From 5075df2bf57feb9dcde8e483a81031b08e5c1f49 Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Mon, 13 Feb 2017 07:11:36 +0100 Subject: [PATCH 01/34] Remove unneeded variables --- defaults/main.yml | 39 +++++++++++++++++++++------------------ 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 43ed018..ca52f29 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -239,14 +239,14 @@ checkmk_server__ssh_arguments: '-o BatchMode=yes -o StrictHostKeyChecking=no -o # # Indicate if this site is a distributed monitoring slave which receives the # Check_MK configuration from another Check_MK server instance. -checkmk_server__multisite_slave: False +#checkmk_server__multisite_slave: False # ]]] # .. envvar:: checkmk_server__multisite_livestatus [[[ # # Enable multisite Livestatus service. This is required for distributed # monitoring of this site. -checkmk_server__multisite_livestatus: '{{ True if checkmk_server__multisite_slave|d() else False }}' +#checkmk_server__multisite_livestatus: '{{ True if checkmk_server__multisite_slave|d() else False }}' # ]]] # .. envvar:: checkmk_server__multisite_config_path [[[ 
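Review bot: The commit title says the variables are removed, but the hunk only comments them out (`#checkmk_server__multisite_slave: False`, `#checkmk_server__multisite_livestatus: ...`) and leaves their `.. envvar::` documentation blocks in place, so the generated docs keep advertising two variables that no longer exist; either delete the lines together with their `# .. envvar:: ... [[[` / `# ]]]` sections or keep them defined. Elsewhere in this file `checkmk_server__omd_config` still reads `checkmk_server__multisite_livestatus|d()` after this patch, so the Livestatus OMD settings become unreachable rather than removed, which is presumably why a later patch in the series has to touch them again. Unrelated to the change itself, the hunk header shows `checkmk_server__ssh_arguments` carrying `-o StrictHostKeyChecking=no`; if that default survives the series, the variable's documentation should carry a caveat that SSH-based checks run from the site do not verify host keys.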
@@ -450,27 +450,30 @@ checkmk_server__multisite_user_connection_defaults: # # Distributed monitoring sites configuration. For more details see # :ref:`checkmk_server__ref_distributed_sites` -checkmk_server__distributed_sites: {} +#checkmk_server__distributed_sites: {} +# name: site_name +# inventory_host: slavehost +# tls # ]]] # .. envvar:: checkmk_server__distributed_sites_defaults [[[ # # Default sites properties for distributed monitoring. -checkmk_server__distributed_sites_defaults: - username: 'sitesync' - password: '{{ lookup("password", secret + "/credentials/" + ansible_fqdn + "/checkmk_server/" + checkmk_server__site + "/sitesync/password") }}' - disabled: False - disable_wato: True - insecure: False - multisiteurl: '' - persist: False - replicate_ec: False - replicate_mkps: True - replication: '' - status_host: None - timeout: 10 - url_prefix: '' - user_login: True +#checkmk_server__distributed_sites_defaults: + #username: 'sitesync' + #password: '{{ lookup("password", secret + "/credentials/" + ansible_fqdn + "/checkmk_server/" + checkmk_server__site + "/sitesync/password") }}' + #disabled: False + #disable_wato: True + #insecure: False + #multisiteurl: '' + #persist: False + #replicate_ec: False + #replicate_mkps: True + #replication: '' + #status_host: None + #timeout: 10 + #url_prefix: '' + #user_login: True # ]]] # ]]] # Monitoring Rules [[[ From 66259aa9a32982464cec3c5bf3101a8afe1c0cca Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Wed, 29 Mar 2017 08:09:42 +0200 Subject: [PATCH 02/34] Add current status of site creation --- defaults/main.yml | 63 ++-- tasks/main.yml | 60 ++-- tasks/site.yml | 367 +++++++++++----------- templates/lookup/checkmk_server__sites.j2 | 150 +++++++++ 4 files changed, 397 insertions(+), 243 deletions(-) create mode 100644 templates/lookup/checkmk_server__sites.j2 diff --git a/defaults/main.yml b/defaults/main.yml index ca52f29..d857328 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
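Review bot: The commented-out `checkmk_server__distributed_sites_defaults` block keeps its indentation and places the `#` after the leading spaces (` #username: 'sitesync'`, ` #password: '{{ lookup("password", ...) }}'`), which is neither valid YAML to reactivate nor a conventional comment; parked code of this size should be deleted, since the `password` lookup in it will drift from the live one in `checkmk_server__multisite_debops_users` and nothing checks it. The three new lines under `#checkmk_server__distributed_sites: {}` (`# name: site_name`, `# inventory_host: slavehost`, `# tls`) read like an example entry but do not form a complete one; I would either write a full example (`#   - name: 'slave1'` with the keys the role actually reads) or drop them and rely on the `:ref:` to `checkmk_server__ref_distributed_sites` that the comment above already gives.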
@@ -19,10 +19,11 @@ checkmk_server__version: '1.2.8p21' # ]]] -# .. envvar:: checkmk_server__version_label [[[ +# .. envvar:: checkmk_server__version_suffix [[[ # -# Check_MK version label used with the :command:`omd` tool. -checkmk_server__version_label: '{{ checkmk_server__version }}.cre' +# Check_MK version suffix to :envvar:`checkmk_server__version` used with the +# :command:`omd` tool. +checkmk_server__version_suffix: '.cre' # ]]] # .. envvar:: checkmk_server__site_update [[[ @@ -37,9 +38,9 @@ checkmk_server__site_update: False # Custom patches to apply after installing Check_MK package checkmk_server__patches: - patch: 'check-mk-raw-1.2.8-set-https-proxy-header.patch' - file: '/omd/versions/{{ checkmk_server__version_label }}/skel/etc/apache/apache-own.conf' + file: '/omd/versions/{{ checkmk_server__version }}{{ checkmk_version__suffix }}/skel/etc/apache/apache-own.conf' - patch: 'check-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch' - file: '/omd/versions/{{ checkmk_server__version_label }}/skel/etc/apache/conf.d/omd.conf' + file: '/omd/versions/{{ checkmk_server__version }}{{ checkmk_version__suffix }}/skel/etc/apache/conf.d/omd.conf' # ]]] # .. envvar:: checkmk_server__ferm_dependent_rules [[[ @@ -171,10 +172,9 @@ checkmk_server__webapi_url: '{{ checkmk_server__site_url + "/check_mk/webapi.py" # :ref:`checkmk_server__ref_omd_config` for more details. checkmk_server__omd_config: '{{ checkmk_server__omd_config_email + - checkmk_server__omd_config_core + - (checkmk_server__omd_config_livestatus if checkmk_server__multisite_livestatus|d() else []) + checkmk_server__omd_config_core }}' - # ]]] + # .. envvar:: checkmk_server__omd_config_email [[[ # 
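Review bot: `checkmk_server__patches` now builds the target path as `/omd/versions/{{ checkmk_server__version }}{{ checkmk_version__suffix }}/...`, but the variable introduced in the first hunk is `checkmk_server__version_suffix`; `checkmk_version__suffix` is defined nowhere in this file, so both `file:` entries fail with an undefined-variable error as soon as the patch task renders them (or, with undefined-variable errors disabled, target `/omd/versions/1.2.8p21/`, which does not exist). Both lines should read `file: '/omd/versions/{{ checkmk_server__version }}{{ checkmk_server__version_suffix }}/skel/etc/apache/apache-own.conf'` and the `conf.d/omd.conf` equivalent. In the third hunk the closing `# ]]]` fold marker of `checkmk_server__omd_config` is replaced by a blank line, which leaves the `[[[`/`]]]` markers used for documentation generation unbalanced.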
@@ -191,16 +191,6 @@ checkmk_server__omd_config_core: - var: 'CORE' value: 'icinga' - # ]]] -# .. envvar:: checkmk_server__omd_config_livestatus [[[ -# -# Livestatus service configuration via OMD. -checkmk_server__omd_config_livestatus: - - var: 'LIVESTATUS_TCP' - value: 'on' - - var: 'LIVESTATUS_TCP_PORT' - value: '{{ checkmk_server__livestatus_port }}' - # ]]] # .. envvar:: checkmk_server__sshkeys [[[ # 
@@ -450,34 +440,33 @@ checkmk_server__multisite_user_connection_defaults: # # Distributed monitoring sites configuration. For more details see # :ref:`checkmk_server__ref_distributed_sites` -#checkmk_server__distributed_sites: {} +checkmk_server__distributed_sites: [] # name: site_name # inventory_host: slavehost # tls + # ]]] +# .. envvar:: checkmk_server__sites [[[ +# +# List of expanded sites configuration used for distributed sites setup. +checkmk_server__sites: '{{ lookup("template", "lookup/checkmk_server__sites.j2", convert_data=False) | from_yaml }}' + # ]]] # .. envvar:: checkmk_server__distributed_sites_defaults [[[ # # Default sites properties for distributed monitoring. -#checkmk_server__distributed_sites_defaults: - #username: 'sitesync' +checkmk_server__distributed_sites_defaults: + multisite_username: 'sitesync' #password: '{{ lookup("password", secret + "/credentials/" + ansible_fqdn + "/checkmk_server/" + checkmk_server__site + "/sitesync/password") }}' - #disabled: False - #disable_wato: True - #insecure: False - #multisiteurl: '' - #persist: False - #replicate_ec: False - #replicate_mkps: True - #replication: '' - #status_host: None - #timeout: 10 - #url_prefix: '' - #user_login: True - # ]]] - # ]]] -# Monitoring Rules [[[ -# -------------------- + multisite_disable_wato: True + multisite_insecure: False + multisite_persist: False + multisite_replicate_ec: False + multisite_replicate_mkps: True + multisite_replication: True + multisite_status_host: None + multisite_timeout: 10 + multisite_user_login: True # .. envvar:: checkmk_server__site_config_path [[[ # diff --git a/tasks/main.yml b/tasks/main.yml index 974a786..0c339cf 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,6 +1,11 @@ --- # vim: foldmarker=[[[,]]]:foldmethod=marker +#- debug: +# var: checkmk_server__sites +#- fail: +# msg: 'bla' + - name: Install prerequisite packages apt: name: '{{ item }}' 
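Review bot: `multisite_status_host: None` in the new `checkmk_server__distributed_sites_defaults` is the YAML string `'None'`, not a null (YAML null is `null` or `~`), so whatever renders it into the site's `sites.mk` receives the text `None`; that may happen to work if it is interpolated unquoted into Python, but it is fragile — use `multisite_status_host: null` or leave the key out. The removed `# ]]]` / `# ]]]` / `# Monitoring Rules [[[` lines are not re-added after the new defaults, so the `distributed_sites_defaults` fold stays open and the `Monitoring Rules` section heading disappears from the generated docs. The `password:` line is still parked as an indented `#password: ...` comment; since the lookup template now derives `multisite_password` itself, delete the line rather than keep a stale copy of the secret path. `multisite_insecure: False` and `multisite_replication: True` are sane defaults, but as `multisite_url` is hard-coded to `https://` in the lookup template, a one-line comment here that `multisite_insecure` presumably controls certificate verification of that sync connection would help readers keep it `False`.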
@@ -98,19 +103,24 @@ - name: Manage Check_MK site include: site.yml - when: checkmk_server__site|d() + with_items: '{{ checkmk_server__sites }}' + loop_control: + loop_var: site_item -- name: Check distributed site state - stat: - path: '{{ checkmk_server__site_home }}/{{ checkmk_server__site_config_path }}/distributed_wato.mk' - register: checkmk_server__multisite_distributed_wato_mk +- fail: + msg: 'Check what happend so far' -- name: Monitoring site user authentication - include: users.yml - when: checkmk_server__site|d() and - ((checkmk_server__multisite_slave|d() and - not checkmk_server__multisite_distributed_wato_mk.stat.exists) or - not checkmk_server__multisite_slave|d()) +#- name: Check distributed site state +# stat: +# path: '{{ checkmk_server__site_home }}/{{ checkmk_server__site_config_path }}/distributed_wato.mk' +# register: checkmk_server__multisite_distributed_wato_mk + +#- name: Monitoring site user authentication +# include: users.yml +# when: checkmk_server__site|d() and +# ((checkmk_server__multisite_slave|d() and +# not checkmk_server__multisite_distributed_wato_mk.stat.exists) or +# not checkmk_server__multisite_slave|d()) - name: Manage WATO and monitoring rules include: wato.yml 
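Review bot: The new unconditional `- fail: msg: 'Check what happend so far'` sits between the site include and `Manage WATO and monitoring rules`, so every run of the role now aborts after site creation and nothing below it (WATO, rules, the local facts) is ever executed; this looks like a debugging breakpoint that should not land on the branch. Commenting out the `Monitoring site user authentication` include also means the `ansible` automation user and the `sitesync` account from `checkmk_server__multisite_debops_users` are no longer created on a fresh site, so presumably nothing downstream that talks to `checkmk_server__webapi_url` can authenticate until `users.yml` is wired back in. Drop the `fail` task and either restore the include under the new loop (`include: users.yml` with `with_items: '{{ checkmk_server__sites }}'` and `loop_control: loop_var: site_item`) or leave a `# TODO:` stating that user management is intentionally disabled in this intermediate state.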
@@ -124,17 +134,17 @@ group: 'root' mode: '0755' -- name: Save Check_MK server local facts - template: - src: 'etc/ansible/facts.d/checkmk_server.fact.j2' - dest: '/etc/ansible/facts.d/checkmk_server.fact' - owner: 'root' - group: 'root' - mode: '0644' - register: checkmk_server_register_local_facts - when: checkmk_server__sshkeys|d() - -- name: Gather facts if they were modified - action: setup - when: checkmk_server_register_local_facts|d() and - (checkmk_server_register_local_facts | changed) +#- name: Save Check_MK server local facts +# template: +# src: 'etc/ansible/facts.d/checkmk_server.fact.j2' +# dest: '/etc/ansible/facts.d/checkmk_server.fact' +# owner: 'root' +# group: 'root' +# mode: '0644' +# register: checkmk_server_register_local_facts +# when: checkmk_server__sshkeys|d() + +#- name: Gather facts if they were modified +# action: setup +# when: checkmk_server_register_local_facts|d() and +# (checkmk_server_register_local_facts | changed) diff --git a/tasks/site.yml b/tasks/site.yml index 9cbd60d..679ef73 100644 --- a/tasks/site.yml +++ b/tasks/site.yml 
@@ -2,184 +2,189 @@ # vim: foldmarker=[[[,]]]:foldmethod=marker # Check_MK site configuration [[[1 -- name: Get Check_MK default version - stat: - path: '/omd/versions/default' - register: checkmk_server_register_default - always_run: True - -- name: Set new default version - command: omd setversion '{{ checkmk_server__version_label }}' - ignore_errors: '{{ ansible_check_mode }}' - when: (checkmk_server_register_default.stat.lnk_source | - basename) != checkmk_server__version_label - -- name: Create Check_MK site - command: omd create '{{ checkmk_server__site }}' - args: - creates: '/omd/sites/{{ checkmk_server__site }}/etc/omd/site.conf' - -- name: Get Check_MK site version - command: omd version '{{ checkmk_server__site }}' - register: checkmk_server_register_site_version - changed_when: False - always_run: True - ignore_errors: '{{ ansible_check_mode }}' - -- name: Trigger site version update - set_fact: - checkmk_server__fact_update: True - always_run: True - ignore_errors: '{{ ansible_check_mode }}' - when: checkmk_server__site_update|bool and - ((checkmk_server_register_site_version.stdout.split(" ")[-1] | splitext)[0] | - version_compare(checkmk_server__version, "<")) - -- name: Check cron.allow file - stat: - path: '/etc/cron.allow' - register: checkmk_server_register_cron - -- name: Grant cron permissions to Check_MK user - lineinfile: - dest: '/etc/cron.allow' - line: '{{ checkmk_server__user }}' - regexp: '^{{ checkmk_server__user }}$' - when: checkmk_server_register_cron.stat.exists - notify: [ 'Restart Check_MK' ] - -- name: Query OMD configuration - command: omd config '{{ checkmk_server__site }}' show '{{ item.var }}' - with_items: '{{ checkmk_server__omd_config }}' - register: checkmk_server__register_omd_config - changed_when: False - always_run: True - ignore_errors: '{{ ansible_check_mode }}' - -- name: Shutdown Check_MK site (if required) - command: omd stop '{{ checkmk_server__site }}' - when: (not (item.item.value|string) == item.stdout) or - 
checkmk_server__fact_update|d(False) - with_items: '{{ checkmk_server__register_omd_config.results - if not "failed" in checkmk_server__register_omd_config else [] }}' - register: checkmk_server__register_omd_stop - -- name: Run Check_MK site update - command: omd --force update '{{ checkmk_server__site }}' - ignore_errors: '{{ ansible_check_mode }}' - when: checkmk_server__fact_update|d(False) - -- name: Set OMD site properties - command: omd config '{{ checkmk_server__site }}' set '{{ item.item.var }}' '{{ item.item.value }}' - when: not item.stdout == (item.item.value|string) - with_items: '{{ checkmk_server__register_omd_config.results - if not "failed" in checkmk_server__register_omd_config else [] }}' - -- name: Enable Check_MK service - service: - name: 'check-mk-raw-{{ checkmk_server__version if checkmk_server__fact_update|d() else (checkmk_server_register_site_version.stdout.split(" ")[-1] | splitext)[0] }}' - enabled: yes - ignore_errors: '{{ ansible_check_mode }}' - -- name: Start Check_MK site (if required) - command: omd start '{{ checkmk_server__site }}' - when: checkmk_server__register_omd_stop | changed - -- name: Create .ssh directory - file: - path: '{{ checkmk_server__site_home }}/.ssh' - state: directory - owner: '{{ checkmk_server__user }}' - group: '{{ checkmk_server__group }}' - mode: '0700' - when: checkmk_server__sshkeys|d() - -- name: Generate SSH keypair - command: 'ssh-keygen {{ "-b " + checkmk_server__sshkeys.keysize if "keysize" in checkmk_server__sshkeys else "-b 4096" }} -f {{ checkmk_server__site_home }}/.ssh/id_rsa -N ""' - args: - creates: '{{ checkmk_server__site_home }}/.ssh/id_rsa' - when: checkmk_server__sshkeys|d() and - ("generate_keypair" in checkmk_server__sshkeys|d() and - checkmk_server__sshkeys.generate_keypair) - -- name: Fix SSH keypair ownership - file: - path: '{{ checkmk_server__site_home }}/.ssh/{{ item }}' - owner: '{{ checkmk_server__user }}' - group: '{{ checkmk_server__group }}' - ignore_errors: '{{ 
ansible_check_mode }}' - with_items: [ 'id_rsa', 'id_rsa.pub' ] - when: checkmk_server__sshkeys|d() and - ("generate_keypair" in checkmk_server__sshkeys|d() and - checkmk_server__sshkeys.generate_keypair) - -- name: Copy SSH private key - copy: - src: '{{ checkmk_server__sshkeys.privatekey_file }}' - dest: '{{ checkmk_server__site_home }}/.ssh/id_rsa' - owner: '{{ checkmk_server__user }}' - group: '{{ checkmk_server__group }}' - mode: '0600' - when: checkmk_server__sshkeys|d() and - "privatekey_file" in checkmk_server__sshkeys|d() - -- name: Copy SSH public key - copy: - src: '{{ checkmk_server__sshkeys.publickey_file }}' - dest: '{{ checkmk_server__site_home }}/.ssh/id_rsa.pub' - owner: '{{ checkmk_server__user }}' - group: '{{ checkmk_server__group }}' - mode: '0644' - when: checkmk_server__sshkeys|d() and - "publickey_file" in checkmk_server__sshkeys|d() - -- name: Read SSH public key - command: 'cat {{ checkmk_server__site_home }}/.ssh/id_rsa.pub' - changed_when: False - ignore_errors: '{{ ansible_check_mode }}' - register: checkmk_server__register_ssh_public_key - when: checkmk_server__sshkeys|d() - -- name: Query installed Check_MK packages - command: mkp list - become_user: '{{ checkmk_server__user }}' - become_flags: '-i' - changed_when: False - always_run: True - register: checkmk_server__register_mkp - tags: - - 'role::checkmk_server:mkp' - -- name: Download Check_MK packages - get_url: - url: '{{ item.url }}' - dest: '{{ checkmk_server__site_home }}/tmp' - checksum: '{{ item.checksum|d(omit) }}' - when: ('url' in item) and - (item.name not in checkmk_server__register_mkp.stdout_lines) - register: checkmk_server__register_mkp_download - with_items: '{{ checkmk_server__site_packages }}' - tags: - - 'role::checkmk_server:mkp' - -- name: Upload Check_MK packages - copy: - src: '{{ item.path }}' - dest: '{{ checkmk_server__site_home }}/tmp' - when: ('path' in item) and - (item.name not in checkmk_server__register_mkp.stdout_lines) - register: 
checkmk_server__register_mkp_upload - with_items: '{{ checkmk_server__site_packages }}' - tags: - - 'role::checkmk_server:mkp' - -- name: Install Check_MK packages - command: mkp install '{{ item.dest|d() }}' - become_user: '{{ checkmk_server__user }}' - become_flags: '-i' - when: not (item | skipped) - with_flattened: - - '{{ checkmk_server__register_mkp_download.results }}' - - '{{ checkmk_server__register_mkp_upload.results }}' - tags: - - 'role::checkmk_server:mkp' +- name: Run site setup + block: + + - name: Get Check_MK default version + stat: + path: '/omd/versions/default' + register: checkmk_server__register_default + check_mode: no + + - name: Set new default version + command: omd setversion '{{ site_item.version }}{{ checkmk_server__version_suffix }}' + when: (checkmk_server__register_default.stat.lnk_source | + basename) != (site_item.version + checkmk_server__version_suffix) + + - name: Create Check_MK site + command: omd create '{{ site_item.name }}' + args: + creates: '{{ site_item.home }}/etc/omd/site.conf' + + - name: Get Check_MK site version + command: omd version '{{ site_item.name }}' + register: checkmk_server__register_site_version + changed_when: False + check_mode: no + + - name: Trigger site version update + set_fact: + checkmk_server__fact_update: '{{ site_item.update and + ((checkmk_server__register_site_version.stdout.split(" ")[-1] | splitext)[0] | + version_compare(site_item.version, "<")) }}' + check_mode: no + + - name: Check cron.allow file + stat: + path: '/etc/cron.allow' + register: checkmk_server__register_cron + + - name: Grant cron permissions to Check_MK user + lineinfile: + dest: '/etc/cron.allow' + line: '{{ site_item.user }}' + regexp: '^{{ site_item.user }}$' + when: checkmk_server__register_cron.stat.exists + notify: [ 'Restart Check_MK' ] + + - name: Query OMD configuration + command: omd config '{{ site_item.name }}' show '{{ item.var }}' + with_items: '{{ site_item.omd_config }}' + register: 
checkmk_server__register_omd_config + changed_when: False + check_mode: no + + - name: Shutdown Check_MK site (if required) + command: omd stop '{{ site_item.name }}' + when: (not (item.item.value|string) == item.stdout) or + checkmk_server__fact_update|d(False) + with_items: '{{ checkmk_server__register_omd_config.results + if not "failed" in checkmk_server__register_omd_config else [] }}' + register: checkmk_server__register_omd_stop + + - name: Run Check_MK site update + command: omd --force update '{{ site_item.name }}' + when: checkmk_server__fact_update|d(False) + + - name: Set OMD site properties + command: omd config '{{ site_item.name }}' set '{{ item.item.var }}' '{{ item.item.value }}' + when: not item.stdout == (item.item.value|string) + with_items: '{{ checkmk_server__register_omd_config.results + if not "failed" in checkmk_server__register_omd_config else [] }}' + + - name: Enable Check_MK service + service: + name: 'check-mk-raw-{{ site_item.version + if checkmk_server__fact_update|d() + else (checkmk_server__register_site_version.stdout.split(" ")[-1] | splitext)[0] }}' + enabled: yes + ignore_errors: '{{ ansible_check_mode }}' + + - name: Start Check_MK site (if required) + command: omd start '{{ site_item.name }}' + when: checkmk_server__register_omd_stop | changed + + - name: Create .ssh directory + file: + path: '{{ site_item.home }}/.ssh' + state: directory + owner: '{{ site_item.user }}' + group: '{{ site_item.group }}' + mode: '0700' + when: site_item.sshkeys + + - name: Generate SSH keypair + become_user: '{{ site_item.user }}' + command: 'ssh-keygen {{ "-b " + site_item.sshkeys.keysize if "keysize" in site_item.sshkeys else "-b 4096" }} -f {{ site_item.home }}/.ssh/id_rsa -N ""' + args: + creates: '{{ site_item.home }}/.ssh/id_rsa' + when: site_item.sshkeys and site_item.sshkeys.generate_keypair|d(False) + +# - name: Fix SSH keypair ownership +# file: +# path: '{{ checkmk_server__site_home }}/.ssh/{{ item }}' +# owner: '{{ 
checkmk_server__user }}' +# group: '{{ checkmk_server__group }}' +# ignore_errors: '{{ ansible_check_mode }}' +# with_items: [ 'id_rsa', 'id_rsa.pub' ] +# when: checkmk_server__sshkeys|d() and +# ("generate_keypair" in checkmk_server__sshkeys|d() and +# checkmk_server__sshkeys.generate_keypair) + + - name: Copy SSH private key + copy: + src: '{{ site_item.sshkeys.privatekey_file }}' + dest: '{{ site_item.home }}/.ssh/id_rsa' + owner: '{{ site_item.user }}' + group: '{{ site_item.group }}' + mode: '0600' + when: site_item.sshkeys and site_item.sshkeys.privatekey_file|d(False) + + - name: Copy SSH public key + copy: + src: '{{ site_item.sshkeys.publickey_file }}' + dest: '{{ site_item.home }}/.ssh/id_rsa.pub' + owner: '{{ site_item.user }}' + group: '{{ site_item.group }}' + mode: '0644' + when: site_item.sshkeys and site_item.sshkeys.publickey_file|d(False) + +# - name: Read SSH public key +# command: 'cat {{ checkmk_server__site_home }}/.ssh/id_rsa.pub' +# changed_when: False +# ignore_errors: '{{ ansible_check_mode }}' +# register: checkmk_server__register_ssh_public_key +# when: checkmk_server__sshkeys|d() + +# - name: Query installed Check_MK packages +# command: mkp list +# become_user: '{{ checkmk_server__user }}' +# become_flags: '-i' +# changed_when: False +# always_run: True +# register: checkmk_server__register_mkp +# tags: +# - 'role::checkmk_server:mkp' + +# - name: Download Check_MK packages +# get_url: +# url: '{{ item.url }}' +# dest: '{{ checkmk_server__site_home }}/tmp' +# checksum: '{{ item.checksum|d(omit) }}' +# when: ('url' in item) and +# (item.name not in checkmk_server__register_mkp.stdout_lines) +# register: checkmk_server__register_mkp_download +# with_items: '{{ checkmk_server__site_packages }}' +# tags: +# - 'role::checkmk_server:mkp' + +# - name: Upload Check_MK packages +# copy: +# src: '{{ item.path }}' +# dest: '{{ checkmk_server__site_home }}/tmp' +# when: ('path' in item) and +# (item.name not in 
checkmk_server__register_mkp.stdout_lines) +# register: checkmk_server__register_mkp_upload +# with_items: '{{ checkmk_server__site_packages }}' +# tags: +# - 'role::checkmk_server:mkp' + +# - name: Install Check_MK packages +# command: mkp install '{{ item.dest|d() }}' +# become_user: '{{ checkmk_server__user }}' +# become_flags: '-i' +# when: not (item | skipped) +# with_flattened: +# - '{{ checkmk_server__register_mkp_download.results }}' +# - '{{ checkmk_server__register_mkp_upload.results }}' +# tags: +# - 'role::checkmk_server:mkp' + + rescue: + - name: Print current site configuration + debug: + var: site_item + + # delegate block + delegate_to: '{{ site_item.delegate_to + if (not site_item.delegate_to == inventory_hostname) else omit }}' diff --git a/templates/lookup/checkmk_server__sites.j2 b/templates/lookup/checkmk_server__sites.j2 new file mode 100644 index 0000000..93799ce --- /dev/null +++ b/templates/lookup/checkmk_server__sites.j2 
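Review bot: The `rescue:` branch dumps the whole `site_item` with `debug: var: site_item` and then lets the play continue; a `rescue` that does not re-raise marks the block as recovered, so a failed `omd create` or `omd --force update` on one site is logged and then silently ignored by everything that follows. `site_item` is the expanded entry from `lookup/checkmk_server__sites.j2`, which carries `multisite_password` (from `lookup('password', ...)`) and the `sshkeys` settings, so this debug writes a replication credential to the Ansible log on every failure. I would replace the rescue body with `- fail: msg: 'Site setup for {{ site_item.name }} failed'` and never print `site_item` unfiltered (at minimum `no_log: True` on the debug, and consider `no_log` on the tasks that receive secret-bearing values). The block-level `delegate_to: '{{ ... else omit }}'` relies on `omit` being honoured for a task keyword rather than a module argument; I would confirm on the targeted Ansible version that this yields "run on the current host" and not a literal omit placeholder used as a host name. `Generate SSH keypair` still creates a passphrase-less `id_rsa` (`-N ""`), now under `become_user: '{{ site_item.user }}'`; that is unchanged behaviour, but a one-line comment that the key's protection is only the `0700` site `.ssh` directory would be worth adding.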
@@ -0,0 +1,150 @@ +{# + # Get site configuration + # + # This Jinja templates requires at least Ansible 2.1.4, 2.2.2, 2.3.0, see: + # https://github.com/ansible/ansible/issues/14542 + #} + +{% if not checkmk_server__distributed_sites %} +[] +{% else %} +{% set _sites = [] %} +{% set _local_site = {} %} +{% set _ = _local_site.update({'connection': 'local'}) %} +{% set _ = _local_site.update({'delegate_to': inventory_hostname}) %} +{% set _ = _local_site.update({'group': checkmk_server__site}) %} +{% set _ = _local_site.update({'home': checkmk_server__site_home}) %} +{% set _ = _local_site.update({'name': checkmk_server__site}) %} +{% set _ = _local_site.update({'omd_config': checkmk_server__omd_config}) %} +{% set _ = _local_site.update({'sshkeys': checkmk_server__sshkeys}) %} +{% set _ = _local_site.update({'update': checkmk_server__site_update}) %} +{% set _ = _local_site.update({'user': checkmk_server__site}) %} +{% set _ = _local_site.update({'version': checkmk_server__version}) %} +{% set _ = _sites.append(_local_site) %} +{% for _site_config in checkmk_server__distributed_sites %} +{# + # Set default values if undefined + #} +{% for _key, _value in checkmk_server__distributed_sites_defaults.iteritems() %} +{% if not _key in _site_config.keys() %} +{% set _ = _site_config.update({_key: _value}) %} +{% endif %} +{% endfor %} +{# + # If version is not defined, use global definition + #} +{% if not 'version' in _site_config.keys() %} +{% set _ = _site_config.update({'version': checkmk_server__version}) %} +{% endif %} +{% if not 'update' in _site_config.keys() %} +{% set _ = _site_config.update({'update': checkmk_server__site_update}) %} +{% endif %} +{# + # Auto-detect master site. 
Use the first site with 'connection=local' + #} +{% if not 'master_site' in _site_config.keys() %} +{% for _site in _sites %} +{% if ('connection' in _site.keys()) and (_site.connection == 'local') %} +{% set _ = _site_config.update({'master_site': _site.name}) %} +{% endif %} +{% endfor %} +{% endif %} +{% if not 'master_delegate_to' in _site_config.keys() %} +{% set _ = _site_config.update({'master_delegate_to': inventory_hostname}) %} +{% endif %} +{# + # If hostname for the site is not defined, query server facts + #} +{% if not 'hostname' in _site_config %} +{% if 'checkmk_server__hostname' in hostvars[_site_config.delegate_to].keys() %} +{% set _ = _site_config.update({'hostname': hostvars[_site_config.delegate_to].checkmk_server__hostname}) %} +{% elif 'ansible_fqdn' in hostvars[_site_config.delegate_to].keys() %} +{% set _ = _site_config.update({'hostname': hostvars[_site_config.delegate_to].ansible_fqdn}) %} +{% else %} +{% set _ = _site_config.update({'hostname': _site_config.delegate_to + "." 
+ ansible_domain}) %} +{% endif %} +{% endif %} +{# + # Set some fix installation defaults + #} +{% set _ = _site_config.update({'user': _site_config.name}) %} +{% set _ = _site_config.update({'group': _site_config.name}) %} +{% set _ = _site_config.update({'home': checkmk_server__site_home|dirname + '/' + _site_config.name}) %} +{# + # SSH keypair setup + #} +{% if not 'sshkeys' in _site_config %} +{% if 'checkmk_server__sshkeys' in hostvars[_site_config.delegate_to].keys() %} +{% set _ = _site_config.update({'sshkeys': hostvars[_site_config.delegate_to].checkmk_server__sshkeys}) %} +{% else %} +{% set _ = _site_config.update({'sshkeys': checkmk_server__sshkeys}) %} +{% endif %} +{% endif %} +{# + # Define TCP livestatus connection + #} +{% if not 'livestatus_port' in _site_config %} +{% if 'checkmk_server__livestatus_port' in hostvars[_site_config.delegate_to].keys() %} +{% set _ = _site_config.update({'livestatus_port': hostvars[_site_config.delegate_to].checkmk_server__livestatus_port}) %} +{% else %} +{% set _ = _site_config.update({'livestatus_port': (checkmk_server__livestatus_port | string)}) %} +{% endif %} +{% endif %} +{% if not 'livestatus_socket' in _site_config.keys() %} +{% set _ = _site_config.update({'livestatus_socket': 'tcp:' + _site_config.hostname + ':' + (checkmk_server__livestatus_port | string)}) %} +{% endif %} +{# + # Define OMD configuration + #} +{% if not 'omd_config' in _site_config.keys() %} +{% if 'checkmk_server__omd_config' in hostvars[_site_config.delegate_to].keys() %} +{% set _omd_config_origin = hostvars[_site_config.delegate_to].checkmk_server__omd_config %} +{% else %} +{% set _omd_config_origin = checkmk_server__omd_config %} +{% endif %} +{% set _omd_config = [] %} +{% for _list_item in _omd_config_origin %} +{% set _ = _omd_config.append(_list_item) %} +{% endfor %} +{% if _site_config.livestatus_port %} +{% set _ = _omd_config.extend([{'var': 'LIVESTATUS_TCP', 'value': 'on'}, {'var': 'LIVESTATUS_TCP_PORT', 'value': 
_site_config.livestatus_port}]) %} +{% endif %} +{% set _ = _site_config.update({'omd_config': _omd_config}) %} +{% endif %} +{# + # Define multisite user password + #} +{% if (not 'multisite_password' in _site_config.keys()) and + ((_site_config.multisite_replication == True) or (_site_config.connection == 'local')) %} +{% set _ = _site_config.update({'multisite_password': lookup('password', secret + '/credentials/' + (_site_config.master_delegate_to|d(inventory_hostname)) + '/checkmk_server/' + _site_config.name + '/' + _site_config.multisite_username + '/password')}) %} +{% endif %} +{# + # Define relative URL prefix for access via mod_proxy + #} +{% if not 'multisite_url_prefix' in _site_config.keys() %} +{% set _ = _site_config.update({'multisite_url_prefix': '/' + _site_config.name + '/'}) %} +{% endif %} +{# + # Define Multisite Web access + #} +{% if not 'multisite_url' in _site_config.keys() %} +{# TODO: properly set http/https #} +{% set _ = _site_config.update({'multisite_url': 'https://' + _site_config.hostname + _site_config.multisite_url_prefix + 'check_mk/'}) %} +{% endif %} +{# + # Make sure 'disabled' is defined + #} +{% if ('state' in _site_config.keys()) and (not 'multisite_disabled' in _site_config.keys()) %} +{% if _site_config.state == 'disabled' %} +{% set _is_disabled = True %} +{% else %} +{% set _is_disabled = False %} +{% endif %} +{% set _ = _site_config.update({'multisite_disabled': _is_disabled}) %} +{% else %} +{% set _ = _site_config.update({'multisite_disabled': False}) %} +{% endif %} +{% set _ = _sites.append(_site_config) %} +{% endfor %} +{{ _sites | to_yaml }} +{% endif %} From ee665afce29738af0e8aea9fccaae16d44864c63 Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Thu, 30 Mar 2017 12:48:45 +0200 Subject: [PATCH 03/34] Fix 'multisite_password', set required 'multisite_alias' --- templates/lookup/checkmk_server__sites.j2 | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
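Review bot: `livestatus_socket` is built from the global port (`'tcp:' + _site_config.hostname + ':' + (checkmk_server__livestatus_port | string)`) while the `LIVESTATUS_TCP_PORT` OMD setting a few lines below uses the per-site `_site_config.livestatus_port`, which may come from `hostvars[_site_config.delegate_to].checkmk_server__livestatus_port`; when a remote site overrides its port the master is pointed at the wrong one, so the socket line should use `_site_config.livestatus_port` as well. `checkmk_server__distributed_sites_defaults.iteritems()` is Python 2 only and breaks the lookup on a Python 3 controller; `.items()` works on both. The template also dereferences `_site_config.delegate_to` (in the `hostvars[...]` lookups) and `_site_config.connection` (in the `multisite_password` condition) without a default, so a site entry that omits either key fails with an undefined-attribute error inside the lookup instead of a readable message — default or validate `delegate_to`, and default `connection` alongside `version`/`update`. Finally, every distributed site ends up with `LIVESTATUS_TCP: on`, because `livestatus_port` always falls back to the global value; Livestatus over TCP is unauthenticated, so the `checkmk_server__distributed_sites` documentation should state that access is expected to be restricted by the role's `checkmk_server__ferm_dependent_rules` (or by the network), and how to keep a site's Livestatus local.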
diff --git a/templates/lookup/checkmk_server__sites.j2 b/templates/lookup/checkmk_server__sites.j2 index 93799ce..6a10051 100644 --- a/templates/lookup/checkmk_server__sites.j2 +++ b/templates/lookup/checkmk_server__sites.j2 @@ -30,6 +30,12 @@ {% set _ = _site_config.update({_key: _value}) %} {% endif %} {% endfor %} +{# + # Alias must be set + #} +{% if not 'multisite_alias' in _site_config.keys() %} +{% set _ = _site_config.update({'multisite_alias': 'Remote site ' + _site_config.name}) %} +{% endif %} {# # If version is not defined, use global definition #} @@ -116,7 +122,7 @@ #} {% if (not 'multisite_password' in _site_config.keys()) and ((_site_config.multisite_replication == True) or (_site_config.connection == 'local')) %} -{% set _ = _site_config.update({'multisite_password': lookup('password', secret + '/credentials/' + (_site_config.master_delegate_to|d(inventory_hostname)) + '/checkmk_server/' + _site_config.name + '/' + _site_config.multisite_username + '/password')}) %} +{% set _ = _site_config.update({'multisite_password': lookup('password', secret + '/credentials/' + (_site_config.master_delegate_to|d(inventory_hostname)) + '/checkmk_server/' + _site_config.master_site + '/' + _site_config.multisite_username + '/password')}) %} {% endif %} {# # Define relative URL prefix for access via mod_proxy From 7b8dbc26a13ec00248e1edb71634b1ded5d5d414 Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Thu, 30 Mar 2017 12:53:42 +0200 Subject: [PATCH 04/34] Set credential paths related to the inventory name instead of fqdn This allows easier access from the slave sites without a forced dependency on the hostname of the master. --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d857328..658781d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
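Review bot: The corrected password path (`secret + '/credentials/' + master_delegate_to + '/checkmk_server/' + _site_config.master_site + '/' + multisite_username + '/password'`) must match byte-for-byte the path that `checkmk_server__multisite_debops_users.sitesync.password` uses on the master, because `lookup('password', ...)` generates a new random value whenever the file is missing — a mismatch does not error, it silently creates a second credential and replication login fails. The two expressions only agree while `master_delegate_to` equals the master's `inventory_hostname`, `master_site` equals its `checkmk_server__site` and `multisite_username` is `sitesync`; I would factor the path into one variable (e.g. `checkmk_server__sitesync_password_path`) consumed by both places, and document in the `checkmk_server__distributed_sites` section that `master_site` must be the master's site name. The `multisite_alias` default is fine; the comment `Alias must be set` would be clearer as `Check_MK rejects a site entry without an alias` if that is indeed the reason.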
@@ -382,11 +382,11 @@ checkmk_server__multisite_users: '{{ checkmk_server__multisite_debops_users | checkmk_server__multisite_debops_users: ansible: alias: 'Automation User used by Ansible' - automation_secret: '{{ lookup("password", secret + "/credentials/" + ansible_fqdn + "/checkmk_server/" + checkmk_server__site + "/ansible/secret") }}' + automation_secret: '{{ lookup("password", secret + "/credentials/" + inventory_hostname + "/checkmk_server/" + checkmk_server__site + "/ansible/secret") }}' roles: [ 'api' ] sitesync: alias: 'Synchronization User for Multisite' - password: '{{ lookup("password", secret + "/credentials/" + ansible_fqdn + "/checkmk_server/" + checkmk_server__site + "/sitesync/password") }}' + password: '{{ lookup("password", secret + "/credentials/" + inventory_hostname + "/checkmk_server/" + checkmk_server__site + "/sitesync/password") }}' roles: [ 'admin' ] # ]]] From 821688ed74c079aa8f2c331729e4465d0edefeca Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Thu, 30 Mar 2017 12:56:16 +0200 Subject: [PATCH 05/34] Convert user setup to run for distributed sites in 'checkmk_servers__sites' --- tasks/users.yml | 153 +++++++++++++++++++++++++++--------------------- 1 file changed, 86 insertions(+), 67 deletions(-) diff --git a/tasks/users.yml b/tasks/users.yml index 20ea697..0e8135c 100644 --- a/tasks/users.yml +++ b/tasks/users.yml 
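Review bot: Switching the `lookup("password", ...)` paths from `ansible_fqdn` to `inventory_hostname` silently rotates both credentials on existing deployments: the lookup creates a fresh random value at the new path, so after this change the `ansible` automation secret and the `sitesync` password pushed into the site no longer match what other hosts or the operator have cached, and the old files remain under `secret/credentials/<fqdn>/checkmk_server/...`. The commit message explains the rationale but not the migration; I would add a comment next to these two lines, e.g. `# NOTE: keyed by inventory_hostname; on upgrade move existing secret/credentials/<fqdn>/checkmk_server/<site>/ files to the inventory name, otherwise new secrets are generated`, and mention it in the changelog. The `sitesync` user keeps `roles: [ 'admin' ]`; that is unchanged here, but a short note on whether replication genuinely needs the admin role would help a least-privilege review later.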
@@ -1,78 +1,97 @@ --- # vim: foldmarker=[[[,]]]:foldmethod=marker -# Read existing Check_MK configuration [[[1 -- name: Wait for the site to be started - wait_for: - path: '{{ checkmk_server__site_home }}/{{ checkmk_server__multisite_config_path }}/wato/users.mk' - timeout: 60 +# Check if distributed site is already initialized [[[1 +- name: Check distributed site state + stat: + path: '{{ site_item.home }}/{{ checkmk_server__site_config_path }}/distributed_wato.mk' + register: checkmk_server__register_distributed_wato_mk + delegate_to: '{{ site_item.delegate_to + if (not site_item.delegate_to == inventory_hostname) else omit }}' -- name: Read local multisite users definition - command: 'sed -e "1,/^multisite_users\s*=/d" {{ checkmk_server__site_home }}/{{ checkmk_server__multisite_config_path }}/wato/users.mk' - register: checkmk_server__register_users_mk - changed_when: False - always_run: True - ignore_errors: '{{ ansible_check_mode }}' - tags: [ 'role::checkmk_server:multisite' ] +- name: Configure local multisite users + block: -- name: Read local contacts definition - command: 'sed -e "1,/^contacts.update(/d" -e "$d" {{ checkmk_server__site_home }}/{{ checkmk_server__site_config_path }}/wato/contacts.mk' - register: checkmk_server__register_contacts_mk - changed_when: False - always_run: True - ignore_errors: '{{ ansible_check_mode }}' - tags: [ 'role::checkmk_server:multisite' ] + # Read existing Check_MK configuration [[[1 + - name: Wait for the site to be started + wait_for: + path: '{{ site_item.home }}/{{ checkmk_server__multisite_config_path }}/wato/users.mk' + timeout: 60 -- name: Set local Check_MK configuration facts - set_fact: - checkmk_server__fact_local_users: '{{ checkmk_server__register_users_mk.stdout - if checkmk_server__register_users_mk.stdout|length > 0 - else {} }}' - checkmk_server__fact_local_contacts: '{{ checkmk_server__register_contacts_mk.stdout - if checkmk_server__register_contacts_mk.stdout|length > 0 - else {} }}' - always_run: 
True - tags: [ 'role::checkmk_server:multisite' ] + - name: Read local multisite users definition + command: 'sed -e "1,/^multisite_users\s*=/d" {{ site_item.home }}/{{ checkmk_server__multisite_config_path }}/wato/users.mk' + register: checkmk_server__register_users_mk + changed_when: False + check_mode: no + - name: Read local contacts definition + command: 'sed -e "1,/^contacts.update(/d" -e "$d" {{ site_item.home }}/{{ checkmk_server__site_config_path }}/wato/contacts.mk' + register: checkmk_server__register_contacts_mk + changed_when: False + check_mode: no -# Check_MK Multisite authentication [[[1 -- name: Set local httpd user passwords - htpasswd: - path: '{{ checkmk_server__site_home }}/etc/htpasswd' - name: '{{ item }}' - password: '{{ checkmk_server__multisite_users[item]["password"] - if "password" in checkmk_server__multisite_users[item] - else checkmk_server__multisite_users[item]["automation_secret"] }}' - crypt_scheme: md5_crypt - ignore_errors: '{{ ansible_check_mode }}' - when: ("password" in checkmk_server__multisite_users[item]) or - ("automation_secret" in checkmk_server__multisite_users[item]) - with_items: '{{ checkmk_server__multisite_users|d({})|list }}' - tags: [ 'role::checkmk_server:multisite' ] + - name: Set local Check_MK configuration facts + set_fact: + checkmk_server__fact_local_users: '{{ checkmk_server__register_users_mk.stdout + if checkmk_server__register_users_mk.stdout|length > 0 + else {} }}' + checkmk_server__fact_local_contacts: '{{ checkmk_server__register_contacts_mk.stdout + if checkmk_server__register_contacts_mk.stdout|length > 0 + else {} }}' + check_mode: no -- name: Create Web directory for Multisite users - file: - path: '{{ checkmk_server__site_home }}/var/check_mk/web/{{ item }}' - state: directory - owner: '{{ checkmk_server__user }}' - group: '{{ checkmk_server__group }}' - mode: '0770' - with_items: '{{ checkmk_server__multisite_users|d({})|list }}' + # Check_MK multisite authentication [[[1 + - name: Set local 
httpd user passwords + htpasswd: + path: '{{ site_item.home }}/etc/htpasswd' + name: '{{ item }}' + password: '{{ checkmk_server__multisite_users[item]["password"] + if "password" in checkmk_server__multisite_users[item] + else checkmk_server__multisite_users[item]["automation_secret"] }}' + crypt_scheme: md5_crypt + when: ("password" in checkmk_server__multisite_users[item]) or + ("automation_secret" in checkmk_server__multisite_users[item]) + with_items: '{{ checkmk_server__multisite_users|d({})|list }}' -- name: Create automation.secret - template: - src: 'var/check_mk/web/user/automation.secret.j2' - dest: '{{ checkmk_server__site_home }}/var/check_mk/web/{{ item }}/automation.secret' - owner: '{{ checkmk_server__user }}' - group: '{{ checkmk_server__group }}' - mode: '0660' - when: ("automation_secret" in checkmk_server__multisite_users[item]) - with_items: '{{ checkmk_server__multisite_users|d({})|list }}' + - name: Create Web directory for multisite users + file: + path: '{{ site_item.home }}/var/check_mk/web/{{ item }}' + state: directory + owner: '{{ site_item.user }}' + group: '{{ site_item.group }}' + mode: '0770' + with_items: '{{ checkmk_server__multisite_users|d({})|list }}' -- name: Generate Check_MK Multisite user definitions - template: - src: 'etc/check_mk/multisite.d/wato/users.mk.j2' - dest: '{{ checkmk_server__site_home }}/{{ checkmk_server__multisite_config_path }}/wato/users.mk' - owner: '{{ checkmk_server__user }}' - group: '{{ checkmk_server__group }}' - mode: '0660' + - name: Create automation.secret + template: + src: 'var/check_mk/web/user/automation.secret.j2' + dest: '{{ site_item.home }}/var/check_mk/web/{{ item }}/automation.secret' + owner: '{{ site_item.user }}' + group: '{{ site_item.group }}' + mode: '0660' + when: ("automation_secret" in checkmk_server__multisite_users[item]) + with_items: '{{ checkmk_server__multisite_users|d({})|list }}' + + - name: Generate Check_MK multisite user definitions + template: + src: 
'etc/check_mk/multisite.d/wato/users.mk.j2' + dest: '{{ site_item.home }}/{{ checkmk_server__multisite_config_path }}/wato/users.mk' + owner: '{{ site_item.user }}' + group: '{{ site_item.group }}' + mode: '0660' + + rescue: + - name: Print current site configuration + debug: + var: site_item + + # Only run this block if the site is either a local master site or a slave + # site which hasn't been synchronized yet + when: (site_item.connection|d('remote') == 'local') or + (('multisite_replication' in site_item.keys() and + site_item.multisite_replication|bool == True) and + (not checkmk_server__register_distributed_wato_mk.stat.exists)) + + # Delegate tasks to server of current site item + delegate_to: '{{ site_item.delegate_to + if (not site_item.delegate_to == inventory_hostname) else omit }}' From 21a2bfac4af92ba8cdf6b0d673e82f38453274b5 Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Thu, 30 Mar 2017 12:58:00 +0200 Subject: [PATCH 06/34] Iterate user setup tasks over all distributed sites --- tasks/main.yml | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 0c339cf..a4c35d1 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
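Review bot: The `rescue:` branch ends with `debug: var: site_item`, and `site_item` is the full site dictionary that the lookup template populates with `multisite_password` for replicated sites, so any failure inside the block prints the synchronization password in clear text in the play output and in whatever collects it. Drop that task or give it `no_log: True`; if the layout is needed for troubleshooting, print only `site_item.name` and `site_item.delegate_to`. The `htpasswd` task also keeps `crypt_scheme: md5_crypt`, the weakest scheme the module offers; `bcrypt` would be preferable if Check_MK's Apache accepts it, which I cannot confirm from this diff, so at least a comment stating why md5_crypt was chosen would help. The hunk covers the whole new file, so the block and its `when`/`delegate_to` are fully visible here.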
@@ -107,21 +107,18 @@ loop_control: loop_var: site_item +- name: Monitoring site user authentication + include: users.yml + with_items: '{{ checkmk_server__sites }}' + loop_control: + loop_var: site_item + tags: + - 'role::checkmk_server:multisite' + - 'role::checkmk_server:users' + - fail: msg: 'Check what happend so far' -#- name: Check distributed site state -# stat: -# path: '{{ checkmk_server__site_home }}/{{ checkmk_server__site_config_path }}/distributed_wato.mk' -# register: checkmk_server__multisite_distributed_wato_mk - -#- name: Monitoring site user authentication -# include: users.yml -# when: checkmk_server__site|d() and -# ((checkmk_server__multisite_slave|d() and -# not checkmk_server__multisite_distributed_wato_mk.stat.exists) or -# not checkmk_server__multisite_slave|d()) - - name: Manage WATO and monitoring rules include: wato.yml when: not checkmk_server__multisite_slave|d() From 2954cc2b22b601bec900f2d93fcc945246c33195 Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Fri, 31 Mar 2017 18:59:42 +0200 Subject: [PATCH 07/34] Make distributed site login and config work with new site definition --- defaults/main.yml | 2 +- tasks/login.yml | 44 ++++++++++++++++ tasks/main.yml | 6 +++ tasks/users.yml | 2 +- tasks/wato.yml | 51 +----------------- .../etc/check_mk/multisite.d/sites.mk.j2 | 52 ++++++++----------- templates/lookup/checkmk_server__sites.j2 | 33 +++++++++++- templates/macros/checkmk_config.j2 | 2 +- vars/main.yml | 10 +++- 9 files changed, 114 insertions(+), 88 deletions(-) create mode 100644 tasks/login.yml diff --git a/defaults/main.yml b/defaults/main.yml index 658781d..a119c99 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -463,7 +463,7 @@ checkmk_server__distributed_sites_defaults: multisite_persist: False multisite_replicate_ec: False multisite_replicate_mkps: True - multisite_replication: True + multisite_replication: 'slave' multisite_status_host: None multisite_timeout: 10 multisite_user_login: True 
diff --git a/tasks/login.yml b/tasks/login.yml new file mode 100644 index 0000000..f486fe1 --- /dev/null +++ b/tasks/login.yml @@ -0,0 +1,44 @@ +--- + +- name: Login on remote site + uri: + url: '{{ item.multisite_url }}/login.py' + method: POST + body: '{{ [ "_login=1", + "_username=" + item.multisite_username, + "_password=" + item.multisite_password, + "_origtarget=automation_login.py", + "_plain_error=1" ] | join("&") }}' + force_basic_auth: yes + user: '{{ item.multisite_username }}' + password: '{{ item.multisite_password }}' + status_code: 302 + validate_certs: '{{ not item.multisite_insecure|bool }}' + register: checkmk_server__register_multisite_login + when: (not item.connection|d('remote') == 'local') + with_items: '{{ checkmk_server__sites }}' + +- debug: var=checkmk_server__register_multisite_login + +- name: Get Multisite distribution secrets + uri: + url: '{{ item.location }}' + HEADER_Cookie: '{{ item.set_cookie }}' + return_content: True + validate_certs: '{{ item.invocation.module_args.validate_certs }}' + register: checkmk_server__register_multisite_automation_login + no_log: True + when: not item | skipped + with_items: '{{ checkmk_server__register_multisite_login.results + if "results" in checkmk_server__register_multisite_login else [] }}' + +- debug: var=checkmk_server__register_multisite_automation_login + +- name: Generate distributed sites configuration + template: + src: 'etc/check_mk/multisite.d/sites.mk.j2' + dest: '{{ item.home }}/{{ checkmk_server__multisite_config_path }}/sites.mk' + owner: '{{ item.user }}' + group: '{{ item.group }}' + when: (item.connection|d('remote') == 'local') + with_items: '{{ checkmk_server__sites }}' diff --git a/tasks/main.yml b/tasks/main.yml index a4c35d1..e4b6df7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
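Review bot: The two `debug` tasks in the new `login.yml` dump credentials: `debug: var=checkmk_server__register_multisite_login` prints the login result including `invocation.module_args` (the `password` field and the POST `body` carrying `_password=…`), and `debug: var=checkmk_server__register_multisite_automation_login` prints exactly the automation secrets the preceding task protects with `no_log: True`. Remove both and add `no_log: True` to the "Login on remote site" task too, since its registered result is sensitive even without the debug. The "Generate distributed sites configuration" task writes those secrets into `sites.mk` but sets only `owner`/`group` and no `mode:`, so the file gets the process umask; `mode: '0660'` matches how this series treats `automation.secret` and `users.mk`. The form body is assembled with a plain `join("&")` and no `urlencode`, which presumably only works because the generated passwords avoid `&`, `%` and `+`; a `| urlencode` on the two credential fields, or a comment stating that assumption, would make it explicit.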
@@ -116,6 +116,12 @@ - 'role::checkmk_server:multisite' - 'role::checkmk_server:users' +- name: Login on distributed sites + include: login.yml + when: (checkmk_server__sites | length) > 1 + tags: + - 'role::checkmk_server:login' + - fail: msg: 'Check what happend so far' diff --git a/tasks/users.yml b/tasks/users.yml index 0e8135c..4f5beca 100644 --- a/tasks/users.yml +++ b/tasks/users.yml @@ -89,7 +89,7 @@ # site which hasn't been synchronized yet when: (site_item.connection|d('remote') == 'local') or (('multisite_replication' in site_item.keys() and - site_item.multisite_replication|bool == True) and + site_item.multisite_replication == 'slave') and (not checkmk_server__register_distributed_wato_mk.stat.exists)) # Delegate tasks to server of current site item diff --git a/tasks/wato.yml b/tasks/wato.yml index 2a28ea1..c4ddb11 100644 --- a/tasks/wato.yml +++ b/tasks/wato.yml 
@@ -1,56 +1,7 @@ --- # vim: foldmarker=[[[,]]]:foldmethod=marker -# Check_MK Multisite/WATO configuration [[[ -- name: Login on slave sites - uri: - url: '{{ checkmk_server__distributed_sites[item].multisiteurl }}/login.py' - method: POST - body: '{{ [ "_login=1", - "_username=" + (checkmk_server__distributed_sites[item].username - if "username" in checkmk_server__distributed_sites[item] - else checkmk_server__distributed_sites_defaults.username), - "_password=" + (checkmk_server__distributed_sites[item].password - if "password" in checkmk_server__distributed_sites[item] - else checkmk_server__distributed_sites_defaults.password), - "_origtarget=automation_login.py", - "_plain_error=1" ] | join("&") }}' - force_basic_auth: True - user: '{{ checkmk_server__distributed_sites[item].username - if "username" in checkmk_server__distributed_sites[item] - else checkmk_server__distributed_sites_defaults.username }}' - password: '{{ checkmk_server__distributed_sites[item].password - if "password" in checkmk_server__distributed_sites[item] - else checkmk_server__distributed_sites_defaults.password }}' - status_code: 302 - validate_certs: '{{ not checkmk_server__distributed_sites[item].insecure - if "insecure" in checkmk_server__distributed_sites[item] - else checkmk_server__distributed_sites_defaults.insecure }}' - register: checkmk_server__register_multisite_login - ignore_errors: '{{ ansible_check_mode }}' - when: item != checkmk_server__site - with_items: '{{ checkmk_server__distributed_sites|d([]) }}' - -- name: Get Multisite distribution secrets - uri: - url: '{{ item.location }}' - HEADER_Cookie: '{{ item.set_cookie }}' - return_content: True - validate_certs: '{{ item.invocation.module_args.validate_certs }}' - register: checkmk_server__register_multisite_automation_login - no_log: True - when: not item | skipped - with_items: '{{ checkmk_server__register_multisite_login.results - if "results" in checkmk_server__register_multisite_login else [] }}' - -- name: Generate 
distributed monitoring configuration - template: - src: 'etc/check_mk/multisite.d/sites.mk.j2' - dest: '{{ checkmk_server__site_home }}/{{ checkmk_server__multisite_config_path }}/sites.mk' - owner: '{{ checkmk_server__user }}' - group: '{{ checkmk_server__group }}' - tags: [ 'role::checkmk_server:multisite' ] - +# Check_MK multisite/WATO configuration [[[ - name: Generate Check_MK WATO Multisite definitions template: src: '{{ lookup("template_src", "etc/check_mk/multisite.d/wato/" + item | basename) }}' diff --git a/templates/etc/check_mk/multisite.d/sites.mk.j2 b/templates/etc/check_mk/multisite.d/sites.mk.j2 index d33da56..832f5b1 100644 --- a/templates/etc/check_mk/multisite.d/sites.mk.j2 +++ b/templates/etc/check_mk/multisite.d/sites.mk.j2 
@@ -2,44 +2,34 @@ # {{ ansible_managed }} # encoding: utf-8 -{% set _sites = {} %} -{% if checkmk_server__distributed_sites|d({}) %} -{% if not checkmk_server__site in checkmk_server__distributed_sites %} -{% set _ = _sites.update({checkmk_server__site: {}}) %} -{% set _ = _sites[checkmk_server__site].update({ 'alias': 'Local site ' + checkmk_server__site }) %} -{% for _prop in checkmk_server__local_site_properties|d([]) %} -{% set _ = _sites[checkmk_server__site].update({ _prop: checkmk_server__distributed_sites_defaults[_prop] }) %} -{% endfor %} +{% set _sites_mk = {} %} +{% for _site in checkmk_server__sites %} +{% set _ = _sites_mk.update({_site.name: {}}) %} +{% if _site.connection|d('remote') == 'local' %} +{% set _property_list = checkmk_server__local_site_properties %} +{% else %} +{% set _property_list = checkmk_server__remote_site_properties %} {% endif %} -{% for _site in checkmk_server__distributed_sites %} -{% if not _site in _sites %} -{% set _ = _sites.update({_site: {}}) %} -{% for _key, _value in checkmk_server__distributed_sites[_site].items() %} -{% if _key not in [ 'username', 'password' ] %} -{% set _ = _sites[_site].update({ _key: _value }) %} -{% endif %} -{% endfor %} -{% if _site == checkmk_server__site %} -{% set _site_properties = checkmk_server__local_site_properties %} -{% else %} -{% set _site_properties = checkmk_server__distributed_sites_defaults | difference([ 'username', 'password' ]) %} -{% endif %} -{% for _prop in _site_properties %} -{% if _prop not in _sites[_site] %} -{% set _ = _sites[_site].update({ _prop: checkmk_server__distributed_sites_defaults[_prop] }) %} -{% endif %} -{% endfor %} +{% for _prop in (_property_list | difference(['password'])) %} +{% if ('multisite_' + _prop) in _site.keys() %} +{% set _ = _sites_mk[_site.name].update({_prop: _site['multisite_' + _prop]}) %} +{% endif %} +{% if ('livestatus_' + _prop) in _site.keys() %} +{% set _ = _sites_mk[_site.name].update({_prop: _site['livestatus_' + _prop]}) %} 
+{% endif %} +{% if (_prop == 'multisiteurl') and ('multisite_url' in _site.keys()) %} +{% set _ = _sites_mk[_site.name].update({_prop: _site['multisite_url']}) %} {% endif %} {% endfor %} {% if 'results' in checkmk_server__register_multisite_automation_login %} {% for _result in checkmk_server__register_multisite_automation_login.results|d({}) %} -{% if not _result | skipped %} -{% set _ = _sites[_result.item.item].update({ 'secret': _result.content|replace("'", "") }) %} +{% if (not _result | skipped) and (_result.item.item.name == _site.name) %} +{% set _ = _sites_mk[_site.name].update({'secret': _result.content|replace("'", "")}) %} {% endif %} {% endfor %} {% endif %} -{% endif %} -{% if _sites %} +{% endfor %} +{% if _sites_mk %} sites = \ -{{ macros.tmpl_format__dict_multiline(_sites) }} +{{ macros.tmpl_format__dict_multiline(_sites_mk) }} {% endif %} diff --git a/templates/lookup/checkmk_server__sites.j2 b/templates/lookup/checkmk_server__sites.j2 index 6a10051..9d31ae7 100644 --- a/templates/lookup/checkmk_server__sites.j2 +++ b/templates/lookup/checkmk_server__sites.j2 
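Review bot: `{% set _ = _sites_mk[_site.name].update({'secret': _result.content|replace("'", "")}) %}` takes whatever body the remote `automation_login.py` returned as the site secret; the fetch task only enforces the default 200 status, so an HTML login page or an error text served with 200 (expired cookie, user without the automation role) would be written into `sites.mk` as the secret and only surface later as a failed sync. Guarding on the expected shape before using the value, e.g. `{% if (not _result | skipped) and (_result.item.item.name == _site.name) and (_result.content is match("^'[^']+'$")) %}`, leaves `secret` unset instead of poisoning the config, where a later check can catch it. I am inferring the quoted-token format from the `replace("'", "")`, so adjust the pattern to what the endpoint actually emits.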
@@ -14,13 +14,42 @@ {% set _ = _local_site.update({'delegate_to': inventory_hostname}) %} {% set _ = _local_site.update({'group': checkmk_server__site}) %} {% set _ = _local_site.update({'home': checkmk_server__site_home}) %} +{% set _ = _local_site.update({'hostname': checkmk_server__hostname}) %} +{% set _ = _local_site.update({'multisite_replication': ''}) %} {% set _ = _local_site.update({'name': checkmk_server__site}) %} {% set _ = _local_site.update({'omd_config': checkmk_server__omd_config}) %} {% set _ = _local_site.update({'sshkeys': checkmk_server__sshkeys}) %} {% set _ = _local_site.update({'update': checkmk_server__site_update}) %} {% set _ = _local_site.update({'user': checkmk_server__site}) %} {% set _ = _local_site.update({'version': checkmk_server__version}) %} +{% for _key, _value in checkmk_server__distributed_sites_defaults.iteritems() %} +{% if not _key in _local_site.keys() %} +{% set _ = _local_site.update({_key: _value}) %} +{% endif %} +{% endfor %} +{% if not 'multisite_alias' in _local_site.keys() %} +{% set _ = _local_site.update({'multisite_alias': 'Local site ' + _local_site.name}) %} +{% endif %} +{% if not 'multisite_url' in _local_site.keys() %} +{% set _ = _local_site.update({'multisite_url': ''}) %} +{% endif %} +{# + # Make sure 'disabled' is defined + #} +{% if ('state' in _local_site.keys()) and (not 'multisite_disabled' in _local_site.keys()) %} +{% if _local_site.state == 'disabled' %} +{% set _is_disabled = True %} +{% else %} +{% set _is_disabled = False %} +{% endif %} +{% set _ = _local_site.update({'multisite_disabled': _is_disabled}) %} +{% else %} +{% set _ = _local_site.update({'multisite_disabled': False}) %} +{% endif %} {% set _ = _sites.append(_local_site) %} +{# + # Configure remote distributed sites + #} {% for _site_config in checkmk_server__distributed_sites %} {# # Set default values if undefined 
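Review bot: `{% for _key, _value in checkmk_server__distributed_sites_defaults.iteritems() %}` depends on the Python 2 only `dict.iteritems()` and raises an undefined-attribute error as soon as the controller runs Jinja2 on Python 3; `.items()` behaves the same on both, so change it to `{% for _key, _value in checkmk_server__distributed_sites_defaults.items() %}`. The same loop copies every default onto the local site entry, and that entry later lands in the facts file and in `debug` output, so if the defaults still carry a `multisite_password` key it should be skipped here. The construction of `_local_site` begins before this hunk.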
@@ -97,7 +126,7 @@ {% endif %} {% endif %} {% if not 'livestatus_socket' in _site_config.keys() %} -{% set _ = _site_config.update({'livestatus_socket': 'tcp:' + _site_config.hostname + ':' + (checkmk_server__livestatus_port | string)}) %} +{% set _ = _site_config.update({'livestatus_socket': 'tcp:' + _site_config.hostname + ':' + _site_config.livestatus_port}) %} {% endif %} {# # Define OMD configuration @@ -121,7 +150,7 @@ # Define multisite user password #} {% if (not 'multisite_password' in _site_config.keys()) and - ((_site_config.multisite_replication == True) or (_site_config.connection == 'local')) %} + ((_site_config.multisite_replication == 'slave') or (_site_config.connection == 'local')) %} {% set _ = _site_config.update({'multisite_password': lookup('password', secret + '/credentials/' + (_site_config.master_delegate_to|d(inventory_hostname)) + '/checkmk_server/' + _site_config.master_site + '/' + _site_config.multisite_username + '/password')}) %} {% endif %} {# diff --git a/templates/macros/checkmk_config.j2 b/templates/macros/checkmk_config.j2 index 9d1f108..5033af9 100644 --- a/templates/macros/checkmk_config.j2 +++ b/templates/macros/checkmk_config.j2 @@ -279,7 +279,7 @@ if {{ _name }} == None: {% macro tmpl_format__dict_multiline(_dict) %}{{ _dict | pprint | replace(" '", " '") | - replace("u'None'", "None") | + replace("'None'", "None") | replace("u''", "''") | regex_replace("([\[\{])u'", "\\1'") | regex_replace("(: )u'", "\\1'") | diff --git a/vars/main.yml b/vars/main.yml index 7b86372..1600bf7 100644 --- a/vars/main.yml +++ b/vars/main.yml 
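Review bot: Dropping the `| string` cast in `'tcp:' + _site_config.hostname + ':' + _site_config.livestatus_port` makes the template raise a `TypeError` whenever `livestatus_port` is an integer, which the earlier cast of `checkmk_server__livestatus_port` suggests is the normal case; `+ (_site_config.livestatus_port | string)` is safe for both representations. The code that sets `livestatus_port` on `_site_config` lies outside this hunk, so I cannot tell whether it now guarantees a string.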
@@ -105,7 +105,13 @@ checkmk_server__multisite_variable_map: # user_connections.mk checkmk_server__ansible_user_connections_properties: [ 'binddn', 'bindpw' ] -# Distributed monitoring properties for local site -checkmk_server__local_site_properties: [ 'disable_wato', 'disabled', +# Distributed sites properties for local site in sites.mk +checkmk_server__local_site_properties: [ 'alias', 'disable_wato', 'disabled', 'insecure', 'multisiteurl', 'persist', 'replicate_ec', 'replication', 'timeout', 'user_login' ] + +# Distributed sites properties for remote sites in sites.mk +checkmk_server__remote_site_properties: [ 'alias', 'disable_wato', 'disabled', + 'insecure', 'multisiteurl', 'persist', 'replicate_ec', 'replicate_mkps', + 'replication', 'socket', 'status_host', 'timeout', 'url_prefix', + 'user_login' ] From 231d06e5a3c33a1b8185a039e9efaa67ea97682d Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Mon, 3 Apr 2017 07:23:33 +0200 Subject: [PATCH 08/34] Remove unused variables --- defaults/main.yml | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index a119c99..1d61f73 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -175,7 +175,7 @@ checkmk_server__omd_config: '{{ checkmk_server__omd_config_core }}' - + # ]]] # .. envvar:: checkmk_server__omd_config_email [[[ # # Administrator email address set via OMD. 
@@ -225,20 +225,6 @@ checkmk_server__ssh_arguments: '-o BatchMode=yes -o StrictHostKeyChecking=no -o # Multisite Web Configuration [[[ # ------------------------------- -# .. envvar:: checkmk_server__multisite_slave [[[ -# -# Indicate if this site is a distributed monitoring slave which receives the -# Check_MK configuration from another Check_MK server instance. -#checkmk_server__multisite_slave: False - - # ]]] -# .. envvar:: checkmk_server__multisite_livestatus [[[ -# -# Enable multisite Livestatus service. This is required for distributed -# monitoring of this site. -#checkmk_server__multisite_livestatus: '{{ True if checkmk_server__multisite_slave|d() else False }}' - - # ]]] # .. envvar:: checkmk_server__multisite_config_path [[[ # # Configuration path for Check_MK multisite configurations. Relative to the @@ -684,3 +670,4 @@ checkmk_server__tls_options: # ]]] # ]]] # ]]] + # ]]] From 9128633c4a3239ec035e33aa34e939bf40a61340 Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Mon, 10 Apr 2017 07:24:12 +0200 Subject: [PATCH 09/34] Create new env sub-role for site setup, write site facts --- env/defaults | 1 + env/tasks/create_sites.yml | 8 ++ env/tasks/facts.yml | 32 +++++++ env/tasks/main.yml | 77 ++++++++++++++++ env/templates | 1 + tasks/main.yml | 87 +++---------------- .../ansible/facts.d/checkmk_server.fact.j2 | 51 +++++++++-- templates/lookup/checkmk_server__sites.j2 | 24 +++++ 8 files changed, 200 insertions(+), 81 deletions(-) create mode 120000 env/defaults create mode 100644 env/tasks/create_sites.yml create mode 100644 env/tasks/facts.yml create mode 100644 env/tasks/main.yml create mode 120000 env/templates diff --git a/env/defaults b/env/defaults new file mode 120000 index 0000000..37aebd7 --- /dev/null +++ b/env/defaults @@ -0,0 +1 @@ +../defaults \ No newline at end of file diff --git a/env/tasks/create_sites.yml b/env/tasks/create_sites.yml new file mode 100644 index 0000000..1ed1662 --- /dev/null +++ b/env/tasks/create_sites.yml 
@@ -0,0 +1,8 @@ +--- + +- name: Create Check_MK site + command: omd create '{{ site_item.name }}' + args: + creates: '{{ site_item.home }}/etc/omd/site.conf' + delegate_to: '{{ site_item.delegate_to + if (not site_item.delegate_to == inventory_hostname) else omit }}' diff --git a/env/tasks/facts.yml b/env/tasks/facts.yml new file mode 100644 index 0000000..411c407 --- /dev/null +++ b/env/tasks/facts.yml @@ -0,0 +1,32 @@ +--- +# +# Set site facts so that later tasks can depend on it +# + +- name: Persist site facts + block: + + - name: Make sure that local fact directory exists + file: + dest: '/etc/ansible/facts.d' + state: 'directory' + owner: 'root' + group: 'root' + mode: '0755' + + - name: Save Check_MK server local facts + template: + src: 'etc/ansible/facts.d/checkmk_server.fact.j2' + dest: '/etc/ansible/facts.d/checkmk_server.fact' + owner: 'root' + group: 'root' + mode: '0644' + register: checkmk_server__register_local_facts + + - name: Re-read local facts if they have been changed + action: setup + when: checkmk_server__register_local_facts | changed + + # Delegate entire block to corresponding host + delegate_to: '{{ site_item.delegate_to + if (not site_item.delegate_to == inventory_hostname) else omit }}' diff --git a/env/tasks/main.yml b/env/tasks/main.yml new file mode 100644 index 0000000..440f47c --- /dev/null +++ b/env/tasks/main.yml 
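Review bot: "Save Check_MK server local facts" writes `/etc/ansible/facts.d/checkmk_server.fact` with `mode: '0644'`, and the template it renders serializes the complete `site_item` dictionary, which for replicated sites carries `multisite_password` (set by the lookup template), so the distributed-sync password becomes readable by every local user of the host. Local facts are meant to be public inventory data, so the right fix is to keep credentials out of the rendered content; if the file must hold them, it needs `mode: '0600'` and a guarantee that the `setup` re-read runs as root. A one-line comment on the task, `# local facts are world-readable: the template must not emit credentials`, keeps that contract visible. The delegated block is complete within this hunk.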
@@ -0,0 +1,77 @@ +--- + +- debug: + var: checkmk_server__sites + +- name: Install prerequisite packages + apt: + name: '{{ item }}' + state: present + with_items: '{{ checkmk_server__prerequisite_packages }}' + +- name: Check check-mk-raw package version + shell: dpkg-query -W -f='${Version}\n' check-mk-raw-{{ checkmk_server__version }} | cut -d- -f1 + register: checkmk_server__register_version + changed_when: False + failed_when: False + check_mode: no + +- name: Download Check_MK RAW package + get_url: + url: '{{ checkmk_server__raw_package }}' + dest: '/var/cache/apt/archives/{{ checkmk_server__raw_package | basename }}' + register: checkmk_server__register_download + when: (not checkmk_server__register_version.stdout) and + (checkmk_server__raw_package | match('^http')) + +- name: Install local Check_MK RAW package + apt: + deb: '{{ "/var/cache/apt/archives/" + (checkmk_server__raw_package | basename) + if (not checkmk_server__register_download | skipped) + else checkmk_server__raw_package }}' + state: present + ignore_errors: '{{ ansible_check_mode }}' + register: checkmk_server__register_deb_install + when: (not checkmk_server__register_version.stdout) and + ((checkmk_server__raw_package | splitext)[1] == '.deb') + +- name: Install Check_MK RAW package from repository + apt: + name: '{{ checkmk_server__raw_package }}' + state: present + register: checkmk_server__register_apt_install + when: (not checkmk_server__register_version.stdout) and + (not checkmk_server__register_deb_install|d()) + +- name: Apply patches + patch: + src: '{{ item.patch }}' + dest: '{{ item.file }}' + basedir: '/' + ignore_errors: '{{ ansible_check_mode }}' + with_items: '{{ checkmk_server__patches }}' + when: (checkmk_server__register_apt_install | changed) or + (checkmk_server__register_deb_install | changed) + +- name: Get Check_MK default version + stat: + path: '/omd/versions/default' + register: checkmk_server__register_default + check_mode: no + +- name: Set new default version + 
command: omd setversion '{{ checkmk_server__version }}{{ checkmk_server__version_suffix }}' + when: (checkmk_server__register_default.stat.lnk_source | + basename) != (checkmk_server__version + checkmk_server__version_suffix) + +- name: Create Check_MK sites + include: create_sites.yml + with_items: '{{ checkmk_server__sites }}' + loop_control: + loop_var: site_item + +- name: Set site facts + include: facts.yml + with_items: '{{ checkmk_server__sites }}' + loop_control: + loop_var: site_item diff --git a/env/templates b/env/templates new file mode 120000 index 0000000..564a409 --- /dev/null +++ b/env/templates @@ -0,0 +1 @@ +../templates \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index e4b6df7..d1bb1b9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
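Review bot: The "Download Check_MK RAW package" `get_url` fetches `checkmk_server__raw_package` with no `checksum:` and the following `apt: deb:` installs the file without any repository signature check, so a tampered mirror or a plain-`http` URL (the `match('^http')` condition accepts both schemes) yields arbitrary root code via the package's maintainer scripts. Add `checksum: 'sha256:<digest>'` fed from a role variable (for example `checkmk_server__raw_package_checksum`) and refuse non-`https` URLs, or at minimum document that the download is trusted on transport alone. The "Apply patches" task runs `patch` with `basedir: '/'` from `checkmk_server__patches`, which is acceptable only while that list stays role-controlled; a comment saying so would help the next reader. This hunk contains the whole new file.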
@@ -6,56 +6,6 @@ #- fail: # msg: 'bla' -- name: Install prerequisite packages - apt: - name: '{{ item }}' - state: present - with_items: '{{ checkmk_server__prerequisite_packages }}' - -- name: Check check-mk-raw package version - shell: dpkg-query -W -f='${Version}\n' check-mk-raw-{{ checkmk_server__version }} | cut -d- -f1 - register: checkmk_server_register_version - changed_when: False - failed_when: False - always_run: True - -- name: Download Check_MK RAW package - get_url: - url: '{{ checkmk_server__raw_package }}' - dest: '/var/cache/apt/archives/{{ checkmk_server__raw_package | basename }}' - register: checkmk_server_register_download - when: (not checkmk_server_register_version.stdout) and - (checkmk_server__raw_package | match('^http')) - -- name: Install local Check_MK RAW package - apt: - deb: '{{ ("/var/cache/apt/archives/" + (checkmk_server__raw_package | basename)) - if checkmk_server_register_download|d() - else checkmk_server__raw_package }}' - state: present - ignore_errors: '{{ ansible_check_mode }}' - register: checkmk_server_register_deb_install - when: (not checkmk_server_register_version.stdout) and - ((checkmk_server__raw_package | splitext)[1] == '.deb') - -- name: Install Check_MK RAW package from repository - apt: - name: '{{ checkmk_server__raw_package }}' - state: present - register: checkmk_server_register_apt_install - when: (not checkmk_server_register_version.stdout) and - (not checkmk_server_register_deb_install|d()) - -- name: Apply patches - patch: - src: '{{ item.patch }}' - dest: '{{ item.file }}' - basedir: '/' - ignore_errors: '{{ ansible_check_mode }}' - with_items: '{{ checkmk_server__patches }}' - when: (checkmk_server_register_apt_install | changed) or - (checkmk_server_register_deb_install | changed) - - name: Set TLS options template: src: 'etc/apache2/mods-available/ssl.conf.j2' 
@@ -122,32 +72,21 @@ tags: - 'role::checkmk_server:login' -- fail: - msg: 'Check what happend so far' - - name: Manage WATO and monitoring rules include: wato.yml - when: not checkmk_server__multisite_slave|d() + when: checkmk_server__site != False -- name: Make sure that local fact directory exists - file: - dest: '/etc/ansible/facts.d' - state: 'directory' - owner: 'root' - group: 'root' - mode: '0755' +- name: Upload configuration to slave sites + include: sync.yml + when: ('multisite_replication' in site_item) and + (site_item.multisite_replication == 'slave') + with_items: '{{ checkmk_server__sites }}' + loop_control: + loop_var: site_item + tags: + - 'role::checkmk_server:multisite' + - 'debug' -#- name: Save Check_MK server local facts -# template: -# src: 'etc/ansible/facts.d/checkmk_server.fact.j2' -# dest: '/etc/ansible/facts.d/checkmk_server.fact' -# owner: 'root' -# group: 'root' -# mode: '0644' -# register: checkmk_server_register_local_facts -# when: checkmk_server__sshkeys|d() +- fail: + msg: 'Check what happend so far' -#- name: Gather facts if they were modified -# action: setup -# when: checkmk_server_register_local_facts|d() and -# (checkmk_server_register_local_facts | changed) diff --git a/templates/etc/ansible/facts.d/checkmk_server.fact.j2 b/templates/etc/ansible/facts.d/checkmk_server.fact.j2 index cf0e367..71d34a9 100644 --- a/templates/etc/ansible/facts.d/checkmk_server.fact.j2 +++ b/templates/etc/ansible/facts.d/checkmk_server.fact.j2 
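Review bot: The hunk moves `- fail: msg: 'Check what happend so far'` to the end of `main.yml` instead of removing it, so every run of the role now ends in a failure after the slave sync, and `tags: - 'debug'` on the sync include looks like the same work-in-progress state; drop both before merging, or guard the `fail` with a variable that defaults to off. `when: checkmk_server__site != False` compares a site name against a boolean; `when: checkmk_server__site|d()` expresses the intent (site defined and non-empty) without relying on that comparison. The included `sync.yml` is not part of this diff, so I cannot check what it does with `site_item`.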
@@ -1,10 +1,47 @@ -{% set _site_facts = {} %} -{% if checkmk_server__site|d() %} -{% set _ = _site_facts.update({checkmk_server__site: {"version": checkmk_server__version_label}}) %} -{% set _ = _site_facts[checkmk_server__site].update({"site_url": checkmk_server__site_url}) %} -{% set _ = _site_facts[checkmk_server__site].update({"webapi_url": checkmk_server__webapi_url}) %} -{% if checkmk_server__register_ssh_public_key.stdout|d() %} -{% set _ = _site_facts[checkmk_server__site].update({"ssh_public_key": checkmk_server__register_ssh_public_key.stdout}) %} +{# + # Create a facts file with the sites hosted on the involved host. + # + # Distributed slaves sites are defined on the master server, therefore + # it may happen, that the facts file is merged from multiple configuration + # sources. Sites which are about to be deleted must not be listed in the + # resulting facts file. + #} +{% set _site_facts = [] %} +{% if ansible_local|d({}) and ('checkmk_server' in ansible_local) and + (not ansible_local.checkmk_server is string) and + (ansible_local.checkmk_server | length > 0) %} +{% for _local_site in ansible_local.checkmk_server %} +{# + # Site has been configured before but is not currently handled. Simply + # add it again. + #} +{% if ('name' in _local_site) and (not _local_site.name == site_item.name) and + _local_site.delegate_to == site_item.delegate_to %} +{# HACK: to make sure only sites from the same delegate_to host are added #} +{% set _ = _site_facts.append(_local_site) %} +{# + # Site has been configured before and matches the currently handled. + # If it's not marked to be absent, add it again. + # TODO: merge _local_site and site_item + #} +{% elif (not ('state' in site_item.keys() and site_item.state == 'absent')) %} +{% set _ = _site_facts.append(site_item) %} +{% endif %} +{% endfor %} +{# + # There are already sites defined, but none of them match the site + # currently handled. Add it to the facts if it's not meant to be + # deleted. 
+ #} +{% if (not site_item.name in (ansible_local.checkmk_server | map(attribute="name") | list)) and + (not site_item.name in (_site_facts | map(attribute="name") | list)) and + not ('state' in site_item.keys() and site_item.state == 'absent') %} +{% set _ = _site_facts.append(site_item) %} {% endif %} +{% else %} +{# + # There are no sites defined. Simply add the current site to the facts. + #} +{% set _ = _site_facts.append(site_item) %} {% endif %} {{ _site_facts | to_nice_json }} diff --git a/templates/lookup/checkmk_server__sites.j2 b/templates/lookup/checkmk_server__sites.j2 index 9d31ae7..7e147ba 100644 --- a/templates/lookup/checkmk_server__sites.j2 +++ b/templates/lookup/checkmk_server__sites.j2 @@ -27,9 +27,24 @@ {% set _ = _local_site.update({_key: _value}) %} {% endif %} {% endfor %} +{# + # Set dependent role variables + #} +{% set _ = _local_site.update({'dependent_vars': {}}) %} +{% set _user = {'name': _local_site.user} %} +{% set _ = _user.update({'comment': 'OMD site ' + _local_site.name}) %} +{% set _ = _user.update({'shell': '/bin/bash'}) %} +{% set _ = _user.update({'home': _local_site.home}) %} +{% set _ = _local_site.dependent_vars.update({'users__accounts': [ _user ]}) %} +{# + # The site alias must be set + #} {% if not 'multisite_alias' in _local_site.keys() %} {% set _ = _local_site.update({'multisite_alias': 'Local site ' + _local_site.name}) %} {% endif %} +{# + # Make sure multisite url is properly defined + #} {% if not 'multisite_url' in _local_site.keys() %} {% set _ = _local_site.update({'multisite_url': ''}) %} {% endif %} 
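Review bot: The facts template now serializes the complete `site_item` dictionary into the local fact, and the fact file is installed with `mode: '0644'` elsewhere in this series, so any credential a site definition carries (a multisite sync password would be the obvious candidate, if such a key exists in `checkmk_server__sites`) becomes readable by every local account on the server; either strip such keys before appending, e.g. `{% set _ = site_item.pop('multisite_password', None) %}` ahead of each `_site_facts.append(site_item)`, or tighten the file mode, after confirming the real key names. The `HACK` branch also dereferences `_local_site.delegate_to` and `site_item.delegate_to` unguarded, so an entry written by an earlier version of the fact without that key raises an undefined-attribute error; `_local_site.delegate_to|d() == site_item.delegate_to|d()` keeps old fact files readable.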
@@ -105,6 +120,15 @@ {% set _ = _site_config.update({'user': _site_config.name}) %} {% set _ = _site_config.update({'group': _site_config.name}) %} {% set _ = _site_config.update({'home': checkmk_server__site_home|dirname + '/' + _site_config.name}) %} +{# + # Set dependent role variables + #} +{% set _ = _site_config.update({'dependent_vars': {}}) %} +{% set _user = {'name': _site_config.user} %} +{% set _ = _user.update({'comment': 'OMD site ' + _site_config.name}) %} +{% set _ = _user.update({'shell': '/bin/bash'}) %} +{% set _ = _user.update({'home': _site_config.home}) %} +{% set _ = _site_config.dependent_vars.update({'users__accounts': [ _user ]}) %} {# # SSH keypair setup #} From 3ea77231f9817c7114fd88e86e594cad3a6ef828 Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Mon, 10 Apr 2017 18:01:36 +0200 Subject: [PATCH 10/34] Adjust home that it matches the user created by 'omd' --- vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index 1600bf7..ebbddad 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -7,7 +7,7 @@ checkmk_server__user: '{{ checkmk_server__site }}' checkmk_server__group: '{{ checkmk_server__site }}' # Check_MK site chroot directory -checkmk_server__site_home: '/opt/omd/sites/{{ checkmk_server__site }}' +checkmk_server__site_home: '/omd/sites/{{ checkmk_server__site }}' # User properties used for user definition in users.mk checkmk_server__user_properties: [ 'alias', 'automation_secret', 'connector', From 333b001bb5fcef2965813cb7f57d9be6851895b6 Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Mon, 10 Apr 2017 18:27:57 +0200 Subject: [PATCH 11/34] Use user__dependent_accounts and etc_services__dependent_list from facts --- defaults/main.yml | 13 +--------- templates/lookup/checkmk_server__sites.j2 | 29 +++++++++++++++-------- 2 files changed, 20 insertions(+), 22 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 1d61f73..0ef1d32 100644 
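Review bot: The nine `dependent_vars`/`_user` lines added here are a verbatim copy of the block added to the local-site branch earlier in this file, differing only in the `_local_site`/`_site_config` prefix, and the two will drift as soon as one of them grows a field. A single shared section placed after both branches, deriving the account dictionary from the already-merged site dictionary, would keep the account definition in one place. As placed, the block also runs before the `SSH keypair setup` section that follows it, so the user dictionary cannot reflect any key-generation decision made there; the enclosing template section continues outside the hunk.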
--- a/defaults/main.yml +++ b/defaults/main.yml @@ -51,7 +51,6 @@ checkmk_server__ferm_dependent_rules: '{{ (checkmk_server__ferm_livestatus_rules if checkmk_server__multisite_livestatus else []) }}' # ]]] - # .. envvar:: checkmk_server__ferm_web_rules [[[ # # Firewall configuration for WATO Web access. @@ -89,16 +88,6 @@ checkmk_server__web_allow: [] # Check_MK Livestatus TCP socket. If list is empty, anyone can connect. checkmk_server__livestatus_allow: [] - # ]]] -# .. envvar:: checkmk_server__etc_services__dependent_list [[[ -# -# Add entry for Livestatus to :file:`/etc/services` using the -# ``debops.etc_services`` role. -checkmk_server__etc_services__dependent_list: - - name: 'check-mk-livestatus' - port: '{{ checkmk_server__livestatus_port }}' - comment: 'Check_MK server Livestatus' - # ]]] # .. envvar:: checkmk_server__livestatus_port [[[ # @@ -454,6 +443,7 @@ checkmk_server__distributed_sites_defaults: multisite_timeout: 10 multisite_user_login: True + # ]]] # .. envvar:: checkmk_server__site_config_path [[[ # # Configuration path for Check_MK main configurations. Relative to the site's @@ -670,4 +660,3 @@ checkmk_server__tls_options: # ]]] # ]]] # ]]] - # ]]] diff --git a/templates/lookup/checkmk_server__sites.j2 b/templates/lookup/checkmk_server__sites.j2 index 7e147ba..51d9d26 100644 --- a/templates/lookup/checkmk_server__sites.j2 +++ b/templates/lookup/checkmk_server__sites.j2 
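Review bot: Removing `checkmk_server__etc_services__dependent_list` leaves the firewall side of Livestatus on the old model: the context line `checkmk_server__ferm_dependent_rules` still switches on the single `checkmk_server__multisite_livestatus` flag, while the `/etc/services` entries now come per site from the facts. If that flag no longer reflects the per-site `livestatus_port` settings, the ferm rules and the `checkmk_server__livestatus_allow` list stop matching the ports actually opened, so the rules should be derived from the same per-site data so that every TCP Livestatus socket is covered by the allow-list. The variable was public, so its removal is also a breaking change for inventories that referenced it and deserves a changelog entry.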
@@ -35,7 +35,11 @@ {% set _ = _user.update({'comment': 'OMD site ' + _local_site.name}) %} {% set _ = _user.update({'shell': '/bin/bash'}) %} {% set _ = _user.update({'home': _local_site.home}) %} -{% set _ = _local_site.dependent_vars.update({'users__accounts': [ _user ]}) %} +{% if ('generate_keypair' in checkmk_server__sshkeys) and (not checkmk_server__sshkeys.generate_keypair == False) %} +{% set _ = _user.update({'generate_ssh_key': True }) %} +{% endif %} +{% set _ = _local_site.dependent_vars.update({'users__dependent_accounts': [ _user ]}) %} +{% set _ = _local_site.dependent_vars.update({'etc_services__dependent_list': []}) %} {# # The site alias must be set #} @@ -120,15 +124,6 @@ {% set _ = _site_config.update({'user': _site_config.name}) %} {% set _ = _site_config.update({'group': _site_config.name}) %} {% set _ = _site_config.update({'home': checkmk_server__site_home|dirname + '/' + _site_config.name}) %} -{# - # Set dependent role variables - #} -{% set _ = _site_config.update({'dependent_vars': {}}) %} -{% set _user = {'name': _site_config.user} %} -{% set _ = _user.update({'comment': 'OMD site ' + _site_config.name}) %} -{% set _ = _user.update({'shell': '/bin/bash'}) %} -{% set _ = _user.update({'home': _site_config.home}) %} -{% set _ = _site_config.dependent_vars.update({'users__accounts': [ _user ]}) %} {# # SSH keypair setup #} 
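Review bot: The local-site branch sets `etc_services__dependent_list: []`, so the local site's Livestatus port is no longer registered in `/etc/services` now that the global default doing so has been removed, while the distributed-site branch further down registers a `check-mk-livestatus-<name>` entry for each slave. If the local site exposes Livestatus over TCP as well, mirror that entry here, guarded by whatever flag enables the socket: `{% set _ = _local_site.dependent_vars.update({'etc_services__dependent_list': [{'name': 'check-mk-livestatus-' + _local_site.name, 'port': checkmk_server__livestatus_port, 'comment': 'Check_MK server Livestatus'}]}) %}`. The enclosing template section continues outside the hunk.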
@@ -139,6 +134,19 @@ {% set _ = _site_config.update({'sshkeys': checkmk_server__sshkeys}) %} {% endif %} {% endif %} +{# + # Set dependent role variables + #} +{% set _ = _site_config.update({'dependent_vars': {}}) %} +{% set _user = {'name': _site_config.user} %} +{% set _ = _user.update({'comment': 'OMD site ' + _site_config.name}) %} +{% set _ = _user.update({'shell': '/bin/bash'}) %} +{% set _ = _user.update({'home': _site_config.home}) %} +{% if 'generate_keypair' in _site_config.sshkeys %} +{% set _ = _user.update({'generate_ssh_key': _site_config.sshkeys.generate_keypair }) %} +{% set _ = _site_config.pop('sshkeys') %} +{% endif %} +{% set _ = _site_config.dependent_vars.update({'users__dependent_accounts': [ _user ]}) %} {# # Define TCP livestatus connection #} @@ -152,6 +160,7 @@ {% if not 'livestatus_socket' in _site_config.keys() %} {% set _ = _site_config.update({'livestatus_socket': 'tcp:' + _site_config.hostname + ':' + _site_config.livestatus_port}) %} {% endif %} +{% set _ = _site_config.dependent_vars.update({'etc_services__dependent_list': [{'name': 'check-mk-livestatus-' + _site_config.name, 'port': _site_config.livestatus_port, 'comment': 'Check_MK server Livestatus'}]}) %} {# # Define OMD configuration #} From 6b8fd58a2d2a0f243ec5ac41511c4780e1112d35 Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Tue, 11 Apr 2017 18:10:47 +0200 Subject: [PATCH 12/34] Make sure the checkmk_server/env tasks are run by all play hosts --- env/tasks/main.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/env/tasks/main.yml b/env/tasks/main.yml index 440f47c..847aba6 100644 --- a/env/tasks/main.yml +++ b/env/tasks/main.yml 
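Review bot: `{% if 'generate_keypair' in _site_config.sshkeys %}` dereferences `_site_config.sshkeys`, but the preceding context only sets that key inside an `{% if %}` block, so a distributed site without an sshkeys definition raises an undefined-attribute error while the lookup template renders. When the key is present, `_site_config.pop('sshkeys')` discards the whole dictionary, including the `privatekey_file`/`publickey_file` entries that the SSH key tasks added later in this series read from `site_item.sshkeys`. Guard the access and keep the dictionary: `{% if 'sshkeys' in _site_config and 'generate_keypair' in _site_config.sshkeys %}` followed by `{% set _ = _user.update({'generate_ssh_key': _site_config.sshkeys.generate_keypair}) %}` and no `pop`.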
@@ -1,8 +1,12 @@ --- - - debug: var: checkmk_server__sites +- name: Check that involved distributed sites servers are play hosts + assert: + that: checkmk_server__sites | map(attribute="delegate_to") | list | issubset(play_hosts) + msg: 'Make sure that playbook is run on all servers included in distributed sites. Not doing so might result in wrong variable defaults.' + - name: Install prerequisite packages apt: name: '{{ item }}' @@ -75,3 +79,6 @@ with_items: '{{ checkmk_server__sites }}' loop_control: loop_var: site_item + +- debug: + var: ansible_local.checkmk_server From 1737762b2fadfefd5cc7e404f4407f1127e94534 Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Tue, 11 Apr 2017 18:25:46 +0200 Subject: [PATCH 13/34] Leverage ssh key setup from debops.users role, set public key local fact --- env/tasks/facts.yml | 33 +---- tasks/facts.yml | 32 +++++ tasks/main.yml | 6 + tasks/site.yml | 117 ------------------ tasks/ssh.yml | 50 ++++++++ .../ansible/facts.d/checkmk_server.fact.j2 | 5 + 6 files changed, 94 insertions(+), 149 deletions(-) mode change 100644 => 120000 env/tasks/facts.yml create mode 100644 tasks/facts.yml create mode 100644 tasks/ssh.yml diff --git a/env/tasks/facts.yml b/env/tasks/facts.yml deleted file mode 100644 index 411c407..0000000 --- a/env/tasks/facts.yml +++ /dev/null 
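Review bot: The assert's expression `checkmk_server__sites | map(attribute="delegate_to")` fails with an undefined-attribute error for any site entry lacking `delegate_to`, which would hide the friendly message the task is meant to give; a preceding assert such as `that: checkmk_server__sites | selectattr('delegate_to', 'undefined') | list | length == 0` keeps this one reachable. The added `- debug: var: ansible_local.checkmk_server` prints the complete site dictionaries at default verbosity; if those entries can carry credentials, set `verbosity: 1` on it so they stay out of ordinary run logs.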
@@ -1,32 +0,0 @@ ---- -# -# Set site facts so that later tasks can depend on it -# - -- name: Persist site facts - block: - - - name: Make sure that local fact directory exists - file: - dest: '/etc/ansible/facts.d' - state: 'directory' - owner: 'root' - group: 'root' - mode: '0755' - - - name: Save Check_MK server local facts - template: - src: 'etc/ansible/facts.d/checkmk_server.fact.j2' - dest: '/etc/ansible/facts.d/checkmk_server.fact' - owner: 'root' - group: 'root' - mode: '0644' - register: checkmk_server__register_local_facts - - - name: Re-read local facts if they have been changed - action: setup - when: checkmk_server__register_local_facts | changed - - # Delegate entire block to corresponding host - delegate_to: '{{ site_item.delegate_to - if (not site_item.delegate_to == inventory_hostname) else omit }}' diff --git a/env/tasks/facts.yml b/env/tasks/facts.yml new file mode 120000 index 0000000..22d68dc --- /dev/null +++ b/env/tasks/facts.yml @@ -0,0 +1 @@ +../../tasks/facts.yml \ No newline at end of file diff --git a/tasks/facts.yml b/tasks/facts.yml new file mode 100644 index 0000000..411c407 --- /dev/null +++ b/tasks/facts.yml @@ -0,0 +1,32 @@ +--- +# +# Set site facts so that later tasks can depend on it +# + +- name: Persist site facts + block: + + - name: Make sure that local fact directory exists + file: + dest: '/etc/ansible/facts.d' + state: 'directory' + owner: 'root' + group: 'root' + mode: '0755' + + - name: Save Check_MK server local facts + template: + src: 'etc/ansible/facts.d/checkmk_server.fact.j2' + dest: '/etc/ansible/facts.d/checkmk_server.fact' + owner: 'root' + group: 'root' + mode: '0644' + register: checkmk_server__register_local_facts + + - name: Re-read local facts if they have been changed + action: setup + when: checkmk_server__register_local_facts | changed + + # Delegate entire block to corresponding host + delegate_to: '{{ site_item.delegate_to + if (not site_item.delegate_to == inventory_hostname) else omit }}' 
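Review bot: The fact file is written with `mode: '0644'`, and its template serializes the complete `site_item` dictionaries, so anything sensitive in a site definition becomes readable by every local account on the server. Fact files are read by the Ansible connection user, which with `become` is root, so `mode: '0600'` is usually sufficient; if unprivileged fact gathering is required, strip secret keys in the template instead. The `Re-read local facts` task runs `setup` inside a block that may be delegated, and without `delegate_facts: True` the facts gathered on the delegated host are stored under the current inventory host and overwrite its own `ansible_local`; add `delegate_facts: True` next to `delegate_to` for as long as this re-read stays in the block.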
diff --git a/tasks/main.yml b/tasks/main.yml index d1bb1b9..eb6b760 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -51,6 +51,12 @@ when: not checkmk_server__pki|d(False) and checkmk_server_register_mod_ssl.stat.exists notify: [ 'Reload apache2' ] +- name: Manage SSH keys for monitoring and site synchronization + include: ssh.yml + with_items: '{{ checkmk_server__sites }}' + loop_control: + loop_var: site_item + - name: Manage Check_MK site include: site.yml with_items: '{{ checkmk_server__sites }}' diff --git a/tasks/site.yml b/tasks/site.yml index 679ef73..a1cc677 100644 --- a/tasks/site.yml +++ b/tasks/site.yml @@ -5,22 +5,6 @@ - name: Run site setup block: - - name: Get Check_MK default version - stat: - path: '/omd/versions/default' - register: checkmk_server__register_default - check_mode: no - - - name: Set new default version - command: omd setversion '{{ site_item.version }}{{ checkmk_server__version_suffix }}' - when: (checkmk_server__register_default.stat.lnk_source | - basename) != (site_item.version + checkmk_server__version_suffix) - - - name: Create Check_MK site - command: omd create '{{ site_item.name }}' - args: - creates: '{{ site_item.home }}/etc/omd/site.conf' - - name: Get Check_MK site version command: omd version '{{ site_item.name }}' register: checkmk_server__register_site_version 
@@ -84,107 +68,6 @@ command: omd start '{{ site_item.name }}' when: checkmk_server__register_omd_stop | changed - - name: Create .ssh directory - file: - path: '{{ site_item.home }}/.ssh' - state: directory - owner: '{{ site_item.user }}' - group: '{{ site_item.group }}' - mode: '0700' - when: site_item.sshkeys - - - name: Generate SSH keypair - become_user: '{{ site_item.user }}' - command: 'ssh-keygen {{ "-b " + site_item.sshkeys.keysize if "keysize" in site_item.sshkeys else "-b 4096" }} -f {{ site_item.home }}/.ssh/id_rsa -N ""' - args: - creates: '{{ site_item.home }}/.ssh/id_rsa' - when: site_item.sshkeys and site_item.sshkeys.generate_keypair|d(False) - -# - name: Fix SSH keypair ownership -# file: -# path: '{{ checkmk_server__site_home }}/.ssh/{{ item }}' -# owner: '{{ checkmk_server__user }}' -# group: '{{ checkmk_server__group }}' -# ignore_errors: '{{ ansible_check_mode }}' -# with_items: [ 'id_rsa', 'id_rsa.pub' ] -# when: checkmk_server__sshkeys|d() and -# ("generate_keypair" in checkmk_server__sshkeys|d() and -# checkmk_server__sshkeys.generate_keypair) - - - name: Copy SSH private key - copy: - src: '{{ site_item.sshkeys.privatekey_file }}' - dest: '{{ site_item.home }}/.ssh/id_rsa' - owner: '{{ site_item.user }}' - group: '{{ site_item.group }}' - mode: '0600' - when: site_item.sshkeys and site_item.sshkeys.privatekey_file|d(False) - - - name: Copy SSH public key - copy: - src: '{{ site_item.sshkeys.publickey_file }}' - dest: '{{ site_item.home }}/.ssh/id_rsa.pub' - owner: '{{ site_item.user }}' - group: '{{ site_item.group }}' - mode: '0644' - when: site_item.sshkeys and site_item.sshkeys.publickey_file|d(False) - -# - name: Read SSH public key -# command: 'cat {{ checkmk_server__site_home }}/.ssh/id_rsa.pub' -# changed_when: False -# ignore_errors: '{{ ansible_check_mode }}' -# register: checkmk_server__register_ssh_public_key -# when: checkmk_server__sshkeys|d() - -# - name: Query installed Check_MK packages -# command: mkp list -# become_user: 
'{{ checkmk_server__user }}' -# become_flags: '-i' -# changed_when: False -# always_run: True -# register: checkmk_server__register_mkp -# tags: -# - 'role::checkmk_server:mkp' - -# - name: Download Check_MK packages -# get_url: -# url: '{{ item.url }}' -# dest: '{{ checkmk_server__site_home }}/tmp' -# checksum: '{{ item.checksum|d(omit) }}' -# when: ('url' in item) and -# (item.name not in checkmk_server__register_mkp.stdout_lines) -# register: checkmk_server__register_mkp_download -# with_items: '{{ checkmk_server__site_packages }}' -# tags: -# - 'role::checkmk_server:mkp' - -# - name: Upload Check_MK packages -# copy: -# src: '{{ item.path }}' -# dest: '{{ checkmk_server__site_home }}/tmp' -# when: ('path' in item) and -# (item.name not in checkmk_server__register_mkp.stdout_lines) -# register: checkmk_server__register_mkp_upload -# with_items: '{{ checkmk_server__site_packages }}' -# tags: -# - 'role::checkmk_server:mkp' - -# - name: Install Check_MK packages -# command: mkp install '{{ item.dest|d() }}' -# become_user: '{{ checkmk_server__user }}' -# become_flags: '-i' -# when: not (item | skipped) -# with_flattened: -# - '{{ checkmk_server__register_mkp_download.results }}' -# - '{{ checkmk_server__register_mkp_upload.results }}' -# tags: -# - 'role::checkmk_server:mkp' - - rescue: - - name: Print current site configuration - debug: - var: site_item - # delegate block delegate_to: '{{ site_item.delegate_to if (not site_item.delegate_to == inventory_hostname) else omit }}' diff --git a/tasks/ssh.yml b/tasks/ssh.yml new file mode 100644 index 0000000..db77526 --- /dev/null +++ b/tasks/ssh.yml 
@@ -0,0 +1,50 @@ +--- + +- name: Handle SSH keys + block: + + - name: Create .ssh directory + file: + path: '{{ site_item.home }}/.ssh' + state: directory + owner: '{{ site_item.user }}' + group: '{{ site_item.group }}' + mode: '0700' + when: ('sshkeys' in site_item) and site_item.sshkeys + + - name: Copy SSH private key + copy: + src: '{{ site_item.sshkeys.privatekey_file }}' + dest: '{{ site_item.home }}/.ssh/id_rsa' + owner: '{{ site_item.user }}' + group: '{{ site_item.group }}' + mode: '0600' + when: ('sshkeys' in site_item) and + site_item.sshkeys.privatekey_file|d(False) + + - name: Copy SSH public key + copy: + src: '{{ site_item.sshkeys.publickey_file }}' + dest: '{{ site_item.home }}/.ssh/id_rsa.pub' + owner: '{{ site_item.user }}' + group: '{{ site_item.group }}' + mode: '0644' + when: ('sshkeys' in site_item) and + site_item.sshkeys.publickey_file|d(False) + + - name: Read SSH public key + command: 'cat {{ site_item.home }}/.ssh/id_rsa.pub' + register: checkmk_server__register_ssh_public_key + changed_when: False + + - name: Show SSH public key of site '{{ site_item.name }}' + debug: + var: checkmk_server__register_ssh_public_key.stdout + verbosity: 1 + + - name: Re-generate local facts + include: facts.yml + + # delegate block + delegate_to: '{{ site_item.delegate_to + if (not site_item.delegate_to == inventory_hostname) else omit }}' diff --git a/templates/etc/ansible/facts.d/checkmk_server.fact.j2 b/templates/etc/ansible/facts.d/checkmk_server.fact.j2 index 71d34a9..5a836c4 100644 --- a/templates/etc/ansible/facts.d/checkmk_server.fact.j2 +++ b/templates/etc/ansible/facts.d/checkmk_server.fact.j2 
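Review bot: The `Copy SSH private key` task handles key material but has no `no_log`, so a run with `--diff`, or a failure inside the `copy` module, can print the private key into the controller output and any log collector; add `no_log: True` to that task. The `Read SSH public key` task is unconditional, so the block fails for a site that defines no `sshkeys` and has no `id_rsa.pub` yet, and because the block is delegated that failure aborts every later task for the host; `failed_when: False` (keeping `changed_when: False`) lets the facts template's existing `stdout | length > 0` guard handle the missing key. Both points apply equally to the copy of this file introduced as `tasks/ssh_keys.yml` later in the series.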
@@ -25,6 +25,11 @@ # TODO: merge _local_site and site_item #} {% elif (not ('state' in site_item.keys() and site_item.state == 'absent')) %} +{% if checkmk_server__register_ssh_public_key|d() and + 'stdout' in checkmk_server__register_ssh_public_key and + checkmk_server__register_ssh_public_key.stdout | length > 0 %} +{% set _ = site_item.update({'ssh_public_key': checkmk_server__register_ssh_public_key.stdout}) %} +{% endif %} {% set _ = _site_facts.append(site_item) %} {% endif %} {% endfor %} From 81f078ae443bfcafb1050adfcf48f171d559b9bd Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Wed, 12 Apr 2017 07:08:55 +0200 Subject: [PATCH 14/34] Read correct facts after changes, add SSH authorized_keys setup --- env/tasks/create_sites.yml | 6 ++++ env/tasks/main.yml | 3 ++ tasks/facts.yml | 10 +++--- tasks/main.yml | 3 -- tasks/site.yml | 9 +++++- tasks/ssh.yml | 62 +++++++++----------------------------- tasks/ssh_keys.yml | 56 ++++++++++++++++++++++++++++++++++ tasks/ssh_login.yml | 21 +++++++++++++ 8 files changed, 114 insertions(+), 56 deletions(-) create mode 100644 tasks/ssh_keys.yml create mode 100644 tasks/ssh_login.yml diff --git a/env/tasks/create_sites.yml b/env/tasks/create_sites.yml index 1ed1662..f81379f 100644 --- a/env/tasks/create_sites.yml +++ b/env/tasks/create_sites.yml @@ -1,4 +1,10 @@ --- +# IMPORTANT: +# These tasks are run for each Check_MK site defined +# in `checkmk_server__sites`. This means they can run multiple +# times per server. If the monitoring site is a remote slave, +# they might even run on a different server. The site configuration +# is available through `site_item`. - name: Create Check_MK site command: omd create '{{ site_item.name }}' diff --git a/env/tasks/main.yml b/env/tasks/main.yml index 847aba6..d4f74c5 100644 --- a/env/tasks/main.yml +++ b/env/tasks/main.yml @@ -80,5 +80,8 @@ loop_control: loop_var: site_item +- name: Re-read local facts + action: setup + - debug: var: ansible_local.checkmk_server 
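Review bot: `ssh_public_key` is only attached in the `elif` branch for a site that already has a fact entry; the two append paths for a site not yet in the facts, further down in this template, still add `site_item` without the key, so the key is only recorded once the entry exists from a previous write. Hoist the update above the loop so every path sees it: `{% if checkmk_server__register_ssh_public_key|d() and 'stdout' in checkmk_server__register_ssh_public_key and checkmk_server__register_ssh_public_key.stdout | length > 0 %}`, `{% set _ = site_item.update({'ssh_public_key': checkmk_server__register_ssh_public_key.stdout}) %}`, `{% endif %}`. Note that `site_item.update` mutates the loop item in place and that the registered variable is whatever the last `cat` task produced, so the template depends on that task having run for this same site immediately before; a comment at the top of the template stating both assumptions would help the next reader. The enclosing `{% for %}` loop extends beyond the hunk.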
diff --git a/tasks/facts.yml b/tasks/facts.yml index 411c407..5c9225a 100644 --- a/tasks/facts.yml +++ b/tasks/facts.yml @@ -2,6 +2,12 @@ # # Set site facts so that later tasks can depend on it # +# IMPORTANT: +# These tasks are run for each Check_MK site defined +# in `checkmk_server__sites`. This means they can run multiple +# times per server. If the monitoring site is a remote slave, +# they might even run on a different server. The site configuration +# is available through `site_item`. - name: Persist site facts block: @@ -23,10 +29,6 @@ mode: '0644' register: checkmk_server__register_local_facts - - name: Re-read local facts if they have been changed - action: setup - when: checkmk_server__register_local_facts | changed - # Delegate entire block to corresponding host delegate_to: '{{ site_item.delegate_to if (not site_item.delegate_to == inventory_hostname) else omit }}' diff --git a/tasks/main.yml b/tasks/main.yml index eb6b760..672f54a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -53,9 +53,6 @@ - name: Manage SSH keys for monitoring and site synchronization include: ssh.yml - with_items: '{{ checkmk_server__sites }}' - loop_control: - loop_var: site_item - name: Manage Check_MK site include: site.yml diff --git a/tasks/site.yml b/tasks/site.yml index a1cc677..1dbeac3 100644 --- a/tasks/site.yml +++ b/tasks/site.yml @@ -1,8 +1,15 @@ --- # vim: foldmarker=[[[,]]]:foldmethod=marker +# IMPORTANT: +# These tasks are run for each Check_MK site defined +# in `checkmk_server__sites`. This means they can run multiple +# times per server. If the monitoring site is a remote slave, +# they might even run on a different server. The site configuration +# is available through `site_item`. + # Check_MK site configuration [[[1 -- name: Run site setup +- name: Site configuration via omd block: - name: Get Check_MK site version diff --git a/tasks/ssh.yml b/tasks/ssh.yml index db77526..604cb7b 100644 --- a/tasks/ssh.yml +++ b/tasks/ssh.yml 
@@ -1,50 +1,16 @@ --- -- name: Handle SSH keys - block: - - - name: Create .ssh directory - file: - path: '{{ site_item.home }}/.ssh' - state: directory - owner: '{{ site_item.user }}' - group: '{{ site_item.group }}' - mode: '0700' - when: ('sshkeys' in site_item) and site_item.sshkeys - - - name: Copy SSH private key - copy: - src: '{{ site_item.sshkeys.privatekey_file }}' - dest: '{{ site_item.home }}/.ssh/id_rsa' - owner: '{{ site_item.user }}' - group: '{{ site_item.group }}' - mode: '0600' - when: ('sshkeys' in site_item) and - site_item.sshkeys.privatekey_file|d(False) - - - name: Copy SSH public key - copy: - src: '{{ site_item.sshkeys.publickey_file }}' - dest: '{{ site_item.home }}/.ssh/id_rsa.pub' - owner: '{{ site_item.user }}' - group: '{{ site_item.group }}' - mode: '0644' - when: ('sshkeys' in site_item) and - site_item.sshkeys.publickey_file|d(False) - - - name: Read SSH public key - command: 'cat {{ site_item.home }}/.ssh/id_rsa.pub' - register: checkmk_server__register_ssh_public_key - changed_when: False - - - name: Show SSH public key of site '{{ site_item.name }}' - debug: - var: checkmk_server__register_ssh_public_key.stdout - verbosity: 1 - - - name: Re-generate local facts - include: facts.yml - - # delegate block - delegate_to: '{{ site_item.delegate_to - if (not site_item.delegate_to == inventory_hostname) else omit }}' +- name: Manage SSH keys for monitoring and site synchronization + include: ssh_keys.yml + with_items: '{{ checkmk_server__sites }}' + loop_control: + loop_var: site_item + +- name: Re-read local facts + action: setup + +- name: Setup SSH public key login on slave sites + include: ssh_login.yml + with_items: '{{ checkmk_server__sites }}' + loop_control: + loop_var: site_item diff --git a/tasks/ssh_keys.yml b/tasks/ssh_keys.yml new file mode 100644 index 0000000..a80c8c0 --- /dev/null +++ b/tasks/ssh_keys.yml 
@@ -0,0 +1,56 @@ +--- +# IMPORTANT: +# These tasks are run for each Check_MK site defined +# in `checkmk_server__sites`. This means they can run multiple +# times per server. If the monitoring site is a remote slave, +# they might even run on a different server. The site configuration +# is available through `site_item`. + +- name: Upload and read SSH key + block: + + - name: Create .ssh directory + file: + path: '{{ site_item.home }}/.ssh' + state: directory + owner: '{{ site_item.user }}' + group: '{{ site_item.group }}' + mode: '0700' + when: ('sshkeys' in site_item) and site_item.sshkeys + + - name: Copy SSH private key + copy: + src: '{{ site_item.sshkeys.privatekey_file }}' + dest: '{{ site_item.home }}/.ssh/id_rsa' + owner: '{{ site_item.user }}' + group: '{{ site_item.group }}' + mode: '0600' + when: ('sshkeys' in site_item) and + site_item.sshkeys.privatekey_file|d(False) + + - name: Copy SSH public key + copy: + src: '{{ site_item.sshkeys.publickey_file }}' + dest: '{{ site_item.home }}/.ssh/id_rsa.pub' + owner: '{{ site_item.user }}' + group: '{{ site_item.group }}' + mode: '0644' + when: ('sshkeys' in site_item) and + site_item.sshkeys.publickey_file|d(False) + + - name: Read SSH public key + command: 'cat {{ site_item.home }}/.ssh/id_rsa.pub' + register: checkmk_server__register_ssh_public_key + changed_when: False + + - name: Show SSH public key of site '{{ site_item.name }}' + debug: + var: checkmk_server__register_ssh_public_key.stdout + verbosity: 1 + + - name: Re-generate local facts + include: facts.yml + + # delegate block + delegate_to: '{{ site_item.delegate_to + if (not site_item.delegate_to == inventory_hostname) else omit }}' diff --git a/tasks/ssh_login.yml b/tasks/ssh_login.yml new file mode 100644 index 0000000..c3796f6 --- /dev/null +++ b/tasks/ssh_login.yml 
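Review bot: The `.ssh` directory and the key copies are only created when `site_item.sshkeys` is set, yet the sites template pops `sshkeys` from distributed sites that request `generate_keypair`, so for those sites every task here except `Read SSH public key` is skipped and the `cat` depends entirely on the users role having generated `id_rsa.pub` beforehand. That ordering requirement is not stated anywhere in the file; extend the `IMPORTANT` header with a line such as `# Requires debops.users to have created the site account and generated its key pair (generate_ssh_key) before this runs.` Without it a different playbook ordering fails in the `cat` task with a missing-file error that does not point at the cause.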
@@ -0,0 +1,21 @@ +--- +# IMPORTANT: +# These tasks are run for each Check_MK site defined +# in `checkmk_server__sites`. This means they can run multiple +# times per server. If the monitoring site is a remote slave, +# they might even run on a different server. The site configuration +# is available through `site_item`. + +- block: + + - name: Allow SSH login from master site + authorized_key: + user: '{{ site_item.user }}' + key: '{{ item.ssh_public_key }}' + when: item.name == site_item.master_site + with_items: '{{ hostvars[site_item.master_delegate_to].ansible_local.checkmk_server + if ("master_delegate_to" in site_item.keys()) else [] }}' + + # delegate block + delegate_to: '{{ site_item.delegate_to + if (not site_item.delegate_to == inventory_hostname) else omit }}' From a726abff91497114451deeaf4097673179740539 Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Wed, 12 Apr 2017 07:26:49 +0200 Subject: [PATCH 15/34] Add users to 'sshusers' group which allows SSH login --- templates/lookup/checkmk_server__sites.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/templates/lookup/checkmk_server__sites.j2 b/templates/lookup/checkmk_server__sites.j2 index 51d9d26..7e1886d 100644 --- a/templates/lookup/checkmk_server__sites.j2 +++ b/templates/lookup/checkmk_server__sites.j2 @@ -18,7 +18,6 @@ {% set _ = _local_site.update({'multisite_replication': ''}) %} {% set _ = _local_site.update({'name': checkmk_server__site}) %} {% set _ = _local_site.update({'omd_config': checkmk_server__omd_config}) %} -{% set _ = _local_site.update({'sshkeys': checkmk_server__sshkeys}) %} {% set _ = _local_site.update({'update': checkmk_server__site_update}) %} {% set _ = _local_site.update({'user': checkmk_server__site}) %} {% set _ = _local_site.update({'version': checkmk_server__version}) %} 
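Review bot: The `authorized_key` task installs the master site's key without any restriction, so the master's private key yields a full interactive shell on the slave as the site user, although its only use in this series is an rsync of the WATO directories. Limit it with `key_options: 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding'` (and a `from="<master address>"` clause if the master has a stable address) so a compromised master key cannot be turned into a general foothold. Keys are also only ever added: rotating the master key leaves the old one authorized, so consider `exclusive: True` if the site user should accept only this key, or a matching `state: absent` path for keys no longer present in the facts. The `key` value is read from `hostvars[...].ansible_local`, so it is only as fresh as the last `setup` run on the master host.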
@@ -35,11 +34,13 @@ {% set _ = _user.update({'comment': 'OMD site ' + _local_site.name}) %} {% set _ = _user.update({'shell': '/bin/bash'}) %} {% set _ = _user.update({'home': _local_site.home}) %} +{% set _ = _user.update({'groups': 'sshusers'}) %} {% if ('generate_keypair' in checkmk_server__sshkeys) and (not checkmk_server__sshkeys.generate_keypair == False) %} {% set _ = _user.update({'generate_ssh_key': True }) %} {% endif %} {% set _ = _local_site.dependent_vars.update({'users__dependent_accounts': [ _user ]}) %} {% set _ = _local_site.dependent_vars.update({'etc_services__dependent_list': []}) %} + {# # The site alias must be set #} @@ -142,6 +143,7 @@ {% set _ = _user.update({'comment': 'OMD site ' + _site_config.name}) %} {% set _ = _user.update({'shell': '/bin/bash'}) %} {% set _ = _user.update({'home': _site_config.home}) %} +{% set _ = _user.update({'groups': 'sshusers'}) %} {% if 'generate_keypair' in _site_config.sshkeys %} {% set _ = _user.update({'generate_ssh_key': _site_config.sshkeys.generate_keypair }) %} {% set _ = _site_config.pop('sshkeys') %} From 81810fd0a9dbf5b8b3e6553b097465d44a816f76 Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Wed, 12 Apr 2017 18:54:26 +0200 Subject: [PATCH 16/34] Run config synchronization to slave site via rsync --- tasks/main.yml | 10 +++------- tasks/sync.yml | 23 +++++++++++++++++++++++ 2 files changed, 26 insertions(+), 7 deletions(-) create mode 100644 tasks/sync.yml diff --git a/tasks/main.yml b/tasks/main.yml index 672f54a..1a60629 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -77,7 +77,7 @@ - name: Manage WATO and monitoring rules include: wato.yml - when: checkmk_server__site != False + when: (checkmk_server__sites | length) > 0 - name: Upload configuration to slave sites include: sync.yml 
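Review bot: Adding `groups: 'sshusers'` in both branches grants interactive SSH login to every OMD site account, including the local/master site whose account is never an rsync target; the sync tasks in this series only push to `site_item.user@site_item.hostname` for sites whose `multisite_replication` is `'slave'`. Restrict the membership to that case, e.g. in the distributed branch `{% if _site_config.multisite_replication|d() == 'slave' %}{% set _ = _user.update({'groups': 'sshusers'}) %}{% endif %}`, and drop it from the local-site branch, assuming `_site_config` carries `multisite_replication` like `site_item` does. The group name is hard-coded twice; a `checkmk_server__ssh_group` default would keep it in one place and configurable. Both hunks sit inside template sections that extend beyond this diff.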
@@ -87,9 +87,5 @@ loop_control: loop_var: site_item tags: - - 'role::checkmk_server:multisite' - - 'debug' - -- fail: - msg: 'Check what happend so far' - + - role::checkmk_server:rules + - role::checkmk_server:multisite diff --git a/tasks/sync.yml b/tasks/sync.yml new file mode 100644 index 0000000..d9575fe --- /dev/null +++ b/tasks/sync.yml @@ -0,0 +1,23 @@ +--- +# IMPORTANT: +# These tasks are run for each Check_MK site defined +# in `checkmk_server__sites`. This means they can run multiple +# times per server. If the monitoring site is a remote slave, +# they might even run on a different server. The site configuration +# is available through `site_item`. + +- name: Synchronize multisite configuration to slave sites + become_user: '{{ site_item.master_site }}' + command: 'rsync --archive --verbose --rsh="ssh -o BatchMode=yes -o StrictHostKeyChecking=no" {{ checkmk_server__site_home }}/{{ item }}/. {{ site_item.user }}@{{ site_item.hostname }}:{{ site_item.home }}/{{ item }}/' + delegate_to: '{{ site_item.master_delegate_to }}' + with_items: + - [ '{{ checkmk_server__multisite_config_path }}/wato', '{{ checkmk_server__site_config_path }}/wato' ] + register: checkmk_server__register_site_sync + changed_when: ('stdout_lines' in checkmk_server__register_site_sync) and + (checkmk_server__register_site_sync.stdout_lines | length > 4) + +- name: Reload slave site configuration + command: '{{ site_item.home }}/bin/cmk --reload' + environment: + OMD_ROOT: '/omd/sites/{{ site_item.name }}' + delegate_to: '{{ site_item.delegate_to }}' From e51f79ff17cceb4e4d4bc95c66c3c40cc0b356fa Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Thu, 13 Apr 2017 07:17:54 +0200 Subject: [PATCH 17/34] Update playbook to use the 'checkmk_server/env' and 'debops.users' roles --- docs/playbooks/checkmk_server.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/docs/playbooks/checkmk_server.yml b/docs/playbooks/checkmk_server.yml index e169df7..209c5af 100644 
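Review bot: The rsync transport in `Synchronize multisite configuration to slave sites` passes `-o StrictHostKeyChecking=no`, so the WATO configuration is pushed to whichever host answers for `site_item.fqdn`; pinning the slave's host key beforehand with the `known_hosts` module (key obtained out of band, e.g. a `<SLAVE_HOST_KEY>` placeholder supplied from inventory) and dropping that option makes the sync verify the peer. The `changed_when` heuristic of more than four `stdout_lines` is fragile against rsync's output format; `--itemize-changes` with a check for transfer-marker lines is more robust, or at least the threshold deserves a comment explaining which header/summary lines it skips. `Reload slave site configuration` runs on every play even when nothing was transferred; `when: checkmk_server__register_site_sync | changed` (the file's existing idiom) ties it to the sync result. `become_user` is set without `become: True`, so it only takes effect if become is enabled elsewhere.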
--- a/docs/playbooks/checkmk_server.yml +++ b/docs/playbooks/checkmk_server.yml @@ -6,11 +6,16 @@ roles: + - role: debops-contrib.checkmk_server/env + tags: [ 'role::checkmk_server', 'role::checkmk_server:env' ] + + - role: debops.users + tags: [ 'role::users' ] + users__dependent_accounts: '{{ ansible_local.checkmk_server | map(attribute="dependent_vars.users__dependent_accounts") | list }}' + - role: debops.etc_services tags: [ 'role::etc_services' ] - etc_services__dependent_list: - - '{{ checkmk_server__etc_services__dependent_list }}' - when: checkmk_server__multisite_livestatus|d() + etc_services__dependent_list: '{{ ansible_local.checkmk_server | map(attribute="dependent_vars.etc_services__dependent_list") | list }}' - role: debops.ferm tags: [ 'role::ferm' ] From 0d0a2fb954b43591bab45617a033546494e49c31 Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Thu, 20 Apr 2017 08:19:29 +0200 Subject: [PATCH 18/34] Rename 'checkmk_server__hostname' to 'checkmk_server__fqdn' for consistency --- defaults/main.yml | 14 ++++++-------- tasks/sync.yml | 2 +- templates/lookup/checkmk_server__sites.j2 | 18 +++++++++--------- 3 files changed, 16 insertions(+), 18 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0ef1d32..9771d55 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -128,22 +128,20 @@ checkmk_server__prerequisite_packages: [ 'apache2', 'python-passlib' ] checkmk_server__site: 'debops' # ]]] -# .. envvar:: checkmk_server__hostname [[[ +# .. envvar:: checkmk_server__fqdn [[[ # # Set Check_MK server DNS hostname (e. g. for agent download, API calls, ...). -# FIXME: Rename to checkmk_server__fqdn. -checkmk_server__hostname: '{{ ansible_local.core.fqdn - if (ansible_local|d() and ansible_local.core|d() and - ansible_local.core.fqdn|d()) - else ansible_fqdn }}' +checkmk_server__fqdn: '{{ ansible_local.core.fqdn + if (ansible_local|d() and ansible_local.core|d() and + ansible_local.core.fqdn|d()) + else ansible_fqdn }}' # ]]] # .. envvar:: checkmk_server__site_url [[[ # # Check_MK server site URL. checkmk_server__site_url: '{{ ("https://" if checkmk_server__pki else "http://") + - checkmk_server__hostname + "/" + - checkmk_server__site + checkmk_server__fqdn + "/" + checkmk_server__site if checkmk_server__site|d() else "" }}' # ]]] diff --git a/tasks/sync.yml b/tasks/sync.yml index d9575fe..30252cd 100644 --- a/tasks/sync.yml +++ b/tasks/sync.yml @@ -8,7 +8,7 @@ - name: Synchronize multisite configuration to slave sites become_user: '{{ site_item.master_site }}' - command: 'rsync --archive --verbose --rsh="ssh -o BatchMode=yes -o StrictHostKeyChecking=no" {{ checkmk_server__site_home }}/{{ item }}/. {{ site_item.user }}@{{ site_item.hostname }}:{{ site_item.home }}/{{ item }}/' + command: 'rsync --archive --verbose --rsh="ssh -o BatchMode=yes -o StrictHostKeyChecking=no" {{ checkmk_server__site_home }}/{{ item }}/. {{ site_item.user }}@{{ site_item.fqdn }}:{{ site_item.home }}/{{ item }}/' delegate_to: '{{ site_item.master_delegate_to }}' with_items: - [ '{{ checkmk_server__multisite_config_path }}/wato', '{{ checkmk_server__site_config_path }}/wato' ] diff --git a/templates/lookup/checkmk_server__sites.j2 b/templates/lookup/checkmk_server__sites.j2 index 7e1886d..8944ce6 100644 --- a/templates/lookup/checkmk_server__sites.j2 
+++ b/templates/lookup/checkmk_server__sites.j2 @@ -14,7 +14,7 @@ {% set _ = _local_site.update({'delegate_to': inventory_hostname}) %} {% set _ = _local_site.update({'group': checkmk_server__site}) %} {% set _ = _local_site.update({'home': checkmk_server__site_home}) %} -{% set _ = _local_site.update({'hostname': checkmk_server__hostname}) %} +{% set _ = _local_site.update({'fqdn': checkmk_server__fqdn}) %} {% set _ = _local_site.update({'multisite_replication': ''}) %} {% set _ = _local_site.update({'name': checkmk_server__site}) %} {% set _ = _local_site.update({'omd_config': checkmk_server__omd_config}) %} @@ -108,15 +108,15 @@ {% set _ = _site_config.update({'master_delegate_to': inventory_hostname}) %} {% endif %} {# - # If hostname for the site is not defined, query server facts + # If fqdn for the site is not defined, query server facts #} -{% if not 'hostname' in _site_config %} -{% if 'checkmk_server__hostname' in hostvars[_site_config.delegate_to].keys() %} -{% set _ = _site_config.update({'hostname': hostvars[_site_config.delegate_to].checkmk_server__hostname}) %} +{% if not 'fqdn' in _site_config %} +{% if 'checkmk_server__fqdn' in hostvars[_site_config.delegate_to].keys() %} +{% set _ = _site_config.update({'fqdn': hostvars[_site_config.delegate_to].checkmk_server__fqdn}) %} {% elif 'ansible_fqdn' in hostvars[_site_config.delegate_to].keys() %} -{% set _ = _site_config.update({'hostname': hostvars[_site_config.delegate_to].ansible_fqdn}) %} +{% set _ = _site_config.update({'fqdn': hostvars[_site_config.delegate_to].ansible_fqdn}) %} {% else %} -{% set _ = _site_config.update({'hostname': _site_config.delegate_to + "." + ansible_domain}) %} +{% set _ = _site_config.update({'fqdn': _site_config.delegate_to + "." + ansible_domain}) %} {% endif %} {% endif %} {# 
@@ -160,7 +160,7 @@ {% endif %} {% endif %} {% if not 'livestatus_socket' in _site_config.keys() %} -{% set _ = _site_config.update({'livestatus_socket': 'tcp:' + _site_config.hostname + ':' + _site_config.livestatus_port}) %} +{% set _ = _site_config.update({'livestatus_socket': 'tcp:' + _site_config.fqdn + ':' + _site_config.livestatus_port}) %} {% endif %} {% set _ = _site_config.dependent_vars.update({'etc_services__dependent_list': [{'name': 'check-mk-livestatus-' + _site_config.name, 'port': _site_config.livestatus_port, 'comment': 'Check_MK server Livestatus'}]}) %} {# @@ -199,7 +199,7 @@ #} {% if not 'multisite_url' in _site_config.keys() %} {# TODO: properly set http/https #} -{% set _ = _site_config.update({'multisite_url': 'https://' + _site_config.hostname + _site_config.multisite_url_prefix + 'check_mk/'}) %} +{% set _ = _site_config.update({'multisite_url': 'https://' + _site_config.fqdn + _site_config.multisite_url_prefix + 'check_mk/'}) %} {% endif %} {# # Make sure 'disabled' is defined From 5b01f6c7a638e70b86211890b62bd4cf265963b3 Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Thu, 20 Apr 2017 22:39:21 +0200 Subject: [PATCH 19/34] Fix applying custom patches, remove env role debugging --- defaults/main.yml | 4 ++-- .../check-mk-raw-1.2.8-read-X-Forwarded-Port-header.patch | 0 .../check-mk-raw-1.2.8-set-https-proxy-header.patch | 0 ...heck-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch | 0 env/tasks/main.yml | 8 -------- 5 files changed, 2 insertions(+), 10 deletions(-) rename {files => env/files}/check-mk-raw-1.2.8-read-X-Forwarded-Port-header.patch (100%) rename {files => env/files}/check-mk-raw-1.2.8-set-https-proxy-header.patch (100%) rename {files => env/files}/check-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch (100%) diff --git a/defaults/main.yml b/defaults/main.yml index 9771d55..254abcf 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -38,9 +38,9 @@ checkmk_server__site_update: False # Custom patches to apply after installing Check_MK package checkmk_server__patches: - patch: 'check-mk-raw-1.2.8-set-https-proxy-header.patch' - file: '/omd/versions/{{ checkmk_server__version }}{{ checkmk_version__suffix }}/skel/etc/apache/apache-own.conf' + file: '/omd/versions/{{ checkmk_server__version }}{{ checkmk_server__version_suffix }}/skel/etc/apache/apache-own.conf' - patch: 'check-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch' - file: '/omd/versions/{{ checkmk_server__version }}{{ checkmk_version__suffix }}/skel/etc/apache/conf.d/omd.conf' + file: '/omd/versions/{{ checkmk_server__version }}{{ checkmk_server__version_suffix }}/skel/etc/apache/conf.d/omd.conf' # ]]] # .. envvar:: checkmk_server__ferm_dependent_rules [[[ diff --git a/files/check-mk-raw-1.2.8-read-X-Forwarded-Port-header.patch b/env/files/check-mk-raw-1.2.8-read-X-Forwarded-Port-header.patch similarity index 100% rename from files/check-mk-raw-1.2.8-read-X-Forwarded-Port-header.patch rename to env/files/check-mk-raw-1.2.8-read-X-Forwarded-Port-header.patch diff --git a/files/check-mk-raw-1.2.8-set-https-proxy-header.patch b/env/files/check-mk-raw-1.2.8-set-https-proxy-header.patch similarity index 100% rename from files/check-mk-raw-1.2.8-set-https-proxy-header.patch rename to env/files/check-mk-raw-1.2.8-set-https-proxy-header.patch diff --git a/files/check-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch b/env/files/check-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch similarity index 100% rename from files/check-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch rename to env/files/check-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch diff --git a/env/tasks/main.yml b/env/tasks/main.yml index d4f74c5..8e245e9 100644 --- a/env/tasks/main.yml +++ b/env/tasks/main.yml 
@@ -1,7 +1,4 @@ --- -- debug: - var: checkmk_server__sites - - name: Check that involved distributed sites servers are play hosts assert: that: checkmk_server__sites | map(attribute="delegate_to") | list | issubset(play_hosts) @@ -34,7 +31,6 @@ if (not checkmk_server__register_download | skipped) else checkmk_server__raw_package }}' state: present - ignore_errors: '{{ ansible_check_mode }}' register: checkmk_server__register_deb_install when: (not checkmk_server__register_version.stdout) and ((checkmk_server__raw_package | splitext)[1] == '.deb') @@ -52,7 +48,6 @@ src: '{{ item.patch }}' dest: '{{ item.file }}' basedir: '/' - ignore_errors: '{{ ansible_check_mode }}' with_items: '{{ checkmk_server__patches }}' when: (checkmk_server__register_apt_install | changed) or (checkmk_server__register_deb_install | changed) @@ -82,6 +77,3 @@ - name: Re-read local facts action: setup - -- debug: - var: ansible_local.checkmk_server From bae122284ec3f568fe6ed9eda6d43f5920f1b03f Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Fri, 21 Apr 2017 08:17:05 +0200 Subject: [PATCH 20/34] Leverage 'debops.apache' role for local reverse proxy configuration --- defaults/main.yml | 62 ++++--------------------------- docs/playbooks/checkmk_server.yml | 16 ++++++-- tasks/main.yml | 55 ++------------------------- 3 files changed, 23 insertions(+), 110 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 254abcf..c9c42d7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -598,63 +598,15 @@ checkmk_server__site_cfg_netif_description: checkmk_server__site_packages: [] # ]]] # ]]] -# PKI Configuration [[[ -# --------------------- +# Configuration for other Ansible roles [[[ +# ----------------------------------------- -# .. envvar:: checkmk_server__pki [[[ +# .. envvar:: checkmk_server__apache__dependent_vhosts [[[ # -# Enable or disable support for HTTPS in Check_MK server (using -# debops.pki_). -checkmk_server__pki: '{{ (True - if (ansible_local|d() and ansible_local.pki|d() and - ansible_local.pki.enabled|d() | bool) - else False) | bool }}' - - # ]]] -# .. envvar:: checkmk_server__pki_path [[[ -# -# Base path for PKI directory. -checkmk_server__pki_path: '{{ ansible_local.pki.path - if (ansible_local|d() and ansible_local.pki|d() and - ansible_local.pki.path|d()) - else "/etc/pki/realms" }}' - - # ]]] -# .. envvar:: checkmk_server__pki_realm [[[ -# -# Default PKI realm used by Check_MK server. -checkmk_server__pki_realm: '{{ ansible_local.pki.realm - if (ansible_local|d() and ansible_local.pki|d() and - ansible_local.pki.realm|d()) - else "domain" }}' - - # ]]] -# .. envvar:: checkmk_server__pki_ca [[[ -# -# Root CA certificate, relative to :envvar:`checkmk_server__pki_realm`. -checkmk_server__pki_ca: 'CA.crt' - - # ]]] -# .. envvar:: checkmk_server__pki_crt [[[ -# -# Host certificate, relative to :envvar:`checkmk_server__pki_realm`. -checkmk_server__pki_crt: 'default.crt' - - # ]]] -# .. envvar:: checkmk_server__pki_key [[[ -# -# Host private key, relative to :envvar:`checkmk_server__pki_realm`. -checkmk_server__pki_key: 'default.key' - - # ]]] -# .. envvar:: checkmk_server__tls_options [[[ -# -# Additional Apache mod_ssl options. 
Valid configuration keys: -# ``SSLCipherSuite``, ``SSLHonorCipherOrder``, ``SSLProtocols``, -# ``SSLStrictSNIVHostCheck`` -checkmk_server__tls_options: - SSLHonorCipherOrder: 'On' - SSLCipherSuite: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS' +# Configuration for debops.apache_ Ansible role. +checkmk_server__apache__dependent_vhosts: + - name: '{{ checkmk_server__fqdn }}' + by_role: 'debops-contrib.checkmk_server' # ]]] # ]]] # ]]] diff --git a/docs/playbooks/checkmk_server.yml b/docs/playbooks/checkmk_server.yml index 209c5af..fc89b93 100644 --- a/docs/playbooks/checkmk_server.yml +++ b/docs/playbooks/checkmk_server.yml @@ -6,13 +6,12 @@ roles: + - role: debops.apache/env + tags: [ 'role::apache', 'role::apache:env' ] + - role: debops-contrib.checkmk_server/env tags: [ 'role::checkmk_server', 'role::checkmk_server:env' ] - - role: debops.users - tags: [ 'role::users' ] - users__dependent_accounts: '{{ ansible_local.checkmk_server | map(attribute="dependent_vars.users__dependent_accounts") | list }}' - - role: debops.etc_services tags: [ 'role::etc_services' ] etc_services__dependent_list: '{{ ansible_local.checkmk_server | map(attribute="dependent_vars.etc_services__dependent_list") | list }}' @@ -20,7 +19,16 @@ - role: debops.ferm tags: [ 'role::ferm' ] ferm__dependent_rules: + - '{{ apache__ferm__dependent_rules }}' - '{{ checkmk_server__ferm_dependent_rules }}' + - role: debops.apache + tags: [ 'role::apache' ] + apache__dependent_vhosts: '{{ checkmk_server__apache__dependent_vhosts }}' + + - role: debops.users + tags: [ 'role::users' ] + users__dependent_accounts: '{{ ansible_local.checkmk_server | map(attribute="dependent_vars.users__dependent_accounts") | list }}' + - role: debops-contrib.checkmk_server tags: [ 'role::checkmk_server' ] diff --git a/tasks/main.yml b/tasks/main.yml index 1a60629..dff9a36 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
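Review bot: Removing `checkmk_server__pki` leaves dangling references: `checkmk_server__site_url` (visible as context in the earlier `checkmk_server__fqdn` hunk) still selects `"https://"` with `if checkmk_server__pki`, and the `dport` expression of `checkmk_server__ferm_web_rules` uses it too, so the role now templates an undefined variable. Either keep a boolean scheme switch (for example derived from the new apache vhost configuration) or hard-wire the scheme in `checkmk_server__site_url` with a comment saying why. The new `checkmk_server__apache__dependent_vhosts` entry carries no TLS settings, so whether the dropped `SSLCipherSuite`/`SSLHonorCipherOrder` hardening survives now depends on the debops.apache role defaults; a one-line comment stating that TLS policy is delegated to that role would make the hand-over explicit.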
@@ -1,60 +1,10 @@ --- # vim: foldmarker=[[[,]]]:foldmethod=marker -#- debug: -# var: checkmk_server__sites -#- fail: -# msg: 'bla' - -- name: Set TLS options - template: - src: 'etc/apache2/mods-available/ssl.conf.j2' - dest: '/etc/apache2/mods-available/ssl.conf' - owner: 'root' - group: 'root' - mode: '0644' - when: checkmk_server__pki|d(False) - notify: [ 'Reload apache2' ] - -- name: Check apache2 mod_headers status - stat: - path: '/etc/apache2/mods-enabled/headers.load' - register: checkmk_server_register_mod_headers - changed_when: False - always_run: True - -- name: Enable apache2 mod_headers - command: 'a2enmod headers' - when: not checkmk_server_register_mod_headers.stat.exists - notify: [ 'Reload apache2' ] - -- name: Check apache2 mod_ssl status - stat: - path: '/etc/apache2/mods-enabled/ssl.load' - register: checkmk_server_register_mod_ssl - changed_when: False - always_run: True - -- name: Enable apache2 mod_ssl - command: '{{ item }}' - with_items: - - 'a2enmod ssl' - - 'a2ensite default-ssl' - when: checkmk_server__pki|d(False) and not checkmk_server_register_mod_ssl.stat.exists - notify: [ 'Reload apache2' ] - -- name: Disable apache2 mod_ssl - command: '{{ item }}' - with_items: - - 'a2dismod ssl' - - 'a2dissite default-ssl' - when: not checkmk_server__pki|d(False) and checkmk_server_register_mod_ssl.stat.exists - notify: [ 'Reload apache2' ] - - name: Manage SSH keys for monitoring and site synchronization include: ssh.yml -- name: Manage Check_MK site +- name: Manage Check_MK sites include: site.yml with_items: '{{ checkmk_server__sites }}' loop_control: @@ -69,6 +19,9 @@ - 'role::checkmk_server:multisite' - 'role::checkmk_server:users' +- name: Trigger reload/restart handlers + meta: flush_handlers + - name: Login on distributed sites include: login.yml when: (checkmk_server__sites | length) > 1 From 53c1e53c2c883ac0d696e304b0874aa178224c96 Mon Sep 17 00:00:00 2001 
From: Reto Gantenbein Date: Wed, 26 Apr 2017 18:58:13 +0200 Subject: [PATCH 21/34] Explicitly define Apache configuration includes provided by Check_MK --- defaults/main.yml | 15 ++++++++++++++- docs/playbooks/checkmk_server.yml | 1 + 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index c9c42d7..5b26321 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -603,10 +603,23 @@ checkmk_server__site_packages: [] # .. envvar:: checkmk_server__apache__dependent_vhosts [[[ # -# Configuration for debops.apache_ Ansible role. +# Configuration for debops.apache_ Ansible role. By default it will create +# a dedicated Apache virtual host which includes the reverse proxy +# configuration files provided by the `check-mk-raw` upstream package. checkmk_server__apache__dependent_vhosts: - name: '{{ checkmk_server__fqdn }}' + include: [ '/omd/apache/*.conf' ] by_role: 'debops-contrib.checkmk_server' + + # ]]] +# .. envvar:: checkmk_server__apache__dependent_snippets [[[ +# +# Configuration for debops.apache_ Ansible role. By default it will disable +# The Apache configuration snippet which is installed by the `check-mk-raw` +# upstream package. +checkmk_server__apache__dependent_snippets: + 'zzz_omd': + enabled: False # ]]] # ]]] # ]]] diff --git a/docs/playbooks/checkmk_server.yml b/docs/playbooks/checkmk_server.yml index fc89b93..6c48bc3 100644 --- a/docs/playbooks/checkmk_server.yml +++ b/docs/playbooks/checkmk_server.yml @@ -24,6 +24,7 @@ - role: debops.apache tags: [ 'role::apache' ] + apache__dependent_snippets: '{{ checkmk_server__apache__dependent_snippets }}' apache__dependent_vhosts: '{{ checkmk_server__apache__dependent_vhosts }}' - role: debops.users From 97aceb80ece063b640d1b6b86a27ac7a533eb640 Mon Sep 17 00:00:00 2001 
From: Reto Gantenbein Date: Fri, 21 Apr 2017 19:29:50 +0200 Subject: [PATCH 22/34] Remove HTTP-related ferm rules now handled by 'apache__ferm__dependent_rules' --- defaults/main.yml | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5b26321..c504d8a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -47,21 +47,8 @@ checkmk_server__patches: # # Firewall configuration using the debops.ferm_ Ansible role. checkmk_server__ferm_dependent_rules: '{{ - checkmk_server__ferm_web_rules + (checkmk_server__ferm_livestatus_rules if checkmk_server__multisite_livestatus else []) }}' - # ]]] -# .. envvar:: checkmk_server__ferm_web_rules [[[ -# -# Firewall configuration for WATO Web access. -checkmk_server__ferm_web_rules: - - type: 'accept' - dport: '{{ [ "http", "https" ] if checkmk_server__pki else [ "http" ] }}' - saddr: '{{ checkmk_server__web_allow }}' - accept_any: True - weight: '40' - role: 'checkmk_server' - # ]]] # .. envvar:: checkmk_server__ferm_livestatus_rules [[[ # @@ -74,13 +61,6 @@ checkmk_server__ferm_livestatus_rules: weight: '40' role: 'checkmk_server' - # ]]] -# .. envvar:: checkmk_server__web_allow [[[ -# -# List of IP addresses or network CIDR ranges allowed to connect to the -# Check_MK Web interface. If list is empty, anyone can connect. -checkmk_server__web_allow: [] - # ]]] # .. envvar:: checkmk_server__livestatus_allow [[[ # From 1924a7a74efc6e76e660167741ad03e1b90c97f7 Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Tue, 2 May 2017 07:26:00 +0200 Subject: [PATCH 23/34] Generate ferm rules for livestatus according to the configured sites --- defaults/main.yml | 22 ++-------------------- docs/playbooks/checkmk_server.yml | 2 +- env/tasks/main.yml | 6 ++++++ templates/lookup/checkmk_server__sites.j2 | 12 ++++++++++++ 4 files changed, 21 insertions(+), 21 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index c504d8a..fa58652 100644 --- a/defaults/main.yml 
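Review bot: Dropping `checkmk_server__web_allow` in the first hunk removes the only role-level setting that restricted access to the Check_MK web interface by source address, and the default `checkmk_server__apache__dependent_vhosts` entry shows no equivalent allow-list, so after this change web access is limited only by what `apache__ferm__dependent_rules` permits. If the apache role exposes a comparable restriction, the variable documentation in this file should point users there; otherwise the allow-list is a regression worth keeping, for example by passing the addresses into the vhost definition. A short comment next to `checkmk_server__ferm_dependent_rules` noting that HTTP/HTTPS rules now come from the apache role would spare the next reader the search.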
+++ b/defaults/main.yml @@ -42,30 +42,12 @@ checkmk_server__patches: - patch: 'check-mk-raw-1.2.8p4-read-X-Forwarded-Port-header.patch' file: '/omd/versions/{{ checkmk_server__version }}{{ checkmk_server__version_suffix }}/skel/etc/apache/conf.d/omd.conf' - # ]]] -# .. envvar:: checkmk_server__ferm_dependent_rules [[[ -# -# Firewall configuration using the debops.ferm_ Ansible role. -checkmk_server__ferm_dependent_rules: '{{ - (checkmk_server__ferm_livestatus_rules if checkmk_server__multisite_livestatus else []) - }}' - # ]]] -# .. envvar:: checkmk_server__ferm_livestatus_rules [[[ -# -# Firewall configuration for Multisite Livestatus access. -checkmk_server__ferm_livestatus_rules: - - type: 'accept' - dport: [ '{{ checkmk_server__livestatus_port|string }}' ] - saddr: '{{ checkmk_server__livestatus_allow }}' - accept_any: True - weight: '40' - role: 'checkmk_server' - # ]]] # .. envvar:: checkmk_server__livestatus_allow [[[ # # List of IP addresses or network CIDR ranges allowed to connect to the -# Check_MK Livestatus TCP socket. If list is empty, anyone can connect. +# Check_MK Livestatus TCP socket of every site running on this host. By default +# only the master of each site is allowed to connect. checkmk_server__livestatus_allow: [] # ]]] diff --git a/docs/playbooks/checkmk_server.yml b/docs/playbooks/checkmk_server.yml index 6c48bc3..ef55118 100644 --- a/docs/playbooks/checkmk_server.yml +++ b/docs/playbooks/checkmk_server.yml @@ -20,7 +20,7 @@ tags: [ 'role::ferm' ] ferm__dependent_rules: - '{{ apache__ferm__dependent_rules }}' - - '{{ checkmk_server__ferm_dependent_rules }}' + - '{{ ansible_local.checkmk_server | map(attribute="dependent_vars.ferm__dependent_rules") | list }}' - role: debops.apache tags: [ 'role::apache' ] diff --git a/env/tasks/main.yml b/env/tasks/main.yml index 8e245e9..60d3acb 100644 --- a/env/tasks/main.yml +++ b/env/tasks/main.yml 
@@ -77,3 +77,9 @@ - name: Re-read local facts action: setup + +- debug: + var: checkmk_server__sites + +- fail: + msg: check diff --git a/templates/lookup/checkmk_server__sites.j2 b/templates/lookup/checkmk_server__sites.j2 index 8944ce6..0961567 100644 --- a/templates/lookup/checkmk_server__sites.j2 +++ b/templates/lookup/checkmk_server__sites.j2 @@ -40,6 +40,7 @@ {% endif %} {% set _ = _local_site.dependent_vars.update({'users__dependent_accounts': [ _user ]}) %} {% set _ = _local_site.dependent_vars.update({'etc_services__dependent_list': []}) %} +{% set _ = _local_site.dependent_vars.update({'ferm__dependent_rules': []}) %} {# # The site alias must be set @@ -163,6 +164,17 @@ {% set _ = _site_config.update({'livestatus_socket': 'tcp:' + _site_config.fqdn + ':' + _site_config.livestatus_port}) %} {% endif %} {% set _ = _site_config.dependent_vars.update({'etc_services__dependent_list': [{'name': 'check-mk-livestatus-' + _site_config.name, 'port': _site_config.livestatus_port, 'comment': 'Check_MK server Livestatus'}]}) %} +{# + # Define livestatus firewall access + #} +{% if not 'livestatus_allow' in _site_config %} +{% if 'checkmk_server__livestatus_allow' in hostvars[_site_config.delegate_to].keys() %} +{% set _ = _site_config.update({'livestatus_allow': hostvars[_site_config.delegate_to].checkmk_server__livestatus_allow}) %} +{% else %} +{% set _ = _site_config.update({'livestatus_allow': hostvars[_site_config.master_delegate_to].ansible_all_ipv4_addresses}) %} +{% endif %} +{% endif %} +{% set _ = _site_config.dependent_vars.update({'ferm__dependent_rules': [{'type': 'accept', 'dport': [ _site_config.livestatus_port ], 'saddr': _site_config.livestatus_allow, 'accept_any': False, 'weight': '40', 'by_role': 'debops-contrib.checkmk_server'}]}) %} {# # Define OMD configuration #} From 5635218dd7151135e3b6304b9f49e49d806b6250 Mon Sep 17 00:00:00 2001 
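Review bot: The `debug`/`fail` pair appended after `Re-read local facts` aborts every run of the env role unconditionally (`msg: check`), so the role cannot complete while this is in place. If the intent is an inspection aid, guard it with a variable that defaults to off, or keep it out of the commit.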
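Review bot: The fallback `hostvars[_site_config.master_delegate_to].ansible_all_ipv4_addresses` in the `Define livestatus firewall access` block opens the livestatus port to every IPv4 address the master host has (including any internal bridge or container addresses) and ignores IPv6, so the rule is broader than needed on IPv4 while a master that reaches the slave over IPv6 is blocked; `ansible_default_ipv4.address` (plus its IPv6 counterpart where used) or an explicitly configured master address is the tighter default, and the choice deserves a comment. The preceding check `'checkmk_server__livestatus_allow' in hostvars[...].keys()` is true whenever the role default is visible in `hostvars`, in which case the default `[]` always wins and the master-address fallback is dead code; what `saddr: []` combined with `accept_any: False` means then depends on the ferm role and is not visible here. The defaults hunk on the previous line documents "only the master of each site is allowed to connect", which holds only if the fallback branch is actually reached.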
From: Reto Gantenbein Date: Thu, 4 May 2017 19:07:10 +0200 Subject: [PATCH 24/34] Fix 'apache__dependent_snippets' configuration --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/defaults/main.yml b/defaults/main.yml index fa58652..7e40ef7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -582,6 +582,7 @@ checkmk_server__apache__dependent_vhosts: checkmk_server__apache__dependent_snippets: 'zzz_omd': enabled: False + type: 'dont-create' # ]]] # ]]] # ]]] From b2c49512dfeb0e091c80c40bdb9da33f5c90bea0 Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Fri, 5 May 2017 07:10:02 +0200 Subject: [PATCH 25/34] Remove some debugging code --- env/tasks/main.yml | 6 ------ tasks/login.yml | 4 ---- 2 files changed, 10 deletions(-) diff --git a/env/tasks/main.yml b/env/tasks/main.yml index 60d3acb..8e245e9 100644 --- a/env/tasks/main.yml +++ b/env/tasks/main.yml @@ -77,9 +77,3 @@ - name: Re-read local facts action: setup - -- debug: - var: checkmk_server__sites - -- fail: - msg: check diff --git a/tasks/login.yml b/tasks/login.yml index f486fe1..fa96686 100644 --- a/tasks/login.yml +++ b/tasks/login.yml @@ -18,8 +18,6 @@ when: (not item.connection|d('remote') == 'local') with_items: '{{ checkmk_server__sites }}' -- debug: var=checkmk_server__register_multisite_login - - name: Get Multisite distribution secrets uri: url: '{{ item.location }}' @@ -32,8 +30,6 @@ with_items: '{{ checkmk_server__register_multisite_login.results if "results" in checkmk_server__register_multisite_login else [] }}' -- debug: var=checkmk_server__register_multisite_automation_login - - name: Generate distributed sites configuration template: src: 'etc/check_mk/multisite.d/sites.mk.j2' From af9d305dfc5a9632a848a52f3c22073fbc6dec94 Mon Sep 17 00:00:00 2001 
From: Reto Gantenbein Date: Fri, 5 May 2017 07:43:48 +0200 Subject: [PATCH 26/34] Define dependent vars in defaults, don't fail with no facts --- defaults/main.yml | 37 +++++++++++++++++++++++++++++-- docs/playbooks/checkmk_server.yml | 6 ++--- 2 files changed, 38 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 7e40ef7..3431d23 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -565,7 +565,7 @@ checkmk_server__site_packages: [] # .. envvar:: checkmk_server__apache__dependent_vhosts [[[ # -# Configuration for debops.apache_ Ansible role. By default it will create +# Configuration for the debops.apache_ Ansible role. By default it will create # a dedicated Apache virtual host which includes the reverse proxy # configuration files provided by the `check-mk-raw` upstream package. checkmk_server__apache__dependent_vhosts: 
@@ -576,13 +576,46 @@ checkmk_server__apache__dependent_vhosts: # ]]] # .. envvar:: checkmk_server__apache__dependent_snippets [[[ # -# Configuration for debops.apache_ Ansible role. By default it will disable +# Configuration for the debops.apache_ Ansible role. By default it will disable # The Apache configuration snippet which is installed by the `check-mk-raw` # upstream package. checkmk_server__apache__dependent_snippets: 'zzz_omd': enabled: False type: 'dont-create' + + # ]]] +# .. envvar:: checkmk_server__etc_services__dependent_list [[[ +# +# Configuration for the debops.etc_services_ Ansible role. If this is a slave +# server this might be generated by the master site, therefore read it +# from the Ansible facts by default. +checkmk_server__etc_services__dependent_list: '{{ (ansible_local.checkmk_server + | map(attribute="dependent_vars.etc_services__dependent_list") + | list) + if ansible_local.checkmk_server|d() else [] }}' + + # ]]] +# .. envvar:: checkmk_server__ferm__dependent_rules [[[ +# +# Configuration for the debops.ferm_ Ansible role. If this is a slave +# server this might be generated by the master site, therefore read it +# from the Ansible facts by default. +checkmk_server__ferm__dependent_rules: '{{ (ansible_local.checkmk_server + | map(attribute="dependent_vars.ferm__dependent_rules") + | list) + if ansible_local.checkmk_server|d() else [] }}' + + # ]]] +# .. envvar:: checkmk_server__users__dependent_accounts [[[ +# +# Configuration for the debops.users_ Ansible role. If this is a slave +# server this might be generated by the master site, therefore read it +# from the Ansible facts by default. +checkmk_server__users__dependent_accounts: '{{ (ansible_local.checkmk_server + | map(attribute="dependent_vars.users__dependent_accounts") + | list) + if ansible_local.checkmk_server|d() else [] }}' # ]]] # ]]] # ]]] diff --git a/docs/playbooks/checkmk_server.yml b/docs/playbooks/checkmk_server.yml index ef55118..2a5d45a 100644 
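Review bot: The three new defaults (`checkmk_server__etc_services__dependent_list`, `checkmk_server__ferm__dependent_rules`, `checkmk_server__users__dependent_accounts`) source service definitions, firewall rules and user accounts from `ansible_local.checkmk_server`, i.e. from a fact file on the managed host rather than from the inventory, and the comments only say the master "might" generate it. That is a trust decision worth stating explicitly, since whatever can write that host's `/etc/ansible/facts.d/checkmk_server.fact` then shapes the ferm rules and accounts the next run applies; a line such as `# NOTE: read from the managed host's local facts, not from the inventory` on each of the three entries would make it visible to operators. The `if ansible_local.checkmk_server|d()` guard only covers the fact being absent altogether, so the comment should also say that every entry is expected to carry `dependent_vars`.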
--- a/docs/playbooks/checkmk_server.yml +++ b/docs/playbooks/checkmk_server.yml @@ -14,13 +14,13 @@ - role: debops.etc_services tags: [ 'role::etc_services' ] - etc_services__dependent_list: '{{ ansible_local.checkmk_server | map(attribute="dependent_vars.etc_services__dependent_list") | list }}' + etc_services__dependent_list: '{{ checkmk_server__etc_services__dependent_list }}' - role: debops.ferm tags: [ 'role::ferm' ] ferm__dependent_rules: - '{{ apache__ferm__dependent_rules }}' - - '{{ ansible_local.checkmk_server | map(attribute="dependent_vars.ferm__dependent_rules") | list }}' + - '{{ checkmk_server__ferm__dependent_rules }}' - role: debops.apache tags: [ 'role::apache' ] @@ -29,7 +29,7 @@ - role: debops.users tags: [ 'role::users' ] - users__dependent_accounts: '{{ ansible_local.checkmk_server | map(attribute="dependent_vars.users__dependent_accounts") | list }}' + users__dependent_accounts: '{{ checkmk_server__users__dependent_accounts }}' - role: debops-contrib.checkmk_server tags: [ 'role::checkmk_server' ] From cdfb4e30c3384d3db0a28770abd87713d2e82c3f Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Fri, 5 May 2017 07:56:04 +0200 Subject: [PATCH 27/34] Run tests on Ubuntu trusty as precise is EOL --- .travis.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 3332e8f..0ca7101 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,7 @@ --- -sudo: True +sudo: required +dist: trusty language: 'python' python: '2.7' From c5717d4864ae7df18b75b9ffae6050778de8757b Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Fri, 5 May 2017 18:57:15 +0200 Subject: [PATCH 28/34] Create master site if 'checkmk_server__site' is defined --- templates/lookup/checkmk_server__sites.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lookup/checkmk_server__sites.j2 b/templates/lookup/checkmk_server__sites.j2 index 0961567..b910cf5 100644 --- a/templates/lookup/checkmk_server__sites.j2 
+++ b/templates/lookup/checkmk_server__sites.j2 @@ -5,7 +5,7 @@ # https://github.com/ansible/ansible/issues/14542 #} -{% if not checkmk_server__distributed_sites %} +{% if (not checkmk_server__distributed_sites) and (not checkmk_server__site) %} [] {% else %} {% set _sites = [] %} From 35bc317dfae84825abaaf40728e57bea05f6840b Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Mon, 8 May 2017 18:04:54 +0200 Subject: [PATCH 29/34] Don't fail if 'mod_headers' is not (yet) enabled --- .../check-mk-raw-1.2.8-set-https-proxy-header.patch | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/env/files/check-mk-raw-1.2.8-set-https-proxy-header.patch b/env/files/check-mk-raw-1.2.8-set-https-proxy-header.patch index c7aaea0..3b3b78f 100644 --- a/env/files/check-mk-raw-1.2.8-set-https-proxy-header.patch +++ b/env/files/check-mk-raw-1.2.8-set-https-proxy-header.patch @@ -1,5 +1,5 @@ Author: Reto Gantenbein -Date: Tue Jun 21 06:51:23 2016 +0200 +Date: Tue May 8 17:57:28 2017 +0200 Set X-Forwarded headers when accessed via HTTPS @@ -14,15 +14,21 @@ Date: Tue Jun 21 06:51:23 2016 +0200 %{SERVER_PORT} in in the X-Forwarded-Port header failed because it seemed to be undefined "(null)". + v2: - Guard 'RequestHeader' statements with + to avoid errors if mod_headers + is not (yet) enabled + --- /omd/versions/default/skel/etc/apache/apache-own.conf.orig 2016-05-13 19:19:07.000000000 +0200 -+++ /omd/versions/default/skel/etc/apache/apache-own.conf 2016-06-21 06:50:03.169171120 +0200 -@@ -11,6 +11,10 @@ ++++ /omd/versions/default/skel/etc/apache/apache-own.conf 2017-05-08 17:56:25.342383031 +0200 +@@ -11,6 +11,12 @@ ProxyRequests Off ProxyPreserveHost On + # Indicate when the site was accessed via HTTPS ++ + RequestHeader set X-Forwarded-Proto https env=HTTPS + RequestHeader set X-Forwarded-Port 443 env=HTTPS ++ + # Include file created by 'omd config', which # sets the TCP port of the site local webserver 
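Review bot: Nothing visible in this hunk touches a client-supplied `X-Forwarded-Proto` or `X-Forwarded-Port` header on a plain-HTTP request; only the `env=HTTPS` case is overwritten by `RequestHeader set`, so on HTTP the headers reach the site's local webserver as the client sent them and the backend has to distrust them on its own. An unconditional `RequestHeader unset X-Forwarded-Proto` and `RequestHeader unset X-Forwarded-Port` placed before the two `set` lines, inside the same guard, would make the headers carry only what this proxy asserts. The lines rendered here as bare `++` appear to be the `<IfModule mod_headers.c>` guard with its angle brackets lost in rendering; if so, note in the patch description that with mod_headers absent the headers are silently not set at all, which is the fail-safe direction but should be stated. This lives in a patch file applied to the upstream `apache-own.conf`, so the change belongs in that file as well.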
From e641ae77512358c4b8449adeb482b9782dbe1bca Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Mon, 15 May 2017 17:55:09 +0200 Subject: [PATCH 30/34] Properly set and update local facts from the correct context --- env/tasks/facts.yml | 35 ++++++++++- env/tasks/main.yml | 2 + tasks/facts.yml | 34 ----------- tasks/ssh.yml | 8 +++ tasks/ssh_fact.yml | 23 ++++++++ tasks/ssh_keys.yml | 13 ---- .../ansible/facts.d/checkmk_server.fact.j2 | 59 +++++++++---------- 7 files changed, 94 insertions(+), 80 deletions(-) mode change 120000 => 100644 env/tasks/facts.yml delete mode 100644 tasks/facts.yml create mode 100644 tasks/ssh_fact.yml diff --git a/env/tasks/facts.yml b/env/tasks/facts.yml deleted file mode 120000 index 22d68dc..0000000 --- a/env/tasks/facts.yml +++ /dev/null @@ -1 +0,0 @@ -../../tasks/facts.yml \ No newline at end of file diff --git a/env/tasks/facts.yml b/env/tasks/facts.yml new file mode 100644 index 0000000..5c9225a --- /dev/null +++ b/env/tasks/facts.yml @@ -0,0 +1,34 @@ +--- +# +# Set site facts so that later tasks can depend on it +# +# IMPORTANT: +# These tasks are run for each Check_MK site defined +# in `checkmk_server__sites`. This means they can run multiple +# times per server. If the monitoring site is a remote slave, +# they might even run on a different server. The site configuration +# is available through `site_item`. + +- name: Persist site facts + block: + + - name: Make sure that local fact directory exists + file: + dest: '/etc/ansible/facts.d' + state: 'directory' + owner: 'root' + group: 'root' + mode: '0755' + + - name: Save Check_MK server local facts + template: + src: 'etc/ansible/facts.d/checkmk_server.fact.j2' + dest: '/etc/ansible/facts.d/checkmk_server.fact' + owner: 'root' + group: 'root' + mode: '0644' + register: checkmk_server__register_local_facts + + # Delegate entire block to corresponding host + delegate_to: '{{ site_item.delegate_to + if (not site_item.delegate_to == inventory_hostname) else omit }}' 
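Review bot: The fact file is written with `mode: '0644'` (world-readable) while its content is the merged per-site configuration (`site_item` combined into the existing facts by the template), so it carries whatever the site entries carry. If a site entry ever includes credentials or account definitions — the `users__dependent_accounts` data introduced earlier in this series travels through this structure — they become readable by every local user on the host. Consider `mode: '0600'` (assuming the `setup` module reads local facts with the same privileges that write them here) or keep secrets out of `dependent_vars` and say so in the header comment, e.g. `# NOTE: this file is world-readable; never put credentials into site facts`. The same `template` task is repeated in `tasks/ssh_fact.yml` in this commit with the same mode, so whichever choice is made applies there too.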
diff --git a/env/tasks/main.yml b/env/tasks/main.yml index 8e245e9..c39abb3 100644 --- a/env/tasks/main.yml +++ b/env/tasks/main.yml @@ -74,6 +74,8 @@ with_items: '{{ checkmk_server__sites }}' loop_control: loop_var: site_item + tags: [ 'role::checkmk_server:facts' ] - name: Re-read local facts action: setup + tags: [ 'role::checkmk_server:facts' ] diff --git a/tasks/facts.yml b/tasks/facts.yml deleted file mode 100644 index 5c9225a..0000000 --- a/tasks/facts.yml +++ /dev/null @@ -1,34 +0,0 @@ ---- -# -# Set site facts so that later tasks can depend on it -# -# IMPORTANT: -# These tasks are run for each Check_MK site defined -# in `checkmk_server__sites`. This means they can run multiple -# times per server. If the monitoring site is a remote slave, -# they might even run on a different server. The site configuration -# is available through `site_item`. - -- name: Persist site facts - block: - - - name: Make sure that local fact directory exists - file: - dest: '/etc/ansible/facts.d' - state: 'directory' - owner: 'root' - group: 'root' - mode: '0755' - - - name: Save Check_MK server local facts - template: - src: 'etc/ansible/facts.d/checkmk_server.fact.j2' - dest: '/etc/ansible/facts.d/checkmk_server.fact' - owner: 'root' - group: 'root' - mode: '0644' - register: checkmk_server__register_local_facts - - # Delegate entire block to corresponding host - delegate_to: '{{ site_item.delegate_to - if (not site_item.delegate_to == inventory_hostname) else omit }}' diff --git a/tasks/ssh.yml b/tasks/ssh.yml index 604cb7b..7b4bbcb 100644 --- a/tasks/ssh.yml +++ b/tasks/ssh.yml 
@@ -6,8 +6,16 @@ loop_control: loop_var: site_item +- name: Update facts with SSH key + include: ssh_fact.yml + with_items: '{{ ansible_local.checkmk_server.values() }}' + loop_control: + loop_var: site_item + tags: [ 'role::checkmk_server:facts' ] + - name: Re-read local facts action: setup + tags: [ 'role::checkmk_server:facts' ] - name: Setup SSH public key login on slave sites include: ssh_login.yml diff --git a/tasks/ssh_fact.yml b/tasks/ssh_fact.yml new file mode 100644 index 0000000..dcfb462 --- /dev/null +++ b/tasks/ssh_fact.yml @@ -0,0 +1,23 @@ +--- +# IMPORTANT: +# These tasks are run for each Check_MK site defined on the local +# server. This means they can run multiple times per server. The +# site configuration is available through `site_item`. + +- name: Read SSH public key + command: 'cat {{ site_item.home }}/.ssh/id_rsa.pub' + register: checkmk_server__register_ssh_public_key + changed_when: False + +- name: Show SSH public key of site '{{ site_item.name }}' + debug: + var: checkmk_server__register_ssh_public_key.stdout + verbosity: 1 + +- name: Save Check_MK server local facts + template: + src: 'etc/ansible/facts.d/checkmk_server.fact.j2' + dest: '/etc/ansible/facts.d/checkmk_server.fact' + owner: 'root' + group: 'root' + mode: '0644' diff --git a/tasks/ssh_keys.yml b/tasks/ssh_keys.yml index a80c8c0..3559e3c 100644 --- a/tasks/ssh_keys.yml +++ b/tasks/ssh_keys.yml @@ -38,19 +38,6 @@ when: ('sshkeys' in site_item) and site_item.sshkeys.publickey_file|d(False) - - name: Read SSH public key - command: 'cat {{ site_item.home }}/.ssh/id_rsa.pub' - register: checkmk_server__register_ssh_public_key - changed_when: False - - - name: Show SSH public key of site '{{ site_item.name }}' - debug: - var: checkmk_server__register_ssh_public_key.stdout - verbosity: 1 - - - name: Re-generate local facts - include: facts.yml - # delegate block delegate_to: '{{ site_item.delegate_to if (not site_item.delegate_to == inventory_hostname) else omit }}' 
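Review bot: `with_items: '{{ ansible_local.checkmk_server.values() }}'` in the new "Update facts with SSH key" task is unguarded, so a host whose fact file does not exist yet (first run before `env/tasks/facts.yml` has written it, or a host without sites) fails with an undefined variable instead of looping over nothing, whereas the defaults touched earlier in this series guard the same lookup with `|d()`. `with_items: '{{ (ansible_local.checkmk_server | d({})).values() | list }}'` keeps the loop empty in that case. Note also that this iterates every site recorded locally, including ones the current inventory may mark absent; whether `ssh_fact.yml` copes with a missing `~/.ssh/id_rsa.pub` for such a site I cannot tell from this hunk.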
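Review bot: "Read SSH public key" shells out to `cat` where the `slurp` module reads the same file without spawning a process and without the `changed_when: False` bookkeeping: `slurp:` with `src: '{{ site_item.home }}/.ssh/id_rsa.pub'` registered under the same name, with the facts template then using `checkmk_server__register_ssh_public_key.content | b64decode | trim` in place of `.stdout`. The key path is hard-wired to `id_rsa.pub`; if the key-generation task elsewhere in the role can produce another key type, the file name should come from the same variable so the two cannot drift apart.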
diff --git a/templates/etc/ansible/facts.d/checkmk_server.fact.j2 b/templates/etc/ansible/facts.d/checkmk_server.fact.j2
index 5a836c4..f9f62fa 100644
--- a/templates/etc/ansible/facts.d/checkmk_server.fact.j2
+++ b/templates/etc/ansible/facts.d/checkmk_server.fact.j2
@@ -6,47 +6,42 @@ # sources. Sites which are about to be deleted must not be listed in the # resulting facts file. #} -{% set _site_facts = [] %} -{% if ansible_local|d({}) and ('checkmk_server' in ansible_local) and - (not ansible_local.checkmk_server is string) and - (ansible_local.checkmk_server | length > 0) %} -{% for _local_site in ansible_local.checkmk_server %} +{% set _site_facts = {} %} +{% if (site_item.delegate_to in hostvars) and + ('ansible_local' in hostvars[site_item.delegate_to]) and + ('checkmk_server' in hostvars[site_item.delegate_to].ansible_local) and + hostvars[site_item.delegate_to].ansible_local.checkmk_server %} {# - # Site has been configured before but is not currently handled. Simply - # add it again. + # Site currently handled was defined before #} -{% if ('name' in _local_site) and (not _local_site.name == site_item.name) and - _local_site.delegate_to == site_item.delegate_to %} -{# HACK: to make sure only sites from the same delegate_to host are added #} -{% set _ = _site_facts.append(_local_site) %} +{% set _cmk_server_facts = hostvars[site_item.delegate_to].ansible_local.checkmk_server %} +{% for _local_site in _cmk_server_facts.keys() %} +{% if _local_site == site_item.name %} {# - # Site has been configured before and matches the currently handled. - # If it's not marked to be absent, add it again. 
- # TODO: merge _local_site and site_item + # Site is not meant to be removed #} -{% elif (not ('state' in site_item.keys() and site_item.state == 'absent')) %} -{% if checkmk_server__register_ssh_public_key|d() and - 'stdout' in checkmk_server__register_ssh_public_key and - checkmk_server__register_ssh_public_key.stdout | length > 0 %} -{% set _ = site_item.update({'ssh_public_key': checkmk_server__register_ssh_public_key.stdout}) %} +{% if site_item.state|d('present') != 'absent' %} +{# + # Add the SSH public key if found as fact + #} +{% if checkmk_server__register_ssh_public_key|d() and + 'stdout' in checkmk_server__register_ssh_public_key and + checkmk_server__register_ssh_public_key.stdout | length > 0 %} +{% set _ = site_item.update({'ssh_public_key': checkmk_server__register_ssh_public_key.stdout}) %} +{% endif %} +{# + # Update site configuration + #} +{% set _ = _site_facts.update({_local_site: (_cmk_server_facts[_local_site] | combine(site_item, recursive=True))}) %} {% endif %} -{% set _ = _site_facts.append(site_item) %} {% endif %} {% endfor %} {# - # There are already sites defined, but none of them match the site - # currently handled. Add it to the facts if it's not meant to be - # deleted. + # No local facts found #} -{% if (not site_item.name in (ansible_local.checkmk_server | map(attribute="name") | list)) and - (not site_item.name in (_site_facts | map(attribute="name") | list)) and - not ('state' in site_item.keys() and site_item.state == 'absent') %} -{% set _ = _site_facts.append(site_item) %} -{% endif %} {% else %} -{# - # There are no sites defined. Simply add the current site to the facts. - #} -{% set _ = _site_facts.append(site_item) %} +{% if site_item.state|d('present') != 'absent' %} +{% set _ = _site_facts.update({site_item.name: site_item}) %} +{% endif %} {% endif %} {{ _site_facts | to_nice_json }} From 5bc3e41cb547029a2ff68b9d15afb23ab2e626b5 Mon Sep 17 00:00:00 2001 
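Review bot: In the rebuilt loop `{% for _local_site in _cmk_server_facts.keys() %}`, only the entry whose key equals `site_item.name` is copied into `_site_facts`; every other site already recorded in the host's facts is dropped, and a site that is new to the host (not yet a key) is never added while other facts exist, because the `{% else %}` branch only runs when no facts were found at all. The removed code explicitly re-added unrelated sites ("Site has been configured before but is not currently handled"), and the file header says these tasks run once per site, so on a host with two sites the second iteration would overwrite the first unless facts are re-read between iterations — the tasks in this commit re-read them only after the loop. Carrying unchanged entries over and adding a not-yet-known site after the loop restores that behaviour; the rewritten lines are below. `site_item.update(...)` mutating the loop variable from inside a template is pre-existing but deserves a comment, e.g. `{# NOTE: mutates site_item in place; may be visible to later tasks of this iteration #}`.
```jinja
{% for _local_site in _cmk_server_facts.keys() %}
{% if _local_site == site_item.name %}
{# … unchanged: absent check, SSH public key, combine() update … #}
{% else %}
{# Site hosted here but not handled in this run: keep its entry as it is #}
{% set _ = _site_facts.update({_local_site: _cmk_server_facts[_local_site]}) %}
{% endif %}
{% endfor %}
{# Site handled now but not yet known on this host #}
{% if (not site_item.name in _cmk_server_facts) and (site_item.state|d('present') != 'absent') %}
{% set _ = _site_facts.update({site_item.name: site_item}) %}
{% endif %}
```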
From: Reto Gantenbein Date: Tue, 16 May 2017 07:01:25 +0200 Subject: [PATCH 31/34] Adjust the fact that local facts are stored as dict not lists --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3431d23..f87d604 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -590,7 +590,7 @@ checkmk_server__apache__dependent_snippets: # Configuration for the debops.etc_services_ Ansible role. If this is a slave # server this might be generated by the master site, therefore read it # from the Ansible facts by default. -checkmk_server__etc_services__dependent_list: '{{ (ansible_local.checkmk_server +checkmk_server__etc_services__dependent_list: '{{ (ansible_local.checkmk_server.values() | map(attribute="dependent_vars.etc_services__dependent_list") | list) if ansible_local.checkmk_server|d() else [] }}' @@ -601,7 +601,7 @@ checkmk_server__etc_services__dependent_list: '{{ (ansible_local.checkmk_server # Configuration for the debops.ferm_ Ansible role. If this is a slave # server this might be generated by the master site, therefore read it # from the Ansible facts by default. -checkmk_server__ferm__dependent_rules: '{{ (ansible_local.checkmk_server +checkmk_server__ferm__dependent_rules: '{{ (ansible_local.checkmk_server.values() | map(attribute="dependent_vars.ferm__dependent_rules") | list) if ansible_local.checkmk_server|d() else [] }}' @@ -612,7 +612,7 @@ checkmk_server__ferm__dependent_rules: '{{ (ansible_local.checkmk_server # Configuration for the debops.users_ Ansible role. If this is a slave # server this might be generated by the master site, therefore read it # from the Ansible facts by default. -checkmk_server__users__dependent_accounts: '{{ (ansible_local.checkmk_server +checkmk_server__users__dependent_accounts: '{{ (ansible_local.checkmk_server.values() | map(attribute="dependent_vars.users__dependent_accounts") | list) if ansible_local.checkmk_server|d() else [] }}' 
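Review bot: `map(attribute="dependent_vars.users__dependent_accounts")` (and the two sibling hunks for `etc_services` and `ferm` above it) still assumes every entry of `ansible_local.checkmk_server` carries a `dependent_vars` key; the `|d()` in the condition only covers the fact being absent altogether. I cannot see from here where `dependent_vars` is filled in, but an entry written by `tasks/ssh_fact.yml` or one in `state: absent` handling that lacks it would surface as an undefined-variable error on the first host that has such an entry. Filtering first, `| selectattr("dependent_vars", "defined") | map(attribute="dependent_vars.users__dependent_accounts") | list`, keeps the expression total; the same applies to the other two hunks.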
From 5c0a5dab8c7977dc08f7492cfbe09396b36eb6c5 Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Tue, 16 May 2017 07:29:15 +0200 Subject: [PATCH 32/34] Adjust SSH public key lookup to new facts layout --- tasks/ssh_login.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/tasks/ssh_login.yml b/tasks/ssh_login.yml index c3796f6..e6253cd 100644 --- a/tasks/ssh_login.yml +++ b/tasks/ssh_login.yml @@ -11,10 +11,8 @@ - name: Allow SSH login from master site authorized_key: user: '{{ site_item.user }}' - key: '{{ item.ssh_public_key }}' - when: item.name == site_item.master_site - with_items: '{{ hostvars[site_item.master_delegate_to].ansible_local.checkmk_server - if ("master_delegate_to" in site_item.keys()) else [] }}' + key: '{{ hostvars[site_item.master_delegate_to].ansible_local.checkmk_server[site_item.master_site].ssh_public_key }}' + when: ('master_delegate_to' in site_item.keys()) # delegate block delegate_to: '{{ site_item.delegate_to From 6a5c4f555c413d653b401cd667c2dd6b69bed326 Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Thu, 18 May 2017 18:17:48 +0200 Subject: [PATCH 33/34] Update dependency to Ansible >=2.3.0 Lower Ansible versions might suffer from Ansible issue #14542. Version 2.3.0 has been tested to solve the issue. --- README.md | 2 +- meta/main.yml | 9 ++++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 02c9893..8041ffb 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ This role installs and manages [Check_MK](http://mathias-kettner.com/check_mk.ht ### Installation -This role requires at least Ansible `v2.1.5`. To install it, run: +This role requires at least Ansible `v2.3.0`. To install it, run: ```Shell ansible-galaxy install debops-contrib.checkmk_server diff --git a/meta/main.yml b/meta/main.yml index fc40342..a90ca10 100644 --- a/meta/main.yml +++ b/meta/main.yml 
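Review bot: The new `key:` expression indexes `ansible_local.checkmk_server[site_item.master_site].ssh_public_key` on the master host's facts, so a master whose entry has no `ssh_public_key` yet (it is only filled in by `tasks/ssh_fact.yml` once the key exists) or whose facts predate the current layout fails at templating, where the removed `with_items` form silently did nothing; the `when:` only checks `master_delegate_to`. Extending the guard, `when: ('master_delegate_to' in site_item.keys()) and ('ssh_public_key' in hostvars[site_item.master_delegate_to].ansible_local.checkmk_server[site_item.master_site]|d({}))`, skips cleanly, though a preceding `assert` naming the master site in its message would make the missing key visible instead of leaving the slave silently unreachable. Since this grants the master's key login to the site user, `key_options` with a `from=` restriction to the master host's address would also limit where that key is usable — I cannot see which variable holds that address. The enclosing block continues outside the hunk.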
@@ -11,7 +11,7 @@ galaxy_info: author: Reto Gantenbein description: 'Setup Check_MK monitoring server' license: 'GPL-3.0' - min_ansible_version: '2.1.5' + min_ansible_version: '2.3.0' platforms: @@ -19,6 +19,13 @@ galaxy_info: versions: - wheezy - jessie + - stretch + - name: Ubuntu + versions: + - trusty + - xenial + - yakkety + - zesty galaxy_tags: - debops From 4d0e8cab84fccc1e7702adab03cd0376100c0cec Mon Sep 17 00:00:00 2001 From: Reto Gantenbein Date: Fri, 19 May 2017 07:24:43 +0200 Subject: [PATCH 34/34] Clarify comments in the local facts template --- .../etc/ansible/facts.d/checkmk_server.fact.j2 | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/templates/etc/ansible/facts.d/checkmk_server.fact.j2 b/templates/etc/ansible/facts.d/checkmk_server.fact.j2 index f9f62fa..9eda84a 100644 --- a/templates/etc/ansible/facts.d/checkmk_server.fact.j2 +++ b/templates/etc/ansible/facts.d/checkmk_server.fact.j2 @@ -1,10 +1,13 @@ {# - # Create a facts file with the sites hosted on the involved host. + # Create a facts file containing the sites hosted on the involved host. # - # Distributed slaves sites are defined on the master server, therefore - # it may happen, that the facts file is merged from multiple configuration - # sources. Sites which are about to be deleted must not be listed in the - # resulting facts file. + # Distributed slaves sites are defined in the inventory of the master server, + # therefore it may happen, that the facts file is merged from multiple + # configuration sources (inventory from master host and local facts from + # slave host). + # + # Sites which are about to be deleted must not be listed in the resulting + # facts file. #} {% set _site_facts = {} %} {% if (site_item.delegate_to in hostvars) and