nagios-nrpe: add tasks/files for a wrapper

CHANGELOG.md

@@ -13,6 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Added
 
 * nagios-nrpe: Print pool config path in check_phpfpm_multi output
+* nagios-nrpe: add tasks/files for a wrapper
 * fail2ban: add "Internal login failure" to Dovecot filter
 
 ### Changed

nagios-nrpe/files/alerts_switch

@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# https://forge.evolix.org/projects/evolix-private/repository
+#
+# You should not alter this file.
+# If you need to, create and customize a copy.
+
+set -e
+
+readonly PROGNAME=$(basename $0)
+readonly PROGDIR=$(readlink -m $(dirname $0))
+readonly ARGS="$@"
+
+usage() {
+    echo "$PROGNAME action prefix"
+}
+
+disable_alerts () {
+    disabled_file="$1_disabled"
+    enabled_file="$1_enabled"
+
+    if [ -e "${enabled_file}" ]; then
+        mv "${enabled_file}" "${disabled_file}"
+    else
+        touch "${disabled_file}"
+        chmod 0644 "${disabled_file}"
+    fi
+}
+
+enable_alerts () {
+    disabled_file="$1_disabled"
+    enabled_file="$1_enabled"
+
+    if [ -e "${disabled_file}" ]; then
+        mv "${disabled_file}" "${enabled_file}"
+    else
+        touch "${enabled_file}"
+        chmod 0644 "${enabled_file}"
+    fi
+}
+
+now () {
+  date --iso-8601=seconds
+}
+
+log_disable () {
+    echo "$(now) - alerts disabled by $(logname || echo unknown)" >> $1
+}
+
+log_enable () {
+    echo "$(now) - alerts enabled by $(logname || echo unknown)" >> $1
+}
+
+main () {
+    local action=$1
+    local prefix=$2
+
+    local base_dir="/var/lib/misc"
+    mkdir -p "${base_dir}"
+
+    local file_path="${base_dir}/${prefix}_alerts"
+    local log_file="/var/log/${prefix}_alerts.log"
+
+    case "$action" in
+    enable)
+        enable_alerts ${file_path}
+        log_enable ${log_file}
+        ;;
+    disable)
+        disable_alerts ${file_path}
+        log_disable ${log_file}
+        ;;
+    help)
+        usage
+        ;;
+    *)
+        >&2 echo "Unknown action '$action'"
+        exit 1
+        ;;
+    esac
+}
+
+main $ARGS

nagios-nrpe/files/alerts_wrapper

@@ -0,0 +1,217 @@
+#!/bin/bash
+
+# https://forge.evolix.org/projects/evolix-private/repository
+#
+# You should not alter this file.
+# If you need to, create and customize a copy.
+
+VERSION="21.04"
+readonly VERSION
+
+# base functions
+
+show_version() {
+    cat <<END
+alerts_wrapper version ${VERSION}
+
+Copyright 2018-2021 Evolix <info@evolix.fr>,
+                    Jérémy Lecour <jlecour@evolix.fr>
+                    and others.
+
+alerts_wrapper comes with ABSOLUTELY NO WARRANTY.This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU General Public License v3.0 for details.
+END
+}
+show_help() {
+    cat <<END
+alerts_wrapper is supposed to wrap an NRPE command and overrides the return code.
+
+Usage: alerts_wrapper --limit=1d --name=check_name command with optional arguments
+  or   alerts_wrapper --name=check_name command with optional arguments
+  or   alerts_wrapper check_name command with optional arguments
+
+Options
+ --limit            max age of the "check file" ;
+                    can be "1d" for 1 day, "5m" for 5 minutes…
+                    or more complex expressions like "1w2d10m42s"
+ --name             check name
+ -h, --help         print this message and exit
+ -V, --version      print version and exit
+END
+}
+
+time_in_seconds() {
+    if echo "${1}" | grep -E -q '^([0-9]+[wdhms])+$'; then
+        echo "${1}" | sed 's/w/ * 604800 + /g; s/d/ * 86400 + /g; s/h/ * 3600 + /g; s/m/ * 60 + /g; s/s/ + /g; s/+ $//' | xargs expr
+    elif echo "${1}" | grep -E -q '^([0-9]+$)'; then
+        echo "${1} * 3600" | xargs expr
+    else
+        return 1
+    fi
+}
+
+delay_from_alerts_disabled_file() {
+    last_change=$(stat -c %Z "${alerts_disabled_file}")
+    limit_seconds=$(time_in_seconds "${wrapper_limit}" || time_in_seconds "${wrapper_limit_default}") 
+    limit_date=$(date --date "${limit_seconds} seconds ago" +"%s")
+
+    echo $(( last_change - limit_date ))
+}
+
+enable_check() {
+    if [ "$(id -u)" -eq "0" ] ; then
+        /usr/local/bin/alerts_switch enable "${check_name}"
+    else
+        sudo /usr/local/bin/alerts_switch enable "${check_name}"
+    fi
+}
+
+main() {
+    ${check_command} > "${check_stdout}"
+    check_rc=$?
+    readonly check_rc
+
+    delay=0
+
+    if [ -e "${alerts_disabled_file}" ]; then
+        delay=$(delay_from_alerts_disabled_file)
+
+        if [ "${delay}" -le "0" ]; then
+            enable_check
+        fi
+    fi
+
+    if [ -e "${alerts_disabled_file}" ]; then
+        formatted_last_change=$(date --date "@$(stat -c %Z "${alerts_disabled_file}")" +'%c')
+        readonly formatted_last_change
+
+        echo "ALERTS DISABLED for ${check_name} (since ${formatted_last_change}, delay: ${delay} sec) - $(cat "${check_stdout}")"
+        if [ ${check_rc} = 0 ]; then
+            # Nagios OK
+            exit 0
+        else
+            # Nagios WARNING
+            exit 1
+        fi
+    else
+        cat "${check_stdout}"
+        exit ${check_rc}
+    fi
+}
+
+# Default: 1 day before re-enabling the check
+wrapper_limit_default="1d"
+readonly wrapper_limit_default
+
+if [[ "${1}" =~ -.* ]]; then
+    # parse options
+    # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
+    while :; do
+        case $1 in
+            -h|-\?|--help)
+                show_help
+                exit 0
+                ;;
+            -V|--version)
+                show_version
+                exit 0
+                ;;
+
+            --limit)
+                # with value separated by space
+                if [ -n "$2" ]; then
+                    wrapper_limit=$2
+                    shift
+                else
+                    printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
+                    exit 1
+                fi
+                ;;
+            --limit=?*)
+                # with value speparated by =
+                wrapper_limit=${1#*=}
+                ;;
+            --limit=)
+                # without value
+                printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
+                exit 1
+                ;;
+
+            --name)
+                # with value separated by space
+                if [ -n "$2" ]; then
+                    check_name=$2
+                    shift
+                else
+                    printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
+                    exit 1
+                fi
+                ;;
+            --name=?*)
+                # with value speparated by =
+                check_name=${1#*=}
+                ;;
+            --name=)
+                # without value
+                printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
+                exit 1
+                ;;
+
+            --)
+                # End of all options.
+                shift
+                break
+                ;;
+            -?*)
+                # ignore unknown options
+                printf 'WARN: Unknown option : %s\n' "$1" >&2
+                exit 1
+                ;;
+            *)
+                # Default case: If no more options then break out of the loop.
+                break
+                ;;
+        esac
+
+        shift
+    done
+    # The rest is the command
+    check_command="$*"
+else
+    # no option is passed (backward compatibility with previous version)
+    # treat the first argument as check_name and the rest as the command
+    check_name="${1}"
+    shift
+    check_command="$*"
+fi
+
+# Default values or errors
+if [ -z "${wrapper_limit}" ]; then
+    wrapper_limit="${wrapper_limit_default}"
+fi
+if [ -z "${check_name}" ]; then
+    printf 'ERROR: You must specify a check name, with --name.\n' >&2
+    exit 1
+fi
+if [ -z "${check_command}" ]; then
+    printf 'ERROR: You must specify a command to execute.\n' >&2
+    exit 1
+fi
+
+readonly check_name
+readonly check_command
+readonly wrapper_limit
+alerts_disabled_file="/var/lib/misc/${check_name}_alerts_disabled"
+readonly alerts_disabled_file
+
+check_file="/var/lib/misc/${check_name}_alerts_disabled"
+readonly check_file
+
+check_stdout=$(mktemp --tmpdir=/tmp "${check_name}_stdout.XXXX")
+readonly check_stdout
+
+# shellcheck disable=SC2064
+trap "rm ${check_stdout}" EXIT
+
+main

nagios-nrpe/files/check_async

@@ -59,9 +59,9 @@ delay_from_check_file() {
 
 enable_check() {
     if [ "$(id -u)" -eq "0" ] ; then
-        /usr/share/scripts/alerts_switch enable "${check_name}"
+        /usr/local/bin/alerts_switch enable "${check_name}"
     else
-        sudo /usr/share/scripts/alerts_switch enable "${check_name}"
+        sudo /usr/local/bin/alerts_switch enable "${check_name}"
     fi
 }
 

nagios-nrpe/tasks/main.yml

@@ -83,3 +83,5 @@
   notify: restart nagios-nrpe-server
   tags:
     - nagios-nrpe
+
+- include_tasks: wrapper.yml

nagios-nrpe/tasks/wrapper.yml

@@ -0,0 +1,35 @@
+---
+
+
+- name: "Remount /usr if needed"
+  include_role:
+    name: remount-usr
+
+- name: alerts_switch is at the right place
+  command: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch"
+  args:
+    creates: /usr/local/bin/alerts_switch
+
+- name: "copy alerts_switch"
+  copy:
+    src: alerts_switch
+    dest: /usr/local/bin/alerts_switch
+    owner: root
+    group: root
+    mode: "0750"
+    force: yes
+
+- name: "symlink for backward compatibility"
+  file:
+    src: /usr/local/bin/alerts_switch
+    dest: /usr/share/scripts/alerts_switch
+    state: link
+
+- name: "copy alerts_wrapper"
+  copy:
+    src: alerts_wrapper
+    dest: "{{ nagios_plugins_directory }}/alerts_wrapper"
+    owner: root
+    group: staff
+    mode: "0755"
+    force: yes