├── README ├── apt ├── files │ ├── repo │ │ ├── canonical │ │ │ ├── canonical.key │ │ │ └── canonical.list │ │ └── cloudera │ │ │ ├── cloudera.key │ │ │ └── cloudera.list │ ├── sanity.apt.conf │ ├── stripdeb.apt.conf │ └── stripdeb.sh └── manifests │ ├── init.pp │ ├── refresh.pp │ ├── repo │ ├── canonical.pp │ └── cloudera.pp │ └── repos.pp ├── buildserver ├── README.md ├── files │ ├── distributions │ ├── genrepo.sh │ ├── gpg │ │ ├── pubring.gpg │ │ ├── secring.gpg │ │ └── trustdb.gpg │ ├── jenkins.nginx.conf │ ├── publish.sh │ ├── rebuild-repo.sh │ └── repo.nginx.conf └── manifests │ └── init.pp ├── debian ├── manifests │ ├── package.pp │ └── preseed.pp └── templates │ └── preseed.erb ├── graphite ├── files │ ├── carbon.conf │ ├── graphite.wsgi │ ├── local_settings.py │ ├── storage-schemas.conf │ └── tools │ │ └── json-to-graphite.js ├── manifests │ ├── curljson.pp │ ├── package.pp │ ├── server.pp │ └── tools.pp └── templates │ ├── graphite.httpd.conf.erb │ └── tools │ └── curl-json-to-graphite.sh.erb ├── iptables ├── example-usage │ └── apache.pp ├── files │ ├── 1.basic │ ├── 1000.drop-unexpected │ ├── 999.iptables-logging │ └── build-iptables.rb ├── manifests │ ├── enable.pp │ ├── init.pp │ └── rule.pp └── templates │ └── rule.erb ├── java └── manifests │ ├── jdk.pp │ └── jre.pp ├── nagios ├── files │ ├── cgi.cfg │ ├── contacts.cfg │ ├── hosts-base.cfg │ ├── nagios-to-loggly.rb │ ├── nagios.cfg │ ├── nrpe │ │ └── nrpe.cfg │ ├── pagerduty │ │ ├── pagerduty.cfg │ │ └── pagerduty_nagios.pl │ ├── services-base.cfg │ └── timeperiods.cfg ├── manifests │ ├── check.pp │ ├── check │ │ └── log.pp │ ├── command.pp │ ├── config.pp │ ├── host.pp │ ├── init.pp │ ├── nrpe │ │ ├── package.pp │ │ └── server.pp │ ├── nsca.pp │ ├── nsca │ │ └── server.pp │ ├── package.pp │ ├── pagerduty.pp │ ├── plugin │ │ ├── basic.pp │ │ ├── check_check.pp │ │ ├── nrpe.pp │ │ └── nsca.pp │ ├── server.pp │ ├── user.pp │ └── user │ │ └── logwatcher.pp └── templates │ ├── check │ └── log.grok.erb │ 
├── hosts-deployment.cfg.erb │ ├── nsca │ ├── nsca.cfg.erb │ └── send_nsca.cfg.erb │ └── services-deployment.cfg.erb ├── truth ├── files │ ├── query-rightscale.py │ └── update-zerigo.py ├── manifests │ ├── enforcer.pp │ └── init.pp └── plugins │ ├── facter │ ├── rightscale.rb │ └── truth.rb │ └── puppet │ └── parser │ └── functions │ ├── has_feature.rb │ ├── has_role.rb │ ├── role_addresses.rb │ └── role_enabled.rb └── user ├── README.md ├── files └── publickeys │ └── README └── manifests ├── groups.pp ├── humans.pp ├── managed.pp └── robots.pp /README: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/loggly/puppet-modules/d5ac48ea4883e3515408b3bc361cabc19aeab92b/README -------------------------------------------------------------------------------- /apt/files/repo/canonical/canonical.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | Version: GnuPG v1.4.9 (GNU/Linux) 3 | 4 | mQGiBEnvgi0RBADLx1qQlXlrvHOo13dUvoWL97Ny/0s0S/GcMEgAqYvZzUPVcq8H 5 | GUsOb4PLTfcL1H7Ptq9fqr02uIb5Bc/ltdwE9GFaT2nvdfBx9T8jr8LrW9JE2xJq 6 | dCyFO5yP9YbZeFAxNO3yBxeP85lQ9CdWWLvyYdtQ+T84EYerqkcVbSvYRwCg6zyx 7 | EE3jWYvyVv/3HTrVTYpgHgMD/2kMR1Z2vEYOSM7h4cnRnxiadhefqJ2WCm4L30Rx 8 | /F9JBLAEuIuUndiOShoB043iDY+rrqCHqHQ/uI2D4piW9cDYMo7EJlsFtQ5g2SFg 9 | PcS4+DLhU464dTQsTGAhvcv+F0VQV4iu1HdD2/kKJkCS/MZL4rr4emqsh6VIBDdG 10 | ytPaA/9cyRJZe2BrBM2pECGncE5RUaM3g37Ka+VnmMVOXgZdzgCxwFZyVhyxzssD 11 | kB4jcm75UEZx8BiaoPQDQEsBongdx5M4Vwv5XnvUq7sK7eZLmUzW9hmkPjgLea0/ 12 | znchvPsLeTNqSfIcH14TbFt6B2y1G3Vbi5/6UiAaIqLrqjZlCrQXQ2xvdWRlcmEg 13 | QXB0IFJlcG9zaXRvcnmIYAQTEQIAIAUCSe+CLQIbAwYLCQgHAwIEFQIIAwQWAgMB 14 | Ah4BAheAAAoJEDJ1dO4CqBjdGQUAnitydC/NGEh0aZXDN1v22pWFpRzTAJ46N4gT 15 | Zx25oWfyppX3R7fSH+7TPrkCDQRJ74ItEAgAq8s4iMsGhk9nnMF6wlarqHjws4Dw 16 | NFZBzA1Ah8KnMtrdr8t99OfzY1b7PNzHXujcaTTqL6L881ezdsls9aHp2kr24Btr 17 | 
8nqEZJHSjCnQscAGu+NrhoH2KvK+tMRCHGRcy5UNQbLTJi4Hf8Lo+zv0WUy9BCDu 18 | 7HoDlwrrh1Rw5oOwLFc2UXSTEB6BwYna0mZcNjVpfKNHa//wJcKR0AtsCwRT9znP 19 | GS0Hpqi1l0/iU7sJhNWyyF427ANg+Jv2n4IP+dd734ZiFeJ9tWCtBjfc3MZJKETk 20 | tiCtX7FVIIqBAmYLwPqcvZMGJMrNzLBtRuuiBv5bFcPpMEhoD40oQEG8uwADBQf/ 21 | f3NpQbuAcZLMzbrHYu3FB/+4ETvDJXJIEUiQUdobWancSBUhuNPOqIgLzIWM1jRu 22 | jWGIpkeP6iqNW9kDrq26CuMFP2CoVvnaMiLXUvyf62HWAiYXXlZle5O97bvhYMtM 23 | Y4o5sMo2ktI9IcgYIFicFwcmuGyGL7nJ3Bo9FAUV2LvMe++O/f13jsPpygoTZgGT 24 | 6w0erglWgrgf5pXt8ajlI4TUrlMVg9Iy/tB9ZzVHnpk21o4vLHwZkgXe1WlK/Rze 25 | ZCruXyXHaFyEJN2zlP2xNj2F2WisL+/HEnl/qzU4IpNI2LQV2aiY9Nt8MBXgSHAh 26 | gWKWkjiB+tswgzuNsBOTM4hJBBgRAgAJBQJJ74ItAhsMAAoJEDJ1dO4CqBjd988A 27 | oJ1WlEx2BcFA7W1RMyErejcvB6thAKCf3t0thSQvkoGi3AOJ4Haj/C3yUQ== 28 | =H6IR 29 | -----END PGP PUBLIC KEY BLOCK----- 30 | -------------------------------------------------------------------------------- /apt/files/repo/canonical/canonical.list: -------------------------------------------------------------------------------- 1 | deb http://archive.canonical.com/ lucid partner 2 | -------------------------------------------------------------------------------- /apt/files/repo/cloudera/cloudera.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | Version: GnuPG v1.4.9 (GNU/Linux) 3 | 4 | mQGiBEnvgi0RBADLx1qQlXlrvHOo13dUvoWL97Ny/0s0S/GcMEgAqYvZzUPVcq8H 5 | GUsOb4PLTfcL1H7Ptq9fqr02uIb5Bc/ltdwE9GFaT2nvdfBx9T8jr8LrW9JE2xJq 6 | dCyFO5yP9YbZeFAxNO3yBxeP85lQ9CdWWLvyYdtQ+T84EYerqkcVbSvYRwCg6zyx 7 | EE3jWYvyVv/3HTrVTYpgHgMD/2kMR1Z2vEYOSM7h4cnRnxiadhefqJ2WCm4L30Rx 8 | /F9JBLAEuIuUndiOShoB043iDY+rrqCHqHQ/uI2D4piW9cDYMo7EJlsFtQ5g2SFg 9 | PcS4+DLhU464dTQsTGAhvcv+F0VQV4iu1HdD2/kKJkCS/MZL4rr4emqsh6VIBDdG 10 | ytPaA/9cyRJZe2BrBM2pECGncE5RUaM3g37Ka+VnmMVOXgZdzgCxwFZyVhyxzssD 11 | kB4jcm75UEZx8BiaoPQDQEsBongdx5M4Vwv5XnvUq7sK7eZLmUzW9hmkPjgLea0/ 12 | znchvPsLeTNqSfIcH14TbFt6B2y1G3Vbi5/6UiAaIqLrqjZlCrQXQ2xvdWRlcmEg 13 | 
QXB0IFJlcG9zaXRvcnmIYAQTEQIAIAUCSe+CLQIbAwYLCQgHAwIEFQIIAwQWAgMB 14 | Ah4BAheAAAoJEDJ1dO4CqBjdGQUAnitydC/NGEh0aZXDN1v22pWFpRzTAJ46N4gT 15 | Zx25oWfyppX3R7fSH+7TPrkCDQRJ74ItEAgAq8s4iMsGhk9nnMF6wlarqHjws4Dw 16 | NFZBzA1Ah8KnMtrdr8t99OfzY1b7PNzHXujcaTTqL6L881ezdsls9aHp2kr24Btr 17 | 8nqEZJHSjCnQscAGu+NrhoH2KvK+tMRCHGRcy5UNQbLTJi4Hf8Lo+zv0WUy9BCDu 18 | 7HoDlwrrh1Rw5oOwLFc2UXSTEB6BwYna0mZcNjVpfKNHa//wJcKR0AtsCwRT9znP 19 | GS0Hpqi1l0/iU7sJhNWyyF427ANg+Jv2n4IP+dd734ZiFeJ9tWCtBjfc3MZJKETk 20 | tiCtX7FVIIqBAmYLwPqcvZMGJMrNzLBtRuuiBv5bFcPpMEhoD40oQEG8uwADBQf/ 21 | f3NpQbuAcZLMzbrHYu3FB/+4ETvDJXJIEUiQUdobWancSBUhuNPOqIgLzIWM1jRu 22 | jWGIpkeP6iqNW9kDrq26CuMFP2CoVvnaMiLXUvyf62HWAiYXXlZle5O97bvhYMtM 23 | Y4o5sMo2ktI9IcgYIFicFwcmuGyGL7nJ3Bo9FAUV2LvMe++O/f13jsPpygoTZgGT 24 | 6w0erglWgrgf5pXt8ajlI4TUrlMVg9Iy/tB9ZzVHnpk21o4vLHwZkgXe1WlK/Rze 25 | ZCruXyXHaFyEJN2zlP2xNj2F2WisL+/HEnl/qzU4IpNI2LQV2aiY9Nt8MBXgSHAh 26 | gWKWkjiB+tswgzuNsBOTM4hJBBgRAgAJBQJJ74ItAhsMAAoJEDJ1dO4CqBjd988A 27 | oJ1WlEx2BcFA7W1RMyErejcvB6thAKCf3t0thSQvkoGi3AOJ4Haj/C3yUQ== 28 | =H6IR 29 | -----END PGP PUBLIC KEY BLOCK----- 30 | -------------------------------------------------------------------------------- /apt/files/repo/cloudera/cloudera.list: -------------------------------------------------------------------------------- 1 | deb http://archive.cloudera.com/debian lucid-cdh3 contrib 2 | deb-src http://archive.cloudera.com/debian lucid-cdh3 contrib 3 | -------------------------------------------------------------------------------- /apt/files/sanity.apt.conf: -------------------------------------------------------------------------------- 1 | APT::Install-Recommends "false"; 2 | APT::Install-Suggests "false"; 3 | 4 | -------------------------------------------------------------------------------- /apt/files/stripdeb.apt.conf: -------------------------------------------------------------------------------- 1 | DPkg::Pre-Install-Pkgs {"xargs -rL1 bash /usr/local/bin/stripdeb.sh 2>&1 | logger -t stripdeb; true"} 
2 | 3 | -------------------------------------------------------------------------------- /apt/files/stripdeb.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Usage: stripdeb.sh something.deb 3 | 4 | echo "Stripping $1 of pre/post maintainer scripts" 5 | tmpdir=$(mktemp -d) 6 | 7 | [ ! -f $1 ] && exit 1 8 | 9 | genldconfigscript() { 10 | # Maybe we should just make the always run 'ldconfig' 11 | cat << EOF 12 | #!/bin/sh 13 | [ "\$1" = "configure" ] && ldconfig 14 | [ "\$1" = "remove" ] && ldconfig 15 | true 16 | EOF 17 | } 18 | 19 | # The .deb is an 'ar' archive, grab the control files. 20 | ar -p $1 control.tar.gz | tar -C $tmpdir -zxf - 21 | 22 | # Kill the stupid package scripts, but log what we do. 23 | for i in $tmpdir/{post,pre}{rm,inst} ; do 24 | if [ -f $i ] ; then 25 | 26 | # Linux sucks, so we have to run ldconfig on any library changes. 27 | # So if the post/pre script includes ldconfig 28 | if grep -q ldconfig $i ; then 29 | echo "$1: Replacing $i with a generic 'ldconfig' script" 30 | genldconfigscript > $i 31 | chmod 755 $i 32 | else 33 | echo "$1: Stripping $(basename $i)" 34 | rm $i 35 | fi 36 | fi 37 | done 38 | 39 | # Rebuild the control tarball 40 | tar -C $tmpdir -zcf control.tar.gz . 
41 | 42 | # And replace the old one with the stripped one back into the .deb 43 | ar -r $1 control.tar.gz 44 | 45 | # Clean up 46 | rm control.tar.gz 47 | 48 | 49 | -------------------------------------------------------------------------------- /apt/manifests/init.pp: -------------------------------------------------------------------------------- 1 | class apt { 2 | file { 3 | "/etc/apt/apt.conf.d/90sanity": 4 | ensure => file, 5 | source => "puppet:///modules/apt/sanity.apt.conf"; 6 | "/usr/local/bin/stripdeb.sh": 7 | ensure => file, 8 | source => "puppet:///modules/apt/stripdeb.sh", 9 | mode => 755; 10 | "/etc/apt/apt.conf.d/90stripdeb": 11 | ensure => absent, # TODO(sissel): Want a better way to selectively strip packages 12 | source => "puppet:///modules/apt/stripdeb.apt.conf"; 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /apt/manifests/refresh.pp: -------------------------------------------------------------------------------- 1 | class apt::refresh { 2 | exec { 3 | "fetch latest apt data": 4 | command => "apt-get update -qqy", 5 | returns => [0, 100], 6 | refreshonly => true; 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /apt/manifests/repo/canonical.pp: -------------------------------------------------------------------------------- 1 | class apt::repo::canonical { 2 | include ::apt::refresh 3 | 4 | file { 5 | "/etc/apt/sources.list.d/canonical.list": 6 | ensure => file, 7 | source => "puppet:///modules/apt/repo/canonical/canonical.list"; 8 | "/etc/apt/canonical.key": 9 | ensure => file, 10 | source => "puppet:///modules/apt/repo/canonical/canonical.key", 11 | notify => Exec["add canonical apt key"]; 12 | } 13 | 14 | exec { 15 | "add canonical apt key": 16 | command => "apt-key add /etc/apt/canonical.key", 17 | refreshonly => true; 18 | } 19 | 20 | } 21 | -------------------------------------------------------------------------------- 
/apt/manifests/repo/cloudera.pp: -------------------------------------------------------------------------------- 1 | class apt::repo::cloudera { 2 | file { 3 | "/etc/apt/sources.list.d/cloudera.list": 4 | ensure => file, 5 | source => "puppet:///modules/apt/repo/cloudera/cloudera.list"; 6 | 7 | # apt key downloaded from http://archive.cloudera.com/debian/archive.key 8 | "/etc/apt/sources.list.d/cloudera.key": 9 | ensure => file, 10 | source => "puppet:///modules/apt/repo/cloudera/cloudera.key"; 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /apt/manifests/repos.pp: -------------------------------------------------------------------------------- 1 | class apt::repos { 2 | include ::apt::repo::cloudera 3 | include ::apt::repo::canonical 4 | } 5 | -------------------------------------------------------------------------------- /buildserver/README.md: -------------------------------------------------------------------------------- 1 | # 'buildserver' 2 | 3 | This manifest deploys our build server. 4 | 5 | It's not fancy, but it hosts our apt repo. 6 | 7 | The script 'publish.sh' is run like this: 8 | 9 | publish.sh mynewpackage.deb 10 | 11 | It puts the package into your apt repo and rebuilds the repo. 12 | 13 | ## Apt repo details 14 | 15 | I use a combination of apt-ftparchive + custom scripts to manage our apt repo. 16 | 17 | I used to use reprepro, but that tool is a pile of shit. It is completely 18 | infected with debian policies - stuff that gets in my way and enforces opinions 19 | about things in the code. Do not want. 20 | 21 | Publishing packages is done with 'publish.sh' and genrepo.sh manages 22 | apt-ftparchive and gpg invocations. 
23 | -------------------------------------------------------------------------------- /buildserver/files/distributions: -------------------------------------------------------------------------------- 1 | Origin: loggly 2 | Label: loggly 3 | Suite: stable 4 | Codename: loggly-production 5 | Version: 1.0 6 | Architectures: amd64 i386 7 | Components: main 8 | Description: Loggly production packages 9 | SignWith: nobody@loggly.com 10 | -------------------------------------------------------------------------------- /buildserver/files/genrepo.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | cd /mnt/loggly/repo 4 | export GNUPGHOME=/opt/loggly/repo/gpg 5 | 6 | echo "Generating new repo" 7 | RELEASE="loggly-production" 8 | PACKAGES="dists/$RELEASE/main/binary-amd64/Packages" 9 | 10 | echo "Generating packages list" 11 | apt-ftparchive --db apt-ftparchive.db packages pool > $PACKAGES 12 | gzip -c $PACKAGES > $PACKAGES.gz 13 | 14 | echo "Generating Release file" 15 | ( 16 | cat dists/$RELEASE/main/binary-amd64/Release 17 | echo "Codename: $RELEASE" 18 | apt-ftparchive release dists/$RELEASE 19 | ) > dists/$RELEASE/Release 20 | 21 | rm -f dists/$RELEASE/Release.gpg 22 | echo "Signing Release file" 23 | gpg --output dists/$RELEASE/Release.gpg -ba dists/$RELEASE/Release 24 | echo "Done" 25 | -------------------------------------------------------------------------------- /buildserver/files/gpg/pubring.gpg: -------------------------------------------------------------------------------- 1 | Empty file, your gpg crap goes here 2 | -------------------------------------------------------------------------------- /buildserver/files/gpg/secring.gpg: -------------------------------------------------------------------------------- 1 | Empty file, your gpg crap goes here 2 | -------------------------------------------------------------------------------- /buildserver/files/gpg/trustdb.gpg: 
-------------------------------------------------------------------------------- 1 | Empty file, your gpg crap goes here 2 | -------------------------------------------------------------------------------- /buildserver/files/jenkins.nginx.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | server_name build.* build; 4 | access_log /var/log/nginx/build.access.log; 5 | server_name_in_redirect off; 6 | 7 | location / { 8 | proxy_pass http://localhost:8080/; 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /buildserver/files/publish.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | REPODIR=/mnt/loggly/repo 4 | REPONAME=loggly-production 5 | 6 | if [ $(whoami) != "pkgrepo" ] ; then 7 | echo "Switching users to 'pkgrepo'" 8 | exec sudo -u pkgrepo $0 "$@" 9 | fi 10 | 11 | if [ -z "$GOT_LOCK" ] ; then 12 | echo "Grabbing lockfile..." 13 | exec flock -w 10 -x "$REPODIR/publish.lock" env GOT_LOCK=1 $0 "$@" 14 | fi 15 | 16 | if [ -z "$1" ] ; then 17 | echo "Usage: $0 " 18 | exit 1 19 | fi 20 | 21 | for i in $@ ; do 22 | package_name="$(dpkg-deb --show --showformat='${Package}\n' "$i")" 23 | if echo "$package_name" | grep '/^lib' ; then 24 | subdir=lib$(echo "$package_name" | cut -b1) 25 | else 26 | subdir=$(echo "$package_name" | cut -b1) 27 | fi 28 | 29 | dir="$REPODIR/pool/main/$subdir/$package_name" 30 | target="${dir}/$(basename $i)" 31 | echo "Target: $target" 32 | if [ -f "$target" ] ; then 33 | echo "A package with the same file name is already in this repository. Aborting copy." 34 | exit 1 35 | else 36 | echo "Copying $i to apt repo..." 
37 | mkdir -p "$dir" 38 | cp -v "$i" "$target" 39 | fi 40 | done 41 | 42 | env GNUPGHOME=/opt/loggly/repo/gpg genrepo.sh 43 | -------------------------------------------------------------------------------- /buildserver/files/rebuild-repo.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Recreate the reprepro db from existing debs. 3 | 4 | REPODIR=/mnt/loggly/repo 5 | REPONAME=loggly-production 6 | 7 | 8 | mv $REPODIR/db $REPODIR/db.$(date +%Y.%m.%d) 9 | 10 | find $REPODIR -name '*.deb' -type f \ 11 | | xargs -n1 stat -c "%Y %n" \ 12 | | sort -n \ 13 | | awk '{$1=""; print}' \ 14 | | xargs -n50 sudo -u pkgrepo \ 15 | env GNUPGHOME=/opt/loggly/repo/gpg \ 16 | reprepro --keepunusednewfiles --keepunreferencedfiles -Vb $REPODIR includedeb $REPONAME 17 | 18 | -------------------------------------------------------------------------------- /buildserver/files/repo.nginx.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | server_name repo.* repo; 4 | access_log /var/log/nginx/repo.access.log; 5 | server_name_in_redirect off; 6 | 7 | index index.html; 8 | root /var/empty; 9 | location /repo { 10 | root /mnt/loggly; # /repo 11 | autoindex on; 12 | } 13 | 14 | location /repo/gpg { 15 | deny all; 16 | } 17 | 18 | location /repo/db { 19 | deny all; 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /buildserver/manifests/init.pp: -------------------------------------------------------------------------------- 1 | class buildserver { 2 | include ::ubuntu::packagebuilding 3 | include ::loggly::common 4 | include ::jenkins 5 | include ::java::jdk 6 | 7 | # TODO(sissel): make this allow only known hosts? 
8 | iptables::rule { 9 | "allow http": 10 | ports => 80; 11 | } 12 | 13 | package { 14 | "reprepro": ensure => latest; 15 | "gnupg": ensure => latest; 16 | "ant": ensure => latest; 17 | } 18 | 19 | user { 20 | "pkgrepo": ensure => present; 21 | } 22 | 23 | nginx::vhost { 24 | "repo": 25 | source => "puppet:///modules/loggly/buildserver/repo.nginx.conf"; 26 | "jenkins": 27 | source => "puppet:///modules/loggly/buildserver/jenkins.nginx.conf"; 28 | } 29 | 30 | file { 31 | "/mnt/loggly/repo": 32 | ensure => directory, 33 | owner => "pkgrepo"; 34 | "/opt/loggly/repo": 35 | ensure => link, 36 | target => "/mnt/loggly/repo"; 37 | "/opt/loggly/repo/conf": 38 | ensure => directory; 39 | "/opt/loggly/repo/conf/distributions": 40 | ensure => file, 41 | source => "puppet:///modules/loggly/buildserver/distributions"; 42 | "/opt/loggly/repo/gpg": 43 | ensure => directory, 44 | owner => "pkgrepo", 45 | mode => 700; 46 | "/opt/loggly/repo/gpg/pubring.gpg": 47 | ensure => file, 48 | source => "puppet:///modules/loggly/buildserver/gpg/pubring.gpg", 49 | owner => "pkgrepo", 50 | mode => 600; 51 | "/opt/loggly/repo/gpg/secring.gpg": 52 | ensure => file, 53 | source => "puppet:///modules/loggly/buildserver/gpg/secring.gpg", 54 | owner => "pkgrepo", 55 | mode => 600; 56 | "/opt/loggly/repo/gpg/trustdb.gpg": 57 | ensure => file, 58 | source => "puppet:///modules/loggly/buildserver/gpg/trustdb.gpg", 59 | owner => "pkgrepo", 60 | mode => 600; 61 | "/usr/local/bin/publish.sh": 62 | ensure => file, 63 | source => "puppet:///modules/loggly/buildserver/publish.sh", 64 | mode => 755; 65 | "/usr/local/bin/genrepo.sh": 66 | ensure => file, 67 | source => "puppet:///modules/loggly/buildserver/genrepo.sh", 68 | mode => 755; 69 | } 70 | } 71 | -------------------------------------------------------------------------------- /debian/manifests/package.pp: -------------------------------------------------------------------------------- 1 | define debian::package($ensure="present", $config) { 2 | 
include ::debian::preseed 3 | 4 | $responsefile = "$debian::preseed::basepath/$name.preseed" 5 | package { 6 | "$name": 7 | ensure => $ensure, 8 | responsefile => $responsefile, 9 | require => File[$responsefile]; 10 | } 11 | 12 | file { 13 | $responsefile: 14 | ensure => file, 15 | content => template("debian/preseed.erb"); 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /debian/manifests/preseed.pp: -------------------------------------------------------------------------------- 1 | class debian::preseed { 2 | $basepath = "/var/lib/puppet-preseed" 3 | 4 | file { 5 | $basepath: 6 | ensure => directory; 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /debian/templates/preseed.erb: -------------------------------------------------------------------------------- 1 | # Preseed file generated by puppet 2 | # Package: <%= name %> 3 | <% if String === config -%> 4 | <%= config %> 5 | <% elsif Array === config -%> 6 | <%= config.join("\n") %> 7 | <% else -%> 8 | # Unexpected type for 'config': <%= config.class %> 9 | <% end -%> 10 | -------------------------------------------------------------------------------- /graphite/files/carbon.conf: -------------------------------------------------------------------------------- 1 | [cache] 2 | LOCAL_DATA_DIR = /mnt/graphite/storage/whisper/ 3 | 4 | # Specify the user to drop privileges to 5 | # If this is blank carbon runs as the user that invokes it 6 | # This user must have write access to the local data directory 7 | USER = 8 | 9 | # Limit the size of the cache to avoid swapping or becoming CPU bound. 10 | # Sorts and serving cache queries gets more expensive as the cache grows. 11 | # Use the value "inf" (infinity) for an unlimited cache size. 12 | MAX_CACHE_SIZE = inf 13 | 14 | # Limits the number of whisper update_many() calls per second, which effectively 15 | # means the number of write requests sent to the disk. 
This is intended to 16 | # prevent over-utilizing the disk and thus starving the rest of the system. 17 | # When the rate of required updates exceeds this, then carbon's caching will 18 | # take effect and increase the overall throughput accordingly. 19 | MAX_UPDATES_PER_SECOND = 1000 20 | 21 | # Softly limits the number of whisper files that get created each minute. 22 | # Setting this value low (like at 50) is a good way to ensure your graphite 23 | # system will not be adversely impacted when a bunch of new metrics are 24 | # sent to it. The trade off is that it will take much longer for those metrics' 25 | # database files to all get created and thus longer until the data becomes usable. 26 | # Setting this value high (like "inf" for infinity) will cause graphite to create 27 | # the files quickly but at the risk of slowing I/O down considerably for a while. 28 | MAX_CREATES_PER_MINUTE = inf 29 | 30 | LINE_RECEIVER_INTERFACE = 0.0.0.0 31 | LINE_RECEIVER_PORT = 2003 32 | 33 | PICKLE_RECEIVER_INTERFACE = 0.0.0.0 34 | PICKLE_RECEIVER_PORT = 2004 35 | 36 | CACHE_QUERY_INTERFACE = 0.0.0.0 37 | CACHE_QUERY_PORT = 7002 38 | 39 | # By default, carbon-cache will log every whisper update. This can be excessive and 40 | # degrade performance if logging on the same volume as the whisper data is stored. 41 | LOG_UPDATES = True 42 | 43 | 44 | # Enable AMQP if you want to receve metrics using an amqp broker 45 | # ENABLE_AMQP = False 46 | 47 | # Verbose means a line will be logged for every metric received 48 | # useful for testing 49 | # AMQP_VERBOSE = False 50 | 51 | # AMQP_HOST = localhost 52 | # AMQP_PORT = 5672 53 | # AMQP_VHOST = / 54 | # AMQP_USER = guest 55 | # AMQP_PASSWORD = guest 56 | # AMQP_EXCHANGE = graphite 57 | 58 | # Patterns for all of the metrics this machine will store. 
Read more at 59 | # http://en.wikipedia.org/wiki/Advanced_Message_Queuing_Protocol#Bindings 60 | # 61 | # Example: store all sales, linux servers, and utilization metrics 62 | # BIND_PATTERNS = sales.#, servers.linux.#, #.utilization 63 | # 64 | # Example: store everything 65 | # BIND_PATTERNS = # 66 | 67 | # NOTE: you cannot run both a cache and a relay on the same server 68 | # with the default configuration, you have to specify a distinict 69 | # interfaces and ports for the listeners. 70 | 71 | [relay] 72 | LINE_RECEIVER_INTERFACE = 0.0.0.0 73 | LINE_RECEIVER_PORT = 2003 74 | 75 | PICKLE_RECEIVER_INTERFACE = 0.0.0.0 76 | PICKLE_RECEIVER_PORT = 2004 77 | 78 | CACHE_SERVERS = server1, server2, server3 79 | MAX_QUEUE_SIZE = 10000 80 | -------------------------------------------------------------------------------- /graphite/files/graphite.wsgi: -------------------------------------------------------------------------------- 1 | # You may need to manually edit this file to fit your needs. 2 | # This configuration assumes the default installation prefix 3 | # of /opt/graphite/, if you installed graphite somewhere else 4 | # you will need to change all the occurances of /opt/graphite/ 5 | # in this file to your chosen install location. 
6 | 7 | import os 8 | import sys 9 | sys.path.insert(0, '/opt/graphite/webapp/') 10 | os.environ['DJANGO_SETTINGS_MODULE'] = 'graphite.settings' 11 | 12 | import django.core.handlers.wsgi 13 | 14 | _application = django.core.handlers.wsgi.WSGIHandler() 15 | 16 | def application(environ, start_response): 17 | environ['PATH_INFO'] = environ['SCRIPT_NAME'] + environ['PATH_INFO'] 18 | return _application(environ, start_response) 19 | 20 | -------------------------------------------------------------------------------- /graphite/files/local_settings.py: -------------------------------------------------------------------------------- 1 | DATABASE_NAME = "/opt/graphite/storage/webapp/graphite.db" 2 | 3 | -------------------------------------------------------------------------------- /graphite/files/storage-schemas.conf: -------------------------------------------------------------------------------- 1 | # Assume 60 second metrics by default 2 | [everything] 3 | priority = 150 4 | pattern = .* 5 | retentions = 60:1728000,300:5184000,3600:62208000 6 | 7 | # Host metrics are every 10 seconds 8 | [host] 9 | priority = 100 10 | pattern = host\..*\.system\..* 11 | retentions = 60:1728000,300:5184000,3600:62208000 12 | 13 | # App metrics are every 10 seconds 14 | [app] 15 | priority = 90 16 | pattern = host\..*\.app\..* 17 | retentions = 60:1728000,300:5184000,3600:62208000 18 | -------------------------------------------------------------------------------- /graphite/files/tools/json-to-graphite.js: -------------------------------------------------------------------------------- 1 | var net = require("net"); 2 | var url = require("url"); 3 | 4 | function to_dotted_notation(obj, parent_key, result) { 5 | if (typeof(parent_key) == 'undefined') parent_key = ""; 6 | if (typeof(result) == 'undefined') result = {}; 7 | 8 | if (typeof(obj) == 'object') { 9 | for (var i in obj) { 10 | var key = parent_key ? (parent_key + "." 
+ i) : i; 11 | to_dotted_notation(obj[i], key, result); 12 | } 13 | } else if (typeof(obj) == 'number') { 14 | result[parent_key] = obj; 15 | } 16 | return result; 17 | } 18 | 19 | var stdin = process.openStdin(); 20 | var input = ""; 21 | stdin.on("data", function(chunk) { 22 | input += chunk; 23 | }); 24 | stdin.on("end", function() { 25 | data = JSON.parse(input); 26 | results = to_dotted_notation(data); 27 | 28 | /* TODO(sissel): validate args */ 29 | var targeturl = url.parse(process.argv[2]); 30 | var host = targeturl.hostname; 31 | var port = targeturl.port || 2003; 32 | var prefix = targeturl.pathname.slice(1); /* trim leading '/' */ 33 | 34 | /* Only fetch matching keys */ 35 | var args = process.argv.slice(3); /* argv[0] == 'node', argv[1] is script name */ 36 | 37 | /* Create a regexp of (arg)|(arg)|(arg)... */ 38 | var pattern = args.map(function(arg) { return "(" + arg + ")" }).join("|"); 39 | var re = new RegExp(pattern); 40 | 41 | var now = Math.floor((new Date()).getTime() / 1000); 42 | var messages = [] 43 | for (var key in results) { 44 | if (re.test(key)) { 45 | var fullkey = key; 46 | if (prefix) { 47 | fullkey = prefix + "." 
+ key; 48 | } 49 | messages.push([fullkey, results[key], now].join(" ")); 50 | } 51 | } 52 | 53 | var graphite = net.createConnection(port, host); 54 | console.log("Sending to " + host + ":" + port); 55 | graphite.on('connect', function() { 56 | for (var i in messages) { 57 | var m = messages[i].toLowerCase(); 58 | graphite.write(m + "\n"); 59 | console.log(m); 60 | } 61 | graphite.end(); 62 | }); 63 | }); 64 | -------------------------------------------------------------------------------- /graphite/manifests/curljson.pp: -------------------------------------------------------------------------------- 1 | define graphite::curljson($url, $filter=[], $metric_prefix="", 2 | $interval=10) { 3 | require ::graphite::tools 4 | 5 | file { 6 | "/usr/local/bin/curljson-$name.sh": 7 | ensure => file, 8 | content => template("graphite/tools/curl-json-to-graphite.sh.erb"), 9 | notify => Supervisor::Program["curljson-$name"], 10 | mode => 755; 11 | } 12 | 13 | supervisor::program { 14 | "curljson-$name": 15 | command => "/usr/local/bin/curljson-$name.sh", 16 | user => "nobody"; 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /graphite/manifests/package.pp: -------------------------------------------------------------------------------- 1 | class graphite::package { 2 | include ::python::package::django 3 | include ::python::package::django::tagging 4 | include ::python::package::sqlite 5 | 6 | python::package { 7 | "python-whisper": ensure => latest; 8 | "python-carbon": ensure => latest; 9 | "python-graphite-web": ensure => latest; 10 | "python-zope.interface": ensure => latest; 11 | #"python-sqlite3": ensure => latest; 12 | 13 | # Use our own version of cairo 14 | "python-cairo": ensure => absent; 15 | } 16 | 17 | # We built these, not ubuntu native. 
18 | package { 19 | "python-twisted": ensure => latest; 20 | "python-pycairo": ensure => latest; 21 | } 22 | } 23 | 24 | -------------------------------------------------------------------------------- /graphite/manifests/server.pp: -------------------------------------------------------------------------------- 1 | class graphite::server { 2 | include ::graphite::package 3 | include ::apache::mod::wsgi 4 | 5 | user { 6 | "graphite": ensure => present; 7 | } 8 | 9 | iptables::rule { 10 | "allow http (for graphite)": ports => 80; 11 | "allow https (for graphite)": ports => 443; 12 | } 13 | 14 | file { 15 | "/mnt/graphite": 16 | ensure => directory, 17 | owner => "graphite"; 18 | "/mnt/graphite/storage": 19 | ensure => directory, 20 | owner => "graphite"; 21 | "/mnt/graphite/storage/whisper": 22 | ensure => directory, 23 | owner => "graphite", 24 | recurse => "true"; 25 | "/mnt/graphite/storage/log": 26 | ensure => directory, 27 | owner => "graphite"; 28 | "/opt/graphite/conf/carbon.conf": 29 | ensure => file, 30 | owner => "graphite", 31 | source => "puppet:///modules/graphite/carbon.conf", 32 | require => Class["graphite::package"], 33 | notify => Supervisor::Program["graphite-carbon"]; 34 | "/opt/graphite/conf/storage-schemas.conf": 35 | ensure => file, 36 | owner => "graphite", 37 | source => "puppet:///modules/graphite/storage-schemas.conf", 38 | require => Class["graphite::package"], 39 | notify => Supervisor::Program["graphite-carbon"]; 40 | "/opt/graphite/webapp": 41 | ensure => directory; 42 | "/opt/graphite/webapp/graphite/graphite.wsgi": 43 | ensure => file, 44 | source => "puppet:///modules/graphite/graphite.wsgi"; 45 | "/opt/graphite": 46 | ensure => directory, 47 | owner => "graphite", 48 | recurse => true; 49 | "/opt/graphite/storage/whisper": 50 | ensure => link, 51 | force => true, 52 | target => "/mnt/graphite/storage/whisper"; 53 | "/opt/graphite/storage/log": 54 | ensure => link, 55 | force => true, 56 | target => "/mnt/graphite/storage/log"; 57 | 
"/opt/graphite/storage/log/webapp": 58 | ensure => directory, 59 | owner => "www-data"; 60 | [ "/opt/graphite/storage/log/webapp/exception.log", 61 | "/opt/graphite/storage/log/webapp/info.log" ]: 62 | ensure => file, 63 | owner => "www-data"; 64 | 65 | "/opt/graphite/storage/webapp": 66 | ensure => directory, 67 | owner => "www-data"; 68 | "/opt/graphite/webapp/graphite/local_settings.py": 69 | ensure => file, 70 | source => "puppet:///modules/graphite/local_settings.py"; 71 | 72 | # graphite-web likes to have write access to this file, but it doesn't 73 | # actually write to it? Confusing. -jordan 74 | "/mnt/graphite/storage/index": 75 | ensure => file, 76 | owner => "www-data"; 77 | } 78 | 79 | iptables::rule { 80 | "allow metric pushes to graphite": 81 | ports => [ 2003 ], 82 | roles => [ "solr", "proxy", "frontend", "graphite", "monitor" ]; 83 | } 84 | 85 | supervisor::program { 86 | "grophite-web": 87 | user => "graphite", 88 | command => "python /opt/graphite/bin/run-graphite-devel-server.py /opt/graphite", 89 | ensure => absent; # Don't need this anymore, remove after 2011/12/01 90 | "graphite-carbon": 91 | user => "graphite", 92 | command => "python /opt/graphite/bin/carbon-cache.py --debug start", 93 | require => [Class["graphite::package"], File["/mnt/graphite/storage/whisper"]]; 94 | } 95 | 96 | apache::site { 97 | "graphite": 98 | content => template("graphite/graphite.httpd.conf.erb"); 99 | } 100 | } 101 | -------------------------------------------------------------------------------- /graphite/manifests/tools.pp: -------------------------------------------------------------------------------- 1 | class graphite::tools { 2 | include ::nodejs 3 | 4 | file { 5 | "/usr/local/bin/json-to-graphite.js": 6 | source => "puppet:///modules/graphite/tools/json-to-graphite.js", 7 | require => Class["nodejs"]; 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /graphite/templates/graphite.httpd.conf.erb: 
-------------------------------------------------------------------------------- 1 | # This configuration assumes the default installation prefix 2 | # of /opt/graphite/, if you installed graphite somewhere else 3 | # you will need to change all the occurrences of /opt/graphite/ 4 | # in this file to your chosen install location. 5 | 6 | 7 | ServerName graphite.example.com 8 | ServerAlias graphite.<%= deployment_hostname %> 9 | ServerAlias graphite.<%= deployment %>.example.com 10 | ServerAlias graphite 11 | 12 | WSGIDaemonProcess graphite user=www-data group=www-data threads=25 13 | WSGIProcessGroup graphite 14 | WSGIScriptAlias / /opt/graphite/webapp/graphite/graphite.wsgi 15 | 16 | 17 | Order deny,allow 18 | Allow from all 19 | 20 | 21 | # NOTE: In order for the django admin site media to work you 22 | # must change @DJANGO_ROOT@ to be the path to your django 23 | # installation, which is probably something like: 24 | # /usr/lib/python2.6/site-packages/django 25 | Alias /media/ "/usr/lib/pymodules/python2.6/django/contrib/admin/media/" 26 | 27 | Order deny,allow 28 | Allow from all 29 | 30 | 31 | 32 | SetHandler None 33 | 34 | 35 | 36 | SetHandler None 37 | 38 | 39 | -------------------------------------------------------------------------------- /graphite/templates/tools/curl-json-to-graphite.sh.erb: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | 4 | while true; do 5 | curl "<%= url %>" \ 6 | | node /usr/local/bin/json-to-graphite.js \ 7 | graphite://monitor:2003/<%= metric_prefix %> \ 8 | <%= filter.join(" ") %> 9 | sleep <%= interval %> 10 | done 11 | 12 | -------------------------------------------------------------------------------- /iptables/example-usage/apache.pp: -------------------------------------------------------------------------------- 1 | class apache { 2 | iptables::rule { 3 | "allow http/https from anywhere": 4 | ports => [ 80, 443 ], 5 | sources => [ "0.0.0.0/0" ]; 6 | } 7 | } 8 | 
-------------------------------------------------------------------------------- /iptables/files/1.basic: -------------------------------------------------------------------------------- 1 | # allow established connections 2 | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 3 | 4 | # Allow icmp and loopback 5 | -A INPUT -p icmp -j ACCEPT 6 | -A INPUT -i lo -j ACCEPT 7 | 8 | # Drop multicast and major broadcast, for now. 9 | -A INPUT -d 255.255.255.255 -j DROP 10 | -A INPUT -d 224.0.0.0/8 -j DROP 11 | -------------------------------------------------------------------------------- /iptables/files/1000.drop-unexpected: -------------------------------------------------------------------------------- 1 | -A INPUT -j DROP 2 | -------------------------------------------------------------------------------- /iptables/files/999.iptables-logging: -------------------------------------------------------------------------------- 1 | # log almost anything else 2 | -A INPUT -j LOG -p udp --log-prefix "blocked inbound " -m limit --limit 6/min 3 | -A INPUT -j LOG -p tcp --syn --log-prefix "blocked inbound " -m limit --limit 6/min 4 | -------------------------------------------------------------------------------- /iptables/files/build-iptables.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | Dir["/etc/iptables.d/*"].each do |tablepath| 4 | table = File.basename(tablepath) 5 | rules = Dir["#{tablepath}/*"].collect { |path| File.basename(path) } 6 | 7 | if rules.length > 0 8 | puts "*#{table}" # like '*filter' 9 | rules.sort { |a,b| a.to_i <=> b.to_i }.each do |rule| 10 | puts File.new("#{tablepath}/#{rule}").read() 11 | end 12 | puts "COMMIT" 13 | end 14 | 15 | end 16 | -------------------------------------------------------------------------------- /iptables/manifests/enable.pp: -------------------------------------------------------------------------------- 1 | class iptables::enable { 2 | include 
iptables 3 | 4 | exec { 5 | "configure iptables": 6 | command => "/usr/local/bin/build-iptables.rb | iptables-restore", 7 | require => Class["iptables"]; 8 | } 9 | 10 | Iptables::Rule <| |> { 11 | before +> Exec["configure iptables"] 12 | } 13 | 14 | } 15 | -------------------------------------------------------------------------------- /iptables/manifests/init.pp: -------------------------------------------------------------------------------- 1 | class iptables { 2 | package { 3 | "conntrack": ensure => latest; 4 | } 5 | 6 | file { 7 | [ "/etc/iptables.d", "/etc/iptables.d/nat", "/etc/iptables.d/filter" ]: 8 | ensure => directory; 9 | "/usr/local/bin/build-iptables.rb": 10 | ensure => file, 11 | source => "puppet:///modules/iptables/build-iptables.rb", 12 | mode => "0755"; 13 | 14 | "/etc/iptables.d/filter/1.basic": 15 | ensure => file, 16 | source => "puppet:///modules/iptables/1.basic"; 17 | "/etc/iptables.d/filter/1000.drop-unexpected": 18 | ensure => file, 19 | source => "puppet:///modules/iptables/1000.drop-unexpected"; 20 | "/etc/iptables.d/filter/999.iptables-logging": 21 | ensure => file, 22 | source => "puppet:///modules/iptables/999.iptables-logging"; 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /iptables/manifests/rule.pp: -------------------------------------------------------------------------------- 1 | define iptables::rule($ports, $protocol="tcp", $ensure="permit", $roles=undef, 2 | $sources=undef, $priority=10) { 3 | include ::iptables 4 | 5 | # Validate $ensure 6 | case $ensure { 7 | "permit": { $target = "ACCEPT" } 8 | "reject": { $target = "REJECT" } 9 | "drop": { $target = "DROP" } 10 | default: { fail("Invalid value ensure => '$ensure' for Iptables::Rule[$name]. Must be permit, reject, or drop") } 11 | } 12 | 13 | # Validate $protocol 14 | case $protocol { 15 | "tcp", "icmp", "udp": { } 16 | default: { fail("Invalid value protocol => '$protocol' for Iptables::Rule[$name]. 
Must be tcp, icmp, or udp") } 17 | } 18 | 19 | # If no roles or sources are specified, default to 'any' 20 | if $roles == undef and $sources == undef { 21 | $any_source = true 22 | } else { 23 | $any_source = false 24 | } 25 | 26 | $file_name = inline_template("<%= priority + '.' + name.gsub(' ', '_') %>") 27 | file { 28 | [ "/etc/iptables.d/iptables.$name", 29 | "/etc/iptables.d/filter/iptables.$name", 30 | "/etc/iptables.d/filter/$priority.$name" ]: 31 | ensure => absent; 32 | "/etc/iptables.d/filter/$file_name": 33 | ensure => file, 34 | content => template("iptables/rule.erb"); 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /iptables/templates/rule.erb: -------------------------------------------------------------------------------- 1 | <% 2 | Puppet::Parser::Functions.autoloader.loadall 3 | 4 | ports_list = ports.is_a?(Array) ? ports : [ports] 5 | roles_list = roles.is_a?(String) ? [roles] : roles 6 | sources_list = sources.is_a?(String) ? [sources] : sources 7 | 8 | # These are :undef by default, assume empty strings if empty. 9 | roles_list = [] if roles_list == :undef 10 | sources_list = [] if sources_list == :undef 11 | 12 | protocol_flags = { 13 | "udp" => "", 14 | "tcp" => "--syn", 15 | "icmp" => "", 16 | } 17 | 18 | -%> 19 | # Rule: <%= name %> 20 | <% ports_list.each do |port| -%> 21 | <% if !roles_list.empty? -%> 22 | <% roles_list.each do |role| -%> 23 | <% scope.function_role_addresses(role).each do |address| -%> 24 | -A INPUT -s <%= address %> -p <%= protocol %> <%= protocol_flags[protocol] %> --dport <%= port %> -j <%= target %> -m comment --comment "<%= name %> (role: <%= role %>)" 25 | <% end -%> 26 | <% end -%> 27 | <% end -%> 28 | <% if !sources_list.empty? 
-%> 29 | <% sources_list.each do |address| -%> 30 | -A INPUT -s <%= address %> -p <%= protocol %> <%= protocol_flags[protocol ] %> --dport <%= port %> -j <%= target %> -m comment --comment "<%= name %>" 31 | <% end -%> 32 | <% end -%> 33 | <% if any_source -%> 34 | -A INPUT -s 0.0.0.0/0 -p <%= protocol %> <%= protocol_flags[protocol ] %> --dport <%= port %> -j <%= target %> -m comment --comment "<%= name %> (any source)" 35 | <% end -%> 36 | <% end -%> 37 | -------------------------------------------------------------------------------- /java/manifests/jdk.pp: -------------------------------------------------------------------------------- 1 | class java::jdk { 2 | include ::java::jre 3 | 4 | debian::package { 5 | "sun-java6-jdk": 6 | ensure => latest, 7 | config => "sun-java6-jdk shared/accepted-sun-dlj-v1-1 boolean true", 8 | require => Class["java::jre"]; 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /java/manifests/jre.pp: -------------------------------------------------------------------------------- 1 | class java::jre { 2 | debian::package { 3 | "sun-java6-jre": 4 | ensure => latest, 5 | config => "sun-java6-jre shared/accepted-sun-dlj-v1-1 boolean true", 6 | require => Package["sun-java6-bin"], 7 | notify => Exec["use sun java"]; 8 | "sun-java6-bin": 9 | ensure => latest, 10 | config => "sun-java6-bin shared/accepted-sun-dlj-v1-1 boolean true", 11 | notify => Exec["use sun java"]; 12 | } 13 | 14 | exec { 15 | "use sun java": 16 | command => "update-alternatives --set java /usr/lib/jvm/java-6-sun/jre/bin/java", 17 | refreshonly => true; 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /nagios/files/cgi.cfg: -------------------------------------------------------------------------------- 1 | ################################################################# 2 | # 3 | # CGI.CFG - Sample CGI Configuration File for Nagios 4 | # 5 | 
################################################################# 6 | 7 | 8 | # MAIN CONFIGURATION FILE 9 | # This tells the CGIs where to find your main configuration file. 10 | # The CGIs will read the main and host config files for any other 11 | # data they might need. 12 | 13 | main_config_file=/etc/nagios3/nagios.cfg 14 | 15 | 16 | 17 | # PHYSICAL HTML PATH 18 | # This is the path where the HTML files for Nagios reside. This 19 | # value is used to locate the logo images needed by the statusmap 20 | # and statuswrl CGIs. 21 | 22 | physical_html_path=/usr/share/nagios3/htdocs 23 | 24 | 25 | 26 | # URL HTML PATH 27 | # This is the path portion of the URL that corresponds to the 28 | # physical location of the Nagios HTML files (as defined above). 29 | # This value is used by the CGIs to locate the online documentation 30 | # and graphics. If you access the Nagios pages with an URL like 31 | # http://www.myhost.com/nagios, this value should be '/nagios' 32 | # (without the quotes). 33 | 34 | url_html_path=/nagios3 35 | 36 | 37 | 38 | # CONTEXT-SENSITIVE HELP 39 | # This option determines whether or not a context-sensitive 40 | # help icon will be displayed for most of the CGIs. 41 | # Values: 0 = disables context-sensitive help 42 | # 1 = enables context-sensitive help 43 | 44 | show_context_help=1 45 | 46 | 47 | 48 | # PENDING STATES OPTION 49 | # This option determines what states should be displayed in the web 50 | # interface for hosts/services that have not yet been checked. 51 | # Values: 0 = leave hosts/services that have not been check yet in their original state 52 | # 1 = mark hosts/services that have not been checked yet as PENDING 53 | 54 | use_pending_states=1 55 | 56 | # NAGIOS PROCESS CHECK COMMAND 57 | # This is the full path and filename of the program used to check 58 | # the status of the Nagios process. It is used only by the CGIs 59 | # and is completely optional. 
However, if you don't use it, you'll 60 | # see warning messages in the CGIs about the Nagios process 61 | # not running and you won't be able to execute any commands from 62 | # the web interface. The program should follow the same rules 63 | # as plugins; the return codes are the same as for the plugins, 64 | # it should have timeout protection, it should output something 65 | # to STDIO, etc. 66 | # 67 | # Note: The command line for the check_nagios plugin below may 68 | # have to be tweaked a bit, as different versions of the plugin 69 | # use different command line arguments/syntaxes. 70 | 71 | nagios_check_command=/usr/lib/nagios/plugins/check_nagios /var/cache/nagios3/status.dat 5 '/usr/sbin/nagios3' 72 | 73 | 74 | # AUTHENTICATION USAGE 75 | # This option controls whether or not the CGIs will use any 76 | # authentication when displaying host and service information, as 77 | # well as committing commands to Nagios for processing. 78 | # 79 | # Read the HTML documentation to learn how the authorization works! 80 | # 81 | # NOTE: It is a really *bad* idea to disable authorization, unless 82 | # you plan on removing the command CGI (cmd.cgi)! Failure to do 83 | # so will leave you wide open to kiddies messing with Nagios and 84 | # possibly hitting you with a denial of service attack by filling up 85 | # your drive by continuously writing to your command file! 86 | # 87 | # Setting this value to 0 will cause the CGIs to *not* use 88 | # authentication (bad idea), while any other value will make them 89 | # use the authentication functions (the default). 90 | 91 | use_authentication=1 92 | 93 | 94 | 95 | 96 | # x509 CERT AUTHENTICATION 97 | # When enabled, this option allows you to use x509 cert (SSL) 98 | # authentication in the CGIs. This is an advanced option and should 99 | # not be enabled unless you know what you're doing. 
100 | 101 | use_ssl_authentication=0 102 | 103 | 104 | 105 | 106 | # DEFAULT USER 107 | # Setting this variable will define a default user name that can 108 | # access pages without authentication. This allows people within a 109 | # secure domain (i.e., behind a firewall) to see the current status 110 | # without authenticating. You may want to use this to avoid basic 111 | # authentication if you are not using a secure server since basic 112 | # authentication transmits passwords in the clear. 113 | # 114 | # Important: Do not define a default username unless you are 115 | # running a secure web server and are sure that everyone who has 116 | # access to the CGIs has been authenticated in some manner! If you 117 | # define this variable, anyone who has not authenticated to the web 118 | # server will inherit all rights you assign to this user! 119 | 120 | #default_user_name=guest 121 | 122 | 123 | 124 | # SYSTEM/PROCESS INFORMATION ACCESS 125 | # This option is a comma-delimited list of all usernames that 126 | # have access to viewing the Nagios process information as 127 | # provided by the Extended Information CGI (extinfo.cgi). By 128 | # default, *no one* has access to this unless you choose to 129 | # not use authorization. You may use an asterisk (*) to 130 | # authorize any user who has authenticated to the web server. 131 | 132 | authorized_for_system_information=hoover 133 | 134 | 135 | 136 | # CONFIGURATION INFORMATION ACCESS 137 | # This option is a comma-delimited list of all usernames that 138 | # can view ALL configuration information (hosts, commands, etc). 139 | # By default, users can only view configuration information 140 | # for the hosts and services they are contacts for. You may use 141 | # an asterisk (*) to authorize any user who has authenticated 142 | # to the web server. 
143 | 144 | authorized_for_configuration_information=hoover 145 | 146 | 147 | 148 | # SYSTEM/PROCESS COMMAND ACCESS 149 | # This option is a comma-delimited list of all usernames that 150 | # can issue shutdown and restart commands to Nagios via the 151 | # command CGI (cmd.cgi). Users in this list can also change 152 | # the program mode to active or standby. By default, *no one* 153 | # has access to this unless you choose to not use authorization. 154 | # You may use an asterisk (*) to authorize any user who has 155 | # authenticated to the web server. 156 | 157 | authorized_for_system_commands=hoover 158 | 159 | 160 | 161 | # GLOBAL HOST/SERVICE VIEW ACCESS 162 | # These two options are comma-delimited lists of all usernames that 163 | # can view information for all hosts and services that are being 164 | # monitored. By default, users can only view information 165 | # for hosts or services that they are contacts for (unless you 166 | # you choose to not use authorization). You may use an asterisk (*) 167 | # to authorize any user who has authenticated to the web server. 168 | 169 | 170 | authorized_for_all_services=hoover 171 | authorized_for_all_hosts=hoover 172 | 173 | 174 | 175 | # GLOBAL HOST/SERVICE COMMAND ACCESS 176 | # These two options are comma-delimited lists of all usernames that 177 | # can issue host or service related commands via the command 178 | # CGI (cmd.cgi) for all hosts and services that are being monitored. 179 | # By default, users can only issue commands for hosts or services 180 | # that they are contacts for (unless you you choose to not use 181 | # authorization). You may use an asterisk (*) to authorize any 182 | # user who has authenticated to the web server. 183 | 184 | authorized_for_all_service_commands=hoover 185 | authorized_for_all_host_commands=hoover 186 | 187 | 188 | 189 | # READ-ONLY USERS 190 | # A comma-delimited list of usernames that have read-only rights in 191 | # the CGIs. 
This will block any service or host commands normally shown 192 | # on the extinfo CGI pages. It will also block comments from being shown 193 | # to read-only users. 194 | 195 | #authorized_for_read_only=user1,user2 196 | 197 | 198 | 199 | 200 | # STATUSMAP BACKGROUND IMAGE 201 | # This option allows you to specify an image to be used as a 202 | # background in the statusmap CGI. It is assumed that the image 203 | # resides in the HTML images path (i.e. /usr/local/nagios/share/images). 204 | # This path is automatically determined by appending "/images" 205 | # to the path specified by the 'physical_html_path' directive. 206 | # Note: The image file may be in GIF, PNG, JPEG, or GD2 format. 207 | # However, I recommend that you convert your image to GD2 format 208 | # (uncompressed), as this will cause less CPU load when the CGI 209 | # generates the image. 210 | 211 | #statusmap_background_image=smbackground.gd2 212 | 213 | 214 | 215 | 216 | # STATUSMAP TRANSPARENCY INDEX COLOR 217 | # These options set the r,g,b values of the background color used the statusmap CGI, 218 | # so normal browsers that can't show real png transparency set the desired color as 219 | # a background color instead (to make it look pretty). 220 | # Defaults to white: (R,G,B) = (255,255,255). 221 | 222 | #color_transparency_index_r=255 223 | #color_transparency_index_g=255 224 | #color_transparency_index_b=255 225 | 226 | 227 | 228 | 229 | # DEFAULT STATUSMAP LAYOUT METHOD 230 | # This option allows you to specify the default layout method 231 | # the statusmap CGI should use for drawing hosts. If you do 232 | # not use this option, the default is to use user-defined 233 | # coordinates. 
Valid options are as follows: 234 | # 0 = User-defined coordinates 235 | # 1 = Depth layers 236 | # 2 = Collapsed tree 237 | # 3 = Balanced tree 238 | # 4 = Circular 239 | # 5 = Circular (Marked Up) 240 | 241 | default_statusmap_layout=5 242 | 243 | 244 | 245 | # DEFAULT STATUSWRL LAYOUT METHOD 246 | # This option allows you to specify the default layout method 247 | # the statuswrl (VRML) CGI should use for drawing hosts. If you 248 | # do not use this option, the default is to use user-defined 249 | # coordinates. Valid options are as follows: 250 | # 0 = User-defined coordinates 251 | # 2 = Collapsed tree 252 | # 3 = Balanced tree 253 | # 4 = Circular 254 | 255 | default_statuswrl_layout=4 256 | 257 | 258 | 259 | # STATUSWRL INCLUDE 260 | # This option allows you to include your own objects in the 261 | # generated VRML world. It is assumed that the file 262 | # resides in the HTML path (i.e. /usr/local/nagios/share). 263 | 264 | #statuswrl_include=myworld.wrl 265 | 266 | 267 | 268 | # PING SYNTAX 269 | # This option determines what syntax should be used when 270 | # attempting to ping a host from the WAP interface (using 271 | # the statuswml CGI. You must include the full path to 272 | # the ping binary, along with all required options. The 273 | # $HOSTADDRESS$ macro is substituted with the address of 274 | # the host before the command is executed. 275 | # Please note that the syntax for the ping binary is 276 | # notorious for being different on virtually ever *NIX 277 | # OS and distribution, so you may have to tweak this to 278 | # work on your system. 279 | 280 | ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$ 281 | 282 | 283 | 284 | # REFRESH RATE 285 | # This option allows you to specify the refresh rate in seconds 286 | # of various CGIs (status, statusmap, extinfo, and outages). 
287 | 288 | refresh_rate=90 289 | 290 | 291 | 292 | # ESCAPE HTML TAGS 293 | # This option determines whether HTML tags in host and service 294 | # status output is escaped in the web interface. If enabled, 295 | # your plugin output will not be able to contain clickable links. 296 | 297 | escape_html_tags=1 298 | 299 | 300 | 301 | 302 | # SOUND OPTIONS 303 | # These options allow you to specify an optional audio file 304 | # that should be played in your browser window when there are 305 | # problems on the network. The audio files are used only in 306 | # the status CGI. Only the sound for the most critical problem 307 | # will be played. Order of importance (higher to lower) is as 308 | # follows: unreachable hosts, down hosts, critical services, 309 | # warning services, and unknown services. If there are no 310 | # visible problems, the sound file optionally specified by 311 | # 'normal_sound' variable will be played. 312 | # 313 | # 314 | # = 315 | # 316 | # Note: All audio files must be placed in the /media subdirectory 317 | # under the HTML path (i.e. /usr/local/nagios/share/media/). 318 | 319 | #host_unreachable_sound=hostdown.wav 320 | #host_down_sound=hostdown.wav 321 | #service_critical_sound=critical.wav 322 | #service_warning_sound=warning.wav 323 | #service_unknown_sound=warning.wav 324 | #normal_sound=noproblem.wav 325 | 326 | 327 | 328 | # URL TARGET FRAMES 329 | # These options determine the target frames in which notes and 330 | # action URLs will open. 331 | 332 | action_url_target=_blank 333 | notes_url_target=_blank 334 | 335 | 336 | 337 | 338 | # LOCK AUTHOR NAMES OPTION 339 | # This option determines whether users can change the author name 340 | # when submitting comments, scheduling downtime. If disabled, the 341 | # author names will be locked into their contact name, as defined in Nagios. 
342 | # Values: 0 = allow editing author names 343 | # 1 = lock author names (disallow editing) 344 | 345 | lock_author_names=1 346 | 347 | 348 | 349 | 350 | # SPLUNK INTEGRATION OPTIONS 351 | # These options allow you to enable integration with Splunk 352 | # in the web interface. If enabled, you'll be presented with 353 | # "Splunk It" links in various places in the CGIs (log file, 354 | # alert history, host/service detail, etc). Useful if you're 355 | # trying to research why a particular problem occurred. 356 | # For more information on Splunk, visit http://www.splunk.com/ 357 | 358 | # This option determines whether the Splunk integration is enabled 359 | # Values: 0 = disable Splunk integration 360 | # 1 = enable Splunk integration 361 | 362 | #enable_splunk_integration=1 363 | 364 | 365 | # This option should be the URL used to access your instance of Splunk 366 | 367 | #splunk_url=http://127.0.0.1:8000/ 368 | 369 | 370 | 371 | -------------------------------------------------------------------------------- /nagios/files/contacts.cfg: -------------------------------------------------------------------------------- 1 | define contact { 2 | name base-contact 3 | service_notification_period 24x7 4 | host_notification_period 24x7 5 | service_notification_options w,u,c,f,s 6 | host_notification_options d,u,f,s 7 | service_notification_commands notify-nobody 8 | host_notification_commands notify-nobody 9 | 10 | register 0 # This is a template. 
11 | } 12 | 13 | define contact { 14 | use base-contact 15 | contact_name default 16 | } 17 | 18 | define command { 19 | command_name notify-nobody 20 | command_line /bin/true 21 | } 22 | -------------------------------------------------------------------------------- /nagios/files/hosts-base.cfg: -------------------------------------------------------------------------------- 1 | define host { 2 | name base-host 3 | register 0 4 | check_command check-host-alive 5 | 6 | contacts default 7 | event_handler_enabled 1 8 | failure_prediction_enabled 1 9 | flap_detection_enabled 1 10 | max_check_attempts 4 11 | notification_period 24x7 12 | notifications_enabled 1 13 | process_perf_data 1 14 | retain_nonstatus_information 1 15 | retain_status_information 1 16 | } 17 | -------------------------------------------------------------------------------- /nagios/files/nagios-to-loggly.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | require "rubygems" 3 | require "eventmachine-tail" 4 | require "em-http-request" 5 | require "optparse" 6 | require "json" 7 | 8 | def main(args) 9 | url = nil 10 | 11 | opts = OptionParser.new do |opts| 12 | opts.banner = "Usage: #{$0} [options]" 13 | 14 | opts.on("-u URL", "--url URL", 15 | "(required) The input key for the http input you configured on loggly") do |x| 16 | url = x 17 | end # -i / --input-key 18 | end # OptionParser.new 19 | 20 | opts.parse!(args) 21 | 22 | if !url 23 | $stderr.puts opts.banner 24 | $stderr.puts "No url specified (-u flag missing)" 25 | return 1 26 | end 27 | 28 | data = ENV.to_hash.reject { |k,value| k !~ /^NAGIOS_/ }.to_json 29 | 30 | EventMachine.run do 31 | http = EventMachine::HttpRequest.new(url) 32 | 33 | p :data => data 34 | req = http.post :body => data 35 | 36 | start = Time.now 37 | req.callback do 38 | # TODO(sissel): Parse the json response and report errors, if any. 
39 | duration = Time.now - start 40 | puts "(#{duration} secs) #{req.response}" 41 | EventMachine::stop_event_loop 42 | end # req.callback 43 | req.errback do 44 | $stderr.puts "Error while sending '#{line}' to '#{url}' {#{req}}" 45 | end # req.errback 46 | end # EventMachine.run 47 | end # def main 48 | 49 | main(ARGV) 50 | -------------------------------------------------------------------------------- /nagios/files/nagios.cfg: -------------------------------------------------------------------------------- 1 | ############################################################################## 2 | # 3 | # NAGIOS.CFG - Sample Main Config File for Nagios 4 | # 5 | # 6 | ############################################################################## 7 | 8 | 9 | # LOG FILE 10 | # This is the main log file where service and host events are logged 11 | # for historical purposes. This should be the first option specified 12 | # in the config file!!! 13 | 14 | log_file=/var/log/nagios3/nagios.log 15 | 16 | # Commands definitions 17 | cfg_file=/etc/nagios3/commands.cfg 18 | 19 | # Debian also defaults to using the check commands defined by the debian 20 | # nagios-plugins package 21 | cfg_dir=/etc/nagios-plugins/config 22 | 23 | # Debian uses by default a configuration directory where nagios3-common, 24 | # other packages and the local admin can dump or link configuration 25 | # files into. 26 | cfg_dir=/etc/nagios3/conf.d 27 | cfg_dir=/etc/nagios3/hosts.d 28 | cfg_dir=/etc/nagios3/checks.d 29 | 30 | # OBJECT CONFIGURATION FILE(S) 31 | # These are the object configuration files in which you define hosts, 32 | # host groups, contacts, contact groups, services, etc. 33 | # You can split your object definitions across several config files 34 | # if you wish (as shown below), or keep them all in a single config file. 
35 | 36 | # You can specify individual object config files as shown below: 37 | #cfg_file=/etc/nagios3/objects/commands.cfg 38 | #cfg_file=/etc/nagios3/objects/contacts.cfg 39 | #cfg_file=/etc/nagios3/objects/timeperiods.cfg 40 | #cfg_file=/etc/nagios3/objects/templates.cfg 41 | 42 | # Definitions for monitoring a Windows machine 43 | #cfg_file=/etc/nagios3/objects/windows.cfg 44 | 45 | # Definitions for monitoring a router/switch 46 | #cfg_file=/etc/nagios3/objects/switch.cfg 47 | 48 | # Definitions for monitoring a network printer 49 | #cfg_file=/etc/nagios3/objects/printer.cfg 50 | 51 | 52 | # You can also tell Nagios to process all config files (with a .cfg 53 | # extension) in a particular directory by using the cfg_dir 54 | # directive as shown below: 55 | 56 | #cfg_dir=/etc/nagios3/servers 57 | #cfg_dir=/etc/nagios3/printers 58 | #cfg_dir=/etc/nagios3/switches 59 | #cfg_dir=/etc/nagios3/routers 60 | 61 | 62 | 63 | 64 | # OBJECT CACHE FILE 65 | # This option determines where object definitions are cached when 66 | # Nagios starts/restarts. The CGIs read object definitions from 67 | # this cache file (rather than looking at the object config files 68 | # directly) in order to prevent inconsistencies that can occur 69 | # when the config files are modified after Nagios starts. 70 | 71 | object_cache_file=/var/cache/nagios3/objects.cache 72 | 73 | 74 | 75 | # PRE-CACHED OBJECT FILE 76 | # This options determines the location of the precached object file. 77 | # If you run Nagios with the -p command line option, it will preprocess 78 | # your object configuration file(s) and write the cached config to this 79 | # file. You can then start Nagios with the -u option to have it read 80 | # object definitions from this precached file, rather than the standard 81 | # object configuration files (see the cfg_file and cfg_dir options above). 
82 | # Using a precached object file can speed up the time needed to (re)start 83 | # the Nagios process if you've got a large and/or complex configuration. 84 | # Read the documentation section on optimizing Nagios to find our more 85 | # about how this feature works. 86 | 87 | precached_object_file=/var/lib/nagios3/objects.precache 88 | 89 | 90 | 91 | # RESOURCE FILE 92 | # This is an optional resource file that contains $USERx$ macro 93 | # definitions. Multiple resource files can be specified by using 94 | # multiple resource_file definitions. The CGIs will not attempt to 95 | # read the contents of resource files, so information that is 96 | # considered to be sensitive (usernames, passwords, etc) can be 97 | # defined as macros in this file and restrictive permissions (600) 98 | # can be placed on this file. 99 | 100 | resource_file=/etc/nagios3/resource.cfg 101 | 102 | 103 | 104 | # STATUS FILE 105 | # This is where the current status of all monitored services and 106 | # hosts is stored. Its contents are read and processed by the CGIs. 107 | # The contents of the status file are deleted every time Nagios 108 | # restarts. 109 | 110 | status_file=/var/cache/nagios3/status.dat 111 | 112 | 113 | 114 | # STATUS FILE UPDATE INTERVAL 115 | # This option determines the frequency (in seconds) that 116 | # Nagios will periodically dump program, host, and 117 | # service status data. 118 | 119 | status_update_interval=10 120 | 121 | 122 | 123 | # NAGIOS USER 124 | # This determines the effective user that Nagios should run as. 125 | # You can either supply a username or a UID. 126 | 127 | nagios_user=nagios 128 | 129 | 130 | 131 | # NAGIOS GROUP 132 | # This determines the effective group that Nagios should run as. 133 | # You can either supply a group name or a GID. 
134 | 135 | nagios_group=nagios 136 | 137 | 138 | 139 | # EXTERNAL COMMAND OPTION 140 | # This option allows you to specify whether or not Nagios should check 141 | # for external commands (in the command file defined below). By default 142 | # Nagios will *not* check for external commands, just to be on the 143 | # cautious side. If you want to be able to use the CGI command interface 144 | # you will have to enable this. 145 | # Values: 0 = disable commands, 1 = enable commands 146 | 147 | check_external_commands=1 148 | 149 | 150 | 151 | # EXTERNAL COMMAND CHECK INTERVAL 152 | # This is the interval at which Nagios should check for external commands. 153 | # This value works of the interval_length you specify later. If you leave 154 | # that at its default value of 60 (seconds), a value of 1 here will cause 155 | # Nagios to check for external commands every minute. If you specify a 156 | # number followed by an "s" (i.e. 15s), this will be interpreted to mean 157 | # actual seconds rather than a multiple of the interval_length variable. 158 | # Note: In addition to reading the external command file at regularly 159 | # scheduled intervals, Nagios will also check for external commands after 160 | # event handlers are executed. 161 | # NOTE: Setting this value to -1 causes Nagios to check the external 162 | # command file as often as possible. 163 | 164 | #command_check_interval=15s 165 | command_check_interval=-1 166 | 167 | 168 | 169 | # EXTERNAL COMMAND FILE 170 | # This is the file that Nagios checks for external command requests. 171 | # It is also where the command CGI will write commands that are submitted 172 | # by users, so it must be writeable by the user that the web server 173 | # is running as (usually 'nobody'). Permissions should be set at the 174 | # directory level instead of on the file, as the file is deleted every 175 | # time its contents are processed. 
176 | # Debian Users: In case you didn't read README.Debian yet, _NOW_ is the 177 | # time to do it. 178 | 179 | command_file=/var/lib/nagios3/rw/nagios.cmd 180 | 181 | 182 | 183 | # EXTERNAL COMMAND BUFFER SLOTS 184 | # This setting is used to tweak the number of items or "slots" that 185 | # the Nagios daemon should allocate to the buffer that holds incoming 186 | # external commands before they are processed. As external commands 187 | # are processed by the daemon, they are removed from the buffer. 188 | 189 | external_command_buffer_slots=4096 190 | 191 | 192 | 193 | # LOCK FILE 194 | # This is the lockfile that Nagios will use to store its PID number 195 | # in when it is running in daemon mode. 196 | 197 | lock_file=/var/run/nagios3/nagios3.pid 198 | 199 | 200 | 201 | # TEMP FILE 202 | # This is a temporary file that is used as scratch space when Nagios 203 | # updates the status log, cleans the comment file, etc. This file 204 | # is created, used, and deleted throughout the time that Nagios is 205 | # running. 206 | 207 | temp_file=/var/cache/nagios3/nagios.tmp 208 | 209 | 210 | 211 | # TEMP PATH 212 | # This is the path where Nagios can create temp files for service and 213 | # host check results, etc. 214 | 215 | temp_path=/tmp 216 | 217 | 218 | 219 | # EVENT BROKER OPTIONS 220 | # Controls what (if any) data gets sent to the event broker. 221 | # Values: 0 = Broker nothing 222 | # -1 = Broker everything 223 | # = See documentation 224 | 225 | event_broker_options=-1 226 | 227 | 228 | 229 | # EVENT BROKER MODULE(S) 230 | # This directive is used to specify an event broker module that should 231 | # be loaded by Nagios at startup. Use multiple directives if you want 232 | # to load more than one module. Arguments that should be passed to 233 | # the module at startup are separated from the module path by a space. 234 | # 235 | #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 236 | # WARNING !!! WARNING !!! WARNING !!! WARNING !!! 
WARNING !!! WARNING 237 | #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 238 | # 239 | # Do NOT overwrite modules while they are being used by Nagios or Nagios 240 | # will crash in a fiery display of SEGFAULT glory. This is a bug/limitation 241 | # either in dlopen(), the kernel, and/or the filesystem. And maybe Nagios... 242 | # 243 | # The correct/safe way of updating a module is by using one of these methods: 244 | # 1. Shutdown Nagios, replace the module file, restart Nagios 245 | # 2. Delete the original module file, move the new module file into place, restart Nagios 246 | # 247 | # Example: 248 | # 249 | # broker_module= [moduleargs] 250 | 251 | #broker_module=/somewhere/module1.o 252 | #broker_module=/somewhere/module2.o arg1 arg2=3 debug=0 253 | 254 | 255 | 256 | # LOG ROTATION METHOD 257 | # This is the log rotation method that Nagios should use to rotate 258 | # the main log file. Values are as follows.. 259 | # n = None - don't rotate the log 260 | # h = Hourly rotation (top of the hour) 261 | # d = Daily rotation (midnight every day) 262 | # w = Weekly rotation (midnight on Saturday evening) 263 | # m = Monthly rotation (midnight last day of month) 264 | 265 | log_rotation_method=d 266 | 267 | 268 | 269 | # LOG ARCHIVE PATH 270 | # This is the directory where archived (rotated) log files should be 271 | # placed (assuming you've chosen to do log rotation). 272 | 273 | log_archive_path=/var/log/nagios3/archives 274 | 275 | 276 | 277 | # LOGGING OPTIONS 278 | # If you want messages logged to the syslog facility, as well as the 279 | # Nagios log file set this option to 1. If not, set it to 0. 280 | 281 | use_syslog=1 282 | 283 | 284 | 285 | # NOTIFICATION LOGGING OPTION 286 | # If you don't want notifications to be logged, set this value to 0. 287 | # If notifications should be logged, set the value to 1. 
288 | 289 | log_notifications=1 290 | 291 | 292 | 293 | # SERVICE RETRY LOGGING OPTION 294 | # If you don't want service check retries to be logged, set this value 295 | # to 0. If retries should be logged, set the value to 1. 296 | 297 | log_service_retries=1 298 | 299 | 300 | 301 | # HOST RETRY LOGGING OPTION 302 | # If you don't want host check retries to be logged, set this value to 303 | # 0. If retries should be logged, set the value to 1. 304 | 305 | log_host_retries=1 306 | 307 | 308 | 309 | # EVENT HANDLER LOGGING OPTION 310 | # If you don't want host and service event handlers to be logged, set 311 | # this value to 0. If event handlers should be logged, set the value 312 | # to 1. 313 | 314 | log_event_handlers=1 315 | 316 | 317 | 318 | # INITIAL STATES LOGGING OPTION 319 | # If you want Nagios to log all initial host and service states to 320 | # the main log file (the first time the service or host is checked) 321 | # you can enable this option by setting this value to 1. If you 322 | # are not using an external application that does long term state 323 | # statistics reporting, you do not need to enable this option. In 324 | # this case, set the value to 0. 325 | 326 | log_initial_states=0 327 | 328 | 329 | 330 | # EXTERNAL COMMANDS LOGGING OPTION 331 | # If you don't want Nagios to log external commands, set this value 332 | # to 0. If external commands should be logged, set this value to 1. 333 | # Note: This option does not include logging of passive service 334 | # checks - see the option below for controlling whether or not 335 | # passive checks are logged. 336 | 337 | log_external_commands=1 338 | 339 | 340 | 341 | # PASSIVE CHECKS LOGGING OPTION 342 | # If you don't want Nagios to log passive host and service checks, set 343 | # this value to 0. If passive checks should be logged, set 344 | # this value to 1. 
345 | 346 | log_passive_checks=1 347 | 348 | 349 | 350 | # GLOBAL HOST AND SERVICE EVENT HANDLERS 351 | # These options allow you to specify a host and service event handler 352 | # command that is to be run for every host or service state change. 353 | # The global event handler is executed immediately prior to the event 354 | # handler that you have optionally specified in each host or 355 | # service definition. The command argument is the short name of a 356 | # command definition that you define in your host configuration file. 357 | # Read the HTML docs for more information. 358 | 359 | global_host_event_handler=log-to-loggly 360 | global_service_event_handler=log-to-loggly 361 | 362 | 363 | 364 | # SERVICE INTER-CHECK DELAY METHOD 365 | # This is the method that Nagios should use when initially 366 | # "spreading out" service checks when it starts monitoring. The 367 | # default is to use smart delay calculation, which will try to 368 | # space all service checks out evenly to minimize CPU load. 369 | # Using the dumb setting will cause all checks to be scheduled 370 | # at the same time (with no delay between them)! This is not a 371 | # good thing for production, but is useful when testing the 372 | # parallelization functionality. 373 | # n = None - don't use any delay between checks 374 | # d = Use a "dumb" delay of 1 second between checks 375 | # s = Use "smart" inter-check delay calculation 376 | # x.xx = Use an inter-check delay of x.xx seconds 377 | 378 | service_inter_check_delay_method=s 379 | 380 | 381 | 382 | # MAXIMUM SERVICE CHECK SPREAD 383 | # This variable determines the timeframe (in minutes) from the 384 | # program start time that an initial check of all services should 385 | # be completed. Default is 30 minutes. 386 | 387 | max_service_check_spread=30 388 | 389 | 390 | 391 | # SERVICE CHECK INTERLEAVE FACTOR 392 | # This variable determines how service checks are interleaved. 
393 | # Interleaving the service checks allows for a more even 394 | # distribution of service checks and reduced load on remote 395 | # hosts. Setting this value to 1 is equivalent to how versions 396 | # of Nagios previous to 0.0.5 did service checks. Set this 397 | # value to s (smart) for automatic calculation of the interleave 398 | # factor unless you have a specific reason to change it. 399 | # s = Use "smart" interleave factor calculation 400 | # x = Use an interleave factor of x, where x is a 401 | # number greater than or equal to 1. 402 | 403 | service_interleave_factor=s 404 | 405 | 406 | 407 | # HOST INTER-CHECK DELAY METHOD 408 | # This is the method that Nagios should use when initially 409 | # "spreading out" host checks when it starts monitoring. The 410 | # default is to use smart delay calculation, which will try to 411 | # space all host checks out evenly to minimize CPU load. 412 | # Using the dumb setting will cause all checks to be scheduled 413 | # at the same time (with no delay between them)! 414 | # n = None - don't use any delay between checks 415 | # d = Use a "dumb" delay of 1 second between checks 416 | # s = Use "smart" inter-check delay calculation 417 | # x.xx = Use an inter-check delay of x.xx seconds 418 | 419 | host_inter_check_delay_method=s 420 | 421 | 422 | 423 | # MAXIMUM HOST CHECK SPREAD 424 | # This variable determines the timeframe (in minutes) from the 425 | # program start time that an initial check of all hosts should 426 | # be completed. Default is 30 minutes. 427 | 428 | max_host_check_spread=30 429 | 430 | 431 | 432 | # MAXIMUM CONCURRENT SERVICE CHECKS 433 | # This option allows you to specify the maximum number of 434 | # service checks that can be run in parallel at any given time. 435 | # Specifying a value of 1 for this variable essentially prevents 436 | # any service checks from being parallelized. A value of 0 437 | # will not restrict the number of concurrent checks that are 438 | # being executed. 
439 | 440 | max_concurrent_checks=0 441 | 442 | 443 | 444 | # HOST AND SERVICE CHECK REAPER FREQUENCY 445 | # This is the frequency (in seconds!) that Nagios will process 446 | # the results of host and service checks. 447 | 448 | check_result_reaper_frequency=10 449 | 450 | 451 | 452 | 453 | # MAX CHECK RESULT REAPER TIME 454 | # This is the max amount of time (in seconds) that a single 455 | # check result reaper event will be allowed to run before 456 | # returning control back to Nagios so it can perform other 457 | # duties. 458 | 459 | max_check_result_reaper_time=30 460 | 461 | 462 | 463 | 464 | # CHECK RESULT PATH 465 | # This is directory where Nagios stores the results of host and 466 | # service checks that have not yet been processed. 467 | # 468 | # Note: Make sure that only one instance of Nagios has access 469 | # to this directory! 470 | 471 | check_result_path=/var/lib/nagios3/spool/checkresults 472 | 473 | 474 | 475 | 476 | # MAX CHECK RESULT FILE AGE 477 | # This option determines the maximum age (in seconds) which check 478 | # result files are considered to be valid. Files older than this 479 | # threshold will be mercilessly deleted without further processing. 480 | 481 | max_check_result_file_age=3600 482 | 483 | 484 | 485 | 486 | # CACHED HOST CHECK HORIZON 487 | # This option determines the maximum amount of time (in seconds) 488 | # that the state of a previous host check is considered current. 489 | # Cached host states (from host checks that were performed more 490 | # recently that the timeframe specified by this value) can immensely 491 | # improve performance in regards to the host check logic. 492 | # Too high of a value for this option may result in inaccurate host 493 | # states being used by Nagios, while a lower value may result in a 494 | # performance hit for host checks. Use a value of 0 to disable host 495 | # check caching. 
496 | 497 | cached_host_check_horizon=15 498 | 499 | 500 | 501 | # CACHED SERVICE CHECK HORIZON 502 | # This option determines the maximum amount of time (in seconds) 503 | # that the state of a previous service check is considered current. 504 | # Cached service states (from service checks that were performed more 505 | # recently than the timeframe specified by this value) can immensely 506 | # improve performance in regards to predictive dependency checks. 507 | # Use a value of 0 to disable service check caching. 508 | 509 | cached_service_check_horizon=15 510 | 511 | 512 | 513 | # ENABLE PREDICTIVE HOST DEPENDENCY CHECKS 514 | # This option determines whether or not Nagios will attempt to execute 515 | # checks of hosts when it predicts that future dependency logic tests 516 | # may be needed. These predictive checks can help ensure that your 517 | # host dependency logic works well. 518 | # Values: 519 | # 0 = Disable predictive checks 520 | # 1 = Enable predictive checks (default) 521 | 522 | enable_predictive_host_dependency_checks=1 523 | 524 | 525 | 526 | # ENABLE PREDICTIVE SERVICE DEPENDENCY CHECKS 527 | # This option determines whether or not Nagios will attempt to execute 528 | # checks of services when it predicts that future dependency logic tests 529 | # may be needed. These predictive checks can help ensure that your 530 | # service dependency logic works well. 531 | # Values: 532 | # 0 = Disable predictive checks 533 | # 1 = Enable predictive checks (default) 534 | 535 | enable_predictive_service_dependency_checks=1 536 | 537 | 538 | 539 | # SOFT STATE DEPENDENCIES 540 | # This option determines whether or not Nagios will use soft state 541 | # information when checking host and service dependencies. Normally 542 | # Nagios will only use the latest hard host or service state when 543 | # checking dependencies. If you want it to use the latest state (regardless 544 | # of whether it's a soft or hard state type), enable this option. 
545 | # Values: 546 | # 0 = Don't use soft state dependencies (default) 547 | # 1 = Use soft state dependencies 548 | 549 | soft_state_dependencies=0 550 | 551 | 552 | 553 | # TIME CHANGE ADJUSTMENT THRESHOLDS 554 | # These options determine when Nagios will react to detected changes 555 | # in system time (either forward or backwards). 556 | 557 | #time_change_threshold=900 558 | 559 | 560 | 561 | # AUTO-RESCHEDULING OPTION 562 | # This option determines whether or not Nagios will attempt to 563 | # automatically reschedule active host and service checks to 564 | # "smooth" them out over time. This can help balance the load on 565 | # the monitoring server. 566 | # WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE 567 | # PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY 568 | 569 | auto_reschedule_checks=0 570 | 571 | 572 | 573 | # AUTO-RESCHEDULING INTERVAL 574 | # This option determines how often (in seconds) Nagios will 575 | # attempt to automatically reschedule checks. This option only 576 | # has an effect if the auto_reschedule_checks option is enabled. 577 | # Default is 30 seconds. 578 | # WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE 579 | # PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY 580 | 581 | auto_rescheduling_interval=30 582 | 583 | 584 | 585 | # AUTO-RESCHEDULING WINDOW 586 | # This option determines the "window" of time (in seconds) that 587 | # Nagios will look at when automatically rescheduling checks. 588 | # Only host and service checks that occur in the next X seconds 589 | # (determined by this variable) will be rescheduled. This option 590 | # only has an effect if the auto_reschedule_checks option is 591 | # enabled. Default is 180 seconds (3 minutes). 
592 | # WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE 593 | # PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY 594 | 595 | auto_rescheduling_window=180 596 | 597 | 598 | 599 | # SLEEP TIME 600 | # This is the number of seconds to sleep between checking for system 601 | # events and service checks that need to be run. 602 | 603 | sleep_time=0.25 604 | 605 | 606 | 607 | # TIMEOUT VALUES 608 | # These options control how much time Nagios will allow various 609 | # types of commands to execute before killing them off. Options 610 | # are available for controlling maximum time allotted for 611 | # service checks, host checks, event handlers, notifications, the 612 | # ocsp command, and performance data commands. All values are in 613 | # seconds. 614 | 615 | service_check_timeout=600 616 | host_check_timeout=30 617 | event_handler_timeout=30 618 | notification_timeout=30 619 | ocsp_timeout=5 620 | perfdata_timeout=5 621 | 622 | 623 | 624 | # RETAIN STATE INFORMATION 625 | # This setting determines whether or not Nagios will save state 626 | # information for services and hosts before it shuts down. Upon 627 | # startup Nagios will reload all saved service and host state 628 | # information before starting to monitor. This is useful for 629 | # maintaining long-term data on state statistics, etc, but will 630 | # slow Nagios down a bit when it (re)starts. Since its only 631 | # a one-time penalty, I think its well worth the additional 632 | # startup delay. 633 | 634 | retain_state_information=1 635 | 636 | 637 | 638 | # STATE RETENTION FILE 639 | # This is the file that Nagios should use to store host and 640 | # service state information before it shuts down. The state 641 | # information in this file is also read immediately prior to 642 | # starting to monitor the network when Nagios is restarted. 643 | # This file is used only if the preserve_state_information 644 | # variable is set to 1. 
645 | 646 | state_retention_file=/var/lib/nagios3/retention.dat 647 | 648 | 649 | 650 | # RETENTION DATA UPDATE INTERVAL 651 | # This setting determines how often (in minutes) Nagios 652 | # will automatically save retention data during normal operation. 653 | # If you set this value to 0, Nagios will not save retention 654 | # data at regular intervals, but it will still save retention 655 | # data before shutting down or restarting. If you have disabled 656 | # state retention, this option has no effect. 657 | 658 | retention_update_interval=60 659 | 660 | 661 | 662 | # USE RETAINED PROGRAM STATE 663 | # This setting determines whether or not Nagios will set 664 | # program status variables based on the values saved in the 665 | # retention file. If you want to use retained program status 666 | # information, set this value to 1. If not, set this value 667 | # to 0. 668 | 669 | use_retained_program_state=1 670 | 671 | 672 | 673 | # USE RETAINED SCHEDULING INFO 674 | # This setting determines whether or not Nagios will retain 675 | # the scheduling info (next check time) for hosts and services 676 | # based on the values saved in the retention file. 677 | # If you want to use retained scheduling info, set this 678 | # value to 1. If not, set this value to 0. 679 | 680 | use_retained_scheduling_info=1 681 | 682 | 683 | 684 | # RETAINED ATTRIBUTE MASKS (ADVANCED FEATURE) 685 | # The following variables are used to specify specific host and 686 | # service attributes that should *not* be retained by Nagios during 687 | # program restarts. 688 | # 689 | # The values of the masks are bitwise ANDs of values specified 690 | # by the "MODATTR_" definitions found in include/common.h. 691 | # For example, if you do not want the current enabled/disabled state 692 | # of flap detection and event handlers for hosts to be retained, you 693 | # would use a value of 24 for the host attribute mask... 
694 | # MODATTR_EVENT_HANDLER_ENABLED (8) + MODATTR_FLAP_DETECTION_ENABLED (16) = 24 695 | 696 | # This mask determines what host attributes are not retained 697 | retained_host_attribute_mask=0 698 | 699 | # This mask determines what service attributes are not retained 700 | retained_service_attribute_mask=0 701 | 702 | # These two masks determine what process attributes are not retained. 703 | # There are two masks, because some process attributes have host and service 704 | # options. For example, you can disable active host checks, but leave active 705 | # service checks enabled. 706 | retained_process_host_attribute_mask=0 707 | retained_process_service_attribute_mask=0 708 | 709 | # These two masks determine what contact attributes are not retained. 710 | # There are two masks, because some contact attributes have host and 711 | # service options. For example, you can disable host notifications for 712 | # a contact, but leave service notifications enabled for them. 713 | retained_contact_host_attribute_mask=0 714 | retained_contact_service_attribute_mask=0 715 | 716 | 717 | 718 | # INTERVAL LENGTH 719 | # This is the seconds per unit interval as used in the 720 | # host/contact/service configuration files. Setting this to 60 means 721 | # that each interval is one minute long (60 seconds). Other settings 722 | # have not been tested much, so your mileage is likely to vary... 723 | 724 | interval_length=60 725 | 726 | 727 | 728 | # CHECK FOR UPDATES 729 | # This option determines whether Nagios will automatically check to 730 | # see if new updates (releases) are available. It is recommend that you 731 | # enable this option to ensure that you stay on top of the latest critical 732 | # patches to Nagios. Nagios is critical to you - make sure you keep it in 733 | # good shape. Nagios will check once a day for new updates. 
Data collected 734 | # by Nagios Enterprises from the update check is processed in accordance 735 | # with our privacy policy - see http://api.nagios.org for details. 736 | 737 | check_for_updates=1 738 | 739 | 740 | 741 | # BARE UPDATE CHECK 742 | # This option determines what data Nagios will send to api.nagios.org when 743 | # it checks for updates. By default, Nagios will send information on the 744 | # current version of Nagios you have installed, as well as an indicator as 745 | # to whether this was a new installation or not. Nagios Enterprises uses 746 | # this data to determine the number of users running specific versions of 747 | # Nagios. Enable this option if you do not want this information to be sent. 748 | 749 | bare_update_check=0 750 | 751 | 752 | 753 | # AGGRESSIVE HOST CHECKING OPTION 754 | # If you don't want to turn on aggressive host checking features, set 755 | # this value to 0 (the default). Otherwise set this value to 1 to 756 | # enable the aggressive check option. Read the docs for more info 757 | # on what aggressive host check is or check out the source code in 758 | # base/checks.c 759 | 760 | use_aggressive_host_checking=0 761 | 762 | 763 | 764 | # SERVICE CHECK EXECUTION OPTION 765 | # This determines whether or not Nagios will actively execute 766 | # service checks when it initially starts. If this option is 767 | # disabled, checks are not actively made, but Nagios can still 768 | # receive and process passive check results that come in. Unless 769 | # you're implementing redundant hosts or have a special need for 770 | # disabling the execution of service checks, leave this enabled! 771 | # Values: 1 = enable checks, 0 = disable checks 772 | 773 | execute_service_checks=1 774 | 775 | 776 | 777 | # PASSIVE SERVICE CHECK ACCEPTANCE OPTION 778 | # This determines whether or not Nagios will accept passive 779 | # service check results when it initially (re)starts. 
780 | # Values: 1 = accept passive checks, 0 = reject passive checks 781 | 782 | accept_passive_service_checks=1 783 | 784 | 785 | 786 | # HOST CHECK EXECUTION OPTION 787 | # This determines whether or not Nagios will actively execute 788 | # host checks when it initially starts. If this option is 789 | # disabled, checks are not actively made, but Nagios can still 790 | # receive and process passive check results that come in. Unless 791 | # you're implementing redundant hosts or have a special need for 792 | # disabling the execution of host checks, leave this enabled! 793 | # Values: 1 = enable checks, 0 = disable checks 794 | 795 | execute_host_checks=1 796 | 797 | 798 | 799 | # PASSIVE HOST CHECK ACCEPTANCE OPTION 800 | # This determines whether or not Nagios will accept passive 801 | # host checks results when it initially (re)starts. 802 | # Values: 1 = accept passive checks, 0 = reject passive checks 803 | 804 | accept_passive_host_checks=1 805 | 806 | 807 | 808 | # NOTIFICATIONS OPTION 809 | # This determines whether or not Nagios will sent out any host or 810 | # service notifications when it is initially (re)started. 811 | # Values: 1 = enable notifications, 0 = disable notifications 812 | 813 | enable_notifications=1 814 | 815 | 816 | 817 | # EVENT HANDLER USE OPTION 818 | # This determines whether or not Nagios will run any host or 819 | # service event handlers when it is initially (re)started. Unless 820 | # you're implementing redundant hosts, leave this option enabled. 821 | # Values: 1 = enable event handlers, 0 = disable event handlers 822 | 823 | enable_event_handlers=1 824 | 825 | 826 | 827 | # PROCESS PERFORMANCE DATA OPTION 828 | # This determines whether or not Nagios will process performance 829 | # data returned from service and host checks. 
If this option is 830 | # enabled, host performance data will be processed using the 831 | # host_perfdata_command (defined below) and service performance 832 | # data will be processed using the service_perfdata_command (also 833 | # defined below). Read the HTML docs for more information on 834 | # performance data. 835 | # Values: 1 = process performance data, 0 = do not process performance data 836 | 837 | process_performance_data=0 838 | 839 | 840 | 841 | # HOST AND SERVICE PERFORMANCE DATA PROCESSING COMMANDS 842 | # These commands are run after every host and service check is 843 | # performed. These commands are executed only if the 844 | # enable_performance_data option (above) is set to 1. The command 845 | # argument is the short name of a command definition that you 846 | # define in your host configuration file. Read the HTML docs for 847 | # more information on performance data. 848 | 849 | #host_perfdata_command=process-host-perfdata 850 | #service_perfdata_command=process-service-perfdata 851 | 852 | 853 | 854 | # HOST AND SERVICE PERFORMANCE DATA FILES 855 | # These files are used to store host and service performance data. 856 | # Performance data is only written to these files if the 857 | # enable_performance_data option (above) is set to 1. 858 | 859 | #host_perfdata_file=/tmp/host-perfdata 860 | #service_perfdata_file=/tmp/service-perfdata 861 | 862 | 863 | 864 | # HOST AND SERVICE PERFORMANCE DATA FILE TEMPLATES 865 | # These options determine what data is written (and how) to the 866 | # performance data files. The templates may contain macros, special 867 | # characters (\t for tab, \r for carriage return, \n for newline) 868 | # and plain text. A newline is automatically added after each write 869 | # to the performance data file. Some examples of what you can do are 870 | # shown below. 
871 | 872 | #host_perfdata_file_template=[HOSTPERFDATA]\t$TIMET$\t$HOSTNAME$\t$HOSTEXECUTIONTIME$\t$HOSTOUTPUT$\t$HOSTPERFDATA$ 873 | #service_perfdata_file_template=[SERVICEPERFDATA]\t$TIMET$\t$HOSTNAME$\t$SERVICEDESC$\t$SERVICEEXECUTIONTIME$\t$SERVICELATENCY$\t$SERVICEOUTPUT$\t$SERVICEPERFDATA$ 874 | 875 | 876 | 877 | # HOST AND SERVICE PERFORMANCE DATA FILE MODES 878 | # This option determines whether or not the host and service 879 | # performance data files are opened in write ("w") or append ("a") 880 | # mode. If you want to use named pipes, you should use the special 881 | # pipe ("p") mode which avoids blocking at startup, otherwise you will 882 | # likely want the default append ("a") mode. 883 | 884 | #host_perfdata_file_mode=a 885 | #service_perfdata_file_mode=a 886 | 887 | 888 | 889 | # HOST AND SERVICE PERFORMANCE DATA FILE PROCESSING INTERVAL 890 | # These options determine how often (in seconds) the host and service 891 | # performance data files are processed using the commands defined 892 | # below. A value of 0 indicates the files should not be periodically 893 | # processed. 894 | 895 | #host_perfdata_file_processing_interval=0 896 | #service_perfdata_file_processing_interval=0 897 | 898 | 899 | 900 | # HOST AND SERVICE PERFORMANCE DATA FILE PROCESSING COMMANDS 901 | # These commands are used to periodically process the host and 902 | # service performance data files. The interval at which the 903 | # processing occurs is determined by the options above. 904 | 905 | #host_perfdata_file_processing_command=process-host-perfdata-file 906 | #service_perfdata_file_processing_command=process-service-perfdata-file 907 | 908 | 909 | 910 | # OBSESS OVER SERVICE CHECKS OPTION 911 | # This determines whether or not Nagios will obsess over service 912 | # checks and run the ocsp_command defined below. Unless you're 913 | # planning on implementing distributed monitoring, do not enable 914 | # this option. 
Read the HTML docs for more information on 915 | # implementing distributed monitoring. 916 | # Values: 1 = obsess over services, 0 = do not obsess (default) 917 | 918 | obsess_over_services=0 919 | 920 | 921 | 922 | # OBSESSIVE COMPULSIVE SERVICE PROCESSOR COMMAND 923 | # This is the command that is run for every service check that is 924 | # processed by Nagios. This command is executed only if the 925 | # obsess_over_services option (above) is set to 1. The command 926 | # argument is the short name of a command definition that you 927 | # define in your host configuration file. Read the HTML docs for 928 | # more information on implementing distributed monitoring. 929 | 930 | #ocsp_command=somecommand 931 | 932 | 933 | 934 | # OBSESS OVER HOST CHECKS OPTION 935 | # This determines whether or not Nagios will obsess over host 936 | # checks and run the ochp_command defined below. Unless you're 937 | # planning on implementing distributed monitoring, do not enable 938 | # this option. Read the HTML docs for more information on 939 | # implementing distributed monitoring. 940 | # Values: 1 = obsess over hosts, 0 = do not obsess (default) 941 | 942 | obsess_over_hosts=0 943 | 944 | 945 | 946 | # OBSESSIVE COMPULSIVE HOST PROCESSOR COMMAND 947 | # This is the command that is run for every host check that is 948 | # processed by Nagios. This command is executed only if the 949 | # obsess_over_hosts option (above) is set to 1. The command 950 | # argument is the short name of a command definition that you 951 | # define in your host configuration file. Read the HTML docs for 952 | # more information on implementing distributed monitoring. 953 | 954 | #ochp_command=somecommand 955 | 956 | 957 | 958 | # TRANSLATE PASSIVE HOST CHECKS OPTION 959 | # This determines whether or not Nagios will translate 960 | # DOWN/UNREACHABLE passive host check results into their proper 961 | # state for this instance of Nagios. 
This option is useful 962 | # if you have distributed or failover monitoring setup. In 963 | # these cases your other Nagios servers probably have a different 964 | # "view" of the network, with regards to the parent/child relationship 965 | # of hosts. If a distributed monitoring server thinks a host 966 | # is DOWN, it may actually be UNREACHABLE from the point of 967 | # this Nagios instance. Enabling this option will tell Nagios 968 | # to translate any DOWN or UNREACHABLE host states it receives 969 | # passively into the correct state from the view of this server. 970 | # Values: 1 = perform translation, 0 = do not translate (default) 971 | 972 | translate_passive_host_checks=0 973 | 974 | 975 | 976 | # PASSIVE HOST CHECKS ARE SOFT OPTION 977 | # This determines whether or not Nagios will treat passive host 978 | # checks as being HARD or SOFT. By default, a passive host check 979 | # result will put a host into a HARD state type. This can be changed 980 | # by enabling this option. 981 | # Values: 0 = passive checks are HARD, 1 = passive checks are SOFT 982 | 983 | passive_host_checks_are_soft=0 984 | 985 | 986 | 987 | # ORPHANED HOST/SERVICE CHECK OPTIONS 988 | # These options determine whether or not Nagios will periodically 989 | # check for orphaned host service checks. Since service checks are 990 | # not rescheduled until the results of their previous execution 991 | # instance are processed, there exists a possibility that some 992 | # checks may never get rescheduled. A similar situation exists for 993 | # host checks, although the exact scheduling details differ a bit 994 | # from service checks. Orphaned checks seem to be a rare 995 | # problem and should not happen under normal circumstances. 996 | # If you have problems with service checks never getting 997 | # rescheduled, make sure you have orphaned service checks enabled. 
998 | # Values: 1 = enable checks, 0 = disable checks 999 | 1000 | check_for_orphaned_services=1 1001 | check_for_orphaned_hosts=1 1002 | 1003 | 1004 | 1005 | # SERVICE FRESHNESS CHECK OPTION 1006 | # This option determines whether or not Nagios will periodically 1007 | # check the "freshness" of service results. Enabling this option 1008 | # is useful for ensuring passive checks are received in a timely 1009 | # manner. 1010 | # Values: 1 = enabled freshness checking, 0 = disable freshness checking 1011 | 1012 | check_service_freshness=1 1013 | 1014 | 1015 | 1016 | # SERVICE FRESHNESS CHECK INTERVAL 1017 | # This setting determines how often (in seconds) Nagios will 1018 | # check the "freshness" of service check results. If you have 1019 | # disabled service freshness checking, this option has no effect. 1020 | 1021 | service_freshness_check_interval=60 1022 | 1023 | 1024 | 1025 | # HOST FRESHNESS CHECK OPTION 1026 | # This option determines whether or not Nagios will periodically 1027 | # check the "freshness" of host results. Enabling this option 1028 | # is useful for ensuring passive checks are received in a timely 1029 | # manner. 1030 | # Values: 1 = enabled freshness checking, 0 = disable freshness checking 1031 | 1032 | check_host_freshness=0 1033 | 1034 | 1035 | 1036 | # HOST FRESHNESS CHECK INTERVAL 1037 | # This setting determines how often (in seconds) Nagios will 1038 | # check the "freshness" of host check results. If you have 1039 | # disabled host freshness checking, this option has no effect. 1040 | 1041 | host_freshness_check_interval=60 1042 | 1043 | 1044 | 1045 | 1046 | # ADDITIONAL FRESHNESS THRESHOLD LATENCY 1047 | # This setting determines the number of seconds that Nagios 1048 | # will add to any host and service freshness thresholds that 1049 | # it calculates (those not explicitly specified by the user). 
1050 | 1051 | additional_freshness_latency=15 1052 | 1053 | 1054 | 1055 | 1056 | # FLAP DETECTION OPTION 1057 | # This option determines whether or not Nagios will try 1058 | # and detect hosts and services that are "flapping". 1059 | # Flapping occurs when a host or service changes between 1060 | # states too frequently. When Nagios detects that a 1061 | # host or service is flapping, it will temporarily suppress 1062 | # notifications for that host/service until it stops 1063 | # flapping. Flap detection is very experimental, so read 1064 | # the HTML documentation before enabling this feature! 1065 | # Values: 1 = enable flap detection 1066 | # 0 = disable flap detection (default) 1067 | 1068 | enable_flap_detection=1 1069 | 1070 | 1071 | 1072 | # FLAP DETECTION THRESHOLDS FOR HOSTS AND SERVICES 1073 | # Read the HTML documentation on flap detection for 1074 | # an explanation of what this option does. This option 1075 | # has no effect if flap detection is disabled. 1076 | 1077 | low_service_flap_threshold=5.0 1078 | high_service_flap_threshold=20.0 1079 | low_host_flap_threshold=5.0 1080 | high_host_flap_threshold=20.0 1081 | 1082 | 1083 | 1084 | # DATE FORMAT OPTION 1085 | # This option determines how short dates are displayed. Valid options 1086 | # include: 1087 | # us (MM-DD-YYYY HH:MM:SS) 1088 | # euro (DD-MM-YYYY HH:MM:SS) 1089 | # iso8601 (YYYY-MM-DD HH:MM:SS) 1090 | # strict-iso8601 (YYYY-MM-DDTHH:MM:SS) 1091 | # 1092 | 1093 | date_format=iso8601 1094 | 1095 | 1096 | 1097 | 1098 | # TIMEZONE OFFSET 1099 | # This option is used to override the default timezone that this 1100 | # instance of Nagios runs in. If not specified, Nagios will use 1101 | # the system configured timezone. 1102 | # 1103 | # NOTE: In order to display the correct timezone in the CGIs, you 1104 | # will also need to alter the Apache directives for the CGI path 1105 | # to include your timezone. Example: 1106 | # 1107 | # 1108 | # SetEnv TZ "Australia/Brisbane" 1109 | # ... 
1110 | # 1111 | 1112 | #use_timezone=US/Mountain 1113 | #use_timezone=Australia/Brisbane 1114 | 1115 | 1116 | 1117 | 1118 | # P1.PL FILE LOCATION 1119 | # This value determines where the p1.pl perl script (used by the 1120 | # embedded Perl interpreter) is located. If you didn't compile 1121 | # Nagios with embedded Perl support, this option has no effect. 1122 | 1123 | p1_file=/usr/lib/nagios3/p1.pl 1124 | 1125 | 1126 | 1127 | # EMBEDDED PERL INTERPRETER OPTION 1128 | # This option determines whether or not the embedded Perl interpreter 1129 | # will be enabled during runtime. This option has no effect if Nagios 1130 | # has not been compiled with support for embedded Perl. 1131 | # Values: 0 = disable interpreter, 1 = enable interpreter 1132 | 1133 | enable_embedded_perl=1 1134 | 1135 | 1136 | 1137 | # EMBEDDED PERL USAGE OPTION 1138 | # This option determines whether or not Nagios will process Perl plugins 1139 | # and scripts with the embedded Perl interpreter if the plugins/scripts 1140 | # do not explicitly indicate whether or not it is okay to do so. Read 1141 | # the HTML documentation on the embedded Perl interpreter for more 1142 | # information on how this option works. 1143 | 1144 | use_embedded_perl_implicitly=1 1145 | 1146 | 1147 | 1148 | # ILLEGAL OBJECT NAME CHARACTERS 1149 | # This option allows you to specify illegal characters that cannot 1150 | # be used in host names, service descriptions, or names of other 1151 | # object types. 1152 | 1153 | illegal_object_name_chars=`~!$%^&*|'"<>?,()= 1154 | 1155 | 1156 | 1157 | # ILLEGAL MACRO OUTPUT CHARACTERS 1158 | # This option allows you to specify illegal characters that are 1159 | # stripped from macros before being used in notifications, event 1160 | # handlers, etc. This DOES NOT affect macros used in service or 1161 | # host check commands. 
1162 | # The following macros are stripped of the characters you specify: 1163 | # $HOSTOUTPUT$ 1164 | # $HOSTPERFDATA$ 1165 | # $HOSTACKAUTHOR$ 1166 | # $HOSTACKCOMMENT$ 1167 | # $SERVICEOUTPUT$ 1168 | # $SERVICEPERFDATA$ 1169 | # $SERVICEACKAUTHOR$ 1170 | # $SERVICEACKCOMMENT$ 1171 | 1172 | illegal_macro_output_chars=`~$&|'"<> 1173 | 1174 | 1175 | 1176 | # REGULAR EXPRESSION MATCHING 1177 | # This option controls whether or not regular expression matching 1178 | # takes place in the object config files. Regular expression 1179 | # matching is used to match host, hostgroup, service, and service 1180 | # group names/descriptions in some fields of various object types. 1181 | # Values: 1 = enable regexp matching, 0 = disable regexp matching 1182 | 1183 | use_regexp_matching=0 1184 | 1185 | 1186 | 1187 | # "TRUE" REGULAR EXPRESSION MATCHING 1188 | # This option controls whether or not "true" regular expression 1189 | # matching takes place in the object config files. This option 1190 | # only has an effect if regular expression matching is enabled 1191 | # (see above). If this option is DISABLED, regular expression 1192 | # matching only occurs if a string contains wildcard characters 1193 | # (* and ?). If the option is ENABLED, regexp matching occurs 1194 | # all the time (which can be annoying). 1195 | # Values: 1 = enable true matching, 0 = disable true matching 1196 | 1197 | use_true_regexp_matching=0 1198 | 1199 | 1200 | 1201 | # ADMINISTRATOR EMAIL/PAGER ADDRESSES 1202 | # The email and pager address of a global administrator (likely you). 1203 | # Nagios never uses these values itself, but you can access them by 1204 | # using the $ADMINEMAIL$ and $ADMINPAGER$ macros in your notification 1205 | # commands. 1206 | 1207 | admin_email=root@localhost 1208 | admin_pager=pageroot@localhost 1209 | 1210 | 1211 | 1212 | # DAEMON CORE DUMP OPTION 1213 | # This option determines whether or not Nagios is allowed to create 1214 | # a core dump when it runs as a daemon. 
Note that it is generally 1215 | # considered bad form to allow this, but it may be useful for 1216 | # debugging purposes. Enabling this option doesn't guarantee that 1217 | # a core file will be produced, but that's just life... 1218 | # Values: 1 - Allow core dumps 1219 | # 0 - Do not allow core dumps (default) 1220 | 1221 | daemon_dumps_core=0 1222 | 1223 | 1224 | 1225 | # LARGE INSTALLATION TWEAKS OPTION 1226 | # This option determines whether or not Nagios will take some shortcuts 1227 | # which can save on memory and CPU usage in large Nagios installations. 1228 | # Read the documentation for more information on the benefits/tradeoffs 1229 | # of enabling this option. 1230 | # Values: 1 - Enabled tweaks 1231 | # 0 - Disable tweaks (default) 1232 | 1233 | use_large_installation_tweaks=0 1234 | 1235 | 1236 | 1237 | # ENABLE ENVIRONMENT MACROS 1238 | # This option determines whether or not Nagios will make all standard 1239 | # macros available as environment variables when host/service checks 1240 | # and system commands (event handlers, notifications, etc.) are 1241 | # executed. Enabling this option can cause performance issues in 1242 | # large installations, as it will consume a bit more memory and (more 1243 | # importantly) consume more CPU. 1244 | # Values: 1 - Enable environment variable macros (default) 1245 | # 0 - Disable environment variable macros 1246 | 1247 | enable_environment_macros=1 1248 | 1249 | 1250 | 1251 | # CHILD PROCESS MEMORY OPTION 1252 | # This option determines whether or not Nagios will free memory in 1253 | # child processes (processed used to execute system commands and host/ 1254 | # service checks). If you specify a value here, it will override 1255 | # program defaults. 
1256 | # Value: 1 - Free memory in child processes 1257 | # 0 - Do not free memory in child processes 1258 | 1259 | #free_child_process_memory=1 1260 | 1261 | 1262 | 1263 | # CHILD PROCESS FORKING BEHAVIOR 1264 | # This option determines how Nagios will fork child processes 1265 | # (used to execute system commands and host/service checks). Normally 1266 | # child processes are fork()ed twice, which provides a very high level 1267 | # of isolation from problems. Fork()ing once is probably enough and will 1268 | # save a great deal on CPU usage (in large installs), so you might 1269 | # want to consider using this. If you specify a value here, it will 1270 | # program defaults. 1271 | # Value: 1 - Child processes fork() twice 1272 | # 0 - Child processes fork() just once 1273 | 1274 | #child_processes_fork_twice=1 1275 | 1276 | 1277 | 1278 | # DEBUG LEVEL 1279 | # This option determines how much (if any) debugging information will 1280 | # be written to the debug file. OR values together to log multiple 1281 | # types of information. 1282 | # Values: 1283 | # -1 = Everything 1284 | # 0 = Nothing 1285 | # 1 = Functions 1286 | # 2 = Configuration 1287 | # 4 = Process information 1288 | # 8 = Scheduled events 1289 | # 16 = Host/service checks 1290 | # 32 = Notifications 1291 | # 64 = Event broker 1292 | # 128 = External commands 1293 | # 256 = Commands 1294 | # 512 = Scheduled downtime 1295 | # 1024 = Comments 1296 | # 2048 = Macros 1297 | 1298 | debug_level=0 1299 | 1300 | 1301 | 1302 | # DEBUG VERBOSITY 1303 | # This option determines how verbose the debug log out will be. 1304 | # Values: 0 = Brief output 1305 | # 1 = More detailed 1306 | # 2 = Very detailed 1307 | 1308 | debug_verbosity=1 1309 | 1310 | 1311 | 1312 | # DEBUG FILE 1313 | # This option determines where Nagios should write debugging information. 
1314 | 1315 | debug_file=/var/log/nagios3/nagios.debug 1316 | 1317 | 1318 | 1319 | # MAX DEBUG FILE SIZE 1320 | # This option determines the maximum size (in bytes) of the debug file. If 1321 | # the file grows larger than this size, it will be renamed with a .old 1322 | # extension. If a file already exists with a .old extension it will 1323 | # automatically be deleted. This helps ensure your disk space usage doesn't 1324 | # get out of control when debugging Nagios. 1325 | 1326 | max_debug_file_size=1000000 1327 | 1328 | 1329 | -------------------------------------------------------------------------------- /nagios/files/nrpe/nrpe.cfg: -------------------------------------------------------------------------------- 1 | ############################################################################# 2 | # Sample NRPE Config File 3 | # Written by: Ethan Galstad (nagios@nagios.org) 4 | # 5 | # 6 | # NOTES: 7 | # This is a sample configuration file for the NRPE daemon. It needs to be 8 | # located on the remote host that is running the NRPE daemon, not the host 9 | # from which the check_nrpe client is being executed. 10 | ############################################################################# 11 | 12 | 13 | # LOG FACILITY 14 | # The syslog facility that should be used for logging purposes. 15 | 16 | log_facility=daemon 17 | 18 | 19 | 20 | # PID FILE 21 | # The name of the file in which the NRPE daemon should write its process ID 22 | # number. The file is only written if the NRPE daemon is started by the root 23 | # user and is running in standalone mode. 24 | 25 | pid_file=/var/run/nagios/nrpe.pid 26 | 27 | 28 | 29 | # PORT NUMBER 30 | # Port number we should wait for connections on. 31 | # NOTE: This must be a non-privileged port (i.e. > 1024). 
32 | # NOTE: This option is ignored if NRPE is running under either inetd or xinetd 33 | 34 | server_port=5666 35 | 36 | 37 | 38 | # SERVER ADDRESS 39 | # Address that nrpe should bind to in case there are more than one interface 40 | # and you do not want nrpe to bind on all interfaces. 41 | # NOTE: This option is ignored if NRPE is running under either inetd or xinetd 42 | 43 | #server_address=127.0.0.1 44 | 45 | 46 | 47 | # NRPE USER 48 | # This determines the effective user that the NRPE daemon should run as. 49 | # You can either supply a username or a UID. 50 | # 51 | # NOTE: This option is ignored if NRPE is running under either inetd or xinetd 52 | 53 | nrpe_user=nagios 54 | 55 | 56 | 57 | # NRPE GROUP 58 | # This determines the effective group that the NRPE daemon should run as. 59 | # You can either supply a group name or a GID. 60 | # 61 | # NOTE: This option is ignored if NRPE is running under either inetd or xinetd 62 | 63 | nrpe_group=nagios 64 | 65 | 66 | 67 | # ALLOWED HOST ADDRESSES 68 | # This is an optional comma-delimited list of IP address or hostnames 69 | # that are allowed to talk to the NRPE daemon. 70 | # 71 | # Note: The daemon only does rudimentary checking of the client's IP 72 | # address. I would highly recommend adding entries in your /etc/hosts.allow 73 | # file to allow only the specified host to connect to the port 74 | # you are running this daemon on. 75 | # 76 | # NOTE: This option is ignored if NRPE is running under either inetd or xinetd 77 | 78 | #allowed_hosts= 79 | 80 | 81 | 82 | # COMMAND ARGUMENT PROCESSING 83 | # This option determines whether or not the NRPE daemon will allow clients 84 | # to specify arguments to commands that are executed. This option only works 85 | # if the daemon was configured with the --enable-command-args configure script 86 | # option. 87 | # 88 | # *** ENABLING THIS OPTION IS A SECURITY RISK! 
*** 89 | # Read the SECURITY file for information on some of the security implications 90 | # of enabling this variable. 91 | # 92 | # Values: 0=do not allow arguments, 1=allow command arguments 93 | 94 | dont_blame_nrpe=0 95 | 96 | 97 | 98 | # COMMAND PREFIX 99 | # This option allows you to prefix all commands with a user-defined string. 100 | # A space is automatically added between the specified prefix string and the 101 | # command line from the command definition. 102 | # 103 | # *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! *** 104 | # Usage scenario: 105 | # Execute restricted commands using sudo. For this to work, you need to add 106 | # the nagios user to your /etc/sudoers. An example entry for allowing 107 | # execution of the plugins from that directory might be: 108 | # 109 | # nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/ 110 | # 111 | # This lets the nagios user run all commands in that directory (and only them) 112 | # without asking for a password. If you do this, make sure you don't give 113 | # random users write access to that directory or its contents! 114 | 115 | # command_prefix=/usr/bin/sudo 116 | 117 | 118 | 119 | # DEBUGGING OPTION 120 | # This option determines whether or not debugging messages are logged to the 121 | # syslog facility. 122 | # Values: 0=debugging off, 1=debugging on 123 | 124 | debug=0 125 | 126 | 127 | 128 | # COMMAND TIMEOUT 129 | # This specifies the maximum number of seconds that the NRPE daemon will 130 | # allow plugins to finish executing before killing them off. 131 | 132 | command_timeout=60 133 | 134 | 135 | 136 | # CONNECTION TIMEOUT 137 | # This specifies the maximum number of seconds that the NRPE daemon will 138 | # wait for a connection to be established before exiting. This is sometimes 139 | # seen where a network problem stops the SSL being established even though 140 | # all network sessions are connected. This causes the nrpe daemons to 141 | # accumulate, eating system resources. 
Do not set this too low. 142 | 143 | connection_timeout=300 144 | 145 | 146 | 147 | # WEAK RANDOM SEED OPTION 148 | # This directive allows you to use SSL even if your system does not have 149 | # a /dev/random or /dev/urandom (on purpose or because the necessary patches 150 | # were not applied). The random number generator will be seeded from a file 151 | # which is either a file pointed to by the environment variable $RANDFILE 152 | # or $HOME/.rnd. If neither exists, the pseudo random number generator will 153 | # be initialized and a warning will be issued. 154 | # Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness 155 | 156 | #allow_weak_random_seed=1 157 | 158 | 159 | 160 | # INCLUDE CONFIG FILE 161 | # This directive allows you to include definitions from an external config file. 162 | 163 | #include=<somefile.cfg> 164 | 165 | 166 | 167 | # INCLUDE CONFIG DIRECTORY 168 | # This directive allows you to include definitions from config files (with a 169 | # .cfg extension) in one or more directories (with recursion). 170 | 171 | #include_dir=<somedirectory> 172 | #include_dir=<someotherdirectory> 173 | 174 | 175 | 176 | # COMMAND DEFINITIONS 177 | # Command definitions that this daemon will run. Definitions 178 | # are in the following format: 179 | # 180 | # command[<command_name>]=<command_line> 181 | # 182 | # When the daemon receives a request to return the results of <command_name> 183 | # it will execute the command specified by the <command_line> argument. 184 | # 185 | # Unlike Nagios, the command line cannot contain macros - it must be 186 | # typed exactly as it should be executed. 187 | # 188 | # Note: Any plugins that are used in the command lines must reside 189 | # on the machine that this daemon is running on! The examples below 190 | # assume that you have plugins installed in a /usr/local/nagios/libexec 191 | # directory. Also note that you will have to modify the definitions below 192 | # to match the argument format the plugins expect. Remember, these are 193 | # examples only! 
194 | 195 | 196 | # The following examples use hardcoded command arguments... 197 | 198 | command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10 199 | command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20 200 | command[check_hda1]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1 201 | command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z 202 | command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200 203 | 204 | 205 | # The following examples allow user-supplied arguments and can 206 | # only be used if the NRPE daemon was compiled with support for 207 | # command arguments *AND* the dont_blame_nrpe directive in this 208 | # config file is set to '1'. This poses a potential security risk, so 209 | # make sure you read the SECURITY file before doing this. 210 | 211 | #command[check_users]=/usr/lib/nagios/plugins/check_users -w $ARG1$ -c $ARG2$ 212 | #command[check_load]=/usr/lib/nagios/plugins/check_load -w $ARG1$ -c $ARG2$ 213 | #command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ 214 | #command[check_procs]=/usr/lib/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$ 215 | 216 | # 217 | # local configuration: 218 | # if you'd prefer, you can instead place directives here 219 | include=/etc/nagios/nrpe_local.cfg 220 | 221 | # 222 | # you can place your config snipplets into nrpe.d/ 223 | include_dir=/etc/nagios/nrpe.d/ 224 | 225 | 226 | -------------------------------------------------------------------------------- /nagios/files/pagerduty/pagerduty.cfg: -------------------------------------------------------------------------------- 1 | define contact { 2 | contact_name pagerduty 3 | alias PagerDuty Pseudo-Contact 4 | service_notification_period 24x7 5 | host_notification_period 24x7 6 | service_notification_options w,u,c,r 7 | host_notification_options d,r 8 | service_notification_commands notify-service-by-pagerduty 9 | 
host_notification_commands notify-host-by-pagerduty 10 | pager XXXXXAPIKEYGOESHEREXXXXXXXXXXXXX 11 | } 12 | 13 | define command { 14 | command_name notify-service-by-pagerduty 15 | command_line /usr/local/bin/pagerduty_nagios.pl enqueue -f pd_nagios_object=service 16 | } 17 | 18 | define command { 19 | command_name notify-host-by-pagerduty 20 | command_line /usr/local/bin/pagerduty_nagios.pl enqueue -f pd_nagios_object=host 21 | } 22 | -------------------------------------------------------------------------------- /nagios/files/pagerduty/pagerduty_nagios.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env perl 2 | 3 | use Pod::Usage; 4 | use Getopt::Long; 5 | use Sys::Syslog; 6 | use HTTP::Request::Common qw(POST); 7 | use HTTP::Status qw(is_client_error); 8 | use LWP::UserAgent; 9 | use File::Path; 10 | use Fcntl qw(:flock); 11 | 12 | 13 | =head1 NAME 14 | 15 | pagerduty_nagios -- Send Nagios events to the PagerDuty alert system 16 | 17 | =head1 SYNOPSIS 18 | 19 | pagerduty_nagios enqueue [options] 20 | 21 | pagerduty_nagios flush [options] 22 | 23 | =head1 DESCRIPTION 24 | 25 | This script passes events from Nagios to the PagerDuty alert system. It's 26 | meant to be run as a Nagios notification plugin. For more details, please see 27 | the PagerDuty Nagios integration docs at: 28 | http://www.pagerduty.com/docs/nagios-integration. 29 | 30 | When called in the "enqueue" mode, the script loads a Nagios notification out 31 | of the environment and into the event queue. It then tries to flush the 32 | queue by sending any enqueued events to the PagerDuty server. The script is 33 | typically invoked in this mode from a Nagios notification handler. 34 | 35 | When called in the "flush" mode, the script simply tries to send any enqueued 36 | events to the PagerDuty server. This mode is typically invoked by cron. 
The 37 | purpose of this mode is to retry any events that couldn't be sent to the 38 | PagerDuty server for whatever reason when they were initially enqueued. 39 | 40 | =head1 OPTIONS 41 | 42 | --api-base URL 43 | The base URL used to communicate with PagerDuty. The default option here 44 | should be fine, but adjusting it may make sense if your firewall doesn't 45 | pass HTTPS traffic for some reason. See the PagerDuty Nagios integration 46 | docs for details. 47 | 48 | --field KEY=VALUE 49 | Add this key-value pair to the event being passed to PagerDuty. The script 50 | automatically gathers Nagios macros out of the environment, so there's no 51 | need to specify these explicitly. This option can be repeated as many 52 | times as necessary to pass multiple key-value pairs. This option is only 53 | useful when an event is being enqueued. 54 | 55 | --help 56 | Display documentation for the script. 57 | 58 | --queue-dir DIR 59 | Path to the directory to use to store the event queue. By default, we use 60 | /tmp/pagerduty_nagios. 61 | 62 | --verbose 63 | Turn on extra debugging information. Useful for debugging. 
64 | 65 | =cut 66 | 67 | # This release tested on: 68 | # Debian Sarge (Perl 5.8.4) 69 | # Ubuntu 9.04 (Perl 5.10.0) 70 | 71 | my $opt_api_base = "http://events.pagerduty.com/nagios/2010-04-15"; 72 | my %opt_fields; 73 | my $opt_help; 74 | my $opt_queue_dir = "/tmp/pagerduty_nagios"; 75 | my $opt_verbose; 76 | 77 | 78 | sub get_queue_from_dir { 79 | my $dh; 80 | 81 | unless (opendir($dh, $opt_queue_dir)) { 82 | syslog(LOG_ERR, "opendir %s failed: %s", $opt_queue_dir, $!); 83 | die $!; 84 | } 85 | 86 | my @files; 87 | while (my $f = readdir($dh)) { 88 | next unless $f =~ /^pd_(\d+)_\d+\.txt$/; 89 | push @files, [int($1), $f]; 90 | } 91 | 92 | closedir($dh); 93 | 94 | @files = sort { @{$a}[0] <=> @{$b}[0] } @files; 95 | return map { @{$_}[1] } @files; 96 | } 97 | 98 | 99 | sub flush_queue { 100 | my @files = get_queue_from_dir(); 101 | my $ua = LWP::UserAgent->new; 102 | 103 | # It's not a big deal if we don't get the message through the first time. 104 | # It will get sent the next time cron fires. 
105 | $ua->timeout(15); 106 | 107 | foreach (@files) { 108 | my $filename = "$opt_queue_dir/$_"; 109 | my $fd; 110 | my %event; 111 | 112 | print STDERR "==== Now processing: $filename\n" if $opt_verbose; 113 | 114 | unless (open($fd, "<", $filename)) { 115 | syslog(LOG_ERR, "open %s for read failed: %s", $filename, $!); 116 | die $!; 117 | } 118 | 119 | while (<$fd>) { 120 | chomp; 121 | my @fields = split("=", $_, 2); 122 | $event{$fields[0]} = $fields[1]; 123 | } 124 | 125 | close($fd); 126 | 127 | my $req = POST("$opt_api_base/create_event", \%event); 128 | 129 | if ($opt_verbose) { 130 | my $s = $req->as_string; 131 | print STDERR "Request:\n$s\n"; 132 | } 133 | 134 | my $resp = $ua->request($req); 135 | 136 | if ($opt_verbose) { 137 | my $s = $resp->as_string; 138 | print STDERR "Response:\n$s\n"; 139 | } 140 | 141 | if ($resp->is_success) { 142 | syslog(LOG_INFO, "Nagios event in file %s ACCEPTED by the PagerDuty server.", $filename); 143 | unlink($filename); 144 | } 145 | elsif (is_client_error($resp->code)) { 146 | syslog(LOG_WARNING, "Nagios event in file %s REJECTED by the PagerDuty server. Server says: %s", $filename, $resp->content); 147 | unlink($filename); 148 | } 149 | else { 150 | # Something else went wrong. 151 | syslog(LOG_WARNING, "Nagios event in file %s DEFERRED due to network/server problems.", $filename); 152 | return 0; 153 | } 154 | } 155 | 156 | # Everything that needed to be sent was sent. 157 | return 1; 158 | } 159 | 160 | 161 | sub lock_and_flush_queue { 162 | # Serialize access to the queue directory while we flush. 163 | # (We don't want more than one flush at once.) 
164 | 165 | my $lock_filename = "$opt_queue_dir/lockfile"; 166 | my $lock_fd; 167 | 168 | unless (open($lock_fd, ">", $lock_filename)) { 169 | syslog(LOG_ERR, "open %s for write failed: %s", $lock_filename, $!); 170 | die $!; 171 | } 172 | 173 | unless (flock($lock_fd, LOCK_EX)) { 174 | syslog(LOG_ERR, "flock %s failed: %s", $lock_filename, $!); 175 | die $!; 176 | } 177 | 178 | my $ret = flush_queue(); 179 | 180 | close($lock_fd); 181 | 182 | return $ret; 183 | } 184 | 185 | 186 | sub enqueue_event { 187 | my %event; 188 | 189 | # Scoop all the Nagios related stuff out of the environment. 190 | while ((my $k, my $v) = each %ENV) { 191 | next unless $k =~ /^NAGIOS_(.*)$/; 192 | $event{$1} = $v; 193 | } 194 | 195 | # Apply any other variables that were passed in. 196 | %event = (%event, %opt_fields); 197 | 198 | $event{"pd_version"} = "1.0"; 199 | 200 | # Right off the bat, enqueue the event. Nothing tiem consuming should come 201 | # before here (i.e. no locks or remote connections), because we want to 202 | # make sure we get the event written out within the Nagios notification 203 | # timeout. If we get killed off after that, it isn't a big deal. 204 | 205 | my $filename = sprintf("$opt_queue_dir/pd_%u_%u.txt", time(), $$); 206 | my $fd; 207 | 208 | unless (open($fd, ">", $filename)) { 209 | syslog(LOG_ERR, "open %s for write failed: %s", $filename, $!); 210 | die $!; 211 | } 212 | 213 | while ((my $k, my $v) = each %event) { 214 | # "=" can't occur in the keyname, and "\n" can't occur anywhere. 
215 | # (Nagios follows this already, so I think we're safe) 216 | print $fd "$k=$v\n"; 217 | } 218 | 219 | close($fd); 220 | } 221 | 222 | ########### 223 | 224 | GetOptions("api-base=s" => \$opt_api_base, 225 | "field=s%" => \%opt_fields, 226 | "help" => \$opt_help, 227 | "queue-dir=s" => \$opt_queue_dir, 228 | "verbose" => \$opt_verbose 229 | ) || pod2usage(2); 230 | 231 | pod2usage(2) if @ARGV < 1 || 232 | (($ARGV[0] ne "enqueue") && ($ARGV[0] ne "flush")); 233 | 234 | pod2usage(-verbose => 3) if $opt_help; 235 | 236 | my @log_mode = ("nofatal", "pid"); 237 | push(@log_mode, "perror") if $opt_verbose; 238 | 239 | openlog("pagerduty_nagios", join(",", @log_mode), LOG_LOCAL0); 240 | 241 | # This function automatically terminates the program on things like permission 242 | # errors. 243 | mkpath($opt_queue_dir); 244 | 245 | if ($ARGV[0] eq "enqueue") { 246 | enqueue_event(); 247 | lock_and_flush_queue(); 248 | } 249 | elsif ($ARGV[0] eq "flush") { 250 | lock_and_flush_queue(); 251 | } 252 | -------------------------------------------------------------------------------- /nagios/files/services-base.cfg: -------------------------------------------------------------------------------- 1 | define service { 2 | name base-service 3 | register 0 4 | 5 | active_checks_enabled 1 6 | check_freshness 0 7 | check_period 24x7 8 | contacts default 9 | event_handler_enabled 1 10 | failure_prediction_enabled 1 11 | flap_detection_enabled 1 12 | is_volatile 0 13 | max_check_attempts 3 14 | normal_check_interval 4 15 | notification_interval 60 16 | notification_options w,u,c 17 | notification_period 24x7 18 | notifications_enabled 1 19 | obsess_over_service 1 20 | parallelize_check 1 21 | passive_checks_enabled 1 22 | process_perf_data 1 23 | retain_nonstatus_information 1 24 | retain_status_information 1 25 | retry_check_interval 2 26 | } 27 | -------------------------------------------------------------------------------- /nagios/files/timeperiods.cfg: 
-------------------------------------------------------------------------------- 1 | define timeperiod { 2 | timeperiod_name 24x7 3 | alias 24x7 4 | sunday 00:00-24:00 5 | monday 00:00-24:00 6 | tuesday 00:00-24:00 7 | wednesday 00:00-24:00 8 | thursday 00:00-24:00 9 | friday 00:00-24:00 10 | saturday 00:00-24:00 11 | } 12 | 13 | define timeperiod { 14 | timeperiod_name daylight 15 | alias daylight 16 | # Times are in UTC (aka, time zone on the systems) 17 | # 09:00-1800 Pacific 18 | sunday 17:00-02:00 19 | monday 17:00-02:00 20 | tuesday 17:00-02:00 21 | wednesday 17:00-02:00 22 | thursday 17:00-02:00 23 | friday 17:00-02:00 24 | saturday 17:00-02:00 25 | } 26 | 27 | 28 | -------------------------------------------------------------------------------- /nagios/manifests/check.pp: -------------------------------------------------------------------------------- 1 | # This vim modeline is needed because otherwise vim thinks this file is a bindzone. 2 | # vim:set ft=puppet: 3 | 4 | define nagios::check($command=undef, $host, $remote=false, $contacts="default", 5 | $passive=false, $volatile=false, $max_failures=3) { 6 | $safe_name = inline_template("<%= name.gsub(/[ '\"]/, ' ') %>") 7 | $file = "/etc/nagios3/checks.d/check-$host-$safe_name.cfg" 8 | 9 | if $command == undef and $passive == false { 10 | fail("A command is required if passive false.") 11 | } 12 | 13 | if $remote { 14 | include ::nagios::plugin::nrpe 15 | $check_command = "remotecheck!$command" 16 | 17 | Nagios_service <| title == $name |> { 18 | require +> Class["nagios::plugin::nrpe"] 19 | } 20 | $notes = "NRPE: check_nrpe -H $fqdn -t 600 -c $command" 21 | } elsif $passive { 22 | $check_command = "noop" 23 | $notes = "Passive check. No command." 
24 | } else { 25 | $check_command = $command 26 | $notes = "Command: $command" 27 | } 28 | 29 | nagios_service { 30 | "$name": 31 | target => "$file", 32 | check_command => $check_command, 33 | host_name => "$host", 34 | require => File["/etc/nagios3/checks.d"], 35 | notes => $notes, 36 | contacts => $contacts, 37 | service_description => "$name", 38 | notification_period => extlookup("nagios/notificationperiod", "24x7"), 39 | active_checks_enabled => $passive ? { true => 0, false => 1 }, 40 | passive_checks_enabled => $passive ? { true => 1, false => 0 }, 41 | is_volatile => $volatile ? { true => 1, false => 0 }, 42 | max_check_attempts => $max_failures, 43 | use => "base-service"; 44 | } 45 | 46 | file { 47 | "$file": 48 | ensure => file, 49 | require => Nagios_service[$name], 50 | owner => nagios, 51 | mode => 644; 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /nagios/manifests/check/log.pp: -------------------------------------------------------------------------------- 1 | define nagios::check::log($files, $patterns, $user="logwatcher", 2 | $contacts=undef, $ensure="present") { 3 | include ::nagios::nsca 4 | include ::nagios::user::logwatcher 5 | include ::grok::package 6 | include ::ruby::gem::eventmachine-tail 7 | 8 | $host = $fqdn 9 | $monitor_host = "monitor" 10 | $check_name = "$name on $fqdn" 11 | 12 | $safename = regsubst($name, " ", "-", "G") 13 | $grok_config = "/etc/grok.d/${safename}.grok" 14 | $procname = "monitor-$safename" 15 | 16 | file { 17 | # TODO(sissel): Safe to remove after 2011/01/01 18 | "/etc/grok.d/${name}.grok": 19 | ensure => absent; 20 | $grok_config: 21 | ensure => $ensure ? 
{ "present" => "file", "absent" => "absent" }, 22 | notify => Supervisor::Program[$procname], 23 | content => template("nagios/check/log.grok.erb"); 24 | } 25 | 26 | if ($ensure == "present") { 27 | @@nagios::check { 28 | $check_name: 29 | passive => true, 30 | volatile => true, 31 | contacts => $contacts, 32 | max_failures => 1, 33 | host => $fqdn, 34 | tag => "deployment::$deployment"; 35 | } 36 | } 37 | 38 | supervisor::program { 39 | $procname: 40 | ensure => $ensure, 41 | command => "grok -f '$grok_config'", 42 | user => $user, 43 | require => [File[$grok_config], Class["grok::package", "nagios::nsca"]]; 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /nagios/manifests/command.pp: -------------------------------------------------------------------------------- 1 | define nagios::command($command, $remote, $ensure="present") { 2 | if ($ensure == "present") { 3 | $file_ensure = "file" 4 | } else { 5 | $file_ensure = "absent" 6 | } 7 | 8 | 9 | if $remote { 10 | # Use NRPE 11 | include ::nagios::nrpe::package 12 | include ::nagios::nrpe::server 13 | 14 | file { 15 | "/etc/nagios/nrpe.d/$name.cfg": 16 | ensure => $file_ensure, 17 | require => Class["nagios::nrpe::package"], 18 | notify => Class["nagios::nrpe::server"], 19 | content => "command[$name]=$command\n"; 20 | } 21 | } else { 22 | # Not remote, we're a nagios server so add a specific command. 
23 | 24 | $command_template = " 25 | # Generated by puppet from Nagios::Command[$name] 26 | define command { 27 | command_name <%= name %> 28 | command_line <%= command %> 29 | } 30 | " 31 | 32 | nagios::config { 33 | "command-$name": 34 | ensure => $ensure, 35 | content => inline_template($command_template); 36 | } 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /nagios/manifests/config.pp: -------------------------------------------------------------------------------- 1 | define nagios::config($source = undef, $content = undef, $ensure = "present") { 2 | include ::nagios::server 3 | include ::nagios::package 4 | 5 | if ($ensure != "absent") { 6 | if ($content == undef and $source == undef) { 7 | error("You must specify only one of 'content' or 'source' for $class[$name]") 8 | } 9 | if ($content != undef and $source != undef) { 10 | error("You must specify only one of 'content' or 'source' for $class[$name]") 11 | } 12 | } 13 | 14 | file { 15 | "/etc/nagios3/conf.d/$name.cfg": 16 | ensure => $ensure ? 
{ "present" => file, default => absent }, 17 | source => $source, 18 | content => $content, 19 | require => Class["nagios::package"], 20 | notify => Class["nagios::server"]; 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /nagios/manifests/host.pp: -------------------------------------------------------------------------------- 1 | define nagios::host($address) { 2 | $file = "/etc/nagios3/hosts.d/$name.cfg" 3 | nagios_host { 4 | "$name": 5 | target => $file, 6 | use => "base-host", 7 | require => File["/etc/nagios3/hosts.d"], 8 | address => "$address", 9 | alias => "$name ($address)", 10 | } 11 | 12 | file { 13 | $file: 14 | ensure => file, 15 | require => Nagios_host[$name], 16 | owner => nagios, 17 | mode => 644; 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /nagios/manifests/init.pp: -------------------------------------------------------------------------------- 1 | class nagios { 2 | include ::nagios::package 3 | include ::nagios::server 4 | include ::nagios::user 5 | include ::nagios::pagerduty 6 | include ::nagios::nsca::server 7 | 8 | nagios::config { 9 | "hosts": ensure => absent; 10 | "services": ensure => absent; 11 | 12 | "contacts": source => "puppet:///modules/nagios/contacts.cfg"; 13 | "timeperiods": source => "puppet:///modules/nagios/timeperiods.cfg"; 14 | 15 | "hosts-base": source => "puppet:///modules/nagios/hosts-base.cfg"; 16 | "services-base": source => "puppet:///modules/nagios/services-base.cfg"; 17 | #"hosts-$deployment": content => template("nagios/hosts-deployment.cfg.erb"); 18 | #"services-$deployment": content => template("nagios/hosts-deployment.cfg.erb"); 19 | } 20 | 21 | $loggly_nagios_input = extlookup("nagios/loggly-input", "undefined") 22 | 23 | file { 24 | "/usr/local/bin/nagios-to-loggly.rb": 25 | ensure => file, 26 | source => "puppet:///modules/nagios/nagios-to-loggly.rb", 27 | mode => 755; 28 | } 29 | 30 | nagios::command 
{ 31 | "noop": 32 | command => "/bin/true", 33 | remote => false; 34 | "log-to-loggly": 35 | command => "/usr/local/bin/nagios-to-loggly.rb -u $loggly_nagios_input", 36 | require => File["/usr/local/bin/nagios-to-loggly.rb"], 37 | remote => false; 38 | } 39 | 40 | Nagios::Host <<| tag == "deployment::$deployment" |>> { 41 | notify => Class["nagios::server"] 42 | } 43 | 44 | Nagios::Check <<| tag == "deployment::$deployment" |>> { 45 | notify => Class["nagios::server"] 46 | } 47 | 48 | # Clean up any files that haven't been touched in a day. 49 | tidy { 50 | [ "/etc/nagios3/hosts.d", "/etc/nagios3/checks.d" ]: 51 | age => 1d, 52 | notify => Class["nagios::server"], 53 | recurse => true, 54 | matches => [ "*.cfg" ]; 55 | } 56 | } 57 | -------------------------------------------------------------------------------- /nagios/manifests/nrpe/package.pp: -------------------------------------------------------------------------------- 1 | class nagios::nrpe::package { 2 | package { 3 | "nagios-nrpe-server": 4 | ensure => latest; 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /nagios/manifests/nrpe/server.pp: -------------------------------------------------------------------------------- 1 | class nagios::nrpe::server { 2 | include ::nagios::nrpe::package 3 | include ::nagios::user 4 | 5 | file { 6 | "/etc/nagios/nrpe.cfg": 7 | ensure => file, 8 | source => "puppet:///modules/nagios/nrpe/nrpe.cfg", 9 | notify => Service["nagios-nrpe-server"]; 10 | } 11 | 12 | service { 13 | "nagios-nrpe-server": 14 | ensure => running, 15 | enable => true, 16 | status => "pgrep -f '/usr/sbin/nrpe -c '"; 17 | } 18 | 19 | iptables::rule { 20 | "allow nrpe": 21 | ports => 5666, 22 | roles => ["monitor"]; 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /nagios/manifests/nsca.pp: -------------------------------------------------------------------------------- 1 | class nagios::nsca { 2 | package 
{ 3 | "nsca": ensure => latest; 4 | } 5 | 6 | # Disable nsca by default. 7 | service { 8 | "nsca": 9 | ensure => stopped, 10 | enable => true, 11 | require => Package["nsca"]; 12 | } 13 | 14 | file { 15 | "/etc/send_nsca.cfg": 16 | ensure => file, 17 | content => template("nagios/nsca/send_nsca.cfg.erb"); 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /nagios/manifests/nsca/server.pp: -------------------------------------------------------------------------------- 1 | class nagios::nsca::server { 2 | include ::nagios::nsca 3 | 4 | # Enable nsca (service defined in nagios::nsca) 5 | Service <| title == "nsca" |> { 6 | ensure => running, 7 | enable => true, 8 | } 9 | 10 | file { 11 | "/etc/nsca.cfg": 12 | ensure => file, 13 | content => template("nagios/nsca/nsca.cfg.erb"), 14 | notify => Service["nsca"]; 15 | } 16 | 17 | iptables::rule { 18 | # TODO(sissel): allow specifying 'all known hosts' 19 | # For now, allowing any private net to submit is fine since 20 | # NSCA uses encryption with a pre-shared key. 
21 | "allow nsca submission": 22 | ports => [ 5667 ], 23 | sources => [ "10.0.0.0/8" ]; 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /nagios/manifests/package.pp: -------------------------------------------------------------------------------- 1 | class nagios::package { 2 | include ::apache::server 3 | package { 4 | "nagios3": 5 | ensure => latest, 6 | notify => Class["apache::server"]; 7 | } 8 | 9 | file { 10 | "/etc/nagios3/hosts.d": 11 | ensure => directory; 12 | "/etc/nagios3/checks.d": 13 | ensure => directory; 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /nagios/manifests/pagerduty.pp: -------------------------------------------------------------------------------- 1 | class nagios::pagerduty { 2 | package { 3 | "libwww-perl": 4 | ensure => latest; 5 | "libcrypt-ssleay-perl": 6 | ensure => latest; 7 | } 8 | 9 | nagios::config { 10 | "pagerduty": 11 | source => "puppet:///modules/nagios/pagerduty/pagerduty.cfg"; 12 | } 13 | 14 | file { 15 | "/usr/local/bin/pagerduty_nagios.pl": 16 | ensure => file, 17 | source => "puppet:///modules/nagios/pagerduty/pagerduty_nagios.pl", 18 | mode => 755; 19 | } 20 | 21 | file { 22 | "/etc/cron.d/pagerdutynagios": 23 | ensure => file, 24 | content => "* * * * * nagios /usr/local/bin/pagerduty_nagios.pl flush\n"; 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /nagios/manifests/plugin/basic.pp: -------------------------------------------------------------------------------- 1 | class nagios::plugin::basic { 2 | package { 3 | "nagios-plugins-basic": 4 | ensure => latest; 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /nagios/manifests/plugin/check_check.pp: -------------------------------------------------------------------------------- 1 | class nagios::plugin::check_check { 2 | package { 3 | "nagios-manage": 4 | ensure 
=> latest, 5 | provider => "gem"; 6 | } 7 | 8 | nagios::command { 9 | "check_check": 10 | command => "/usr/bin/check_check.rb -s \$ARG1\$", 11 | remote => false; # this command runs on the nagios server 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /nagios/manifests/plugin/nrpe.pp: -------------------------------------------------------------------------------- 1 | class nagios::plugin::nrpe { 2 | package { 3 | "nagios-nrpe-plugin": 4 | ensure => latest; 5 | } 6 | 7 | nagios::command { 8 | "remotecheck": 9 | command => "/usr/lib/nagios/plugins/check_nrpe -H \$HOSTADDRESS\$ -t 600 -c \$ARG1\$", 10 | remote => false; # this command runs on the nagios server 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /nagios/manifests/plugin/nsca.pp: -------------------------------------------------------------------------------- 1 | class nagios::plugin::nsca { 2 | include ::nagios::nsca::server 3 | 4 | nagios::command { 5 | "remotecheck": 6 | command => "/usr/lib/nagios/plugins/check_nrpe -H \$HOSTADDRESS\$ -t 600 -c \$ARG1\$", 7 | remote => false; # this command runs on the nagios server 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /nagios/manifests/server.pp: -------------------------------------------------------------------------------- 1 | class nagios::server { 2 | include ::apache::server 3 | include ::nagios::package 4 | 5 | service { 6 | "nagios3": 7 | ensure => running, 8 | enable => true, 9 | require => Package["nagios3"], 10 | hasrestart => true, 11 | hasstatus => true; 12 | } 13 | 14 | file { 15 | # Remove the crap installed by the nagios3 ubuntu package 16 | [ "/etc/nagios3/conf.d/host-gateway_nagios3.cfg", 17 | "/etc/nagios3/conf.d/localhost_nagios2.cfg", 18 | "/etc/nagios3/conf.d/services_nagios2.cfg", 19 | "/etc/nagios3/conf.d/hostgroups_nagios2.cfg", 20 | "/etc/nagios3/conf.d/timeperiods_nagios2.cfg", 21 
| "/etc/nagios3/conf.d/contacts_nagios2.cfg", 22 | "/etc/nagios3/conf.d/extinfo_nagios2.cfg", 23 | "/etc/nagios3/conf.d/generic-host_nagios2.cfg", 24 | "/etc/nagios3/conf.d/generic-service_nagios2.cfg"]: 25 | ensure => absent, 26 | notify => Service["nagios3"]; 27 | "/etc/nagios3/htpasswd.users": 28 | ensure => file, 29 | content => extlookup("nagios/htpasswd"); 30 | "/etc/nagios3/cgi.cfg": 31 | ensure => file, 32 | notify => Service["nagios3"], 33 | source => "puppet:///modules/nagios/cgi.cfg"; 34 | "/etc/nagios3/nagios.cfg": 35 | ensure => file, 36 | notify => Service["nagios3"], 37 | source => "puppet:///modules/nagios/nagios.cfg"; 38 | "/var/lib/nagios3": 39 | ensure => directory, 40 | owner => "nagios", 41 | group => "www-data", 42 | mode => 751; 43 | "/var/lib/nagios3/rw": 44 | ensure => directory, 45 | owner => "nagios", 46 | group => "www-data", 47 | mode => 2771; 48 | } 49 | 50 | exec { 51 | # https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/387069 52 | # Debian/Ubuntu have a wontfix bug that requires manual intervention to use 53 | # a common nagios feature. 
54 | "fix nagios.cmd permissions": 55 | command => "dpkg-statoverride --update --add nagios www-data 2710 /var/lib/nagios3/rw; dpkg-statoverride --update --add nagios nagios 751 /var/lib/nagios3; true", 56 | before => Service["nagios3"]; 57 | "really fix nagios.cmd permissions": 58 | command => "chown nagios:www-data /var/lib/nagios3/rw; 59 | chmod 2710 /var/lib/nagios3/rw; 60 | chown nagios:www-data /var/lib/nagios3/rw/nagios.cmd; 61 | chmod 0660 /var/lib/nagios3/rw/nagios.cmd; true", 62 | before => Service["nagios3"]; 63 | } 64 | 65 | apache::config { 66 | "nagios3": 67 | source => "file:///etc/nagios3/apache2.conf", 68 | require => File["/var/lib/nagios3/rw"]; 69 | } 70 | 71 | iptables::rule { 72 | "allow nagios": 73 | ports => 80; 74 | } 75 | 76 | } 77 | -------------------------------------------------------------------------------- /nagios/manifests/user.pp: -------------------------------------------------------------------------------- 1 | class nagios::user { 2 | user { 3 | "nagios": 4 | groups => ["supervisorctl"]; 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /nagios/manifests/user/logwatcher.pp: -------------------------------------------------------------------------------- 1 | class nagios::user::logwatcher { 2 | # Add to user 'adm' so it can read files generated by syslog on Ubuntu. 
3 | user { 4 | "logwatcher": 5 | ensure => present, 6 | groups => [ "adm" ]; 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /nagios/templates/check/log.grok.erb: -------------------------------------------------------------------------------- 1 | program { 2 | <% files.each do |file| -%> 3 | #exec "tail -n0 -F <%= file %>" { 4 | exec "rtail -n '<%= file %>'" { 5 | restart-on-exit: true 6 | minimum-restart-delay: 5 7 | } 8 | <% end -%> 9 | 10 | match { 11 | <% patterns.each do |pattern| -%> 12 | pattern: "<%= pattern.gsub(/"/, "\\\"") %>" 13 | <% end -%> 14 | 15 | # NSCA doesn't take events on stdin properly, so hack around it. 16 | #shell: "send_nsca -H <%= monitor_host %>" 17 | #reaction: "<%= host %> <%= check_name %> 2 %{@LINE}" 18 | 19 | shell: "/bin/sh -c 'while read line ; do echo \"$line\" | send_nsca -H monitor; done'" 20 | reaction: "<%= host %> <%= check_name %> 2 %{@LINE}" 21 | flush: yes 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /nagios/templates/hosts-deployment.cfg.erb: -------------------------------------------------------------------------------- 1 | <% require "json" -%> 2 | <% data = JSON::load(File.new("/etc/truth.json").read) -%> 3 | <% data["servers"].each do |name, info| -%> 4 | define host { 5 | use base-host 6 | host_name <%= name %>.<%= deployment_domain %> 7 | address <%= info["private_ip_address"] %> 8 | alias <%= name %> (<%= info["tags"].grep(/^role:/).collect{|r| r.split(/[:=]/)[1]}.sort.join(", ") %>) 9 | } 10 | <% end -%> 11 | 12 | define hostgroup { 13 | hostgroup_name hostgroup:all 14 | alias all servers in <%= deployment %> 15 | members <%= data["servers"].keys.collect { |s| "#{s}.#{deployment_domain}" }.join(",") %> 16 | } 17 | -------------------------------------------------------------------------------- /nagios/templates/nsca/nsca.cfg.erb: -------------------------------------------------------------------------------- 
1 | <% Puppet::Parser::Functions.autoloader.loadall -%> 2 | # PID FILE 3 | # The name of the file in which the NSCA daemon should write its process ID 4 | # number. The file is only written if the NSCA daemon is started by the root 5 | # user as a single- or multi-process daemon. 6 | 7 | pid_file=/var/run/nsca.pid 8 | 9 | 10 | 11 | # PORT NUMBER 12 | # Port number we should wait for connections on. 13 | # This must be a non-privileged port (i.e. > 1024). 14 | 15 | server_port=5667 16 | 17 | 18 | 19 | # SERVER ADDRESS 20 | # Address that NSCA has to bind to in case there are 21 | # more than one interface and we do not want NSCA to bind 22 | # (thus listen) on all interfaces. 23 | 24 | #server_address=192.168.1.1 25 | 26 | 27 | 28 | # NSCA USER 29 | # This determines the effective user that the NSCA daemon should run as. 30 | # You can either supply a username or a UID. 31 | # 32 | # NOTE: This option is ignored if NSCA is running under either inetd or xinetd 33 | 34 | nsca_user=nagios 35 | 36 | 37 | 38 | # NSCA GROUP 39 | # This determines the effective group that the NSCA daemon should run as. 40 | # You can either supply a group name or a GID. 41 | # 42 | # NOTE: This option is ignored if NSCA is running under either inetd or xinetd 43 | 44 | nsca_group=nogroup 45 | 46 | 47 | 48 | # NSCA CHROOT 49 | # If specified, determines a directory into which the nsca daemon 50 | # will perform a chroot(2) operation before dropping its privileges. 51 | # for the security conscious this can add a layer of protection in 52 | # the event that the nagios daemon is compromised. 53 | # 54 | # NOTE: if you specify this option, the command file will be opened 55 | # relative to this directory. 56 | 57 | #nsca_chroot=/var/run/nagios/rw 58 | 59 | 60 | 61 | # DEBUGGING OPTION 62 | # This option determines whether or not debugging 63 | # messages are logged to the syslog facility.
64 | # Values: 0 = debugging off, 1 = debugging on 65 | 66 | debug=0 67 | 68 | 69 | 70 | # COMMAND FILE 71 | # This is the location of the Nagios command file that the daemon 72 | # should write all service check results that it receives. 73 | # Note to debian users: nagios 1.x and nagios 2.x have 74 | # different default locations for this file. this is the 75 | # default location for nagios 1.x: 76 | #command_file=/var/run/nagios/nagios.cmd 77 | # and this is the default location for nagios2: 78 | #command_file=/var/lib/nagios2/rw/nagios.cmd 79 | # and this is the default location for nagios3: 80 | command_file=/var/lib/nagios3/rw/nagios.cmd 81 | 82 | # ALTERNATE DUMP FILE 83 | # This is used to specify an alternate file the daemon should 84 | # write service check results to in the event the command file 85 | # does not exist. It is important to note that the command file 86 | # is implemented as a named pipe and only exists when Nagios is 87 | # running. You may want to modify the startup script for Nagios 88 | # to dump the contents of this file into the command file after 89 | # it starts Nagios. Or you may simply choose to ignore any 90 | # check results received while Nagios was not running... 91 | 92 | alternate_dump_file=/var/run/nagios/nsca.dump 93 | 94 | 95 | # AGGREGATED WRITES OPTION 96 | # This option determines whether or not the nsca daemon will 97 | # aggregate writes to the external command file for client 98 | # connections that contain multiple check results. If you 99 | # are queueing service check results on remote hosts and 100 | # sending them to the nsca daemon in bulk, you will probably 101 | # want to enable bulk writes, as this will be a bit more 102 | # efficient. 
103 | # Values: 0 = do not aggregate writes, 1 = aggregate writes 104 | 105 | aggregate_writes=0 106 | 107 | 108 | 109 | # APPEND TO FILE OPTION 110 | # This option determines whether or not the nsca daemon 111 | # will open the external command file for writing or appending. 112 | # This option should almost *always* be set to 0! 113 | # Values: 0 = open file for writing, 1 = open file for appending 114 | 115 | append_to_file=0 116 | 117 | 118 | 119 | # MAX PACKET AGE OPTION 120 | # This option is used by the nsca daemon to determine when client 121 | # data is too old to be valid. Keeping this value as small as 122 | # possible is recommended, as it helps prevent the possibility of 123 | # "replay" attacks. This value needs to be at least as long as 124 | # the time it takes your clients to send their data to the server. 125 | # Values are in seconds. The max packet age cannot exceed 15 126 | # minutes (900 seconds). If this variable is set to zero (0), no 127 | # packets will be rejected based on their age. 128 | 129 | max_packet_age=30 130 | 131 | 132 | 133 | # DECRYPTION PASSWORD 134 | # This is the password/passphrase that should be used to decrypt the 135 | # incoming packets. Note that all clients must encrypt the packets 136 | # they send using the same password! 137 | # IMPORTANT: You don't want all the users on this system to be able 138 | # to read the password you specify here, so make sure to set 139 | # restrictive permissions on this config file! 140 | 141 | password=<%= scope.function_extlookup(["monitoring/nsca_password"]) %> 142 | 143 | 144 | 145 | # DECRYPTION METHOD 146 | # This option determines the method by which the nsca daemon will 147 | # decrypt the packets it receives from the clients. The decryption 148 | # method you choose will be a balance between security and performance, 149 | # as strong encryption methods consume more processor resources.
150 | # You should evaluate your security needs when choosing a decryption 151 | # method. 152 | # 153 | # Note: The decryption method you specify here must match the 154 | # encryption method the nsca clients use (as specified in 155 | # the send_nsca.cfg file)!! 156 | # Values: 157 | # 158 | # 0 = None (Do NOT use this option) 159 | # 1 = Simple XOR (No security, just obfuscation, but very fast) 160 | # 161 | # 2 = DES 162 | # 3 = 3DES (Triple DES) 163 | # 4 = CAST-128 164 | # 5 = CAST-256 165 | # 6 = xTEA 166 | # 7 = 3WAY 167 | # 8 = BLOWFISH 168 | # 9 = TWOFISH 169 | # 10 = LOKI97 170 | # 11 = RC2 171 | # 12 = ARCFOUR 172 | # 173 | # 14 = RIJNDAEL-128 174 | # 15 = RIJNDAEL-192 175 | # 16 = RIJNDAEL-256 176 | # 177 | # 19 = WAKE 178 | # 20 = SERPENT 179 | # 180 | # 22 = ENIGMA (Unix crypt) 181 | # 23 = GOST 182 | # 24 = SAFER64 183 | # 25 = SAFER128 184 | # 26 = SAFER+ 185 | # 186 | 187 | decryption_method=8 188 | 189 | -------------------------------------------------------------------------------- /nagios/templates/nsca/send_nsca.cfg.erb: -------------------------------------------------------------------------------- 1 | <% Puppet::Parser::Functions.autoloader.loadall -%> 2 | # ENCRYPTION PASSWORD 3 | # This is the password/passphrase that should be used to encrypt the 4 | # outgoing packets. Note that the nsca daemon must use the same 5 | # password when decrypting the packet! 6 | # IMPORTANT: You don't want all the users on this system to be able 7 | # to read the password you specify here, so make sure to set 8 | # restrictive permissions on this config file! 9 | 10 | password=<%= scope.function_extlookup(["monitoring/nsca_password"]) %> 11 | 12 | 13 | 14 | # ENCRYPTION METHOD 15 | # This option determines the method by which the send_nsca client will 16 | # encrypt the packets it sends to the nsca daemon. 
The encryption 17 | # method you choose will be a balance between security and performance, 18 | # as strong encryption methods consume more processor resources. 19 | # You should evaluate your security needs when choosing an encryption 20 | # method. 21 | # 22 | # Note: The encryption method you specify here must match the 23 | # decryption method the nsca daemon uses (as specified in 24 | # the nsca.cfg file)!! 25 | # Values: 26 | # 0 = None (Do NOT use this option) 27 | # 1 = Simple XOR (No security, just obfuscation, but very fast) 28 | # 29 | # 2 = DES 30 | # 3 = 3DES (Triple DES) 31 | # 4 = CAST-128 32 | # 5 = CAST-256 33 | # 6 = xTEA 34 | # 7 = 3WAY 35 | # 8 = BLOWFISH 36 | # 9 = TWOFISH 37 | # 10 = LOKI97 38 | # 11 = RC2 39 | # 12 = ARCFOUR 40 | # 41 | # 14 = RIJNDAEL-128 42 | # 15 = RIJNDAEL-192 43 | # 16 = RIJNDAEL-256 44 | # 45 | # 19 = WAKE 46 | # 20 = SERPENT 47 | # 48 | # 22 = ENIGMA (Unix crypt) 49 | # 23 = GOST 50 | # 24 = SAFER64 51 | # 25 = SAFER128 52 | # 26 = SAFER+ 53 | # 54 | 55 | encryption_method=8 56 | 57 | -------------------------------------------------------------------------------- /nagios/templates/services-deployment.cfg.erb: -------------------------------------------------------------------------------- 1 | <% require "json" -%> 2 | <% data = JSON::load(File.new("/etc/truth.json").read) -%> 3 | 4 | define service { 5 | use base-service 6 | hostgroup_name hostgroup:all 7 | service_description host ssh tcp check 8 | check_command check_tcp!22 9 | } 10 | -------------------------------------------------------------------------------- /truth/files/query-rightscale.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | from rightscale import RightScale 3 | import sys 4 | rsapi = RightScale(ACCOUNTID, USERNAME, PASSWORD) 5 | 6 | myself = rsapi.whoami() 7 | 8 | if myself is None: 9 | print >>sys.stderr, "This system is not found in RightScale." 
10 | exit(1) 11 | 12 | 13 | # Find all servers (including myself) in my deployment. 14 | servers = [s for s in rsapi.servers if s.deployment_href == myself.deployment_href] 15 | 16 | tagged = dict() 17 | for server in servers: 18 | #print server 19 | #print server.tags 20 | for tag in server.tags: 21 | #print tag 22 | tagged.setdefault(tag.name, list()) 23 | tagged[tag.name].append(server) 24 | 25 | data = dict() 26 | 27 | data["deployment"] = myself.deployment.nickname 28 | data["name"] = myself.nickname 29 | data["servers"] = dict() 30 | for server in servers: 31 | data["servers"][server.nickname] = { 32 | "ip_address": server.settings.ip_address, 33 | "private_ip_address": server.settings.private_ip_address, 34 | "tags": [t.name for t in server.tags], 35 | } 36 | 37 | #data["tags"] = dict() 38 | #for tag,tagged_servers in tagged.iteritems(): 39 | #data["tags"][tag] = [s.nickname for s in tagged_servers] 40 | 41 | import json 42 | # Pretty-print the json so it's easily human-readable 43 | print json.dumps(data, indent=2) 44 | -------------------------------------------------------------------------------- /truth/files/update-zerigo.py: -------------------------------------------------------------------------------- 1 | import zerigodns 2 | import json 3 | import re 4 | import sys 5 | 6 | def safe_hostname(value): 7 | return re.compile("[^A-Za-z0-9-]").sub("_", value).lower() 8 | 9 | class ZerigoUpdater(object): 10 | api_user = "zerigo_api_user" 11 | api_key = "zerigo_api_key" 12 | def __init__(self, api_user, api_key): 13 | self.api_user = api_user 14 | self.api_key = api_key 15 | self.zerigo = zerigodns.NSZone(self.api_user, self.api_key) 16 | # def __init__ 17 | 18 | def zone(self, domain): 19 | try: 20 | return self.zerigo.find_by_domain(domain) 21 | except zerigodns.api.ZerigoNotFound, e: 22 | return self.zerigo.create({ "domain": domain }) 23 | # def zone 24 | 25 | def update(self, domain, truthdata): 26 | zone = self.zone(domain) 27 | 
self.update_hosts(zone, truthdata) 28 | #self.update_roles(zone, truthdata) 29 | # def update 30 | 31 | def update_hosts(self, zone, truthdata): 32 | oldhosts = {} 33 | notes = "host" 34 | ttl = 60 35 | 36 | for host in zone.hosts: 37 | if host.host_type == "A" and host.hostname is not None: 38 | oldhosts[host.hostname] = host 39 | 40 | for name, info in truth["servers"].iteritems(): 41 | if "ip_address" not in info: 42 | print "%s has no public ip, skipping" % (name) 43 | continue 44 | public_ip = info["ip_address"] 45 | real_hostname = "%s" % (safe_hostname(name)) 46 | 47 | # Give wildcards for all. 48 | hostnames = [real_hostname] 49 | #if "role:frontend=true" in info["tags"]: 50 | hostnames.append("*.%s" % real_hostname) 51 | for hostname in hostnames: 52 | if hostname in oldhosts: 53 | current = oldhosts[hostname] 54 | tainted = False 55 | if current.data != public_ip: 56 | print "%s.%s: IP updated" % (hostname, zone.domain) 57 | current.data = public_ip 58 | tainted = True 59 | if current.notes != notes: 60 | print "%s.%s: notes updated" % (hostname, zone.domain) 61 | current.notes = notes 62 | tainted = True 63 | if current.ttl != ttl: 64 | print "%s.%s: ttl updated" % (hostname, zone.domain) 65 | current.ttl = ttl 66 | tainted = True 67 | 68 | if tainted: 69 | print "Updating: %s.%s" % (hostname, zone.domain) 70 | current.save() 71 | del oldhosts[hostname] 72 | else: 73 | print "Creating: %s.%s" % (hostname, zone.domain) 74 | zone.create_host({ "hostname": hostname, "ttl": 60, 75 | "host-type": "A", "data": public_ip, 76 | "notes": notes }) 77 | 78 | for missing in oldhosts.itervalues(): 79 | # Skipp non-host entries 80 | if missing.notes != "host": 81 | continue 82 | print "Removing unknown host in '%s' deployment: %s" % (deployment, missing.hostname) 83 | missing.destroy() 84 | # def update_hosts 85 | 86 | def update_roles(self, zone, truthdata): 87 | oldhosts = {} 88 | notes = "role" 89 | ttl = 60 90 | 91 | # In these cases, 'host' is often 'role' 92 | 
for host in zone.hosts: 93 | if host.host_type == "A" and host.hostname is not None: 94 | oldhosts.setdefault(host.hostname, list()) 95 | oldhosts[host.hostname].append(host) 96 | 97 | # build list of roles for all servers 98 | role_re = re.compile("^role:([^=]+)=true$") 99 | for name, info in truth["servers"].iteritems(): 100 | for tag in info.tags: 101 | m = role_re.match(tag) 102 | if m: 103 | role = m.groups()[0] 104 | roles.setdefault(role, {}) 105 | roles[role][name] = info 106 | 107 | for role, servers in roles.iteritems(): 108 | seen_ips = self.update_role(role, zone, servers) 109 | for ip in seen_ips: 110 | oldhosts[role].remove(ip) 111 | # def update_roles 112 | 113 | def update_role(self, role, zone, servers): 114 | seen = list() 115 | hostname = role 116 | # servers is a 117 | for name, info in servers.iteritems(): 118 | # See if this dns entry is defined, update or create as necessary 119 | public_ip = info["ip_address"] 120 | 121 | current = oldhosts[hostname] 122 | tainted = False 123 | if current.data != public_ip: 124 | print "%s.%s: IP updated" % (hostname, zone.domain) 125 | current.data = public_ip 126 | tainted = True 127 | if current.notes != notes: 128 | print "%s.%s: notes updated" % (hostname, zone.domain) 129 | current.notes = notes 130 | tainted = True 131 | if current.ttl != ttl: 132 | print "%s.%s: ttl updated" % (hostname, zone.domain) 133 | current.ttl = ttl 134 | tainted = True 135 | 136 | if tainted: 137 | print "Updating: %s.%s" % (hostname, zone.domain) 138 | current.save() 139 | del oldhosts[hostname] 140 | else: 141 | # If the entry was not found, create it. 
142 | print "Creating: %s.%s" % (hostname, zone.domain) 143 | zone.create_host({ "hostname": hostname, "ttl": 60, 144 | "host-type": "A", "data": public_ip, 145 | "notes": notes }) 146 | for missing in oldhosts.itervalues(): 147 | # Skipp non-host entries 148 | if missing.notes != "host": 149 | continue 150 | print "Removing unknown host in '%s' deployment: %s" % (deployment, missing.hostname) 151 | missing.destroy() 152 | # def update_role 153 | # class ZerigoUpdater 154 | 155 | truth = json.loads(file("/etc/truth.json").read()) 156 | deployment = truth["deployment"] 157 | 158 | domain = "%s.example.com" % safe_hostname(deployment) 159 | zup = ZerigoUpdater("USER", "APIKEY") 160 | zup.update(domain, truth) 161 | -------------------------------------------------------------------------------- /truth/manifests/enforcer.pp: -------------------------------------------------------------------------------- 1 | class truth::enforcer { 2 | if has_role("proxy") { 3 | include ::loggly::proxy 4 | } 5 | 6 | if has_role("membase") { 7 | include ::membase 8 | } 9 | 10 | if has_role("zookeeper") { 11 | include ::loggly::zookeeper 12 | } 13 | 14 | if has_role("solr") { 15 | include ::loggly::solrserver 16 | } 17 | 18 | if has_role("buildserver") { 19 | include ::loggly::buildserver 20 | } 21 | 22 | if has_role("monitor") { 23 | include ::loggly::monitoring 24 | } 25 | 26 | if has_role("activemq") { 27 | include ::activemq 28 | include ::rabbitmq 29 | } 30 | 31 | if has_role("frontend") { 32 | include ::loggly::frontend 33 | } 34 | 35 | if has_role("mongodb") { 36 | include ::mongodb::server 37 | } 38 | 39 | if has_role("graphite") { 40 | include ::graphite::server 41 | } 42 | 43 | if extlookup("config/infrastructure/iptables-management") == "true" { include ::loggly::firewall 44 | } 45 | } 46 | 47 | -------------------------------------------------------------------------------- /truth/manifests/init.pp: 
-------------------------------------------------------------------------------- 1 | class truth { 2 | include ::loggly::rightscale 3 | include ::loggly::common 4 | 5 | package { 6 | "libjson-ruby": 7 | ensure => latest; 8 | "python-zerigodns": 9 | ensure => latest; 10 | } 11 | 12 | file { 13 | "/opt/loggly/truth": 14 | ensure => directory; 15 | "/opt/loggly/truth/bin": 16 | ensure => directory; 17 | "/opt/loggly/truth/bin/query-rightscale.py": 18 | ensure => file, 19 | source => "puppet:///modules/truth/query-rightscale.py", 20 | mode => 755; 21 | } 22 | 23 | exec { 24 | "update zerigo dns": 25 | command => "python /opt/puppet/modules/truth/files/update-zerigo.py", 26 | require => Package["python-zerigodns"]; 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /truth/plugins/facter/rightscale.rb: -------------------------------------------------------------------------------- 1 | # These files below appear automatically on all rightscale machines. 2 | # Parse them and make facts like 'ec2_instance_id' etc 3 | paths = [ "/var/spool/ec2/meta-data-cache.rb", "/var/spool/ec2/user-data.rb" ] 4 | 5 | paths.each do |path| 6 | if File.exists?(path) 7 | require path 8 | ENV.each do |name, value| 9 | next unless name =~ /^(EC2_|RS_)/ 10 | Facter.add(name) do 11 | setcode do 12 | value 13 | end # setcode 14 | end # Facter.add 15 | end # ENV.each 16 | end # if !File.exists? 17 | end # paths.each 18 | -------------------------------------------------------------------------------- /truth/plugins/facter/truth.rb: -------------------------------------------------------------------------------- 1 | require "rubygems" 2 | require "json" 3 | require "csv" 4 | 5 | if File.exists?("/var/spool/ec2/meta-data-cache") 6 | truth_source = "rightscale" 7 | else 8 | # Default truth source is local. 
9 | truth_source = "local" 10 | end 11 | 12 | def safe_hostname(value) 13 | return value.downcase.gsub(/[^A-Za-z0-9-]/, "") 14 | end 15 | 16 | DOMAIN = "example.com" 17 | 18 | Facter.add("truth_source") do 19 | setcode do 20 | truth_source 21 | end # setcode 22 | end 23 | 24 | begin 25 | data = JSON.parse(File.open("/etc/truth.json").read) 26 | 27 | # Write truth to csv so extlookup() can use it. 28 | # This is in response to puppet issue #5212. 29 | truthcsv_path = "/opt/loggly/deployment/truth.csv" 30 | truthcsv_file = File.open(truthcsv_path + ".new", "w") 31 | truthcsv = CSV::Writer.create(truthcsv_file) 32 | 33 | by_tag = Hash.new { |h,k| h[k] = Array.new() } 34 | data["servers"].each do |name, settings| 35 | settings["tags"].each do |tag| 36 | if settings["private_ip_address"] 37 | by_tag[tag] << settings["private_ip_address"] 38 | end 39 | end # settings["tags"].each 40 | end # data["servers"].each 41 | 42 | myself = data["servers"][data["name"]] 43 | Facter.add("server_tags") do 44 | setcode do 45 | myself["tags"].sort.join(",") 46 | end # setcode 47 | end # Facter.add("server_tags") 48 | truthcsv << [ "truth/server_tags", *myself["tags"] ] 49 | 50 | myself["tags"].each do |tag| 51 | key, value = tag.split("=") 52 | if value == nil 53 | value = "true" 54 | end 55 | truthcsv << [ "truth/#{key}", value ] 56 | 57 | Facter.add(key) do 58 | setcode do 59 | value 60 | end 61 | end 62 | end # myself["tags"].each 63 | 64 | Facter.add("deployment") do 65 | setcode do 66 | data["deployment"] 67 | end # setcode 68 | end # Facter.add("deployment") 69 | truthcsv << [ "truth/deployment", data["deployment"] ] 70 | 71 | Facter.add("deployment_domain") do 72 | setcode do 73 | safe_hostname(data["deployment"]) + ".#{DOMAIN}" 74 | end # setcode 75 | end # Facter.add("deployment_domain") 76 | truthcsv << [ "truth/deployment_domain", safe_hostname(data["deployment"]) + ".#{DOMAIN}" ] 77 | 78 | Facter.add("deployment_hostname") do 79 | setcode do 80 | begin 81 | 
Facter.deployment_domain 82 | rescue 83 | Facter.loadfacts() 84 | end 85 | "#{safe_hostname(data["name"])}.#{Facter.value("deployment_domain")}" 86 | end # setcode 87 | end # Facter.add("deployment_hostname") 88 | truthcsv << [ 89 | "truth/deployment_hostname", 90 | [ safe_hostname(data["name"]), safe_hostname(data["deployment"]), DOMAIN ].join(".") 91 | ] 92 | 93 | Facter.add("roles_list") do 94 | setcode do 95 | by_tag.keys.grep(/^role:/).collect { |tag| tag.split(/[:=]/)[1] }.join(",") 96 | end 97 | end 98 | truthcsv << [ 99 | "truth/roles_list", 100 | by_tag.keys.grep(/^role:/).collect { |tag| tag.split(/[:=]/)[1] } 101 | ] 102 | 103 | by_tag.each do |tag, servers| 104 | next unless tag =~ /^role:/ 105 | role = tag.split(/[:=]/)[1] 106 | Facter.add("role_#{role}") do 107 | setcode do 108 | servers.sort.join(",") 109 | end # setcode 110 | end # Facter.add 111 | truthcsv << [ "truth/role_#{role}", *servers.sort ] 112 | end # by_tag.each 113 | 114 | truthcsv.close 115 | truthcsv_file.close 116 | File.rename(truthcsv_path + ".new", truthcsv_path) 117 | rescue => e 118 | $stderr.puts "Failed loading /tmp/truth.json, #{e}" 119 | $stderr.puts "Backtrace" 120 | $stderr.puts e.backtrace 121 | end 122 | -------------------------------------------------------------------------------- /truth/plugins/puppet/parser/functions/has_feature.rb: -------------------------------------------------------------------------------- 1 | 2 | module Puppet::Parser::Functions 3 | newfunction(:has_feature, :type => :rvalue) do |args| 4 | Puppet::Parser::Functions.autoloader.loadall 5 | if (args.is_a? 
String) 6 | args = [args] 7 | end 8 | feature = args[0] 9 | _has_feature = function_extlookup(["feature/#{feature}", "false"]) 10 | return (_has_feature == "true") 11 | end # puppet function role_addresses 12 | end # module Puppet::Parser::Functions 13 | -------------------------------------------------------------------------------- /truth/plugins/puppet/parser/functions/has_role.rb: -------------------------------------------------------------------------------- 1 | # Add a puppet parser function called 'has_role' 2 | # * Takes 1 argument, the role name. 3 | # * Expects a fact 'server_tags' to be a comma-delimited string containing roles 4 | # 5 | # We use rightscale, which supports "tagging" a server with any number of tags 6 | # The tags are of the format: namespace:predicate=value 7 | # http://support.rightscale.com/12-Guides/RightScale_Methodologies/Tagging 8 | # 9 | # This function expects the fact 'server_tags' to be comma-delimited 10 | # Each value in server_tags must be of the format described above. 11 | # Roles are expected to be of format: "role:=true" 12 | # For example, the role 'loadbalancer' is "role:loadbalancer=true" 13 | # 14 | 15 | module Puppet::Parser::Functions 16 | newfunction(:has_role, :type => :rvalue) do |args| 17 | Puppet::Parser::Functions.autoloader.loadall 18 | if (args.is_a? 
String) 19 | args = [args] 20 | end 21 | role = args[0] 22 | #roles = lookupvar("server_tags").split(",").grep(/^role:/) 23 | roles = function_extlookup(["truth/server_tags"]).grep(/^role:/) 24 | roletag_re = /^role:#{role}(?:=.+)?$/ 25 | has_role = (roles.grep(roletag_re).length > 0) 26 | return has_role 27 | end # puppet function has_role 28 | end # module Puppet::Parser::Functions 29 | -------------------------------------------------------------------------------- /truth/plugins/puppet/parser/functions/role_addresses.rb: -------------------------------------------------------------------------------- 1 | 2 | module Puppet::Parser::Functions 3 | newfunction(:role_addresses, :type => :rvalue) do |args| 4 | Puppet::Parser::Functions.autoloader.loadall 5 | if (args.is_a? String) 6 | args = [args] 7 | end 8 | role = args[0] 9 | #addresses = lookupvar("role_#{role}").split(",") 10 | addresses = function_extlookup(["truth/role_#{role}", []]) 11 | return addresses 12 | end # puppet function role_addresses 13 | end # module Puppet::Parser::Functions 14 | -------------------------------------------------------------------------------- /truth/plugins/puppet/parser/functions/role_enabled.rb: -------------------------------------------------------------------------------- 1 | # Add a puppet parser function called 'role_enabled' 2 | # * Takes 1 argument, the role name. 3 | # * Expects a extlookup value truth/server_tags to be an array of tags 4 | # 5 | # We use rightscale, which supports "tagging" a server with any number of tags 6 | # The tags are of the format: namespace:predicate=value 7 | # http://support.rightscale.com/12-Guides/RightScale_Methodologies/Tagging 8 | # 9 | # Each value in server_tags must be of the format described above. 
# Roles are expected to be of format: "role:<name>=true"
7 | 8 | Humans go in manifests/humans.pp - 9 | 10 | class user::humans { 11 | user::managed { 12 | "jls": ensure => present, root => true; 13 | } 14 | } 15 | 16 | Then put the authorized_key file in files/publickeys/jls.pub 17 | -------------------------------------------------------------------------------- /user/files/publickeys/README: -------------------------------------------------------------------------------- 1 | Public keys go here named '.pub' 2 | -------------------------------------------------------------------------------- /user/manifests/groups.pp: -------------------------------------------------------------------------------- 1 | class user::groups { 2 | group { 3 | "sudo": ensure => present; 4 | "human": ensure => present; 5 | "supervisorctl": ensure => present; 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /user/manifests/humans.pp: -------------------------------------------------------------------------------- 1 | class user::humans { 2 | user::managed { 3 | "someuser": ensure => present, root => true; 4 | "anotherguy": ensure => present, root => true; 5 | "an_ex_employee": ensure => present, shell => "/usr/sbin/nologin", root => false; 6 | } 7 | 8 | package { 9 | "loggly-homedirs": 10 | ensure => latest, 11 | notify => Exec["refresh homedirs"]; 12 | } 13 | 14 | exec { 15 | "refresh homedirs": 16 | command => "sh /opt/homedirs/postinst configure", 17 | refreshonly => true; 18 | } 19 | 20 | # Only update/install loggly-homedirs package after we have 21 | # handled all users. Otherwise some user homedirs won't exist 22 | # on the first run. 
23 | User <| |> { 24 | before +> [Package["loggly-homedirs"], Exec["refresh homedirs"]], 25 | } 26 | } 27 | 28 | -------------------------------------------------------------------------------- /user/manifests/managed.pp: -------------------------------------------------------------------------------- 1 | define user::managed($ensure="present", $home="present", $root=false, $groups=["human"], $shell="/bin/bash") { 2 | include ::ssh::server 3 | include ::user::groups 4 | 5 | user { 6 | "$name": 7 | ensure => $ensure, 8 | shell => $shell, 9 | groups => $groups; 10 | } 11 | 12 | case $home { 13 | /^\//: { $_home = $home } 14 | "present": { $_home = "/home/$name" } 15 | default: { err("Invalid home directory for user $name: '$home'") } 16 | } 17 | 18 | if ($ensure == "present") { 19 | file { 20 | "$_home": 21 | ensure => directory, 22 | require => User[$name], 23 | owner => $name, 24 | group => "human", 25 | mode => 755; 26 | } 27 | 28 | if ($root) { 29 | User <| title == $name |> { 30 | groups +> ["sudo", "adm", "supervisorctl"] 31 | } 32 | } 33 | } 34 | 35 | file { 36 | "/etc/ssh/authorized-keys/$name.pub": 37 | ensure => $ensure, 38 | source => "puppet:///modules/user/publickeys/$name.pub", 39 | require => Class["ssh::server"]; 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /user/manifests/robots.pp: -------------------------------------------------------------------------------- 1 | class user::robots { 2 | user::managed { 3 | "appserver": ensure => present; 4 | } 5 | } 6 | 7 | --------------------------------------------------------------------------------