From a176a1aa658fa85e293775ea42645a9a4d77ceb9 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 10 Nov 2020 12:40:12 +0100
Subject: [PATCH] bundles/icinga2: introduce, install checks, install sources.list, create postgres database

---
 bundles/icinga2/files/check_bl | 162 ++++++++++++++++++++
 bundles/icinga2/files/check_by_sshmon | 51 ++++++
 bundles/icinga2/files/systemd_override.conf | 9 ++
 bundles/icinga2/items.py | 11 ++
 bundles/icinga2/metadata.py | 24 +++
 data/apt/files/gpg-keys/icinga2.asc | 30 ++++
 nodes/ovh/icinga2.py | 1 +
 7 files changed, 288 insertions(+)
 create mode 100644 bundles/icinga2/files/check_bl
 create mode 100644 bundles/icinga2/files/check_by_sshmon
 create mode 100644 bundles/icinga2/files/systemd_override.conf
 create mode 100644 bundles/icinga2/items.py
 create mode 100644 bundles/icinga2/metadata.py
 create mode 100644 data/apt/files/gpg-keys/icinga2.asc

diff --git a/bundles/icinga2/files/check_bl b/bundles/icinga2/files/check_bl
new file mode 100644
index 0000000..cf22493
--- /dev/null
+++ b/bundles/icinga2/files/check_bl
@@ -0,0 +1,162 @@
+#!/usr/bin/perl -w
+#
+# check_bl plugin for nagios
+# $Revision: 1.0 $
+#
+# Nagios plugin designed to warn you if you mail servers appear in one of the
+# many anti-spam 'blacklists'
+#
+# By Sam Bashton, Bashton Ltd
+# bashton.com/content/nagios-plugins
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+use strict;
+use lib "/usr/lib/nagios/plugins";
+use utils qw($TIMEOUT %ERRORS &print_revision &support);
+use Net::DNS;
+use vars qw($PROGNAME);
+my ($verbose,$host),;
+my ($opt_V,$opt_h,$opt_B,$opt_H,$opt_c);
+$opt_V = $opt_h = $opt_B = $opt_H = $opt_c = '';
+my $state = 'UNKNOWN';
+sub print_help();
+sub print_usage();
+
+$PROGNAME = "check_bl";
+
+$ENV{'BASH_ENV'}='';
+$ENV{'ENV'}='';
+$ENV{'PATH'}='';
+$ENV{'LC_ALL'}='C';
+
+use Getopt::Long;
+Getopt::Long::Configure('bundling');
+GetOptions(
+ "V" => \$opt_V, "version" => \$opt_V,
+ "h" => \$opt_h, "help" => \$opt_h,
+ "H=s" => \$opt_H, "hostname=s" => \$opt_H,
+ "B=s" => \$opt_B, "blacklists=s" => \$opt_B,
+ "c=s" => \$opt_c, "critical=s" => \$opt_c
+);
+
+# -h means display verbose help screen
+if ($opt_h) { print_help(); exit $ERRORS{'OK'}; }
+
+# -V means display version number
+if ($opt_V) {
+ print_revision($PROGNAME,'$Revision: 1.0 $ ');
+ exit $ERRORS{'OK'};
+}
+
+# First check the hostname is OK..
+unless ($opt_H) { print_usage(); exit $ERRORS{'UNKNOWN'}; }
+
+if (! utils::is_hostname($opt_H)){
+ print "$opt_H is not a valid host name\n";
+ print_usage();
+ exit $ERRORS{"UNKNOWN"};
+}else{
+ if ($opt_H =~ /[a-zA-Z]/ )
+ # If the host contains letters we assume it's a hostname, not an IP
+ {
+ $host = lookup($opt_H);
+ }
+ else { $host = $opt_H }
+}
+
+
+# $opt_c is a count of the blacklists a mail server is in,
+# after which state will be CRITICAL rather than WARNING
+# By default any listing is CRITICAL
+my $critcount = 0;
+if ($opt_c) { $critcount = $opt_c };
+
+# $opt_B is a comma seperated list of blacklists
+$opt_B = shift unless ($opt_B);
+unless ($opt_B) { print_usage(); exit -1 }
+my @bls = split(/,/, $opt_B);
+
+
+# Just in case of problems, let's not hang Nagios
+$SIG{'ALRM'} = sub {
+ print ("ERROR: No response from BL server (alarm)\n");
+ exit $ERRORS{"UNKNOWN"};
+};
+# XXX Originally, $TIMEOUT was used here. However, that's a static 15
+# seconds whereas our actual timeout is much longer. Hence, adjust it.
+alarm(240 - 10);
+
+my %listed; # Hash of blacklists we're listed in.
+foreach(@bls)
+{
+ if (blcheck($host,$_)) { $listed{$_} = 1 }
+}
+
+if (scalar(keys(%listed)) == 0) { $state = 'OK' }
+elsif (scalar(keys(%listed)) < $critcount) { $state = 'WARNING' }
+else { $state = 'CRITICAL' }
+
+if (%listed)
+{
+ print "Listed at";
+ foreach (keys(%listed)) { print " $_" }
+ print "\n";
+}
+else { print "Not black-listed\n" }
+
+exit $ERRORS{$state};
+
+
+######## Subroutines ==========================
+
+
+sub print_help() {
+ print_revision($PROGNAME,'$Revision: 1.0 $ ');
+ print "\n";
+ support();
+}
+
+sub print_usage () {
+ print "Usage: \n";
+ print " $PROGNAME -H host -B [blacklist1],[blacklist2] [-c critnum]\n";
+ print " $PROGNAME [-h | --help]\n";
+ print " $PROGNAME [-V | --version]\n";
+}
+
+sub blcheck
+{
+ my ($ip, $bl) = @_;
+ my $lookupip = $ip;
+ $lookupip =~
+ s/([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/$4.$3.$2.$1.$bl/;
+ if (lookup($lookupip)) { return 1 }
+ else { return 0 }
+}
+
+sub lookup
+{
+ my $tolookup = shift;
+ my $res = Net::DNS::Resolver->new;
+ my $query = $res->search($tolookup);
+ if ($query)
+ {
+ foreach my $rr ($query->answer)
+ {
+ next unless $rr->type eq "A"; # We're not interested in TXT records
+ return $rr->address;
+ }
+ }
+}
diff --git a/bundles/icinga2/files/check_by_sshmon b/bundles/icinga2/files/check_by_sshmon
new file mode 100644
index 0000000..e4dfc07
--- /dev/null
+++ b/bundles/icinga2/files/check_by_sshmon
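Review bot: A hostname that does not resolve is never caught: when `lookup($opt_H)` returns nothing in the `if ($opt_H =~ /[a-zA-Z]/ )` branch near the top of the hunk, `$host` is left undef, each `blcheck($host,$_)` then queries a name derived from undef, and the plugin appears to end in the `Not black-listed` path with state OK rather than UNKNOWN. After the `else { $host = $opt_H }` branch add `unless (defined $host) { print "Could not resolve $opt_H\n"; exit $ERRORS{'UNKNOWN'}; }`. The missing-blacklist path `unless ($opt_B) { print_usage(); exit -1 }` has the same flavour of problem: 255 is not a Nagios state, so it should be `exit $ERRORS{'UNKNOWN'}` like the other usage errors. Since this looks like the upstream Bashton plugin with only the alarm value changed, it may be worth carrying both fixes as a clearly commented local patch so they survive a future re-import.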
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+UNKNOWN=3
+
+cmd=
+hostname=
+timeout=10
+
+while getopts c:h:t: name
+do
+ case $name in
+ c) cmd=$OPTARG ;;
+ h) hostname=$OPTARG ;;
+ t) timeout=$OPTARG ;;
+ esac
+done
+
+if [ -z "$cmd" ]
+then
+ echo 'check_by_sshmon: Option "-c $cmd" missing' >&2
+ exit $UNKNOWN
+fi
+
+if [ -z "$hostname" ]
+then
+ echo 'check_by_sshmon: Option "-h $hostname" missing' >&2
+ exit $UNKNOWN
+fi
+
+timeout "$timeout" \
+ ssh sshmon@"$hostname" \
+ -o IdentityFile=/etc/sshmon.priv \
+ -o StrictHostKeyChecking=accept-new \
+ -o ControlMaster=auto \
+ -o ControlPath=~/master-%C \
+ -o ControlPersist=30m \
+ -o HashKnownHosts=no \
+ "$cmd"
+exitcode=$?
+
+if [ "$exitcode" = 124 ]
+then
+ echo 'check_by_sshmon: Timeout while running check remotely' >&2
+ exit $UNKNOWN
+elif [ "$exitcode" = 255 ]
+then
+ echo 'check_by_sshmon: SSH error' >&2
+ exit $UNKNOWN
+else
+ exit $exitcode
+fi
diff --git a/bundles/icinga2/files/systemd_override.conf b/bundles/icinga2/files/systemd_override.conf
new file mode 100644
index 0000000..78269d8
--- /dev/null
+++ b/bundles/icinga2/files/systemd_override.conf
@@ -0,0 +1,9 @@
+[Service]
+# Icinga's default for this is "mixed". It assumes that check commands
+# spawned by icinga will exit quickly.
+#
+# sshmon tells openssh to spawn a master process for each node. Those
+# won't quit by themselves for a long time (this is the point). In order
+# to avoid a long waiting period while shutting down icinga, just kill all
+# processes in the cgroup.
+KillMode=control-group
diff --git a/bundles/icinga2/items.py b/bundles/icinga2/items.py
new file mode 100644
index 0000000..f457d25
--- /dev/null
+++ b/bundles/icinga2/items.py
@@ -0,0 +1,11 @@
+assert node.has_bundle('postgresql')
+assert node.has_bundle('sshmon')
+
+files = {
+ '/usr/local/share/icinga/plugins/check_bl': {
+ 'mode': '0755',
+ },
+ '/usr/local/share/icinga/plugins/check_by_sshmon': {
+ 'mode': '0755',
+ },
+}
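Review bot: The ssh invocation runs non-interactively under icinga but carries no `-o BatchMode=yes`, so if `/etc/sshmon.priv` is rejected or unreadable ssh can sit on a password/passphrase prompt until `timeout` fires and every check degrades to UNKNOWN with the misleading 'Timeout while running check remotely' message; add `-o BatchMode=yes \` next to the other `-o` lines, and `-n` so ssh does not read the daemon's stdin. `StrictHostKeyChecking=accept-new` trusts whatever host key the first connection sees and pins it silently, which on a long-lived monitoring host is weaker than pre-seeding known_hosts for each monitored node and then using `=yes`; if trust-on-first-use is the intended trade-off, a comment saying so would spare the next reader the question. A remote check that itself exits 124 is also indistinguishable from a `timeout` kill here, which is acceptable but worth a comment on the `if [ "$exitcode" = 124 ]` branch.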
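Review bot: `bundles/icinga2/files/systemd_override.conf` is added by this commit but the `files` dict in `items.py` never deploys it, so the `KillMode=control-group` behaviour its comment describes is not in effect on the node. Unless a later commit is meant to pick it up, add a `files` entry such as `'/etc/systemd/system/icinga2.service.d/override.conf': {'source': 'systemd_override.conf'}` (adjusting the path to wherever this repo places unit drop-ins) with the matching daemon-reload/restart handling, so the long-lived sshmon master processes really are killed on shutdown. If the omission is deliberate, a one-line comment above `files` noting that the override is wired up elsewhere would make that clear.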
diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py
new file mode 100644
index 0000000..48dfe9b
--- /dev/null
+++ b/bundles/icinga2/metadata.py
@@ -0,0 +1,24 @@
+defaults = {
+ 'apt': {
+ 'repos': {
+ 'icinga2': {
+ 'items': {
+ 'deb http://packages.icinga.com/{os} icinga-{os_release} main',
+ 'deb-src http://packages.icinga.com/{os} icinga-{os_release} main',
+ },
+ },
+ },
+ },
+ 'postgresql': {
+ 'roles': {
+ 'icinga2': {
+ 'password': repo.vault.password_for(f'{node.name} postgresql icinga2'),
+ },
+ },
+ 'databases': {
+ 'icinga2': {
+ 'owner': 'icinga2',
+ },
+ },
+ },
+}
diff --git a/data/apt/files/gpg-keys/icinga2.asc b/data/apt/files/gpg-keys/icinga2.asc
new file mode 100644
index 0000000..901c78c
--- /dev/null
+++ b/data/apt/files/gpg-keys/icinga2.asc
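Review bot: Both apt sources use plain `http://packages.icinga.com/...`; apt still verifies the repository signature with the `icinga2.asc` key this commit adds, so integrity is covered, but the index and package fetches are unauthenticated on the wire, which makes stale-metadata replay easier and exposes the node's package inventory to anyone on the path. The host is served over HTTPS as well, so change the two entries to `'deb https://packages.icinga.com/{os} icinga-{os_release} main'` and `'deb-src https://packages.icinga.com/{os} icinga-{os_release} main'`, provided the apt bundle's transport support is in place on the node. The `'items'` value is a set literal; if the apt bundle writes it out in iteration order, the generated sources.list can differ between runs because str hash order varies per process — presumably the bundle sorts, but if not a list here (or a `sorted()` in the bundle) keeps the apply idempotent.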
@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.19 (GNU/Linux)
+
+mQGiBFKHzk4RBACSHMIFTtfw4ZsNKAA03Gf5t7ovsKWnS7kcMYleAidypqhOmkGg
+0petiYsMPYT+MOepCJFGNzwQwJhZrdLUxxMSWay4Xj0ArgpD9vbvU+gj8Tb02l+x
+SqNGP8jXMV5UnK4gZsrYGLUPvx47uNNYRIRJAGOPYTvohhnFJiG402dzlwCg4u5I
+1RdFplkp9JM6vNM9VBIAmcED/2jr7UQGsPs8YOiPkskGHLh/zXgO8SvcNAxCLgbp
+BjGcF4Iso/A2TAI/2KGJW6kBW/Paf722ltU6s/6mutdXJppgNAz5nfpEt4uZKZyu
+oSWf77179B2B/Wl1BsX/Oc3chscAgQb2pD/qPF/VYRJU+hvdQkq1zfi6cVsxyREV
+k+IwA/46nXh51CQxE29ayuy1BoIOxezvuXFUXZ8rP6aCh4KaiN9AJoy7pBieCzsq
+d7rPEeGIzBjI+yhEu8p92W6KWzL0xduWfYg9I7a2GTk8CaLX2OCLuwnKd7RVDyyZ
+yzRjWs0T5U7SRAWspLStYxMdKert9lLyQiRHtLwmlgBPqa0gh7Q+SWNpbmdhIE9w
+ZW4gU291cmNlIE1vbml0b3JpbmcgKEJ1aWxkIHNlcnZlcikgPGluZm9AaWNpbmdh
+Lm9yZz6IYAQTEQIAIAUCUofOTgIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJ
+EMbjGcM0QQaCgSQAnRjXdbsyqziqhmxfAKffNJYuMPwdAKCS/IRCVyQzApFBtIBQ
+1xuoym/4C7kCDQRSh85OEAgAvPwjlURCi8z6+7i60no4n16dNcSzd6AT8Kizpv2r
+9BmNBff/GNYGnHyob/DMtmO2esEuVG8w62rO9m1wzzXzjbtmtU7NZ1Tg+C+reU2I
+GNVu3SYtEVK/UTJHAhLcgry9yD99610tYPN2Fx33Efse94mXOreBfCvDsmFGSc7j
+GVNCWXpMR3jTYyGj1igYd5ztOzG63D8gPyOucTTl+RWN/G9EoGBv6sWqk5eCd1Fs
+JlWyQX4BJn3YsCZx3uj1DWL0dAl2zqcn6m1M4oj1ozW47MqM/efKOcV6VvCs9SL8
+F/NFvZcH4LKzeupCQ5jEONqcTlVlnLlIqId95Z4DI4AV9wADBQf/S6sKA4oH49tD
+Yb5xAfUyEp5ben05TzUJbXs0Z7hfRQzy9+vQbWGamWLgg3QRUVPx1e4IT+W5vEm5
+dggNTMEwlLMI7izCPDcD32B5oxNVxlfj428KGllYWCFj+edY+xKTvw/PHnn+drKs
+LE65Gwx4BPHm9EqWHIBX6aPzbgbJZZ06f6jWVBi/N7e/5n8lkxXqS23DBKemapyu
+S1i56sH7mQSMaRZP/iiOroAJemPNxv1IQkykxw2woWMmTLKLMCD/i+4DxejE50tK
+dxaOLTc4HDCsattw/RVJO6fwE414IXHMv330z4HKWJevMQ+CmQGfswvCwgeBP9n8
+PItLjBQAXIhJBBgRAgAJBQJSh85OAhsMAAoJEMbjGcM0QQaCzpAAmwUNoRyySf9p
+5G3/2UD1PMueIwOtAKDVVDXEq5LJPVg4iafNu0SRMwgP0Q==
+=icbY
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/nodes/ovh/icinga2.py b/nodes/ovh/icinga2.py
index 4d9e8fa..c48a918 100644
--- a/nodes/ovh/icinga2.py
+++ b/nodes/ovh/icinga2.py
@@ -1,5 +1,6 @@
 nodes['ovh.icinga2'] = {
 'bundles': {
+ 'icinga2',
 'postgresql',
 'zfs',
 },