diff --git a/CHANGELOG.md b/CHANGELOG.md
index adaf8ea0..a443fcf7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Added
 * nagios-nrpe: Print pool config path in check_phpfpm_multi output
+* nagios-nrpe: add tasks/files for a wrapper
 * fail2ban: add "Internal login failure" to Dovecot filter
 ### Changed
diff --git a/nagios-nrpe/files/alerts_switch b/nagios-nrpe/files/alerts_switch
new file mode 100644
index 00000000..3c5a1417
--- /dev/null
+++ b/nagios-nrpe/files/alerts_switch
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# https://forge.evolix.org/projects/evolix-private/repository
+#
+# You should not alter this file.
+# If you need to, create and customize a copy.
+
+set -e
+
+readonly PROGNAME=$(basename $0)
+readonly PROGDIR=$(readlink -m $(dirname $0))
+readonly ARGS="$@"
+
+usage() {
+ echo "$PROGNAME action prefix"
+}
+
+disable_alerts () {
+ disabled_file="$1_disabled"
+ enabled_file="$1_enabled"
+
+ if [ -e "${enabled_file}" ]; then
+ mv "${enabled_file}" "${disabled_file}"
+ else
+ touch "${disabled_file}"
+ chmod 0644 "${disabled_file}"
+ fi
+}
+
+enable_alerts () {
+ disabled_file="$1_disabled"
+ enabled_file="$1_enabled"
+
+ if [ -e "${disabled_file}" ]; then
+ mv "${disabled_file}" "${enabled_file}"
+ else
+ touch "${enabled_file}"
+ chmod 0644 "${enabled_file}"
+ fi
+}
+
+now () {
+ date --iso-8601=seconds
+}
+
+log_disable () {
+ echo "$(now) - alerts disabled by $(logname || echo unknown)" >> $1
+}
+
+log_enable () {
+ echo "$(now) - alerts enabled by $(logname || echo unknown)" >> $1
+}
+
+main () {
+ local action=$1
+ local prefix=$2
+
+ local base_dir="/var/lib/misc"
+ mkdir -p "${base_dir}"
+
+ local file_path="${base_dir}/${prefix}_alerts"
+ local log_file="/var/log/${prefix}_alerts.log"
+
+ case "$action" in
+ enable)
+ enable_alerts ${file_path}
+ log_enable ${log_file}
+ ;;
+ disable)
+ disable_alerts ${file_path}
+ log_disable ${log_file}
+ ;;
+ help)
+ usage
+ ;;
+ *)
+ >&2 echo "Unknown action '$action'"
+ exit 1
+ ;;
+ esac
+}
+
+main $ARGS
diff --git a/nagios-nrpe/files/alerts_wrapper b/nagios-nrpe/files/alerts_wrapper
new file mode 100644
index 00000000..d4524fdd
--- /dev/null
+++ b/nagios-nrpe/files/alerts_wrapper
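Review bot: `main` builds `/var/lib/misc/${prefix}_alerts` and `/var/log/${prefix}_alerts.log` from an unchecked second argument, and this is the script check_async calls through `sudo`, so a prefix containing `/` makes root create, rename or append to files outside those two directories. The unquoted `${file_path}`, `${log_file}`, `>> $1` and `main $ARGS` (with `ARGS="$@"` flattening the arguments into one string) add word splitting and globbing on top of that. Accept only a plain name for `enable` and `disable`, quote every expansion, and pass the arguments as `main "$@"`; the character set below is a suggestion to adapt to the check names actually in use.

```shell
log_disable () {
    echo "$(now) - alerts disabled by $(logname || echo unknown)" >> "$1"
}

log_enable () {
    echo "$(now) - alerts enabled by $(logname || echo unknown)" >> "$1"
}

main () {
    local action=$1
    local prefix=$2

    # enable/disable derive root-written paths from the prefix: accept a plain name only
    if [ "${action}" = "enable" ] || [ "${action}" = "disable" ]; then
        case "${prefix}" in
            ''|*[!A-Za-z0-9_.-]*)
                >&2 echo "Invalid prefix '${prefix}'"
                exit 1
                ;;
        esac
    fi
    # … unchanged: base_dir, file_path and log_file assignments …
    case "$action" in
        enable)
            enable_alerts "${file_path}"
            log_enable "${log_file}"
            ;;
        disable)
            disable_alerts "${file_path}"
            log_disable "${log_file}"
            ;;
        # … unchanged: help and default arms …
    esac
}

main "$@"
```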
@@ -0,0 +1,217 @@ +#!/bin/bash + +# https://forge.evolix.org/projects/evolix-private/repository +# +# You should not alter this file. +# If you need to, create and customize a copy. + +VERSION="21.04" +readonly VERSION + +# base functions + +show_version() { + cat <, + Jérémy Lecour + and others. + +alerts_wrapper comes with ABSOLUTELY NO WARRANTY.This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU General Public License v3.0 for details. +END +} +show_help() { + cat < "${check_stdout}" + check_rc=$? + readonly check_rc + + delay=0 + + if [ -e "${alerts_disabled_file}" ]; then + delay=$(delay_from_alerts_disabled_file) + + if [ "${delay}" -le "0" ]; then + enable_check + fi + fi + + if [ -e "${alerts_disabled_file}" ]; then + formatted_last_change=$(date --date "@$(stat -c %Z "${alerts_disabled_file}")" +'%c') + readonly formatted_last_change + + echo "ALERTS DISABLED for ${check_name} (since ${formatted_last_change}, delay: ${delay} sec) - $(cat "${check_stdout}")" + if [ ${check_rc} = 0 ]; then + # Nagios OK + exit 0 + else + # Nagios WARNING + exit 1 + fi + else + cat "${check_stdout}" + exit ${check_rc} + fi +} + +# Default: 1 day before re-enabling the check +wrapper_limit_default="1d" +readonly wrapper_limit_default + +if [[ "${1}" =~ -.* ]]; then + # parse options + # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a + while :; do + case $1 in + -h|-\?|--help) + show_help + exit 0 + ;; + -V|--version) + show_version + exit 0 + ;; + + --limit) + # with value separated by space + if [ -n "$2" ]; then + wrapper_limit=$2 + shift + else + printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2 + exit 1 + fi + ;; + --limit=?*) + # with value speparated by = + wrapper_limit=${1#*=} + ;; + --limit=) + # without value + printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2 + exit 1 + ;; + + --name) + # with value separated by space + if [ -n "$2" ]; then + check_name=$2 + 
shift + else + printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2 + exit 1 + fi + ;; + --name=?*) + # with value speparated by = + check_name=${1#*=} + ;; + --name=) + # without value + printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2 + exit 1 + ;; + + --) + # End of all options. + shift + break + ;; + -?*) + # ignore unknown options + printf 'WARN: Unknown option : %s\n' "$1" >&2 + exit 1 + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift + done + # The rest is the command + check_command="$*" +else + # no option is passed (backward compatibility with previous version) + # treat the first argument as check_name and the rest as the command + check_name="${1}" + shift + check_command="$*" +fi + +# Default values or errors +if [ -z "${wrapper_limit}" ]; then + wrapper_limit="${wrapper_limit_default}" +fi +if [ -z "${check_name}" ]; then + printf 'ERROR: You must specify a check name, with --name.\n' >&2 + exit 1 +fi +if [ -z "${check_command}" ]; then + printf 'ERROR: You must specify a command to execute.\n' >&2 + exit 1 +fi + +readonly check_name +readonly check_command +readonly wrapper_limit +alerts_disabled_file="/var/lib/misc/${check_name}_alerts_disabled" +readonly alerts_disabled_file + +check_file="/var/lib/misc/${check_name}_alerts_disabled" +readonly check_file + +check_stdout=$(mktemp --tmpdir=/tmp "${check_name}_stdout.XXXX") +readonly check_stdout + +# shellcheck disable=SC2064 +trap "rm ${check_stdout}" EXIT + +main diff --git a/nagios-nrpe/files/check_async b/nagios-nrpe/files/check_async index 5ff8ad24..2a54f920 100644 --- a/nagios-nrpe/files/check_async +++ b/nagios-nrpe/files/check_async 
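Review bot: The option test `[[ "${1}" =~ -.* ]]` is unanchored, so it matches any first argument that merely contains a hyphen; a legacy-style call whose check name is, say, `check-foo` (a constructed example) enters the option parser, leaves through `*)` with nothing parsed and exits with "You must specify a check name" instead of taking the backward-compatibility branch. Anchor it: `if [[ "${1}" =~ ^- ]]; then`. Further down, `check_name` goes unvalidated into `/var/lib/misc/${check_name}_alerts_disabled` and the `mktemp` template, the result of `mktemp` is never checked, and the trap expands the path unquoted when it is defined; `trap 'rm -f -- "${check_stdout}"' EXIT` avoids that and makes the SC2064 suppression unnecessary. `check_file` holds the same value as `alerts_disabled_file` and looks unused in the lines visible here. Part of this file (the heredocs and the functions before `main`) is not readable on this page, so these points cover only the visible lines.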
@@ -59,9 +59,9 @@ delay_from_check_file() { enable_check() { if [ "$(id -u)" -eq "0" ] ; then - /usr/share/scripts/alerts_switch enable "${check_name}" + /usr/local/bin/alerts_switch enable "${check_name}" else - sudo /usr/share/scripts/alerts_switch enable "${check_name}" + sudo /usr/local/bin/alerts_switch enable "${check_name}" fi } diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index 7ccc6718..5a77c4ee 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml @@ -83,3 +83,5 @@ notify: restart nagios-nrpe-server tags: - nagios-nrpe + +- include_tasks: wrapper.yml \ No newline at end of file diff --git a/nagios-nrpe/tasks/wrapper.yml b/nagios-nrpe/tasks/wrapper.yml new file mode 100644 index 00000000..99cd50f3 --- /dev/null +++ b/nagios-nrpe/tasks/wrapper.yml @@ -0,0 +1,35 @@ +--- + + +- name: "Remount /usr if needed" + include_role: + name: remount-usr + +- name: alerts_switch is at the right place + command: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch" + args: + creates: /usr/local/bin/alerts_switch + +- name: "copy alerts_switch" + copy: + src: alerts_switch + dest: /usr/local/bin/alerts_switch + owner: root + group: root + mode: "0750" + force: yes + +- name: "symlink for backward compatibility" + file: + src: /usr/local/bin/alerts_switch + dest: /usr/share/scripts/alerts_switch + state: link + +- name: "copy alerts_wrapper" + copy: + src: alerts_wrapper + dest: "{{ nagios_plugins_directory }}/alerts_wrapper" + owner: root + group: staff + mode: "0755" + force: yes \ No newline at end of file
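Review bot: The non-root branch of `enable_check` now runs `sudo /usr/local/bin/alerts_switch`, but nothing visible in this commit updates the sudoers rule that permitted the old `/usr/share/scripts/alerts_switch` path. If that rule names the old path, the NRPE user can no longer re-enable alerts once the delay has expired, and the check stays silenced. Confirm the sudoers entry is deployed with the new path (it may be managed in another role), and consider `sudo -n /usr/local/bin/alerts_switch enable "${check_name}"` so a missing rule fails immediately instead of waiting on a password prompt.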
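Review bot: The new `include_tasks: wrapper.yml` carries no tags, while the task just above it in this hunk is tagged `nagios-nrpe`, so a run limited with `--tags nagios-nrpe` skips the wrapper installation entirely. Add `tags: [nagios-nrpe]` to the include and to the tasks inside wrapper.yml (a dynamic include does not pass its tags down to the included tasks), or switch to `import_tasks` with the tag. The file also now ends without a trailing newline.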
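Review bot: The `mv` task is guarded only by `creates: /usr/local/bin/alerts_switch`, so on a host where neither path exists yet it fails on the missing `/usr/share/scripts/alerts_switch` and stops the play before the copy task runs. Guard the move on the source as well: register a `stat` of the old path first and add `when: old_alerts_switch.stat.exists` (variable name is illustrative). The symlink task has the mirror problem: when the old path is still a regular file while the new one already exists, or when `/usr/share/scripts` is absent, `state: link` fails, so it likely needs `force: yes` and a preceding task that ensures the directory exists. Since `alerts_switch` is installed root-only (`0750`) and reached through `sudo`, the matching sudoers rule is worth deploying in this same file.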