put in many changes for new nagios server

2017-04-06 23:50:44 +00:00 · 2017-04-06 23:50:44 +00:00 · dfd088ab5e
commit dfd088ab5e
parent 8cd3f46eb2
23 changed files with 52 additions and 11 deletions
--- a/inventory/group_vars/value
+++ b/inventory/group_vars/value
@ -18,6 +18,7 @@ custom_rules: [
    '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
    # Needed to let nagios on noc01 and noc02 pipe alerts to zodbot here
    '-A INPUT -p tcp -m tcp -s 10.5.126.41 --dport 5050 -j ACCEPT',
    '-A INPUT -p tcp -m tcp -s 10.5.126.241 --dport 5050 -j ACCEPT',
    '-A INPUT -p tcp -m tcp -s 192.168.1.20 --dport 5050 -j ACCEPT',
    # batcave01 also needs access to announce commits.
    '-A INPUT -p tcp -m tcp -s 10.5.126.23 --dport 5050 -j ACCEPT',
--- a/inventory/group_vars/value-stg
+++ b/inventory/group_vars/value-stg
@ -16,8 +16,10 @@ custom_rules: [
    # Neeed for rsync from log01 for logs.
    '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
    '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
-    # Needed to let nagios on noc01 and noc02 pipe alerts to zodbot here
+    # Needed to let nagios on noc01 and noc02 (nagios01/noc01.stg) pipe alerts to zodbot here
    '-A INPUT -p tcp -m tcp -s 10.5.126.41 --dport 5050 -j ACCEPT',
    '-A INPUT -p tcp -m tcp -s 10.5.126.241 --dport 5050 -j ACCEPT',
    '-A INPUT -p tcp -m tcp -s 10.5.126.2 --dport 5050 -j ACCEPT',
    '-A INPUT -p tcp -m tcp -s 152.19.134.192 --dport 5050 -j ACCEPT',
    # batcave01 also needs access to announce commits.
    '-A INPUT -p tcp -m tcp -s 10.5.126.23 --dport 5050 -j ACCEPT',
--- a/inventory/host_vars/db-fas01.phx2.fedoraproject.org
+++ b/inventory/host_vars/db-fas01.phx2.fedoraproject.org
@ -40,8 +40,9 @@ custom_rules: [
    # basset01
    '-A INPUT -p tcp -m tcp -s 10.5.126.194  --dport 5432 -j ACCEPT',
-    # sundries02...
+    # sundries ??? but this is noc01?
    '-A INPUT -p tcp -m tcp -s 10.5.126.41   --dport 5432 -j ACCEPT',
    '-A INPUT -p tcp -m tcp -s 10.5.126.241   --dport 5432 -j ACCEPT',
    # hosted03 and hosted04 (over the vpn)
    '-A INPUT -p tcp -m tcp -s 192.168.1.16  --dport 5432 -j ACCEPT',
--- a/inventory/host_vars/db-koji01.phx2.fedoraproject.org
+++ b/inventory/host_vars/db-koji01.phx2.fedoraproject.org
@ -30,7 +30,13 @@ kernel_shmmax: 68719476736
 #
 # Only allow postgresql access from the frontend node.
 #
-custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.5.125.59 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.125.60 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.125.61 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.125.62 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.126.41 --dport 5432 -j ACCEPT' ]
+custom_rules: [ 
 '-A INPUT -p tcp -m tcp -s 10.5.125.59 --dport 5432 -j ACCEPT', 
 '-A INPUT -p tcp -m tcp -s 10.5.125.60 --dport 5432 -j ACCEPT', 
 '-A INPUT -p tcp -m tcp -s 10.5.125.61 --dport 5432 -j ACCEPT', 
 '-A INPUT -p tcp -m tcp -s 10.5.125.62 --dport 5432 -j ACCEPT', 
 '-A INPUT -p tcp -m tcp -s 10.5.126.41 --dport 5432 -j ACCEPT', 
 ]
 #
 # Large updates pushes cause lots of db threads doing the tag moves, so up this from default. 
--- a/playbooks/groups/nagios-new.yml
+++ b/playbooks/groups/nagios-new.yml
@ -22,6 +22,8 @@
  - fas_client
  - collectd/base
  - sudo
  - { role: openvpn/client,
      when: env != "staging" }
  - mod_wsgi
  - role: keytab/service
    owner_user: apache
@ -37,7 +39,7 @@
  - include: "{{ handlers }}/restart_services.yml"
 - name: deploy nagios service config
-  hosts: nagios-stg
+  hosts: nagios-new-stg:nagios-new
  user:
  gather_facts: True
--- a/playbooks/groups/osbs-cluster.yml
+++ b/playbooks/groups/osbs-cluster.yml
@ -722,5 +722,8 @@
      shell: "oc import-image fedora --all"
      when: env == "production" and hostvars[groups["osbs-masters"][0]]["docker_pull_fedora"]|changed
-    - name: enable nrpe for monitoring
+    - name: enable nrpe for monitoring (noc01)
      iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
    - name: enable nrpe for monitoring (nagios01)
      iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.241 state=present jump=ACCEPT
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@ -26,10 +26,12 @@
 # for nrpe - allow it from nocs
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.102 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
 {% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
 #
--- a/roles/base/templates/iptables/iptables.download-phx2
+++ b/roles/base/templates/iptables/iptables.download-phx2
@ -19,10 +19,12 @@
 # for nrpe - allow it from nocs
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.102 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
 {% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
 #
--- a/roles/base/templates/iptables/iptables.jenkins.fedorainfracloud.org
+++ b/roles/base/templates/iptables/iptables.jenkins.fedorainfracloud.org
@ -42,10 +42,12 @@ COMMIT
 # for nrpe - allow it from nocs
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.102 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
 {% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
 #
--- a/roles/base/templates/iptables/iptables.ns03.phx2.fedoraproject.org
+++ b/roles/base/templates/iptables/iptables.ns03.phx2.fedoraproject.org
@ -26,10 +26,12 @@
 # for nrpe - allow it from nocs
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.102 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
 {% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
 #
--- a/roles/base/templates/iptables/iptables.ns04.phx2.fedoraproject.org
+++ b/roles/base/templates/iptables/iptables.ns04.phx2.fedoraproject.org
@ -26,10 +26,12 @@
 # for nrpe - allow it from nocs
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.102 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
 {% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
 #
--- a/roles/base/templates/iptables/iptables.openqa-tap-workers
+++ b/roles/base/templates/iptables/iptables.openqa-tap-workers
@ -26,10 +26,12 @@
 # for nrpe - allow it from nocs
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.102 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
 {% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
 #
--- a/roles/base/templates/iptables/iptables.openstack-compute
+++ b/roles/base/templates/iptables/iptables.openstack-compute
@ -33,10 +33,12 @@
 # for nrpe - allow it from nocs
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.102 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
 # if the host/group defines incoming tcp_ports - allow them
 {% if tcp_ports is defined %}
--- a/roles/base/templates/iptables/iptables.osuosl
+++ b/roles/base/templates/iptables/iptables.osuosl
@ -31,10 +31,12 @@
 # for nrpe - allow it from nocs
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.102 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
 # if the host/group defines incoming tcp_ports - allow them
 {% if tcp_ports is defined %}
--- a/roles/base/templates/iptables/iptables.pgbdr01.stg.phx2.fedoraproject.org
+++ b/roles/base/templates/iptables/iptables.pgbdr01.stg.phx2.fedoraproject.org
@ -38,10 +38,12 @@ COMMIT
 # for nrpe - allow it from nocs
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.102 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.2 -j ACCEPT
 # if the host declares a fedmsg-enabled wsgi app, open ports for it
--- a/roles/base/templates/iptables/iptables.pgbdr02.stg.phx2.fedoraproject.org
+++ b/roles/base/templates/iptables/iptables.pgbdr02.stg.phx2.fedoraproject.org
@ -38,10 +38,12 @@ COMMIT
 # for nrpe - allow it from nocs
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.102 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.2 -j ACCEPT
 # if the host declares a fedmsg-enabled wsgi app, open ports for it
--- a/roles/base/templates/iptables/iptables.releng
+++ b/roles/base/templates/iptables/iptables.releng
@ -29,10 +29,12 @@ COMMIT
 # Overwrite any global rules
 # for nrpe - allow it from nocs
 -A INPUT -p tcp -m tcp -s 192.168.1.10 --dport 5666 -j ACCEPT
 -A INPUT -p tcp -m tcp -s 192.168.1.166 --dport 5666 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
 -A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 5666 -j ACCEPT
 -A INPUT -p tcp -m tcp -s 209.132.181.35 --dport 5666 -j ACCEPT
 -A INPUT -p tcp -m tcp -s 10.5.126.41  --dport 5666 -j ACCEPT
 -A INPUT -p tcp -m tcp -s 10.5.126.241  --dport 5666 -j ACCEPT
 # if the blocked_ips is defined - drop them
 {% if blocked_ips is defined %}
--- a/roles/base/templates/iptables/iptables.staging
+++ b/roles/base/templates/iptables/iptables.staging
@ -40,10 +40,12 @@ COMMIT
 # for nrpe - allow it from nocs
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.102 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.2 -j ACCEPT
 # if the host declares a fedmsg-enabled wsgi app, open ports for it
--- a/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org
+++ b/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org
@ -26,10 +26,12 @@
 # for nrpe - allow it from nocs
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.102 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
 {% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
 #
--- a/roles/nagios/client/templates/nrpe.cfg.j2
+++ b/roles/nagios/client/templates/nrpe.cfg.j2
@ -80,9 +80,9 @@ nrpe_group=nrpe
 {% if env == "staging" %}
-allowed_hosts=10.5.126.2,10.5.126.41,192.168.1.10,192.168.1.20,209.132.181.35
+allowed_hosts=10.5.126.2,10.5.126.41,10.5.126.241,192.168.1.10,192.168.1.20,209.132.181.35,192.168.1.166
 {% else %}
-allowed_hosts=10.5.126.41,192.168.1.10,192.168.1.20,209.132.181.35
+allowed_hosts=10.5.126.41,192.168.1.10,192.168.1.20,209.132.181.35,10.5.126.241,192.168.1.166
 {% endif %} 
--- a/roles/nagios/server/files/nrpe.cfg
+++ b/roles/nagios/server/files/nrpe.cfg
@ -70,7 +70,7 @@ nrpe_group=nrpe
 # NOTE: This option is ignored if NRPE is running under either inetd or xinetd
 #allowed_hosts=127.0.0.1,192.168.0.2
-allowed_hosts=10.5.126.41,127.0.0.1,192.168.1.10,192.168.1.20,209.132.181.35
+allowed_hosts=10.5.126.41,10.5.126.241,127.0.0.1,192.168.1.10,192.168.1.20,209.132.181.35,192.168.1.166
--- a/roles/nagios_client/templates/nrpe.cfg.j2
+++ b/roles/nagios_client/templates/nrpe.cfg.j2
@ -79,9 +79,9 @@ nrpe_group=nrpe
 # NOTE: This option is ignored if NRPE is running under either inetd or xinetd
 {% if env == "staging" %}
-allowed_hosts=10.5.126.2,10.5.126.41,192.168.1.10,192.168.1.20,209.132.181.35
+allowed_hosts=10.5.126.2,10.5.126.41,10.5.126.241,192.168.1.10,192.168.1.20,209.132.181.35,192.168.1.166
 {% else %}
-allowed_hosts=10.5.126.41,192.168.1.10,192.168.1.20,209.132.181.35
+allowed_hosts=10.5.126.41,10.5.126.241,192.168.1.10,192.168.1.20,209.132.181.35,192.168.1.166
 {% endif %} 
--- a/roles/nagios_server/files/nrpe/nrpe.cfg
+++ b/roles/nagios_server/files/nrpe/nrpe.cfg
@ -96,7 +96,7 @@ nrpe_group=nrpe
 # NOTE: This option is ignored if NRPE is running under either inetd or xinetd
 #allowed_hosts=127.0.0.1,192.168.0.2
-allowed_hosts=10.5.126.2,10.5.126.41,127.0.0.1,192.168.1.10,192.168.1.20,209.132.181.35
+allowed_hosts=10.5.126.2,10.5.126.41,10.5.126.241,127.0.0.1,192.168.1.10,192.168.1.20,192.168.1.166,209.132.181.35