists
|
||||
if [[ " ${ID_running_vrrpd[*]} " =~ " $i " ]]; then
|
||||
vrrpd_current_proccess=$(echo "$vrrpd_processes" | grep -E -- "-v $i ")
|
||||
INT_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo -- "-i \S+" | awk '{print $2}')
|
||||
IP_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo "${regex_ipv4}|${regex_ipv6}")
|
||||
if [ "$used_daemon" = "vrrpd" ]; then
|
||||
int_name="vrrp_${i}_${INT_current_vrrpd}"
|
||||
elif [ "$used_daemon" = "uvrrpd" ]; then
|
||||
int_name="${INT_current_vrrpd}_${i}"
|
||||
fi
|
||||
if /sbin/ifconfig "$int_name" 2> /dev/null | grep -q "$IP_current_vrrpd"; then
|
||||
ok_output="${ok_output}OK - ID $i has a process and $IP_current_vrrpd is master\n"
|
||||
ok_state="set"
|
||||
else
|
||||
warning_output="${warning_output}WARNING - The IP $IP_current_vrrpd for ID $i is backup while it should be master\n"
|
||||
warning_state="set"
|
||||
fi
|
||||
else
|
||||
critical_output="${critical_output}CRITICAL - No process is running for VRRP ID $i\n"
|
||||
critical_state="set"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
# For each ID_backup, make sure a process exist
|
||||
if [ ${#ID_backup[@]} -ne 0 ]; then
|
||||
for i in "${ID_backup[@]}"; do
|
||||
# If array contains the current ID, then a process exist, and we have to make sure the corresponding interface does not exist
|
||||
if [[ " ${ID_running_vrrpd[*]} " =~ " $i " ]]; then
|
||||
vrrpd_current_proccess=$(echo "$vrrpd_processes" | grep -E -- "-v $i ")
|
||||
INT_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo -- "-i \S+" | awk '{print $2}')
|
||||
IP_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo "${regex_ipv4}|${regex_ipv6}")
|
||||
if [ "$used_daemon" = "vrrpd" ]; then
|
||||
int_name="vrrp_${i}_${INT_current_vrrpd}"
|
||||
elif [ "$used_daemon" = "uvrrpd" ]; then
|
||||
int_name="${INT_current_vrrpd}_${i}"
|
||||
fi
|
||||
if ! /sbin/ifconfig "$int_name" 2> /dev/null | grep -q "$IP_current_vrrpd"; then
|
||||
ok_output="${ok_output}OK - ID $i has a process and $IP_current_vrrpd is backup\n"
|
||||
ok_state="set"
|
||||
else
|
||||
warning_output="${warning_output}WARNING - The IP $IP_current_vrrpd for ID $i is master while it should be backup\n"
|
||||
warning_state="set"
|
||||
fi
|
||||
else
|
||||
critical_output="${critical_output}CRITICAL - No process is running for VRRP ID $i\n"
|
||||
critical_state="set"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
# Make $exit_code the highest set
|
||||
if [ "$critical_state" = "set" ]; then
|
||||
exit_code=2
|
||||
elif [ "$warning_state" = "set" ]; then
|
||||
exit_code=1
|
||||
elif [ "$ok_state" = "set" ]; then
|
||||
exit_code=0
|
||||
fi
|
||||
|
||||
# Echo most critical output first, least last
|
||||
if [ -n "$critical_output" ]; then
|
||||
echo -e "$critical_output" | grep -v "^$"
|
||||
fi
|
||||
if [ -n "$warning_output" ]; then
|
||||
echo -e "$warning_output" | grep -v "^$"
|
||||
fi
|
||||
if [ -n "$ok_output" ]; then
|
||||
echo -e "$ok_output" | grep -v "^$"
|
||||
fi
|
||||
|
||||
exit $exit_code
|
||||
|
|
|
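Review bot: In `if /sbin/ifconfig "$int_name" 2> /dev/null | grep -q "$IP_current_vrrpd"` (master loop) and its negated twin in the backup loop, `$IP_current_vrrpd` is used as an unanchored regex: when the address regex finds nothing the pattern is empty and matches any ifconfig output, so an ID whose process line has no parsable address is reported as an OK master, and `10.0.0.1` also matches `10.0.0.10`. Guard the empty case and match literally, e.g. `[ -n "$IP_current_vrrpd" ] && /sbin/ifconfig "$int_name" 2>/dev/null | grep -qwF -- "$IP_current_vrrpd"`, with the negation adjusted in the backup loop. The IDs from `--master`/`--backup` are also interpolated unvalidated into `grep -E -- "-v $i "` and into the interface name; since a VRID is numeric, rejecting non-digit values right after parsing (`case "$i" in *[!0-9]*) echo "ERROR : invalid VRRP ID $i"; exit 2;; esac`) keeps both well-formed.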
@ -58,7 +58,7 @@
|
|||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
when: nagios_plugins_directory is search ("/usr")
|
||||
when: nagios_plugins_directory is search("/usr")
|
||||
tags:
|
||||
- nagios-nrpe
|
||||
- nagios-plugins
|
||||
|
@ -83,3 +83,5 @@
|
|||
notify: restart nagios-nrpe-server
|
||||
tags:
|
||||
- nagios-nrpe
|
||||
|
||||
- include_tasks: wrapper.yml
|
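Review bot: `- include_tasks: wrapper.yml` carries no tags, while the neighbouring tasks are tagged `nagios-nrpe`; a run limited with `--tags nagios-nrpe` skips the include and therefore never deploys alerts_switch or alerts_wrapper. Tag the include so the included tasks inherit it: `- include_tasks: wrapper.yml` / `  tags:` / `    - nagios-nrpe`.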
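--- a/nagios-nrpe/tasks/wrapper.yml
+++ b/nagios-nrpe/tasks/wrapper.yml
@@ -0,0 +1,42 @@
+---
+
+
+- name: "Remount /usr if needed"
+  include_role:
+    name: remount-usr
+
+- name: check if old script is present
+  stat:
+    path: /usr/share/scripts/alerts_switch
+  register: old_alerts_switch
+
+- name: alerts_switch is at the right place
+  command: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch"
+  args:
+    creates: /usr/local/bin/alerts_switch
+  when: old_alerts_switch.stat.exists
+
+- name: "copy alerts_switch"
+  copy:
+    src: alerts_switch
+    dest: /usr/local/bin/alerts_switch
+    owner: root
+    group: root
+    mode: "0750"
+    force: yes
+
+- name: "symlink for backward compatibility"
+  file:
+    src: /usr/local/bin/alerts_switch
+    dest: /usr/share/scripts/alerts_switch
+    state: link
+  when: old_alerts_switch.stat.exists
+
+- name: "copy alerts_wrapper"
+  copy:
+    src: alerts_wrapper
+    dest: "{{ nagios_plugins_directory }}/alerts_wrapper"
+    owner: root
+    group: staff
+    mode: "0755"
+    force: yes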
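Review bot: `include_role: name: remount-usr` in the first task names the role differently from the sibling include in tasks/main.yml (`name: evolix/remount-usr`); unless both spellings resolve on the controller, one of the two includes fails, so use one consistently. The "symlink for backward compatibility" task has no `force`, so on a host where `/usr/local/bin/alerts_switch` already existed (the `mv` is skipped by `creates`) and a regular file still sits at `/usr/share/scripts/alerts_switch`, `state: link` refuses to replace it; add `force: true` there or drop the task when the old path is not a link. The sudoers grant that lets the monitoring user run alerts_switch is not adjusted in this diff; if it names the old path it must be changed to `/usr/local/bin/alerts_switch`, as the symlink does not satisfy sudo's pathname matching. The two `force: yes` values are likely to be flagged by the ansible-lint stage this commit adds (yamllint truthy rule); write `force: true`.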