Gehel has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/402095 )

Change subject: elasticsearch / prometheus: enable prometheus jmx_exporter
......................................................................

elasticsearch / prometheus: enable prometheus jmx_exporter

Bug: T181627
Change-Id: Ib2de51b15676c4607e2a4c6ab21e9f402f9751b6
---
M modules/elasticsearch/manifests/init.pp
M modules/elasticsearch/templates/jvm.options.erb
A 
modules/profile/files/prometheus/elasticsearch_prometheus_jmx_exporter.java.policy
A modules/profile/files/prometheus/elasticsearch_prometheus_jmx_exporter.yaml
M modules/profile/manifests/elasticsearch.pp
A modules/profile/manifests/prometheus/elasticsearch_jmx_exporter.pp
M modules/role/manifests/elasticsearch/beta.pp
M modules/role/manifests/elasticsearch/cirrus.pp
M modules/role/manifests/elasticsearch/relforge.pp
9 files changed, 56 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/95/402095/1

diff --git a/modules/elasticsearch/manifests/init.pp 
b/modules/elasticsearch/manifests/init.pp
index e711aa1..6119e36 100644
--- a/modules/elasticsearch/manifests/init.pp
+++ b/modules/elasticsearch/manifests/init.pp
@@ -120,6 +120,7 @@
     $curator_uses_unicast_hosts = true,
     $reindex_remote_whitelist = undef,
     $script_max_compilations_per_minute = undef,
+    $additional_jvm_options = [],
 ) {
 
     # Check arguments
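Review bot: The new `$additional_jvm_options` parameter is not type-checked, yet the jvm.options.erb template in this change calls `.each` on it, so a caller passing a single string instead of an array would fail at template rendering rather than with a clear error. If the class validates its arguments in the `# Check arguments` block that follows (its body is outside the hunk), add `validate_array($additional_jvm_options)` there. The parameter should also get a line in the class header comment saying that each element is written to jvm.options as one JVM flag.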
diff --git a/modules/elasticsearch/templates/jvm.options.erb 
b/modules/elasticsearch/templates/jvm.options.erb
index e4e6345..953fc92 100644
--- a/modules/elasticsearch/templates/jvm.options.erb
+++ b/modules/elasticsearch/templates/jvm.options.erb
@@ -126,3 +126,7 @@
 <% @gc_log_flags.each do |gc_log_flag| -%>
 <%= gc_log_flag %>
 <% end -%>
+
+<% @additional_jvm_options.each do |flag| -%>
+  <%= flag %>
+<% end -%>
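Review bot: The added `  <%= flag %>` line is indented by two spaces, and that whitespace is emitted into the rendered jvm.options in front of every flag, unlike the `<%= gc_log_flag %>` line just above, which starts at column 0. If jvm.options is read by selecting lines that begin with `-` (as Elasticsearch's startup handling does in some versions; worth confirming for the deployed one), the `-javaagent` option would be skipped or rejected. Write the line as `<%= flag %>` with no leading spaces.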
diff --git 
a/modules/profile/files/prometheus/elasticsearch_prometheus_jmx_exporter.java.policy
 
b/modules/profile/files/prometheus/elasticsearch_prometheus_jmx_exporter.java.policy
new file mode 100644
index 0000000..7fab013
--- /dev/null
+++ 
b/modules/profile/files/prometheus/elasticsearch_prometheus_jmx_exporter.java.policy
@@ -0,0 +1,9 @@
+grant codeBase "file:/usr/share/java/prometheus/-" {
+
+  permission javax.management.MBeanServerPermission "createMBeanServer";
+  permission javax.management.MBeanPermission "*", "*";
+  permission java.lang.RuntimePermission "accessClassInPackage.sun.management";
+  permission java.io.FilePermission 
"/etc/elasticsearch/prometheus_jmx_exporter.yaml", "read";
+  permission java.io.FilePermission "/proc/self/status", "read";
+
+};
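Review bot: `permission javax.management.MBeanPermission "*", "*";` grants every MBean action, including `invoke`, `setAttribute` and `registerMBean`, on every MBean, which is more than a read-only metrics exporter should need inside a JVM that otherwise runs under a restrictive security manager. Narrow it to read actions, for example `permission javax.management.MBeanPermission "*", "getAttribute,getMBeanInfo,queryNames,queryMBeans,getDomains";`, and widen it only if the agent reports an access-control failure. The `codeBase "file:/usr/share/java/prometheus/-"` grant also applies recursively to every jar under that directory; naming the single `jmx_prometheus_javaagent.jar` path used in profile::elasticsearch would keep the exception scoped to the agent.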
diff --git 
a/modules/profile/files/prometheus/elasticsearch_prometheus_jmx_exporter.yaml 
b/modules/profile/files/prometheus/elasticsearch_prometheus_jmx_exporter.yaml
new file mode 100644
index 0000000..b8cf8c9
--- /dev/null
+++ 
b/modules/profile/files/prometheus/elasticsearch_prometheus_jmx_exporter.yaml
@@ -0,0 +1,7 @@
+---
+lowercaseOutputLabelNames: true
+lowercaseOutputName: true
+# to ensure we only load a minimum number of MBeans, let's define a dummy 
whitelist
+whitelistObjectNames: [ 'java.lang:type=ClassLoading' ]
+# and since we are only interested in the DefaultExports, let's blacklist 
everything
+blacklistObjectNames: [ '*:*' ]
diff --git a/modules/profile/manifests/elasticsearch.pp 
b/modules/profile/manifests/elasticsearch.pp
index aa873c8..1e966c9 100644
--- a/modules/profile/manifests/elasticsearch.pp
+++ b/modules/profile/manifests/elasticsearch.pp
@@ -36,6 +36,10 @@
 ) {
     $master_eligible = $::fqdn in $unicast_hosts
 
+    $jmx_exporter_path = 
'/usr/share/java/prometheus/jmx_prometheus_javaagent.jar'
+    $jmx_exporter_port = '9109'
+    $jmx_exporter_config = '/etc/elasticsearch/prometheus_jmx_exporter.yaml'
+
     ferm::service { 'elastic-http':
         proto   => 'tcp',
         port    => '9200',
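Review bot: The exporter port and config path are hard-coded here and again in profile::prometheus::elasticsearch_jmx_exporter (`$prometheus_jmx_exporter_port = 9109` and `config_file => '/etc/elasticsearch/prometheus_jmx_exporter.yaml'`), with the port a string in one place and an integer in the other. If the two drift, the agent would listen on one port while the scrape target and any firewall rule derived from the other class describe a different one. Consider defining both values once, for instance as parameters of the exporter profile that this class reads, or at least add a comment above these variables such as `# must match profile::prometheus::elasticsearch_jmx_exporter`. The enclosing class starts and ends outside the hunk.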
@@ -78,6 +82,8 @@
         before     => Class['::elasticsearch'],
     }
 
+
+
     # Install
     class { '::elasticsearch':
         # Production elasticsearch needs these plugins to be loaded in order
@@ -112,6 +118,7 @@
         search_shard_count_limit           => $search_shard_count_limit,
         reindex_remote_whitelist           => $reindex_remote_whitelist,
         script_max_compilations_per_minute => 10000,
+        additional_jvm_options             => [ 
"-javaagent:$jmx_exporter_path=${jmx_exporter_port}:${jmx_exporter_config}" ],
     }
 
     class { '::elasticsearch::https':
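Review bot: The `-javaagent` option is passed unconditionally, but the YAML config it names and the `.java.policy` exception are only created by profile::prometheus::elasticsearch_jmx_exporter, which each role has to include separately. A host that applies profile::elasticsearch without that class, or before the jar and config file are in place, would presumably start the JVM with an agent that cannot load its config, which may keep Elasticsearch from starting; no ordering between the two is visible in this change. Including the exporter profile from this class, or making the option conditional on it, would remove that coupling. As a style point, `$jmx_exporter_path` is the only unbraced variable in the string; `${jmx_exporter_path}` would match the other two.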
diff --git a/modules/profile/manifests/prometheus/elasticsearch_jmx_exporter.pp 
b/modules/profile/manifests/prometheus/elasticsearch_jmx_exporter.pp
new file mode 100644
index 0000000..2bac681
--- /dev/null
+++ b/modules/profile/manifests/prometheus/elasticsearch_jmx_exporter.pp
@@ -0,0 +1,25 @@
+class profile::prometheus::elasticsearch_jmx_exporter (
+    $prometheus_nodes = hiera('prometheus_nodes'),
+) {
+
+    $prometheus_jmx_exporter_port = 9109
+
+    ::profile::prometheus::jmx_exporter { 'elasticsearch_${::hostname}':
+        hostname         => $::hostname,
+        port             => $prometheus_jmx_exporter_port,
+        prometheus_nodes => $prometheus_nodes,
+        config_file      => '/etc/elasticsearch/prometheus_jmx_exporter.yaml',
+        content          => 
'puppet:///modules/profile/prometheus/elasticsearch_prometheus_jmx_exporter.yaml',
+    }
+
+    # since elasticsearch installs a restrictive security manager, we need to
+    # configure some exceptions for the jmx_exporter
+    file { '/home/elasticsearch/.java.policy':
+        ensure  => present,
+        content => 
'puppet:///modules/profile/prometheus/elasticsearch_prometheus_jmx_exporter.java.policy',
+        mode    => '0644',
+        owner   => 'root',
+        group   => 'root',
+    }
+
+}
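Review bot: The `file { '/home/elasticsearch/.java.policy': }` resource passes a `puppet:///` URI to `content`, which writes that URI string verbatim into the policy file instead of the file's contents; it should be `source => 'puppet:///modules/profile/prometheus/elasticsearch_prometheus_jmx_exporter.java.policy',`. With no valid grant in the file, the security-manager exceptions for the agent would not take effect. The same `content => 'puppet:///…'` is passed to `::profile::prometheus::jmx_exporter`, whose definition is not shown, so check whether that parameter expects a source URI or literal content. Separately, the resource title `'elasticsearch_${::hostname}'` is single-quoted, so Puppet will not interpolate the hostname; use `"elasticsearch_${::hostname}"`.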
diff --git a/modules/role/manifests/elasticsearch/beta.pp 
b/modules/role/manifests/elasticsearch/beta.pp
index 7717ccd..c1adb7e 100644
--- a/modules/role/manifests/elasticsearch/beta.pp
+++ b/modules/role/manifests/elasticsearch/beta.pp
@@ -6,6 +6,7 @@
 class role::elasticsearch::beta {
     include ::profile::elasticsearch
     include ::profile::prometheus::elasticsearch_exporter
+    include ::profile::prometheus::elasticsearch_jmx_exporter
 
     system::role { 'elasticsearch::beta':
         ensure      => 'present',
diff --git a/modules/role/manifests/elasticsearch/cirrus.pp 
b/modules/role/manifests/elasticsearch/cirrus.pp
index f91f910..2df7a39 100644
--- a/modules/role/manifests/elasticsearch/cirrus.pp
+++ b/modules/role/manifests/elasticsearch/cirrus.pp
@@ -8,6 +8,7 @@
     include ::role::lvs::realserver
     include ::profile::elasticsearch
     include ::profile::prometheus::elasticsearch_exporter
+    include ::profile::prometheus::elasticsearch_jmx_exporter
 
     system::role { 'elasticsearch::cirrus':
         ensure      => 'present',
diff --git a/modules/role/manifests/elasticsearch/relforge.pp 
b/modules/role/manifests/elasticsearch/relforge.pp
index 80cbccd..6559530 100644
--- a/modules/role/manifests/elasticsearch/relforge.pp
+++ b/modules/role/manifests/elasticsearch/relforge.pp
@@ -7,6 +7,7 @@
     include ::base::firewall
     include ::profile::elasticsearch
     include ::profile::prometheus::elasticsearch_exporter
+    include ::profile::prometheus::elasticsearch_jmx_exporter
     include ::elasticsearch::nagios::check
     include ::profile::mjolnir::kafka_daemon
 

-- 
To view, visit https://gerrit.wikimedia.org/r/402095
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib2de51b15676c4607e2a4c6ab21e9f402f9751b6
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Gehel <guillaume.leder...@wikimedia.org>
