[MediaWiki-commits] [Gerrit] operations/puppet[production]: salt: add Icinga plugin to check for unaccepted keys

2016-09-16 Thread Dzahn (Code Review)
Dzahn has submitted this change and it was merged.

Change subject: salt: add Icinga plugin to check for unaccepted keys
..


salt: add Icinga plugin to check for unaccepted keys

Add an Icinga plugin script to check for unaccepted
salt keys and install it on the master via the salt module.

Needs sudo to run salt-key. Fails if it can't get the key list,
otherwise counts them and alerts if >= 1.

Bug: T144801
Change-Id: If15055ca58673b12dfa0f64f214fece7335d1085
---
A modules/salt/files/check_unaccepted_keys
M modules/salt/manifests/master.pp
A modules/salt/manifests/monitoring.pp
3 files changed, 52 insertions(+), 0 deletions(-)

Approvals:
  jenkins-bot: Verified
  Dzahn: Looks good to me, approved



diff --git a/modules/salt/files/check_unaccepted_keys 
b/modules/salt/files/check_unaccepted_keys
new file mode 100755
index 000..bcc1520
--- /dev/null
+++ b/modules/salt/files/check_unaccepted_keys
@@ -0,0 +1,27 @@
+#!/bin/bash
+# Icinga plugin to check for unaccepted salt keys (T144801)
+# Daniel Zahn - Wikimedia Foundation Inc.
+
+key_list=$(sudo /usr/bin/salt-key -l un)
+
+if ! echo $key_list | grep -q Unaccepted ; then
+echo "UNKNOWN - failed to get key list"
+exit 3
+fi
+
+num_keys=$(echo $key_list | grep -v Unaccepted | wc -l)
+
+# echo $key_list
+# echo "There are ${num_keys} unaccepted keys"
+
+if [[ $num_keys -gt 0 ]] ; then
+echo "CRITICAL - ${num_keys} unaccepted salt keys"
+exit 2
+elif [[ $num_keys -eq 0 ]] ; then
+echo "OK - No unaccepted salt keys"
+exit 0
+fi
+
+echo "UNKOWN - check plugin script"
+exit 3
+
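Review bot: The unquoted `echo $key_list` in both the header test and the `num_keys=` line collapses the salt-key output onto a single line, so `grep -v Unaccepted` discards that one line and `wc -l` yields 0 whenever the header is present; the check then reports OK no matter how many keys are waiting. Quote the variable (`echo "$key_list"`) in both places so the count is taken per line. The two branches already cover every value `wc -l` can return, so the trailing fallback is unreachable, and its message misspells UNKNOWN as "UNKOWN".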
diff --git a/modules/salt/manifests/master.pp b/modules/salt/manifests/master.pp
index c3d0e25..ed85cbc 100644
--- a/modules/salt/manifests/master.pp
+++ b/modules/salt/manifests/master.pp
@@ -90,4 +90,5 @@
 }
 
 include salt::orchestration
+include salt::monitoring
 }
diff --git a/modules/salt/manifests/monitoring.pp 
b/modules/salt/manifests/monitoring.pp
new file mode 100644
index 000..c2974e1
--- /dev/null
+++ b/modules/salt/manifests/monitoring.pp
@@ -0,0 +1,24 @@
+# Let Icinga check for unaccepted salt keys (T144801)
+class salt::monitoring() {
+
+$check_unaccepted_keys = 
'/usr/local/lib/nagios/plugins/check_unaccepted_keys'
+
+file { $check_unaccepted_keys:
+ensure => present,
+mode   => '0550',
+owner  => 'root',
+group  => 'root',
+source => 'puppet:///modules/salt/check_unaccepted_keys',
+}
+
+sudo::user { 'nagios_unaccepted_keys':
+user   => 'nagios',
+privileges => ["ALL = NOPASSWD: ${check_unaccepted_keys}"],
+}
+
+nrpe::monitor_service { 'salt_unaccepted_keys':
+description  => 'unaccepted salt keys',
+nrpe_command => $check_unaccepted_keys,
+}
+
+}
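Review bot: The sudo rule in `sudo::user` lets nagios run the plugin path as root, but `nrpe_command => $check_unaccepted_keys` calls it without sudo, and the file is root:root with mode '0550', so the nagios user named in the rule cannot execute the command as written. Either prefix the NRPE command with sudo so it matches the rule, or, to keep the root surface smaller, grant NOPASSWD only for `/usr/bin/salt-key -l un` (the one command the script already wraps in sudo) and make the plugin executable by nagios. Running the whole script under sudo also makes the inner `sudo /usr/bin/salt-key` redundant.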

-- 
To view, visit https://gerrit.wikimedia.org/r/311079
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: If15055ca58673b12dfa0f64f214fece7335d1085
Gerrit-PatchSet: 5
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn 
Gerrit-Reviewer: Dzahn 
Gerrit-Reviewer: jenkins-bot <>

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits


[MediaWiki-commits] [Gerrit] operations/puppet[production]: salt: add Icinga plugin to check for unaccepted keys

2016-09-15 Thread Dzahn (Code Review)
Dzahn has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/311079

Change subject: salt: add Icinga plugin to check for unaccepted keys
..

salt: add Icinga plugin to check for unaccepted keys

Add a simple Icinga plugin script to check for unaccepted
salt keys and install it on the master via the salt module.

Bug: T144801
Change-Id: If15055ca58673b12dfa0f64f214fece7335d1085
---
A modules/salt/files/check_unaccepted_keys
M modules/salt/manifests/master.pp
2 files changed, 29 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/79/311079/1

diff --git a/modules/salt/files/check_unaccepted_keys 
b/modules/salt/files/check_unaccepted_keys
new file mode 100755
index 000..afde985
--- /dev/null
+++ b/modules/salt/files/check_unaccepted_keys
@@ -0,0 +1,20 @@
+#!/bin/bash
+# Icinga plugin to check for unaccepted salt keys (T144801)
+# Daniel Zahn - Wikimedia Foundation Inc.
+
+num_keys=$(sudo /usr/bin/salt-key -l un | wc -l)
+let num_keys=num_keys-1
+
+# echo "There are ${num_keys} unaccepted keys"
+
+if [[ $num_keys -gt 0 ]] ; then
+echo "CRITICAL- ${num_keys} unaccepted salt keys"
+exit 2
+elif [[ $num_keys -eq 0 ]] ; then
+echo "OK- No unaccepted salt keys"
+exit 0
+fi
+
+echo "UNKOWN- check plugin script"
+exit 3
+
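Review bot: On the `num_keys=$(sudo /usr/bin/salt-key -l un | wc -l)` line the pipeline's status is that of `wc`, so a failing sudo or salt-key is never detected directly: empty output becomes -1 and falls through to the generic UNKNOWN, while any stray output line is counted as an unaccepted key. Capture the output first, confirm the expected header (or the exit status) before counting, and return UNKNOWN with a message that says the key list could not be read. The status strings also lack a space before the dash ("CRITICAL-", "OK-") and "UNKOWN" is misspelled.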
diff --git a/modules/salt/manifests/master.pp b/modules/salt/manifests/master.pp
index c3d0e25..251bc3b 100644
--- a/modules/salt/manifests/master.pp
+++ b/modules/salt/manifests/master.pp
@@ -89,5 +89,14 @@
 group  => 'root',
 }
 
+# Icinga plugin to check for unaccepted keys (T144801)
+file { '/usr/local/lib/nagios/plugins/check_unaccepted_keys':
+ensure => present,
+mode   => '0550',
+owner  => 'root',
+group  => 'root',
+source => 'puppet:///modules/salt/check_unaccepted_keys',
+}
+
 include salt::orchestration
 }
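Review bot: The `file` resource installs the plugin as root:root with mode '0550', but nothing in this change lets Icinga run it: there is no NRPE command definition and no sudo rule, and a non-root monitoring user cannot execute a file with those permissions. Since the script calls `sudo /usr/bin/salt-key`, add the matching sudoers entry and the NRPE service definition alongside the file resource, ideally in a dedicated monitoring class rather than inline in master.pp.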

-- 

Gerrit-MessageType: newchange
Gerrit-Change-Id: If15055ca58673b12dfa0f64f214fece7335d1085
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn 
