Merge branch 'check_minifirewall' into unstable
commit
baf6ddd66c
39
CHANGELOG.md
39
CHANGELOG.md
|
@ -11,38 +11,39 @@ The **patch** part changes incrementally at each release.
|
||||||
## [Unreleased]
|
## [Unreleased]
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
* postfix: add lines in /etc/.gitignore
|
* added a few become attributes where missing
|
||||||
* nagios-nrpe: add "check_open_files" plugin
|
|
||||||
* nagios-nrpe: mark plugins as executable
|
|
||||||
* mysql-oracle: new role to install MySQL 5.7 with Oracle packages
|
|
||||||
* mysql: remount /usr before creating scripts directory
|
|
||||||
* packweb-apache: choose mysql variant (default: `debian`)
|
|
||||||
* haproxy: install Munin plugins
|
|
||||||
* proftpd: use proftpd_accounts list for manage ftp accounts
|
|
||||||
* etc-git: add tags for Ansible
|
* etc-git: add tags for Ansible
|
||||||
* evolinux-base: install ncurses-term package
|
* evolinux-base: install ncurses-term package
|
||||||
* added a few become attributes where missing
|
* haproxy: install Munin plugins
|
||||||
* redmine: added missing tags
|
* minifirewall: add "check_minifirewall" Nagios plugin (and `minifirewall_status` script)
|
||||||
|
* mysql-oracle: new role to install MySQL 5.7 with Oracle packages
|
||||||
|
* mysql: remount /usr before creating scripts directory
|
||||||
|
* nagios-nrpe: add "check_open_files" plugin
|
||||||
|
* nagios-nrpe: mark plugins as executable
|
||||||
* nodejs: Yarn package manager can be installed (default: `false`)
|
* nodejs: Yarn package manager can be installed (default: `false`)
|
||||||
|
* packweb-apache: choose mysql variant (default: `debian`)
|
||||||
|
* postfix: add lines in /etc/.gitignore
|
||||||
|
* proftpd: use "proftpd_accounts" list to manage ftp accounts
|
||||||
|
* redmine: added missing tags
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
|
|
||||||
* elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
|
* elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
|
||||||
* nagios-nrpe: mark plugins as executable
|
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
|
||||||
* mongodb: configuration is forced by default but it's configurable (default: `false`)
|
|
||||||
* mongodb: allow unauthenticated packages for Jessie
|
|
||||||
* mongodb: rename logrotate script
|
|
||||||
* nginx: package name can be specified (default: `nginx-full`)
|
|
||||||
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
|
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
|
||||||
* webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined
|
* mongodb: allow unauthenticated packages for Jessie
|
||||||
|
* mongodb: configuration is forced by default but it's configurable (default: `false`)
|
||||||
|
* mongodb: rename logrotate script
|
||||||
|
* nagios-nrpe: mark plugins as executable
|
||||||
|
* nginx: don't debug variables in verbosity 0
|
||||||
|
* nginx: package name can be specified (default: `nginx-full`)
|
||||||
* php: fix FPM custom file permissions
|
* php: fix FPM custom file permissions
|
||||||
* php: more tasks notify FPM handler to restart if needed
|
* php: more tasks notify FPM handler to restart if needed
|
||||||
* nginx: don't debug variables in verbosity 0
|
* webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
* nginx: fix basic auth for default vhost
|
|
||||||
* dovecot: fix support of plus sign
|
* dovecot: fix support of plus sign
|
||||||
* mysql/mysql-oracle: mysqltuner cron task is executable
|
* mysql/mysql-oracle: mysqltuner cron task is executable
|
||||||
|
* nginx: fix basic auth for default vhost
|
||||||
* rbenv: fix become user issue with copy tasks
|
* rbenv: fix become user issue with copy tasks
|
||||||
|
|
||||||
## [9.1.6] - 2018-02-02
|
## [9.1.6] - 2018-02-02
|
||||||
|
|
|
@ -25,3 +25,5 @@ minifirewall_private_ports_udp: []
|
||||||
minifirewall_autostart: "no"
|
minifirewall_autostart: "no"
|
||||||
|
|
||||||
evomaintenance_hosts: []
|
evomaintenance_hosts: []
|
||||||
|
|
||||||
|
nagios_plugins_directory: "/usr/local/lib/nagios/plugins"
|
||||||
|
|
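Review bot: `nagios_plugins_directory` is not just a plugin path here: nrpe.yml interpolates it into a passwordless sudoers rule (`nagios ALL = NOPASSWD: {{ nagios_plugins_directory }}/check_minifirewall`), so an inventory or group override pointing it at a directory the nagios user (or a non-root group) can write to turns the check into a root shell for that user. That constraint is invisible from the defaults file; a comment on the new line, `# also used in a NOPASSWD sudoers rule (tasks/nrpe.yml): must stay a root-owned, non-writable path`, would flag it for anyone overriding the value. The file this hunk belongs to is not named on the page; it reads like the role's defaults.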
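--- a/minifirewall/files/check_minifirewall
+++ b/minifirewall/files/check_minifirewall
@@ -0,0 +1,78 @@
+#!/bin/sh
+
+is_alert5_enabled() {
+    # It's not very clear how to reliably detect if a SysVinit script
+    # wrapped in a systemd unit is enabled or not.
+    # Even when the script is not started in any run level, systemd says "active".
+    # So we test the SysVinit script path:
+    # if present, we test for an rc2.d symlink
+    # if missing, we ask systemd if a unit is active or not.
+    if test -f /etc/init.d/alert5; then
+        test -f /etc/rc2.d/S*alert5
+    else
+        systemctl is-active alert5 | grep -q "^active$"
+    fi
+}
+
+is_minifirewall_enabled() {
+    # TODO: instead of nested conditionals, we could loop with many possible paths
+    # and grep the first found, or error if none is found
+    if test -f /etc/rc2.d/S*alert5; then
+        grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5
+    else
+        if test -f /usr/share/scripts/alert5.sh; then
+            grep -q "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh
+        else
+            return_critical "No Alert5 scripts has been found."
+        fi
+    fi
+}
+
+is_minifirewall_started() {
+    if test -x /usr/share/scripts/minifirewall_status; then
+        /usr/share/scripts/minifirewall_status > /dev/null
+    else
+        /sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+    fi
+}
+
+return_critical() {
+    echo "CRITICAL: $1"
+    exit 2
+}
+
+return_warning() {
+    echo "WARNING: $1"
+    exit 1
+}
+
+return_ok() {
+    echo "OK: $1"
+    exit 0
+}
+
+main() {
+    if is_alert5_enabled; then
+        if is_minifirewall_enabled; then
+            if is_minifirewall_started; then
+                return_ok "Minifirewall is started."
+            else
+                return_critical "Minifirewall is not started."
+            fi
+        else
+            if is_minifirewall_started; then
+                return_warning "Minifirewall is started, but disabled in alert5."
+            else
+                return_ok "Minifirewall is not started, but disabled in alert5."
+            fi
+        fi
+    else
+        if is_minifirewall_started; then
+            return_warning "Minifirewall is started, but Alert5 script is not enabled."
+        else
+            return_ok "Minifirewall is not started and Alert5 script is not enabled."
+        fi
+    fi
+}
+
+main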
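Review bot: The fallback in `is_minifirewall_started` (and the `minifirewall_status` script it prefers) decides "started" from any `DROP udp 0.0.0.0/0 0.0.0.0/0` or `ACCEPT icmp 0.0.0.0/0 0.0.0.0/0` rule in the IPv4 filter table, so a matching rule installed by some other tool reports OK while minifirewall itself is absent, and an IPv6-only ruleset is never looked at; since this plugin runs as root through the NOPASSWD sudoers entry written by nrpe.yml, that limit should at least be stated in the function, e.g. `# heuristic: matches any DROP-udp / ACCEPT-icmp any-to-any rule in the IPv4 filter table, not minifirewall specifically`. `/sbin/iptables -L -n` is also invoked without `-w`, so a concurrent iptables run holding the xtables lock makes the listing fail and the check report CRITICAL for a firewall that is up; `/sbin/iptables -w -L -n | grep -q -E "..."` avoids that false alarm on any iptables ≥ 1.4.20. The `test -f /etc/rc2.d/S*alert5` glob used in both `is_alert5_enabled` and `is_minifirewall_enabled` hands every match to `test`, so if more than one symlink matches `test` errors out and alert5 reads as disabled; iterating the glob and stopping at the first regular file would be more robust.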
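--- a/minifirewall/files/minifirewall_status
+++ b/minifirewall/files/minifirewall_status
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+is_started() {
+    /sbin/iptables -L -n \
+        | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+}
+return_started() {
+    echo "started"
+    exit 0
+}
+return_stopped() {
+    echo "stopped"
+    exit 1
+}
+
+is_started && return_started || return_stopped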
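Review bot: `is_started` greps without `-q`, so every matching iptables rule is printed before `started` whenever the script is run by hand (check_minifirewall sends its stdout to /dev/null, so only interactive callers see it); `| grep -q -E "..."` keeps the exit status and drops the noise. As in check_minifirewall, `/sbin/iptables -L -n \` without `-w` reports `stopped` when another process holds the xtables lock, so `/sbin/iptables -w -L -n \` is the safer form. The closing `is_started && return_started || return_stopped` is only correct because `return_started` ends in `exit 0`; a one-line comment saying so, `# return_started exits, so return_stopped cannot run after a successful match`, would stop the next reader from "fixing" it into an if/else and would be worth keeping if the exit is ever removed.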
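--- a/minifirewall/handlers/main.yml
+++ b/minifirewall/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: restart nagios-nrpe-server
+  service:
+    name: nagios-nrpe-server
+    state: restarted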
|
@ -4,6 +4,8 @@
|
||||||
|
|
||||||
- include: config.yml
|
- include: config.yml
|
||||||
|
|
||||||
|
- include: nrpe.yml
|
||||||
|
|
||||||
- include: activate.yml
|
- include: activate.yml
|
||||||
|
|
||||||
- include: tail.yml
|
- include: tail.yml
|
||||||
|
|
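Review bot: `- include: nrpe.yml` is unconditional, and nrpe.yml edits `/etc/nagios/nrpe.d/evolix.cfg` and `/etc/sudoers.d/evolinux` with `lineinfile` and no `create`, so a host that runs this role without NRPE installed now fails inside nrpe.yml, before `activate.yml` ever runs and the firewall is brought up. A guard on the include, for example `when: minifirewall_nrpe | default(True)` or a `stat` of `/etc/nagios/nrpe.d` registered earlier, keeps firewall activation independent of the monitoring setup. The include list starts above this hunk, so I cannot see whether an earlier task already establishes that NRPE is present.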
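--- a/minifirewall/tasks/nrpe.yml
+++ b/minifirewall/tasks/nrpe.yml
@@ -0,0 +1,53 @@
+---
+
+- include_role:
+    name: remount-usr
+
+- name: /usr/share/scripts exists
+  file:
+    dest: /usr/share/scripts
+    mode: "0700"
+    owner: root
+    group: root
+    state: directory
+
+- name: minifirewall_status is installed
+  copy:
+    src: minifirewall_status
+    dest: /usr/share/scripts/minifirewall_status
+    force: no
+    mode: "0700"
+    owner: root
+    group: root
+
+- name: /usr/local/lib/nagios/plugins/ exists
+  file:
+    dest: "{{ nagios_plugins_directory }}"
+    mode: "02755"
+    owner: root
+    group: staff
+    state: directory
+
+- name: check_minifirewall is installed
+  copy:
+    src: check_minifirewall
+    dest: "{{ nagios_plugins_directory }}/check_minifirewall"
+    force: no
+    mode: "0755"
+    owner: root
+    group: staff
+
+- name: check_minifirewall is available for NRPE
+  lineinfile:
+    dest: /etc/nagios/nrpe.d/evolix.cfg
+    regexp: 'command\[check_minifirewall\]'
+    line: 'command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall'
+  notify: restart nagios-nrpe-server
+
+- name: sudo without password for nagios
+  lineinfile:
+    dest: /etc/sudoers.d/evolinux
+    regexp: 'check_minifirewall'
+    line: 'nagios ALL = NOPASSWD: {{ nagios_plugins_directory }}/check_minifirewall'
+    insertafter: '^nagios'
+    validate: "visudo -cf %s"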
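Review bot: The last task grants `nagios` passwordless root on `{{ nagios_plugins_directory }}/check_minifirewall`, but the copy task that installs that file uses `force: no`, so on a host where something already exists at that path the pre-existing content is kept (and, depending on the Ansible version, its owner and mode may not be corrected either) while the NOPASSWD rule is still written; for a root-execution grant the role-managed content has to win, so both copy tasks should use `force: yes`, or, if `force: no` is deliberate, carry a comment saying why. `/etc/sudoers.d/evolinux` is edited with `lineinfile` without `create` or `mode`, so the task aborts if the file is absent and nothing here guarantees the 0440 mode sudo expects; `create: yes` plus `mode: "0440"` makes the task self-sufficient, and `validate: "visudo -cf %s"` still protects against a broken result. `regexp: 'check_minifirewall'` matches any line containing that string, which works today but will silently overwrite an unrelated future rule that mentions the same name; `regexp: '^nagios\s+ALL\s*=.*check_minifirewall'` pins it to this rule.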
|
@ -66,6 +66,7 @@ command[check_glusterfs]={{ nagios_plugins_directory }}/check_glusterfs -v all -
|
||||||
command[check_supervisord_status]={{ nagios_plugins_directory }}/check_supervisord
|
command[check_supervisord_status]={{ nagios_plugins_directory }}/check_supervisord
|
||||||
command[check_varnish]={{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4
|
command[check_varnish]={{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4
|
||||||
command[check_haproxy]={{ nagios_plugins_directory }}/check_haproxy_stats -s /var/run/haproxy.sock -w 80 -c 90
|
command[check_haproxy]={{ nagios_plugins_directory }}/check_haproxy_stats -s /var/run/haproxy.sock -w 80 -c 90
|
||||||
|
command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall
|
||||||
|
|
||||||
# Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates).
|
# Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates).
|
||||||
# Beware! All checks must not take more than 10s!
|
# Beware! All checks must not take more than 10s!
|
||||||
|
|
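Review bot: The new `command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall` line makes NRPE run the plugin through sudo on every host that receives this template, but the matching `nagios ALL = NOPASSWD: .../check_minifirewall` rule is only written by the minifirewall role's nrpe.yml; on a host where nagios-nrpe is deployed without minifirewall the check fails on sudo's password prompt (or on the missing plugin file) instead of returning the plugin's own status. Either wrap the line in a Jinja condition tied to the minifirewall role being applied, or ship the sudoers entry from the nagios-nrpe role alongside the command. This is also the second place the same line is managed (nrpe.yml adds it with `lineinfile` on the same `command[check_minifirewall]` key), which is idempotent but deserves a comment above the line, e.g. `# also enforced by minifirewall/tasks/nrpe.yml`. The file this hunk belongs to is not named on the page; it reads like the nagios-nrpe `evolix.cfg.j2` template.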