Ensure the friendly coexistence with other Fuel plugins
* use hard-coded HTTP port 8001 to allow coexistence with other Fuel plugins
* use the Apache Puppet module to configure the VirtualHost

implements blueprint lma-infra-alerting-plugin
Change-Id: Id82ef1a580d4e39f3dd207b725900d70570ba539
parent
ead82e25c3
commit
0339412735
|
@ -0,0 +1,57 @@
|
|||
# Copyright 2015 Mirantis, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
$plugin = hiera('lma_infrastructure_alerting')
|
||||
$user_node_name = hiera('user_node_name')
|
||||
|
||||
if $plugin['node_name'] == $user_node_name {
|
||||
|
||||
class {'::firewall':}
|
||||
|
||||
firewall { '000 accept all icmp requests':
|
||||
proto => 'icmp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall { '001 accept all to lo interface':
|
||||
proto => 'all',
|
||||
iniface => 'lo',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall { '002 accept related established rules':
|
||||
proto => 'all',
|
||||
state => ['RELATED', 'ESTABLISHED'],
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall {'020 ssh':
|
||||
port => 22,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall { '300 nagios cgi':
|
||||
# Important: must match the $lma_infra_alerting::params::nagios_http_port
|
||||
port => 8001,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall { '999 drop all other requests':
|
||||
proto => 'all',
|
||||
chain => 'INPUT',
|
||||
action => 'drop',
|
||||
}
|
||||
}
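Review bot: Rules `020 ssh` and `300 nagios cgi` use `port`, which in puppetlabs-firewall is the deprecated match on source or destination port, so a TCP packet whose source port is 22 or 8001 is accepted on any destination port before the `999` drop rule is reached. Use `dport => 22` and `dport => 8001` instead. Neither rule sets `source`, so SSH and the Nagios UI are reachable from every network the node is attached to; if the management network is available from hiera, restrict both rules to it.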
|
|
@ -18,7 +18,6 @@
|
|||
class lma_infra_alerting (
|
||||
$openstack_management_vip = undef,
|
||||
$openstack_deployment_name = '',
|
||||
$user = $lma_infra_alerting::params::nagios_http_user,
|
||||
$password = $lma_infra_alerting::params::nagios_http_password,
|
||||
$additional_services = [],
|
||||
$contact_email = $lma_infra_alerting::params::nagios_contact_email,
|
||||
|
@ -38,7 +37,6 @@ class lma_infra_alerting (
|
|||
|
||||
# Install and configure nagios server
|
||||
class { 'lma_infra_alerting::nagios':
|
||||
http_user => $user,
|
||||
http_password => $password,
|
||||
}
|
||||
|
||||
|
|
|
@ -20,6 +20,7 @@
|
|||
class lma_infra_alerting::nagios (
|
||||
$http_user = $lma_infra_alerting::params::nagios_http_user,
|
||||
$http_password = $lma_infra_alerting::params::nagios_http_password,
|
||||
$http_port = $lma_infra_alerting::params::nagios_http_port,
|
||||
) inherits lma_infra_alerting::params {
|
||||
|
||||
class { '::nagios':
|
||||
|
@ -40,7 +41,9 @@ class lma_infra_alerting::nagios (
|
|||
}
|
||||
|
||||
class { '::nagios::cgi':
|
||||
cgi_user => $http_user,
|
||||
cgi_password => $http_password,
|
||||
user => $http_user,
|
||||
password => $http_password,
|
||||
http_port => $http_port,
|
||||
require => Class[nagios],
|
||||
}
|
||||
}
|
||||
|
|
|
@ -18,6 +18,7 @@ class lma_infra_alerting::params {
|
|||
#
|
||||
$nagios_http_user = 'nagiosadmin'
|
||||
$nagios_http_password = ''
|
||||
$nagios_http_port = 8001
|
||||
$nagios_cmd_check_ssh = 'check_ssh'
|
||||
|
||||
$nagios_contactgroup = 'openstack'
|
||||
|
|
|
@ -17,61 +17,75 @@
|
|||
# Install and configure Nagios web interface
|
||||
#
|
||||
class nagios::cgi (
|
||||
$cgi_user = $nagios::params::cgi_user,
|
||||
$cgi_password = $nagios::params::cgi_password,
|
||||
$cgi_htpasswd_file = $nagios::params::cgi_htpasswd_file,
|
||||
){
|
||||
$user = $nagios::params::cgi_user,
|
||||
$password = $nagios::params::cgi_password,
|
||||
$htpasswd_file = $nagios::params::cgi_htpasswd_file,
|
||||
$http_port = $nagios::params::cgi_http_port,
|
||||
$vhost_listen_ip = '*',
|
||||
) inherits nagios::params {
|
||||
|
||||
include nagios::params
|
||||
#TODO: use apache puppet module
|
||||
$apache_service_name = $nagios::params::apache_service_name
|
||||
|
||||
$package_name = $nagios::params::nagios_cgi_package
|
||||
package { $package_name:
|
||||
ensure => present,
|
||||
## Configure apache
|
||||
class { 'apache':
|
||||
# be good citizen by not erasing other configurations
|
||||
purge_configs => false,
|
||||
default_confd_files => false,
|
||||
default_vhost => false,
|
||||
# prerequists for Nagios CGI
|
||||
mpm_module => 'prefork',
|
||||
default_mods => ['php', 'cgi'],
|
||||
# allow to use the Puppet user resource later in the manifest
|
||||
manage_group => false,
|
||||
manage_user => false,
|
||||
}
|
||||
|
||||
# Configure apache
|
||||
# TODO http port and vhost
|
||||
package {$apache_service_name:
|
||||
ensure => present,
|
||||
apache::listen { $http_port: }
|
||||
|
||||
# Template uses these variables: http_port, vhost_listen_ip, cgi_htpasswd_file
|
||||
apache::custom_config { 'nagios':
|
||||
content => template("nagios/${nagios::params::apache_vhost_config_tpl}"),
|
||||
}
|
||||
|
||||
service {$apache_service_name:
|
||||
ensure => running,
|
||||
require => Package[$apache_service_name],
|
||||
}
|
||||
case $::osfamily {
|
||||
'Debian': {
|
||||
# Nagios CGI is provided by a dedicated package
|
||||
$package_name = $nagios::params::nagios_cgi_package
|
||||
package { $package_name:
|
||||
ensure => present,
|
||||
require => Class[apache],
|
||||
}
|
||||
htpasswd { $user:
|
||||
# TODO randomize salt?
|
||||
cryptpasswd => ht_md5($password, 'salt'),
|
||||
target => $htpasswd_file,
|
||||
require => Package[$package_name],
|
||||
}
|
||||
|
||||
# TODO: update cgi config to allow this specific user to access UI
|
||||
htpasswd { $cgi_user:
|
||||
# TODO randomize salt?
|
||||
cryptpasswd => ht_md5($cgi_password, 'salt'),
|
||||
target => $cgi_htpasswd_file,
|
||||
# notify => Service[$apache_service_name],
|
||||
require => Package[$package_name],
|
||||
}
|
||||
# Fix a permission issue with Ubuntu
|
||||
# to allow using external commands through the web UI
|
||||
$apache_user = $apache::user
|
||||
user { $apache_user:
|
||||
groups => 'nagios',
|
||||
require => Class[apache],
|
||||
}
|
||||
file { '/var/lib/nagios3/rw':
|
||||
ensure => directory,
|
||||
mode => '0650',
|
||||
require => Package[$package_name],
|
||||
}
|
||||
|
||||
# TODO: CentOS compatibility
|
||||
$apache_user = 'www-data'
|
||||
|
||||
user { $apache_user:
|
||||
groups => 'nagios',
|
||||
require => Package[$apache_service_name],
|
||||
}
|
||||
|
||||
# fix a permission issue with Ubuntu
|
||||
# TODO: CentOS compatibility
|
||||
file { '/var/lib/nagios3/rw':
|
||||
ensure => directory,
|
||||
mode => '0650',
|
||||
require => Package[$package_name],
|
||||
}
|
||||
|
||||
file { $cgi_htpasswd_file:
|
||||
owner => root,
|
||||
group => $apache_user,
|
||||
mode => '0640',
|
||||
require => Htpasswd[$cgi_user],
|
||||
file { $cgi_htpasswd_file:
|
||||
owner => root,
|
||||
group => $apache_user,
|
||||
mode => '0640',
|
||||
require => Htpasswd[$user],
|
||||
}
|
||||
}
|
||||
'Redhat': {
|
||||
htpasswd { $user:
|
||||
# TODO randomize salt?
|
||||
cryptpasswd => ht_md5($password, 'salt'),
|
||||
target => $htpasswd_file,
|
||||
}
|
||||
}
|
||||
}
|
||||
}
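Review bot: Both new `htpasswd { $user: ... }` resources (Debian and Redhat branches) hash the password with the literal salt `'salt'`, and nothing rejects an empty password, while the visible defaults are `undef` in `nagios::params` and `''` in `lma_infra_alerting::params`. A constant salt gives the same hash for the same password on every deployment, and an empty value would leave the `nagiosadmin` account with no effective password on a port the firewall manifest opens. Add a guard ahead of the `case`, e.g. `if empty($password) { fail('nagios::cgi: password must not be empty') }`, and derive the salt per node instead of hard-coding it, as the existing `# TODO randomize salt?` already suggests. Separately, the new `file` resource still uses `$cgi_htpasswd_file` while `htpasswd` targets `$htpasswd_file`, so the `0640` mode may not land on the file actually written when the parameter is overridden.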
|
||||
|
||||
|
|
|
@ -24,9 +24,10 @@ class nagios::params {
|
|||
# CGI
|
||||
$nagios_cgi_package = 'nagios3-cgi'
|
||||
$cgi_htpasswd_file = '/etc/nagios3/htpasswd.users'
|
||||
$apache_service_name = 'apache2'
|
||||
$cgi_user = 'nagiosadmin'
|
||||
$cgi_password = undef
|
||||
$cgi_http_port = '80'
|
||||
$apache_vhost_config_tpl = 'apache_vhost_ubuntu.conf.erb'
|
||||
|
||||
# Nagios server configurations
|
||||
$nagios_debug = false
|
||||
|
|
|
@ -19,6 +19,7 @@
|
|||
],
|
||||
"description": "Puppet module for configuring Nagios server and Nagios CGI",
|
||||
"dependencies": [
|
||||
{"name": "puppetlabs/apache", "version_requirement": "1.5.0"},
|
||||
{"name": "puppetlabs/stdlib", "version_requirement": "4.x"},
|
||||
{"name": "leinaddm/htpasswd", "version_requirement": ">= 0.0.3"}
|
||||
]
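Review bot: The new `puppetlabs/apache` dependency is pinned to `1.5.0`, but the build hook changed in this same commit fetches `puppetlabs-apache-1.4.0.tar.gz`, so the module that gets bundled does not satisfy the declared requirement. Align the two, either with `{"name": "puppetlabs/apache", "version_requirement": "1.4.0"},` here or by bumping the tarball URL in the hook, so that what is reviewed and what is shipped are the same version.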
|
||||
|
|
|
@ -0,0 +1,38 @@
|
|||
# ************************************
|
||||
# Vhost template in module nagios
|
||||
# Managed by Puppet
|
||||
# ************************************
|
||||
|
||||
<VirtualHost <%= @vhost_listen_ip %>:<%= @http_port %>>
|
||||
ServerName nagios
|
||||
|
||||
DocumentRoot "/usr/share/nagios3/htdocs"
|
||||
# Alias for UI
|
||||
ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3
|
||||
# Alias for HTTP commands
|
||||
ScriptAlias /cgi-bin /usr/lib/cgi-bin/nagios3
|
||||
# Aliases for static content
|
||||
Alias /stylesheets /etc/nagios3/stylesheets
|
||||
Alias /nagios3/images /usr/share/nagios3/htdocs/images
|
||||
Alias /nagios3/js /usr/share/nagios3/htdocs/js
|
||||
Alias /nagios3/stylesheets /etc/nagios3/stylesheets
|
||||
<DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>
|
||||
Options FollowSymLinks
|
||||
DirectoryIndex index.php index.html
|
||||
AllowOverride AuthConfig
|
||||
Order Allow,Deny
|
||||
Allow From All
|
||||
AuthName "Nagios Access"
|
||||
AuthType Basic
|
||||
AuthUserFile <%= @cgi_htpasswd_file %>
|
||||
require valid-user
|
||||
</DirectoryMatch>
|
||||
|
||||
<Directory /usr/share/nagios3/htdocs>
|
||||
Options +ExecCGI
|
||||
|
||||
</Directory>
|
||||
ErrorLog "/var/log/apache2/nagios_error.log"
|
||||
ServerSignature Off
|
||||
CustomLog "/var/log/apache2/nagios_access.log" combined
|
||||
</VirtualHost>
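Review bot: `AuthUserFile <%= @cgi_htpasswd_file %>` reads a variable that is no longer a parameter of `nagios::cgi` (the class now takes `$htpasswd_file`), so the vhost presumably resolves it from the inherited `nagios::params` default and ignores an overridden path; `AuthUserFile <%= @htpasswd_file %>` would keep Apache and the `htpasswd` resource on the same file. The vhost also serves Basic authentication over plain HTTP, so the Nagios credentials cross the network unencrypted; consider a TLS listener or setting `vhost_listen_ip` to the management address rather than `*`. `Order Allow,Deny` / `Allow From All` is Apache 2.2 syntax and depends on mod_access_compat under 2.4.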
|
|
@ -8,7 +8,8 @@ HTPASSWD_TARBALL_URL="https://forgeapi.puppetlabs.com/v3/files/leinaddm-htpasswd
|
|||
# This is the commit id for the current stable/6.1 branch
|
||||
FUEL_LIB_COMMIT="be44e9ea792fe4314ac8c1b7596742ceb5163f61"
|
||||
FUEL_LIB_TARBALL_URL="https://github.com/stackforge/fuel-library/archive/${FUEL_LIB_COMMIT}.tar.gz"
|
||||
|
||||
APACHE_TARBALL_URL="https://forgeapi.puppetlabs.com/v3/files/puppetlabs-apache-1.4.0.tar.gz"
|
||||
CONCAT_TARBALL_URL="https://forgeapi.puppetlabs.com/v3/files/puppetlabs-concat-1.2.3.tar.gz"
|
||||
|
||||
function download_packages {
|
||||
while [ $# -gt 0 ]; do
|
||||
|
@ -55,11 +56,13 @@ download_packages \
|
|||
http://mirrors.kernel.org/ubuntu/pool/main/w/whois/whois_5.1.1_amd64.deb
|
||||
|
||||
|
||||
rm -rf "${MODULES_DIR:?}"/{openstack,stdlib,htpasswd}
|
||||
mkdir -p "${MODULES_DIR}"/{openstack,stdlib,htpasswd}
|
||||
rm -rf "${MODULES_DIR:?}"/{openstack,stdlib,htpasswd,apache,concat}
|
||||
mkdir -p "${MODULES_DIR}"/{openstack,stdlib,htpasswd,apache,concat}
|
||||
|
||||
wget -qO- "${FUEL_LIB_TARBALL_URL}" | \
|
||||
tar -C "${MODULES_DIR}" --strip-components=3 -zxvf - \
|
||||
fuel-library-${FUEL_LIB_COMMIT}/deployment/puppet/{openstack,stdlib}
|
||||
|
||||
wget -qO- "${HTPASSWD_TARBALL_URL}" | tar -C "${MODULES_DIR}/htpasswd" --strip-components=1 -xz
|
||||
wget -qO- "${APACHE_TARBALL_URL}" | tar -C "${MODULES_DIR}/apache" --strip-components=1 -xz
|
||||
wget -qO- "${CONCAT_TARBALL_URL}" | tar -C "${MODULES_DIR}/concat" --strip-components=1 -xz
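Review bot: The two new `wget -qO- ... | tar -xz` lines unpack the apache and concat modules straight from the network with no integrity check, and this is Puppet code that is later applied on deployed nodes. Download each tarball to a file and verify a pinned digest before extracting, e.g. `echo "<expected-sha256>  apache.tar.gz" | sha256sum -c -` (the digest is a placeholder to be filled in from a trusted copy). Because the download is piped, a failed `wget` is only caught if the script enables `pipefail`, which is not visible in this hunk.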
|
||||
|
|
|
@ -8,6 +8,15 @@
|
|||
puppet_modules: /etc/puppet/modules
|
||||
timeout: 720
|
||||
|
||||
# The following tasks are executed in the order they are declared
|
||||
- role: ['base-os']
|
||||
stage: post_deployment/8100
|
||||
type: puppet
|
||||
parameters:
|
||||
puppet_manifest: puppet/manifests/firewall.pp
|
||||
puppet_modules: /etc/puppet/modules
|
||||
timeout: 600
|
||||
|
||||
- role: ['base-os']
|
||||
stage: post_deployment/8100
|
||||
type: puppet
|
||||
|
|