Alexandros Kosiaris has submitted this change and it was merged.

Change subject: monitoring: detect saturation of nf_conntrack table
......................................................................


monitoring: detect saturation of nf_conntrack table

bug: T105154
Change-Id: Idf21587618d76dc0fb685f17320c4004cd37c05c
---
A modules/base/files/firewall/check_conntrack.py
M modules/base/manifests/firewall.pp
2 files changed, 67 insertions(+), 1 deletion(-)

Approvals:
  Alexandros Kosiaris: Verified; Looks good to me, approved



diff --git a/modules/base/files/firewall/check_conntrack.py 
b/modules/base/files/firewall/check_conntrack.py
new file mode 100644
index 0000000..19ba2b0
--- /dev/null
+++ b/modules/base/files/firewall/check_conntrack.py
@@ -0,0 +1,53 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+from __future__ import division
+import sys
+import os
+
+
+def get_sysctl(name):
+
+    path = os.path.join('/proc/sys', name)
+
+    try:
+        with open(path) as f:
+            value = f.read().rstrip('\n')
+        return int(value)
+    except IOError:
+        return None
+
+
+def main():
+    if len(sys.argv) != 3:
+        print "Usage:"
+        print "check_conntrack WARNING CRITICAL"
+        sys.exit(-1)
+
+    w = int(sys.argv[1])
+    c = int(sys.argv[2])
+
+    # get the values and verify they are not None
+    max_value = get_sysctl('net/netfilter/nf_conntrack_max')
+    if max_value is None or max_value < 0:
+        print("WARNING: could not read sysctl settings")
+        sys.exit(1)
+
+    count_value = get_sysctl('net/netfilter/nf_conntrack_count')
+    full = int(count_value/max_value*100)
+
+    # check what is the value of full and act upon it
+    if full >= c:
+        print("CRITICAL: nf_conntrack is %d %% full" % full)
+        sys.exit(2)
+    elif full >= w and full < c:
+        print("WARNING: nf_conntrack is %d %% full" % full)
+        sys.exit(1)
+    elif full < w:
+        print("OK: nf_conntrack is %d %% full" % full)
+        sys.exit(0)
+    else:
+        print("UNKNOWN: error reading nf_conntrack")
+        sys.exit(3)
+
+if __name__ == '__main__':
+    main()
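Review bot: count_value is never validated before the division in main(). get_sysctl() returns None on IOError, so when nf_conntrack_count is unreadable `int(count_value/max_value*100)` raises TypeError, and a max_value of 0 passes the `max_value < 0` test and raises ZeroDivisionError. Suggest checking both values (None, or max_value <= 0) before computing full, and exiting 3 (UNKNOWN) from there. As written the final else branch can never run, because the three conditions before it cover every integer value of full. Two smaller points: the usage path's sys.exit(-1) produces status 255 rather than a Nagios status code, and non-numeric thresholds hit an uncaught ValueError from int().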
diff --git a/modules/base/manifests/firewall.pp 
b/modules/base/manifests/firewall.pp
index 561a061..b894656 100644
--- a/modules/base/manifests/firewall.pp
+++ b/modules/base/manifests/firewall.pp
@@ -31,4 +31,17 @@
         ensure => $ensure,
         rule   => 'saddr $MONITORING_HOSTS ACCEPT;',
     }
-}
\ No newline at end of file
+
+    file { '/usr/lib/nagios/plugins/check_conntrack':
+        source => 'puppet:///modules/base/firewall/check_conntrack.py',
+        mode   => '0755',
+    }
+
+    nrpe::monitor_service { 'conntrack_table_size':
+        ensure        => 'present',
+        description   => 'Check size of conntrack table',
+        nrpe_command  => '/usr/lib/nagios/plugins/check_conntrack -w 80 -c 90',
+        require       => File['/usr/lib/nagios/plugins/check_conntrack'],
+        contact_group => 'admins',
+    }
+}
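Review bot: nrpe_command passes `-w 80 -c 90`, but check_conntrack.py in this same change takes two positional arguments (`if len(sys.argv) != 3`, then `int(sys.argv[1])`). This invocation has five argv entries, so the check falls into the usage branch and exits on every run without ever reading the conntrack counters. Either change the command to `/usr/lib/nagios/plugins/check_conntrack 80 90` or have the script parse -w and -c.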

-- 
To view, visit https://gerrit.wikimedia.org/r/223560
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Idf21587618d76dc0fb685f17320c4004cd37c05c
Gerrit-PatchSet: 14
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Matanya <mata...@foss.co.il>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: Dzahn <dz...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org>
Gerrit-Reviewer: Muehlenhoff <mmuhlenh...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
