Add a Nagios check to monitor IPA ID ranges

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>

roles/nagios_client/files/scripts/check_ipa_free_ids.py

@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+
+"""
+Check for available IDs in IPA's ID ranges.
+
+See pagure.io/fedora-infrastructure/issue/12641
+
+Author: abompard@fedoraproject.org
+"""
+
+import sys
+from configparser import ConfigParser
+
+import ldap
+
+
+def get_config():
+    config = ConfigParser(interpolation=None)
+    config.read("/etc/ipa/default.conf")
+    return {key: config.get("global", key) for key in ("host", "basedn")}
+
+
+def get_free_ids(config):
+    ldap.set_option(ldap.OPT_REFERRALS, 0)
+    conn = ldap.ldapobject.SimpleLDAPObject(f"ldaps://{config['host']}")
+    conn.protocol_version = 3
+    conn.timeout = 10
+    conn.sasl_gssapi_bind_s()
+    results = conn.search_s(
+        base=f"cn=posix-ids,cn=dna,cn=ipa,cn=etc,{config['basedn']}",
+        scope=ldap.SCOPE_ONELEVEL,
+        filterstr="(dnaPortNum=389)",
+        attrlist=["dnaHostname", "dnaRemainingValues"],
+    )
+    free_ids = {}
+    for dn, attrs in results:
+        hostname = attrs["dnaHostname"][0].decode("ascii")
+        value = int(attrs["dnaRemainingValues"][0].decode("ascii"))
+        free_ids[hostname] = value
+    return free_ids
+
+
+def main():
+    config = get_config()
+    free_ids = get_free_ids(config)
+
+    # Testcases:
+    # free_ids={"host1": 0, "host2": 0, "host3": 20}
+    # free_ids={"host1": 10, "host2": 0, "host3": 20}
+    # free_ids={"host1": 10000, "host2": 10000, "host3": 20}
+
+    perfdata = " ".join(f"{host}={free_ids[host]}" for host in sorted(free_ids))
+    if set(free_ids.values()) == {0}:
+        msg = "CRITICAL: no free ID left"
+        exit_code = 2
+    elif 0 in set(free_ids.values()):
+        full_servers = [host for host in sorted(free_ids) if free_ids[host] == 0]
+        msg = " ".join(
+            [
+                "WARNING:",
+                str(len(full_servers)),
+                "server has" if len(full_servers) == 1 else "servers have",
+                "no free ID left:",
+                ", ".join(full_servers),
+            ]
+        )
+        exit_code = 1
+    elif any(value < 1000 for value in free_ids.values()):
+        full_servers = [host for host in sorted(free_ids) if free_ids[host] < 1000]
+        msg = " ".join(
+            [
+                "WARNING:",
+                str(len(full_servers)),
+                "server has" if len(full_servers) == 1 else "servers have",
+                "almost no free ID left:",
+                ", ".join(full_servers),
+            ]
+        )
+        exit_code = 1
+    else:
+        msg = "OK: there are free IDs left"
+        exit_code = 0
+    return f"{msg}|{perfdata}", exit_code
+
+
+if __name__ == "__main__":
+    output, exit_code = main()
+    print(output)
+    sys.exit(exit_code)

roles/nagios_client/tasks/main.yml

@@ -56,6 +56,7 @@
   - check_lock_file_age
   - check_testcloud
   - check_ipa_replication
+  - check_ipa_free_ids.py
   - check_redis_queue.sh
   - check_timestamp_from_file
   - check_crl_next_update

roles/nagios_client/templates/check_ipa.cfg.j2

@@ -1 +1,2 @@
 command[check_ipa_replication]={{ libdir }}/nagios/plugins/check_ipa_replication -u ldaps://localhost/
+command[check_ipa_free_ids]={{ libdir }}/nagios/plugins/check_ipa_free_ids.py

roles/nagios_server/templates/nagios/services/ipa.cfg.j2

@@ -4,5 +4,13 @@ define service {
   service_description   IPA Replication Status
   check_command         check_by_nrpe!check_ipa_replication
   use                   lighttemplate
-  servicegroups		ipa
+  servicegroups         ipa
+}
+
+define service {
+  host_name             {{ groups['ipa'][0] }}
+  service_description   IPA Free IDs
+  check_command         check_by_nrpe!check_ipa_free_ids
+  use                   lighttemplate
+  servicegroups         ipa
 }