Merge branch 'unstable' into stable

Jérémy Lecour 2018-10-12 10:16:50 +02:00 committed by Jérémy Lecour
commit 48c2496deb
17 changed files with 310 additions and 438 deletions


@ -18,6 +18,21 @@ The **patch** part changes incrementally at each release.
### Security
## [9.4.2] - 2018-10-12
### Added
* evomaintenance: install dependencies manually when installing vendored version
* nagios-nrpe: add an option to ignore servers in NOLB status
### Changed
* haproxy: move check_haproxy_stats to nagios-nrpe role
### Fixed
* evoacme: better error when apache2ctl fails
* evomaintenance: fix role compatibility with OpenBSD
* spamassassin: add missing right for amavis
* amavis: fix output result checking
## [9.4.1] - 2018-09-28
### Added


@ -55,7 +55,10 @@ sed_cert_path_for_apache() {
sed -i "s~${search}~${replace}~" "${vhost_full_path}"
debug "Config in ${vhost_full_path} has been updated"
$(command -v apache2ctl) -t
$(command -v apache2ctl) -t 2>&1 | grep -v "Syntax OK"
if [ "${PIPESTATUS[0]}" != "0" ]; then
error "Apache config test has exited with a non-zero exit code"
fi
fi
}
sed_cert_path_for_nginx() {
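Review bot: `${PIPESTATUS[0]}` in the new apache2ctl check is a bash-only array, so the test only works if this script runs under bash; the shebang is outside the hunk and should be confirmed. Filtering with `grep -v "Syntax OK"` also gives the pipeline itself exit status 1 on the success path (no lines left), which would abort the script if it runs under `set -e`. Capturing the result directly avoids both: `if ! out=$("$(command -v apache2ctl)" -t 2>&1); then error "Apache config test failed: ${out}"; fi`. Whether `error` stops execution cannot be seen here; if it does not, the vhost stays rewritten with a configuration Apache rejects. The body of sed_cert_path_for_apache starts outside the hunk.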


@ -5,6 +5,7 @@ User_Alias ADMINS = {{ user.name }}
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
nagios ALL = NOPASSWD: /usr/sbin/bkctld check
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
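Review bot: The `check_haproxy_stats` rule (apparently the line this hunk adds) has no argument list, so sudo lets the nagios account run the plugin as root with any options, and the plugin version in this commit accepts `--socket`, `--url`, `--user`, `--password` and `--dump` and can shell out to curl. Pin the rule to the arguments NRPE actually uses, for example `nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats -s /var/run/haproxy.sock -w 80 -c 90 --ignore-maint --ignore-nolb`, in the same way the `bkctld check` line fixes its argument. The same rule is added in the second sudoers template of this commit and needs the same change. If root is only needed to reach the haproxy socket, giving the nagios user access to that socket would remove the need for sudo; that depends on haproxy configuration not shown here.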


@ -4,6 +4,7 @@ Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
nagios ALL = NOPASSWD: /usr/sbin/bkctld check
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt


@ -1,15 +0,0 @@
---
- name: Install Evolix public repositry
include_role:
name: apt
tasks_from: evolix_public.yml
tags:
- evomaintenance
- name: evomaintenance is installed
apt:
name: evomaintenance
allow_unauthenticated: yes
tags:
- evomaintenance


@ -0,0 +1,26 @@
---
- name: Evolix public repositry is installed
include_role:
name: apt
tasks_from: evolix_public.yml
tags:
- evomaintenance
- name: Package is installed
apt:
name: evomaintenance
allow_unauthenticated: yes
tags:
- evomaintenance
- name: Configuration is installed
template:
src: evomaintenance.j2
dest: /etc/evomaintenance.cf
owner: root
group: root
mode: "0600"
force: "{{ evomaintenance_force_config | bool }}"
tags:
- evomaintenance
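Review bot: The `Package is installed` task keeps `allow_unauthenticated: yes`, which tells apt to install evomaintenance even when the package signature cannot be verified, on every Debian host that uses the role. The preceding task sets up the Evolix public repository, so the repository key is presumably available; if so, drop the option (`allow_unauthenticated: no` is the module default) and let apt fail on an unsigned or altered package. If `evolix_public.yml` does not install the key, that include is the place to fix it rather than bypassing verification here.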


@ -0,0 +1,61 @@
---
- name: Dependencies are installed
apt:
name: "{{ item }}"
state: present
with_items:
- postgresql-client
- sudo
tags:
- evomaintenance
- include_role:
name: remount-usr
tags:
- evomaintenance
- name: /usr/share/scripts exists
file:
dest: /usr/share/scripts
mode: "0700"
owner: root
group: root
state: directory
tags:
- evomaintenance
- name: Script is installed
copy:
src: evomaintenance.sh
dest: /usr/share/scripts/evomaintenance.sh
mode: "0700"
owner: root
group: root
force: yes
backup: yes
tags:
- evomaintenance
- name: Template is installed
copy:
src: evomaintenance.tpl
dest: /usr/share/scripts/evomaintenance.tpl
mode: "0600"
owner: root
group: root
force: yes
backup: yes
tags:
- evomaintenance
- name: Configuration is installed
template:
src: evomaintenance.j2
dest: /etc/evomaintenance.cf
owner: root
group: root
mode: "0600"
force: "{{ evomaintenance_force_config | bool }}"
tags:
- evomaintenance
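Review bot: The `Configuration is installed` task at the end of this file is one of three copies added by this commit; the Debian package file and the OpenBSD vendor file carry the same task, differing only in `group`. /etc/evomaintenance.cf is written with mode 0600 and the copies have to stay in step, so a later change to owner, mode or `force` in one file can silently leave the others behind. Keeping a single task in main.yml with `group: "{{ 'wheel' if ansible_distribution == 'OpenBSD' else 'root' }}"` would remove the duplication. The unnamed `include_role` task for remount-usr would also read better with a `name:` line such as `name: /usr is remounted read-write if needed`.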


@ -1,16 +1,11 @@
---
- include_role:
name: remount-usr
tags:
- evomaintenance
- name: /usr/share/scripts exists
file:
dest: /usr/share/scripts
mode: "0700"
owner: root
group: root
group: wheel
state: directory
tags:
- evomaintenance
@ -21,7 +16,7 @@
dest: /usr/share/scripts/evomaintenance.sh
mode: "0700"
owner: root
group: root
group: wheel
force: yes
backup: yes
tags:
@ -33,8 +28,19 @@
dest: /usr/share/scripts/evomaintenance.tpl
mode: "0600"
owner: root
group: root
group: wheel
force: yes
backup: yes
tags:
- evomaintenance
- name: Configuration is installed
template:
src: evomaintenance.j2
dest: /etc/evomaintenance.cf
owner: root
group: wheel
mode: "0600"
force: "{{ evomaintenance_force_config | bool }}"
tags:
- evomaintenance


@ -3,54 +3,18 @@
- set_fact:
minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
- include: install_package.yml
when: not evomaintenance_install_vendor
- include: install_package_debian.yml
when:
- not evomaintenance_install_vendor
- ansible_distribution == "Debian"
- include: install_vendor.yml
when: evomaintenance_install_vendor
- include: install_vendor_debian.yml
when:
- evomaintenance_install_vendor
- ansible_distribution == "Debian"
- name: configuration is applied
template:
src: evomaintenance.j2
dest: /etc/evomaintenance.cf
owner: root
group: root
mode: "0600"
force: "{{ evomaintenance_force_config | bool }}"
tags:
- evomaintenance
- include: install_vendor_openbsd.yml
when:
- ansible_distribution == "OpenBSD"
- name: Is minifirewall installed?
stat:
path: /etc/default/minifirewall
register: minifirewall_default_file
tags:
- evomaintenance
- name: minifirewall section for evomaintenance
lineinfile:
dest: /etc/default/minifirewall
line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
insertafter: "^# EvoMaintenance"
with_items: "{{ evomaintenance_hosts }}"
notify: "{{ minifirewall_restart_handler_name }}"
when: minifirewall_default_file.stat.exists
tags:
- evomaintenance
- name: remove minifirewall example rule for the proxy
lineinfile:
dest: /etc/default/minifirewall
regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)'
state: absent
notify: "{{ minifirewall_restart_handler_name }}"
when: minifirewall_default_file.stat.exists
tags:
- evomaintenance
- name: Force restart minifirewall
command: /bin/true
notify: restart minifirewall
when: minifirewall_restart_force
tags:
- evomaintenance
- include: minifirewall.yml
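Review bot: The new include list only covers Debian and OpenBSD, so on any other distribution none of the install files runs and the play still continues to `minifirewall.yml` without evomaintenance installed or /etc/evomaintenance.cf written. The OpenBSD include is also not conditioned on `evomaintenance_install_vendor`, unlike the two Debian includes; if that is intentional, a comment such as `# OpenBSD has no package: always install the vendored script` would make it explicit. Consider a guard task that fails when `ansible_distribution` is neither value. Old and new lines are interleaved on this page, so this reading assumes the `install_*_debian`, `install_vendor_openbsd` and `minifirewall.yml` includes are the new side.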


@ -0,0 +1,36 @@
---
- name: Is minifirewall installed?
stat:
path: /etc/default/minifirewall
register: minifirewall_default_file
tags:
- evomaintenance
- name: minifirewall section for evomaintenance
lineinfile:
dest: /etc/default/minifirewall
line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
insertafter: "^# EvoMaintenance"
with_items: "{{ evomaintenance_hosts }}"
notify: "{{ minifirewall_restart_handler_name }}"
when: minifirewall_default_file.stat.exists
tags:
- evomaintenance
- name: remove minifirewall example rule for the proxy
lineinfile:
dest: /etc/default/minifirewall
regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)'
state: absent
notify: "{{ minifirewall_restart_handler_name }}"
when: minifirewall_default_file.stat.exists
tags:
- evomaintenance
- name: Force restart minifirewall
command: /bin/true
notify: restart minifirewall
when: minifirewall_restart_force
tags:
- evomaintenance
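Review bot: `Force restart minifirewall` is the only task in this file not guarded by `minifirewall_default_file.stat.exists`, so with `minifirewall_restart_force` set it notifies `restart minifirewall` even on a host where /etc/default/minifirewall is absent. Since main.yml now includes this file unconditionally, make the condition a list holding both `minifirewall_restart_force` and `minifirewall_default_file.stat.exists`. Separately, `{{ item }}` from `evomaintenance_hosts` is written verbatim into an iptables command line in /etc/default/minifirewall; validating each value as an address before the `lineinfile` task (for example with the `ipaddr` filter) would keep malformed entries out of the firewall configuration.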


@ -1,282 +0,0 @@
#!/usr/bin/env perl
# vim: se et ts=4:
#
# Copyright (C) 2012, Giacomo Montagner <giacomo@entirelyunlike.net>
# 2015, Yann Fertat, Romain Dessort, Jeff Palmer,
# Christophe Drevet-Droguet <dr4ke@dr4ke.net>
#
# This program is free software; you can redistribute it and/or modify it
# under the same terms as Perl 5.10.1.
# For more details, see http://dev.perl.org/licenses/artistic.html
#
# This program is distributed in the hope that it will be
# useful, but without any warranty; without even the implied
# warranty of merchantability or fitness for a particular purpose.
#
our $VERSION = "1.1.1";
open(STDERR, ">&STDOUT");
# CHANGELOG:
# 1.0.0 - first release
# 1.0.1 - fixed empty message if all proxies are OK
# 1.0.2 - add perfdata
# 1.0.3 - redirect stderr to stdout
# 1.0.4 - fix undef vars
# 1.0.5 - fix thresholds
# 1.1.0 - support for HTTP interface
# 1.1.1 - drop perl 5.10 requirement
use strict;
use warnings;
use File::Basename qw/basename/;
use IO::Socket::UNIX;
use Getopt::Long;
my $lwp = eval {
require LWP::Simple;
LWP::Simple->import;
1;
};
sub usage {
my $me = basename $0;
print <<EOU;
NAME
$me - check haproxy stats for errors, using UNIX socket interface
SYNOPSIS
$me [OPTIONS]
DESCRIPTION
Get haproxy statistics via UNIX socket and parse information searching for errors.
OPTIONS
-c, --critical
Set critical threshold for sessions number (chacks current number of sessions
against session limit, if enforced) to the specified percentage.
If no session limit (slim) was specified for the given proxy, this option has
no effect.
-d, --dump
Just dump haproxy stats and exit;
-h, --help
Print this message.
-m, --ignore-maint
Assume servers in MAINT state to be ok.
-p, --proxy
Check only named proxies, not every one. Use comma to separate proxies
in list.
-P, --no-proxy
Do not check named proxies. Use comma to separate proxies in list.
-s, --sock, --socket
Use named UNIX socket instead of default (/var/run/haproxy.sock)
-U, --url
Use HTTP URL instead of socket. The LWP::Simple perl module is used if
available. Otherwise, it falls back to using the external command `curl`.
-u, --user, --username
Username for the HTTP URL
-x, --pass, --password
Password for the HTTP URL
-w, --warning
Set warning threshold for sessions number to the specified percentage (see -c)
CHECKS AND OUTPUT
$me checks every proxy (or the named ones, if -p was given)
for status. It returns an error if any of the checked FRONTENDs is not OPEN,
any of the checked BACKENDs is not UP, or any of the checkes servers is not UP;
$me reports any problem it found.
EXAMPLES
$me -s /var/spool/haproxy/sock
Use /var/spool/haproxy/sock to communicate with haproxy.
$me -p proxy1,proxy2 -w 60 -c 80
Check only proxies named "proxy1" and "proxy2", and set sessions number
thresholds to 60% and 80%.
AUTHOR
Written by Giacomo Montagner
REPORTING BUGS
Please report any bug to bugs\@entirelyunlike.net
COPYRIGHT
Copyright (C) 2012 Giacomo Montagner <giacomo\@entirelyunlike.net>.
$me is distributed under GPL and the Artistic License 2.0
SEE ALSO
Check out online haproxy documentation at <http://haproxy.1wt.eu/>
EOU
}
my %check_statuses = (
UNK => "unknown",
INI => "initializing",
SOCKERR => "socket error",
L4OK => "layer 4 check OK",
L4CON => "connection error",
L4TMOUT => "layer 1-4 timeout",
L6OK => "layer 6 check OK",
L6TOUT => "layer 6 (SSL) timeout",
L6RSP => "layer 6 protocol error",
L7OK => "layer 7 check OK",
L7OKC => "layer 7 conditionally OK",
L7TOUT => "layer 7 (HTTP/SMTP) timeout",
L7RSP => "layer 7 protocol error",
L7STS => "layer 7 status error",
);
my @status_names = (qw/OK WARNING CRITICAL UNKNOWN/);
# Defaults
my $swarn = 80.0;
my $scrit = 90.0;
my $sock = "/var/run/haproxy.sock";
my $url;
my $user = '';
my $pass = '';
my $dump;
my $ignore_maint;
my $proxy;
my $no_proxy;
my $help;
# Read command line
Getopt::Long::Configure ("bundling");
GetOptions (
"c|critical=i" => \$scrit,
"d|dump" => \$dump,
"h|help" => \$help,
"m|ignore-maint" => \$ignore_maint,
"p|proxy=s" => \$proxy,
"P|no-proxy=s" => \$no_proxy,
"s|sock|socket=s" => \$sock,
"U|url=s" => \$url,
"u|user|username=s" => \$user,
"x|pass|password=s" => \$pass,
"w|warning=i" => \$swarn,
);
# Want help?
if ($help) {
usage;
exit 3;
}
my $haproxy;
if ($url and $lwp) {
my $geturl = $url;
if ($user ne '') {
$url =~ /^([^:]*:\/\/)(.*)/;
$geturl = $1.$user.':'.$pass.'@'.$2;
}
$geturl .= ';csv';
$haproxy = get($geturl);
} elsif ($url) {
my $haproxyio;
my $getcmd = "curl --insecure -s --fail "
. "--user '$user:$pass' '".$url.";csv'";
open $haproxyio, "-|", $getcmd;
while (<$haproxyio>) {
$haproxy .= $_;
}
close($haproxyio);
} else {
# Connect to haproxy socket and get stats
my $haproxyio = new IO::Socket::UNIX (
Peer => $sock,
Type => SOCK_STREAM,
);
die "Unable to connect to haproxy socket: $sock\n$@" unless $haproxyio;
print $haproxyio "show stat\n" or die "Print to socket failed: $!";
$haproxy = '';
while (<$haproxyio>) {
$haproxy .= $_;
}
close($haproxyio);
}
# Dump stats and exit if requested
if ($dump) {
print($haproxy);
exit 0;
}
# Get labels from first output line and map them to their position in the line
my @hastats = ( split /\n/, $haproxy );
my $labels = $hastats[0];
die "Unable to retrieve haproxy stats" unless $labels;
chomp($labels);
$labels =~ s/^# // or die "Data format not supported.";
my @labels = split /,/, $labels;
{
no strict "refs";
my $idx = 0;
map { $$_ = $idx++ } @labels;
}
# Variables I will use from here on:
our $pxname;
our $svname;
our $status;
our $slim;
our $scur;
my @proxies = split ',', $proxy if $proxy;
my @no_proxies = split ',', $no_proxy if $no_proxy;
my $exitcode = 0;
my $msg;
my $checked = 0;
my $perfdata = "";
# Remove excluded proxies from the list if both -p and -P options are
# specified.
my %hash;
@hash{@no_proxies} = undef;
@proxies = grep{ not exists $hash{$_} } @proxies;
foreach (@hastats) {
chomp;
next if /^#/;
next if /^[[:space:]]*$/;
my @data = split /,/, $_;
if (@proxies) { next unless grep {$data[$pxname] eq $_} @proxies; };
if (@no_proxies) { next if grep {$data[$pxname] eq $_} @no_proxies; };
# Is session limit enforced?
if ($data[$slim]) {
$perfdata .= sprintf "%s-%s=%u;%u;%u;0;%u;", $data[$pxname], $data[$svname], $data[$scur], $swarn * $data[$slim] / 100, $scrit * $data[$slim] / 100, $data[$slim];
# Check current session # against limit
my $sratio = $data[$scur]/$data[$slim];
if ($sratio >= $scrit / 100 || $sratio >= $swarn / 100) {
$exitcode = $sratio >= $scrit / 100 ? 2 :
$exitcode < 2 ? 1 : $exitcode;
$msg .= sprintf "%s:%s sessions: %.2f%%; ", $data[$pxname], $data[$svname], $sratio * 100;
}
}
# Check of BACKENDS
if ($data[$svname] eq 'BACKEND') {
if ($data[$status] ne 'UP') {
$msg .= sprintf "BACKEND: %s is %s; ", $data[$pxname], $data[$status];
$exitcode = 2;
}
# Check of FRONTENDS
} elsif ($data[$svname] eq 'FRONTEND') {
if ($data[$status] ne 'OPEN') {
$msg .= sprintf "FRONTEND: %s is %s; ", $data[$pxname], $data[$status];
$exitcode = 2;
}
# Check of servers
} else {
if ($data[$status] ne 'UP') {
next if ($ignore_maint && $data[$status] eq 'MAINT');
next if $data[$status] eq 'no check'; # Ignore server if no check is configured to be run
next if $data[$svname] eq 'sock-1';
$exitcode = 2;
our $check_status;
$msg .= sprintf "server: %s:%s is %s", $data[$pxname], $data[$svname], $data[$status];
$msg .= sprintf " (check status: %s)", $check_statuses{$data[$check_status]} if $check_statuses{$data[$check_status]};
$msg .= "; ";
}
}
++$checked;
}
unless ($msg) {
$msg = @proxies ? sprintf("checked proxies: %s", join ', ', sort @proxies) : "checked $checked proxies.";
}
print "Check haproxy $status_names[$exitcode] - $msg|$perfdata\n";
exit $exitcode;


@ -33,5 +33,4 @@
- haproxy
- config
- include: nagios.yml
- include: munin.yml


@ -1,22 +0,0 @@
---
- include_role:
name: remount-usr
- name: "Install check_haproxy_stats script"
copy:
src: check_haproxy_stats.pl
dest: /usr/local/lib/nagios/plugins/check_haproxy_stats.pl
mode: "0755"
tags:
- haproxy
- nrpe
- name: "Add check_haproxy to sudoers"
lineinfile:
dest: /etc/sudoers.d/evolinux
line: 'nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats.pl'
insertafter: '^nagios'
tags:
- haproxy
- nrpe
- sudo


@ -65,7 +65,7 @@ $smtp->close();
print "$result\n";
if ($result =~/2.5.0 Ok, id=[^,]+, BOUNCE/) {
if ($result =~/2.7.0 Ok, discarded, id=[^,]+ - INFECTED: Eicar-Test-Signature/) {
print "OK - All fine\n";
exit 0;
} else {
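Review bot: The new pattern leaves the dots in `2.7.0` unescaped, so they match any character; write the status as `2\.7\.0` so the check accepts only the literal enhanced status code. The match now also hard-codes the `discarded` wording, which presumably depends on how amavis is configured to treat infected mail. A comment above the `if`, such as `# amavis must discard the EICAR test mail for this check to pass`, would document that coupling. The enclosing if/else continues outside the hunk.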


@ -1,94 +1,105 @@
#!/usr/bin/env perl
#!/usr/bin/env perl
# vim: se et ts=4:
#
# Copyright (C) 2012, Giacomo Montagner <giacomo@entirelyunlike.net>
#
# This program is free software; you can redistribute it and/or modify it
# under the same terms as Perl 5.10.1.
# 2015, Yann Fertat, Romain Dessort, Jeff Palmer,
# Christophe Drevet-Droguet <dr4ke@dr4ke.net>
#
# This program is free software; you can redistribute it and/or modify it
# under the same terms as Perl 5.10.1.
# For more details, see http://dev.perl.org/licenses/artistic.html
#
#
# This program is distributed in the hope that it will be
# useful, but without any warranty; without even the implied
# warranty of merchantability or fitness for a particular purpose.
#
our $VERSION = "1.0.1";
our $VERSION = "1.2.0";
open(STDERR, ">&STDOUT");
# CHANGELOG:
# 1.0.0 - first release
# 1.0.1 - fixed empty message if all proxies are OK
#
# 1.0.2 - add perfdata
# 1.0.3 - redirect stderr to stdout
# 1.0.4 - fix undef vars
# 1.0.5 - fix thresholds
# 1.1.0 - support for HTTP interface
# 1.1.1 - drop perl 5.10 requirement
# 1.2.0 - add an option for ignore NOLB
use strict;
use warnings;
use 5.010.001;
use File::Basename qw/basename/;
use IO::Socket::UNIX;
use Getopt::Long;
my $lwp = eval {
require LWP::Simple;
LWP::Simple->import;
1;
};
sub usage {
my $me = basename $0;
print <<EOU;
NAME
$me - check haproxy stats for errors, using UNIX socket interface
SYNOPSIS
$me [OPTIONS]
DESCRIPTION
Get haproxy statistics via UNIX socket and parse information searching for errors.
OPTIONS
-c, --critical
Set critical threshold for sessions number (chacks current number of sessions
against session limit, if enforced) to the specified percentage.
If no session limit (slim) was specified for the given proxy, this option has
no effect.
-d, --dump
Just dump haproxy stats and exit;
-h, --help
Print this message.
-m, --ignore-maint
Assume servers in MAINT state to be ok.
-n, --ignore-nolb
Assume servers in NOLB state to be ok.
-p, --proxy
Check only named proxies, not every one. Use comma to separate proxies
in list.
-P, --no-proxy
Do not check named proxies. Use comma to separate proxies in list.
-s, --sock, --socket
Use named UNIX socket instead of default (/var/run/haproxy.sock)
-U, --url
Use HTTP URL instead of socket. The LWP::Simple perl module is used if
available. Otherwise, it falls back to using the external command `curl`.
-u, --user, --username
Username for the HTTP URL
-x, --pass, --password
Password for the HTTP URL
-w, --warning
Set warning threshold for sessions number to the specified percentage (see -c)
CHECKS AND OUTPUT
$me checks every proxy (or the named ones, if -p was given)
for status. It returns an error if any of the checked FRONTENDs is not OPEN,
$me checks every proxy (or the named ones, if -p was given)
for status. It returns an error if any of the checked FRONTENDs is not OPEN,
any of the checked BACKENDs is not UP, or any of the checkes servers is not UP;
$me reports any problem it found.
$me reports any problem it found.
EXAMPLES
$me -s /var/spool/haproxy/sock
Use /var/spool/haproxy/sock to communicate with haproxy.
$me -p proxy1,proxy2 -w 60 -c 80
Check only proxies named "proxy1" and "proxy2", and set sessions number
Check only proxies named "proxy1" and "proxy2", and set sessions number
thresholds to 60% and 80%.
AUTHOR
Written by Giacomo Montagner
REPORTING BUGS
Please report any bug to bugs\@entirelyunlike.net
COPYRIGHT
Copyright (C) 2012 Giacomo Montagner <giacomo\@entirelyunlike.net>.
Copyright (C) 2012 Giacomo Montagner <giacomo\@entirelyunlike.net>.
$me is distributed under GPL and the Artistic License 2.0
SEE ALSO
Check out online haproxy documentation at <http://haproxy.1wt.eu/>
EOU
}
@ -115,19 +126,31 @@ my @status_names = (qw/OK WARNING CRITICAL UNKNOWN/);
my $swarn = 80.0;
my $scrit = 90.0;
my $sock = "/var/run/haproxy.sock";
my $url;
my $user = '';
my $pass = '';
my $dump;
my $ignore_maint;
my $ignore_nolb;
my $proxy;
my $no_proxy;
my $help;
# Read command line
Getopt::Long::Configure ("bundling");
GetOptions (
"c|critical=i" => \$scrit,
"d|dump" => \$dump,
"h|help" => \$help,
"p|proxy=s" => \$proxy,
"s|sock|socket=s" => \$sock,
"w|warning=i" => \$swarn,
"c|critical=i" => \$scrit,
"d|dump" => \$dump,
"h|help" => \$help,
"m|ignore-maint" => \$ignore_maint,
"n|ignore-nolb" => \$ignore_nolb,
"p|proxy=s" => \$proxy,
"P|no-proxy=s" => \$no_proxy,
"s|sock|socket=s" => \$sock,
"U|url=s" => \$url,
"u|user|username=s" => \$user,
"x|pass|password=s" => \$pass,
"w|warning=i" => \$swarn,
);
# Want help?
@ -136,28 +159,53 @@ if ($help) {
exit 3;
}
# Connect to haproxy socket and get stats
my $haproxy = new IO::Socket::UNIX (
Peer => $sock,
Type => SOCK_STREAM,
);
die "Unable to connect to haproxy socket: $@" unless $haproxy;
print $haproxy "show stat\n" or die "Print to socket failed: $!";
my $haproxy;
if ($url and $lwp) {
my $geturl = $url;
if ($user ne '') {
$url =~ /^([^:]*:\/\/)(.*)/;
$geturl = $1.$user.':'.$pass.'@'.$2;
}
$geturl .= ';csv';
$haproxy = get($geturl);
} elsif ($url) {
my $haproxyio;
my $getcmd = "curl --insecure -s --fail "
. "--user '$user:$pass' '".$url.";csv'";
open $haproxyio, "-|", $getcmd;
while (<$haproxyio>) {
$haproxy .= $_;
}
close($haproxyio);
} else {
# Connect to haproxy socket and get stats
my $haproxyio = new IO::Socket::UNIX (
Peer => $sock,
Type => SOCK_STREAM,
);
die "Unable to connect to haproxy socket: $sock\n$@" unless $haproxyio;
print $haproxyio "show stat\n" or die "Print to socket failed: $!";
$haproxy = '';
while (<$haproxyio>) {
$haproxy .= $_;
}
close($haproxyio);
}
# Dump stats and exit if requested
if ($dump) {
while (<$haproxy>) {
print;
}
print($haproxy);
exit 0;
}
# Get labels from first output line and map them to their position in the line
my $labels = <$haproxy>;
my @hastats = ( split /\n/, $haproxy );
my $labels = $hastats[0];
die "Unable to retrieve haproxy stats" unless $labels;
chomp($labels);
$labels =~ s/^# // or die "Data format not supported.";
$labels =~ s/^# // or die "Data format not supported.";
my @labels = split /,/, $labels;
{
{
no strict "refs";
my $idx = 0;
map { $$_ = $idx++ } @labels;
@ -167,33 +215,46 @@ my @labels = split /,/, $labels;
our $pxname;
our $svname;
our $status;
our $slim;
our $scur;
my @proxies = split ',', $proxy if $proxy;
my @no_proxies = split ',', $no_proxy if $no_proxy;
my $exitcode = 0;
my $msg;
my $checked = 0;
while (<$haproxy>) {
my $perfdata = "";
# Remove excluded proxies from the list if both -p and -P options are
# specified.
my %hash;
@hash{@no_proxies} = undef;
@proxies = grep{ not exists $hash{$_} } @proxies;
foreach (@hastats) {
chomp;
next if /^#/;
next if /^[[:space:]]*$/;
my @data = split /,/, $_;
if (@proxies) { next unless grep {$data[$pxname] eq $_} @proxies; };
if (@no_proxies) { next if grep {$data[$pxname] eq $_} @no_proxies; };
# Is session limit enforced?
our $slim;
# Is session limit enforced?
if ($data[$slim]) {
$perfdata .= sprintf "%s-%s=%u;%u;%u;0;%u;", $data[$pxname], $data[$svname], $data[$scur], $swarn * $data[$slim] / 100, $scrit * $data[$slim] / 100, $data[$slim];
# Check current session # against limit
our $scur;
my $sratio = $data[$scur]/$data[$slim];
if ($sratio >= $scrit || $sratio >= $swarn) {
$exitcode = $sratio >= $scrit ? 2 :
if ($sratio >= $scrit / 100 || $sratio >= $swarn / 100) {
$exitcode = $sratio >= $scrit / 100 ? 2 :
$exitcode < 2 ? 1 : $exitcode;
$msg .= sprintf "%s:%s sessions: %.2f%%; ", $data[$pxname], $data[$svname], $sratio;
$msg .= sprintf "%s:%s sessions: %.2f%%; ", $data[$pxname], $data[$svname], $sratio * 100;
}
}
# Check of BACKENDS
if ($data[$svname] eq 'BACKEND') {
if ($data[$status] !~ '(UP|MAINT)') {
if ($data[$status] ne 'UP') {
$msg .= sprintf "BACKEND: %s is %s; ", $data[$pxname], $data[$status];
$exitcode = 2;
}
@ -205,8 +266,11 @@ while (<$haproxy>) {
}
# Check of servers
} else {
if ($data[$status] !~ '(UP|MAINT)') {
if ($data[$status] ne 'UP') {
next if ($ignore_maint && $data[$status] eq 'MAINT');
next if ($ignore_nolb && $data[$status] eq 'NOLB');
next if $data[$status] eq 'no check'; # Ignore server if no check is configured to be run
next if $data[$svname] eq 'sock-1';
$exitcode = 2;
our $check_status;
$msg .= sprintf "server: %s:%s is %s", $data[$pxname], $data[$svname], $data[$status];
@ -220,6 +284,5 @@ while (<$haproxy>) {
unless ($msg) {
$msg = @proxies ? sprintf("checked proxies: %s", join ', ', sort @proxies) : "checked $checked proxies.";
}
say "Check haproxy $status_names[$exitcode] - $msg";
print "Check haproxy $status_names[$exitcode] - $msg|$perfdata\n";
exit $exitcode;
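Review bot: In the `elsif ($url)` fallback, `$user`, `$pass` and `$url` are interpolated into one string that `open ... "-|"` hands to the shell, so a quote character in any of them changes the command line; this matters more now that NRPE runs the plugin through sudo. Use the list form so no shell is involved and check the result: `open $haproxyio, "-|", "curl", "-s", "--fail", "--user", "$user:$pass", "$url;csv" or die "Unable to run curl: $!";`. `--insecure` also disables TLS certificate verification for a request that carries the stats credentials; drop it or make it an explicit opt-in option. The password is passed on the plugin's command line (`-x`) and again in curl's argument list, both visible in the process table, so reading it from a file with restricted permissions would be safer. In the LWP branch the `$url =~ /^([^:]*:\/\/)(.*)/` match is not checked, so `$1` and `$2` are undefined when the URL has no scheme.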


@ -66,7 +66,7 @@ command[check_mongodb_connect]={{ nagios_plugins_directory }}/check_mongodb -H l
command[check_glusterfs]={{ nagios_plugins_directory }}/check_glusterfs -v all -n 0
command[check_supervisord_status]={{ nagios_plugins_directory }}/check_supervisord
command[check_varnish]={{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4
command[check_haproxy]={{ nagios_plugins_directory }}/check_haproxy_stats -s /var/run/haproxy.sock -w 80 -c 90
command[check_haproxy]=sudo {{ nagios_plugins_directory }}/check_haproxy_stats -s /var/run/haproxy.sock -w 80 -c 90 --ignore-maint --ignore-nolb
command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall
command[check_redis_instances]={{ nagios_plugins_directory }}/check_redis_instances
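Review bot: The `check_haproxy` command now calls sudo with `{{ nagios_plugins_directory }}/check_haproxy_stats`, while the sudoers rules added in this commit hard-code /usr/local/lib/nagios/plugins/check_haproxy_stats. If the variable is set to another directory, sudo will not match the rule and the check fails; the sudoers templates should be generated from the same variable, or a comment here should state the dependency. Making `--ignore-maint --ignore-nolb` the default also means a server left in MAINT or NOLB is never reported, which deserves a line in the role documentation.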


@ -27,6 +27,22 @@
tags:
- spamassassin
- name: add amavis user to debian-spamd group
user:
name: amavis
groups: debian-spamd
append: yes
tags:
- spamassassin
- name: fix right on /var/lib/spamassassin
file:
dest: /var/lib/spamassassin
state: directory
mode: "0750"
tags:
- spamassassin
- include_role:
name: remount-usr
tags: