Merge branch 'check_minifirewall' into unstable
baf6ddd66c
39
CHANGELOG.md
39
CHANGELOG.md
|
@ -11,38 +11,39 @@ The **patch** part changes incrementally at each release.
|
|||
## [Unreleased]
|
||||
|
||||
### Added
|
||||
* postfix: add lines in /etc/.gitignore
|
||||
* nagios-nrpe: add "check_open_files" plugin
|
||||
* nagios-nrpe: mark plugins as executable
|
||||
* mysql-oracle: new role to install MySQL 5.7 with Oracle packages
|
||||
* mysql: remount /usr before creating scripts directory
|
||||
* packweb-apache: choose mysql variant (default: `debian`)
|
||||
* haproxy: install Munin plugins
|
||||
* proftpd: use proftpd_accounts list for manage ftp accounts
|
||||
* added a few become attributes where missing
|
||||
* etc-git: add tags for Ansible
|
||||
* evolinux-base: install ncurses-term package
|
||||
* added a few become attributes where missing
|
||||
* redmine: added missing tags
|
||||
* haproxy: install Munin plugins
|
||||
* minifirewall: add "check_minifirewall" Nagios plugin (and `minifirewall_status` script)
|
||||
* mysql-oracle: new role to install MySQL 5.7 with Oracle packages
|
||||
* mysql: remount /usr before creating scripts directory
|
||||
* nagios-nrpe: add "check_open_files" plugin
|
||||
* nagios-nrpe: mark plugins as executable
|
||||
* nodejs: Yarn package manager can be installed (default: `false`)
|
||||
* packweb-apache: choose mysql variant (default: `debian`)
|
||||
* postfix: add lines in /etc/.gitignore
|
||||
* proftpd: use "proftpd_accounts" list to manage ftp accounts
|
||||
* redmine: added missing tags
|
||||
|
||||
### Changed
|
||||
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
|
||||
* elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
|
||||
* nagios-nrpe: mark plugins as executable
|
||||
* mongodb: configuration is forced by default but it's configurable (default: `false`)
|
||||
* mongodb: allow unauthenticated packages for Jessie
|
||||
* mongodb: rename logrotate script
|
||||
* nginx: package name can be specified (default: `nginx-full`)
|
||||
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
|
||||
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
|
||||
* webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined
|
||||
* mongodb: allow unauthenticated packages for Jessie
|
||||
* mongodb: configuration is forced by default but it's configurable (default: `false`)
|
||||
* mongodb: rename logrotate script
|
||||
* nagios-nrpe: mark plugins as executable
|
||||
* nginx: don't debug variables in verbosity 0
|
||||
* nginx: package name can be specified (default: `nginx-full`)
|
||||
* php: fix FPM custom file permissions
|
||||
* php: more tasks notify FPM handler to restart if needed
|
||||
* nginx: don't debug variables in verbosity 0
|
||||
* webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined
|
||||
|
||||
### Fixed
|
||||
* nginx: fix basic auth for default vhost
|
||||
* dovecot: fix support of plus sign
|
||||
* mysql/mysql-oracle: mysqltuner cron task is executable
|
||||
* nginx: fix basic auth for default vhost
|
||||
* rbenv: fix become user issue with copy tasks
|
||||
|
||||
## [9.1.6] - 2018-02-02
|
||||
|
|
|
@ -25,3 +25,5 @@ minifirewall_private_ports_udp: []
|
|||
minifirewall_autostart: "no"
|
||||
|
||||
evomaintenance_hosts: []
|
||||
|
||||
nagios_plugins_directory: "/usr/local/lib/nagios/plugins"
|
||||
|
|
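--- /dev/null
+++ b/minifirewall/files/check_minifirewall
@@ -0,0 +1,78 @@
+#!/bin/sh
+
+is_alert5_enabled() {
+    # It's not very clear how to reliably detect if a SysVinit script
+    # wrapped in a systemd unit is enabled or not.
+    # Even when the script is not started in any run level, systemd says "active".
+    # So we test the SysVinit script path:
+    # if present, we test for an rc2.d symlink
+    # if missing, we ask systemd if a unit is active or not.
+    if test -f /etc/init.d/alert5; then
+        test -f /etc/rc2.d/S*alert5
+    else
+        systemctl is-active alert5 | grep -q "^active$"
+    fi
+}
+
+is_minifirewall_enabled() {
+    # TODO: instead of nested conditionals, we could loop with many possible paths
+    # and grep the first found, or error if none is found
+    if test -f /etc/rc2.d/S*alert5; then
+        grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5
+    else
+        if test -f /usr/share/scripts/alert5.sh; then
+            grep -q "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh
+        else
+            return_critical "No Alert5 scripts has been found."
+        fi
+    fi
+}
+
+is_minifirewall_started() {
+    if test -x /usr/share/scripts/minifirewall_status; then
+        /usr/share/scripts/minifirewall_status > /dev/null
+    else
+        /sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+    fi
+}
+
+return_critical() {
+    echo "CRITICAL: $1"
+    exit 2
+}
+
+return_warning() {
+    echo "WARNING: $1"
+    exit 1
+}
+
+return_ok() {
+    echo "OK: $1"
+    exit 0
+}
+
+main() {
+    if is_alert5_enabled; then
+        if is_minifirewall_enabled; then
+            if is_minifirewall_started; then
+                return_ok "Minifirewall is started."
+            else
+                return_critical "Minifirewall is not started."
+            fi
+        else
+            if is_minifirewall_started; then
+                return_warning "Minifirewall is started, but disabled in alert5."
+            else
+                return_ok "Minifirewall is not started, but disabled in alert5."
+            fi
+        fi
+    else
+        if is_minifirewall_started; then
+            return_warning "Minifirewall is started, but Alert5 script is not enabled."
+        else
+            return_ok "Minifirewall is not started and Alert5 script is not enabled."
+        fi
+    fi
+}
+
+main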
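Review bot: `test -f /etc/rc2.d/S*alert5`, used in both is_alert5_enabled and is_minifirewall_enabled, relies on the unquoted glob expanding to exactly one path; if two symlinks match (for example after a priority renumbering left an old one behind), `test` gets two operands, fails with "too many arguments", and an enabled alert5 is reported as not enabled, while the following `grep -q` would then search both files. A POSIX-safe form is `set -- /etc/rc2.d/S*alert5; test -f "$1"`, which still yields false when nothing matches because the literal pattern is not a file. The fallback branch of is_minifirewall_started embeds the same `iptables -L -n` expression as minifirewall_status; it reports "started" for any filter-table ruleset holding an any-to-any DROP udp or ACCEPT icmp rule, not specifically minifirewall's, and the two copies can drift, so a comment such as `# heuristic, keep in sync with minifirewall_status` on that line would help the next maintainer. Because NRPE runs this plugin under sudo it executes as root, so the absolute /sbin/iptables path is the right choice, and the `exit` inside return_critical terminates the script even when reached from an `if` condition, which appears to be the intent.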
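--- /dev/null
+++ b/minifirewall/files/minifirewall_status
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+is_started() {
+    /sbin/iptables -L -n \
+    | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+}
+return_started() {
+    echo "started"
+    exit 0
+}
+return_stopped() {
+    echo "stopped"
+    exit 1
+}
+
+is_started && return_started || return_stopped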
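Review bot: is_started pipes `iptables -L -n` into `grep -E` without `-q`, so on a match the raw iptables rule line is printed before "started"; check_minifirewall discards stdout and is unaffected, but any other caller reading the output gets two lines, and `| grep -q -E "..."` keeps the exit status while silencing the match. `\s` inside `grep -E` is a GNU extension rather than POSIX ERE, which works with Debian's grep but deserves a one-line comment given the `#!/bin/sh` shebang suggests portability was a goal. The closing `is_started && return_started || return_stopped` only behaves as an if/else because return_started calls `exit 0`; should it ever return non-zero both messages would be printed, so an explicit `if is_started; then return_started; else return_stopped; fi` is the safer shape.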
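--- /dev/null
+++ b/minifirewall/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: restart nagios-nrpe-server
+  service:
+    name: nagios-nrpe-server
+    state: restarted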
@ -4,6 +4,8 @@
|
|||
|
||||
- include: config.yml
|
||||
|
||||
- include: nrpe.yml
|
||||
|
||||
- include: activate.yml
|
||||
|
||||
- include: tail.yml
|
||||
|
|
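--- /dev/null
+++ b/minifirewall/tasks/nrpe.yml
@@ -0,0 +1,53 @@
+---
+
+- include_role:
+    name: remount-usr
+
+- name: /usr/share/scripts exists
+  file:
+    dest: /usr/share/scripts
+    mode: "0700"
+    owner: root
+    group: root
+    state: directory
+
+- name: minifirewall_status is installed
+  copy:
+    src: minifirewall_status
+    dest: /usr/share/scripts/minifirewall_status
+    force: no
+    mode: "0700"
+    owner: root
+    group: root
+
+- name: /usr/local/lib/nagios/plugins/ exists
+  file:
+    dest: "{{ nagios_plugins_directory }}"
+    mode: "02755"
+    owner: root
+    group: staff
+    state: directory
+
+- name: check_minifirewall is installed
+  copy:
+    src: check_minifirewall
+    dest: "{{ nagios_plugins_directory }}/check_minifirewall"
+    force: no
+    mode: "0755"
+    owner: root
+    group: staff
+
+- name: check_minifirewall is available for NRPE
+  lineinfile:
+    dest: /etc/nagios/nrpe.d/evolix.cfg
+    regexp: 'command\[check_minifirewall\]'
+    line: 'command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall'
+  notify: restart nagios-nrpe-server
+
+- name: sudo without password for nagios
+  lineinfile:
+    dest: /etc/sudoers.d/evolinux
+    regexp: 'check_minifirewall'
+    line: 'nagios ALL = NOPASSWD: {{ nagios_plugins_directory }}/check_minifirewall'
+    insertafter: '^nagios'
+    validate: "visudo -cf %s"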
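Review bot: the "check_minifirewall is available for NRPE" lineinfile task has no `create: yes`, so it fails on a host where /etc/nagios/nrpe.d/evolix.cfg does not exist yet (the nagios-nrpe role not having run first); and if the nrpe.cfg hunk at the end of this commit (`command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall`) is that role's evolix.cfg template, the same command is now defined in two places and one of them should be dropped or the redundancy documented. The sudoers task grants nagios passwordless root execution of `{{ nagios_plugins_directory }}/check_minifirewall`; the plugin is installed root:staff 0755 inside a 02755 root:staff directory, so neither nagios nor the staff group can replace it, but `force: no` here and on minifirewall_status means a stale or locally modified copy is never refreshed by Ansible, which is worth a comment since the sudo grant makes the file's integrity security-relevant. The task name "/usr/local/lib/nagios/plugins/ exists" hardcodes the path that `dest` takes from nagios_plugins_directory; `- name: "{{ nagios_plugins_directory }} exists"` keeps the two consistent.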
@ -66,6 +66,7 @@ command[check_glusterfs]={{ nagios_plugins_directory }}/check_glusterfs -v all -
|
|||
command[check_supervisord_status]={{ nagios_plugins_directory }}/check_supervisord
|
||||
command[check_varnish]={{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4
|
||||
command[check_haproxy]={{ nagios_plugins_directory }}/check_haproxy_stats -s /var/run/haproxy.sock -w 80 -c 90
|
||||
command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall
|
||||
|
||||
# Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates).
|
||||
# Beware! All checks must not take more than 10s!
|
||||
|
|