From 0c8389baf9636585fc00c49b10a9c84224605706 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 21 Nov 2017 16:51:19 +0100 Subject: [PATCH 01/42] Adapt mongodb role for Stretch Everything changes : * package source * service name * version --- mongodb/README.md | 8 ++-- mongodb/defaults/main.yml | 3 +- mongodb/handlers/main.yml | 6 ++- mongodb/tasks/main.yml | 48 ++++--------------- mongodb/tasks/main_jessie.yml | 33 +++++++++++++ mongodb/tasks/main_stretch.yml | 29 +++++++++++ .../{logrotate.j2 => logrotate_jessie.j2} | 4 +- mongodb/templates/logrotate_stretch.j2 | 15 ++++++ .../{mongod.conf.j2 => mongod_jessie.conf.j2} | 0 mongodb/templates/mongodb_stretch.conf.j2 | 39 +++++++++++++++ 10 files changed, 136 insertions(+), 49 deletions(-) create mode 100644 mongodb/tasks/main_jessie.yml create mode 100644 mongodb/tasks/main_stretch.yml rename mongodb/templates/{logrotate.j2 => logrotate_jessie.j2} (57%) create mode 100644 mongodb/templates/logrotate_stretch.j2 rename mongodb/templates/{mongod.conf.j2 => mongod_jessie.conf.j2} (100%) create mode 100644 mongodb/templates/mongodb_stretch.conf.j2 diff --git a/mongodb/README.md b/mongodb/README.md index 3aecf5c1..5362827c 100644 --- a/mongodb/README.md +++ b/mongodb/README.md @@ -1,6 +1,8 @@ -# mongodb-org +# mongodb -Install latest MongoDB from 10Gen repository. +Install MongoDB + +We use packages from 10Gen for Jessie and packages from Debian for Stretch. ## Tasks @@ -8,8 +10,6 @@ Everything is in the `tasks/main.yml` file. ## Available variables -* `mongodb_pidfile_path`: PID file path (default: `/var/lib/mongodb/mongod.lock`) -* `mongodb_logfile_path`: log file path (default: `/var/log/mongodb/mongod.log`) * `mongodb_port`: port to listen to (default: `27017`) * `mongodb_bind`: IP to bind to (default: `127.0.0.1`) diff --git a/mongodb/defaults/main.yml b/mongodb/defaults/main.yml index 6278f20f..273db2ab 100644 --- a/mongodb/defaults/main.yml +++ b/mongodb/defaults/main.yml 
@@ -1,5 +1,4 @@ --- -mongodb_pidfile_path: /var/lib/mongodb/mongod.lock -mongodb_logfile_path: /var/log/mongodb/mongod.log + mongodb_port: 27017 mongodb_bind: 127.0.0.1 diff --git a/mongodb/handlers/main.yml b/mongodb/handlers/main.yml index 46a307cc..62ff5f28 100644 --- a/mongodb/handlers/main.yml +++ b/mongodb/handlers/main.yml @@ -1,7 +1,11 @@ --- # handlers file for mongodb -- name: restart mongodb +- name: restart mongod service: name: mongod state: restarted +- name: restart mongodb + service: + name: mongodb + state: restarted diff --git a/mongodb/tasks/main.yml b/mongodb/tasks/main.yml index 0caee268..a13183c6 100644 --- a/mongodb/tasks/main.yml +++ b/mongodb/tasks/main.yml 
@@ -1,44 +1,12 @@ --- -- fail: - msg: only compatible with Debian 8 - when: - - ansible_distribution != "Debian" or ansible_distribution_release != "jessie" +# - fail: +# msg: only compatible with Debian 8 +# when: +# - ansible_distribution != "Debian" or ansible_distribution_release != "jessie" -# Attention à bien indiquer le protocole et le port, sinon le firewall ne laisse pas passer -- name: MongoDB public GPG Key - apt_key: - # url: https://www.mongodb.org/static/pgp/server-3.4.asc - data: "{{ lookup('file', 'server-3.4.asc') }}" +- include: main_jessie.yml + when: ansible_distribution_release == "jessie" -- name: enable APT sources list - apt_repository: - repo: deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/3.4 main - state: present - filename: mongodb - update_cache: yes - -- name: Install packages - apt: - name: mongodb-org - state: installed - -- name: Custom configuration - template: - src: mongod.conf.j2 - dest: /etc/mongod.conf - force: yes - backup: no - notify: restart mongodb - -- name: Configure logrotate - template: - src: logrotate.j2 - dest: /etc/logrotate.d/mongodb - force: yes - backup: no - -- name: enable mongod service - service: - name: mongod - enabled: yes +- include: main_stretch.yml + when: ansible_distribution_major_version | version_compare('9', '>=') diff --git a/mongodb/tasks/main_jessie.yml b/mongodb/tasks/main_jessie.yml new file mode 100644 index 00000000..e9507191 --- /dev/null +++ b/mongodb/tasks/main_jessie.yml 
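Review bot: Commenting out the `fail` guard leaves the role with no distribution check: the stretch include's `ansible_distribution_major_version | version_compare('9', '>=')` is evaluated without testing `ansible_distribution`, so a non-Debian host whose major version is 9 or more would run main_stretch.yml, and a Debian host older than jessie silently runs nothing. Keep an explicit guard in place of the commented block, e.g. `- fail:` / `    msg: only compatible with Debian 8 and 9` / `  when: ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')`, and add `ansible_distribution == "Debian"` to the stretch include's condition. Commented-out tasks are better deleted outright since git keeps the history; the same applies to the commented block left in the kibana/tasks/main.yml hunk further down.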
@@ -0,0 +1,33 @@ +--- + +- name: MongoDB public GPG Key + apt_key: + # url: https://www.mongodb.org/static/pgp/server-3.4.asc + data: "{{ lookup('file', 'server-3.4.asc') }}" + +- name: enable APT sources list + apt_repository: + repo: deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/3.4 main + state: present + filename: mongodb + update_cache: yes + +- name: Install packages + apt: + name: mongodb-org + state: installed + +- name: Custom configuration + template: + src: mongod_jessie.conf.j2 + dest: "/etc/mongod.conf" + force: yes + backup: no + notify: restart mongod + +- name: Configure logrotate + template: + src: logrotate_jessie.j2 + dest: /etc/logrotate.d/mongodb + force: yes + backup: no diff --git a/mongodb/tasks/main_stretch.yml b/mongodb/tasks/main_stretch.yml new file mode 100644 index 00000000..45436920 --- /dev/null +++ b/mongodb/tasks/main_stretch.yml @@ -0,0 +1,29 @@ +--- + +- name: Install packages + apt: + name: "{{ item }}" + state: installed + with_items: + - mongodb + - mongo-tools + +- name: Custom configuration + template: + src: mongodb_stretch.conf.j2 + dest: "/etc/mongodb.conf" + force: yes + backup: no + notify: restart mongodb + +- name: enable service + service: + name: mongodb + enabled: yes + +- name: Configure logrotate + template: + src: logrotate_stretch.j2 + dest: /etc/logrotate.d/mongodb + force: yes + backup: no diff --git a/mongodb/templates/logrotate.j2 b/mongodb/templates/logrotate_jessie.j2 similarity index 57% rename from mongodb/templates/logrotate.j2 rename to mongodb/templates/logrotate_jessie.j2 index afd13378..1df4d429 100644 --- a/mongodb/templates/logrotate.j2 +++ b/mongodb/templates/logrotate_jessie.j2 @@ -1,6 +1,6 @@ # {{ ansible_managed }} -{{ mongodb_logfile_path }} { +/var/log/mongodb/mongod.log { daily missingok rotate 365 
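Review bot: The jessie task file no longer enables the service: the old main.yml ended with an `enable mongod service` task (`service: name: mongod, enabled: yes`), main_stretch.yml carries an equivalent `enable service` task, but main_jessie.yml stops after the logrotate template, so on Jessie the role no longer guarantees mongod starts at boot. Add the task back after the configuration step, as below. Separately, `state: installed` on the apt tasks is the deprecated alias of `state: present`; the same spelling appears in main_stretch.yml, evolinux-base/tasks/hostname.yml and rabbitmq/tasks/nrpe.yml.
```yaml
# … unchanged: GPG key, APT source, package install, configuration, logrotate …
- name: enable mongod service
  service:
    name: mongod
    enabled: yes
```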
@@ -10,6 +10,6 @@ notifempty sharedscripts postrotate - kill -0 $(cat {{ mongodb_pidfile_path }}) && kill -USR1 $(cat {{ mongodb_pidfile_path }}) + pidof mongod | xargs kill -USR1 endscript } diff --git a/mongodb/templates/logrotate_stretch.j2 b/mongodb/templates/logrotate_stretch.j2 new file mode 100644 index 00000000..fe5926a0 --- /dev/null +++ b/mongodb/templates/logrotate_stretch.j2 @@ -0,0 +1,15 @@ +# {{ ansible_managed }} + +/var/log/mongodb/mongodb.log { + daily + missingok + rotate 365 + dateext + compress + delaycompress + notifempty + sharedscripts + postrotate + pidof mongod | xargs kill -USR1 + endscript +} diff --git a/mongodb/templates/mongod.conf.j2 b/mongodb/templates/mongod_jessie.conf.j2 similarity index 100% rename from mongodb/templates/mongod.conf.j2 rename to mongodb/templates/mongod_jessie.conf.j2 diff --git a/mongodb/templates/mongodb_stretch.conf.j2 b/mongodb/templates/mongodb_stretch.conf.j2 new file mode 100644 index 00000000..b61479bd --- /dev/null +++ b/mongodb/templates/mongodb_stretch.conf.j2 @@ -0,0 +1,39 @@ +# mongodb.conf - {{ ansible_managed }} + +# for documentation of all options, see: +# http://docs.mongodb.org/manual/reference/configuration-options/ + +# Where and how to store data. +storage: + dbPath: /var/lib/mongodb + journal: + enabled: true +# engine: +# mmapv1: +# wiredTiger: + +# where to write logging data. +systemLog: + destination: file + logRotate: reopen + logAppend: true + path: /var/log/mongodb/mongodb.log + +# network interfaces +net: + port: {{ mongodb_port }} + bindIp: {{ mongodb_bind }} + +#security: + +#operationProfiling: + +#replication: + +#sharding: + +## Enterprise-Only Options: + +#auditLog: + +#snmp: From b3f4e4683e288453d0fb3fb176555355864d314f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 22 Nov 2017 14:08:54 +0100 Subject: [PATCH 02/42] hostname customization needs the dbus package --- evolinux-base/tasks/hostname.yml | 5 +++++ 1 file changed, 5 insertions(+) 
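Review bot: `pidof mongod | xargs kill -USR1` in postrotate fails when mongod is not running: `pidof` prints nothing, GNU `xargs` still invokes `kill -USR1` with no PID, and logrotate reports an error for the script where the old `kill -0` test made it a no-op. Use `pidof mongod | xargs -r kill -USR1` so `xargs` skips the command on empty input. The same line is in the new logrotate_stretch.j2.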
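Review bot: The `#security:` stanza in mongodb_stretch.conf.j2 is left commented, so the Stretch instance runs without `authorization` enabled; exposure is bounded only by `mongodb_bind` defaulting to `127.0.0.1`, and any inventory that sets it to a routable address exposes the database unauthenticated. At minimum state that coupling next to the stanza, e.g. `# security.authorization is not enabled: keep bindIp on loopback unless authentication is configured`, or drive `security.authorization` from a role variable so enabling it is a documented option.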
diff --git a/evolinux-base/tasks/hostname.yml b/evolinux-base/tasks/hostname.yml index 6a693b6b..059b6763 100644 --- a/evolinux-base/tasks/hostname.yml +++ b/evolinux-base/tasks/hostname.yml @@ -1,4 +1,9 @@ --- +- name: dbus is installed + apt: + name: dbus + state: installed + - name: Set hostname "{{ evolinux_hostname }}" hostname: name: "{{ evolinux_hostname }}" From 375c3e676086fb77c8cc03488ea30e5928088c7b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 25 Nov 2017 14:13:06 +0100 Subject: [PATCH 03/42] evoacme: crontab management * simply rename certbot script to disable it * use "evoacme" as file name for our custom cron script --- evoacme/files/{certbot.cron => evoacme.cron} | 0 evoacme/tasks/certbot.yml | 28 ++++++-------------- 2 files changed, 8 insertions(+), 20 deletions(-) rename evoacme/files/{certbot.cron => evoacme.cron} (100%) diff --git a/evoacme/files/certbot.cron b/evoacme/files/evoacme.cron similarity index 100% rename from evoacme/files/certbot.cron rename to evoacme/files/evoacme.cron diff --git a/evoacme/tasks/certbot.yml b/evoacme/tasks/certbot.yml index f01cc668..f4038ce3 100644 --- a/evoacme/tasks/certbot.yml +++ b/evoacme/tasks/certbot.yml 
@@ -28,26 +28,14 @@ path: /usr/local/bin/certbot state: absent -- name: stat /etc/cron.d/certbot - stat: - path: /etc/cron.d/certbot - register: etc_cron_d_certbot +- name: Disable /etc/cron.d/certbot + command: mv /etc/cron.d/certbot /etc/cron.d/certbot.disabled + args: + removes: /etc/cron.d/certbot + creates: /etc/cron.d/certbot.disabled -- name: Rename certbot dpkg cron to .disabled +- name: Install evoacme custom cron copy: - remote_src: True - src: /etc/cron.d/certbot - dest: /etc/cron.d/certbot.disabled - when: etc_cron_d_certbot.stat.exists - -- name: Remove certbot dpkg cron - file: - path: /etc/cron.d/certbot - state: absent - -- name: Install certbot custom cron - copy: - src: certbot.cron - dest: /etc/cron.daily/certbot + src: evoacme.cron + dest: /etc/cron.daily/evoacme mode: "0755" - From 708428d0889d9e064d982a09c920fdaa34c80556 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 25 Nov 2017 14:13:57 +0100 Subject: [PATCH 04/42] evoacme: store Nginx letsencrypt config file in snippets --- evoacme/tasks/nginx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evoacme/tasks/nginx.yml b/evoacme/tasks/nginx.yml index 024e60ce..ea63284a 100644 --- a/evoacme/tasks/nginx.yml +++ b/evoacme/tasks/nginx.yml @@ -1,7 +1,7 @@ - name: Copy acme challenge conf template: src: templates/nginx.conf.j2 - dest: /etc/nginx/letsencrypt.conf + dest: /etc/nginx/snippets/letsencrypt.conf owner: root group: root mode: "0644" From 2ac7b60a39b0432155b9f29fab47304780d4089e Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 25 Nov 2017 14:14:09 +0100 Subject: [PATCH 05/42] evoacme: better documentation --- evoacme/README.md | 56 ++++++++++++++++++++++++----------------------- 1 file changed, 29 insertions(+), 27 deletions(-) diff --git a/evoacme/README.md b/evoacme/README.md index b5d8e2cb..cada7e08 100644 --- a/evoacme/README.md +++ b/evoacme/README.md 
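Review bot: `creates: /etc/cron.d/certbot.disabled` makes the `Disable /etc/cron.d/certbot` task a no-op once the disabled copy exists, so if a later certbot package upgrade re-creates `/etc/cron.d/certbot`, the task is skipped (`removes` is satisfied but `creates` blocks it) and both the dpkg cron and the evoacme cron run. Keeping only `removes: /etc/cron.d/certbot` is enough: `mv` overwrites the stale `.disabled` file and the task stays idempotent.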
@@ -1,51 +1,57 @@ -# Evoacme 1.5 +# Evoacme 2.0 EvoAcme is an [Ansible](https://www.ansible.com/) role and a [Certbot](https://certbot.eff.org) wrapper for generate [Let's Encrypt](https://letsencrypt.org/) certificates. It is a project hosted at [Evolix's forge](https://forge.evolix.org/projects/ansible-roles/repository/) -# How to install +Evoacme is open source software licensed under the AGPLv3 License. -1 - Create a playbook with evoacme role +## Install + +### 1 - Create a playbook with evoacme role ~~~ --- - - hosts: hostname - become: yes - roles: - - role: evoacme +- hosts: hostname + become: yes + roles: + - evoacme ~~~ -2 - Install evoacme prerequisite with ansible +### 2 - Install evoacme prerequisite with ansible ~~~ -ansible-playbook playbook.yml -Kl hostname +# ansible-playbook playbook.yml -K --limit hostname ~~~ -3 - Include letsencrypt.conf in your webserver +### 3 - Include letsencrypt.conf in your webserver For Apache, you just need to ensure that you don't overwrite "/.well-known/acme-challenge" Alias with a Redirect or Rewrite directive. -For Nginx, you must include letsencrypt.conf in all wanted vhost : +For Nginx, you must include `/etc/nginx/snippets/letsencrypt.conf` in all wanted vhosts : ~~~ -include /etc/nginx/letsencrypt.conf; -nginx -t -service nginx reload +server { + […] + include /etc/nginx/snippets/letsencrypt.conf; + […] +} ~~~ -4 - Create a CSR for a vhost with make-csr +then reload the Nginx configuration : ~~~ -# make-csr look for this file : -# /etc/nginx/sites-enabled/vhostname -# /etc/nginx/sites-enabled/vhostname.conf -# /etc/apache2/sites-enabled/vhostname -# /etc/apache2/sites-enabled/vhostname.conf -make-csr vhostname +# nginx -t +# service nginx reload ~~~ -5 - Generate the certificate with evoacme +### 4 - Create a CSR for a vhost with make-csr + +~~~ +# make-csr vhostname domain... +~~~ + +### 5 - Generate the certificate with evoacme ~~~ # evoacme look for /etc/ssl/requests/vhostname 
@@ -53,7 +59,7 @@ make-csr vhostname evoacme vhostname ~~~ -6 - Include ssl configuration +### 6 - Include ssl configuration Sll configuration has generated, you must include it in your vhost. @@ -68,7 +74,3 @@ For Nginx : ~~~ include /etc/nginx/ssl/vhost.conf; ~~~ - -# License - -Evoacme is open source software licensed under the AGPLv3 License. From cf47d40b7903336041f8e992fa2c356b90dd3bb1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 26 Nov 2017 12:32:12 +0100 Subject: [PATCH 06/42] elastic: option for stack main version --- elasticsearch/defaults/main.yml | 2 ++ elasticsearch/tasks/packages.yml | 2 +- filebeat/defaults/main.yml | 2 ++ filebeat/tasks/main.yml | 2 +- kibana/defaults/main.yml | 1 + kibana/tasks/main.yml | 44 ++++++++++++++++---------------- logstash/defaults/main.yml | 2 ++ logstash/tasks/main.yml | 2 +- 8 files changed, 32 insertions(+), 25 deletions(-) diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml index 5fce4ef6..33310a2f 100644 --- a/elasticsearch/defaults/main.yml +++ b/elasticsearch/defaults/main.yml @@ -1,4 +1,6 @@ --- +elastic_stack_version: "5.x" + elasticsearch_cluster_name: Null elasticsearch_node_name: "${HOSTNAME}" elasticsearch_network_host: "[_site_, _local_]" diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index ff395cb5..1a0ad8dc 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -19,7 +19,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/5.x/apt stable main" + repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes diff --git a/filebeat/defaults/main.yml b/filebeat/defaults/main.yml index 6a950e17..89b6e753 100644 --- a/filebeat/defaults/main.yml +++ b/filebeat/defaults/main.yml 
@@ -1,3 +1,5 @@ --- +elastic_stack_version: "5.x" + filebeat_kibana_dashboards: False filebeat_logstash_plugin: False diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index 75f4bc2b..89c0f7ab 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -19,7 +19,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/5.x/apt stable main" + repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes diff --git a/kibana/defaults/main.yml b/kibana/defaults/main.yml index 6fd7e16f..e167c21f 100644 --- a/kibana/defaults/main.yml +++ b/kibana/defaults/main.yml @@ -1,4 +1,5 @@ --- +elastic_stack_version: "5.x" kibana_server_host: "127.0.0.1" kibana_server_basepath: "" diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 6803568a..55e0c848 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -19,7 +19,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/5.x/apt stable main" + repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes 
@@ -64,27 +64,27 @@ owner: root group: root -- name: Get mount options for /usr partition - shell: "mount | grep 'on /usr type'" - args: - warn: no - register: mount - changed_when: False - failed_when: False - when: not ansible_check_mode - -- block: - - include_role: - name: remount-usr - - - name: Move kibana optimize directory - shell: "mv /usr/share/kibana/{{ item }} /var/lib/kibana/{{ item }} && ln -s /var/lib/kibana/{{ item }} /usr/share/kibana/{{ item }}" - args: - creates: "/var/lib/kibana/{{ item }}" - notify: restart kibana - with_items: - - optimize - - data +# - name: Get mount options for /usr partition +# shell: "mount | grep 'on /usr type'" +# args: +# warn: no +# register: mount +# changed_when: False +# failed_when: False +# when: not ansible_check_mode +# +# - block: +# - include_role: +# name: remount-usr +# +# - name: Move kibana optimize directory +# shell: "mv /usr/share/kibana/{{ item }} /var/lib/kibana/{{ item }} && ln -s /var/lib/kibana/{{ item }} /usr/share/kibana/{{ item }}" +# args: +# creates: "/var/lib/kibana/{{ item }}" +# notify: restart kibana +# with_items: +# - optimize +# - data - include: proxy_nginx.yml when: kibana_proxy_nginx diff --git a/logstash/defaults/main.yml b/logstash/defaults/main.yml index e563f517..38b7f85f 100644 --- a/logstash/defaults/main.yml +++ b/logstash/defaults/main.yml @@ -1,4 +1,6 @@ --- +elastic_stack_version: "5.x" + logstash_jvm_xms: 256m logstash_jvm_xmx: 1g logstash_log_rotate_days: 365 diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index 71be5614..61c585bf 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -19,7 +19,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/5.x/apt stable main" + repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes 
From bcd3553cbbb64a71ef7b3f4b73432a8022d6d425 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 26 Nov 2017 12:32:33 +0100 Subject: [PATCH 07/42] minifirewall: add debug for variables --- minifirewall/tasks/config.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index ea6b1a9e..7ed07a91 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -1,5 +1,12 @@ --- +- debug: + var: minifirewall_trusted_ips + verbosity: 1 +- debug: + var: minifirewall_privilegied_ips + verbosity: 1 + - name: Check if minifirewall is running shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" changed_when: False From cc12f15b231e19b7e17a86ca80fcd72424f13131 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 26 Nov 2017 12:38:59 +0100 Subject: [PATCH 08/42] elasticsearch: update curator debian repository --- elasticsearch/tasks/curator.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/elasticsearch/tasks/curator.yml b/elasticsearch/tasks/curator.yml index e2546c7a..c7c44259 100644 --- a/elasticsearch/tasks/curator.yml +++ b/elasticsearch/tasks/curator.yml @@ -1,9 +1,13 @@ --- +- name: Use the correct debian repository + set_fact: + curator_debian_repository: '{% if ansible_distribution_release == "jessie" %}debian{% else %}debian9{% endif %}' + - name: Curator sources list is available apt_repository: - repo: "deb http://packages.elastic.co/curator/4/debian stable main" - filename: elastic + repo: "deb https://packages.elastic.co/curator/5/{{ curator_debian_repository }} stable main" + filename: curator update_cache: yes state: present tags: From 19b6773b18505b7303a0b00cebdf367c2517e5b2 Mon Sep 17 00:00:00 2001 
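Review bot: Switching `filename` from `elastic` to `curator` adds a new `curator.list`, but the entry `deb http://packages.elastic.co/curator/4/debian stable main` written into `elastic.list` by the old task is not removed, so hosts provisioned before this change keep the Curator 4 source (over plain HTTP) alongside the new Curator 5 one. Add a cleanup task before this one: `apt_repository:` with `repo: "deb http://packages.elastic.co/curator/4/debian stable main"`, `filename: elastic` and `state: absent`.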
From: Jeremy Lecour Date: Sun, 26 Nov 2017 12:44:41 +0100 Subject: [PATCH 09/42] nginx: adjust apt preferences for backports All variants of nginx and libssl are used from backports --- nginx/files/apt/nginx_preferences | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/files/apt/nginx_preferences b/nginx/files/apt/nginx_preferences index e8f693bd..1c8275d1 100644 --- a/nginx/files/apt/nginx_preferences +++ b/nginx/files/apt/nginx_preferences @@ -1,3 +1,3 @@ -Package: nginx nginx-common nginx-doc nginx-extras nginx-extras-dbg nginx-full nginx-full-dbg nginx-light nginx-light-dbg libnginx-mod-* libssl1.0.0 +Package: nginx nginx-* libnginx-* libssl* Pin: release a=jessie-backports Pin-Priority: 999 From 690e44ac5de97ff177fecf2051ce7d58cac12abd Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 26 Nov 2017 18:58:39 +0100 Subject: [PATCH 10/42] mysql: check_mode for nrpe password --- mysql/tasks/nrpe.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/mysql/tasks/nrpe.yml b/mysql/tasks/nrpe.yml index 88765193..c02fc007 100644 --- a/mysql/tasks/nrpe.yml +++ b/mysql/tasks/nrpe.yml @@ -22,6 +22,7 @@ - name: Create a password for NRPE command: "apg -n 1 -m 16 -M lcN" register: mysql_nrpe_password + check_mode: no changed_when: False - name: Create nrpe user From f21ce97903e6ea837a2596c35303ba9072bd8ba5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 26 Nov 2017 19:29:56 +0100 Subject: [PATCH 11/42] jenkins: remember squid whitelist --- jenkins/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 19496958..a2e7c0aa 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -1,5 +1,10 @@ --- +## TODO: add those URLs or domains to the proxy whitelist +# http://pkg.jenkins-ci.org/.* +# http://mirrors.jenkins.io/.* +# http://jenkins.mirror.isppower.de/.* + - name: Add jenkins GPG key apt_key: # url: https://jenkins-ci.org/debian/jenkins-ci.org.key 
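Review bot: The new `Package:` line pins `libssl*` rather than just `libssl1.0.0`, so every package matching the glob — not only the runtime library — is now pulled from jessie-backports at priority 999, and security updates for those then follow the backports suite rather than jessie/updates; presumably intended for nginx, but worth confirming for libssl. If only the runtime libraries are needed, keep an explicit list of the libssl packages and leave the wildcard for the `nginx-*` and `libnginx-*` packages.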
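Review bot: The `Create a password for NRPE` task in mysql/tasks/nrpe.yml registers the generated password in `mysql_nrpe_password` but has no `no_log: True`, so the apg output shows up in verbose runs and callback logs, and the added `check_mode: no` now makes that happen in check runs as well. Add `no_log: True` alongside `check_mode: no`.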
From f1063cce9497116c54c3e8b928758dcd13604b37 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 26 Nov 2017 19:30:24 +0100 Subject: [PATCH 12/42] rabbitmq: NRPE check and config --- rabbitmq/defaults/main.yml | 4 + rabbitmq/files/check_rabbitmq | 226 ++++++++++++++++++++++++++++++++++ rabbitmq/handlers/main.yml | 5 + rabbitmq/tasks/main.yml | 11 ++ rabbitmq/tasks/nrpe.yml | 31 +++++ 5 files changed, 277 insertions(+) create mode 100644 rabbitmq/defaults/main.yml create mode 100644 rabbitmq/files/check_rabbitmq create mode 100644 rabbitmq/tasks/nrpe.yml diff --git a/rabbitmq/defaults/main.yml b/rabbitmq/defaults/main.yml new file mode 100644 index 00000000..f08eeed9 --- /dev/null +++ b/rabbitmq/defaults/main.yml @@ -0,0 +1,4 @@ +--- + +rabbitmq_connections_critical: 200 +rabbitmq_connections_warning: 150 diff --git a/rabbitmq/files/check_rabbitmq b/rabbitmq/files/check_rabbitmq new file mode 100644 index 00000000..4969cc5a --- /dev/null +++ b/rabbitmq/files/check_rabbitmq 
@@ -0,0 +1,226 @@ +#!/usr/bin/env python2 +from optparse import OptionParser +import shlex +import subprocess +import sys +import requests +import json + +if "check_output" not in dir( subprocess ): # duck punch it in! + def f(*popenargs, **kwargs): + if 'stdout' in kwargs: + raise ValueError('stdout argument not allowed, it will be overridden.') + process = subprocess.Popen(stdout=subprocess.PIPE, *popenargs, **kwargs) + output, unused_err = process.communicate() + retcode = process.poll() + if retcode: + cmd = kwargs.get("args") + if cmd is None: + cmd = popenargs[0] + raise subprocess.CalledProcessError(retcode, cmd) + return output + subprocess.check_output = f + + +class RabbitCmdWrapper(object): + """So basically this just runs rabbitmqctl commands and returns parsed output. + Typically this means you need root privs for this to work. + Made this it's own class so it could be used in other monitoring tools + if desired.""" + + @classmethod + def list_connections(cls): + args = shlex.split("sudo rabbitmqctl list_connections") + cmd_result = subprocess.check_output(args).strip() + results = cls._parse_list_results(cmd_result) + return results + + @classmethod + def list_queues(cls): + args = shlex.split('sudo rabbitmqctl list_queues') + cmd_result = subprocess.check_output(args).strip() + results = cls._parse_list_results(cmd_result) + return results + + @classmethod + def status(cls): + args = shlex.split('sudo rabbitmqctl status') + cmd_result = subprocess.check_output(args).strip() + results = cls._parse_list_results(cmd_result) + return results + + @classmethod + def _parse_list_results(cls, result_string): + results = result_string.strip().split('\n') + #remove text fluff + if "Listing connections ..." in results: results.remove("Listing connections ...") + if "Listing queues ..." 
in results: results.remove("Listing queues ...") + return_data = [] + for row in results: + return_data.append(row.split('\t')) + return return_data + + +def check_connection_count(critical=0, warning=0): + """Checks to make sure the numbers of connections are within parameters.""" + try: + count = len(RabbitCmdWrapper.list_connections()) + if count >= critical: + print "CRITICAL - Connection Count %d" % count + sys.exit(2) + elif count >= warning: + print "WARNING - Connection Count %d" % count + sys.exit(1) + else: + print "OK - Connection Count %d" % count + except Exception, err: + print "CRITICAL - %s" % err + + +def check_queues_count(critical=1000, warning=1000): + """ + A blanket check to make sure all queues are within count parameters. + TODO: Possibly break this out so test can be done on individual queues. + """ + try: + critical_q = [] + warning_q = [] + results = RabbitCmdWrapper.list_queues() + for queue in results: + if queue.count == 2: + count = int(queue[1]) + if count >= critical: + critical_q.append("%s: %s" % (queue[0], count)) + elif count >= warning: + warning_q.append("%s: %s" % (queue[0], count)) + if critical_q: + print "CRITICAL - %s" % ", ".join(critical_q) + sys.exit(2) + elif warning_q: + print "WARNING - %s" % ", ".join(warning_q) + sys.exit(1) + else: + print "OK - NO QUEUES EXCEED THRESHOLDS" + sys.exit(0) + except Exception, err: + print "CRITICAL - %s" % err + sys.exit(2) + +def check_mem_usage(critical=75, warning=50): + """Check to make sure the RAM usage of rabbitmq process does not exceed 50%% of its max""" + try: + results = RabbitCmdWrapper.status() + + for idx,val in enumerate(results): + if "memory," in str(val): + mem_used_raw = str(results[idx + 1]) + if "vm_memory_limit" in str(val): + mem_limit_raw = str(val) + + memory_used = float(filter(str.isdigit, mem_used_raw)) + memory_limit = float(filter(str.isdigit, mem_limit_raw)) + percent_usage = int(memory_used/memory_limit * 100) + + if percent_usage > critical: + print 
"CRITICAL - RABBITMQ RAM USAGE at %s%% of max" % percent_usage + sys.exit(2) + elif percent_usage > warning: + print "WARNING - RABBITMQ RAM USAGE at %s%% of max" % percent_usage + sys.exit(1) + else: + print "OK - RABBITMQ RAM USAGE OK at %s%% of max" % percent_usage + sys.exit(0) + except Exception, err: + print "Critical - %s" % err + sys.exit(2) + +def check_aliveness(username, password, timeout, cluster): + """Declares a test queue, then publishes and consumes a message. Intended for use by monitoring tools. If everything is working correctly, will return HTTP status 200 with body""" + try: + r = requests.get("http://%s:15672/api/aliveness-test/%%2F" % cluster, auth=(username, password), timeout=timeout) + except requests.exceptions.RequestException as e: # Throw error if rabbitmq is down + print "Critical - %s" % e + sys.exit(2) + if r.status_code == 200: + print "OK - RABBITMQ Aliveness Test Returns: %s" % r + sys.exit(0) + elif r.status_code != 200: + print "CRITICAL - RabbitMQ Error: %s" % r.content + sys.exit(2) + else: + print "UNKNOWN - RABBITMQ Aliveness Test" + sys.ext(1) + +def check_cluster(username, password, timeout, cluster): + """Checks the health of a cluster, if a node is not running mark as offline """ + try: + url = "http://%s:15672/api/nodes" % cluster + r = requests.get(url, auth=(username, password), timeout=timeout) + except requests.exceptions.RequestException as e: # Throw error if no response + print "Critical - %s" % e + sys.exit(2) + text = r.text + nodes = json.loads(text) + + running_nodes = [] + failed_nodes = [] + for node in nodes: + if not node['running']: + failed_nodes.append(node['name']) + if node['running']: + running_nodes.append(node['name']) + if len(failed_nodes) == 1: + print "WARNING: RabbitMQ cluster is degraged: Not running %s" % failed_nodes[0] + sys.exit(1) + elif len(failed_nodes) >= 2: + print "CRITICAL: RabbitMQ cluster is critical: Not running %s" % failed_nodes + sys.exit(2) + else: + print "OK: RabbitMQ 
cluster members: %s" % (" ".join(running_nodes)) + sys.exit(0) + + +USAGE = """Usage: ./check_rabbitmq -a [action] -C [critical] -W [warning] + Actions: + - connection_count + checks the number of connection in rabbitmq's list_connections + - queues_count + checks the count in each of the queues in rabbitmq's list_queues + - mem_usage + checks to ensure mem usage of rabbitmq process does not exceed 50% + - aliveness + Use the /api/aliveness-test API to send/receive a message. (requires -u username -p password args) + - cluster_status + Parse /api/nodes to check the cluster status. (requires -u username -p password""" + +if __name__ == "__main__": + parser = OptionParser(USAGE) + parser.add_option("-a", "--action", dest="action", + help="Action to Check") + parser.add_option("-C", "--critical", dest="critical", + type="int", help="Critical Threshold") + parser.add_option("-W", "--warning", dest="warning", + type="int", help="Warning Threshold") + parser.add_option("-u", "--username", dest="username", default="guest", + type="string", help="RabbitMQ username, Default guest") + parser.add_option("-p", "--password", dest="password", default="guest", + type="string", help="RabbitMQ password, Default guest") + parser.add_option("-t", "--timeout", dest="timeout", default=1, + type="int", help="Request Timeout, defaults to 1 second") + parser.add_option("-c", "--cluster", dest="cluster", default="localhost", + type="string", help="Cluster IP/DNS name, defaults to localhost") + (options, args) = parser.parse_args() + + if options.action == "connection_count": + check_connection_count(options.critical, options.warning) + elif options.action == "queues_count": + check_queues_count(options.critical, options.warning) + elif options.action == "mem_usage": + check_mem_usage(options.critical, options.warning) + elif options.action == "aliveness": + check_aliveness(options.username, options.password, options.timeout, options.cluster) + elif options.action == "cluster_status": + 
check_cluster(options.username, options.password, options.timeout, options.cluster) + else: + print "Invalid action: %s" % options.action + print USAGE diff --git a/rabbitmq/handlers/main.yml b/rabbitmq/handlers/main.yml index ee19e00e..4163ca25 100644 --- a/rabbitmq/handlers/main.yml +++ b/rabbitmq/handlers/main.yml @@ -4,3 +4,8 @@ name: rabbitmq-server state: restarted + +- name: restart nagios-nrpe-server + service: + name: nagios-nrpe-server + state: restarted diff --git a/rabbitmq/tasks/main.yml b/rabbitmq/tasks/main.yml index 336af58e..0002ed26 100644 --- a/rabbitmq/tasks/main.yml +++ b/rabbitmq/tasks/main.yml @@ -27,3 +27,14 @@ lineinfile: dest: /etc/default/rabbitmq-server line: ulimit -n 2048 + +- name: is NRPE present ? + stat: + path: /etc/nagios/nrpe.d/evolix.cfg + check_mode: no + register: nrpe_evolix_config + tags: + - nrpe + +- include: nrpe.yml + when: nrpe_evolix_config.stat.exists diff --git a/rabbitmq/tasks/nrpe.yml b/rabbitmq/tasks/nrpe.yml new file mode 100644 index 00000000..e0efe8fb --- /dev/null +++ b/rabbitmq/tasks/nrpe.yml 
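Review bot: `check_connection_count`, the only action wired into NRPE by this commit, prints `CRITICAL - …` from its `except` branch but never calls `sys.exit`, so a failing `rabbitmqctl` returns exit status 0 and Nagios records OK while the text says CRITICAL; add `sys.exit(2)` after that `print`, and an explicit `sys.exit(0)` on the OK branch for symmetry. `check_queues_count` compares the bound method `queue.count` with `2` (`if queue.count == 2:`), which is always False, so no queue is ever evaluated and that check always reports OK; `len(queue) == 2` is what was meant. `sys.ext(1)` in `check_aliveness` raises AttributeError. The script is copied from a third-party repository, so these fixes belong in the vendored copy with a comment noting the divergence from upstream.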
@@ -0,0 +1,31 @@ +--- + +- name: check_rabbitmq dependencies + apt: + name: python-requests + state: installed + +# https://raw.githubusercontent.com/CaptPhunkosis/check_rabbitmq/master/check_rabbitmq +- name: check_rabbitmq is installed + copy: + src: check_rabbitmq + dest: /usr/local/lib/nagios/plugins/check_rabbitmq + owner: root + group: root + mode: "0755" + force: yes + +- name: check_rabbitmq is available for NRPE + lineinfile: + dest: /etc/nagios/nrpe.d/evolix.cfg + regexp: 'command\[check_rab_connection_count\]' + line: 'command[check_rab_connection_count]=sudo /usr/local/lib/nagios/plugins/check_rabbitmq -a connection_count -C {{ rabbitmq_connections_critical }} -W {{ rabbitmq_connections_warning }}' + notify: restart nagios-nrpe-server + +- name: sudo without password for nagios + lineinfile: + dest: /etc/sudoers.d/evolinux + regexp: 'check_rabbitmq' + line: 'nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_rabbitmq' + insertafter: '^nagios' + validate: "visudo -cf %s" From 0dfc66683a805b892fb4ab410d7e36fcf456e11b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 27 Nov 2017 10:19:04 +0100 Subject: [PATCH 13/42] remove zidane.evolix.net from minifirewall --- minifirewall/files/minifirewall.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/minifirewall/files/minifirewall.conf b/minifirewall/files/minifirewall.conf index 12ea853f..a15f78b2 100644 --- a/minifirewall/files/minifirewall.conf +++ b/minifirewall/files/minifirewall.conf 
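Review bot: The sudoers line grants nagios root for the whole `check_rabbitmq` script with any arguments, while the check only needs `rabbitmqctl`, which the script already runs through its own `sudo rabbitmqctl …` calls. Granting `nagios ALL = NOPASSWD: /usr/sbin/rabbitmqctl list_connections` (path to confirm on the target) and dropping the leading `sudo` from the `command[check_rab_connection_count]` line keeps the Python code, its HTTP-API actions and its argument parsing out of root. Note also that `lineinfile` on `/etc/sudoers.d/evolinux` fails on a host where that file does not yet exist unless `create: yes` is set; hedged, since another role may guarantee the file.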
@@ -50,7 +50,7 @@ DNSSERVEURS='0.0.0.0/0' # HTTP authorizations # (you can use DNS names but set cron to reload minifirewall regularly) # (if you have HTTP proxy, set 0.0.0.0/0) -HTTPSITES='security.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net zidane.evolix.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org' +HTTPSITES='security.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org' # HTTPS authorizations HTTPSSITES='0.0.0.0/0' From 4c0fe3577fef68c2196f2e9dd06263ebc2e63539 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 27 Nov 2017 11:14:10 +0100 Subject: [PATCH 14/42] rbenv: Rbenv v1.1.1 and Ruby v2.4.2 --- rbenv/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rbenv/defaults/main.yml b/rbenv/defaults/main.yml index a3391737..096bb4ac 100644 --- a/rbenv/defaults/main.yml +++ b/rbenv/defaults/main.yml @@ -1,6 +1,6 @@ --- -rbenv_version: v1.1.0 -rbenv_ruby_version: 2.4.1 +rbenv_version: v1.1.1 +rbenv_ruby_version: 2.4.2 rbenv_root: "~/.rbenv" rbenv_repo: "https://github.com/rbenv/rbenv.git" rbenv_plugins: From 98029388d95da7a82e43bd2bdaa751450c5827fe Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Mon, 27 Nov 2017 14:21:36 +0100 Subject: [PATCH 15/42] remount-usr: Add README --- remount-usr/README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 remount-usr/README.md diff --git a/remount-usr/README.md b/remount-usr/README.md new file mode 100644 index 00000000..8457200c --- /dev/null +++ b/remount-usr/README.md 
@@ -0,0 +1,13 @@ +# remount-usr + +This is a role for mount /usr partition in rw and remount it with a handler. +Usefull when you use ro option in your /etc/fstab for /usr partition. + +## Usage + +Include this role in task before write on /usr partition (eg. copy a file) : + +~~~ +- include_role: + name: remount-usr +~~~ From fcdb92dc56f1f172e7d89fee09fa79e209d86552 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 27 Nov 2017 14:27:13 +0100 Subject: [PATCH 16/42] listupgrade: remount /usr as rw --- listupgrade/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index de9fdb2c..9bfe764e 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml @@ -1,4 +1,8 @@ --- + +- include_role: + name: remount-usr + - name: Scripts dir is present file: path: "/usr/share/scripts" From 33c4d54edcd4994e0e6f406a9583745bb6a7c6a5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 28 Nov 2017 10:43:15 +0100 Subject: [PATCH 17/42] rabbitmq: remount /usr before installing the check --- rabbitmq/tasks/nrpe.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rabbitmq/tasks/nrpe.yml b/rabbitmq/tasks/nrpe.yml index e0efe8fb..116bd75d 100644 --- a/rabbitmq/tasks/nrpe.yml +++ b/rabbitmq/tasks/nrpe.yml @@ -5,6 +5,9 @@ name: python-requests state: installed +- include_role: + name: remount-usr + # https://raw.githubusercontent.com/CaptPhunkosis/check_rabbitmq/master/check_rabbitmq - name: check_rabbitmq is installed copy: From 635aa5f8a1c2d22b26b62495cb96c94116c6c396 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 28 Nov 2017 15:17:36 +0100 Subject: [PATCH 18/42] php.ini custom file permissions Thanks to root's umask, the copied file doesn't ave the proper permissions : 0600 (actual) instead of 0644 (expected) --- php/tasks/php_jessie.yml | 2 +- php/tasks/php_stretch.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) 
diff --git a/php/tasks/php_jessie.yml b/php/tasks/php_jessie.yml index 12f3a4f8..10d1c6f7 100644 --- a/php/tasks/php_jessie.yml +++ b/php/tasks/php_jessie.yml @@ -48,6 +48,7 @@ - name: Custom php.ini for CLI copy: dest: "{{ phpini_cli_custom_file }}" + mode: "0644" content: | ; Put customized values here. force: no @@ -62,4 +63,3 @@ with_items: - { option: "date.timezone", value: "Europe/Paris" } when: php_symfony_requirements - diff --git a/php/tasks/php_stretch.yml b/php/tasks/php_stretch.yml index 4ed4c8b5..31ba2798 100644 --- a/php/tasks/php_stretch.yml +++ b/php/tasks/php_stretch.yml @@ -49,6 +49,7 @@ - name: "Custom php.ini for CLI (Debian 9 or later)" copy: dest: "{{ phpini_cli_custom_file }}" + mode: "0644" content: | ; Put customized values here. ; default_charset = "ISO-8859-1" From 3d5c004d8a522b654df2d28b8517a9998904f864 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 29 Nov 2017 10:02:02 +0100 Subject: [PATCH 19/42] mysql: parameterize evolinux config files The tmpdir task was not using the right file. We use a variable for those files, to hemp with maintenance ans customization. --- mysql/defaults/main.yml | 3 +++ mysql/tasks/config_jessie.yml | 8 ++++++-- mysql/tasks/config_stretch.yml | 8 ++++++-- mysql/tasks/datadir.yml | 5 ++++- mysql/tasks/tmpdir.yml | 2 +- 5 files changed, 20 insertions(+), 6 deletions(-) diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml index d56e5999..ff40c88a 100644 --- a/mysql/defaults/main.yml +++ b/mysql/defaults/main.yml @@ -22,3 +22,6 @@ mysql_cron_mysqltuner: True mysql_cron_mysqltuner_frequency: monthly mysql_force_new_nrpe_password: False + +mysql_evolinux_defaults_file: z-evolinux-defaults.cnf +mysql_evolinux_custom_file: zzz-evolinux-custom.cnf diff --git a/mysql/tasks/config_jessie.yml b/mysql/tasks/config_jessie.yml index dcb83a61..9fe11bb7 100644 --- a/mysql/tasks/config_jessie.yml +++ b/mysql/tasks/config_jessie.yml 
@@ -1,8 +1,12 @@ --- + +- set_fact: + mysql_config_directory: /etc/mysql/conf.d + - name: "Copy MySQL defaults config file (jessie)" copy: src: evolinux-defaults.cnf - dest: /etc/mysql/conf.d/z-evolinux-defaults.cnf + dest: "{{ mysql_config_directory }}/{{ mysql_evolinux_defaults_file }}" owner: root group: root mode: "0644" @@ -13,7 +17,7 @@ - name: "Copy MySQL custom config file (jessie)" template: src: evolinux-custom.cnf.j2 - dest: /etc/mysql/conf.d/zzz-evolinux-custom.cnf + dest: "{{ mysql_config_directory }}/{{ mysql_evolinux_custom_file }}" owner: root group: root mode: "0644" diff --git a/mysql/tasks/config_stretch.yml b/mysql/tasks/config_stretch.yml index 22b2d312..eb31086e 100644 --- a/mysql/tasks/config_stretch.yml +++ b/mysql/tasks/config_stretch.yml @@ -1,8 +1,12 @@ --- + +- set_fact: + mysql_config_directory: /etc/mysql/mariadb.conf.d + - name: "Copy MySQL defaults config file (Debian 9 or later)" copy: src: evolinux-defaults.cnf - dest: /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf + dest: "{{ mysql_config_directory }}/{{ mysql_evolinux_defaults_file }}" owner: root group: root mode: "0644" @@ -13,7 +17,7 @@ - name: "Copy MySQL custom config file (Debian 9 or later)" template: src: evolinux-custom.cnf.j2 - dest: /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf + dest: "{{ mysql_config_directory }}/{{ mysql_evolinux_custom_file }}" owner: root group: root mode: "0644" diff --git a/mysql/tasks/datadir.yml b/mysql/tasks/datadir.yml index b8d39aac..28beb1ed 100644 --- a/mysql/tasks/datadir.yml +++ b/mysql/tasks/datadir.yml @@ -39,4 +39,7 @@ state: started tags: - mysql - when: mysql_custom_datadir != '' and mysql_custom_datadir != mysql_current_real_datadir_test.stdout and not mysql_custom_datadir_test.stat.exists + when: + - mysql_custom_datadir != '' + - mysql_custom_datadir != mysql_current_real_datadir_test.stdout + - not mysql_custom_datadir_test.stat.exists 
diff --git a/mysql/tasks/tmpdir.yml b/mysql/tasks/tmpdir.yml index 7cbd7de8..35942612 100644 --- a/mysql/tasks/tmpdir.yml +++ b/mysql/tasks/tmpdir.yml @@ -13,7 +13,7 @@ - name: Configure tmpdir ini_file: - dest: /etc/mysql/conf.d/zzz_evolinux.cnf + dest: "{{ mysql_config_directory }}/{{ mysql_evolinux_custom_file }}" section: mysqld option: tmpdir value: "{{ mysql_custom_tmpdir }}" From b7d4f92ad22336b417ebe6ef471c0fd1229a993e Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 29 Nov 2017 14:17:38 +0100 Subject: [PATCH 20/42] rabbitmq: add a munin plugin --- rabbitmq/files/rabbitmq_connections | 66 +++++++++++++++++++++++++++++ rabbitmq/handlers/main.yml | 6 ++- rabbitmq/tasks/main.yml | 11 +++++ rabbitmq/tasks/munin.yml | 45 ++++++++++++++++++++ 4 files changed, 127 insertions(+), 1 deletion(-) create mode 100644 rabbitmq/files/rabbitmq_connections create mode 100644 rabbitmq/tasks/munin.yml diff --git a/rabbitmq/files/rabbitmq_connections b/rabbitmq/files/rabbitmq_connections new file mode 100644 index 00000000..fb254604 --- /dev/null +++ b/rabbitmq/files/rabbitmq_connections 
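Review bot: `mysql_config_directory` is only defined by the `set_fact` tasks this commit adds to config_jessie.yml and config_stretch.yml, and the new `dest` line here depends on it; if tmpdir.yml runs without one of those having run first (tag filtering, a `tasks_from` include), the task fails on an undefined variable. A default in defaults/main.yml next to the two new `mysql_evolinux_*_file` variables, or a `default()` filter on this line, would make the task self-contained. Note also that the previous destination was `zzz_evolinux.cnf`, so hosts configured by the earlier version may keep a stale file with its own `tmpdir` setting alongside the new one; the commit does not remove it.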
@@ -0,0 +1,66 @@ +#!/bin/sh +# +# Plugin to monitor the number of connections to RabbitMQ +# +# Usage: Link or copy into /etc/munin/node.d/ +# +# Parameters +# env.conn_warn +# env.conn_crit +# +# Magic markers (optional - only used by munin-config and some +# installation scripts): +# +#%# family=auto +#%# capabilities=autoconf + +# If run with the "autoconf"-parameter, give our opinion on wether we +# should be run on this system or not. This is optinal, and only used by +# munin-config. In the case of this plugin, we should most probably +# always be included. + +if [ "$1" = "autoconf" ]; then + echo yes + exit 0 +fi + +HOME=/tmp/ + +# If run with the "config"-parameter, give out information on how the +# graphs should look. + +if [ "$1" = "config" ]; then + CONN_WARN=${queue_warn:-500} + CONN_CRIT=${queue_crit:-1000} + + # The host name this plugin is for. (Can be overridden to have + # one machine answer for several) + + # The title of the graph + echo 'graph_title RabbitMQ connections' + # Arguments to "rrdtool graph". In this case, tell it that the + # lower limit of the graph is '0', and that 1k=1000 (not 1024) + echo 'graph_args --base 1000 -l 0' + # The Y-axis label + echo 'graph_vlabel connections' + # We want Cur/Min/Avg/Max unscaled (i.e. 0.42 load instead of + # 420 milliload) + #echo 'graph_scale no' + echo 'graph_category RabbitMQ' + + echo "connections.label Connections" + echo "connections.warning $CONN_WARN" + echo "connections.critical $CONN_CRIT" + echo "connections.info Number of active connections" + + echo 'graph_info Shows the number of connections to RabbitMQ' + # Last, if run with the "config"-parameter, quit here (don't + # display any data) + exit 0 +fi + +# If not run with any parameters at all (or only unknown ones), do the +# real work - i.e. display the data. Almost always this will be +# "value" subfield for every data field. 
+ +echo "connections.value $(HOME=$HOME rabbitmqctl list_connections | grep -v "^Listing" | grep -v "done.$" | wc -l)" diff --git a/rabbitmq/handlers/main.yml b/rabbitmq/handlers/main.yml index 4163ca25..9f73baa6 100644 --- a/rabbitmq/handlers/main.yml +++ b/rabbitmq/handlers/main.yml @@ -4,8 +4,12 @@ name: rabbitmq-server state: restarted - - name: restart nagios-nrpe-server service: name: nagios-nrpe-server state: restarted + +- name: restart munin-node + service: + name: munin-node + state: restarted diff --git a/rabbitmq/tasks/main.yml b/rabbitmq/tasks/main.yml index 0002ed26..b251276d 100644 --- a/rabbitmq/tasks/main.yml +++ b/rabbitmq/tasks/main.yml @@ -38,3 +38,14 @@ - include: nrpe.yml when: nrpe_evolix_config.stat.exists + +- name: is Munin present ? + stat: + path: /etc/munin + check_mode: no + register: etc_munin_directory + tags: + - nrpe + +- include: munin.yml + when: etc_munin_directory.stat.exists diff --git a/rabbitmq/tasks/munin.yml b/rabbitmq/tasks/munin.yml new file mode 100644 index 00000000..1b410d37 --- /dev/null +++ b/rabbitmq/tasks/munin.yml @@ -0,0 +1,45 @@ +--- + +- include_role: + name: remount-usr + tags: + - rabbitmq + - munin + +- name: Create local munin directory + file: + name: /usr/local/share/munin/ + state: directory + mode: "0755" + tags: + - rabbitmq + - munin + +- name: Create local plugins directory + file: + name: /usr/local/share/munin/plugins/ + state: directory + mode: "0755" + tags: + - rabbitmq + - munin + +- name: Copy rabbitmq_connections munin plugin + copy: + src: rabbitmq_connections + dest: /usr/local/share/munin/plugins/rabbitmq_connections + mode: "0755" + notify: restart munin-node + tags: + - rabbitmq + - munin + +- name: Enable rabbitmq_connections munin plugin + file: + src: /usr/local/share/munin/plugins/rabbitmq_connections + dest: "/etc/munin/plugins/rabbitmq_connections" + state: link + notify: restart munin-node + tags: + - rabbitmq + - munin 
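Review bot: The header documents `env.conn_warn` / `env.conn_crit`, but the config branch reads `${queue_warn:-500}` and `${queue_crit:-1000}`, so thresholds set through munin's plugin configuration never take effect; change the two assignments to `CONN_WARN=${conn_warn:-500}` and `CONN_CRIT=${conn_crit:-1000}`. `HOME=/tmp/` also deserves a why-comment: the Erlang runtime behind rabbitmqctl presumably looks up (or creates) its cookie under `$HOME`, and pointing that at a world-writable directory means the cookie's location is shared with every local user — a dedicated directory for the munin-node user would be safer. The stray comment `# The host name this plugin is for.` describes nothing and can go.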
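Review bot: The new `is Munin present ?` task is tagged `nrpe`, which looks copied from the NRPE stat task above it; the tasks in munin.yml use `rabbitmq` and `munin`, so a `--tags munin` run skips the stat and leaves `etc_munin_directory` undefined for the `when` on the include. Change the tag to `- munin` (or `- rabbitmq` and `- munin`) and give the `- include: munin.yml` line the same tags so the conditional include is reachable under tag filtering.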
From 6588ee937f9e6562511db27d661771c8441e5f75 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 30 Nov 2017 16:02:41 +0100 Subject: [PATCH 21/42] nagios-nrpe: use check_procs for clamd check --- nagios-nrpe/templates/evolix.cfg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 38e29b27..b92c6db8 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -44,7 +44,7 @@ command[check_tomcat-http]=/usr/lib/nagios/plugins/check_tcp -p 8080 command[check_tomcat-ajp13]=/usr/lib/nagios/plugins/check_tcp -p 8009 command[check_proxy]=/usr/lib/nagios/plugins/check_http -H {{ nagios_nrpe_check_proxy_host }} command[check_redis]=/usr/lib/nagios/plugins/check_tcp -p 6379 -command[check_clamd]=/usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v +command[check_clamd]=/usr/lib/nagios/plugins/check_procs -C clamd command[check_clamav_db]=/usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/evolix.ndb command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5 command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex From a8cd567731895a453fabc29a936474e2a99961a8 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 30 Nov 2017 16:13:55 +0100 Subject: [PATCH 22/42] generate-ldif: add clamd service instead of clamav_db Because clamd and clamav_db services was merged. --- generate-ldif/templates/generateldif.sh.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2 index 0f3abcf2..0b45bc1c 100755 --- a/generate-ldif/templates/generateldif.sh.j2 +++ b/generate-ldif/templates/generateldif.sh.j2 
@@ -507,12 +507,12 @@ fi if [ -n "${clamav_version}" ]; then cat <> "${ldif_file}" -dn: ServiceName=clamav_db,${computer_dn} +dn: ServiceName=clamd,${computer_dn} NagiosEnabled: TRUE objectClass: EvoService -ServiceName: clamav_db +ServiceName: clamd ServiceType: antivirus -ServiceVersion: ClamAV ${clamav_version} +ServiceVersion: Clamd ${clamav_version} EOT fi From a1898f77053675913661415a05eec55cd375d19e Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 30 Nov 2017 18:11:03 +0100 Subject: [PATCH 23/42] Revert "nagios-nrpe: use check_procs for clamd check" This reverts commit 6588ee937f9e6562511db27d661771c8441e5f75. --- nagios-nrpe/templates/evolix.cfg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index b92c6db8..38e29b27 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -44,7 +44,7 @@ command[check_tomcat-http]=/usr/lib/nagios/plugins/check_tcp -p 8080 command[check_tomcat-ajp13]=/usr/lib/nagios/plugins/check_tcp -p 8009 command[check_proxy]=/usr/lib/nagios/plugins/check_http -H {{ nagios_nrpe_check_proxy_host }} command[check_redis]=/usr/lib/nagios/plugins/check_tcp -p 6379 -command[check_clamd]=/usr/lib/nagios/plugins/check_procs -C clamd +command[check_clamd]=/usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v command[check_clamav_db]=/usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/evolix.ndb command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5 command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex From 419416b53107cb32de0d91c7750ef267e29ecf08 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Thu, 30 Nov 2017 23:51:18 +0100 Subject: [PATCH 24/42] Varnish : reload or restart if needed --- varnish/tasks/main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index ffd80889..72884655 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -14,6 +14,7 @@ - /etc/default/varnish - /etc/default/varnishncsa - /etc/default/varnishlog + notify: reload varnish tags: - varnish @@ -24,6 +25,7 @@ mode: "0700" owner: root group: root + notify: reload varnish tags: - varnish @@ -39,7 +41,9 @@ src: varnish.conf.j2 dest: /etc/systemd/system/varnish.service.d/evolinux.conf force: yes - notify: reload systemd + notify: + - reload systemd + - restart varnish tags: - varnish From 1c4aa084216130bce158410fa23aad971afe0c45 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 1 Dec 2017 12:06:13 +0100 Subject: [PATCH 25/42] packmail (postfix + spamassassin): fix cron.d spam and sa-update --- postfix/tasks/packmail.yml | 2 +- spamassasin/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml index de9ee7ad..67853643 100644 --- a/postfix/tasks/packmail.yml +++ b/postfix/tasks/packmail.yml @@ -103,7 +103,7 @@ - name: enable spam.sh cron lineinfile: dest: /etc/cron.d/spam - line: "42 * * * * /usr/share/scripts/spam.sh" + line: "42 * * * * root /usr/share/scripts/spam.sh" create: yes state: present mode: "0640" diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml index cfcfa09b..59619ce9 100644 --- a/spamassasin/tasks/main.yml +++ b/spamassasin/tasks/main.yml @@ -43,7 +43,7 @@ - name: enable sa-update.sh cron lineinfile: dest: /etc/cron.d/sa-update - line: "42 6 5 1,4,7,10 * /usr/share/scripts/sa-update.sh" + line: "42 6 5 1,4,7,10 * root /usr/share/scripts/sa-update.sh" create: yes state: present mode: "0640" 
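Review bot: The third hunk notifies `restart varnish`, but no handler with that name exists at this commit — the visible varnish/handlers/main.yml defines `reload varnish` and `reload systemd`, and the `restart varnish` handler appears to be added only in a later patch of this series. Between the two commits the role aborts with an unknown-handler error, so the handler should land in the same commit as its first notification. The first two hunks attach `notify: reload varnish` to tasks that edit `/etc/default/varnish*`; those files are read at daemon start rather than on a VCL reload, so confirm a reload is enough or notify `restart varnish` there as well.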
From 23325df316c9043f5a678b9eb1e4c68d87f29f15 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Mon, 4 Dec 2017 11:08:41 +0100 Subject: [PATCH 26/42] nagios-nrpe: add bkctld check in evolix.cfg --- nagios-nrpe/templates/evolix.cfg.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 38e29b27..33ad9c51 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -50,6 +50,7 @@ command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex command[check_memcached]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211 command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 54321 +command[check_bkctld]=/usr/lib/nagios/plugins/check_bkctld # Local checks (not packaged) command[check_mem]={{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10 From 7a6b8451a93ba5b678dbacffcff4995b54e26d87 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Mon, 4 Dec 2017 11:22:03 +0100 Subject: [PATCH 27/42] Added "The total blob data length" pattern This will detect this error: [ERROR] InnoDB: The total blob data length (10066388) is greater than 10% of the total redo log size (100663296). Please increase total redo log size. --- mysql/templates/log2mail.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/mysql/templates/log2mail.j2 b/mysql/templates/log2mail.j2 index 948c7f07..d9269788 100644 --- a/mysql/templates/log2mail.j2 +++ b/mysql/templates/log2mail.j2 
@@ -22,3 +22,8 @@ file = /var/log/syslog pattern = "as a STORAGE ENGINE failed" mailto = {{ log2mail_alert_email or general_alert_email | mandatory }} template = /etc/log2mail/mail + +file = /var/log/syslog +pattern = "The total blob data length" +mailto = {{ log2mail_alert_email or general_alert_email | mandatory }} +template = /etc/log2mail/mail From d34ade44938c41c8c815ff03519e3498a54d06f6 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 4 Dec 2017 13:50:21 +0100 Subject: [PATCH 28/42] whitespaces --- proftpd/tasks/account.yml | 16 ++++++++-------- proftpd/tasks/main.yml | 14 +++++++------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/proftpd/tasks/account.yml b/proftpd/tasks/account.yml index c64ddc2e..7f3cbe58 100644 --- a/proftpd/tasks/account.yml +++ b/proftpd/tasks/account.yml @@ -6,7 +6,7 @@ changed_when: check_ftp_account.rc != 0 register: check_ftp_account tags: - - proftpd + - proftpd - name: Generate FTP password command: apg -n1 @@ -14,14 +14,14 @@ check_mode: no when: check_ftp_account.rc != 0 tags: - - proftpd + - proftpd - name: Print generated password debug: msg: "{{ ftp_password.stdout }}" when: check_ftp_account.rc != 0 tags: - - proftpd + - proftpd - name: Hash generated FTP password set_fact: @@ -29,7 +29,7 @@ check_mode: no when: check_ftp_account.rc != 0 tags: - - proftpd + - proftpd - name: Get current FTP password shell: grep "^{{ proftpd_name }}:" /etc/proftpd/vpasswd | cut -d':' -f2 @@ -38,7 +38,7 @@ when: check_ftp_account.rc == 0 changed_when: false tags: - - proftpd + - proftpd - name: Get current FTP password set_fact: @@ -47,7 +47,7 @@ when: check_ftp_account.rc == 0 changed_when: false tags: - - proftpd + - proftpd - name: Create FTP account lineinfile: @@ -58,7 +58,7 @@ line: "{{ proftpd_name }}:{{ proftpd_password }}:{{ proftpd_uid }}:{{ proftpd_gid }}::{{ proftpd_home }}:/bin/false" notify: restart proftpd tags: - - proftpd + - proftpd - name: Allow FTP account lineinfile: 
@@ -68,4 +68,4 @@ insertbefore: "DenyAll" notify: restart proftpd tags: - - proftpd + - proftpd diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index a0c5fbb2..a48c9836 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -4,8 +4,8 @@ name: proftpd-basic state: present tags: - - proftpd - - packages + - proftpd + - packages - name: ftpusers groupe exists group: @@ -13,7 +13,7 @@ state: present notify: restart proftpd tags: - - proftpd + - proftpd - name: local jail is installed template: @@ -23,7 +23,7 @@ force: no notify: restart proftpd tags: - - proftpd + - proftpd - name: mod_tls_memcache is disabled replace: @@ -32,7 +32,7 @@ replace: '#LoadModule mod_tls_memcache.c' notify: restart proftpd tags: - - proftpd + - proftpd - name: Put empty vpasswd file if missing copy: @@ -41,7 +41,7 @@ force: no notify: restart proftpd tags: - - proftpd + - proftpd # Why 440? Because should be edited with ftpasswd. # So, readonly when opened with vim. @@ -54,4 +54,4 @@ group: root notify: restart proftpd tags: - - proftpd + - proftpd From 12808feeffef8091a08480bccef6e163f28ff511 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 4 Dec 2017 14:59:34 +0100 Subject: [PATCH 29/42] varnish: add a restart handler --- varnish/handlers/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/varnish/handlers/main.yml b/varnish/handlers/main.yml index 25e0d5a5..7f9fd3ff 100644 --- a/varnish/handlers/main.yml +++ b/varnish/handlers/main.yml @@ -5,6 +5,12 @@ state: reloaded daemon_reload: yes +- name: restart varnish + systemd: + name: varnish + state: restarted + daemon_reload: yes + - name: reload systemd command: systemctl daemon-reload From 70a1dfa4dc147830195ea3a13b27a9b4bda7ffbd Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 4 Dec 2017 16:01:33 +0100 Subject: [PATCH 30/42] logstash: fix permissions on pipeline configuration --- logstash/tasks/main.yml | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index 61c585bf..8f740424 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -59,6 +59,9 @@ template: src: "{{ item }}" dest: /etc/logstash/conf.d/logstash.conf + owner: logstash + group: logstash + mode: "0640" force: yes with_first_found: - "templates/logstash/logstash.{{ inventory_hostname }}.conf.j2" From 5e1268ad653c02ba1eff3aa68055a721c655df01 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 5 Dec 2017 14:42:07 +0100 Subject: [PATCH 31/42] Install traceroute --- evolinux-base/tasks/packages.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index effa7c0c..ce0e2a1d 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -32,6 +32,7 @@ - mtr-tiny - curl - telnet + - traceroute when: evolinux_packages_diagnostic - name: Install/Update hardware tools From b3ad23fcc66bf6a7302319a118bb1127c2653c3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Tue, 5 Dec 2017 23:07:13 +0100 Subject: [PATCH 32/42] Nginx: fix fcgi Munin graphs fixes https://forge.evolix.org/issues/2371 --- nginx/files/init.d/spawn-fcgi-munin-graph | 130 ------------------ .../systemd/spawn-fcgi-munin-graph.service | 10 ++ nginx/tasks/munin_vhost.yml | 16 +-- 3 files changed, 16 insertions(+), 140 deletions(-) delete mode 100644 nginx/files/init.d/spawn-fcgi-munin-graph create mode 100644 nginx/files/systemd/spawn-fcgi-munin-graph.service diff --git a/nginx/files/init.d/spawn-fcgi-munin-graph b/nginx/files/init.d/spawn-fcgi-munin-graph deleted file mode 100644 index 7d5d6055..00000000 --- a/nginx/files/init.d/spawn-fcgi-munin-graph +++ /dev/null 
@@ -1,130 +0,0 @@ -#! /bin/sh - -### BEGIN INIT INFO -# Provides: spawn-fcgi-munin-graph -# Required-Start: $all -# Required-Stop: $all -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Description: starts FastCGI for Munin-Graph -### END INIT INFO -# -------------------------------------------------------------- -# Munin-CGI-Graph Spawn-FCGI Startscript by Julien Schmidt -# eMail: munin-trac at julienschmidt.com -# www: http://www.julienschmidt.com -# -------------------------------------------------------------- -# Install: -# 1. Copy this file to /etc/init.d -# 2. Edit the variables below -# 3. run "update-rc.d spawn-fcgi-munin-graph defaults" -# -------------------------------------------------------------- -# Special thanks for their help to: -# Frantisek Princ -# J�r�me Warnier -# -------------------------------------------------------------- -# Last Update: 14. February 2013 -# -# Please change the following variables: - -PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin -NAME=spawn-fcgi-munin-graph -PID_FILE=/var/run/munin/$NAME.pid -SOCK_FILE=/var/run/munin/$NAME.sock -SOCK_USER=www-data -FCGI_USER=munin -FCGI_GROUP=munin -FCGI_WORKERS=2 -DAEMON=/usr/bin/spawn-fcgi -DAEMON_OPTS="-s $SOCK_FILE -F $FCGI_WORKERS -U $SOCK_USER -u $FCGI_USER -g $FCGI_GROUP -P $PID_FILE -- /usr/lib/munin/cgi/munin-cgi-graph" - -# -------------------------------------------------------------- -# No edits necessary beyond this line -# -------------------------------------------------------------- - -if [ ! -x $DAEMON ]; then - echo "File not found or is not executable: $DAEMON!" - exit 0 -fi - -status() { - if [ ! -r $PID_FILE ]; then - return 1 - fi - - for FCGI_PID in `cat $PID_FILE`; do - if [ -z "${FCGI_PID}" ]; then - return 1 - fi - - FCGI_RUNNING=`ps -p ${FCGI_PID} | grep ${FCGI_PID}` - if [ -z "${FCGI_RUNNING}" ]; then - return 1 - fi - done; - - return 0 -} - -start() { - if status; then - echo "FCGI is already running!" 
- exit 1 - else - $DAEMON $DAEMON_OPTS - fi -} - -stop () { - if ! status; then - echo "No PID-file at $PID_FILE found or PID not valid. Maybe not running" - exit 1 - fi - - # Kill processes - for PID_RUNNING in `cat $PID_FILE`; do - kill -9 $PID_RUNNING - done - - # Remove PID-file - rm -f $PID_FILE - - # Remove Sock-File - rm -f $SOCK_FILE -} - -case "$1" in - start) - echo "Starting $NAME: " - start - echo "... DONE" - ;; - - stop) - echo "Stopping $NAME: " - stop - echo "... DONE" - ;; - - force-reload|restart) - echo "Stopping $NAME: " - stop - echo "Starting $NAME: " - start - echo "... DONE" - ;; - - status) - if status; then - echo "FCGI is RUNNING" - else - echo "FCGI is NOT RUNNING" - fi - ;; - - *) - echo "Usage: $0 {start|stop|force-reload|restart|status}" - exit 1 - ;; -esac - -exit 0 diff --git a/nginx/files/systemd/spawn-fcgi-munin-graph.service b/nginx/files/systemd/spawn-fcgi-munin-graph.service new file mode 100644 index 00000000..103d25c5 --- /dev/null +++ b/nginx/files/systemd/spawn-fcgi-munin-graph.service @@ -0,0 +1,10 @@ +[Unit] +Description=Munin zoom for nginx. +After=network.target + +[Service] +ExecStart=/usr/bin/spawn-fcgi -s /var/run/munin/spawn-fcgi-munin-graph.sock -U www-data -u munin -g munin /usr/lib/munin/cgi/munin-cgi-graph +Type=forking + +[Install] +WantedBy=default.target diff --git a/nginx/tasks/munin_vhost.yml b/nginx/tasks/munin_vhost.yml index d45353c0..3ff20c09 100644 --- a/nginx/tasks/munin_vhost.yml +++ b/nginx/tasks/munin_vhost.yml @@ -12,6 +12,7 @@ state: present with_items: - liblwp-useragent-determined-perl + - libcgi-fast-perl - spawn-fcgi - name: Adjust rights for munin-cgi 
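Review bot: `Type=forking` without a `PIDFile=` leaves systemd guessing the main process after spawn-fcgi exits, and the removed init script passed `-P` with a pid file and `-F 2` for the worker count, both of which this unit drops. Adding `-P /var/run/munin/spawn-fcgi-munin-graph.pid` to `ExecStart` together with `PIDFile=/var/run/munin/spawn-fcgi-munin-graph.pid` (or running spawn-fcgi with `-n` under `Type=simple`) makes the service state reliable. `Description=Munin zoom for nginx.` could say what it runs, e.g. `Description=spawn-fcgi wrapper for munin-cgi-graph`, and `WantedBy=multi-user.target` is the usual target for a system daemon.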
@@ -24,17 +25,12 @@ - name: Install Init script for Munin-fcgi copy: - src: init.d/spawn-fcgi-munin-graph - dest: /etc/init.d/ - mode: "0755" - register: install_spawn_fcgi_munin_graph + src: systemd/spawn-fcgi-munin-graph.service + dest: /etc/systemd/system/spawn-fcgi-munin-graph.service -- name: Reload systemd - command: systemctl daemon-reload - when: install_spawn_fcgi_munin_graph | changed - -- name: Ensure that Munin-fcgi is started/stopped correctly - service: +- name: Enable and start Munin-fcgi + systemd: name: spawn-fcgi-munin-graph + daemon_reload: yes enabled: yes state: started From f0bc63e02ec9cc2cf1c88b217799f822cb304897 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Tue, 5 Dec 2017 23:30:51 +0100 Subject: [PATCH 33/42] Nginx: fix permissions for munin-cgi log files --- nginx/tasks/munin_vhost.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/nginx/tasks/munin_vhost.yml b/nginx/tasks/munin_vhost.yml index 3ff20c09..b4145724 100644 --- a/nginx/tasks/munin_vhost.yml +++ b/nginx/tasks/munin_vhost.yml @@ -18,8 +18,9 @@ - name: Adjust rights for munin-cgi file: path: '{{ item }}' - owner: munin - group: adm + owner: www-data + group: munin + mode: "0660" with_fileglob: - /var/log/munin/munin-cgi-* From 3a3708e9a6d4a46790b338dcd7d723a03fc463fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Tue, 5 Dec 2017 23:44:59 +0100 Subject: [PATCH 34/42] Nginx: really fix munin-cgi log files permission with_fileglob is executed locally, not remotely. It is useless here. Instead, let's explicitely chown all files with a shell command. --- nginx/tasks/munin_vhost.yml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/nginx/tasks/munin_vhost.yml b/nginx/tasks/munin_vhost.yml index b4145724..bd6c5ee6 100644 --- a/nginx/tasks/munin_vhost.yml +++ b/nginx/tasks/munin_vhost.yml 
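Review bot: The `copy` of the unit file sets neither `mode` nor `owner`/`group`, so it inherits the remote umask — the same problem this series fixed in the php role with an explicit `mode: "0644"`; add `mode: "0644"` here so unit files under /etc/systemd/system are consistently readable. The task name `Install Init script for Munin-fcgi` is now misleading since it installs a systemd unit; `Install systemd unit for Munin-fcgi` would be accurate. Nothing restarts the service when the unit file changes (the `systemd` task only enables and starts it), so a `notify` on the copy task with a matching restart handler would keep a changed unit in sync.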
@@ -16,13 +16,11 @@ - spawn-fcgi - name: Adjust rights for munin-cgi - file: - path: '{{ item }}' - owner: www-data - group: munin - mode: "0660" - with_fileglob: - - /var/log/munin/munin-cgi-* + shell: "chown --verbose www-data:munin /var/log/munin/munin-cgi-*" + register: command_result + changed_when: "'changed' in command_result.stdout" + args: + warn: no - name: Install Init script for Munin-fcgi copy: From 1faf0faa6bf51e08aba6a8a77e8a343c92de89a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 6 Dec 2017 00:09:08 +0100 Subject: [PATCH 35/42] Remove openntpd before installing serveur-base --- evolinux-base/tasks/packages.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index ce0e2a1d..bc419454 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -60,12 +60,6 @@ - pinentry-curses when: evolinux_packages_common -- name: Install/Update serveur-base meta-package - apt: - name: serveur-base - allow_unauthenticated: yes - when: evolinux_packages_serveur_base - - name: Be sure that openntpd package is absent/purged apt: name: openntpd @@ -73,6 +67,12 @@ purge: yes when: evolinux_packages_purge_openntpd +- name: Install/Update serveur-base meta-package + apt: + name: serveur-base + allow_unauthenticated: yes + when: evolinux_packages_serveur_base + - name: Install/Update packages for Stretch and later apt: name: "{{ item }}" From ce837d5cfd2f5c9d443396625e1f1b3be3962280 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 6 Dec 2017 00:09:31 +0100 Subject: [PATCH 36/42] Remove openntpd before installing ntp --- ntpd/tasks/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ntpd/tasks/main.yml b/ntpd/tasks/main.yml index 8536149e..2d66d765 100644 --- a/ntpd/tasks/main.yml +++ b/ntpd/tasks/main.yml 
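Review bot: The replacement `shell` task drops the `mode: "0660"` the previous commit set, so only ownership is enforced and the log files keep whatever mode they were created with; confirm the munin group no longer needs write access, or add a `chmod` to the command. The `changed_when: "'changed' in command_result.stdout"` test depends on chown's English output, so prefix the command with `LC_ALL=C` to keep it stable on a localized host, and note that an unmatched glob makes the shell pass the literal pattern and the task fail. A `find` task with `paths: /var/log/munin` and `patterns: "munin-cgi-*"` feeding a looped `file` task would give the same result idempotently and without `warn: no`.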
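Review bot: The moved `Install/Update serveur-base meta-package` task keeps `allow_unauthenticated: yes`, which turns off apt's signature verification for that install; the reorder is fine, but a comment stating why the package cannot be verified (and which repository provides it) would help, and if a repository key is available the option should go. The hunk also shows `purge: yes` on the openntpd removal here while the ntpd role's new removal task (patch 36) uses plain `state: absent`; aligning the two avoids leaving openntpd configuration behind on one path but not the other.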
@@ -1,4 +1,11 @@ --- +- name: Remove openntpd package + apt: + name: openntpd + state: absent + tags: + - ntp + - name: Install ntp package apt: name: ntp From 0da21a5ac6661edf15917185883632a3e59ebcdb Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 6 Dec 2017 16:06:18 +0100 Subject: [PATCH 37/42] ntpd: fix default configuration --- ntpd/defaults/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ntpd/defaults/main.yml b/ntpd/defaults/main.yml index 61a0846f..163b3c2d 100644 --- a/ntpd/defaults/main.yml +++ b/ntpd/defaults/main.yml @@ -2,7 +2,6 @@ ntpd_servers: - 'ntp.evolix.net' ntpd_acls: +- 'default ignore' - '127.0.0.1' - '::1' -- '-4 ignore' -- '-6 ignore' From 49fff767a9a8ac4755cf4455aa505cbf1209e802 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 6 Dec 2017 20:38:25 +0100 Subject: [PATCH 38/42] Fix #2345 : apply fix for v4 *and* v6 for syntax bug in conf file --- ntpd/defaults/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ntpd/defaults/main.yml b/ntpd/defaults/main.yml index 163b3c2d..5b86419e 100644 --- a/ntpd/defaults/main.yml +++ b/ntpd/defaults/main.yml @@ -2,6 +2,8 @@ ntpd_servers: - 'ntp.evolix.net' ntpd_acls: -- 'default ignore' - '127.0.0.1' - '::1' +- '-4 default ignore' +- '-6 default ignore' + From 762d2d7152797057b3bdcf444ef11fdb945c0219 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 7 Dec 2017 15:58:39 +0100 Subject: [PATCH 39/42] mongodb: fix log/lock files paths for Jessie --- mongodb/templates/mongod_jessie.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mongodb/templates/mongod_jessie.conf.j2 b/mongodb/templates/mongod_jessie.conf.j2 index 612819b6..bebb88d5 100644 --- a/mongodb/templates/mongod_jessie.conf.j2 +++ b/mongodb/templates/mongod_jessie.conf.j2 
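Review bot: `-4 default ignore` and `-6 default ignore` in ntpd/defaults/main.yml drop every packet not matched by a more specific restrict line, and the only specific entries are `127.0.0.1` and `::1`; if the template renders `ntpd_acls` as `restrict` lines (the template is not on this page), replies from the hosts in `ntpd_servers` are ignored as well and the daemon never synchronises. Each server needs its own entry, e.g. `- 'ntp.evolix.net nomodify notrap nopeer noquery'` for the default server, or `- 'source nomodify notrap nopeer noquery'` on ntpd versions that support the `source` keyword; please confirm against the rendered ntp.conf on a test host. The added trailing empty line at the end of the hunk is noise yamllint's `empty-lines` rule flags.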
@@ -17,7 +17,7 @@ systemLog: destination: file logRotate: reopen logAppend: true - path: {{ mongodb_logfile_path }} + path: /var/log/mongodb/mongod.log # network interfaces net: @@ -25,7 +25,7 @@ net: bindIp: {{ mongodb_bind }} processManagement: - pidFilePath: {{ mongodb_pidfile_path }} + pidFilePath: /var/lib/mongodb/mongod.lock #security: From 5980593470b0c0d5166e62f5939dc22bf4e594a2 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 8 Dec 2017 09:46:16 +0100 Subject: [PATCH 40/42] evoacme: move nginx acme challenge conf --- evoacme/tasks/nginx.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/evoacme/tasks/nginx.yml b/evoacme/tasks/nginx.yml index ea63284a..e55374c8 100644 --- a/evoacme/tasks/nginx.yml +++ b/evoacme/tasks/nginx.yml @@ -1,3 +1,11 @@ +--- + +- name: move acme challenge conf if missplaced + command: mv /etc/nginx/letsencrypt.conf /etc/nginx/snippets/letsencrypt.conf + args: + removes: /etc/nginx/letsencrypt.conf + creates: /etc/nginx/snippets/letsencrypt.conf + - name: Copy acme challenge conf template: src: templates/nginx.conf.j2 From 37f701eb541cc12f2ced947dbf86296cbd9f7be5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 8 Dec 2017 10:22:32 +0100 Subject: [PATCH 41/42] evoacme: typos --- evoacme/tasks/certbot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evoacme/tasks/certbot.yml b/evoacme/tasks/certbot.yml index f4038ce3..5288f5fd 100644 --- a/evoacme/tasks/certbot.yml +++ b/evoacme/tasks/certbot.yml @@ -6,7 +6,7 @@ name: apt tasks_from: backports.yml - - name: Add exceptions for certbot dependances + - name: Add exceptions for certbot dependencies copy: src: backports-certbot dest: /etc/apt/preferences.d/z-backports-certbot From 02719d93fd083d204de8c00ee0db5b4d853e2bff Mon Sep 17 00:00:00 2001 
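Review bot: `creates: /etc/nginx/snippets/letsencrypt.conf` on the new "move acme challenge conf if missplaced" task in evoacme/tasks/nginx.yml skips the `mv` when both files exist, so a host that already received the snippet keeps a stale `/etc/nginx/letsencrypt.conf` indefinitely, and on hosts where the move does happen any vhost still containing `include /etc/nginx/letsencrypt.conf;` fails the next nginx config test. A `file: path: /etc/nginx/letsencrypt.conf state: absent` task after the "Copy acme challenge conf" task covers the first case; the second needs the includes rewritten (or a note in the README that they must be), which this commit does not do. The play continues past the hunk.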
From: Jeremy Lecour Date: Fri, 8 Dec 2017 10:33:33 +0100 Subject: [PATCH 42/42] tomcat: compatible with Tomcat7 and Tomcat8 --- tomcat/README.md | 4 +-- .../{tomcat.service => tomcat_jessie.service} | 0 tomcat/files/tomcat_stretch.service | 15 ++++++++++ tomcat/tasks/main.yml | 7 ++++- .../{packages.yml => packages_jessie.yml} | 4 +-- tomcat/tasks/packages_stretch.yml | 29 +++++++++++++++++++ 6 files changed, 54 insertions(+), 5 deletions(-) rename tomcat/files/{tomcat.service => tomcat_jessie.service} (100%) create mode 100644 tomcat/files/tomcat_stretch.service rename tomcat/tasks/{packages.yml => packages_jessie.yml} (89%) create mode 100644 tomcat/tasks/packages_stretch.yml diff --git a/tomcat/README.md b/tomcat/README.md index 3f0a1de0..b969f526 100644 --- a/tomcat/README.md +++ b/tomcat/README.md @@ -1,7 +1,7 @@ # tomcat -Install a Tomcat depndancies for multiple tomcat instance. +Install Tomcat and its dependencies for multiple instances. ## Available variables -**tomcat_instance_root:** Root dir for Tomcat instance (default: /srv/tomcat) +**tomcat_instance_root**: Root dir for Tomcat instance (default: /srv/tomcat) diff --git a/tomcat/files/tomcat.service b/tomcat/files/tomcat_jessie.service similarity index 100% rename from tomcat/files/tomcat.service rename to tomcat/files/tomcat_jessie.service diff --git a/tomcat/files/tomcat_stretch.service b/tomcat/files/tomcat_stretch.service new file mode 100644 index 00000000..88d5b059 --- /dev/null +++ b/tomcat/files/tomcat_stretch.service @@ -0,0 +1,15 @@ +[Unit] +Description=Tomcat %u. +After=network.target + +[Service] +WorkingDirectory=%h +Environment="CATALINA_BASE=%h" +EnvironmentFile=%h/conf/env +UMask=0002 +ExecStart=/usr/share/tomcat8/bin/startup.sh +ExecStop=/usr/share/tomcat8/bin/shutdown.sh +Type=forking + +[Install] +WantedBy=default.target diff --git a/tomcat/tasks/main.yml b/tomcat/tasks/main.yml index d6e0947b..661c9651 100644 --- a/tomcat/tasks/main.yml +++ b/tomcat/tasks/main.yml 
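Review bot: `EnvironmentFile=%h/conf/env` in the new tomcat/files/tomcat_stretch.service makes the unit fail to start when the env file is absent; if the file is optional for an instance, `EnvironmentFile=-%h/conf/env` is the systemd spelling that tolerates a missing file, and if it is mandatory, a comment above the line saying that the instance root must provide it documents the contract. `Type=forking` without `PIDFile=` leaves systemd guessing the main process of `startup.sh`; if the instance's env sets `CATALINA_PID`, pointing `PIDFile=` at the same path gives reliable stop and status tracking. These points apply equally to the pre-existing jessie unit, which this commit only renames.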
@@ -1,3 +1,8 @@ --- -- include: packages.yml +- include: packages_jessie.yml + when: ansible_distribution_release == "jessie" + +- include: packages_stretch.yml + when: ansible_distribution_major_version | version_compare('9', '>=') + - include: nagios.yml diff --git a/tomcat/tasks/packages.yml b/tomcat/tasks/packages_jessie.yml similarity index 89% rename from tomcat/tasks/packages.yml rename to tomcat/tasks/packages_jessie.yml index 033d4f0e..6e618e24 100644 --- a/tomcat/tasks/packages.yml +++ b/tomcat/tasks/packages_jessie.yml @@ -1,5 +1,5 @@ --- -- name: Install dependancy +- name: Install packages apt: name: "{{ item }}" state: present @@ -18,7 +18,7 @@ - name: Copy systemd unit copy: - src: 'tomcat.service' + src: 'tomcat_jessie.service' dest: "/etc/systemd/user/tomcat.service" mode: "0755" diff --git a/tomcat/tasks/packages_stretch.yml b/tomcat/tasks/packages_stretch.yml new file mode 100644 index 00000000..abce4aae --- /dev/null +++ b/tomcat/tasks/packages_stretch.yml @@ -0,0 +1,29 @@ +--- +- name: Install packages + apt: + name: "{{ item }}" + state: present + with_items: + - 'tomcat8' + - 'tomcat8-user' + - 'libpam-systemd' + +- name: Create tomcat root dir + file: + path: "{{ tomcat_instance_root }}" + state: directory + owner: 'root' + group: 'root' + mode: "0755" + +- name: Copy systemd unit + copy: + src: 'tomcat_stretch.service' + dest: "/etc/systemd/user/tomcat.service" + mode: "0755" + +- name: Disable default tomcat8 service + service: + name: tomcat8 + state: stopped + enabled: false
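Review bot: The two `when` conditions in tomcat/tasks/main.yml are asymmetric (`ansible_distribution_release == "jessie"` against `ansible_distribution_major_version | version_compare('9', '>=')`), so a host that is neither, such as an older Debian release, silently gets no packages and the unconditional `nagios.yml` include then runs against an instance root that was never created. Either use the same fact on both sides, e.g. `when: ansible_distribution_major_version | version_compare('9', '<')` for the jessie branch, or add a `fail` task for unsupported releases so the mismatch is reported rather than skipped.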
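Review bot: `mode: "0755"` on the "Copy systemd unit" task in the new tomcat/tasks/packages_stretch.yml gives a systemd unit file an execute bit it does not need; `mode: "0644"` is what unit files under `/etc/systemd` conventionally carry (the same line exists in packages_jessie.yml). The copy is also not registered, so a changed user unit is never followed by a `systemctl --user daemon-reload` in the instances' managers; if that is handled elsewhere, a comment on the task pointing there would help the next reader. The `with_items` over a single `apt` task installs the packages one by one, so `name: "{{ item }}"` could become `name: ['tomcat8', 'tomcat8-user', 'libpam-systemd']` in a single apt transaction once the project's minimum Ansible version allows it.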