Compare commits


No commits in common. "b90717e25a5a7eebe52505e49525c937bebbcf8e" and "0a8b1bfa6ed76105a0d334983cb229c75ab16b33" have entirely different histories.

5 changed files with 75 additions and 108 deletions


@ -48,12 +48,18 @@
state: "absent" state: "absent"
force: "yes" force: "yes"
- name: check freshness - name: check library freshness
command: /usr/sbin/needrestart -p command: /usr/lib/check_mk_agent/plugins/freshness
register: freshness register: freshness
changed_when: freshness.rc == 1 changed_when: freshness.rc == 1
failed_when: false failed_when: false
- name: check kernel version
command: /usr/lib/check_mk_agent/plugins/kernelversion
register: kernelversion
changed_when: kernelversion.rc == 1
failed_when: false
- name: restart system cleanly - name: restart system cleanly
block: block:
- name: secondary node - name: secondary node
@ -198,7 +204,7 @@
- name: reset any systemd failures - name: reset any systemd failures
command: systemctl reset-failed command: systemctl reset-failed
when: freshness.changed when: freshness.changed or kernelversion.changed
- name: wait 30 seconds for system to stabilize - name: wait 30 seconds for system to stabilize
pause: pause:
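Review bot: `failed_when: false` on `check library freshness` and on the new `check kernel version` task also hides a plugin that is missing or crashes. In that case `freshness.changed or kernelversion.changed` evaluates false, and the host skips the restart path even when patched libraries or a new kernel are pending. Both plugins exit only 0 or 1 by design, so the tasks could fail on anything else: `failed_when: freshness.rc not in [0, 1]` and `failed_when: kernelversion.rc not in [0, 1]`. The restart block itself lies outside the visible hunks, so how it is gated is inferred from the `when:` on `reset any systemd failures`.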


@ -1,103 +1,52 @@
#!/usr/bin/env python #!/bin/bash
# Check for freshness of various components using needrestart # Open file handle freshness check for Check_MK
# Installed by PVC ansible
import subprocess OK=0
import re WARNING=1
import json
try: FRESHNESS="$( lsof -Fcftn / 2>/dev/null | grep -v '/tmp' | \
nrout = subprocess.run(["/usr/sbin/needrestart", "-b"], timeout=5, stdout=subprocess.PIPE, stderr=subprocess.PIPE) awk '
except subprocess.TimeoutExpired: {
exit(2) field=substr($0,1,1);
except Exception: data=substr($0,2);
exit(1) if (field=="f") {
file_descriptor=data;
stdout = nrout.stdout.decode("ascii").split('\n') } else if (field=="t") {
stderr = nrout.stdout.decode("ascii").split('\n') file_type=data;
} else if (field=="c") {
# Output data structure after parsing needrestart output command_name=data;
data = { } else if (field=="n" && file_descriptor=="DEL" && file_type=="REG") {
'kernel': { name=data;
'current': None, file[command_name]++;
'pending': None,
'state': 0,
},
'microcode': {
'current': None,
'pending': None,
'state': 0,
},
'services': {
'count': 0,
'list': list(),
},
'containers': {
'count': 0,
'list': list(),
},
'sessions': {
'count': 0,
'list': list(),
},
} }
}
END {
for (name in file) {
error++;
# Skip these problematic programs
if (name=="systemd-udevd") { continue; }
if (name=="pulseaudio") { continue; }
if (name=="light-locker") { continue; }
if (name=="at-spi-bus-laun") { continue; }
if (name=="node") { continue; }
if (error_name) { error_name=error_name " " };
error_name=error_name name;
}
if (error_name) {
print error_name;
exit error;
} else {
exit;
}
}' )";
# NEEDRESTART-VER: 3.4 echo "<<<freshness>>>"
# NEEDRESTART-KCUR: 4.19.0-6-amd64 if [ "$FRESHNESS" ]; then
# NEEDRESTART-KEXP: 4.19.0-20-amd64 echo "Applications needing restart: $FRESHNESS"
# NEEDRESTART-KSTA: 3 exit $WARNING
# NEEDRESTART-UCSTA: 2 else
# NEEDRESTART-UCCUR: 0xb000038 echo "No applications needing restart"
# NEEDRESTART-UCEXP: 0xb000040 exit $OK
# NEEDRESTART-SVC: acpid fi
# NEEDRESTART-SVC: cron
# NEEDRESTART-SVC: irqbalance
# NEEDRESTART-SVC: mcelog
# NEEDRESTART-SVC: munin-node
# NEEDRESTART-SVC: ntp
# NEEDRESTART-SVC: ssh
# NEEDRESTART-SVC: syslog-ng
# NEEDRESTART-SVC: trousers
# NEEDRESTART-SVC: watchdog
# NEEDRESTART-SVC: wd_keepalive
# NEEDRESTART-CONT: LXC web1
# NEEDRESTART-SESS: metabase @ user manager service
# NEEDRESTART-SESS: root @ session #28017
# STA:
# 0: unknown or failed to detect
# 1: no pending upgrade
# 2: ABI compatible upgrade pending
# 3: version upgrade pending
for line in stdout:
# Kernel version
if re.match(r'^NEEDRESTART-KSTA', line):
data['kernel']['state'] = int(line.split(': ')[-1])
elif re.match(r'^NEEDRESTART-KCUR', line):
data['kernel']['current'] = line.split(': ')[-1]
elif re.match(r'^NEEDRESTART-KEXP', line):
data['kernel']['pending'] = line.split(': ')[-1]
# Microcode version
elif re.match(r'^NEEDRESTART-UCSTA', line):
data['microcode']['state'] = int(line.split(': ')[-1])
elif re.match(r'^NEEDRESTART-UCCUR', line):
data['microcode']['current'] = line.split(': ')[-1]
elif re.match(r'^NEEDRESTART-UCEXP', line):
data['microcode']['pending'] = line.split(': ')[-1]
# Services needing restart
elif re.match(r'^NEEDRESTART-SVC', line):
data['services']['count'] += 1
data['services']['list'].append(' '.join(line.split(': ')[1:]))
# Containers needing restart
elif re.match(f'^NEEDRESTART-CONT', line):
data['containers']['count'] += 1
data['containers']['list'].append(' '.join(line.split(': ')[1:]))
# Sessions needing restart
elif re.match(f'^NEEDRESTART-SESS', line):
data['sessions']['count'] += 1
data['sessions']['list'].append(' '.join(line.split(': ')[1:]))
print("<<<freshness>>>")
print(json.dumps(data))
exit(0)
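Review bot: The new bash check fails open: `2>/dev/null` on the `lsof` call discards every error, so a host where `lsof` is absent or fails leaves `$FRESHNESS` empty and reports "No applications needing restart" with exit 0. A guard ahead of the pipeline, such as `command -v lsof >/dev/null || { echo "<<<freshness>>>"; echo "lsof not available"; exit $WARNING; }`, would keep a broken check from reading as a clean host. The skip list in the `END` block exempts every process named `node`, and `grep -v '/tmp'` drops any line containing that substring (so `/var/tmp` paths too); each exclusion deserves a comment saying why it is acceptable. Compared with the removed needrestart parser, microcode, container and session state are no longer reported, which is worth stating in the header comment.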


@ -0,0 +1,14 @@
#!/bin/bash
OK=0
WARNING=1
echo "<<<kernelversion>>>"
ACTIVE="$( uname -v | awk '{ print $4" "$5 }' )"
ONDISK="$( strings /vmlinuz | grep 'Debian' | head -1 | awk '{ print $6" "$7 }' )"
echo ${ACTIVE}
echo ${ONDISK}
if [[ ${ACTIVE} != ${ONDISK} ]]; then
exit $WARNING
else
exit $OK
fi
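Review bot: The comparison `[[ ${ACTIVE} != ${ONDISK} ]]` leaves the right-hand side unquoted, so bash treats `${ONDISK}` as a glob pattern rather than a literal string, and an empty `${ONDISK}` always compares unequal. If `strings /vmlinuz | grep 'Debian'` yields nothing (no `/vmlinuz` link, `strings` unavailable, or a banner laid out differently), the plugin exits 1 on every run and the playbook sees a pending kernel each time. Quote both sides, `if [[ "${ACTIVE}" != "${ONDISK}" ]]; then`, and test `[[ -z "${ONDISK}" ]]` first so that a failed detection is reported as such rather than as a version mismatch. The positional `awk` fields (`$4" "$5` and `$6" "$7`) assume one specific banner layout; a comment recording the expected `uname -v` format would make that assumption checkable.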


@ -1,18 +1,16 @@
#!/bin/bash #!/bin/bash
# File ownership check for Check_MK # File ownership check for Check_MK
# Ensures that no files outside of homedirs are owned by administrative users
# Installed by PVC ansible # Installed by PVC ansible
ADMIN_UID_MIN=200 UID_MAX=199
ADMIN_UID_MAX=599
# http://www.debian.org/doc/debian-policy/ch-opersys.html # http://www.debian.org/doc/debian-policy/ch-opersys.html
# 0-99: Globally allocated by the Debian project # 0-99: Globally allocated by the Debian project
# 100-199: (PVC) Dynamically allocated system users # 100-199: (PVC) Dynamically allocated system users and groups
# 200-299: (PVC) provisioning users # 200-299: (PVC) provisioning users
# 300-499: (PVC) reserved # 300-499: (PVC) reserved
# 500-599: (PVC) system administrators # 500-599: (PVC) system administrators
# 600-999: (PVC) Dynamically allocated service users # 600-999: (PVC) reserved
# 64045: (PVC) ceph # 64045: (PVC) ceph
function is_element_of { function is_element_of {
@ -45,7 +43,7 @@ for FILESYSTEM in ${FILESYSTEMs[@]}; do
fi fi
fi fi
FILEs+=($FILE) FILEs+=($FILE)
done < <( find ${FILESYSTEM} -xdev -uid +${ADMIN_UID_MIN} -uid -${ADMIN_UID_MAX} \ done < <( find ${FILESYSTEM} -xdev -uid +$UID_MAX -not -uid +64000 -not -uid 2000 \
-not \( -type d -a \( -path /media -o -path /mnt \) \) \ -not \( -type d -a \( -path /media -o -path /mnt \) \) \
-not \( -name '.*.swp' -a -mtime -3 \) \ -not \( -name '.*.swp' -a -mtime -3 \) \
-not \( -path '*/.git' -o -path '*/.git/*' \) \ -not \( -path '*/.git' -o -path '*/.git/*' \) \
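Review bot: The new `find` filter `-uid +$UID_MAX -not -uid +64000 -not -uid 2000` carries two magic numbers that the UID table above it does not explain: nothing documents UID 2000, and the `+64000` cut-off excludes far more than the `64045` ceph entry. Every UID above 64000 is now exempt, so files owned by `nobody` (65534 on Debian) or by a leftover high UID are never reported. Add table entries such as `# 2000: (PVC) <purpose>` and `# 64001+: excluded from this check`, or narrow the exclusion to `-not -uid 64045` if only ceph is meant. The `find` expression and its enclosing loop continue outside this hunk, so later predicates may narrow the result further.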


@ -238,7 +238,6 @@
- sysstat - sysstat
- binutils - binutils
- deborphan - deborphan
- needrestart
- wget - wget
- curl - curl
- gawk - gawk
@ -620,6 +619,7 @@
- entropy - entropy
- freshness - freshness
- ipmi - ipmi
- kernelversion
- ownership - ownership
tags: base-cmkagent tags: base-cmkagent