From 9c9590a1ab293e32707f9177414f0d7a46c4d1f5 Mon Sep 17 00:00:00 2001 From: Pavlos Daoglou Date: Mon, 28 Mar 2016 16:37:56 +0300 Subject: [PATCH] ARGO-389 ansible and nagios configs Added template for apache ssl configuration Added conditional for apache ssl configuration with default option. Changed soft link dir --- group_vars/monitoring_engine | 1 + private_files | 1 + roles/monitoring_engine/defaults/main.yml | 14 ++-- roles/monitoring_engine/tasks/main.yml | 74 ++++++++++++++++--- .../templates/argo-msg-cache.conf.j2 | 2 +- roles/monitoring_engine/templates/cgi.cfg.j2 | 1 + .../templates/nagios_apache.conf.j2 | 1 + .../templates/ncg.conf.eudat.j2 | 2 +- roles/monitoring_engine/templates/ncg.conf.j2 | 11 +-- roles/monitoring_engine/templates/ssl.conf.j2 | 1 + roles/repos/tasks/main.yml | 2 +- 11 files changed, 83 insertions(+), 27 deletions(-) create mode 120000 private_files create mode 100644 roles/monitoring_engine/templates/nagios_apache.conf.j2 create mode 100644 roles/monitoring_engine/templates/ssl.conf.j2 diff --git a/group_vars/monitoring_engine b/group_vars/monitoring_engine index 9ddf7bb..fb2eac8 100644 --- a/group_vars/monitoring_engine +++ b/group_vars/monitoring_engine @@ -1,6 +1,7 @@ --- cert_path: /etc/pki/tls/certs/localhost.crt key_path: /etc/pki/tls/private/localhost.key +ca_path: /etc/pki/tls/certs/ca-bundle.crt iptables_rules: input: diff --git a/private_files b/private_files new file mode 120000 index 0000000..c8c1fb9 --- /dev/null +++ b/private_files @@ -0,0 +1 @@ +../private_files \ No newline at end of file diff --git a/roles/monitoring_engine/defaults/main.yml b/roles/monitoring_engine/defaults/main.yml index 62f29af..cfd5431 100644 --- a/roles/monitoring_engine/defaults/main.yml +++ b/roles/monitoring_engine/defaults/main.yml @@ -2,6 +2,7 @@ nagios_components: - { name: argo-ncg , repo: argo-prod } - { name: argo-msg-nagios , repo: argo-prod } + - { name: perl-Crypt-SSLeay , repo: "" } ## NCG vars ## nagios_server: localhost 
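Review bot: The new `ca_path` in `group_vars/monitoring_engine` points at the OS-wide bundle `/etc/pki/tls/certs/ca-bundle.crt`, and nothing visible in this diff consumes it — presumably the private `ssl.conf.j2` this commit starts including. If it ends up as `SSLCACertificateFile` for verifying the client certificates whose DNs are listed in `authorized_for_all_service_commands` / `authorized_for_all_host_commands`, every CA in the system bundle becomes an acceptable issuer for Nagios command authorisation; the EGI trust anchors the repos role installs (kept current by fetch-crl) are the narrower trust root for that purpose. A one-line comment above the key naming the Apache directive it feeds, e.g. `# handed to ssl.conf.j2 as the CA file for client-cert verification`, would make the intent reviewable.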
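Review bot: The new `perl-Crypt-SSLeay` entry in `nagios_components` sets `repo: ""`, which the `Install NCG and MSG conponents` task expands to `enablerepo=` with an empty value; the yum module appears to tolerate an empty `enablerepo`, but the entry reads as an unfinished edit next to the two `argo-prod` entries. If the package intentionally comes from the base repositories, say so with a comment on the line (`# from base repos, no extra repo needed`) or let the task drop the argument when the repo is empty, e.g. `enablerepo={{ item.repo | default(omit, true) }}`.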
@@ -17,7 +18,7 @@ include_empty_hosts: "0" enable_notifications: "0" local_metric_store: "0" check_hosts: "0" -tenant_name: TENANT_A +tenant_name: tenant_a poem_root_url: http://localhost/poem include_proxy_checks: "0" include_msg_checks_recv: "0" @@ -25,11 +26,11 @@ backup_instance: "false" ## CGI vars ## authorized_for_all_service_commands: - - /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=SomeCN_1 - - /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=SomeCN_2 + - "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=SomeCN_1" + - "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=SomeCN_2" authorized_for_all_host_commands: - - /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=SomeCN_1 - - /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=SomeCN_2 + - "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=SomeCN_1" + - "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=SomeCN_2" ## Nagios.cfg vars ## host_perfdata_file_processing_command: ncg-process-host-perfdata-file @@ -49,5 +50,6 @@ process_performance_data: "1" ## Other vars ca_bundle_install: false - +configure_apache_ssl: false +configure_nagios_apache: false diff --git a/roles/monitoring_engine/tasks/main.yml b/roles/monitoring_engine/tasks/main.yml index d1ebfca..0dd7ded 100644 --- a/roles/monitoring_engine/tasks/main.yml +++ b/roles/monitoring_engine/tasks/main.yml 
@@ -2,65 +2,71 @@ - name: Install Nagios yum: name=nagios state=latest enablerepo=nagios + tags: install - name: Install pnp4nagios yum: name=pnp4nagios state=latest + tags: install - name: Install Apache and mod_ssl yum: name={{ item }} state=latest with_items: - httpd - mod_ssl + tags: install - name: Install fetch-crl yum: name=fetch-crl state=latest when: ca_bundle_install + tags: install - name: Install NCG and MSG conponents yum: name={{ item.name }} state=latest enablerepo={{ item.repo }} with_items: nagios_components + tags: install - name: Install Nagios plugins yum: name={{ item.name }} state=latest enablerepo={{ item.repo }} with_items: nagios_plugins - -- name: Install Nagios UMD plugins - yum: name={{ item }} state=latest - with_items: nagios_plugins_umd - when: nagios_plugins_umd is defined + tags: install - name: Copy nagios.cfg file template: src=nagios.cfg.j2 dest=/etc/nagios/nagios.cfg owner=nagios group=nagios mode=0644 notify: reload nagios + tags: config - name: Copy cgi.cfg file template: src=cgi.cfg.j2 dest=/etc/nagios/cgi.cfg owner=nagios group=nagios mode=0644 notify: reload nagios + tags: config #FIXME: Make this tenant unaware - name: Copy ncg.conf file for EGI template: src=ncg.conf.j2 dest=/etc/argo-ncg/ncg.conf owner=root group=root - when: tenant_name == "EGI" + when: tenant_name|lower == "egi" notify: reload nagios + tags: config - name: Copy ncg.conf file for EUDAT template: src=ncg.conf.eudat.j2 dest=/etc/ncg/ncg.conf owner=root group=root - when: tenant_name == "EUDAT" + when: tenant_name|lower == "eudat" notify: reload nagios + tags: config - name: Copy argo-voms-htpasswd.conf file template: src=argo-voms-htpasswd.conf.j2 dest=/etc/argo-voms-htpasswd/argo-voms-htpasswd.conf owner=root group=root when: voms_htpasswd is defined + tags: config #FIXME: Temp workaround for tenants without BDII infrastructure. - name: Copy broker-list file 
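Review bot: The `Install Nagios UMD plugins` task is deleted in this hunk, but neither the commit message nor a comment explains why; any inventory that still sets `nagios_plugins_umd` will silently stop installing those packages, since the variable is no longer read anywhere in the role. If those packages now arrive via `nagios_plugins` or `nagios_components`, a comment at that spot such as `# UMD plugins are now listed in nagios_plugins` (or a line in the commit message) would spare the next reader a bisect. The task list continues past the end of the hunk.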
@@ -68,6 +74,7 @@ dest=/var/cache/msg/broker-cache-file/broker-list owner=root group=root mode=0644 when: broker_host is defined + tags: config ## - name: Copy argo-msg-cache file @@ -75,12 +82,21 @@ dest=/etc/argo-msg-cache.conf owner=root group=root when: lcg_gfal_infosys is defined and broker_network is defined + tags: config + +- name: Create unicore log dir + file: path=/var/log/unicore + state=directory + owner=nagios group=nagios mode=0755 + when: enable_unicore_probes is defined and enable_unicore_probes == "1" + tags: config - name: Create vomses dir -- file: path=/etc/vomses + file: path=/etc/vomses state=directory owner=root group=root mode=0755 when: vomses is defined + tags: config - name: Copy vomses files template: src=vomses.j2 
@@ -88,56 +104,92 @@ owner=root group=root mode=0644 when: vomses is defined with_items: vomses + tags: config - name: Create voms lsc dir -- file: path=/etc/grid-security/vomsdir/{{ item.vo }} + file: path=/etc/grid-security/vomsdir/{{ item.vo }} state=directory owner=root group=root mode=0755 when: vomses is defined with_items: vomses + tags: config - name: Create voms lsc files -- template: src=voms_lsc.j2 + template: src=voms_lsc.j2 dest=/etc/grid-security/vomsdir/{{ item.vo }}/{{ item.server }}.lsc owner=root group=root mode=0644 when: vomses is defined with_items: vomses + tags: config - name: Create sha checksum for dashboard config shell: echo -n {{ nagios_server }} | sha1sum | cut -f1 -d' ' register: sha + tags: config - name: Create dashboard config for msg-to-handler template: src=dashboard.conf.j2 dest=/etc/msg-to-handler.d/DASHBOARD.conf owner=root group=root mode=0644 when: send_to_dashboard is defined and send_to_dashboard == "1" + tags: config - name: Create apel config for msg-to-handler template: src=apel.conf.j2 dest=/etc/msg-to-handler.d/APEL.conf owner=root group=root mode=0644 when: send_to_apel is defined and send_to_apel == "1" + tags: config + +- name: Create a cron job to restart apache + cron: name=restart_httpd + user="root" + minute="53" hour="2,8,14,20" + job="( /sbin/service httpd status && /sbin/service httpd graceful ) > /dev/null 2>&1" + when: ca_bundle_install + tags: config + +- name: create apache nagios conf + template: src=nagios_apache.conf.j2 + dest=/etc/httpd/conf.d/nagios.conf + owner=root group=root mode=0644 + notify: reload httpd + when: configure_nagios_apache + tags: config + +- name: create apache ssl conf + template: src=ssl.conf.j2 + dest=/etc/httpd/conf.d/ssl.conf + owner=root group=root mode=0644 + notify: reload httpd + when: configure_apache_ssl + tags: config - name: Enable nagios and httpd on boot and start service service: name={{ item }} state=started enabled=yes with_items: - nagios - httpd + tags: config 
- name: Start fetch-crl cron service: name=fetch-crl-cron state=started enabled=yes when: ca_bundle_install + tags: config - name: Start fetch-crl boot service: name=fetch-crl-boot state=started enabled=no when: ca_bundle_install ignore_errors: yes + tags: config - name: Enable argo-voms-htpasswd on boot and start service service: name=argo-voms-htpasswd state=started enabled=yes when: voms_htpasswd is defined + tags: config - name: Enable argo-msg-cache on boot and start service service: name=argo-msg-cache state=started enabled=yes - when: lcg_gfal_infosys is defined \ No newline at end of file + when: lcg_gfal_infosys is defined + tags: config + diff --git a/roles/monitoring_engine/templates/argo-msg-cache.conf.j2 b/roles/monitoring_engine/templates/argo-msg-cache.conf.j2 index cf47988..98ea2bb 100644 --- a/roles/monitoring_engine/templates/argo-msg-cache.conf.j2 +++ b/roles/monitoring_engine/templates/argo-msg-cache.conf.j2 @@ -9,4 +9,4 @@ LCG_GFAL_INFOSYS={% for bdii in lcg_gfal_infosys %}{{ bdii }}{% if not loop.last %},{% endif %}{% endfor %} # BROKER_NETWORK=PROD -BROKER_NETWORK={{ broker_network }} \ No newline at end of file +BROKER_NETWORK={{ broker_network }} diff --git a/roles/monitoring_engine/templates/cgi.cfg.j2 b/roles/monitoring_engine/templates/cgi.cfg.j2 index f056a23..d2e95a6 100644 --- a/roles/monitoring_engine/templates/cgi.cfg.j2 +++ b/roles/monitoring_engine/templates/cgi.cfg.j2 @@ -168,6 +168,7 @@ authorized_for_all_hosts=* # user who has authenticated to the web server. authorized_for_all_service_commands={% for dn in authorized_for_all_service_commands %}{{ dn }}{% if not loop.last %},{% endif %}{% endfor %} + authorized_for_all_host_commands={% for dn in authorized_for_all_host_commands %}{{ dn }}{% if not loop.last %},{% endif %}{% endfor %} diff --git a/roles/monitoring_engine/templates/nagios_apache.conf.j2 b/roles/monitoring_engine/templates/nagios_apache.conf.j2 new file mode 100644 index 0000000..072bb8a --- /dev/null 
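Review bot: Both new template tasks, `create apache nagios conf` and `create apache ssl conf`, notify `reload httpd`, but this commit adds no such handler and the role's handlers file is not part of the diff; unless it already defines one alongside `reload nagios`, the play aborts when the handler is looked up. The new `Create a cron job to restart apache` task also carries no explanation for bouncing Apache four times a day — it is gated on `ca_bundle_install`, so presumably it exists so mod_ssl picks up CRLs refreshed by fetch-crl, and a comment like `# graceful restart so mod_ssl re-reads CRLs refreshed by fetch-crl` would record that. Separately, `Enable argo-msg-cache on boot and start service` now runs on `lcg_gfal_infosys is defined` alone, while the task that writes its config additionally requires `broker_network is defined`, so the service can be started without its config file; giving both tasks the same condition closes that gap.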
+++ b/roles/monitoring_engine/templates/nagios_apache.conf.j2 @@ -0,0 +1 @@ +{% include "private_files/" + ansible_fqdn + "/files/etc/httpd/conf.d/nagios.conf" %} \ No newline at end of file diff --git a/roles/monitoring_engine/templates/ncg.conf.eudat.j2 b/roles/monitoring_engine/templates/ncg.conf.eudat.j2 index 38b69ae..5b411de 100644 --- a/roles/monitoring_engine/templates/ncg.conf.eudat.j2 +++ b/roles/monitoring_engine/templates/ncg.conf.eudat.j2 @@ -35,7 +35,7 @@ BACKUP_INSTANCE = {{ backup_instance }} INCLUDE_EMPTY_HOSTS = {{ include_empty_hosts }} ENABLE_NOTIFICATIONS = {{ enable_notifications }} CHECK_HOSTS = {{ check_hosts }} - TENANT = {{ tenant_name }} + TENANT = {{ tenant_name|lower }} diff --git a/roles/monitoring_engine/templates/ncg.conf.j2 b/roles/monitoring_engine/templates/ncg.conf.j2 index b01094a..ed1ed63 100644 --- a/roles/monitoring_engine/templates/ncg.conf.j2 +++ b/roles/monitoring_engine/templates/ncg.conf.j2 @@ -14,12 +14,9 @@ VO = {{ vo }} ENABLE_UNICORE_PROBES= {{ enable_unicore_probes }} MYPROXY_SERVER = {{ myproxy_server }} -BACKUP_INSTANCE = {{ backup_instance }} - GOCDB_ROOT_URL={{ gocdb_root_url }} - CERT_STATUS={{ cert_status }} ENABLE_UNICORE_PROBES=$ENABLE_UNICORE_PROBES @@ -61,10 +58,10 @@ BACKUP_INSTANCE = {{ backup_instance }} ENABLE_UNICORE_PROBES=$ENABLE_UNICORE_PROBES BDII_HOST={{ bdii_host }} INCLUDE_PROXY_CHECKS = {{ include_proxy_checks }} - LOCAL_METRIC_STORE = {{ local_metric_store }} LDAP_ADDRESS={{ bdii_host }} + BDII_LEVEL={{ bdii_level }} DB_FILE=/etc/argo-ncg/ncg.localdb @@ -74,12 +71,12 @@ BACKUP_INSTANCE = {{ backup_instance }} - NAGIOS_ROLE = {{ nagios_role }} + NAGIOS_ROLE = {{ nagios_role|lower }} INCLUDE_EMPTY_HOSTS = {{ include_empty_hosts }} ENABLE_NOTIFICATIONS = {{ enable_notifications }} SEND_TO_DASHBOARD = {{ send_to_dashboard }} CHECK_HOSTS = {{ check_hosts }} - TENANT = {{ tenant_name }} + TENANT = {{ tenant_name|lower }} 
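Review bot: The include path in `nagios_apache.conf.j2` is built from `ansible_fqdn`, a fact reported by the managed host, so the target rather than the inventory decides which file on the controller is rendered into `/etc/httpd/conf.d/nagios.conf`; `inventory_hostname` is controller-owned and is the usual key for per-host private files. The new `ssl.conf.j2` further down uses the same construction. Both includes also depend on the `private_files` symlink added at the repository root resolving against the playbook directory on the controller, and a missing checkout of that directory only surfaces as a Jinja include error at template time; a short comment above the include naming that layout requirement, e.g. `{# expects ../private_files/<host>/files/... next to the playbook #}`, would help.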
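Review bot: `BDII_LEVEL={{ bdii_level }}` in the `@@ -61,10 +58,10 @@` hunk of `ncg.conf.j2` introduces a new template variable, but the `defaults/main.yml` hunks in this same commit add only `configure_apache_ssl` and `configure_nagios_apache`, so unless `bdii_level` is set in inventory or group_vars outside this diff the EGI template fails to render with an undefined-variable error. Either add a default next to the other NCG vars in `defaults/main.yml` or guard the line with `{% if bdii_level is defined %}`. The surrounding ncg.conf section starts and ends outside the hunk.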
@@ -90,7 +87,7 @@ BACKUP_INSTANCE = {{ backup_instance }} POEM_ROOT_URL = {{ poem_root_url }} - POEM_PROFILES = {% for poem in poem_profiles %}{{ poem }}{% if not loop.last %},{% endif %}{% endfor %} + POEM_PROFILES = {% for poem in poem_profiles %}{{ poem|upper }}{% if not loop.last %},{% endif %}{% endfor %} diff --git a/roles/monitoring_engine/templates/ssl.conf.j2 b/roles/monitoring_engine/templates/ssl.conf.j2 new file mode 100644 index 0000000..4990266 --- /dev/null +++ b/roles/monitoring_engine/templates/ssl.conf.j2 @@ -0,0 +1 @@ +{% include "private_files/" + ansible_fqdn + "/templates/ssl.conf.j2" %} \ No newline at end of file diff --git a/roles/repos/tasks/main.yml b/roles/repos/tasks/main.yml index 0890ff9..62a5ce7 100644 --- a/roles/repos/tasks/main.yml +++ b/roles/repos/tasks/main.yml @@ -24,7 +24,7 @@ copy: src=etc/yum.repos.d/EGI-trustanchors.repo dest=/etc/yum.repos.d/EGI-trustanchors.repo backup=no owner=root group=root mode=0644 - when: inventory_hostname in groups.standalone or inventory_hostname in groups.webui + when: inventory_hostname in groups.standalone or inventory_hostname in groups.webui or ca_bundle_install==true - name: Install cloudera-cdh5 repo tags: cloudera-cdh5_repo -- GitLab
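Review bot: The new `ca_bundle_install==true` clause in the `repos` role's `when` relies on a variable that is declared as a default of the `monitoring_engine` role, not of `repos`; on any host where that role is not in the play and which is also in neither `standalone` nor `webui`, the expression reaches an undefined variable and the task errors instead of being skipped. Comparing against the literal `true` also misses inventories that set the value as the string `"true"`. `when: inventory_hostname in groups.standalone or inventory_hostname in groups.webui or (ca_bundle_install | default(false) | bool)` covers both cases.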