nagios-nrpe: add tasks/files for a wrapper

Jérémy Lecour 2023-01-30 12:05:43 +01:00 committed by Jérémy Lecour
parent e0c143d9cf
commit 8244bd4615
6 changed files with 340 additions and 2 deletions


@ -13,6 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Added
* nagios-nrpe: Print pool config path in check_phpfpm_multi output
* nagios-nrpe: add tasks/files for a wrapper
* fail2ban: add "Internal login failure" to Dovecot filter
### Changed


@ -0,0 +1,83 @@
#!/bin/bash
# https://forge.evolix.org/projects/evolix-private/repository
#
# You should not alter this file.
# If you need to, create and customize a copy.
set -e
readonly PROGNAME=$(basename $0)
readonly PROGDIR=$(readlink -m $(dirname $0))
readonly ARGS="$@"
usage() {
echo "$PROGNAME action prefix"
}
disable_alerts () {
disabled_file="$1_disabled"
enabled_file="$1_enabled"
if [ -e "${enabled_file}" ]; then
mv "${enabled_file}" "${disabled_file}"
else
touch "${disabled_file}"
chmod 0644 "${disabled_file}"
fi
}
enable_alerts () {
disabled_file="$1_disabled"
enabled_file="$1_enabled"
if [ -e "${disabled_file}" ]; then
mv "${disabled_file}" "${enabled_file}"
else
touch "${enabled_file}"
chmod 0644 "${enabled_file}"
fi
}
now () {
date --iso-8601=seconds
}
log_disable () {
echo "$(now) - alerts disabled by $(logname || echo unknown)" >> $1
}
log_enable () {
echo "$(now) - alerts enabled by $(logname || echo unknown)" >> $1
}
main () {
local action=$1
local prefix=$2
local base_dir="/var/lib/misc"
mkdir -p "${base_dir}"
local file_path="${base_dir}/${prefix}_alerts"
local log_file="/var/log/${prefix}_alerts.log"
case "$action" in
enable)
enable_alerts ${file_path}
log_enable ${log_file}
;;
disable)
disable_alerts ${file_path}
log_disable ${log_file}
;;
help)
usage
;;
*)
>&2 echo "Unknown action '$action'"
exit 1
;;
esac
}
main $ARGS
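Review bot: `prefix` is taken straight from the second argument and interpolated into `/var/lib/misc/${prefix}_alerts` and `/var/log/${prefix}_alerts.log` in `main` without validation, while the wrapper added in this same commit runs this script through `sudo`. A value containing `/` therefore makes the `mv`, `touch`, `chmod` and log append operate outside those two directories with root privileges, and an empty value silently creates `/var/lib/misc/_alerts_enabled`. I would reject an empty prefix, or one outside a small allowlist, before the enable and disable arms touch the filesystem; the character set below is a guess and should match the check names actually in use. The same change quotes `$1` in the two log functions and the arguments in the case arms, and replaces `main $ARGS` with `main "$@"` so arguments are not re-split or glob-expanded.

```shell
# Refuse a prefix that is empty or could leave /var/lib/misc or /var/log
# once it is interpolated into a file name.
validate_prefix () {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*)
            >&2 echo "Invalid prefix '$1'"
            exit 1
            ;;
    esac
}
# … unchanged: usage, disable_alerts, enable_alerts, now …
log_disable () {
    echo "$(now) - alerts disabled by $(logname || echo unknown)" >> "$1"
}
# … log_enable: same quoting of "$1" …
# … main: unchanged up to the case statement …
    enable)
        validate_prefix "${prefix}"
        enable_alerts "${file_path}"
        log_enable "${log_file}"
        ;;
# … disable arm: same three-line pattern; help and default arms unchanged …
main "$@"
```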


@ -0,0 +1,217 @@
#!/bin/bash
# https://forge.evolix.org/projects/evolix-private/repository
#
# You should not alter this file.
# If you need to, create and customize a copy.
VERSION="21.04"
readonly VERSION
# base functions
show_version() {
cat <<END
alerts_wrapper version ${VERSION}
Copyright 2018-2021 Evolix <info@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>
and others.
alerts_wrapper comes with ABSOLUTELY NO WARRANTY.This is free software,
and you are welcome to redistribute it under certain conditions.
See the GNU General Public License v3.0 for details.
END
}
show_help() {
cat <<END
alerts_wrapper is supposed to wrap an NRPE command and overrides the return code.
Usage: alerts_wrapper --limit=1d --name=check_name command with optional arguments
or alerts_wrapper --name=check_name command with optional arguments
or alerts_wrapper check_name command with optional arguments
Options
--limit max age of the "check file" ;
can be "1d" for 1 day, "5m" for 5 minutes…
or more complex expressions like "1w2d10m42s"
--name check name
-h, --help print this message and exit
-V, --version print version and exit
END
}
time_in_seconds() {
if echo "${1}" | grep -E -q '^([0-9]+[wdhms])+$'; then
echo "${1}" | sed 's/w/ * 604800 + /g; s/d/ * 86400 + /g; s/h/ * 3600 + /g; s/m/ * 60 + /g; s/s/ + /g; s/+ $//' | xargs expr
elif echo "${1}" | grep -E -q '^([0-9]+$)'; then
echo "${1} * 3600" | xargs expr
else
return 1
fi
}
delay_from_alerts_disabled_file() {
last_change=$(stat -c %Z "${alerts_disabled_file}")
limit_seconds=$(time_in_seconds "${wrapper_limit}" || time_in_seconds "${wrapper_limit_default}")
limit_date=$(date --date "${limit_seconds} seconds ago" +"%s")
echo $(( last_change - limit_date ))
}
enable_check() {
if [ "$(id -u)" -eq "0" ] ; then
/usr/local/bin/alerts_switch enable "${check_name}"
else
sudo /usr/local/bin/alerts_switch enable "${check_name}"
fi
}
main() {
${check_command} > "${check_stdout}"
check_rc=$?
readonly check_rc
delay=0
if [ -e "${alerts_disabled_file}" ]; then
delay=$(delay_from_alerts_disabled_file)
if [ "${delay}" -le "0" ]; then
enable_check
fi
fi
if [ -e "${alerts_disabled_file}" ]; then
formatted_last_change=$(date --date "@$(stat -c %Z "${alerts_disabled_file}")" +'%c')
readonly formatted_last_change
echo "ALERTS DISABLED for ${check_name} (since ${formatted_last_change}, delay: ${delay} sec) - $(cat "${check_stdout}")"
if [ ${check_rc} = 0 ]; then
# Nagios OK
exit 0
else
# Nagios WARNING
exit 1
fi
else
cat "${check_stdout}"
exit ${check_rc}
fi
}
# Default: 1 day before re-enabling the check
wrapper_limit_default="1d"
readonly wrapper_limit_default
if [[ "${1}" =~ -.* ]]; then
# parse options
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
while :; do
case $1 in
-h|-\?|--help)
show_help
exit 0
;;
-V|--version)
show_version
exit 0
;;
--limit)
# with value separated by space
if [ -n "$2" ]; then
wrapper_limit=$2
shift
else
printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
exit 1
fi
;;
--limit=?*)
# with value speparated by =
wrapper_limit=${1#*=}
;;
--limit=)
# without value
printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
exit 1
;;
--name)
# with value separated by space
if [ -n "$2" ]; then
check_name=$2
shift
else
printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
exit 1
fi
;;
--name=?*)
# with value speparated by =
check_name=${1#*=}
;;
--name=)
# without value
printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
exit 1
;;
--)
# End of all options.
shift
break
;;
-?*)
# ignore unknown options
printf 'WARN: Unknown option : %s\n' "$1" >&2
exit 1
;;
*)
# Default case: If no more options then break out of the loop.
break
;;
esac
shift
done
# The rest is the command
check_command="$*"
else
# no option is passed (backward compatibility with previous version)
# treat the first argument as check_name and the rest as the command
check_name="${1}"
shift
check_command="$*"
fi
# Default values or errors
if [ -z "${wrapper_limit}" ]; then
wrapper_limit="${wrapper_limit_default}"
fi
if [ -z "${check_name}" ]; then
printf 'ERROR: You must specify a check name, with --name.\n' >&2
exit 1
fi
if [ -z "${check_command}" ]; then
printf 'ERROR: You must specify a command to execute.\n' >&2
exit 1
fi
readonly check_name
readonly check_command
readonly wrapper_limit
alerts_disabled_file="/var/lib/misc/${check_name}_alerts_disabled"
readonly alerts_disabled_file
check_file="/var/lib/misc/${check_name}_alerts_disabled"
readonly check_file
check_stdout=$(mktemp --tmpdir=/tmp "${check_name}_stdout.XXXX")
readonly check_stdout
# shellcheck disable=SC2064
trap "rm ${check_stdout}" EXIT
main
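Review bot: The test `[[ "${1}" =~ -.* ]]` that selects the option-parsing branch is unanchored, so it is true for any first argument that merely contains a hyphen. A backward-compatible call such as `alerts_wrapper check-foo command` (constructed example) then falls through the `*)` arm with no name set and ends in "You must specify a check name"; anchoring it as `if [[ "${1}" =~ ^- ]]; then` keeps the legacy form working. Separately, the result of `mktemp` is not checked: if it fails, `check_stdout` is empty, the redirection in `main` fails and the script reports a status for a check that never ran, so `check_stdout=$(mktemp --tmpdir=/tmp "${check_name}_stdout.XXXX") || exit 3` would be safer. `check_file` is assigned the same path as `alerts_disabled_file` and is not used anywhere in this file.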


@ -59,9 +59,9 @@ delay_from_check_file() {
enable_check() {
if [ "$(id -u)" -eq "0" ] ; then
/usr/share/scripts/alerts_switch enable "${check_name}"
/usr/local/bin/alerts_switch enable "${check_name}"
else
sudo /usr/share/scripts/alerts_switch enable "${check_name}"
sudo /usr/local/bin/alerts_switch enable "${check_name}"
fi
}


@ -83,3 +83,5 @@
notify: restart nagios-nrpe-server
tags:
- nagios-nrpe
- include_tasks: wrapper.yml


@ -0,0 +1,35 @@
---
- name: "Remount /usr if needed"
include_role:
name: remount-usr
- name: alerts_switch is at the right place
command: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch"
args:
creates: /usr/local/bin/alerts_switch
- name: "copy alerts_switch"
copy:
src: alerts_switch
dest: /usr/local/bin/alerts_switch
owner: root
group: root
mode: "0750"
force: yes
- name: "symlink for backward compatibility"
file:
src: /usr/local/bin/alerts_switch
dest: /usr/share/scripts/alerts_switch
state: link
- name: "copy alerts_wrapper"
copy:
src: alerts_wrapper
dest: "{{ nagios_plugins_directory }}/alerts_wrapper"
owner: root
group: staff
mode: "0755"
force: yes
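Review bot: The `mv` task "alerts_switch is at the right place" is guarded only by `creates: /usr/local/bin/alerts_switch`, so on a host where neither path exists yet the command runs and fails because `/usr/share/scripts/alerts_switch` is missing, before the copy task can install the file. Adding `removes: /usr/share/scripts/alerts_switch` under `args:` makes the move run only when there is something to move. The symlink task has the opposite gap: if both files already exist the move is skipped and a regular file is left at `/usr/share/scripts/alerts_switch`, which `state: link` will presumably refuse to replace without `force: yes`. Since the wrapper calls `alerts_switch` through `sudo` for non-root users, it is also worth confirming that the sudoers rule (not part of this commit) names the new `/usr/local/bin` path.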