Merge branch 'unstable' (commit 3acd997eca
) into stable
commit
c61c2c86e2
|
@ -6,3 +6,5 @@ apt_install_backports: False
|
|||
apt_backports_components: "main"
|
||||
|
||||
apt_install_evolix_public: True
|
||||
|
||||
apt_clean_gandi_sourceslist: False
|
||||
|
|
|
@ -10,6 +10,16 @@
|
|||
tags:
|
||||
- apt
|
||||
|
||||
- name: Clean GANDI sources.list.d/debian-security.list
|
||||
file:
|
||||
path: '{{ item }}'
|
||||
state: absent
|
||||
with_items:
|
||||
- /etc/apt/sources.list.d/debian-security.list
|
||||
- /etc/apt/sources.list.d/debian-stretch.list
|
||||
- /etc/apt/sources.list.d/debian-update.list
|
||||
when: apt_clean_gandi_sourceslist
|
||||
|
||||
- name: Intermediate flush of handlers
|
||||
meta: flush_handlers
|
||||
tags:
|
||||
|
|
|
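Review bot: The task named `Clean GANDI sources.list.d/debian-security.list` removes three files, one of them the release-specific `debian-stretch.list`, so the name should describe all of them, e.g. `- name: Clean GANDI sources.list.d files`. Deleting `debian-security.list` also removes a security-updates source. Nothing in this hunk shows the role's own sources.list supplying the security suite, or an apt cache update following the removal, so that ordering is worth confirming (inferred, since the surrounding tasks are outside the hunk). The hunk ends inside the `Intermediate flush of handlers` task.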
@ -1,12 +1,15 @@
|
|||
---
|
||||
docker_tmpdir: /home/docker/tmp
|
||||
# If docher_home sets to /home/, the partition should be mounted with exec
|
||||
# option.
|
||||
docker_home: /srv/docker
|
||||
docker_tmpdir: "{{docker_home}}/tmp"
|
||||
|
||||
docker_remote_access_enabled: True
|
||||
docker_daemon_port: 2376
|
||||
docker_daemon_listening_ip: 0.0.0.0
|
||||
|
||||
docker_tls_enabled: True
|
||||
docker_tls_path: /home/docker/tls
|
||||
docker_tls_path: "{{docker_home}}/tls"
|
||||
docker_tls_ca: ca/ca.pem
|
||||
docker_tls_ca_key: ca/ca-key.pem
|
||||
docker_tls_cert: server/cert.pem
|
||||
|
|
|
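Review bot: The new comment misspells the variable (`docher_home`) and reads ambiguously; suggest `# If docker_home is set under /home, that partition must be mounted with the exec option.`. The change also moves the default `docker_tls_path` from `/home/docker/tls` to `{{docker_home}}/tls`. Hosts deployed with the earlier default would presumably need their CA and server key files moved, or the variable overridden, and nothing visible here handles that. Since `docker_remote_access_enabled: True` and `docker_daemon_listening_ip: 0.0.0.0` remain the defaults, it is worth confirming that a daemon restarted after this change still finds its TLS material.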
@ -37,7 +37,6 @@
|
|||
- name: Install docker and python-docker
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
state: latest
|
||||
update_cache: yes
|
||||
with_items:
|
||||
- docker-ce
|
||||
|
@ -47,15 +46,20 @@
|
|||
template:
|
||||
src: daemon.json.j2
|
||||
dest: /etc/docker/daemon.json
|
||||
notify:
|
||||
- reload systemd
|
||||
- restart docker
|
||||
notify: restart docker
|
||||
|
||||
- name: Remove options from docker systemd service
|
||||
lineinfile:
|
||||
dest: /lib/systemd/system/docker.service
|
||||
regexp: '^ExecStart='
|
||||
line: 'ExecStart=/usr/bin/dockerd'
|
||||
- name: Create override directory for docker unit
|
||||
file:
|
||||
name: /etc/systemd/system/docker.service.d/
|
||||
state: directory
|
||||
mode: "0755"
|
||||
|
||||
- name: Remove options in ExecStart from docker unit
|
||||
copy:
|
||||
src: docker.conf
|
||||
dest: /etc/systemd/system/docker.service.d/
|
||||
mode: "0644"
|
||||
notify: reload systemd
|
||||
|
||||
- name: Creating Docker tmp directory
|
||||
file:
|
||||
|
|
|
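Review bot: The task that copies `docker.conf` into `/etc/systemd/system/docker.service.d/` notifies only `reload systemd`, while the `daemon.json` template task appears to notify only `restart docker` after this change (sides inferred from the hunk counts). A change to the drop-in alone therefore reloads the unit files but leaves the running dockerd on its previous ExecStart. Suggest `notify: [reload systemd, restart docker]` on the copy task. Handlers run in the order they are defined, so `reload systemd` should be defined before `restart docker` in the handlers file, which is not visible here. The contents of `docker.conf` are not shown either, and the hunk ends inside the `Creating Docker tmp directory` task.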
@ -20,13 +20,12 @@
|
|||
git_config:
|
||||
name: user.email
|
||||
repo: /etc
|
||||
scope: local
|
||||
register: git_config_user_email
|
||||
ignore_errors: yes
|
||||
|
||||
- name: "set commit author"
|
||||
set_fact:
|
||||
commit_author: '{% if ansible_env.SUDO_USER == "" %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
|
||||
commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
|
||||
commit_email: '{% if git_config_user_email.config_value == "" %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}'
|
||||
|
||||
- name: "/etc modifications are committed"
|
||||
|
|
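Review bot: `commit_email` on the line after the changed `commit_author` still compares `git_config_user_email.config_value` with `""`, the same pattern this change replaces for `SUDO_USER`. The registering task is shown with `ignore_errors: yes`, so when the lookup fails or returns nothing `config_value` may be undefined or null rather than an empty string (inferred, the module's result is not visible here). A form that covers undefined and empty alike is `commit_email: '{{ git_config_user_email.config_value | default("root@localhost", true) }}'`, and `commit_author` could use `{{ ansible_env.SUDO_USER | default("root", true) }}` for the same reason. The `set_fact` task continues outside the hunk.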
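--- a/haproxy/files/check_haproxy_stats.pl
+++ b/haproxy/files/check_haproxy_stats.pl
@@ -0,0 +1,282 @@
+#!/usr/bin/env perl
+# vim: se et ts=4:
+
+#
+# Copyright (C) 2012, Giacomo Montagner <giacomo@entirelyunlike.net>
+# 2015, Yann Fertat, Romain Dessort, Jeff Palmer,
+# Christophe Drevet-Droguet <dr4ke@dr4ke.net>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the same terms as Perl 5.10.1.
+# For more details, see http://dev.perl.org/licenses/artistic.html
+#
+# This program is distributed in the hope that it will be
+# useful, but without any warranty; without even the implied
+# warranty of merchantability or fitness for a particular purpose.
+#
+
+our $VERSION = "1.1.1";
+
+open(STDERR, ">&STDOUT");
+
+# CHANGELOG:
+# 1.0.0 - first release
+# 1.0.1 - fixed empty message if all proxies are OK
+# 1.0.2 - add perfdata
+# 1.0.3 - redirect stderr to stdout
+# 1.0.4 - fix undef vars
+# 1.0.5 - fix thresholds
+# 1.1.0 - support for HTTP interface
+# 1.1.1 - drop perl 5.10 requirement
+
+use strict;
+use warnings;
+use File::Basename qw/basename/;
+use IO::Socket::UNIX;
+use Getopt::Long;
+my $lwp = eval {
+require LWP::Simple;
+LWP::Simple->import;
+1;
+};
+
+sub usage {
+my $me = basename $0;
+print <<EOU;
+NAME
+$me - check haproxy stats for errors, using UNIX socket interface
+SYNOPSIS
+$me [OPTIONS]
+DESCRIPTION
+Get haproxy statistics via UNIX socket and parse information searching for errors.
+OPTIONS
+-c, --critical
+Set critical threshold for sessions number (chacks current number of sessions
+against session limit, if enforced) to the specified percentage.
+If no session limit (slim) was specified for the given proxy, this option has
+no effect.
+-d, --dump
+Just dump haproxy stats and exit;
+-h, --help
+Print this message.
+-m, --ignore-maint
+Assume servers in MAINT state to be ok.
+-p, --proxy
+Check only named proxies, not every one. Use comma to separate proxies
+in list.
+-P, --no-proxy
+Do not check named proxies. Use comma to separate proxies in list.
+-s, --sock, --socket
+Use named UNIX socket instead of default (/var/run/haproxy.sock)
+-U, --url
+Use HTTP URL instead of socket. The LWP::Simple perl module is used if
+available. Otherwise, it falls back to using the external command `curl`.
+-u, --user, --username
+Username for the HTTP URL
+-x, --pass, --password
+Password for the HTTP URL
+-w, --warning
+Set warning threshold for sessions number to the specified percentage (see -c)
+CHECKS AND OUTPUT
+$me checks every proxy (or the named ones, if -p was given)
+for status. It returns an error if any of the checked FRONTENDs is not OPEN,
+any of the checked BACKENDs is not UP, or any of the checkes servers is not UP;
+$me reports any problem it found.
+EXAMPLES
+$me -s /var/spool/haproxy/sock
+Use /var/spool/haproxy/sock to communicate with haproxy.
+$me -p proxy1,proxy2 -w 60 -c 80
+Check only proxies named "proxy1" and "proxy2", and set sessions number
+thresholds to 60% and 80%.
+AUTHOR
+Written by Giacomo Montagner
+REPORTING BUGS
+Please report any bug to bugs\@entirelyunlike.net
+COPYRIGHT
+Copyright (C) 2012 Giacomo Montagner <giacomo\@entirelyunlike.net>.
+$me is distributed under GPL and the Artistic License 2.0
+SEE ALSO
+Check out online haproxy documentation at <http://haproxy.1wt.eu/>
+EOU
+}
+
+my %check_statuses = (
+UNK => "unknown",
+INI => "initializing",
+SOCKERR => "socket error",
+L4OK => "layer 4 check OK",
+L4CON => "connection error",
+L4TMOUT => "layer 1-4 timeout",
+L6OK => "layer 6 check OK",
+L6TOUT => "layer 6 (SSL) timeout",
+L6RSP => "layer 6 protocol error",
+L7OK => "layer 7 check OK",
+L7OKC => "layer 7 conditionally OK",
+L7TOUT => "layer 7 (HTTP/SMTP) timeout",
+L7RSP => "layer 7 protocol error",
+L7STS => "layer 7 status error",
+);
+
+my @status_names = (qw/OK WARNING CRITICAL UNKNOWN/);
+
+# Defaults
+my $swarn = 80.0;
+my $scrit = 90.0;
+my $sock = "/var/run/haproxy.sock";
+my $url;
+my $user = '';
+my $pass = '';
+my $dump;
+my $ignore_maint;
+my $proxy;
+my $no_proxy;
+my $help;
+
+# Read command line
+Getopt::Long::Configure ("bundling");
+GetOptions (
+"c|critical=i" => \$scrit,
+"d|dump" => \$dump,
+"h|help" => \$help,
+"m|ignore-maint" => \$ignore_maint,
+"p|proxy=s" => \$proxy,
+"P|no-proxy=s" => \$no_proxy,
+"s|sock|socket=s" => \$sock,
+"U|url=s" => \$url,
+"u|user|username=s" => \$user,
+"x|pass|password=s" => \$pass,
+"w|warning=i" => \$swarn,
+);
+
+# Want help?
+if ($help) {
+usage;
+exit 3;
+}
+
+my $haproxy;
+if ($url and $lwp) {
+my $geturl = $url;
+if ($user ne '') {
+$url =~ /^([^:]*:\/\/)(.*)/;
+$geturl = $1.$user.':'.$pass.'@'.$2;
+}
+$geturl .= ';csv';
+$haproxy = get($geturl);
+} elsif ($url) {
+my $haproxyio;
+my $getcmd = "curl --insecure -s --fail "
+. "--user '$user:$pass' '".$url.";csv'";
+open $haproxyio, "-|", $getcmd;
+while (<$haproxyio>) {
+$haproxy .= $_;
+}
+close($haproxyio);
+} else {
+# Connect to haproxy socket and get stats
+my $haproxyio = new IO::Socket::UNIX (
+Peer => $sock,
+Type => SOCK_STREAM,
+);
+die "Unable to connect to haproxy socket: $sock\n$@" unless $haproxyio;
+print $haproxyio "show stat\n" or die "Print to socket failed: $!";
+$haproxy = '';
+while (<$haproxyio>) {
+$haproxy .= $_;
+}
+close($haproxyio);
+}
+
+# Dump stats and exit if requested
+if ($dump) {
+print($haproxy);
+exit 0;
+}
+
+# Get labels from first output line and map them to their position in the line
+my @hastats = ( split /\n/, $haproxy );
+my $labels = $hastats[0];
+die "Unable to retrieve haproxy stats" unless $labels;
+chomp($labels);
+$labels =~ s/^# // or die "Data format not supported.";
+my @labels = split /,/, $labels;
+{
+no strict "refs";
+my $idx = 0;
+map { $$_ = $idx++ } @labels;
+}
+
+# Variables I will use from here on:
+our $pxname;
+our $svname;
+our $status;
+our $slim;
+our $scur;
+
+my @proxies = split ',', $proxy if $proxy;
+my @no_proxies = split ',', $no_proxy if $no_proxy;
+my $exitcode = 0;
+my $msg;
+my $checked = 0;
+my $perfdata = "";
+
+# Remove excluded proxies from the list if both -p and -P options are
+# specified.
+my %hash;
+@hash{@no_proxies} = undef;
+@proxies = grep{ not exists $hash{$_} } @proxies;
+
+foreach (@hastats) {
+chomp;
+next if /^#/;
+next if /^[[:space:]]*$/;
+my @data = split /,/, $_;
+if (@proxies) { next unless grep {$data[$pxname] eq $_} @proxies; };
+if (@no_proxies) { next if grep {$data[$pxname] eq $_} @no_proxies; };
+
+# Is session limit enforced?
+if ($data[$slim]) {
+$perfdata .= sprintf "%s-%s=%u;%u;%u;0;%u;", $data[$pxname], $data[$svname], $data[$scur], $swarn * $data[$slim] / 100, $scrit * $data[$slim] / 100, $data[$slim];
+
+# Check current session # against limit
+my $sratio = $data[$scur]/$data[$slim];
+if ($sratio >= $scrit / 100 || $sratio >= $swarn / 100) {
+$exitcode = $sratio >= $scrit / 100 ? 2 :
+$exitcode < 2 ? 1 : $exitcode;
+$msg .= sprintf "%s:%s sessions: %.2f%%; ", $data[$pxname], $data[$svname], $sratio * 100;
+}
+}
+
+# Check of BACKENDS
+if ($data[$svname] eq 'BACKEND') {
+if ($data[$status] ne 'UP') {
+$msg .= sprintf "BACKEND: %s is %s; ", $data[$pxname], $data[$status];
+$exitcode = 2;
+}
+# Check of FRONTENDS
+} elsif ($data[$svname] eq 'FRONTEND') {
+if ($data[$status] ne 'OPEN') {
+$msg .= sprintf "FRONTEND: %s is %s; ", $data[$pxname], $data[$status];
+$exitcode = 2;
+}
+# Check of servers
+} else {
+if ($data[$status] ne 'UP') {
+next if ($ignore_maint && $data[$status] eq 'MAINT');
+next if $data[$status] eq 'no check'; # Ignore server if no check is configured to be run
+next if $data[$svname] eq 'sock-1';
+$exitcode = 2;
+our $check_status;
+$msg .= sprintf "server: %s:%s is %s", $data[$pxname], $data[$svname], $data[$status];
+$msg .= sprintf " (check status: %s)", $check_statuses{$data[$check_status]} if $check_statuses{$data[$check_status]};
+$msg .= "; ";
+}
+}
+++$checked;
+}
+
+unless ($msg) {
+$msg = @proxies ? sprintf("checked proxies: %s", join ', ', sort @proxies) : "checked $checked proxies.";
+}
+print "Check haproxy $status_names[$exitcode] - $msg|$perfdata\n";
+exit $exitcode;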
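Review bot: The curl fallback in the `elsif ($url)` branch builds one shell string from `$user`, `$pass` and `$url` and passes it as a single command to a piped `open`, so any quote or shell metacharacter in those option values is interpreted by the shell; the result of `open` is not checked either. Pass the arguments as a list so no shell is involved, and fail loudly: `open my $haproxyio, '-|', 'curl', '-s', '--fail', '--user', "$user:$pass", "$url;csv" or die "curl failed: $!";`. `--insecure` turns off certificate verification while Basic credentials are being sent, so it should be dropped or made an explicit opt-in. Separately, `map { $$_ = $idx++ } @labels` under `no strict "refs"` lets the header line of the fetched data decide which package variables get assigned; a hash such as `my %col; @col{@labels} = (0 .. $#labels);` keeps that mapping out of the symbol table.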
@ -32,3 +32,5 @@
|
|||
tags:
|
||||
- haproxy
|
||||
- config
|
||||
|
||||
- include: nagios.yml
|
||||
|
|
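--- a/haproxy/tasks/nagios.yml
+++ b/haproxy/tasks/nagios.yml
@@ -0,0 +1,20 @@
+---
+
+- name: "Install check_haproxy_stats script"
+copy:
+src: check_haproxy_stats.pl
+dest: /usr/local/lib/nagios/plugins/check_haproxy_stats.pl
+mode: "0755"
+tags:
+- haproxy
+- nrpe
+
+- name: "Add check_haproxy to sudoers"
+lineinfile:
+dest: /etc/sudoers.d/evolinux
+line: 'nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats.pl'
+insertafter: '^nagios'
+tags:
+- haproxy
+- nrpe
+- sudo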
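Review bot: The sudoers line added by the second task names the plugin path with no arguments, so the nagios account can run it as root with any options, including `-U`, `-u`/`-x` and `-s`. Because the script forwards those values to the network and to an external command, the rule should pin the exact invocation NRPE uses, e.g. `line: 'nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats.pl -s <SOCKET_PATH>'` (placeholder path). The `lineinfile` task should also carry `validate: 'visudo -cf %s'` so a malformed entry cannot break sudo. The `copy` task would be safer with explicit `owner: root` and `group: root`, since a plugin that is runnable as root must not be writable by the monitoring user.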
@ -1,5 +1,12 @@
|
|||
---
|
||||
|
||||
- name: packages are installed
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- iptables
|
||||
|
||||
- include: install.yml
|
||||
|
||||
- include: config.yml
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
mysql_user:
|
||||
name: nrpe
|
||||
password: '{{ mysql_nrpe_password.stdout }}'
|
||||
priv: "*.*:REPLICATION CLIENT"
|
||||
config_file: /root/.my.cnf
|
||||
update_password: always
|
||||
state: present
|
||||
|
|
|
@ -30,8 +30,11 @@ for log in production.log delayed_job.log development.log test.log; do
|
|||
done
|
||||
done
|
||||
|
||||
if /etc/init.d/apache2 status > /dev/null ; then \
|
||||
test -x /usr/sbin/apache2ctl && if /etc/init.d/apache2 status > /dev/null ; then \
|
||||
/etc/init.d/apache2 reload > /dev/null; \
|
||||
fi;
|
||||
|
||||
test -x /usr/sbin/nginx && invoke-rc.d nginx rotate >/dev/null 2>&1
|
||||
|
||||
# we want exit 0
|
||||
true
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
state: present
|
||||
with_items:
|
||||
- libapache2-mod-php5
|
||||
- php5
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: "Install mod_php packages (Debian 9 or later)"
|
||||
|
@ -14,6 +15,7 @@
|
|||
state: present
|
||||
with_items:
|
||||
- libapache2-mod-php
|
||||
- php
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: "Set php.ini config for apache2 (jessie)"
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
state: present
|
||||
with_items:
|
||||
- php5-fpm
|
||||
- php5
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: "Install PHP FPM packages (Debian 9 or later)"
|
||||
|
@ -14,6 +15,7 @@
|
|||
state: present
|
||||
with_items:
|
||||
- php-fpm
|
||||
- php
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: "Set config files for FPM (jessie)"
|
||||
|
|
|
@ -5,7 +5,6 @@
|
|||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- php5
|
||||
- php5-cli
|
||||
- php5-gd
|
||||
- php5-imap
|
||||
|
|
|
@ -5,7 +5,6 @@
|
|||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- php
|
||||
- php-cli
|
||||
- php-gd
|
||||
- php-imap
|
||||
|
|
|
@ -28,3 +28,6 @@
|
|||
service:
|
||||
name: log2mail
|
||||
state: restarted
|
||||
|
||||
- name: restart minifirewall
|
||||
command: /etc/init.d/minifirewall restart
|
||||
|
|
|
@ -11,12 +11,14 @@
|
|||
dest: /etc/default/minifirewall
|
||||
regexp: "^(HTTPSITES='[^0-9])"
|
||||
replace: '#\1'
|
||||
notify: restart minifirewall
|
||||
|
||||
- name: all HTTPSITES are authorized in minifirewall
|
||||
lineinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
line: "HTTPSITES='0.0.0.0/0'"
|
||||
insertafter: "^#HTTPSITES="
|
||||
notify: restart minifirewall
|
||||
|
||||
- name: add iptables rules for the proxy
|
||||
lineinfile:
|
||||
|
@ -29,10 +31,12 @@
|
|||
- "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -d {{ squid_address }} -j ACCEPT"
|
||||
- "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.0/8 -j ACCEPT"
|
||||
- "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8888"
|
||||
notify: restart minifirewall
|
||||
|
||||
- name: remove minifirewall example rule for the proxy
|
||||
lineinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
regexp: '^#.*(-t nat).*(-d X\.X\.X\.X)'
|
||||
state: absent
|
||||
notify: restart minifirewall
|
||||
when: minifirewall_test.stat.exists
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
[Service]
|
||||
ExecStart=
|
||||
ExecStart=/usr/sbin/varnishd -a {{ varnish_addresses | join(',') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
|
||||
ExecReload=
|
||||
ExecReload=/etc/varnish/reload-vcl.sh
|
||||
|
|