Ori.livneh has submitted this change and it was merged.
Change subject: Add Icinga checks for important sysctl params
......................................................................
Add Icinga checks for important sysctl params

Add 'check_sysctl', an Icinga plug-in that issues alerts whenever the actual
and expected values of sysctl parameters are not the same.

I made two additional changes that were prompted by rereading the README of the
Debian procps package:

  "In general, files in the 10-*.conf range come from the procps package and
  serve as system defaults. Other packages install their files in the
  30-*.conf range, to override system defaults. End-users can use 60-*.conf
  and above, or use /etc/sysctl.conf directly, which overrides anything in
  this directory."

Thus:

* Make the default priority of sysctl::conffile and sysctl::parameters
  resources 60, rather than 10. Any additional sysctl::parameters resources
  won't come from the procps package itself, so the default priority of 10 is
  neither sensible nor safe.
* Change priority of Sysctl::Parameters['lvs'] to 60 so that it conforms with
  the priority namespacing policy of the package. (The 50 range is not
  defined.)

Change-Id: If004835fb369810bba553dce2d2b8df7b8d364ac
---
A files/icinga/check_sysctl
M manifests/misc/icinga.pp
M modules/base/manifests/sysctl.pp
M modules/lvs/manifests/balancer.pp
M modules/sysctl/manifests/conffile.pp
M modules/sysctl/manifests/parameters.pp
M templates/icinga/checkcommands.cfg.erb
7 files changed, 43 insertions(+), 3 deletions(-)
Approvals:
Ori.livneh: Looks good to me, approved
jenkins-bot: Verified
diff --git a/files/icinga/check_sysctl b/files/icinga/check_sysctl
new file mode 100755
index 0000000..39ca825
--- /dev/null
+++ b/files/icinga/check_sysctl
@@ -0,0 +1,28 @@
+#!/bin/bash
+# Icinga plugin that compares reference and actual values of sysctl
+# parameters and emits an alert if the values don't match.
+
+if [ "$1" = "-h" ] || [ "$1" = "--help" ] || [ "$#" != "1" ]; then
+ echo "Icinga check for tunable kernel parameters (sysctl)."
+ echo "Usage: $0 param1=value1[,param2=value2,...]"
+ exit 0
+fi
+
+bad=()
+IFS=',' read -a items <<< "$1"
+for item in "${items[@]}"; do
+ parameter=${item%=*}
+ expected=$(sed 's/\s\+/ /g' <<< ${item#*=})
+ actual=$(/sbin/sysctl -b $parameter 2>/dev/null | sed 's/\s\+/ /g')
+ if [ "$actual" != "$expected" ]; then
+ bad+=("$parameter")
+ fi
+done
+
+if [ "${#bad[@]}" = 0 ]; then
+ echo "OK: kernel parameters are set to expected value."
+ exit 0
+else
+ IFS=','; echo "WARNING: kernel parameter(s) ${bad[*]} have unexpected
value(s)."
+ exit 1
+fi
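Review bot: The usage branch at the top of check_sysctl exits 0 when the argument count is wrong (`[ "$#" != "1" ]` followed by `exit 0`), so a service definition that passes no argument, or more than one, prints the usage text and is recorded by Icinga as OK. Keep exit 0 for -h/--help if you want, but return 3 (UNKNOWN) for a bad argument count. In the loop, `$parameter` is unquoted in `/sbin/sysctl -b $parameter`; quote it so the check argument is not subject to word splitting or globbing. Because stderr is discarded, a parameter that does not exist on the host is reported with the same message as a wrong value; a separate message for an empty `$actual` would make the alert easier to act on.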
diff --git a/manifests/misc/icinga.pp b/manifests/misc/icinga.pp
index eae45f5..5a69af7 100644
--- a/manifests/misc/icinga.pp
+++ b/manifests/misc/icinga.pp
@@ -617,6 +617,12 @@
group => 'root',
mode => '0755',
}
+ file { '/usr/lib/nagios/plugins/check_sysctl':
+ source => 'puppet:///files/icinga/check_sysctl',
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
# Include check_elasticsearch from elasticsearch module
include elasticsearch::nagios::plugin
diff --git a/modules/base/manifests/sysctl.pp b/modules/base/manifests/sysctl.pp
index b77c3dd..b28a3c5 100644
--- a/modules/base/manifests/sysctl.pp
+++ b/modules/base/manifests/sysctl.pp
@@ -22,6 +22,7 @@
# We don't want 10-ipv6-privacy.conf, so skip it.
},
+ priority => 10,
}
sysctl::parameters { 'wikimedia base':
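Review bot: The added `priority => 10` has no comment explaining why this one resource keeps the old value while the default moves to 60. A one-line comment above it saying which range this file is meant to occupy would stop someone from "correcting" it to the new default later.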
diff --git a/modules/lvs/manifests/balancer.pp
b/modules/lvs/manifests/balancer.pp
index 2737c0c..4e06071 100644
--- a/modules/lvs/manifests/balancer.pp
+++ b/modules/lvs/manifests/balancer.pp
@@ -53,7 +53,7 @@
# removed in >= 3.6 kernels.
'net.ipv4.rt_cache_rebuild_count' => -1,
},
- priority => 50,
+ priority => 60,
}
generic::upstart_job { "enable-rps": install => "true", start => "true" }
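Review bot: Changing `priority => 50` to `priority => 60` needs a note on cleanup: if the priority is part of the generated file name, hosts that already carry the 50-prefixed file will keep it next to the new one. Please confirm the old file is removed on existing balancers, or add an explicit removal, so two copies of the lvs settings cannot drift apart.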
diff --git a/modules/sysctl/manifests/conffile.pp
b/modules/sysctl/manifests/conffile.pp
index ffb5d32..ff25c8a 100644
--- a/modules/sysctl/manifests/conffile.pp
+++ b/modules/sysctl/manifests/conffile.pp
@@ -7,7 +7,7 @@
$file = $title,
$content = undef,
$source = undef,
- $priority = '10'
+ $priority = 60
) {
include sysctl
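Review bot: The new default `$priority = 60` also applies to every existing sysctl::conffile that does not pass `priority`, not only to resources added from now on; callers that relied on the old default should be checked and pinned explicitly where their ordering matters. The default also changes from a quoted string (`'10'`) to a bare integer (`60`); if callers elsewhere pass strings, pick one form and document it on the parameter.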
diff --git a/modules/sysctl/manifests/parameters.pp
b/modules/sysctl/manifests/parameters.pp
index 66ed44c..980a516 100644
--- a/modules/sysctl/manifests/parameters.pp
+++ b/modules/sysctl/manifests/parameters.pp
@@ -7,7 +7,7 @@
$values,
$ensure = present,
$file = $title,
- $priority = '10'
+ $priority = 60
) {
sysctl::conffile { $file:
ensure => $ensure,
diff --git a/templates/icinga/checkcommands.cfg.erb
b/templates/icinga/checkcommands.cfg.erb
index 0e77103..6cc8a8d 100644
--- a/templates/icinga/checkcommands.cfg.erb
+++ b/templates/icinga/checkcommands.cfg.erb
@@ -514,6 +514,11 @@
command_line $USER1$/check_graphite -U $ARG1$ --from $ARG2$ -t
reqstats.5xx -W $ARG3$ -C $ARG4$
}
+define command{
+ command_name check_sysctl
+ command_line $USER1$/check_sysctl $ARG1$
+}
+
# Checks whether a host belongs to given dsh group(s)
define command{
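Review bot: `$ARG1$` is unquoted in `command_line $USER1$/check_sysctl $ARG1$`, while check_sysctl accepts exactly one argument and collapses whitespace in the expected value, which suggests multi-valued parameters are meant to work. An expected value containing a space would be split into several arguments, hit the usage branch and exit 0, which Icinga shows as OK. Suggest `command_line $USER1$/check_sysctl '$ARG1$'`. Separately, as defined the plugin runs on the Icinga host and reads that host's own sysctl values; if the intent is to check monitored hosts, the command needs to be invoked remotely, and a comment above the definition should say which is intended.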
--
To view, visit https://gerrit.wikimedia.org/r/111163
Gerrit-MessageType: merged
Gerrit-Change-Id: If004835fb369810bba553dce2d2b8df7b8d364ac
Gerrit-PatchSet: 4
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ori.livneh <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Andrew Bogott <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: Mark Bergsma <[email protected]>
Gerrit-Reviewer: Nemo bis <[email protected]>
Gerrit-Reviewer: Ori.livneh <[email protected]>
Gerrit-Reviewer: jenkins-bot <>