Merge branch 'check_minifirewall' into unstable

This commit is contained in:
Jérémy Lecour 2018-04-06 09:54:21 +02:00 committed by Jérémy Lecour
commit baf6ddd66c
8 changed files with 178 additions and 19 deletions


@ -11,38 +11,39 @@ The **patch** part changes incrementally at each release.
## [Unreleased]
### Added
* postfix: add lines in /etc/.gitignore
* nagios-nrpe: add "check_open_files" plugin
* nagios-nrpe: mark plugins as executable
* mysql-oracle: new role to install MySQL 5.7 with Oracle packages
* mysql: remount /usr before creating scripts directory
* packweb-apache: choose mysql variant (default: `debian`)
* haproxy: install Munin plugins
* proftpd: use proftpd_accounts list for manage ftp accounts
* added a few become attributes where missing
* etc-git: add tags for Ansible
* evolinux-base: install ncurses-term package
* added a few become attributes where missing
* redmine: added missing tags
* haproxy: install Munin plugins
* minifirewall: add "check_minifirewall" Nagios plugin (and `minifirewall_status` script)
* mysql-oracle: new role to install MySQL 5.7 with Oracle packages
* mysql: remount /usr before creating scripts directory
* nagios-nrpe: add "check_open_files" plugin
* nagios-nrpe: mark plugins as executable
* nodejs: Yarn package manager can be installed (default: `false`)
* packweb-apache: choose mysql variant (default: `debian`)
* postfix: add lines in /etc/.gitignore
* proftpd: use "proftpd_accounts" list to manage ftp accounts
* redmine: added missing tags
### Changed
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
* elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
* nagios-nrpe: mark plugins as executable
* mongodb: configuration is forced by default but it's configurable (default: `false`)
* mongodb: allow unauthenticated packages for Jessie
* mongodb: rename logrotate script
* nginx: package name can be specified (default: `nginx-full`)
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
* webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined
* mongodb: allow unauthenticated packages for Jessie
* mongodb: configuration is forced by default but it's configurable (default: `false`)
* mongodb: rename logrotate script
* nagios-nrpe: mark plugins as executable
* nginx: don't debug variables in verbosity 0
* nginx: package name can be specified (default: `nginx-full`)
* php: fix FPM custom file permissions
* php: more tasks notify FPM handler to restart if needed
* nginx: don't debug variables in verbosity 0
* webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined
### Fixed
* nginx: fix basic auth for default vhost
* dovecot: fix support of plus sign
* mysql/mysql-oracle: mysqltuner cron task is executable
* nginx: fix basic auth for default vhost
* rbenv: fix become user issue with copy tasks
## [9.1.6] - 2018-02-02


@ -25,3 +25,5 @@ minifirewall_private_ports_udp: []
minifirewall_autostart: "no"
evomaintenance_hosts: []
nagios_plugins_directory: "/usr/local/lib/nagios/plugins"
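Review bot: `nagios_plugins_directory` is now declared in this role's defaults while the same variable name is consumed by the nagios-nrpe template (the `evolix.cfg` hunk further down in this commit); if the nagios-nrpe role also declares it, the two roles can silently disagree on where plugins live, and the sudoers rule written by `nrpe.yml` would then point at a path the plugin was never copied to. I cannot see the nagios-nrpe defaults from here, so this is an inference; if both roles own the variable, a comment such as `# must match nagios_plugins_directory in the nagios-nrpe role` next to this line would at least make the coupling visible.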


@ -0,0 +1,78 @@
#!/bin/sh
is_alert5_enabled() {
# It's not very clear how to reliably detect if a SysVinit script
# wrapped in a systemd unit is enabled or not.
# Even when the script is not started in any run level, systemd says "active".
# So we test the SysVinit script path:
# if present, we test for an rc2.d symlink
# if missing, we ask systemd if a unit is active or not.
if test -f /etc/init.d/alert5; then
test -f /etc/rc2.d/S*alert5
else
systemctl is-active alert5 | grep -q "^active$"
fi
}
is_minifirewall_enabled() {
# TODO: instead of nested conditionals, we could loop with many possible paths
# and grep the first found, or error if none is found
if test -f /etc/rc2.d/S*alert5; then
grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5
else
if test -f /usr/share/scripts/alert5.sh; then
grep -q "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh
else
return_critical "No Alert5 scripts has been found."
fi
fi
}
is_minifirewall_started() {
if test -x /usr/share/scripts/minifirewall_status; then
/usr/share/scripts/minifirewall_status > /dev/null
else
/sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
fi
}
return_critical() {
echo "CRITICAL: $1"
exit 2
}
return_warning() {
echo "WARNING: $1"
exit 1
}
return_ok() {
echo "OK: $1"
exit 0
}
main() {
if is_alert5_enabled; then
if is_minifirewall_enabled; then
if is_minifirewall_started; then
return_ok "Minifirewall is started."
else
return_critical "Minifirewall is not started."
fi
else
if is_minifirewall_started; then
return_warning "Minifirewall is started, but disabled in alert5."
else
return_ok "Minifirewall is not started, but disabled in alert5."
fi
fi
else
if is_minifirewall_started; then
return_warning "Minifirewall is started, but Alert5 script is not enabled."
else
return_ok "Minifirewall is not started and Alert5 script is not enabled."
fi
fi
}
main
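Review bot: `is_minifirewall_started` (L103-109) reports CRITICAL "Minifirewall is not started" whenever the iptables probe fails for any reason, because a non-zero exit from `/sbin/iptables -L -n` (not running as root, binary missing) is indistinguishable from "no matching rule" once piped into `grep -q`. For a Nagios plugin that condition should be UNKNOWN (exit 3) rather than a false CRITICAL, so I would capture the iptables exit status separately and add a `return_unknown` helper beside the other `return_*` functions, as sketched below. `minifirewall_status` in the next file has the same conflation (its exit 1 also covers iptables failures), so the fix there is analogous. Minor: `test -f /etc/rc2.d/S*alert5` (L85, L93) relies on the glob expanding to exactly one path; a second matching symlink makes `test` fail with "too many arguments" and the check falls through to the wrong branch.
```shell
# … unchanged: is_alert5_enabled, is_minifirewall_enabled …

is_minifirewall_started() {
    if test -x /usr/share/scripts/minifirewall_status; then
        /usr/share/scripts/minifirewall_status > /dev/null
    else
        # Separate "could not list rules" from "no rule matched": only the
        # latter means the firewall is not started.
        rules=$(/sbin/iptables -L -n 2>/dev/null) || return_unknown "Unable to list iptables rules (not running as root?)."
        echo "$rules" | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
    fi
}

return_unknown() {
    echo "UNKNOWN: $1"
    exit 3
}

# … unchanged: return_critical, return_warning, return_ok, main …
```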


@ -0,0 +1,16 @@
#!/bin/sh
is_started() {
/sbin/iptables -L -n \
| grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
}
return_started() {
echo "started"
exit 0
}
return_stopped() {
echo "stopped"
exit 1
}
is_started && return_started || return_stopped
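Review bot: `is_started` (L151-154) runs `grep -E` without `-q`, so every matching iptables rule is printed to stdout before the final `started` line; `check_minifirewall` hides this with `> /dev/null`, but anyone calling the script directly or parsing its output gets rule text mixed into the status. Use `grep -q -E "…"` on L153 so the script's stdout is exactly `started` or `stopped`. The iptables-failure ambiguity noted on `check_minifirewall` applies here too and is not repeated.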


@ -0,0 +1,6 @@
---
- name: restart nagios-nrpe-server
service:
name: nagios-nrpe-server
state: restarted


@ -4,6 +4,8 @@
- include: config.yml
- include: nrpe.yml
- include: activate.yml
- include: tail.yml
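Review bot: `- include: nrpe.yml` is unconditional, yet the included tasks edit `/etc/nagios/nrpe.d/evolix.cfg` and `/etc/sudoers.d/evolinux` with `lineinfile`, which fails when those files (created by the nagios-nrpe role, as far as I can tell) are absent on a host that only applies minifirewall. A `when:` guard on a role toggle variable, or a `stat` of `/etc/nagios/nrpe.d` before the include, would keep the firewall role usable without NRPE; the rest of this task list is outside the hunk.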


@ -0,0 +1,53 @@
---
- include_role:
name: remount-usr
- name: /usr/share/scripts exists
file:
dest: /usr/share/scripts
mode: "0700"
owner: root
group: root
state: directory
- name: minifirewall_status is installed
copy:
src: minifirewall_status
dest: /usr/share/scripts/minifirewall_status
force: no
mode: "0700"
owner: root
group: root
- name: /usr/local/lib/nagios/plugins/ exists
file:
dest: "{{ nagios_plugins_directory }}"
mode: "02755"
owner: root
group: staff
state: directory
- name: check_minifirewall is installed
copy:
src: check_minifirewall
dest: "{{ nagios_plugins_directory }}/check_minifirewall"
force: no
mode: "0755"
owner: root
group: staff
- name: check_minifirewall is available for NRPE
lineinfile:
dest: /etc/nagios/nrpe.d/evolix.cfg
regexp: 'command\[check_minifirewall\]'
line: 'command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall'
notify: restart nagios-nrpe-server
- name: sudo without password for nagios
lineinfile:
dest: /etc/sudoers.d/evolinux
regexp: 'check_minifirewall'
line: 'nagios ALL = NOPASSWD: {{ nagios_plugins_directory }}/check_minifirewall'
insertafter: '^nagios'
validate: "visudo -cf %s"
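Review bot: Both `copy` tasks (L195-202, L210-217) use `force: no`, so once `check_minifirewall` and `minifirewall_status` exist on a host they are never updated again; since the sudoers rule on L228 lets the `nagios` user execute `check_minifirewall` as root, and that script in turn executes `/usr/share/scripts/minifirewall_status` as root, any later fix to either script (including a security fix) would silently fail to deploy. Unless there is a deliberate reason to preserve local modifications, drop `force: no` (or set `force: yes`) on both tasks. The ownership and modes chosen (`0700 root` for the status script, `0755 root:staff` for the plugin) are appropriate for a sudo-executed path and should stay as they are. The `regexp: 'check_minifirewall'` on L227 matches any sudoers line containing that word; anchoring it, e.g. `regexp: '^nagios .*check_minifirewall'`, avoids clobbering an unrelated entry.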


@ -66,6 +66,7 @@ command[check_glusterfs]={{ nagios_plugins_directory }}/check_glusterfs -v all -
command[check_supervisord_status]={{ nagios_plugins_directory }}/check_supervisord
command[check_varnish]={{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4
command[check_haproxy]={{ nagios_plugins_directory }}/check_haproxy_stats -s /var/run/haproxy.sock -w 80 -c 90
command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall
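Review bot: This template line invokes the plugin through `sudo`, but the matching NOPASSWD rule is only written by the minifirewall role's `nrpe.yml` (earlier in this commit), so on a host that applies nagios-nrpe without minifirewall the command will fail with a sudo password prompt rather than a clean plugin result. The same line is also managed by `lineinfile` in that `nrpe.yml`, giving two sources of truth for one entry. Consider either gating this line on the minifirewall role being applied, or a comment such as `# requires the sudoers rule installed by the minifirewall role (nrpe.yml)` so the dependency is visible when this template is edited.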
# Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates).
# Beware! All checks must not take more than 10s!