Alexandros Kosiaris has submitted this change and it was merged. Change subject: monitoring: detect saturation of nf_conntrack table ......................................................................
monitoring: detect saturation of nf_conntrack table bug: T105154 Change-Id: Idf21587618d76dc0fb685f17320c4004cd37c05c --- A modules/base/files/firewall/check_conntrack.py M modules/base/manifests/firewall.pp 2 files changed, 67 insertions(+), 1 deletion(-) Approvals: Alexandros Kosiaris: Verified; Looks good to me, approved
diff --git a/modules/base/files/firewall/check_conntrack.py b/modules/base/files/firewall/check_conntrack.py
new file mode 100644
index 0000000..19ba2b0
--- /dev/null
+++ b/modules/base/files/firewall/check_conntrack.py
@@ -0,0 +1,53 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+from __future__ import division
+import sys
+import os
+
+
+def get_sysctl(name):
+
+ path = os.path.join('/proc/sys', name)
+
+ try:
+ with open(path) as f:
+ value = f.read().rstrip('\n')
+ return int(value)
+ except IOError:
+ return None
+
+
+def main():
+ if len(sys.argv) != 3:
+ print "Usage:"
+ print "check_conntrack WARNING CRITICAL"
+ sys.exit(-1)
+
+ w = int(sys.argv[1])
+ c = int(sys.argv[2])
+
+ # get the values and verify they are not None
+ max_value = get_sysctl('net/netfilter/nf_conntrack_max')
+ if max_value is None or max_value < 0:
+ print("WARNING: could not read sysctl settings")
+ sys.exit(1)
+
+ count_value = get_sysctl('net/netfilter/nf_conntrack_count')
+ full = int(count_value/max_value*100)
+
+ # check what is the value of full and act upon it
+ if full >= c:
+ print("CRITICAL: nf_conntrack is %d %% full" % full)
+ sys.exit(2)
+ elif full >= w and full < c:
+ print("WARNING: nf_conntrack is %d %% full" % full)
+ sys.exit(1)
+ elif full < w:
+ print("OK: nf_conntrack is %d %% full" % full)
+ sys.exit(0)
+ else:
+ print("UNKNOWN: error reading nf_conntrack")
+ sys.exit(3)
+
+if __name__ == '__main__':
+ main()
diff --git a/modules/base/manifests/firewall.pp b/modules/base/manifests/firewall.pp
index 561a061..b894656 100644
--- a/modules/base/manifests/firewall.pp
+++ b/modules/base/manifests/firewall.pp
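Review bot: In check_conntrack.py's main(), `count_value` is used without the None check that `max_value` gets, and the guard `max_value < 0` still lets 0 through, so an unreadable nf_conntrack_count or a zero nf_conntrack_max ends in a TypeError or ZeroDivisionError traceback instead of a deliberate plugin status. A conntrack-saturation check that fails this way gives no usable signal exactly when the sysctl state is unusual. Read both values before dividing and guard them together, `if max_value is None or max_value <= 0 or count_value is None:`, exiting 3 (UNKNOWN) there rather than 1. The usage path's `sys.exit(-1)` is seen by the caller as status 255; `sys.exit(3)` would keep it inside the Nagios status range, and the trailing `else:` branch is unreachable once the three comparisons above it cover every integer.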
@@ -31,4 +31,17 @@
 ensure => $ensure,
 rule => 'saddr $MONITORING_HOSTS ACCEPT;',
 }
-}
\ No newline at end of file
+
+ file { '/usr/lib/nagios/plugins/check_conntrack':
+ source => 'puppet:///modules/base/firewall/check_conntrack.py',
+ mode => '0755',
+ }
+
+ nrpe::monitor_service { 'conntrack_table_size':
+ ensure => 'present',
+ description => 'Check size of conntrack table',
+ nrpe_command => '/usr/lib/nagios/plugins/check_conntrack -w 80 -c 90',
+ require => File['/usr/lib/nagios/plugins/check_conntrack'],
+ contact_group => 'admins',
+ }
+}
-- To view, visit https://gerrit.wikimedia.org/r/223560 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Idf21587618d76dc0fb685f17320c4004cd37c05c Gerrit-PatchSet: 14 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Matanya <mata...@foss.co.il> Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: Dzahn <dz...@wikimedia.org> Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org> Gerrit-Reviewer: Muehlenhoff <mmuhlenh...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
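Review bot: The `nrpe_command` passes four arguments (`-w 80 -c 90`), but check_conntrack.py in this same change does no option parsing and accepts exactly two positionals (`len(sys.argv) != 3`), so as written every run takes the usage path and exits via `sys.exit(-1)` without ever reading the conntrack counters. Either invoke it positionally, `nrpe_command => '/usr/lib/nagios/plugins/check_conntrack 80 90',`, or add `-w`/`-c` handling to the script. The `file` resource also leaves ownership implicit; for a plugin executed by NRPE it is worth stating `owner => 'root', group => 'root',` next to `mode => '0755'`. The enclosing class starts outside this hunk.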