From 9927aff8d345776ca5ca4b53e6f6a190933da81d Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Tue, 2 Jul 2013 23:34:49 +0300 Subject: [PATCH] nagios: Deploy nrpe.cfg from template Fixes #3. --- nagios/manifests/target.pp | 59 ++++++----- nagios/templates/nrpe.cfg.erb | 192 ++++++++++++++++++++++++++++++++++ 2 files changed, 224 insertions(+), 27 deletions(-) create mode 100644 nagios/templates/nrpe.cfg.erb diff --git a/nagios/manifests/target.pp b/nagios/manifests/target.pp index a83410f..7d5e679 100644 --- a/nagios/manifests/target.pp +++ b/nagios/manifests/target.pp @@ -194,38 +194,55 @@ class nagios::target::nrpe inherits nagios::target { case $operatingsystem { "centos","redhat","fedora": { + $package = "nrpe" $service = "nrpe" + $nrpecfg = "/etc/nagios/nrpe.cfg" $nrpedir = "/etc/nrpe.d" + $nrpepid = "/var/run/nrpe/nrpe.pid" + $nrpeuser = "nrpe" + $nrpegroup = "nrpe" } "ubuntu","debian": { + $package = "nagios-nrpe-server" $service = "nagios-nrpe-server" + $nrpecfg = "/etc/nagios/nrpe.cfg" $nrpedir = "/etc/nagios/nrpe.d" + $nrpepid = "/var/run/nagios/nrpe.pid" + $nrpeuser = "nagios" + $nrpegroup = "nagios" } "openbsd": { + $package = "nrpe" $service = "nrpe" + $nrpecfg = "/etc/nrpe.cfg" $nrpedir = "/etc/nrpe.d" - exec { "add-nrpe-include-dir": - command => "echo 'include_dir=${nrpedir}/' >> /etc/nrpe.cfg", - path => "/bin:/usr/bin:/sbin:/usr/sbin", - user => "root", - unless => "egrep '^include_dir=${nrpedir}/' /etc/nrpe.cfg", - require => Package["nrpe"], - notify => Service[$service], - before => File[$nrpedir], - } + $nrpepid = "/var/run/nrpe.pid" + $nrpeuser = "_nrpe" + $nrpegroup = "_nrpe" } } package { "nrpe": + name => $package, ensure => installed, - name => $::operatingsystem ? { - "debian" => "nagios-nrpe-server", - "ubuntu" => "nagios-nrpe-server", - default => "nrpe", - } + } + + file { "/etc/nrpe.cfg": + name => $nrpecfg, + ensure => present, + mode => "0644", + owner => "root", + group => $::operatingsystem ? { + "openbsd" => "wheel", + default => "root", + }, + content => template("nagios/nrpe.cfg.erb"), + require => Package["nrpe"], + notify => Service["nrpe"], } file { "/etc/nrpe.d": + name => $nrpedir, ensure => directory, mode => "0644", owner => "root", @@ -237,6 +254,7 @@ class nagios::target::nrpe inherits nagios::target { force => true, recurse => true, source => "puppet:///modules/custom/empty", + require => Package["nrpe"], } service { "nrpe": @@ -245,19 +263,6 @@ class nagios::target::nrpe inherits nagios::target { enable => true, } - file { "${nrpedir}/allowed_hosts.cfg": - ensure => present, - mode => "0644", - owner => "root", - group => $::operatingsystem ? { - "openbsd" => "wheel", - default => "root", - }, - content => inline_template("allowed_hosts=<%= @nagios_allow.join(',') %>\n"), - require => File["/etc/nrpe.d"], - notify => Service["nrpe"], - } - nagios::target::nrpe::service { "check_disk -w 10% -c 5% -p /": description => "Disk", package => $::operatingsystem ? { diff --git a/nagios/templates/nrpe.cfg.erb b/nagios/templates/nrpe.cfg.erb new file mode 100644 index 0000000..363fb39 --- /dev/null +++ b/nagios/templates/nrpe.cfg.erb @@ -0,0 +1,192 @@ +############################################################################# +# Sample NRPE Config File +# Written by: Ethan Galstad (nagios@nagios.org) +# +# Last Modified: 11-23-2007 +# +# NOTES: +# This is a sample configuration file for the NRPE daemon. It needs to be +# located on the remote host that is running the NRPE daemon, not the host +# from which the check_nrpe client is being executed. +############################################################################# + + +# LOG FACILITY +# The syslog facility that should be used for logging purposes. + +log_facility=daemon + + + +# PID FILE +# The name of the file in which the NRPE daemon should write it's process ID +# number. The file is only written if the NRPE daemon is started by the root +# user and is running in standalone mode. + +pid_file=<%= @nrpepid %> + + + +# PORT NUMBER +# Port number we should wait for connections on. +# NOTE: This must be a non-priviledged port (i.e. > 1024). +# NOTE: This option is ignored if NRPE is running under either inetd or xinetd + +server_port=5666 + + + +# SERVER ADDRESS +# Address that nrpe should bind to in case there are more than one interface +# and you do not want nrpe to bind on all interfaces. +# NOTE: This option is ignored if NRPE is running under either inetd or xinetd + +#server_address=127.0.0.1 + + + +# NRPE USER +# This determines the effective user that the NRPE daemon should run as. +# You can either supply a username or a UID. +# +# NOTE: This option is ignored if NRPE is running under either inetd or xinetd + +nrpe_user=<%= @nrpeuser %> + + + +# NRPE GROUP +# This determines the effective group that the NRPE daemon should run as. +# You can either supply a group name or a GID. +# +# NOTE: This option is ignored if NRPE is running under either inetd or xinetd + +nrpe_group=<%= @nrpegroup %> + + + +# ALLOWED HOST ADDRESSES +# This is an optional comma-delimited list of IP address or hostnames +# that are allowed to talk to the NRPE daemon. Network addresses with a bit mask +# (i.e. 192.168.1.0/24) are also supported. Hostname wildcards are not currently +# supported. +# +# Note: The daemon only does rudimentary checking of the client's IP +# address. I would highly recommend adding entries in your /etc/hosts.allow +# file to allow only the specified host to connect to the port +# you are running this daemon on. +# +# NOTE: This option is ignored if NRPE is running under either inetd or xinetd + +allowed_hosts=<%= @nagios_allow.join(',') %> + + + +# COMMAND ARGUMENT PROCESSING +# This option determines whether or not the NRPE daemon will allow clients +# to specify arguments to commands that are executed. This option only works +# if the daemon was configured with the --enable-command-args configure script +# option. +# +# *** ENABLING THIS OPTION IS A SECURITY RISK! *** +# Read the SECURITY file for information on some of the security implications +# of enabling this variable. +# +# Values: 0=do not allow arguments, 1=allow command arguments + +dont_blame_nrpe=0 + + + +# BASH COMMAND SUBTITUTION +# This option determines whether or not the NRPE daemon will allow clients +# to specify arguments that contain bash command substitutions of the form +# $(...). This option only works if the daemon was configured with both +# the --enable-command-args and --enable-bash-command-substitution configure +# script options. +# +# *** ENABLING THIS OPTION IS A HIGH SECURITY RISK! *** +# Read the SECURITY file for information on some of the security implications +# of enabling this variable. +# +# Values: 0=do not allow bash command substitutions, +# 1=allow bash command substitutions + +allow_bash_command_substitution=0 + + + +# COMMAND PREFIX +# This option allows you to prefix all commands with a user-defined string. +# A space is automatically added between the specified prefix string and the +# command line from the command definition. +# +# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! *** +# Usage scenario: +# Execute restricted commmands using sudo. For this to work, you need to add +# the nagios user to your /etc/sudoers. An example entry for alllowing +# execution of the plugins from might be: +# +# nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/ +# +# This lets the nagios user run all commands in that directory (and only them) +# without asking for a password. If you do this, make sure you don't give +# random users write access to that directory or its contents! + +# command_prefix=/usr/bin/sudo + + + +# DEBUGGING OPTION +# This option determines whether or not debugging messages are logged to the +# syslog facility. +# Values: 0=debugging off, 1=debugging on + +debug=0 + + + +# COMMAND TIMEOUT +# This specifies the maximum number of seconds that the NRPE daemon will +# allow plugins to finish executing before killing them off. + +command_timeout=60 + + + +# CONNECTION TIMEOUT +# This specifies the maximum number of seconds that the NRPE daemon will +# wait for a connection to be established before exiting. This is sometimes +# seen where a network problem stops the SSL being established even though +# all network sessions are connected. This causes the nrpe daemons to +# accumulate, eating system resources. Do not set this too low. + +connection_timeout=300 + + + +# WEEK RANDOM SEED OPTION +# This directive allows you to use SSL even if your system does not have +# a /dev/random or /dev/urandom (on purpose or because the necessary patches +# were not applied). The random number generator will be seeded from a file +# which is either a file pointed to by the environment valiable $RANDFILE +# or $HOME/.rnd. If neither exists, the pseudo random number generator will +# be initialized and a warning will be issued. +# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness + +#allow_weak_random_seed=1 + + + +# INCLUDE CONFIG FILE +# This directive allows you to include definitions from an external config file. + +#include= + + + +# INCLUDE CONFIG DIRECTORY +# This directive allows you to include definitions from config files (with a +# .cfg extension) in one or more directories (with recursion). + +include_dir=<%= @nrpedir %>