Use 2 Virtual IPs for Nagios

One VIP is used for the Nagios UI and the other for the /status
location exclusively used by LMA collectors to report statuses.
This split will help to enable HTTPS for the Nagios UI and deploy it on
another network while LMA collectors continue to use HTTP over the
"monitoring" network.

These VIPs are allocated by default on the management network.

Change-Id: I3c0df769cb40b540b1afb74d4958e87b58daa12d
Swann Croiset 2016-06-15 15:04:50 +02:00
parent aaf626dbe6
commit 51bffbc63c
13 changed files with 198 additions and 72 deletions


@ -19,8 +19,9 @@ $network_scheme = hiera_hash('network_scheme')
$network_metadata = hiera_hash('network_metadata')
prepare_network_config($network_scheme)
$hiera_file = '/etc/hiera/plugins/lma_infrastructure_alerting.yaml'
$alerting_vip = $network_metadata['vips']['infrastructure_alerting_mgmt_vip']['ipaddr']
$hiera_file = '/etc/hiera/plugins/lma_infrastructure_alerting.yaml'
$alerting_vip = $network_metadata['vips']['infrastructure_alerting_mgmt_vip']['ipaddr']
$alerting_ui_vip = $network_metadata['vips']['infrastructure_alerting_ui']['ipaddr']
$listen_address = get_network_role_property('infrastructure_alerting', 'ipaddr')
$kibana_port = hiera('lma::elasticsearch::kibana_port', 80)
@ -35,6 +36,7 @@ lma::corosync_roles:
lma::infrastructure_alerting::listen_address: <%= @listen_address %>
lma::infrastructure_alerting::apache_port: 8001
lma::infrastructure_alerting::vip: <%= @alerting_vip %>
lma::infrastructure_alerting::vip_ui: <%= @alerting_ui_vip %>
lma::infrastructure_alerting::vip_ns: infrastructure_alerting
lma::infrastructure_alerting::kibana_port: <%= @kibana_port %>
lma::infrastructure_alerting::es_port: <%= @es_port %>


@ -44,6 +44,8 @@ if $notify_warning == false and
$notify_recovery = $plugin['notify_recovery']
}
$apache_port = hiera('lma::infrastructure_alerting::apache_port')
$nagios_vip = hiera('lma::infrastructure_alerting::vip')
$nagios_ui_vip = hiera('lma::infrastructure_alerting::vip_ui')
$lma_collector = hiera_hash('lma_collector', {})
@ -59,13 +61,20 @@ if $lma_collector['gse_cluster_node'] {
$node_clusters = []
}
class { 'lma_infra_alerting':
# Install and configure nagios server for StackLight
class { 'lma_infra_alerting::nagios':
http_password => $password,
http_port => $apache_port,
nagios_ui_address => $nagios_ui_vip,
nagios_address => $nagios_vip,
}
class { 'lma_infra_alerting::nagios::vhost':
openstack_deployment_name => $env_id,
openstack_management_vip => $cluster_ip,
global_clusters => $service_clusters,
node_clusters => $node_clusters,
password => $password,
http_port => $apache_port,
require => Class['lma_infra_alerting::nagios'],
}
file { 'ocf-ns_apache':
@ -86,7 +95,7 @@ file { 'ocf-ns_nagios':
group => 'root',
}
# This is required so Apache and Nagios can bind to the VIP address
# This is required so Apache and Nagios can bind to the VIP addresses
exec { 'net.ipv4.ip_nonlocal_bind':
command => '/sbin/sysctl -w net.ipv4.ip_nonlocal_bind=1',
unless => '/sbin/sysctl -n net.ipv4.ip_nonlocal_bind | /bin/grep 1',
@ -98,7 +107,7 @@ if $fuel_version < 9.0 {
primitive_type => 'ocf-ns_apache',
parameters => {
'ns' => 'infrastructure_alerting',
'status_url' => "http://localhost:${apache_port}/server-status",
'status_url' => "http://${nagios_vip}:${apache_port}/server-status",
},
metadata => {
'migration-threshold' => '3',
@ -118,7 +127,7 @@ if $fuel_version < 9.0 {
},
prefix => false,
use_handler => false,
require => [File['ocf-ns_apache'], Exec['net.ipv4.ip_nonlocal_bind'], Class['lma_infra_alerting']],
require => [File['ocf-ns_apache'], Exec['net.ipv4.ip_nonlocal_bind'], Class['lma_infra_alerting::nagios']],
}
cs_rsc_colocation { 'infrastructure_alerting_vip-with-apache2':
@ -155,7 +164,7 @@ if $fuel_version < 9.0 {
},
prefix => false,
use_handler => false,
require => [File['ocf-ns_nagios'], Exec['net.ipv4.ip_nonlocal_bind'], Class['lma_infra_alerting']],
require => [File['ocf-ns_nagios'], Exec['net.ipv4.ip_nonlocal_bind'], Class['lma_infra_alerting::nagios']],
}
cs_rsc_colocation { 'infrastructure_alerting_vip-with-nagios':
@ -167,13 +176,24 @@ if $fuel_version < 9.0 {
],
require => Cs_resource['nagios3'],
}
# The two VIPs must be colocated
# This assumes that the VIPs have already been created
cs_rsc_colocation { 'ui_vip-with-wsgi_vip':
ensure => present,
score => 'INFINITY',
primitives => [
'vip__infrastructure_alerting_mgmt_vip',
'vip__infrastructure_alerting_ui'
],
}
} else {
# Apache2 resources for Pacemaker
pacemaker::service { 'apache2':
primitive_type => 'ocf-ns_apache',
parameters => {
'ns' => 'infrastructure_alerting',
'status_url' => "http://localhost:${apache_port}/server-status",
'status_url' => "http://${nagios_vip}:${apache_port}/server-status",
},
complex_type => 'clone',
complex_metadata => {
@ -194,7 +214,7 @@ if $fuel_version < 9.0 {
},
prefix => false,
use_handler => false,
require => [File['ocf-ns_apache'], Exec['net.ipv4.ip_nonlocal_bind'], Class['lma_infra_alerting']],
require => [File['ocf-ns_apache'], Exec['net.ipv4.ip_nonlocal_bind'], Class['lma_infra_alerting::nagios']],
}
pcmk_colocation { 'infrastructure_alerting_vip-with-apache2':
@ -230,7 +250,7 @@ if $fuel_version < 9.0 {
},
prefix => false,
use_handler => false,
require => [File['ocf-ns_nagios'], Exec['net.ipv4.ip_nonlocal_bind'], Class['lma_infra_alerting']],
require => [File['ocf-ns_nagios'], Exec['net.ipv4.ip_nonlocal_bind'], Class['lma_infra_alerting::nagios']],
}
pcmk_colocation { 'infrastructure_alerting_vip-with-nagios':
@ -240,6 +260,15 @@ if $fuel_version < 9.0 {
second => 'nagios3',
require => Pacemaker::Service['nagios3'],
}
# The two VIPs must be colocated
# This assumes VIPs are already created
pcmk_colocation { 'ui_vip-with-wsgi_vip':
ensure => present,
score => 'INFINITY',
first => 'vip__infrastructure_alerting_mgmt_vip',
second => 'vip__infrastructure_alerting_ui',
}
}
class { 'lma_infra_alerting::nagios::contact':
@ -253,7 +282,7 @@ class { 'lma_infra_alerting::nagios::contact':
notify_critical => $notify_critical,
notify_recovery => $notify_recovery,
notify_unknown => $notify_unknown,
require => Class['lma_infra_alerting'],
require => Class['lma_infra_alerting::nagios'],
}
if $lma_collector['node_cluster_roles'] {
@ -277,7 +306,7 @@ class { 'lma_infra_alerting::nagios::hosts':
host_custom_vars_keys => ['fqdn', 'node_roles'],
node_cluster_roles => $node_cluster_roles,
node_cluster_alarms => $node_cluster_alarms,
require => Class['lma_infra_alerting'],
require => Class['lma_infra_alerting::nagios'],
}
$influxdb_nodes = get_nodes_hash_by_roles($network_metadata, ['influxdb_grafana', 'primary-influxdb_grafana'])
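Review bot: `/server-status` has to be served on the collector-facing VIP once `status_url` points at `http://${nagios_vip}:${apache_port}/server-status`, and nothing visible in this section restricts who may read it there. The same change is made in both 'apache2' resource definitions (the `$fuel_version < 9.0` branch and the `else` branch). The status page lists client addresses and request lines; access may already be limited elsewhere in the module, but that should be confirmed now that the probe no longer uses `localhost`. A short comment next to each `status_url` would also help, for example `# polled via the VIP: Apache no longer listens on localhost, see nagios::cgi`. The surrounding resource bodies start and end outside the hunks shown.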


@ -16,7 +16,7 @@ notice('fuel-plugin-lma-infrastructure-alerting: nagios_dashboard_url.pp')
$deployment_id = hiera('deployment_id')
$master_ip = hiera('master_ip')
$vip = hiera('lma::infrastructure_alerting::vip')
$vip = hiera('lma::infrastructure_alerting::vip_ui')
$port = hiera('lma::infrastructure_alerting::apache_port')
$nagios_link_data = "{\"title\":\"Nagios\",\
\"description\":\"Dashboard for visualizing alerts\",\


@ -18,12 +18,13 @@
#
class lma_infra_alerting::nagios (
$http_user = $lma_infra_alerting::params::http_user,
$http_password,
$http_user,
$http_port
) {
$http_port,
$nagios_ui_address,
$nagios_address,
) inherits lma_infra_alerting::params {
include lma_infra_alerting::params
include nagios::params
class { '::nagios':
@ -47,10 +48,12 @@ class lma_infra_alerting::nagios (
}
class { '::nagios::cgi':
user => $http_user,
password => $http_password,
http_port => $http_port,
require => Class[nagios],
user => $http_user,
password => $http_password,
http_port => $http_port,
vhost_listen_ip => $nagios_ui_address,
wsgi_vhost_listen_ip => $nagios_address,
require => Class[nagios],
}
$cron_bin = $lma_infra_alerting::params::update_configuration_script
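Review bot: The new mandatory parameters `$nagios_ui_address` and `$nagios_address` are undocumented, and the second name does not say that it is the address of the collector-facing `/status` vhost (it is passed as `wsgi_vhost_listen_ip`). Because these two values decide which network exposes the UI and which exposes the passive-check endpoint, the class header should spell that out, e.g. `# [*nagios_ui_address*] address the Nagios UI vhost listens on` and `# [*nagios_address*] address the /status WSGI vhost used by LMA collectors listens on`. Neither value is checked before it is interpolated into an Apache `Listen` and `<VirtualHost>` line, so a malformed address would probably only surface when Apache reloads. The class body continues outside the hunks.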


@ -12,12 +12,10 @@
# License for the specific language governing permissions and limitations
# under the License.
#
# Configure the Nagios server with the CGI service for passive checks.
# Configure virtual hosts for monitoring the clusters of global services and nodes
# Configure virtual Nagios hosts for monitoring the clusters of global services
# and nodes.
#
class lma_infra_alerting (
$password,
$http_port = $lma_infra_alerting::params::http_port,
class lma_infra_alerting::nagios::vhost (
$openstack_management_vip = undef,
$openstack_deployment_name = '',
$global_clusters = [],
@ -33,13 +31,6 @@ class lma_infra_alerting (
$lma_infra_alerting::params::nagios_node_vhostname_prefix,
'-env', $openstack_deployment_name], '')
# Install and configure nagios server
class { 'lma_infra_alerting::nagios':
http_user => $lma_infra_alerting::params::http_user,
http_password => $password,
http_port => $http_port,
}
if ! empty($global_clusters) {
# Configure the virtual host for the global clusters
lma_infra_alerting::nagios::vhost_cluster_status{ 'global':
@ -47,7 +38,6 @@ class lma_infra_alerting (
hostname => $vhostname_global,
services => $global_clusters,
notifications_enabled => 1,
require => Class['lma_infra_alerting::nagios'],
}
}
@ -58,7 +48,6 @@ class lma_infra_alerting (
hostname => $vhostname_node,
services => $node_clusters,
notifications_enabled => 0,
require => Class['lma_infra_alerting::nagios'],
}
}
}


@ -0,0 +1,36 @@
# Copyright 2016 Mirantis, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
require 'spec_helper'
describe 'lma_infra_alerting::nagios' do
let(:facts) do
{:kernel => 'Linux', :operatingsystem => 'Ubuntu',
:osfamily => 'Debian', :operatingsystemrelease => '12.4',
:concat_basedir => '/tmp'}
end
describe 'with global and node clusters' do
let(:params) do
{:http_password => 'foo', :http_port => '999',
:nagios_ui_address => '1.1.1.1',
:nagios_address => '2.3.3.3'
}
end
it { should contain_class('nagios') }
it { should create_class('nagios::cgi') }
it { should create_cron('update lma infra alerting') }
it { should create_file('/usr/local/bin/update-lma-configuration') }
end
end
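Review bot: Nothing in this spec checks that the two addresses reach `nagios::cgi` on the intended parameters, so swapping `nagios_ui_address` and `nagios_address` inside the class would still pass. That wiring decides which network serves the UI and which serves `/status`, so it is worth asserting: `it { should contain_class('nagios::cgi').with_vhost_listen_ip('1.1.1.1').with_wsgi_vhost_listen_ip('2.3.3.3') }`. The context title 'with global and node clusters' also does not match the params, which carry no clusters.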


@ -13,7 +13,7 @@
# under the License.
require 'spec_helper'
describe 'lma_infra_alerting' do
describe 'lma_infra_alerting::nagios::vhost' do
let(:facts) do
{:kernel => 'Linux', :operatingsystem => 'Ubuntu',
:osfamily => 'Debian', :operatingsystemrelease => '12.4',
@ -24,13 +24,10 @@ describe 'lma_infra_alerting' do
let(:params) do
{:global_clusters => ['nova', 'cinder', 'keystone'],
:node_clusters => ['controller', 'compute', 'storage'],
:password => 'secrete'}
}
end
it { should contain_class('nagios') }
it { should create_class('nagios::cgi') }
it { should create_cron('update lma infra alerting') }
it { should create_file('/usr/local/bin/update-lma-configuration') }
it { should contain_lma_infra_alerting__nagios__vhost_cluster_status('global') }
it { should contain_lma_infra_alerting__nagios__vhost_cluster_status('nodes') }
end
end


@ -17,11 +17,12 @@
# Install and configure Nagios web interface
#
class nagios::cgi (
$vhost_listen_ip,
$wsgi_vhost_listen_ip = undef,
$user = $nagios::params::cgi_user,
$password = $nagios::params::cgi_password,
$htpasswd_file = $nagios::params::cgi_htpasswd_file,
$http_port = $nagios::params::cgi_http_port,
$vhost_listen_ip = '*',
$wsgi_process_service_checks_location = '/status',
$wsgi_process_service_checks_script = '/usr/local/bin/nagios-process-service-checks.wsgi',
$wsgi_processes = 2,
@ -45,21 +46,35 @@ class nagios::cgi (
manage_user => false,
}
apache::listen { $http_port: }
# Template uses these variables: http_port, vhost_listen_ip, cgi_htpasswd_file
# nagios_command_file, wsgi_processes, wsgi_threads,
# wsgi_process_service_checks_script, wsgi_process_service_checks_location
$nagios_command_file = '/var/lib/nagios3/rw/nagios.cmd'
apache::custom_config { 'nagios':
content => template("nagios/${nagios::params::apache_vhost_config_tpl}"),
apache::listen { "${vhost_listen_ip}:${http_port}": }
if $wsgi_vhost_listen_ip {
apache::listen { "${wsgi_vhost_listen_ip}:${http_port}": }
}
file { 'wsgi_process_service_checks_script':
ensure => present,
path => $wsgi_process_service_checks_script,
source => 'puppet:///modules/nagios/process-service-checks.wsgi',
notify => Class['apache::service'],
# Template uses these variables: http_port, vhost_listen_ip, cgi_htpasswd_file
# nagios_command_file
$nagios_command_file = '/var/lib/nagios3/rw/nagios.cmd'
apache::custom_config { 'nagios-ui':
content => template("nagios/${nagios::params::apache_ui_vhost_config_tpl}"),
notify => Class['apache::service'],
require => Class['apache'],
}
if $wsgi_vhost_listen_ip {
# Template uses these variables: http_port, cgi_htpasswd_file
# nagios_command_file, wsgi_vhost_listen_ip, wsgi_processes, wsgi_threads,
# wsgi_process_service_checks_script, wsgi_process_service_checks_location
apache::custom_config { 'nagios-wsgi':
content => template("nagios/${nagios::params::apache_wsgi_vhost_config_tpl}"),
notify => Class['apache::service'],
require => Class['apache'],
}
file { 'wsgi_process_service_checks_script':
ensure => present,
path => $wsgi_process_service_checks_script,
source => 'puppet:///modules/nagios/process-service-checks.wsgi',
notify => Class['apache::service'],
require => Class['apache'],
}
}
$apache_user = $apache::user
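Review bot: If `$wsgi_vhost_listen_ip` equals `$vhost_listen_ip`, the two `apache::listen` declarations get the same title and catalog compilation fails on a duplicate resource. Even without that, the UI and `/status` vhosts would share one address and port. The plugin manifest passes two distinct VIPs, but the class itself accepts any pair, so an explicit guard gives a clearer error: `if $wsgi_vhost_listen_ip == $vhost_listen_ip { fail('vhost_listen_ip and wsgi_vhost_listen_ip must differ') }`. The class header should also say that leaving `$wsgi_vhost_listen_ip` undef now means no `/status` endpoint is configured at all, and that `$vhost_listen_ip` no longer defaults to `'*'`. The class body starts and ends outside the hunks.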


@ -25,7 +25,8 @@ class nagios::params {
$nagios_cgi_package = 'nagios3-cgi'
$cgi_htpasswd_file = '/etc/nagios3/htpasswd.users'
$apache_service_name = 'apache2'
$apache_vhost_config_tpl = 'apache_vhost_ubuntu.conf.erb'
$apache_ui_vhost_config_tpl = 'apache_vhost_ubuntu.conf.erb'
$apache_wsgi_vhost_config_tpl = 'apache_wsgi_vhost_ubuntu.conf.erb'
}
'RedHat': {
$config_dir = '/etc/nagios/conf.d'
@ -40,7 +41,8 @@ class nagios::params {
$nagios_cgi_package = $nagios_service_name # CGI is provided by the same package
$cgi_htpasswd_file = '/etc/nagios/htpasswd'
$apache_service_name = 'httpd'
$apache_vhost_config_tpl = 'apache_vhost_centos.conf.erb'
$apache_ui_vhost_config_tpl = 'apache_vhost_centos.conf.erb'
$apache_wsgi_vhost_config_tpl = 'apache_wsgi_vhost_centos.conf.erb'
}
default: {
fail("${::osfamily} not supported")
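Review bot: The RedHat branch now references `apache_wsgi_vhost_centos.conf.erb`, but none of the file sections on this page adds a template by that name. The only new WSGI vhost template shown uses `/var/log/apache2` paths, which suggests it is the Ubuntu one. Unless the CentOS file already exists in the module, `template()` in `nagios::cgi` would fail on RedHat whenever `wsgi_vhost_listen_ip` is set. Either add the template in this change or leave a `# TODO: apache_wsgi_vhost_centos.conf.erb not provided yet` comment on that line.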


@ -21,6 +21,26 @@ describe 'nagios::cgi' do
end
describe 'with default' do
let(:params) do
{:vhost_listen_ip => '1.1.1.1',
:htpasswd_file => '/tmp/htpass',
:user => 'nagiosuser',
}
end
it { should contain_class('apache') }
it { should contain_file('/tmp/htpass') }
it { should contain_htpasswd('nagiosuser') }
it { should contain_apache__custom_config('nagios-ui') }
end
describe 'with default' do
let(:params) do
{:vhost_listen_ip => '1.1.1.1',
:wsgi_vhost_listen_ip => '2.2.2.2',
}
end
it { should contain_class('apache') }
it { should contain_apache__custom_config('nagios-ui') }
it { should contain_apache__custom_config('nagios-wsgi') }
it { should contain_file('wsgi_process_service_checks_script') }
end
end
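Review bot: Both added contexts are titled `describe 'with default'`, although the second one sets `:wsgi_vhost_listen_ip`, so a failure report cannot tell them apart; rename it, e.g. `describe 'with wsgi vhost' do`. The first context also never asserts the negative case, which is the behaviour this commit introduces: `it { should_not contain_apache__custom_config('nagios-wsgi') }` and `it { should_not contain_file('wsgi_process_service_checks_script') }`. The enclosing `describe 'nagios::cgi'` block starts outside the hunk.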


@ -4,21 +4,9 @@
# ************************************
<VirtualHost <%= @vhost_listen_ip %>:<%= @http_port %>>
ServerName nagios
ServerName nagios-ui
DocumentRoot "/usr/share/nagios3/htdocs"
# WSGI implementation for the process_service_check command
SetEnv NAGIOS_CMD_FILE <%= @nagios_command_file %>
WSGIScriptAlias <%= @wsgi_process_service_checks_location %> <%= @wsgi_process_service_checks_script %>
WSGIDaemonProcess nagios_process_service_checks user=nagios group=nagios processes=<%= @wsgi_processes %> threads=<%= @wsgi_threads %> display-name='%{GROUP}' maximum-requests=10000
WSGIProcessGroup nagios_process_service_checks
<Location <%= @wsgi_process_service_checks_location %>>
AuthName "Nagios Access"
AuthType Basic
AuthUserFile <%= @cgi_htpasswd_file %>
require valid-user
</Location>
# Alias for UI
ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3
# Alias for HTTP commands


@ -0,0 +1,25 @@
# ************************************
# Vhost template in module nagios
# Managed by Puppet
# ************************************
<VirtualHost <%= @wsgi_vhost_listen_ip %>:<%= @http_port %>>
ServerName nagios
DocumentRoot "/usr/share/nagios3/htdocs"
# WSGI implementation for the process_service_check command
SetEnv NAGIOS_CMD_FILE <%= @nagios_command_file %>
WSGIScriptAlias <%= @wsgi_process_service_checks_location %> <%= @wsgi_process_service_checks_script %>
WSGIDaemonProcess nagios_process_service_checks user=nagios group=nagios processes=<%= @wsgi_processes %> threads=<%= @wsgi_threads %> display-name='%{GROUP}' maximum-requests=10000
WSGIProcessGroup nagios_process_service_checks
<Location <%= @wsgi_process_service_checks_location %>>
AuthName "Nagios Access"
AuthType Basic
AuthUserFile <%= @cgi_htpasswd_file %>
require valid-user
</Location>
ErrorLog "/var/log/apache2/nagios_wsgi_error.log"
ServerSignature Off
CustomLog "/var/log/apache2/nagios_wsgi_access.log" combined
</VirtualHost>
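Review bot: The collector vhost authenticates over plain HTTP against `@cgi_htpasswd_file`, the same file the UI vhost uses, so the account collectors present on the monitoring network is also valid for the Nagios UI. If the UI is later put behind HTTPS as the commit description intends, a separate htpasswd file and user for `/status` would keep that cleartext exposure from carrying over to UI access. Separately, `DocumentRoot "/usr/share/nagios3/htdocs"` makes the UI's static tree reachable on this vhost outside the authenticated `<Location>`. This vhost only needs the WSGI alias, so the document root could be dropped or everything except the `/status` location denied. A comment above the `<Location>` block noting that it is the only path meant to be served here would make the intent explicit.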


@ -1,3 +1,10 @@
# The plugin requires the allocation of 2 virtual IPs:
# One VIP is used for the Nagios UI and the other for the /status location
# exclusively used by LMA collectors to report statuses.
# This split will help to enable HTTPS for the Nagios UI and deploy it on
# another network while LMA collectors continue to use HTTP over the
# "monitoring" network.
- id: "infrastructure_alerting"
default_mapping: "management"
properties:
@ -10,3 +17,16 @@
node_roles:
- "primary-infrastructure_alerting"
- "infrastructure_alerting"
- id: "infrastructure_alerting_ui"
default_mapping: "management"
properties:
subnet: true
gateway: false
vip:
- name: "infrastructure_alerting_ui"
namespace: "infrastructure_alerting"
alias: "infrastructure_alerting_ui"
node_roles:
- "primary-infrastructure_alerting"
- "infrastructure_alerting"