Matanya has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/223560

Change subject: monitoring: detect saturation of nf_conntrack table
......................................................................

monitoring: detect saturation of nf_conntrack table

bug: T105154
Change-Id: Idf21587618d76dc0fb685f17320c4004cd37c05c
---
A modules/base/files/firewall/check_conntrack.py
M modules/base/manifests/firewall.pp
M modules/nagios_common/files/checkcommands.cfg
3 files changed, 54 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/60/223560/1

diff --git a/modules/base/files/firewall/check_conntrack.py 
b/modules/base/files/firewall/check_conntrack.py
new file mode 100644
index 0000000..fe86fc5
--- /dev/null
+++ b/modules/base/files/firewall/check_conntrack.py
@@ -0,0 +1,34 @@
+#!/usr/bin/python
+import string
+
+def _get_sysctl(self, name):
+
+    path = '/proc/sys/' + name.translate(string.maketrans('.', '/'))
+
+    try:
+        with open(path) as f:
+            value = f.read().rstrip('\n')
+        return value
+
+    except IOError:
+        return None
+
+def collect(self):
+
+    max_value = self._get_sysctl('net.netfilter.nf_conntrack_max')
+    if max_value is not None and max_value > 0:
+        count_value = self._get_sysctl('net.netfilter.nf_conntrack_count')
+        full = count_value/max_value*100
+    if int(full) >= 80 and <= 90:
+        print "Warning: nf_conntrack is %s % full" % (full)
+        sys.exit(1)
+    elif int(full) >= 90:
+        print "Critical: nf_conntrack is %s % full" % (full)
+        sys.exit(2)
+    elif int(full) < 80:
+        print "OK: nf_conntrack is %s % full" % (full)
+        sys.exit(0)
+    else:
+        print "UNKNOWN: error reading nf_conntrack"
+        sys.exit(3)
+
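Review bot: the condition `if int(full) >= 80 and <= 90:` in collect() is not valid Python, so the plugin fails at parse time and never returns a status; write it as `80 <= full < 90`, which also removes the overlap with the `>= 90` critical branch. Other points in this file: `sys` is used for `sys.exit()` but never imported. Both functions take `self` although they are module-level, and nothing calls `collect()`, so the script would exit without checking anything. `_get_sysctl` returns strings, so `max_value > 0` and `count_value/max_value*100` need an `int()` conversion and float division, since Python 2 integer division would yield 0 for any table that is not completely full. When `max_value` is None, `full` is never assigned and the code raises NameError instead of reaching the UNKNOWN branch; the same applies if `nf_conntrack_count` cannot be read. The literal percent sign in `"%s % full"` must be written `%%`, otherwise `% f` is parsed as a second conversion.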
diff --git a/modules/base/manifests/firewall.pp 
b/modules/base/manifests/firewall.pp
index 561a061..68f3fbf 100644
--- a/modules/base/manifests/firewall.pp
+++ b/modules/base/manifests/firewall.pp
@@ -31,4 +31,17 @@
         ensure => $ensure,
         rule   => 'saddr $MONITORING_HOSTS ACCEPT;',
     }
-}
\ No newline at end of file
+
+    file { '/usr/lib/nagios/plugins/check_conntrack':
+        source => 'puppet:///modules/base/firewall/check_conntrack.py',
+        mode   => '0755',
+    }
+
+    nrpe::monitor_service { 'conntrack_table_size':
+        ensure        => 'present',
+        description   => 'Check size of conntrack table',
+        nrpe_command  => '/usr/lib/nagios/plugins/check_conntrack',
+        require       => File['/usr/lib/nagios/plugins/check_conntrack'],
+        contact_group => 'admins',
+    }
+}
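Review bot: the new `nrpe::monitor_service` hardcodes `ensure => 'present'` and the `file` resource has no `ensure` at all, while the existing resource directly above uses `ensure => $ensure`, so the plugin and its check stay in place when the rest of this class is set to absent; pass `$ensure` to both. The `file` resource should also set `owner` and `group` explicitly (root) so the plugin NRPE executes is not left with whatever default applies. The service title `conntrack_table_size` does not match the `check_conntrack` name used in the checkcommands.cfg part of this change, which is worth aligning.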
diff --git a/modules/nagios_common/files/checkcommands.cfg 
b/modules/nagios_common/files/checkcommands.cfg
index 866f949..44b16f5 100644
--- a/modules/nagios_common/files/checkcommands.cfg
+++ b/modules/nagios_common/files/checkcommands.cfg
@@ -482,3 +482,9 @@
     command_name    check_http_zotero_lvs_on_port
     command_line    $USER1$/check_http -I $HOSTADDRESS$ -H $ARG1$ -p $ARG2$ -P 
'[{"itemType":"journalArticle"}]' -T 'application/json' -u "$ARG3$"
 }
+
+define command {
+    command_name    nrpe_check_conntrack
+    command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_conntrack
+}
+
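Review bot: `-c check_conntrack` in the new `command_line` has to match an NRPE command name configured on the target host, and nothing in the visible lines of this change defines one with that name; the monitor in firewall.pp is titled `conntrack_table_size` and points at the plugin by path. Confirm which name NRPE ends up with and use it here, or drop this definition if nothing references `nrpe_check_conntrack`. The hunk also adds a trailing blank line at the end of the file, which can go.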

-- 
To view, visit https://gerrit.wikimedia.org/r/223560
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Idf21587618d76dc0fb685f17320c4004cd37c05c
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Matanya <mata...@foss.co.il>
