included service and pointed to files

Arne Teuke
2017-07-28 16:42:50 +01:00
parent bcfcbb0072
commit a6974bf41b
7 changed files with 309 additions and 5 deletions


@@ -30,10 +30,12 @@ NRPE allows monitoring tools like NAGIOS or ICINGA to connect to clients for mon
### Features
INSTALLATION
* install binaries
* install nrpe binaries
CONFIGURATION
* manage NRPE service user properties
* manage directory structure (file system permissions, selinux context)
*
SERVICE
@@ -44,8 +46,11 @@ Repostructure has moved to REPOSTRUCTURE.md in repo.
All dependencies must be included in the catalogue.
* [cd_resources](https://gitlab.puppetsoft.com/12WW1160/cd_resources) to manage YUM repositories.
* [cd_stdlib](https://gitlab.puppetsoft.com/12WW1160/cd_stdlib) or [puppetlabs stdlib](https://github.com/puppetlabs/puppetlabs-stdlib) to facilitate concat
* [cd_concat](https://gitlab.puppetsoft.com/12WW1160/cd_stdlib) or [puppetlabs concat](https://github.com/puppetlabs/puppetlabs-concat) for concatenating files
### Deployment
`cd_nrpe` does typically not need to be specifically declared. It will be auto-required by `cd_nagios` with default settings. Only if you want to override settings declare it specifically.
##### native Puppet deployment
@@ -57,7 +62,7 @@ node 'example.example.net' {
}
```
#### through Foreman:
In order to apply parameters through Foreman, **__cd_nrpe::params__** must be added to the host or hostgroup in question.
In order to apply parameters through Foreman, **__cd_nrpe::params__** must be added to the host or hostgroup in question, unless the defaults are fully acceptable across the estate.
See [more details about class deployment on Confdroid.com](https://confdroid.com/2017/05/deploying-our-puppet-modules/).


@@ -26,6 +26,6 @@ class cd_nrpe::main::config (
) inherits cd_nrpe::params {
include cd_nrpe::main::user
include cd_nrpe::main::service
}

56
manifests/main/dirs.pp Normal file

@@ -0,0 +1,56 @@
## cd_nrpe::main::dirs.pp
# Module name: cd_nrpe
# Author: Arne Teuke (arne_teuke@ConfDroid.com)
# # License:
# This file is part of cd_nrpe.
#
# cd_nrpe is used for providing automatic configuration of
# <service / purpose>
# Copyright (C) 2016 ConfDroid (copyright@ConfDroid.com)
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# @summary Class manages all directories required for cd_nrpe.
###############################################################################
class cd_nrpe::main::dirs (
) inherits cd_nrpe::params {
require cd_nrpe::main::user
# manage main conf_d_dir
file { $ne_main_conf_d_dir:
ensure => directory,
path => $ne_main_conf_d_dir,
owner => 'root',
group => 'root',
mode => '0755',
selrange => s0,
selrole => object_r,
seltype => etc_t,
seluser => system_u,
}
file { $ne_run_dir:
ensure => directory,
path => $ne_run_dir,
owner => $ne_user,
group => $ne_user,
mode => '0755',
selrange => s0,
selrole => object_r,
seltype => var_run_t,
seluser => system_u,
}
}
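Review bot: The `file { $ne_main_conf_d_dir: ... }` resource creates `/etc/nrpe.d` as root:root `0755` with `seltype => etc_t`, while the main config in files.pp is `0640` with `nrpe_etc_t`, so the command definitions that the template's `include_dir` pulls in are less protected than the file that includes them. Since those snippets define what the daemon will execute (and, with the sudo prefix, under which privileges), consider `group => $ne_user,` with `mode => '0750',` and `seltype => nrpe_etc_t,` — assuming that policy type exists on the target, which files.pp already presumes. Neither resource sets `purge`/`recurse`, so unmanaged files dropped into the directory would still be loaded; a comment stating whether that is intended would help. The `path =>` attributes repeat the resource titles and can be dropped.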

44
manifests/main/files.pp Normal file

@@ -0,0 +1,44 @@
## cd_nrpe::main::files.pp
# Module name: cd_nrpe
# Author: Arne Teuke (arne_teuke@ConfDroid.com)
# # License:
# This file is part of cd_nrpe.
#
# cd_nrpe is used for providing automatic configuration of
# <service / purpose>
# Copyright (C) 2016 ConfDroid (copyright@ConfDroid.com)
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# @summary Class manages all configuration files required for cd_nrpe.
##############################################################################
class cd_nrpe::main::files (
) inherits cd_nrpe::params {
require cd_nrpe::main::dirs
file { $ne_main_conf_file:
ensure => file,
path => ne_main_conf_file,
owner => 'root',
group => 'root',
mode => '0640',
selrange => s0,
selrole => object_r,
seltype => nrpe_etc_t,
seluser => system_u,
content => template($ne_main_conf_file),
notify => Service[$ne_service],
}
}
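Review bot: `path => ne_main_conf_file,` is missing the `$`, so the path is the bare word rather than `/etc/nagios/nrpe.cfg`, and `content => template($ne_main_conf_file)` passes the target path to `template()` instead of the ERB name that params.pp defines as `$ne_nrpe_conf_head_erb`. As written this resource most likely fails at catalog compilation, so the restrictive `0640`/`nrpe_etc_t` settings are never applied. Suggested: `path => $ne_main_conf_file,` and `content => template($ne_nrpe_conf_head_erb),`. It is also worth confirming that root:root `0640` still lets the daemon re-read its config after it has dropped to `nrpe_user`; if not, `group => $ne_user,` keeps the file non-world-readable.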

37
manifests/main/service.pp Normal file

@@ -0,0 +1,37 @@
## cd_nrpe::main::service.pp
# Module name: cd_nrpe
# Author: Arne Teuke (arne_teuke@ConfDroid.com)
# # License:
# This file is part of cd_nrpe.
#
# cd_nrpe is used for providing automatic configuration of
# <service / purpose>
# Copyright (C) 2016 ConfDroid (copyright@ConfDroid.com)
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# @summary Class manages the service(s) for cd_nrpe.
#############################################################################
class cd_nrpe::main::service (
) inherits cd_nrpe::params {
require cd_nrpe::main::files
service { $ne_service:
ensure => running,
hasstatus => true,
hasrestart => true,
enable => true,
}
}


@@ -24,7 +24,66 @@
# @param [string] pkg_ensure
# which [package type](https://confdroid.com/2017/05/puppet-type-package/)
# to choose, i.e. `latest` or `present`.
##############################################################################
# @param [string] ne_log_facility the log facility to use.
# @param [string] ne_log_file If a log file is specified in this option,
# nrpe will write to that file instead of using syslog. i.e. /var/run/nrpe.log
# @param [string] ne_debug Whether debugging messages are logged to the
# syslog facility.
# @param [string] ne_nrpe_port the NRPE port. used in firewall ( optional)
# and configuration file.
# @param [string] ne_listen_queue_size Listen queue size (backlog) for
# serving incoming connections.
# @param [string] ne_nagios_server ipaddress of the nagios server to be allowed
# to connect to NRPE service. Default is to look up a global parameter from
# ENC.
# @param [string] ne_dont_blame_nrpe whether or not the NRPE daemon will
# allow clients to specify arguments to commands that are executed.
# @param [string] ne_allow_bash_cmd_subst whether or not the NRPE daemon will
# allow clients to specify arguments that contain bash command substitutions
# of the form $(...).
# @param [boolean] ne_allow_sudo Whether to allow sudo access. used in nrpe.cfg
# as well as for creating a sudo role.
# @param [string] command_prefix allows you to prefix all commands with a
# user-defined string.
# @param [string] ne_incl_fw Whether to include firewall rules
# @param [string] ne_command_timeout maximum number of seconds that the NRPE
# daemon will allow plugins to finish executing before killing them off.
# @param [string] ne_connection_timeout maximum number of seconds that the
# NRPE daemon will wait for a connection to be established before exiting.
# @param [string] ne_ssl_version These directives allow you to specify how to
# use SSL/TLS.
# @param [string] ne_ssl_use_adh This is for backward compatibility and is
# DEPRECATED. Set to 1 to enable ADH or 2 to require ADH. 1 is currently the
# default but will be changed in a later version.
# @param [string] ne_ssl_cipher_list ciphers can be used. For backward
# compatibility, this defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in
# this version but will be changed in a later version of NRPE.
# @param [string] ne_ssl_cacert_file path and name of the ssl certificate
# authority ( ca) file / chain. must be full path.
# @param [string] ne_ssl_cert_file path and name of the server ssl certificate.
# must include full path.
# @param [string] ne_ssl_privatekey_filepath and name of the server ssl
# private key. Must include full path.
# @param [string] ne_ssl_client_certs determines client certificate usage.
# Values: 0 = Don't ask for or require client certificates
# 1 = Ask for client certificates
# 2 = Require client certificates
# @param [string] ne_ssl_logging determines which SSL messages are send to
# syslog. OR values together to specify multiple options.
# Values: 0x00 (0) = No additional logging (default)
# 0x01 (1) = Log startup SSL/TLS parameters
# 0x02 (2) = Log remote IP address
# 0x04 (4) = Log SSL/TLS version of connections
# 0x08 (8) = Log which cipher is being used for the connection
# 0x10 (16) = Log if client has a certificate
# 0x20 (32) = Log details of client's certificate if it has one
# -1 or 0xff or 0x2f = All of the above
# @param [string] ne_nasty_metachars list of characters that cannot
# be passed to the NRPE daemon.
# @param [string] ne_include_file include definitions from an external
# config file.
# @param [string] ne_include_dir
###############################################################################
class cd_nrpe::params (
$pkg_ensure = 'latest',
@@ -33,10 +92,42 @@ $pkg_ensure = 'latest',
$ne_user = 'nrpe',
$ne_user_comment = 'NRPE service user',
$ne_user_uid = '1005',
$ne_user_home = '/var/run/nagios',
$ne_user_home = '/var/run/nrpe',
$ne_user_groups = undef,
$ne_user_shell = '/sbin/nologin',
# nrpe.cfg
$ne_log_facility = 'daemon'
$ne_log_file = '',
$ne_debug = '0',
$ne_nrpe_port = '5666',
$ne_server_address = '127.0.0.1',
$ne_listen_queue_size = '5',
$ne_nagios_server = $::nagios_server,
$ne_dont_blame_nrpe = '1',
$ne_allow_bash_cmd_subst = '1',
$ne_allow_sudo = true,
$ne_command_prefix = '/usr/bin/sudo',
$ne_command_timeout = '60',
$ne_connection_timeout = '300',
$ne_allow_weak_rnd_seed = '1',
$ne_ssl_version = 'TLSv1.1+',
$ne_ssl_use_adh = '1',
$ne_ssl_cipher_list = 'ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH',
$ne_ssl_cacert_file = '/etc/pki/tls/certs/ca-chain.crt.pem',
$ne_ssl_cert_file = "/etc/pki/tls/certs/${::fqdn}.crt.pem",
$ne_ssl_privatekey_file = "/etc/pki/tls/private/${::fqdn}.key.pem",
$ne_ssl_client_certs = '2',
$ne_ssl_logging = '0x00',
$ne_nasty_metachars = '\"|`&><\'\\[]{};\r\n\"',
$ne_include_file = '',
# firewall
$ne_incl_fw = true,
) {
# installation section
@@ -44,6 +135,18 @@ $reqpackages = $::operatingsystem ? {
/(?i-mx:centos|fedora|redhat)/ => ['nrpe'],
}
# service
$ne_service = 'nrpe'
# directories
$ne_main_conf_d_dir = '/etc/nrpe.d'
$ne_run_dir = '/var/run/nrpe'
# files
$ne_main_conf_file = '/etc/nagios/nrpe.cfg'
$ne_nrpe_conf_head_erb = 'cd_nrpe/nrpe_cfg_head.erb'
$ne_nrpe_pid_file = "${ne_run_dir}/nrpe.pid"
# includes must be last
include cd_nrpe::main::config
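Review bot: The new defaults in the parameter list (second hunk) turn on every remote-argument feature at once: `$ne_dont_blame_nrpe = '1'`, `$ne_allow_bash_cmd_subst = '1'`, and `$ne_allow_sudo = true` with `$ne_command_prefix = '/usr/bin/sudo'`, so any host in `allowed_hosts` can pass arguments, including `$(...)` substitutions, to commands that run under sudo. These should default to off and be opted into per host; the same applies to `$ne_ssl_use_adh = '1'` (documented in the first hunk as deprecated) and `$ne_allow_weak_rnd_seed = '1'`. Separately, `$ne_log_facility = 'daemon'` lacks its trailing comma, which looks like a parse error, and `$ne_nagios_server = $::nagios_server` reaches `allowed_hosts` without validation, so an unset global leaves a trailing empty entry. In the doc block, `command_prefix`, `ne_ssl_privatekey_filepath` and `ne_include_dir` do not match any parameter, and `ne_server_address` and `ne_allow_weak_rnd_seed` are undocumented. The class body continues outside the visible hunks.

```puppet
# nrpe.cfg
$ne_log_facility = 'daemon',
# … unchanged: log file, debug, port, server address, queue size, nagios server …
$ne_dont_blame_nrpe = '0',
$ne_allow_bash_cmd_subst = '0',
$ne_allow_sudo = false,
# … unchanged: command prefix, command and connection timeouts …
$ne_allow_weak_rnd_seed = '0',
# … unchanged: ssl version …
$ne_ssl_use_adh = '0',
```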


@@ -0,0 +1,59 @@
################################################################################
########## nrpe.cfg managed by Puppet ##########
########## manual changes will be overwritten !!! ##########
################################################################################
########## full reference is available at ##########
########## https://confdroid.com/2017/07/nrpe-nrpe-cfg/ ##########
################################################################################
log_facility=<%= @ne_log_facility %>
<% unless @ne_log_file.empty ? %>
log_file=<%= @ne_log_file %>
<% end %>
debug=<%= @ne_debug %>
pid_file=<% @ne_nrpe_pid_file %>
server_port=<%= @ne_nrpe_port %>
server_address=<%= @ne_server_address %>
listen_queue_size=<%= @ne_listen_queue_size %>
nrpe_user=<%= @ne_user %>
nrpe_group=<%= @ne_user %>
allowed_hosts=127.0.0.1,::1,<%= @ne_nagios_server %>
dont_blame_nrpe=<%= @ne_dont_blame_nrpe %>
allow_bash_command_substitution=<%= @ne_allow_bash_cmd_subst %>
<%= if @$ne_allow_sudo == true %>
command_prefix=<%= @ne_command_prefix %>
<% end %>
command_timeout=<%= @ne_command_timeout %>
connection_timeout=<%= @ne_connection_timeout %>
allow_weak_random_seed=<%= @ne_allow_weak_rnd_seed %>
ssl_version=<%= @ne_ssl_version %>
ssl_use_adh=<%= @ne_ssl_use_adh %>
ssl_cipher_list=<%= @ne_ssl_cipher_list %>
ssl_cacert_file=<%= @ne_ssl_cacert_file %>
ssl_cert_file=<%= @ne_ssl_cert_file %>
ssl_privatekey_file=<%= @ne_ssl_privatekey_file %>
ssl_client_certs=<%= @ne_ssl_client_certs %>
ssl_logging=<%= @ne_ssl_logging %>
nasty_metachars=<$= @ne_nasty_metachars %>
<% unless @ne_include_file.empty? %>
include=<%= @ne_include_file %>
<% end %>
include_dir=<%= @ne_main_conf_d_dir %>
### command definitions have been moved to include_dir for easier external
# management
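Review bot: Four tags in this template are malformed, and two of them weaken the rendered config rather than just breaking it: `pid_file=<% @ne_nrpe_pid_file %>` has no `=` and renders an empty value, and `nasty_metachars=<$= @ne_nasty_metachars %>` is not an ERB tag, so the filter list would not be the configured value, which matters because the defaults enable client-supplied arguments. `<% unless @ne_log_file.empty ? %>` and `<%= if @$ne_allow_sudo == true %>` are not valid Ruby, so the template most likely fails to render at all. The `allowed_hosts` line also appends `@ne_nagios_server` unconditionally, leaving a trailing comma when it is unset. The section may continue past the last visible line.

```erb
<%# … unchanged: banner, log_facility … %>
<% unless @ne_log_file.empty? %>
<%# … unchanged: log_file, debug … %>
pid_file=<%= @ne_nrpe_pid_file %>
<%# … unchanged: server_port through allow_bash_command_substitution … %>
<% if @ne_allow_sudo == true %>
<%# … unchanged: command_prefix through ssl_logging … %>
nasty_metachars=<%= @ne_nasty_metachars %>
```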