diff --git a/deployment_scripts/puppet/manifests/firewall.pp b/deployment_scripts/puppet/manifests/firewall.pp index 273ed18..8291249 100644 --- a/deployment_scripts/puppet/manifests/firewall.pp +++ b/deployment_scripts/puppet/manifests/firewall.pp @@ -12,46 +12,41 @@ # License for the specific language governing permissions and limitations # under the License. # -$plugin = hiera('lma_infrastructure_alerting') -$user_node_name = hiera('user_node_name') -if $plugin['node_name'] == $user_node_name { +class {'::firewall':} - class {'::firewall':} - - firewall { '000 accept all icmp requests': - proto => 'icmp', - action => 'accept', - } - - firewall { '001 accept all to lo interface': - proto => 'all', - iniface => 'lo', - action => 'accept', - } - - firewall { '002 accept related established rules': - proto => 'all', - state => ['RELATED', 'ESTABLISHED'], - action => 'accept', - } - - firewall {'020 ssh': - port => 22, - proto => 'tcp', - action => 'accept', - } - - firewall { '300 nagios cgi': - # Important: must match the $lma_infra_alerting::params::nagios_http_port - port => 8001, - proto => 'tcp', - action => 'accept', - } - - firewall { '999 drop all other requests': - proto => 'all', - chain => 'INPUT', - action => 'drop', - } +firewall { '000 accept all icmp requests': + proto => 'icmp', + action => 'accept', +} + +firewall { '001 accept all to lo interface': + proto => 'all', + iniface => 'lo', + action => 'accept', +} + +firewall { '002 accept related established rules': + proto => 'all', + state => ['RELATED', 'ESTABLISHED'], + action => 'accept', +} + +firewall {'020 ssh': + port => 22, + proto => 'tcp', + action => 'accept', +} + +firewall { '300 nagios cgi': + # Important: must match the $lma_infra_alerting::params::nagios_http_port + port => 8001, + proto => 'tcp', + action => 'accept', +} + +firewall { '999 drop all other requests': + proto => 'all', + chain => 'INPUT', + action => 'drop', } 
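Review bot: The `'300 nagios cgi'` and `'020 ssh'` rules accept TCP 8001 and 22 from any source address, so with the node-name guard gone the Nagios web interface is reachable from every network attached to whichever node receives this manifest. Consider limiting both rules to the management network with the firewall type's `source` parameter, e.g. `source => '<MANAGEMENT_CIDR>',` (a placeholder, since the manifest shows no variable for it). The `8001` literal must be kept in sync by hand with `$lma_infra_alerting::params::nagios_http_port`, as the comment above it says; referencing that variable would remove the drift risk, assuming the params class is loaded when this manifest is evaluated. The `'999 drop all other requests'` rule names only the `INPUT` chain and presumably uses the default IPv4 provider, so IPv6 filtering on this node should be checked separately.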
diff --git a/deployment_scripts/puppet/manifests/nagios.pp b/deployment_scripts/puppet/manifests/nagios.pp index 1c597be..7329b3a 100644 --- a/deployment_scripts/puppet/manifests/nagios.pp +++ b/deployment_scripts/puppet/manifests/nagios.pp 
@@ -43,139 +43,138 @@ if $storage_options['objects_ceph']{ $services['openstack.swift.status'] = true } -if $plugin['node_name'] == hiera('user_node_name') { - class { 'lma_infra_alerting': - openstack_deployment_name => $env_id, - openstack_management_vip => $management_vip, - additional_services => keys($services), - # UI password - password => $password, - } +class { 'lma_infra_alerting': + openstack_deployment_name => $env_id, + openstack_management_vip => $management_vip, + additional_services => keys($services), + # UI password + password => $password, +} - class { 'lma_infra_alerting::nagios::contact': - send_to => $send_to, - send_from => $send_from, - smtp_host => $smtp_host, - smtp_auth => $smtp_auth, - smtp_user => $smtp_user, - smtp_password => $smtp_password, - notify_warning => $notify_warning, - notify_critical => $notify_critical, - notify_recovery => $notify_recovery, - notify_unknown => $notify_unknown, - require => Class['lma_infra_alerting'], - } +class { 'lma_infra_alerting::nagios::contact': + send_to => $send_to, + send_from => $send_from, + smtp_host => $smtp_host, + smtp_auth => $smtp_auth, + smtp_user => $smtp_user, + smtp_password => $smtp_password, + notify_warning => $notify_warning, + notify_critical => $notify_critical, + notify_recovery => $notify_recovery, + notify_unknown => $notify_unknown, + require => Class['lma_infra_alerting'], +} - $nodes_hash = hiera('nodes', {}) - $primary_controller_nodes = filter_nodes($nodes_hash,'role','primary-controller') - $controller_nodes = filter_nodes($nodes_hash,'role','controller') - $all_controller_nodes = concat($primary_controller_nodes, $controller_nodes) +$nodes_hash = hiera('nodes', {}) +$primary_controller_nodes = filter_nodes($nodes_hash,'role','primary-controller') +$controller_nodes = filter_nodes($nodes_hash,'role','controller') +$all_controller_nodes = concat($primary_controller_nodes, $controller_nodes) - $compute_nodes = filter_nodes($nodes_hash,'role','compute') - $cinder_nodes = 
filter_nodes($nodes_hash,'role','cinder') - $base_os_nodes = filter_nodes($nodes_hash,'role','base-os') - $osd_nodes = filter_nodes($nodes_hash, 'role', 'ceph-osd') +$compute_nodes = filter_nodes($nodes_hash,'role','compute') +$cinder_nodes = filter_nodes($nodes_hash,'role','cinder') +$base_os_nodes = filter_nodes($nodes_hash,'role','base-os') +$osd_nodes = filter_nodes($nodes_hash, 'role', 'ceph-osd') - $all_nodes = {} - if !empty($all_controller_nodes){ - $all_nodes['controller'] = $all_controller_nodes - } +$all_nodes = {} +if !empty($all_controller_nodes){ + $all_nodes['controller'] = $all_controller_nodes +} - if !empty($compute_nodes){ - $all_nodes['compute'] = $compute_nodes - } - if !empty($cinder_nodes){ - $all_nodes['cinder'] = $cinder_nodes - } - if !empty($base_os_nodes){ - $all_nodes['base-os'] = $base_os_nodes - } - if !empty($osd_nodes){ - $all_nodes['ceph-osd'] = $osd_nodes - } +if !empty($compute_nodes){ + $all_nodes['compute'] = $compute_nodes +} +if !empty($cinder_nodes){ + $all_nodes['cinder'] = $cinder_nodes +} +if !empty($base_os_nodes){ + $all_nodes['base-os'] = $base_os_nodes +} +if !empty($osd_nodes){ + $all_nodes['ceph-osd'] = $osd_nodes +} - class { 'lma_infra_alerting::nagios::hosts': - hosts => $all_nodes, - host_name_key => 'name', - host_address_key => 'internal_address', - host_display_name_keys => ['name', 'user_node_name'], - host_custom_vars_keys => ['internal_address', 'private_address', - 'public_address', 'storage_address', - 'fqdn', 'role'], - require => Class[lma_infra_alerting], - } +class { 'lma_infra_alerting::nagios::hosts': + hosts => $all_nodes, + host_name_key => 'name', + host_address_key => 'internal_address', + host_display_name_keys => ['name', 'user_node_name'], + host_custom_vars_keys => ['internal_address', 'private_address', + 'public_address', 'storage_address', + 'fqdn', 'role'], + require => Class[lma_infra_alerting], +} - # Nodes have private IPs only with GRE segmentation - $network_config = 
hiera('quantum_settings') - $segmentation_type = $network_config['L2']['segmentation_type'] - if $segmentation_type == 'gre' { - $private_network = true - } else { - $private_network = false - } +# Nodes have private IPs only with GRE segmentation +$network_config = hiera('quantum_settings') +$segmentation_type = $network_config['L2']['segmentation_type'] +if $segmentation_type == 'gre' { + $private_network = true +} else { + $private_network = false +} - # Configure SSH checks - lma_infra_alerting::nagios::check_ssh { 'management': - hostgroups => keys($all_nodes), - require => Class[lma_infra_alerting], - } +# Configure SSH checks +lma_infra_alerting::nagios::check_ssh { 'management': + hostgroups => keys($all_nodes), + require => Class[lma_infra_alerting], +} - lma_infra_alerting::nagios::check_ssh { 'storage': +lma_infra_alerting::nagios::check_ssh { 'storage': + hostgroups => keys($all_nodes), + custom_var_address => 'storage_address', + require => Class[lma_infra_alerting], +} + +if $private_network { + lma_infra_alerting::nagios::check_ssh { 'private': hostgroups => keys($all_nodes), - custom_var_address => 'storage_address', + custom_var_address => 'private_address', require => Class[lma_infra_alerting], } +} - if $private_network { - lma_infra_alerting::nagios::check_ssh { 'private': - hostgroups => keys($all_nodes), - custom_var_address => 'private_address', - require => Class[lma_infra_alerting], - } +# Configure Grafana and InfluxDB checks +$influxdb_grafana = hiera('influxdb_grafana', {}) +$influxdb_node_name = $influxdb_grafana['node_name'] +$influxdb_nodes = filter_nodes(hiera('nodes'), 'user_node_name', $influxdb_node_name) +if ! 
empty($influxdb_nodes){ + lma_infra_alerting::nagios::check_http { 'Grafana': + host_name => $influxdb_nodes[0]['name'], + port => $lma_infra_alerting::params::grafana_port, + url => '/login', + custom_var_address => 'internal_address', + string_expected_in_content => 'grafana', } - - # Configure Grafana and InfluxDB checks - $influxdb_grafana = hiera('influxdb_grafana', {}) - $influxdb_node_name = $influxdb_grafana['node_name'] - $influxdb_nodes = filter_nodes(hiera('nodes'), 'user_node_name', $influxdb_node_name) - if ! empty($influxdb_nodes){ - lma_infra_alerting::nagios::check_http { 'Grafana': - host_name => $influxdb_nodes[0]['name'], - port => $lma_infra_alerting::params::grafana_port, - url => '/login', - custom_var_address => 'internal_address', - string_expected_in_content => 'grafana', - } - lma_infra_alerting::nagios::check_http { 'InfluxDB': - host_name => $influxdb_nodes[0]['name'], - port => $lma_infra_alerting::params::influxdb_port, - url => '/ping', - custom_var_address => 'internal_address', - string_expected_in_status => '204 No Content', - string_expected_in_headers => 'X-Influxdb-Version', - } - } - - # Configure Elasticsearch and Kibana checks - $es_kibana = hiera('elasticsearch_kibana', {}) - $es_node_name = $es_kibana['node_name'] - $es_kibana_nodes = filter_nodes(hiera('nodes'), 'user_node_name', $es_node_name) - if ! 
empty($es_kibana_nodes){ - lma_infra_alerting::nagios::check_http { 'Kibana': - host_name => $es_kibana_nodes[0]['name'], - port => $lma_infra_alerting::params::kibana_port, - url => '/', - custom_var_address => 'internal_address', - string_expected_in_content => 'Kibana 3', - } - - lma_infra_alerting::nagios::check_http { 'Elasticsearch': - host_name => $es_kibana_nodes[0]['name'], - port => $lma_infra_alerting::params::elasticserach_port, - url => '/', - custom_var_address => 'internal_address', - string_expected_in_content => '"status" : 200', - } + lma_infra_alerting::nagios::check_http { 'InfluxDB': + host_name => $influxdb_nodes[0]['name'], + port => $lma_infra_alerting::params::influxdb_port, + url => '/ping', + custom_var_address => 'internal_address', + string_expected_in_status => '204 No Content', + string_expected_in_headers => 'X-Influxdb-Version', } } + +# Configure Elasticsearch and Kibana checks +$es_kibana = hiera('elasticsearch_kibana', {}) +$es_node_name = $es_kibana['node_name'] +$es_kibana_nodes = filter_nodes(hiera('nodes'), 'user_node_name', $es_node_name) +if ! empty($es_kibana_nodes){ + lma_infra_alerting::nagios::check_http { 'Kibana': + host_name => $es_kibana_nodes[0]['name'], + port => $lma_infra_alerting::params::kibana_port, + url => '/', + custom_var_address => 'internal_address', + string_expected_in_content => 'Kibana 3', + } + + lma_infra_alerting::nagios::check_http { 'Elasticsearch': + host_name => $es_kibana_nodes[0]['name'], + port => $lma_infra_alerting::params::elasticserach_port, + url => '/', + custom_var_address => 'internal_address', + string_expected_in_content => '"status" : 200', + } +} + diff --git a/deployment_tasks.yaml b/deployment_tasks.yaml new file mode 100644 index 0000000..3c83f1e --- /dev/null +++ b/deployment_tasks.yaml 
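Review bot: The Grafana/InfluxDB and Kibana/Elasticsearch checks are skipped without any message when `filter_nodes(hiera('nodes'), 'user_node_name', ...)` returns an empty list, so a misnamed or missing node leaves those services unmonitored with nothing in the Puppet run to show it. The lookups are still keyed on `$influxdb_grafana['node_name']` and `$es_kibana['node_name']`, the same kind of attribute this commit removes from this plugin's own environment_config.yaml. If the sibling plugins move to roles as well (not visible here), both values become undef and the checks would silently disappear. An `else` branch such as `else { warning('no InfluxDB/Grafana node found, HTTP checks not configured') }` would make the gap visible. Both lookups could also reuse `$nodes_hash` instead of calling `hiera('nodes')` again without a default, and the spelling of `$lma_infra_alerting::params::elasticserach_port` should be checked against the params class, which is outside this hunk.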
@@ -0,0 +1,13 @@ +- id: infrastructure_alerting + type: group + role: [infrastructure_alerting] + tasks: + - hiera + - globals + - logging + - netconfig + required_for: [deploy_end] + requires: [deploy_start] + parameters: + strategy: + type: parallel diff --git a/environment_config.yaml b/environment_config.yaml index 1d79fad..d9edf6f 100644 --- a/environment_config.yaml +++ b/environment_config.yaml @@ -1,21 +1,13 @@ attributes: - node_name: - value: 'alerting' - label: "Node name" - description: 'The name of the node where the plugin will be deployed.' - weight: 30 - type: "text" - regex: ¬_empty - source: '\S' - error: "Invalid value" - nagios_password: value: 'r00tme' label: 'Nagios HTTP password' description: 'The password to access the Nagios Web Interface (username: "nagiosadmin")' weight: 42 type: "password" - regex: *not_empty + regex: + source: '\S' + error: "Invalid value" send_to: value: '' diff --git a/node_roles.yaml b/node_roles.yaml new file mode 100644 index 0000000..456c96d --- /dev/null +++ b/node_roles.yaml @@ -0,0 +1,13 @@ +infrastructure_alerting: + name: 'LMA Infrastructure Alerting' + description: 'Install services for the infrastructure alerting' + has_primary: false + public_ip_required: false + weight: 100 + limits: + max: 1 + conflicts: + - controller + - compute + - cinder + - ceph-osd diff --git a/tasks.yaml b/tasks.yaml index a7d1d77..cafcb52 100644 --- a/tasks.yaml +++ b/tasks.yaml 
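Review bot: The inlined `regex` for `nagios_password` in environment_config.yaml only requires one non-whitespace character (`source: '\S'`), and the attribute keeps the well-known default `value: 'r00tme'`. A deployment that leaves the field untouched therefore puts the Nagios web interface (user `nagiosadmin`) behind a guessable password. Shipping `value: ''` would make the existing validation force the operator to choose a password, and a stricter pattern such as `source: '^\S{8,}$'` with a matching `error` text would reject trivial ones. Whether the settings UI's regex dialect accepts that pattern should be confirmed before adopting it.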
@@ -1,24 +1,16 @@ -# TODO: check environment coherence # The following tasks are executed in the order they are declared -- role: ['base-os'] - stage: post_deployment/8100 - type: puppet - parameters: - puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/netconfig/netconfig.pp - puppet_modules: /etc/puppet/modules - timeout: 720 - -# The following tasks are executed in the order they are declared -- role: ['base-os'] - stage: post_deployment/8100 +# Priorities are important, this ensure that this plugin is deployed after +# LMA Collector, InfluxDB and Elasticsearch. +- role: [infrastructure_alerting] + stage: post_deployment/8101 type: puppet parameters: puppet_manifest: puppet/manifests/firewall.pp puppet_modules: /etc/puppet/modules timeout: 600 -- role: ['base-os'] - stage: post_deployment/8100 +- role: [infrastructure_alerting] + stage: post_deployment/8101 type: puppet parameters: puppet_manifest: puppet/manifests/nagios.pp