Role refactor

parent b228e5f2
exclude_paths:
- ./.venv
*.sw[po]
image: alpine:3.7
cache:
key: ${CI_COMMIT_REF_SLUG}
stages:
- test
variables:
MIRROR_VALUES_FILE: tests/triumf-mirror-values.yml
centos7_test_install:
stage: test
image: centos:centos7
before_script:
- yum -y update && yum -y install ansible git sudo
- echo "localhost" > tests/inventory
- mkdir -p tests/roles
- ln -s $(pwd) tests/roles/nagios-nrpe-agent
after_script:
- rm -rf tests/roles
- rm -f $MIRROR_VALUES_FILE
script:
- set -ex
# Basic role syntax check
- [ -f requirements.yml ] && ansible-galaxy install --force --role-file=requirements.yml
- ansible-playbook --list-hosts tests/test-playbook.yml --inventory tests/inventory --connection local
- ansible-playbook tests/test-playbook.yml --inventory tests/inventory --syntax-check
# Run the first time
- ansible-playbook tests/test-playbook.yml --inventory tests/inventory --connection local --extra-vars @${MIRROR_VALUES_FILE}
- >
ansible-playbook tests/test-playbook.yml --inventory tests/inventory --connection local --extra-vars @${MIRROR_VALUES_FILE}
| grep -q 'changed=0.*failed=0'
&& (echo 'Idempotence test: pass' && exit 0)
|| (echo 'Idempotence test: fail' && exit 1)
# Molecule test
include:
- project: 'gitlab/ci/templates'
ref: 'master'
file: 'ansible/Molecule.gitlab-ci.yml'
molecule:
tags:
- gitlab-runner
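Review bot: The new `include:` block takes its job definitions from `gitlab/ci/templates` at `ref: 'master'`, a mutable branch, so anyone who can push there changes what this pipeline runs on the `gitlab-runner` runners without any commit in this repository. Pin the include to a tag or commit SHA instead, e.g. `ref: '<tag-or-commit-sha>'`, and bump it deliberately. The +/- markers are lost on this page, so I am assuming the `include:`/`molecule:` lines are the added side and the `centos7_test_install` job is the removed one.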
---
# Based on ansible-lint config
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
colons:
max-spaces-after: -1
level: error
commas:
max-spaces-after: -1
level: error
comments: disable
comments-indentation: disable
document-start: disable
empty-lines:
max: 3
level: error
hyphens:
level: error
indentation: disable
key-duplicates: enable
line-length: disable
new-line-at-end-of-file: disable
new-lines:
type: unix
trailing-spaces: disable
truthy: disable
# General role defaults
############# GENERAL ROLE-BASED OPTIONS
nagios_nrpe_agent_service_state: started
nagios_nrpe_agent_service_enabled: true
# Specify a custom value here to override the packages determined
# in this role per-distro/release
nagios_nrpe_agent_packages: []
nagios_nrpe_agent_config_path: /etc/nrpe.d
# Relative paths will be placed under nagios_nrpe_agent_config_path
# and absolute paths will be placed in the absolute path location
nagios_nrpe_agent_config_file_dest: nrpe.cfg
# Relative 'dest' paths are placed under nagios_nrpe_agent_config_path
# just like the nagios_nrpe_agent_config_file_dest value
nagios_nrpe_agent_extra_config_files: []
# eg.
# - src: commands.cfg.j2
# dest: commands.cfg
############# NRPE CONFIG FILE OPTIONS
nagios_nrpe_agent_config:
#
# BASH COMMAND SUBSTITUTION
# This option determines whether or not the NRPE daemon will allow clients
......@@ -14,7 +35,7 @@
#
# Values: 0=do not allow bash command substitutions,
# 1=allow bash command substitutions
allow_bash_command_substitution: 0
allow_bash_command_substitution: 0
# WEAK RANDOM SEED OPTION
# This directive allows you to use SSL even if your system does not have
......@@ -24,7 +45,7 @@ allow_bash_command_substitution: 0
# or $HOME/.rnd. If neither exists, the pseudo random number generator will
# be initialized and a warning will be issued.
# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness
allow_weak_random_seed: 0
allow_weak_random_seed: 0
# ALLOWED HOST ADDRESSES
# This is an optional comma-delimited list of IP address or hostnames
......@@ -39,23 +60,23 @@ allow_weak_random_seed: 0
#
# NOTE: This option is ignored if NRPE is running under either inetd
# or xinetd or systemd
allowed_hosts:
- 127.0.0.1
- ::1
allowed_hosts:
- 127.0.0.1
- ::1
# The following examples use hardcoded command arguments...
# This is by far the most secure method of using NRPE
commands:
- name: check_users
command: /usr/lib64/nagios/plugins/check_users -w 5 -c 10
- name: check_load
command: /usr/lib64/nagios/plugins/check_load -r -w .15,.10,.05 -c .30,.25,.20
- name: check_hda1
command: /usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1
- name: check_zombie_procs
command: /usr/lib64/nagios/plugins/check_procs -w 5 -c 10 -s Z
- name: check_total_procs
command: /usr/lib64/nagios/plugins/check_procs -w 150 -c 200
commands:
- name: check_users
command: /usr/lib64/nagios/plugins/check_users -w 5 -c 10
- name: check_load
command: /usr/lib64/nagios/plugins/check_load -r -w .15,.10,.05 -c .30,.25,.20
- name: check_hda1
command: /usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1
- name: check_zombie_procs
command: /usr/lib64/nagios/plugins/check_procs -w 5 -c 10 -s Z
- name: check_total_procs
command: /usr/lib64/nagios/plugins/check_procs -w 150 -c 200
# The following examples allow user-supplied arguments and can
# only be used if the NRPE daemon was compiled with support for
# command arguments *AND* the dont_blame_nrpe directive in this
......@@ -129,13 +150,13 @@ commands:
# This lets the nagios user run all commands in that directory (and only them)
# without asking for a password. If you do this, make sure you don't give
# random users write access to that directory or its contents!
command_prefix: null
command_prefix: null
# COMMAND TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# allow plugins to finish executing before killing them off.
#
command_timeout: 60
command_timeout: 60
# CONNECTION TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# wait for a connection to be established before exiting. This is sometimes
......@@ -143,12 +164,12 @@ command_timeout: 60
# all network sessions are connected. This causes the nrpe daemons to
# accumulate, eating system resources. Do not set this too low.
#
connection_timeout: 300
connection_timeout: 300
# DEBUGGING OPTION
# This option determines whether or not debugging messages are logged to the
# syslog facility.
# Values: 0=debugging off, 1=debugging on
debug: 0
debug: 0
# Do not allow command arguments for security reasons
# COMMAND ARGUMENT PROCESSING
......@@ -162,36 +183,36 @@ debug: 0
# of enabling this variable.
#
# Values: 0=do not allow arguments, 1=allow command arguments
dont_blame_nrpe: 0
dont_blame_nrpe: 0
# INCLUDE CONFIG FILE
# This directive allows you to include definitions from an external config file.
include: []
include: []
# INCLUDE CONFIG DIRECTORY
# This directive allows you to include definitions from config files (with a
# .cfg extension) in one or more directories (with recursion).
include_dir:
- /etc/nrpe.d
include_dir:
- /etc/nrpe.d
# LISTEN QUEUE SIZE
# Listen queue size (backlog) for serving incoming connections.
# You may want to increase this value under high load.
listen_queue_size: 5
listen_queue_size: 5
# LOG FACILITY
# The syslog facility that should be used for logging purposes.
log_facility: daemon
log_facility: daemon
# LOG FILE
# If a log file is specified in this option, nrpe will write to
# that file instead of using syslog.
log_file: null
log_file: null
# NASTY METACHARACTERS
# This option allows you to override the list of characters that cannot
# be passed to the NRPE daemon.
nasty_metachars: null
nasty_metachars: null
# NRPE USER
# This determines the effective user that the NRPE daemon should run as.
......@@ -201,7 +222,7 @@ nasty_metachars: null
# or xinetd or via systemd. [In systemd please use
# systemctl edit nrpe.service
# to set up the group.
nrpe_user: nrpe
nrpe_user: nrpe
# NRPE GROUP
# This determines the effective group that the NRPE daemon should run as.
......@@ -211,27 +232,27 @@ nrpe_user: nrpe
# or xinetd or via systemd. [In systemd please use
# systemctl edit nrpe.service
# to set up the user.
nrpe_group: nrpe
nrpe_group: nrpe
# MAX COMMANDS
# This specifies how many children processes may be spawned at any one
# time, essentially limiting the fork()s that occur.
# Default (0) is set to unlimited
max_commands: 0
max_commands: 0
packages: []
packages: []
# PID FILE
# The name of the file in which the NRPE daemon should write it's process ID
# number. The file is only written if the NRPE daemon is started by the root
# user and is running in standalone mode.
pid_file: /var/run/nrpe/nrpe.pid
pid_file: /var/run/nrpe/nrpe.pid
# SERVER ADDRESS
# Address that nrpe should bind to in case there are more than one interface
# and you do not want nrpe to bind on all interfaces.
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
# or with systemd. Please start by hand.
server_address: 127.0.0.1
server_address: 127.0.0.1
# PORT NUMBER
# Port number we should wait for connections on.
......@@ -240,26 +261,26 @@ server_address: 127.0.0.1
# or xinetd or via systemd. [In systemd please use
# systemctl edit nrpe.service
# to set up the port.
server_port: 5666
server_port: 5666
# SSL Certificate and Private Key Files
ssl_cacert_file: null
ssl_cert_file: null
ssl_privatekey_file: null
ssl_cacert_file: null
ssl_cert_file: null
ssl_privatekey_file: null
# SSL CIPHER LIST
# This lists which ciphers can be used. For backward compatibility, this
# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' for < OpenSSL 1.1.0,
# and 'ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0' for OpenSSL 1.1.0 and
# greater.
ssl_cipher_list: null
# greater.
ssl_cipher_list: null
# SSL USE CLIENT CERTS
# This options determines client certificate usage.
# Values: 0 = Don't ask for or require client certificates (default)
# 1 = Ask for client certificates
# 2 = Require client certificates
ssl_client_certs: 0
ssl_client_certs: 0
# SSL LOGGING
# This option determines which SSL messages are send to syslog. OR values
......@@ -273,13 +294,13 @@ ssl_client_certs: 0
# 0x10 (16) = Log if client has a certificate
# 0x20 (32) = Log details of client's certificate if it has one
# -1 or 0xff or 0x2f = All of the above
ssl_logging: 0
ssl_logging: 0
# SSL USE ADH
# This is for backward compatibility and is DEPRECATED. Set to 1 to enable
# ADH or 2 to require ADH. 1 is currently the default but will be changed
# in a later version.
ssl_use_adh: 1
ssl_use_adh: 1
# SSL VERSION
# This can be any of: SSLv2 (only use SSLv2), SSLv2+ (use any version),
......@@ -290,10 +311,4 @@ ssl_use_adh: 1
# If an "or above" version is used, the best will be negotiated. So if both
# ends are able to do TLSv1.2 and use specify SSLv2, you will get TLSv1.2.
# If you are using openssl 1.1.0 or above, the SSLv2 options are not available.
ssl_version: TLSv1+
############# OTHER ROLE-BASED OPTIONS
extra_config_files:
- etc/nrpe.d/commands.cfg
nrpe_autostart: True
ssl_version: TLSv1+
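Review bot: The re-indented defaults in the last two hunks still ship `ssl_use_adh: 1` and `ssl_version: TLSv1+`, so a host configured by this role accepts anonymous Diffie-Hellman, which gives no peer authentication, and will negotiate TLS 1.0. The file's own comment already marks ADH as deprecated. Since the refactor changes the variable layout anyway, consider defaulting to `ssl_use_adh: 0` and `ssl_version: TLSv1.2+`. A comment should then say that `ssl_cert_file` and `ssl_privatekey_file` must be set, because they default to `null` here.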
---
- name: Restart nrpe
service:
name: nrpe
state: restarted
listen: restart nrpe
tags:
- service
when:
- "ansible_service_mgr != 'sysvinit'"
- "nagios_nrpe_agent_service_state == 'started'"
......@@ -3,13 +3,16 @@ galaxy_info:
author: Dan Thomson
description: Nagios NRPE RPC module installer
company: TRIUMF
min_ansible_version: 2.0
min_ansible_version: 2.5
platforms:
- name: CentOS
- name: EL
versions:
- 8
- 7
dependencies:
- src: git+https://gitlab.triumf.ca/ansible/roles/triumf-mirror-repo.git
version: v0.1
name: triumf-mirror-repo
# - 6
galaxy_tags:
- nagios
- nagios-nrpe
- centos
- centos7
dependencies: []
*******
Docker driver installation guide
*******
Requirements
============
* Docker Engine
Install
=======
Please refer to the `Virtual environment`_ documentation for installation best
practices. If not using a virtual environment, please consider passing the
widely recommended `'--user' flag`_ when invoking ``pip``.
.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
.. code-block:: bash
$ python3 -m pip install 'molecule[docker]'
---
- name: Converge
hosts: all
tasks:
- name: "Include nagios-nrpe-agent"
include_role:
name: "nagios-nrpe-agent"
---
dependency:
name: galaxy
driver:
name: docker
platforms:
- name: nagios-nrpe-agent-molecule-centos8
image: "centos:centos8"
pre_build_image: true
tmpfs:
- /run
- /tmp
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- name: nagios-nrpe-agent-molecule-centos7
image: "centos:centos7"
pre_build_image: true
tmpfs:
- /run
- /tmp
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
# - name: nagios-nrpe-agent-molecule-centos6
# image: "centos:centos6"
# pre_build_image: true
# tmpfs:
# - /run
# - /tmp
# volumes:
# - /sys/fs/cgroup:/sys/fs/cgroup:ro
provisioner:
name: ansible
verifier:
name: testinfra
---
# This is an example playbook to execute Ansible tests.
- name: Verify
hosts: all
tasks:
- name: Example assertion
assert:
that: true
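Review bot: `that: true` asserts nothing, so this scenario passes whatever the role renders into the NRPE configuration. The molecule.yml in this commit also sets `verifier: name: testinfra`, which as far as I can tell does not run this playbook at all; either switch it to `name: ansible` or add testinfra tests. A useful first check would read the rendered config file and assert that it still contains `dont_blame_nrpe=0` and `allow_bash_command_substitution=0`, since those are the security-relevant defaults of the role.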
---
- name: Install EPEL
package:
name: epel-release
state: installed
- name: Install dependencies
package:
name: >
{{ (nagios_nrpe_agent_packages|length > 0) |
ternary(
nagios_nrpe_agent_packages,
lookup('vars', 'nagios_nrpe_agent_packages_'+ansible_distribution|lower+ansible_distribution_major_version|string)
)
}}
state: installed
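Review bot: The `ternary(...)` in "Install dependencies" evaluates both arguments, so `lookup('vars', 'nagios_nrpe_agent_packages_'+...)` runs even when `nagios_nrpe_agent_packages` is set. If no per-distro variable of that name has been loaded, the task fails with an undefined-variable error and the documented override does not help. Give the lookup a fallback, e.g. `lookup('vars', 'nagios_nrpe_agent_packages_'+ansible_distribution|lower+ansible_distribution_major_version|string, default=[])`. Separately, `name: >` keeps a trailing newline on the folded value; `name: >-` avoids passing it to the module.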
- name: Load {{ ansible_distribution }} {{ ansible_distribution_major_version }} variables
include_vars: "{{ file | basename }}" # This include_vars module is kind of dumb, so we need to test the full path but only include basename
with_first_found:
- files:
- "{{ role_path }}/vars/{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}.yml"
- "{{ role_path }}/vars/{{ ansible_distribution | lower }}.yml"
- "{{ role_path }}/vars/{{ ansible_os_family | lower }}.yml"
- "{{ role_path }}/vars/default.yml"
skip: true
---
# tasks file for ansible-role-nagios-nrpe-agent
- name: Load platform variables
include_vars: "{{ filename }}"
vars:
vars_files:
files:
- "{{ role_path }}/vars/{{ ansible_distribution | lower }}/\
{{ ansible_distribution_major_version }}.yml"
- "{{ role_path }}/vars/{{ ansible_distribution | lower }}/\
main.yml"
- "{{ role_path }}/vars/{{ ansible_os_family | lower }}/\
main.yml"
- "{{ role_path }}/vars/main.yml"
loop: "{{ q('first_found', vars_files, errors='ignore') }}"
loop_control:
loop_var: file
loop_var: filename
- name: Load {{ ansible_distribution }} {{ ansible_distribution_major_version }} dependencies
include_tasks: "{{ file }}"
with_first_found:
- files:
- "tasks/{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}-dependencies.yml"
- "tasks/{{ ansible_distribution | lower }}-dependencies.yml"
- "tasks/{{ ansible_os_family | lower }}-dependencies.yml"
- "tasks/default-dependencies.yml"
skip: true
- name: Load platform dependencies
vars:
tasks:
files:
- "{{ role_path }}/tasks/dependencies/\
{{ ansible_distribution | lower }}/\
{{ ansible_distribution_major_version }}.yml"
- "{{ role_path }}/tasks/dependencies/\
{{ ansible_distribution | lower }}/\
main.yml"
- "{{ role_path }}/tasks/dependencies/\
{{ ansible_os_family | lower }}.yml"
- "{{ role_path }}/tasks/dependencies/main.yml"
include_tasks: "{{ filename }}"
loop: "{{ q('first_found', tasks, errors='ignore') }}"
loop_control:
loop_var: file
loop_var: filename
- name: Install triumf mirror repo
import_role:
name: triumf-mirror-repo
- name: Install triumf nagios package dependencies
yum:
name:
- triumf-epel-release
- triumf-server
state: latest
become: yes
- name: Install triumf-nagios-client pkg
yum:
name: triumf-nagios-client
state: latest
update_cache: yes
become: yes
- name: Install nrpe config template
template:
src: "etc/nagios/nrpe.cfg.j2"
dest: >
{{ nagios_nrpe_agent_config_file_dest.startswith('/') |
ternary(
nagios_nrpe_agent_config_file_dest,
nagios_nrpe_agent_config_path + "/" + nagios_nrpe_agent_config_file_dest
)
}}
owner: "{{ nagios_nrpe_agent_config.nrpe_user | default(root) }}"
group: "{{ nagios_nrpe_agent_config.nrpe_group | default(root) }}"
mode: "0644"
- name: Install extra config files
template:
src: "{{ config_file }}.j2"
dest: "/etc/nrpe.d/{{ config_file | basename }}"
owner: root
group: root
mode: 0644
loop: "{{ extra_config_files }}"
src: "{{ config_file.src }}"
dest: >
{{ config_file.dest.startswith('/') |
ternary(
config_file.dest,
nagios_nrpe_agent_config_path + "/" + config_file.dest
)
}}
owner: "{{ nagios_nrpe_agent_config.nrpe_user | default(root) }}"
group: "{{ nagios_nrpe_agent_config.nrpe_group | default(root) }}"
mode: "0644"
loop: "{{ nagios_nrpe_agent_extra_config_files }}"
loop_control:
loop_var: config_file
register: nrpe_extra_cfg_file
notify:
- restart nrpe
become: yes
- name: Ensure nrpe has started
- name: Set nrpe service state
service:
name: nrpe
state: started
enabled: yes
when: ansible_virtualization_type != "docker" and nrpe_autostart
become: yes
- name: Restart nrpe if the config has changed
service:
name: nrpe
state: restarted
when: >
ansible_virtualization_type != "docker" and
nrpe_autostart and
nrpe_extra_cfg_file.changed
become: yes
state: "{{ nagios_nrpe_agent_service_state }}"
enabled: "{{ nagios_nrpe_agent_service_enabled }}"
tags:
- service
when:
- "ansible_service_mgr != 'sysvinit'"
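Review bot: Both template tasks now set `owner`/`group` from `nagios_nrpe_agent_config.nrpe_user | default(root)` where the previous version used `owner: root` and `group: root`. That makes the NRPE service account the owner of its own config, so a compromised plugin or daemon process can rewrite `allowed_hosts` or the command definitions. Keep the files root-owned with `owner: root` and `group: root`; the existing `mode: "0644"` still lets the daemon read them. If the variable form is kept, note that `default(root)` refers to an undefined variable named `root` rather than the string, and should read `default('root')`.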
#############################################################################
#
# NRPE Config File
#
# This file is was installed with Ansible and could be overwritten at any
# time, so please don't make changes to this file if you want them to
# persist!
#
#############################################################################
# LOG FACILITY
log_facility={{ log_facility }}
# LOG FILE
{% if log_file %}
log_file={{ log_file }}
{% endif %}