bundles/icinga2: introduce, install checks, install sources.list, create postgres database

2020-11-10 12:40:12 +01:00 · 2020-11-10 12:40:12 +01:00 · a176a1aa65
parent a9c00409b4
commit a176a1aa65
7 changed files with 288 additions and 0 deletions
--- a/bundles/icinga2/files/check_bl
+++ b/bundles/icinga2/files/check_bl
@ -0,0 +1,162 @@
+#!/usr/bin/perl -w
+#
+# check_bl plugin for nagios
+# $Revision: 1.0 $
+#
+# Nagios plugin designed to warn you if you mail servers appear in one of the
+# many anti-spam 'blacklists'
+#
+# By Sam Bashton, Bashton Ltd
+# bashton.com/content/nagios-plugins
+#
+#    This program is free software; you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation; either version 2 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, write to the Free Software
+#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+use strict;
+use lib "/usr/lib/nagios/plugins";
+use utils qw($TIMEOUT %ERRORS &print_revision &support);
+use Net::DNS;
+use vars qw($PROGNAME);
+my ($verbose,$host),;
+my ($opt_V,$opt_h,$opt_B,$opt_H,$opt_c);
+$opt_V = $opt_h = $opt_B = $opt_H = $opt_c = '';
+my $state = 'UNKNOWN';
+sub print_help();
+sub print_usage();
+
+$PROGNAME = "check_bl";
+
+$ENV{'BASH_ENV'}='';
+$ENV{'ENV'}='';
+$ENV{'PATH'}='';
+$ENV{'LC_ALL'}='C';
+
+use Getopt::Long;
+Getopt::Long::Configure('bundling');
+GetOptions(
+  "V"   => \$opt_V,   "version"       => \$opt_V,
+  "h"   => \$opt_h,   "help"          => \$opt_h,
+  "H=s" => \$opt_H,   "hostname=s"    => \$opt_H,
+  "B=s" => \$opt_B,   "blacklists=s"  => \$opt_B,
+  "c=s" => \$opt_c,   "critical=s"    => \$opt_c
+);
+
+# -h means display verbose help screen
+if ($opt_h) { print_help(); exit $ERRORS{'OK'}; }
+
+# -V means display version number
+if ($opt_V) {
+  print_revision($PROGNAME,'$Revision: 1.0 $ ');
+  exit $ERRORS{'OK'};
+}
+
+# First check the hostname is OK..
+unless ($opt_H) { print_usage(); exit $ERRORS{'UNKNOWN'}; }
+
+if (! utils::is_hostname($opt_H)){
+  print "$opt_H is not a valid host name\n";
+  print_usage();
+  exit $ERRORS{"UNKNOWN"};
+}else{
+  if ($opt_H =~ /[a-zA-Z]/ )
+  # If the host contains letters we assume it's a hostname, not an IP
+  {
+    $host = lookup($opt_H);
+  }
+  else { $host = $opt_H }
+}
+
+
+# $opt_c is a count of the blacklists a mail server is in,
+# after which state will be CRITICAL rather than WARNING
+# By default any listing is CRITICAL
+my $critcount = 0;
+if ($opt_c) { $critcount = $opt_c };
+
+# $opt_B is a comma seperated list of blacklists
+$opt_B = shift unless ($opt_B);
+unless ($opt_B) { print_usage(); exit -1 }
+my @bls = split(/,/, $opt_B);
+
+
+# Just in case of problems, let's not hang Nagios
+$SIG{'ALRM'} = sub {
+  print ("ERROR: No response from BL server (alarm)\n");
+  exit $ERRORS{"UNKNOWN"};
+};
+# XXX Originally, $TIMEOUT was used here. However, that's a static 15
+# seconds whereas our actual timeout is much longer. Hence, adjust it.
+alarm(240 - 10);
+
+my %listed; # Hash of blacklists we're listed in.
+foreach(@bls)
+{
+  if (blcheck($host,$_)) { $listed{$_} = 1 }
+}
+
+if (scalar(keys(%listed)) == 0) { $state = 'OK' }
+elsif (scalar(keys(%listed)) < $critcount) { $state = 'WARNING' }
+else { $state = 'CRITICAL' }
+
+if (%listed)
+{
+  print "Listed at";
+  foreach (keys(%listed)) { print " $_" }
+  print "\n";
+}
+else { print "Not black-listed\n" }
+
+exit $ERRORS{$state};
+
+
+########  Subroutines ==========================
+
+
+sub print_help() {
+  print_revision($PROGNAME,'$Revision: 1.0 $ ');
+  print "\n";
+  support();
+}
+
+sub print_usage () {
+  print "Usage: \n";
+  print " $PROGNAME -H host -B [blacklist1],[blacklist2] [-c critnum]\n";
+  print " $PROGNAME [-h | --help]\n";
+  print " $PROGNAME [-V | --version]\n";
+}
+
+sub blcheck
+{
+  my ($ip, $bl) = @_;
+  my $lookupip = $ip;
+  $lookupip =~
+  s/([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/$4.$3.$2.$1.$bl/;
+  if (lookup($lookupip)) { return 1 }
+  else { return 0 }
+}
+
+sub lookup
+{
+  my $tolookup = shift;
+  my $res = Net::DNS::Resolver->new;
+  my $query = $res->search($tolookup);
+  if ($query)
+  {
+    foreach my $rr ($query->answer)
+    {
+      next unless $rr->type eq "A"; # We're not interested in TXT records
+      return $rr->address;
+    }
+  }
+}
--- a/bundles/icinga2/files/check_by_sshmon
+++ b/bundles/icinga2/files/check_by_sshmon
@ -0,0 +1,51 @@
+#!/bin/sh
+
+UNKNOWN=3
+
+cmd=
+hostname=
+timeout=10
+
+while getopts c:h:t: name
+do
+    case $name in
+        c) cmd=$OPTARG ;;
+        h) hostname=$OPTARG ;;
+        t) timeout=$OPTARG ;;
+    esac
+done
+
+if [ -z "$cmd" ]
+then
+    echo 'check_by_sshmon: Option "-c $cmd" missing' >&2
+    exit $UNKNOWN
+fi
+
+if [ -z "$hostname" ]
+then
+    echo 'check_by_sshmon: Option "-h $hostname" missing' >&2
+    exit $UNKNOWN
+fi
+
+timeout "$timeout" \
+    ssh sshmon@"$hostname" \
+        -o IdentityFile=/etc/sshmon.priv \
+        -o StrictHostKeyChecking=accept-new \
+        -o ControlMaster=auto \
+        -o ControlPath=~/master-%C \
+        -o ControlPersist=30m \
+        -o HashKnownHosts=no \
+        "$cmd"
+exitcode=$?
+
+if [ "$exitcode" = 124 ]
+then
+    echo 'check_by_sshmon: Timeout while running check remotely' >&2
+    exit $UNKNOWN
+elif [ "$exitcode" = 255 ]
+then
+    echo 'check_by_sshmon: SSH error' >&2
+    exit $UNKNOWN
+else
+    exit $exitcode
+fi
--- a/bundles/icinga2/files/systemd_override.conf
+++ b/bundles/icinga2/files/systemd_override.conf
@ -0,0 +1,9 @@
+[Service]
+# Icinga's default for this is "mixed". It assumes that check commands
+# spawned by icinga will exit quickly.
+#
+# sshmon tells openssh to spawn a master process for each node. Those
+# won't quit by themselves for a long time (this is the point). In order
+# to avoid a long waiting period while shutting down icinga, just kill all
+# processes in the cgroup.
+KillMode=control-group
--- a/bundles/icinga2/items.py
+++ b/bundles/icinga2/items.py
@ -0,0 +1,11 @@
+assert node.has_bundle('postgresql')
+assert node.has_bundle('sshmon')
+
+files = {
+    '/usr/local/share/icinga/plugins/check_bl': {
+        'mode': '0755',
+    },
+    '/usr/local/share/icinga/plugins/check_by_sshmon': {
+        'mode': '0755',
+    },
+}
--- a/bundles/icinga2/metadata.py
+++ b/bundles/icinga2/metadata.py
@ -0,0 +1,24 @@
+defaults = {
+    'apt': {
+        'repos': {
+            'icinga2': {
+                'items': {
+                    'deb http://packages.icinga.com/{os} icinga-{os_release} main',
+                    'deb-src http://packages.icinga.com/{os} icinga-{os_release} main',
+                },
+            },
+        },
+    },
+    'postgresql': {
+        'roles': {
+            'icinga2': {
+                'password': repo.vault.password_for(f'{node.name} postgresql icinga2'),
+            },
+        },
+        'databases': {
+            'icinga2': {
+                'owner': 'icinga2',
+            },
+        },
+    },
+}
--- a/data/apt/files/gpg-keys/icinga2.asc
+++ b/data/apt/files/gpg-keys/icinga2.asc
@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.19 (GNU/Linux)
+
+mQGiBFKHzk4RBACSHMIFTtfw4ZsNKAA03Gf5t7ovsKWnS7kcMYleAidypqhOmkGg
+0petiYsMPYT+MOepCJFGNzwQwJhZrdLUxxMSWay4Xj0ArgpD9vbvU+gj8Tb02l+x
+SqNGP8jXMV5UnK4gZsrYGLUPvx47uNNYRIRJAGOPYTvohhnFJiG402dzlwCg4u5I
+1RdFplkp9JM6vNM9VBIAmcED/2jr7UQGsPs8YOiPkskGHLh/zXgO8SvcNAxCLgbp
+BjGcF4Iso/A2TAI/2KGJW6kBW/Paf722ltU6s/6mutdXJppgNAz5nfpEt4uZKZyu
+oSWf77179B2B/Wl1BsX/Oc3chscAgQb2pD/qPF/VYRJU+hvdQkq1zfi6cVsxyREV
+k+IwA/46nXh51CQxE29ayuy1BoIOxezvuXFUXZ8rP6aCh4KaiN9AJoy7pBieCzsq
+d7rPEeGIzBjI+yhEu8p92W6KWzL0xduWfYg9I7a2GTk8CaLX2OCLuwnKd7RVDyyZ
+yzRjWs0T5U7SRAWspLStYxMdKert9lLyQiRHtLwmlgBPqa0gh7Q+SWNpbmdhIE9w
+ZW4gU291cmNlIE1vbml0b3JpbmcgKEJ1aWxkIHNlcnZlcikgPGluZm9AaWNpbmdh
+Lm9yZz6IYAQTEQIAIAUCUofOTgIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJ
+EMbjGcM0QQaCgSQAnRjXdbsyqziqhmxfAKffNJYuMPwdAKCS/IRCVyQzApFBtIBQ
+1xuoym/4C7kCDQRSh85OEAgAvPwjlURCi8z6+7i60no4n16dNcSzd6AT8Kizpv2r
+9BmNBff/GNYGnHyob/DMtmO2esEuVG8w62rO9m1wzzXzjbtmtU7NZ1Tg+C+reU2I
+GNVu3SYtEVK/UTJHAhLcgry9yD99610tYPN2Fx33Efse94mXOreBfCvDsmFGSc7j
+GVNCWXpMR3jTYyGj1igYd5ztOzG63D8gPyOucTTl+RWN/G9EoGBv6sWqk5eCd1Fs
+JlWyQX4BJn3YsCZx3uj1DWL0dAl2zqcn6m1M4oj1ozW47MqM/efKOcV6VvCs9SL8
+F/NFvZcH4LKzeupCQ5jEONqcTlVlnLlIqId95Z4DI4AV9wADBQf/S6sKA4oH49tD
+Yb5xAfUyEp5ben05TzUJbXs0Z7hfRQzy9+vQbWGamWLgg3QRUVPx1e4IT+W5vEm5
+dggNTMEwlLMI7izCPDcD32B5oxNVxlfj428KGllYWCFj+edY+xKTvw/PHnn+drKs
+LE65Gwx4BPHm9EqWHIBX6aPzbgbJZZ06f6jWVBi/N7e/5n8lkxXqS23DBKemapyu
+S1i56sH7mQSMaRZP/iiOroAJemPNxv1IQkykxw2woWMmTLKLMCD/i+4DxejE50tK
+dxaOLTc4HDCsattw/RVJO6fwE414IXHMv330z4HKWJevMQ+CmQGfswvCwgeBP9n8
+PItLjBQAXIhJBBgRAgAJBQJSh85OAhsMAAoJEMbjGcM0QQaCzpAAmwUNoRyySf9p
+5G3/2UD1PMueIwOtAKDVVDXEq5LJPVg4iafNu0SRMwgP0Q==
+=icbY
+-----END PGP PUBLIC KEY BLOCK-----
--- a/nodes/ovh/icinga2.py
+++ b/nodes/ovh/icinga2.py
@ -1,5 +1,6 @@
 nodes['ovh.icinga2'] = {
    'bundles': {
+        'icinga2',
        'postgresql',
        'zfs',
    },