From a6974bf41b23de45110075d68d1f38a65677b715 Mon Sep 17 00:00:00 2001 From: Arne Teuke Date: Fri, 28 Jul 2017 16:42:50 +0100 Subject: [PATCH] included service and pointed to files --- README.md | 9 ++- manifests/main/config.pp | 2 +- manifests/main/dirs.pp | 56 +++++++++++++++++++ manifests/main/files.pp | 44 +++++++++++++++ manifests/main/service.pp | 37 +++++++++++++ manifests/params.pp | 107 +++++++++++++++++++++++++++++++++++- templates/nrpe_cfg_head.erb | 59 ++++++++++++++++++++ 7 files changed, 309 insertions(+), 5 deletions(-) create mode 100644 manifests/main/dirs.pp create mode 100644 manifests/main/files.pp create mode 100644 manifests/main/service.pp create mode 100644 templates/nrpe_cfg_head.erb diff --git a/README.md b/README.md index 5ddc9ef..188d2c3 100644 --- a/README.md +++ b/README.md @@ -30,10 +30,12 @@ NRPE allows monitoring tools like NAGIOS or ICINGA to connect to clients for mon ### Features INSTALLATION -* install binaries +* install nrpe binaries CONFIGURATION +* manage NRPE service user properties * manage directory structure (file system permissions, selinux context) +* SERVICE @@ -44,8 +46,11 @@ Repostructure has moved to REPOSTRUCTURE.md in repo. All dependencies must be included in the catalogue. * [cd_resources](https://gitlab.puppetsoft.com/12WW1160/cd_resources) to manage YUM repositories. +* [cd_stdlib](https://gitlab.puppetsoft.com/12WW1160/cd_stdlib) or [puppetlabs stdlib](https://github.com/puppetlabs/puppetlabs-stdlib) to facilitate concat +* [cd_concat](https://gitlab.puppetsoft.com/12WW1160/cd_stdlib) or [puppetlabs concat](https://github.com/puppetlabs/puppetlabs-concat) for concatenating files ### Deployment +`cd_nrpe` does typically not need to be specifically declared. It will be auto-required by `cd_nagios` with default settings. Only if you want to override settings declare it specifically. ##### native Puppet deployment 
@@ -57,7 +62,7 @@ node 'example.example.net' {
 }
 ```
 #### through Foreman:
-In order to apply parameters through Foreman, **__cd_nrpe::params__** must be added to the host or hostgroup in question.
+In order to apply parameters through Foreman, **__cd_nrpe::params__** must be added to the host or hostgroup in question, unless the defaults are fully acceptable across the estate.
 See [more details about class deployment on Confdroid.com](https://confdroid.com/2017/05/deploying-our-puppet-modules/).
diff --git a/manifests/main/config.pp b/manifests/main/config.pp
index 10a358b..5de9f5c 100644
--- a/manifests/main/config.pp
+++ b/manifests/main/config.pp
@@ -26,6 +26,6 @@ class cd_nrpe::main::config (
 ) inherits cd_nrpe::params {
-  include cd_nrpe::main::user
+  include cd_nrpe::main::service
 }
diff --git a/manifests/main/dirs.pp b/manifests/main/dirs.pp
new file mode 100644
index 0000000..cf50cee
--- /dev/null
+++ b/manifests/main/dirs.pp
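Review bot: `include cd_nrpe::main::service` makes config.pp depend on a chain of `require`s (service → files → dirs → user) that is only visible inside the new classes, and because `include` does not contain, a relationship declared on `Class['cd_nrpe::main::config']` from outside (the README says cd_nagios auto-requires this module) will not wait for the service or the files to be in place. If the Puppet version in use supports it, `contain cd_nrpe::main::service` here, and `contain` in the `require` chain below, would make the module's ordering hold for callers. The enclosing class body starts before this hunk.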
@@ -0,0 +1,56 @@
+## cd_nrpe::main::dirs.pp
+# Module name: cd_nrpe
+# Author: Arne Teuke (arne_teuke@ConfDroid.com)
+# # License:
+# This file is part of cd_nrpe.
+#
+# cd_nrpe is used for providing automatic configuration of
+#
+# Copyright (C) 2016 ConfDroid (copyright@ConfDroid.com)
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+# @summary Class manages all directories required for cd_nrpe.
+###############################################################################
+class cd_nrpe::main::dirs (
+
+) inherits cd_nrpe::params {
+
+  require cd_nrpe::main::user
+
+  # manage main conf_d_dir
+
+  file { $ne_main_conf_d_dir:
+    ensure => directory,
+    path => $ne_main_conf_d_dir,
+    owner => 'root',
+    group => 'root',
+    mode => '0755',
+    selrange => s0,
+    selrole => object_r,
+    seltype => etc_t,
+    seluser => system_u,
+  }
+
+  file { $ne_run_dir:
+    ensure => directory,
+    path => $ne_run_dir,
+    owner => $ne_user,
+    group => $ne_user,
+    mode => '0755',
+    selrange => s0,
+    selrole => object_r,
+    seltype => var_run_t,
+    seluser => system_u,
+  }
+
+}
diff --git a/manifests/main/files.pp b/manifests/main/files.pp
new file mode 100644
index 0000000..cc817b8
--- /dev/null
+++ b/manifests/main/files.pp
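Review bot: The `file { $ne_run_dir: ... }` resource manages `/var/run/nrpe` as an ordinary directory, but on systemd hosts /var/run is a tmpfs, so the directory (and with it the pid-file location and `$ne_user_home`, which params.pp points at the same path) disappears at every reboot and only comes back on the next agent run; if the service starts before that it cannot write its pid file. The usual fix is a tmpfiles.d entry such as `d /var/run/nrpe 0755 <ne_user> <ne_user> -` (values are the module's, placeholder for the user) managed here alongside the directory, or a comment explaining why the package's own handling is relied upon. Separately, the include dir gets `seltype => etc_t` while files.pp labels nrpe.cfg `nrpe_etc_t`; if the distribution policy maps `/etc/nrpe.d` to `nrpe_etc_t` as well (I believe the nagios policy does, check with `matchpathcon /etc/nrpe.d`), the explicit `etc_t` will be undone by every relabel and should be dropped or aligned. The `path` attributes repeat the resource titles and can go.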
@@ -0,0 +1,44 @@
+## cd_nrpe::main::files.pp
+# Module name: cd_nrpe
+# Author: Arne Teuke (arne_teuke@ConfDroid.com)
+# # License:
+# This file is part of cd_nrpe.
+#
+# cd_nrpe is used for providing automatic configuration of
+#
+# Copyright (C) 2016 ConfDroid (copyright@ConfDroid.com)
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+# @summary Class manages all configuration files required for cd_nrpe.
+##############################################################################
+class cd_nrpe::main::files (
+
+) inherits cd_nrpe::params {
+
+  require cd_nrpe::main::dirs
+
+  file { $ne_main_conf_file:
+    ensure => file,
+    path => ne_main_conf_file,
+    owner => 'root',
+    group => 'root',
+    mode => '0640',
+    selrange => s0,
+    selrole => object_r,
+    seltype => nrpe_etc_t,
+    seluser => system_u,
+    content => template($ne_main_conf_file),
+    notify => Service[$ne_service],
+  }
+
+}
diff --git a/manifests/main/service.pp b/manifests/main/service.pp
new file mode 100644
index 0000000..782b110
--- /dev/null
+++ b/manifests/main/service.pp
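Review bot: `path => ne_main_conf_file` is missing the `$`, so the file resource receives the bare word `ne_main_conf_file` as its path and the catalog fails (file paths must be absolute); it should be `path => $ne_main_conf_file,` or, since the title already is the path, the attribute can simply be dropped. A few lines further, `content => template($ne_main_conf_file)` passes the target path `/etc/nagios/nrpe.cfg` to `template()` instead of a template reference, so even with the first fix Puppet will look for a template named after the config file; params.pp defines `$ne_nrpe_conf_head_erb = 'cd_nrpe/nrpe_cfg_head.erb'` for exactly this purpose, so the line should read `content => template($ne_nrpe_conf_head_erb),`. The `notify => Service[$ne_service]` is fine alongside the service class's `require` of this class and is what triggers the restart on change.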
@@ -0,0 +1,37 @@
+## cd_nrpe::main::service.pp
+# Module name: cd_nrpe
+# Author: Arne Teuke (arne_teuke@ConfDroid.com)
+# # License:
+# This file is part of cd_nrpe.
+#
+# cd_nrpe is used for providing automatic configuration of
+#
+# Copyright (C) 2016 ConfDroid (copyright@ConfDroid.com)
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+# @summary Class manages the service(s) for cd_nrpe.
+#############################################################################
+class cd_nrpe::main::service (
+
+) inherits cd_nrpe::params {
+
+  require cd_nrpe::main::files
+
+  service { $ne_service:
+    ensure => running,
+    hasstatus => true,
+    hasrestart => true,
+    enable => true,
+  }
+
+}
diff --git a/manifests/params.pp b/manifests/params.pp
index 35343cf..0c8add9 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
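Review bot: `service { $ne_service: ... }` has no relationship to the nrpe package: `require cd_nrpe::main::files` pulls in files → dirs → user, but nothing in this chain, as far as the patch shows, realises `$reqpackages` from params.pp, so on a fresh host Puppet may try to start `nrpe` before the package exists and fail the first run. Adding a `require` of whichever class installs `$reqpackages` next to the existing one, or an explicit `Package[$reqpackages] -> Service[$ne_service]`, closes that gap. Only config changes made through files.pp restart the daemon; snippets dropped into `$ne_main_conf_d_dir` by other classes will not, which is worth a comment here so callers know to `notify` the service themselves.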
@@ -24,7 +24,66 @@
 # @param [string] pkg_ensure
 # which [package type](https://confdroid.com/2017/05/puppet-type-package/)
 # to choose, i.e. `latest` or `present`.
-##############################################################################
+# @param [string] ne_log_facility the log facility to use.
+# @param [string] ne_log_file If a log file is specified in this option,
+# nrpe will write to that file instead of using syslog. i.e. /var/run/nrpe.log
+# @param [string] ne_debug Whether debugging messages are logged to the
+# syslog facility.
+# @param [string] ne_nrpe_port the NRPE port. used in firewall ( optional)
+# and configuration file.
+# @param [string] ne_listen_queue_size Listen queue size (backlog) for
+# serving incoming connections.
+# @param [string] ne_nagios_server ipaddress of the nagios server to be allowed
+# to connect to NRPE service. Default is to look up a global parameter from
+# ENC.
+# @param [string] ne_dont_blame_nrpe whether or not the NRPE daemon will
+# allow clients to specify arguments to commands that are executed.
+# @param [string] ne_allow_bash_cmd_subst whether or not the NRPE daemon will
+# allow clients to specify arguments that contain bash command substitutions
+# of the form $(...).
+# @param [boolean] ne_allow_sudo Whether to allow sudo access. used in nrpe.cfg
+# as well as for creating a sudo role.
+# @param [string] command_prefix allows you to prefix all commands with a
+# user-defined string.
+# @param [string] ne_incl_fw Whether to include firewall rules
+# @param [string] ne_command_timeout maximum number of seconds that the NRPE
+# daemon will allow plugins to finish executing before killing them off.
+# @param [string] ne_connection_timeout maximum number of seconds that the
+# NRPE daemon will wait for a connection to be established before exiting.
+# @param [string] ne_ssl_version These directives allow you to specify how to
+# use SSL/TLS.
+# @param [string] ne_ssl_use_adh This is for backward compatibility and is
+# DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the
+# default but will be changed in a later version.
+# @param [string] ne_ssl_cipher_list ciphers can be used. For backward
+# compatibility, this defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in
+# this version but will be changed in a later version of NRPE.
+# @param [string] ne_ssl_cacert_file path and name of the ssl certificate
+# authority ( ca) file / chain. must be full path.
+# @param [string] ne_ssl_cert_file path and name of the server ssl certificate.
+# must include full path.
+# @param [string] ne_ssl_privatekey_filepath and name of the server ssl
+# private key. Must include full path.
+# @param [string] ne_ssl_client_certs determines client certificate usage.
+# Values: 0 = Don't ask for or require client certificates
+# 1 = Ask for client certificates
+# 2 = Require client certificates
+# @param [string] ne_ssl_logging determines which SSL messages are send to
+# syslog. OR values together to specify multiple options.
+# Values: 0x00 (0) = No additional logging (default)
+# 0x01 (1) = Log startup SSL/TLS parameters
+# 0x02 (2) = Log remote IP address
+# 0x04 (4) = Log SSL/TLS version of connections
+# 0x08 (8) = Log which cipher is being used for the connection
+# 0x10 (16) = Log if client has a certificate
+# 0x20 (32) = Log details of client's certificate if it has one
+# -1 or 0xff or 0x2f = All of the above
+# @param [string] ne_nasty_metachars list of characters that cannot
+# be passed to the NRPE daemon.
+# @param [string] ne_include_file include definitions from an external
+# config file.
+# @param [string] ne_include_dir
+###############################################################################
 class cd_nrpe::params (
 $pkg_ensure = 'latest',
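Review bot: Several of the new `@param` entries do not match the parameter list in the following hunk: `command_prefix` is documented but the parameter is `ne_command_prefix`, `ne_ssl_privatekey_filepath` has lost the space before "path" and should read `# @param [string] ne_ssl_privatekey_file path and name of the server ssl`, `ne_include_dir` has no description and is not a parameter at all (the template derives include_dir from `$ne_main_conf_d_dir`), while `ne_server_address` and `ne_allow_weak_rnd_seed` are parameters with no entry. The `ne_ssl_cipher_list` text quotes NRPE's upstream default `ALL:!MD5:@STRENGTH`, but the module's own default is `ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH`; the comment should state the module default and say that the upstream one is weaker. The descriptions of `ne_dont_blame_nrpe` and `ne_allow_bash_cmd_subst` would also benefit from a sentence noting that enabling them widens what a connecting monitoring host can make this agent execute, so readers understand why a restrictive default matters.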
@@ -33,10 +92,42 @@ $pkg_ensure = 'latest',
 $ne_user = 'nrpe',
 $ne_user_comment = 'NRPE service user',
 $ne_user_uid = '1005',
-$ne_user_home = '/var/run/nagios',
+$ne_user_home = '/var/run/nrpe',
 $ne_user_groups = undef,
 $ne_user_shell = '/sbin/nologin',
+# nrpe.cfg
+$ne_log_facility = 'daemon'
+$ne_log_file = '',
+$ne_debug = '0',
+$ne_nrpe_port = '5666',
+$ne_server_address = '127.0.0.1',
+$ne_listen_queue_size = '5',
+$ne_nagios_server = $::nagios_server,
+$ne_dont_blame_nrpe = '1',
+$ne_allow_bash_cmd_subst = '1',
+$ne_allow_sudo = true,
+$ne_command_prefix = '/usr/bin/sudo',
+$ne_command_timeout = '60',
+$ne_connection_timeout = '300',
+$ne_allow_weak_rnd_seed = '1',
+$ne_ssl_version = 'TLSv1.1+',
+$ne_ssl_use_adh = '1',
+$ne_ssl_cipher_list = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',
+$ne_ssl_cacert_file = '/etc/pki/tls/certs/ca-chain.crt.pem',
+$ne_ssl_cert_file = "/etc/pki/tls/certs/${::fqdn}.crt.pem",
+$ne_ssl_privatekey_file = "/etc/pki/tls/private/${::fqdn}.key.pem",
+$ne_ssl_client_certs = '2',
+$ne_ssl_logging = '0x00',
+$ne_nasty_metachars = '\"|`&><\'\\[]{};\r\n\"',
+$ne_include_file = '',
+
+
+# firewall
+$ne_incl_fw = true,
+
+
+
 ) {
 # installation section
@@ -44,6 +135,18 @@ $reqpackages = $::operatingsystem ? {
 /(?i-mx:centos|fedora|redhat)/ => ['nrpe'],
 }
+# service
+$ne_service = 'nrpe'
+
+# directories
+$ne_main_conf_d_dir = '/etc/nrpe.d'
+$ne_run_dir = '/var/run/nrpe'
+
+# files
+$ne_main_conf_file = '/etc/nagios/nrpe.cfg'
+$ne_nrpe_conf_head_erb = 'cd_nrpe/nrpe_cfg_head.erb'
+$ne_nrpe_pid_file = "${ne_run_dir}/nrpe.pid"
+
 # includes must be last
 include cd_nrpe::main::config
diff --git a/templates/nrpe_cfg_head.erb b/templates/nrpe_cfg_head.erb
new file mode 100644
index 0000000..896d7e8
--- /dev/null
+++ b/templates/nrpe_cfg_head.erb
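Review bot: The new defaults switch on the two NRPE options that let a connecting host shape what this agent executes — `$ne_dont_blame_nrpe = '1'` accepts client-supplied command arguments and `$ne_allow_bash_cmd_subst = '1'` additionally accepts `$(...)` inside them — and the README states this class is applied with its defaults wherever cd_nagios is, so every monitored host gets the permissive setting; both should default to `'0'` and be enabled per host only where a check genuinely needs arguments. `$ne_allow_weak_rnd_seed = '1'` and `$ne_ssl_use_adh = '1'` likewise undercut the TLS posture that `$ne_ssl_client_certs = '2'` tries to enforce (anonymous DH gives no peer authentication, and the parameter doc above calls ADH deprecated), so `'0'` is the safer default for both. Independently, `$ne_log_facility = 'daemon'` lacks its trailing comma, which is a parse error for the whole class. Also note `$ne_server_address = '127.0.0.1'` binds the daemon to loopback while the template adds `$::nagios_server` to `allowed_hosts`; unless a tunnel is the intended deployment, one of these two defaults is wrong and the intent should be documented.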
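Review bot: `$ne_run_dir = '/var/run/nrpe'` repeats the literal given to the `$ne_user_home` parameter in the previous hunk, and `$ne_nrpe_pid_file` is derived from it; since `$ne_user_home` can be overridden and `$ne_run_dir` cannot, an override leaves the service user's home and the managed run directory pointing at different paths. `$ne_run_dir = $ne_user_home` (or making `$ne_run_dir` the parameter and deriving the home from it) keeps the two in step. A short comment that these body variables are intentionally not overridable would also help Foreman users who only see the parameter list.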
@@ -0,0 +1,59 @@
+################################################################################
+########## nrpe.cfg managed by Puppet ##########
+########## manual changes will be overwritten !!! ##########
+################################################################################
+########## full reference is available at ##########
+########## https://confdroid.com/2017/07/nrpe-nrpe-cfg/ ##########
+################################################################################
+
+log_facility=<%= @ne_log_facility %>
+
+<% unless @ne_log_file.empty ? %>
+log_file=<%= @ne_log_file %>
+<% end %>
+
+debug=<%= @ne_debug %>
+
+pid_file=<% @ne_nrpe_pid_file %>
+server_port=<%= @ne_nrpe_port %>
+
+server_address=<%= @ne_server_address %>
+listen_queue_size=<%= @ne_listen_queue_size %>
+
+nrpe_user=<%= @ne_user %>
+nrpe_group=<%= @ne_user %>
+
+allowed_hosts=127.0.0.1,::1,<%= @ne_nagios_server %>
+dont_blame_nrpe=<%= @ne_dont_blame_nrpe %>
+allow_bash_command_substitution=<%= @ne_allow_bash_cmd_subst %>
+
+<%= if @$ne_allow_sudo == true %>
+command_prefix=<%= @ne_command_prefix %>
+<% end %>
+
+command_timeout=<%= @ne_command_timeout %>
+connection_timeout=<%= @ne_connection_timeout %>
+
+allow_weak_random_seed=<%= @ne_allow_weak_rnd_seed %>
+
+ssl_version=<%= @ne_ssl_version %>
+ssl_use_adh=<%= @ne_ssl_use_adh %>
+ssl_cipher_list=<%= @ne_ssl_cipher_list %>
+
+ssl_cacert_file=<%= @ne_ssl_cacert_file %>
+ssl_cert_file=<%= @ne_ssl_cert_file %>
+ssl_privatekey_file=<%= @ne_ssl_privatekey_file %>
+
+ssl_client_certs=<%= @ne_ssl_client_certs %>
+ssl_logging=<%= @ne_ssl_logging %>
+
+nasty_metachars=<$= @ne_nasty_metachars %>
+
+<% unless @ne_include_file.empty? %>
+include=<%= @ne_include_file %>
+<% end %>
+
+include_dir=<%= @ne_main_conf_d_dir %>
+
+### command definitions have been moved to include_dir for easier external
+# management
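Review bot: Four ERB tags in the new template are malformed, so it either fails to render or writes a wrong nrpe.cfg: `<% unless @ne_log_file.empty ? %>` is a Ruby syntax error (`empty ?` is not the `empty?` predicate), `pid_file=<% @ne_nrpe_pid_file %>` lacks the `=` so `pid_file=` is emitted empty, `<%= if @$ne_allow_sudo == true %>` is neither valid Ruby (`@$`) nor a valid control tag, and `nasty_metachars=<$= @ne_nasty_metachars %>` is not an ERB tag at all, so the literal text `<$= @ne_nasty_metachars %>` lands in the config and the daemon filters the characters of that literal rather than the intended list, which seemingly leaves `|`, `&`, `;` and the backtick unfiltered. The corrected tags are below; the rest of the file is unchanged. `allowed_hosts` also ends in a dangling comma when `$::nagios_server` is unset (the params default), so joining a compacted list there would be more robust.
```erb
<% unless @ne_log_file.empty? %>
log_file=<%= @ne_log_file %>
<% end %>
<%# … unchanged: debug … %>
pid_file=<%= @ne_nrpe_pid_file %>
<%# … unchanged: server_port through allow_bash_command_substitution … %>
<% if @ne_allow_sudo %>
command_prefix=<%= @ne_command_prefix %>
<% end %>
<%# … unchanged: timeouts and ssl_* settings … %>
nasty_metachars=<%= @ne_nasty_metachars %>
```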