Gehel has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/402095 )
Change subject: elasticsearch / prometheus: enable prometheus jmx_exporter ...................................................................... elasticsearch / prometheus: enable prometheus jmx_exporter Bug: T181627 Change-Id: Ib2de51b15676c4607e2a4c6ab21e9f402f9751b6 --- M modules/elasticsearch/manifests/init.pp M modules/elasticsearch/templates/jvm.options.erb A modules/profile/files/prometheus/elasticsearch_prometheus_jmx_exporter.java.policy A modules/profile/files/prometheus/elasticsearch_prometheus_jmx_exporter.yaml M modules/profile/manifests/elasticsearch.pp A modules/profile/manifests/prometheus/elasticsearch_jmx_exporter.pp M modules/role/manifests/elasticsearch/beta.pp M modules/role/manifests/elasticsearch/cirrus.pp M modules/role/manifests/elasticsearch/relforge.pp 9 files changed, 56 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/95/402095/1 diff --git a/modules/elasticsearch/manifests/init.pp b/modules/elasticsearch/manifests/init.pp index e711aa1..6119e36 100644 --- a/modules/elasticsearch/manifests/init.pp +++ b/modules/elasticsearch/manifests/init.pp @@ -120,6 +120,7 @@ $curator_uses_unicast_hosts = true, $reindex_remote_whitelist = undef, $script_max_compilations_per_minute = undef, + $additional_jvm_options = [], ) { # Check arguments diff --git a/modules/elasticsearch/templates/jvm.options.erb b/modules/elasticsearch/templates/jvm.options.erb index e4e6345..953fc92 100644 --- a/modules/elasticsearch/templates/jvm.options.erb +++ b/modules/elasticsearch/templates/jvm.options.erb @@ -126,3 +126,7 @@ <% @gc_log_flags.each do |gc_log_flag| -%> <%= gc_log_flag %> <% end -%> + +<% @additional_jvm_options.each do |flag| -%> + <%= flag %> +<% end -%> diff --git a/modules/profile/files/prometheus/elasticsearch_prometheus_jmx_exporter.java.policy b/modules/profile/files/prometheus/elasticsearch_prometheus_jmx_exporter.java.policy new file mode 100644 index 0000000..7fab013 --- /dev/null 
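Review bot: The new `$additional_jvm_options` parameter in init.pp is written line by line into jvm.options by the template hunk that follows, and nothing in this hunk checks that it is an array. A non-array value would only fail inside the template's `.each`, and every string is accepted as a JVM flag, including `-javaagent:` and `-D` options that change what code runs inside the Elasticsearch process. Consider `validate_array($additional_jvm_options)` under the existing `# Check arguments` section, plus a parameter comment such as `# - $additional_jvm_options: extra lines appended to jvm.options; must come from trusted Puppet/hiera data only`. The class body continues outside the hunk, so an existing check may already cover this.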
+++ b/modules/profile/files/prometheus/elasticsearch_prometheus_jmx_exporter.java.policy @@ -0,0 +1,9 @@ +grant codeBase "file:/usr/share/java/prometheus/-" { + + permission javax.management.MBeanServerPermission "createMBeanServer"; + permission javax.management.MBeanPermission "*", "*"; + permission java.lang.RuntimePermission "accessClassInPackage.sun.management"; + permission java.io.FilePermission "/etc/elasticsearch/prometheus_jmx_exporter.yaml", "read"; + permission java.io.FilePermission "/proc/self/status", "read"; + +}; diff --git a/modules/profile/files/prometheus/elasticsearch_prometheus_jmx_exporter.yaml b/modules/profile/files/prometheus/elasticsearch_prometheus_jmx_exporter.yaml new file mode 100644 index 0000000..b8cf8c9 --- /dev/null +++ b/modules/profile/files/prometheus/elasticsearch_prometheus_jmx_exporter.yaml @@ -0,0 +1,7 @@ +--- +lowercaseOutputLabelNames: true +lowercaseOutputName: true +# to ensure we only load a minimum number of MBeans, let's define a dummy whitelist +whitelistObjectNames: [ 'java.lang:type=ClassLoading' ] +# and since we are only interested in the DefaultExports, let's blacklist everything +blacklistObjectNames: [ '*:*' ] diff --git a/modules/profile/manifests/elasticsearch.pp b/modules/profile/manifests/elasticsearch.pp index aa873c8..1e966c9 100644 --- a/modules/profile/manifests/elasticsearch.pp +++ b/modules/profile/manifests/elasticsearch.pp @@ -36,6 +36,10 @@ ) { $master_eligible = $::fqdn in $unicast_hosts + $jmx_exporter_path = '/usr/share/java/prometheus/jmx_prometheus_javaagent.jar' + $jmx_exporter_port = '9109' + $jmx_exporter_config = '/etc/elasticsearch/prometheus_jmx_exporter.yaml' + ferm::service { 'elastic-http': proto => 'tcp', port => '9200', @@ -78,6 +82,8 @@ before => Class['::elasticsearch'], } + + # Install class { '::elasticsearch': # Production elasticsearch needs these plugins to be loaded in order 
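Review bot: The grant in elasticsearch_prometheus_jmx_exporter.java.policy is wider than a read-only metrics exporter appears to need. `MBeanPermission "*", "*"` allows every action, including `invoke`, `setAttribute` and `registerMBean`, on every MBean. The codeBase `file:/usr/share/java/prometheus/-` also applies to any jar placed anywhere under that directory, not just the agent. Pinning the codeBase to `file:/usr/share/java/prometheus/jmx_prometheus_javaagent.jar` and listing the actions would narrow it, for example `permission javax.management.MBeanPermission "*", "getAttribute,getMBeanInfo,queryMBeans,queryNames";`. The exact action set should be confirmed against the agent under the security manager. A comment above each permission saying which exporter feature needs it would help later reviewers keep the list minimal.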
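Review bot: The exporter port and config path assigned at the top of profile::elasticsearch are defined a second time in profile::prometheus::elasticsearch_jmx_exporter. The port is the string `'9109'` here and the integer `9109` there, and the YAML path appears a third time in the java.policy `FilePermission`. If one copy changes, the agent's listen port, the scrape and firewall definition, and the policy grant can drift apart without any catalog error. Passing the values from one class to the other would remove the risk. At minimum add a comment above these assignments: `# keep in sync with profile::prometheus::elasticsearch_jmx_exporter and the FilePermission in the java.policy file`.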
@@ -112,6 +118,7 @@ search_shard_count_limit => $search_shard_count_limit, reindex_remote_whitelist => $reindex_remote_whitelist, script_max_compilations_per_minute => 10000, + additional_jvm_options => [ "-javaagent:$jmx_exporter_path=${jmx_exporter_port}:${jmx_exporter_config}" ], } class { '::elasticsearch::https': diff --git a/modules/profile/manifests/prometheus/elasticsearch_jmx_exporter.pp b/modules/profile/manifests/prometheus/elasticsearch_jmx_exporter.pp new file mode 100644 index 0000000..2bac681 --- /dev/null +++ b/modules/profile/manifests/prometheus/elasticsearch_jmx_exporter.pp @@ -0,0 +1,25 @@ +class profile::prometheus::elasticsearch_jmx_exporter ( + $prometheus_nodes = hiera('prometheus_nodes'), +) { + + $prometheus_jmx_exporter_port = 9109 + + ::profile::prometheus::jmx_exporter { 'elasticsearch_${::hostname}': + hostname => $::hostname, + port => $prometheus_jmx_exporter_port, + prometheus_nodes => $prometheus_nodes, + config_file => '/etc/elasticsearch/prometheus_jmx_exporter.yaml', + content => 'puppet:///modules/profile/prometheus/elasticsearch_prometheus_jmx_exporter.yaml', + } + + # since elasticsearch installs a restrictive security manager, we need to + # configure some exceptions for the jmx_exporter + file { '/home/elasticsearch/.java.policy': + ensure => present, + content => 'puppet:///modules/profile/prometheus/elasticsearch_prometheus_jmx_exporter.java.policy', + mode => '0644', + owner => 'root', + group => 'root', + } + +} diff --git a/modules/role/manifests/elasticsearch/beta.pp b/modules/role/manifests/elasticsearch/beta.pp index 7717ccd..c1adb7e 100644 --- a/modules/role/manifests/elasticsearch/beta.pp +++ b/modules/role/manifests/elasticsearch/beta.pp @@ -6,6 +6,7 @@ class role::elasticsearch::beta { include ::profile::elasticsearch include ::profile::prometheus::elasticsearch_exporter + include ::profile::prometheus::elasticsearch_jmx_exporter system::role { 'elasticsearch::beta': ensure => 'present', 
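Review bot: The `-javaagent` flag is added to every node that uses profile::elasticsearch, but the exporter config and the security policy are installed by a separate class that only the three role manifests include. A node with the profile but without that class would start its JVM with an agent whose config file, and possibly jar, is missing. The hunk also shows no ordering or notify between those files and the Elasticsearch service. Because the agent argument carries only a port, the metrics endpoint presumably listens on all addresses, so exposure depends on the firewall rule that `profile::prometheus::jmx_exporter` is assumed to create (not visible here). If the packaged agent supports the `host:port:config` form, binding to a specific address would be tighter. For consistency the first variable should be braced as well: `"-javaagent:${jmx_exporter_path}=${jmx_exporter_port}:${jmx_exporter_config}"`.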
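Review bot: In elasticsearch_jmx_exporter.pp the `.java.policy` file resource uses `content =>` with a `puppet:///` URL, so the file will contain the URL string itself rather than the policy text. The JVM then has no valid grant for the agent under Elasticsearch's security manager. This should be `source => 'puppet:///modules/profile/prometheus/elasticsearch_prometheus_jmx_exporter.java.policy',`. The `content` parameter passed to `::profile::prometheus::jmx_exporter` may have the same problem, depending on how that define uses it (not visible here). Separately, the resource title `'elasticsearch_${::hostname}'` is single-quoted, so the hostname is never interpolated; use `"elasticsearch_${::hostname}"`.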
diff --git a/modules/role/manifests/elasticsearch/cirrus.pp b/modules/role/manifests/elasticsearch/cirrus.pp index f91f910..2df7a39 100644 --- a/modules/role/manifests/elasticsearch/cirrus.pp +++ b/modules/role/manifests/elasticsearch/cirrus.pp @@ -8,6 +8,7 @@ include ::role::lvs::realserver include ::profile::elasticsearch include ::profile::prometheus::elasticsearch_exporter + include ::profile::prometheus::elasticsearch_jmx_exporter system::role { 'elasticsearch::cirrus': ensure => 'present', diff --git a/modules/role/manifests/elasticsearch/relforge.pp b/modules/role/manifests/elasticsearch/relforge.pp index 80cbccd..6559530 100644 --- a/modules/role/manifests/elasticsearch/relforge.pp +++ b/modules/role/manifests/elasticsearch/relforge.pp @@ -7,6 +7,7 @@ include ::base::firewall include ::profile::elasticsearch include ::profile::prometheus::elasticsearch_exporter + include ::profile::prometheus::elasticsearch_jmx_exporter include ::elasticsearch::nagios::check include ::profile::mjolnir::kafka_daemon -- To view, visit https://gerrit.wikimedia.org/r/402095 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ib2de51b15676c4607e2a4c6ab21e9f402f9751b6 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Gehel <guillaume.leder...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits