Faidon Liambotis has submitted this change and it was merged. Change subject: Revert "Initial commit of pmacct module" ......................................................................
Revert "Initial commit of pmacct module" This reverts commit 2e7954be2d24fe2ed6d246ce0b30f8b24750a8fa. This violates a bunch of our conventions and really needs to go via a proper code review process. It's also a broken pmacct configuration (no /opt/maxmind, among others). More importantly, it's also a doubly broken ferm configuration that would break all other netmon1001 services if it was otherwise non-broken. Change-Id: I1865d1f2c69302eca83e29eb09a17105d21590e1 --- M manifests/site.pp D modules/pmacct/manifests/devices.pp D modules/pmacct/manifests/init.pp D modules/pmacct/manifests/makeconfig.pp D modules/pmacct/templates/config.erb 5 files changed, 1 insertion(+), 222 deletions(-) Approvals: Faidon Liambotis: Looks good to me, approved jenkins-bot: Verified diff --git a/manifests/site.pp b/manifests/site.pp index f6fcfac..6ec6549 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -1886,10 +1886,7 @@ misc::rancid, smokeping, smokeping::web, - role::librenms, - geoip, - pmacct, - ferm + role::librenms interface::add_ip6_mapped { "main": } } diff --git a/modules/pmacct/manifests/devices.pp b/modules/pmacct/manifests/devices.pp deleted file mode 100644 index a9f4339..0000000 --- a/modules/pmacct/manifests/devices.pp +++ /dev/null 
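Review bot: Dropping `geoip`, `pmacct` and `ferm` from the class list in the `manifests/site.pp` hunk only stops Puppet from managing them; it does not undo anything an agent run already applied to the node. Whether the reverted commit reached the host before this merge is not visible here, but if it did, the ferm package and any rules it loaded, the `pmacct` user and the `/srv/pmacct` tree may still be present. That matters because the description itself calls the ferm configuration service-breaking. I would record in the change that the host's firewall state was checked after the revert, for example with `iptables -t nat -L PREROUTING -n` and `iptables -L -n`, or follow up with a short-lived cleanup such as `package { 'pmacct': ensure => absent }`. The node block begins outside the hunk.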
@@ -1,61 +0,0 @@
-# Class: pmacct
-#
-# List of devices speaking netflow/ipfix
-#
-# IP is needed for iptables rules changes
-# port is needed for flow and bpg config
-# samplerate is to adjust for sampling
-
-class pmacct::devices {
- # Device Listing
- $list = {
- # tpa - as65001
- cr1-sdtpa => {
- port => '6511',
- ip => '208.80.152.196',
- samplerate => '200',
- },
- # Currently running old JunOS and will not sample correctly
- #cr2-pmtpa => {
- # port => '6512',
- # ip => '208.80.152.197',
- # samplerate => '1000',
- #},
-
- # eqiad - as65002
- cr1-eqiad => {
- port => '6521',
- ip => '208.80.154.196',
- samplerate => '1000',
- },
- cr2-eqiad => {
- port => '6522',
- ip => '208.80.154.197',
- samplerate => '1000',
- },
-
- # ulsfo - as65003
- cr1-ulsfo => {
- port => '6531',
- ip => '198.35.26.192',
- samplerate => '1000',
- },
- cr2-ulsfo => {
- port => '6532',
- ip => '198.35.26.193',
- samplerate => '1000',
- },
-
- # ams - as43821
- cr1-esams => {
- port => '4381',
- ip => '91.198.174.245',
- samplerate => '1000',
- },
- cr2-knams => {
- port => '4382',
- ip => '91.198.174.246',
- samplerate => '1000',
- },
- }
-}
diff --git a/modules/pmacct/manifests/init.pp b/modules/pmacct/manifests/init.pp
deleted file mode 100644
index 3d1d098..0000000
--- a/modules/pmacct/manifests/init.pp
+++ /dev/null
@@ -1,73 +0,0 @@
-# Class: pmacct
-#
-# This installs and mangages pmacct configuraiton
-# http://www.pmacct.net/
-#
-# Will initially be added to node 'netmon1001'
-
-class pmacct {
-
- # Note: $pmacct::home does not work here... ?
- $home = '/srv/pmacct'
-
- # mysql
- $mysqlhost = '127.0.0.1'
- $mysqluser = 'pmacct'
- $mysqlpass = $passwords::pmacct::mysqlpass
-
- # Package (have a fresh one built by Faidon)
- # --enable-mysql --enable-64bit --enable-threads --enable-geoip
- # and added to our repo?
- package { 'pmacct':
- ensure => installed,
- }
-
- # User creation (not done by package)
- generic::systemuser { 'pmacct':
- name => 'pmacct',
- home => $pmacct::home,
- shell => '/bin/sh',
- }
-
- # Home directory
- file { $pmacct::home:
- ensure => 'directory',
- owner => 'pmacct',
- group => 'pmacct',
- mode => '0750',
- }
-
- # Log directory
- file { "${pmacct::home}/logs":
- ensure => 'directory',
- owner => 'pmacct',
- group => 'pmacct',
- mode => '0750',
- require => File[ $pmacct::home ],
- }
-
- # Config directory
- file { "${pmacct::home}/configs":
- ensure => 'directory',
- owner => 'pmacct',
- group => 'pmacct',
- mode => '0750',
- require => File[ $pmacct::home ],
- }
-
- # Device list (nice to keep it in it's own world)
- require 'pmacct::devices'
-
- # Iterate over the device list to create new configs
- # FIXME: Review daniel's different method for iterating over a hash..
- create_resources('pmacct::makeconfig', $pmacct::devices::list)
-
- # Iterate over the device list to verify/check iptables redirects
- # FIXME: ferm (should probably happen in one iterate...
-
-
- # FIXME: make sure services are running (not start/stop scripts)
- # ...
-}
-
-
diff --git a/modules/pmacct/manifests/makeconfig.pp b/modules/pmacct/manifests/makeconfig.pp
deleted file mode 100644
index 65a207e..0000000
--- a/modules/pmacct/manifests/makeconfig.pp
+++ /dev/null
@@ -1,21 +0,0 @@
-# pmacct::makeconfig
-# Generates a unique config file per device
-
-define pmacct::makeconfig ($name, $port, $ip, $samplerate) {
- # Single confile file per device
- file { "${pmacct::home}/configs/config-${name}.cfg":
- ensure => 'file',
- owner => 'pmacct',
- group => 'pmacct',
- mode => '0750',
- content => template('pmacct/config.erb'),
- require => File [ "${pmacct::home}/configs" ],
- }
-
- # Corresponding ferm rule for firewall redirect
- ferm::rule {"${name}-BGP":
- rule => "proto tcp dport 179 source ${ip} REDIRECT to-ports ${port};",
- table => 'nat',
- chain => 'PREROUTING',
- }
-}
diff --git a/modules/pmacct/templates/config.erb b/modules/pmacct/templates/config.erb
deleted file mode 100644
index 370ee3e..0000000
--- a/modules/pmacct/templates/config.erb
+++ /dev/null
@@ -1,63 +0,0 @@
-!# Wikimedia pmacct netflow collector configuration file (one daemon per collector)
-!# This file is managed by Puppet!
-!#
-!# Note: '!' is used for comments, '#' added for better syntax highlighting
-!#
-!# Custom configuration made from template for <%= @name %>
-
-daemonize: true
-syslog: daemon
-pidfile: /var/run/nfacctd-<%= @name %>.pid
-
-!# Maxmind Country Database
-!# FIXME: Production location variable?
-geoip_ipv4_file: /opt/maxmind/GeoIP.dat
-
-plugins: print[asn], print[country], print[port], print[iface], print[src]
-
-print_output: csv
-print_refresh_time: 300
-
-!# Enforce 5m boundaries on time windows eg 00,05,10
-print_time_roundoff: m
-
-aggregate[asn]: dst_as,as_path,peer_dst_as
-print_output_file[asn]: <%= @home %>/logs/<%= @name %>-asn-%Y%m%d-%H%M.txt
-
-aggregate[country]: dst_host_country
-print_output_file[country]: <%= @home %>/logs/<%= @name %>-country-%Y%m%d-%H%M.txt
-
-aggregate[port]: src_port
-print_output_file[port]: <%= @home %>/logs/<%= @name %>-src_port-%Y%m%d-%H%M.txt
-
-aggregate[iface]: out_iface
-print_output_file[iface]: <%= @home %>/logs/<%= @name %>-interface-%Y%m%d-%H%M.txt
-
-aggregate[src]: src_host
-print_output_file[src]: <%= @home %>/logs/<%= @name %>-src_host-%Y%m%d-%H%M.txt
-
-!# Netflow UDP Port
-nfacctd_port: <%= @port %>
-
-!# Disable some warnings due to JunOS bugs
-nfacctd_disable_checks: true
-
-!# FIXME: Use a map file, which can be relaoded with a SIGUSR2
-!# Correct for sampling rate by upscaling byte counts
-nfacctd_ext_sampling_rate: <%= @samplerate %>
-nfacctd_renormalize: true
-
-!# BGP Config
-bgp_daemon: true
-bgp_daemon_max_peers: 1
-
-!# Note: JunOS does not support custom bgp ports, so we are using iptables NAT redirect to accomplish the same locally
-!# eg. 
iptables --table nat --append PREROUTING --proto tcp --source 208.80.152.196 --dport 179 --jump REDIRECT --to-ports 6001
-!# Using same port number as Flow, but BGP is TCP and Flow is UDP
-bgp_daemon_port: <%= @port %>
-
-!# Rely on BGP for destination ASN (IPFIX buggy)
-nfacctd_as_new: bgp
-
-! Strip as-path to first 3 hops
-!bgp_aspath_radius: 3
-- To view, visit https://gerrit.wikimedia.org/r/107550 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I1865d1f2c69302eca83e29eb09a17105d21590e1 Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: jenkins-bot _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits