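#!/bin/bash
# -e: abort on any unhandled failure; -u: unset variables are errors;
# -x: trace each command as it runs.
set -eux

# Subordinate charm hooks can run in parallel with other charm hooks
# on the same unit (Bug #1068624), so a hook may fail to get the apt-get
# lock. Poll for the dpkg lock and retry the install once a minute; the
# COUNTER check below allows up to seven attempts before giving up.
COUNTER=0
while true; do
  # Re-evaluate the lock on every pass so a stale "unlocked" result from an
  # earlier iteration is never reused. Any non-zero exit from lsof (including
  # lsof not being installed) is treated as "not locked"; apt-get still
  # refuses to run concurrently in that case.
  APT_LOCKED=1
  lsof /var/lib/dpkg/lock > /dev/null 2>&1 || APT_LOCKED=0
  if [[ "$APT_LOCKED" -eq 0 ]]; then
    RET=0
    # It's possible that if multiple subordinate charms attempt to install
    # a package at exactly the same time neither will see the dpkg lock but
    # then when attempting to actually install they'll conflict. If so, just
    # ignore and try again in another minute, by which time hopefully it
    # will have finished.
    apt-get install -q -y nagios-nrpe-server \
      nagios-plugins-basic \
      nagios-plugins-standard \
      rsync \
      python-cheetah || RET=$?
    if [[ "$RET" -eq 0 ]]; then
      break
    elif [[ "$RET" -ne 100 ]]; then
      # Anything other than success or status 100 is fatal.
      exit "$RET"
    fi
    # NOTE(review): apt-get documents 100 as its general error status, so
    # failures other than lock contention (e.g. an unavailable package) are
    # presumably retried here too and end up reported as a lock failure.
  fi
  if [[ "$COUNTER" -gt 5 ]]; then
    # Diagnostics go to stderr so they are not mistaken for hook output.
    echo "Failed to obtain apt lock" >&2
    exit 1
  fi
  sleep 60
  COUNTER=$((COUNTER + 1))
done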
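# Create the directories used for NRPE config fragments, local plugins and
# the nagios export area.
mkdir -p /etc/nagios/nrpe.d/
mkdir -p /usr/local/lib/nagios/plugins
mkdir -p /var/lib/nagios/export/

# Install the shared plugin helper and expose it under /usr/local as well.
cp files/nagios_plugin.py /usr/lib/nagios/plugins/nagios_plugin.py
ln -fs /usr/lib/nagios/plugins/nagios_plugin.py /usr/local/lib/nagios/plugins/nagios_plugin.py
cp files/default_rsync /etc/default/rsync

# When /etc/rsyncd.d exists, rsyncd.conf is assembled from fragments, so the
# template is told (via the environment) to emit only this charm's module.
if [[ -d /etc/rsyncd.d ]]; then
  RSYNC_MODULE_ONLY=1
else
  RSYNC_MODULE_ONLY=0
fi
export RSYNC_MODULE_ONLY

# Assign before exporting: `export VAR=$(cmd)` returns the status of export,
# which would hide a config-get failure from `set -e` and silently render the
# rsync config with an empty NAGIOS_MASTER.
NAGIOS_MASTER=$(config-get nagios_master)
export NAGIOS_MASTER
if [[ -z "$NAGIOS_MASTER" ]]; then
  # NOTE(review): the template is not visible here; if it uses NAGIOS_MASTER
  # to restrict which host may connect, confirm an empty value does not
  # produce an unrestricted rsync module.
  echo "warning: nagios_master is empty; check access rules in the rendered rsyncd config" >&2
fi

# Render templates/rsyncd.conf.tmpl from the exported environment into
# templates/rsyncd.conf.compiled.
cheetah fill --env --oext compiled templates/rsyncd.conf.tmpl
if [[ "$RSYNC_MODULE_ONLY" -eq 1 ]]; then
  cp templates/rsyncd.conf.compiled /etc/rsyncd.d/010-nrpe-external-master
  # Best effort by design: a missing or failing concat_rsync_fragments must
  # not fail the hook. NOTE(review): if it fails, the new fragment may not
  # reach the live rsyncd.conf - confirm.
  concat_rsync_fragments || true
else
  cp templates/rsyncd.conf.compiled /etc/rsyncd.conf
fi
service rsync restart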
# WARNING: hloeung: I have intentionally left these commented out rather than
# removing them, as we don't want to expose rsync and NRPE to the world.
# open-port adds the following rules, which is not what we want:
# $ nova secgroup-list-rules juju-prodstack-u1-r1-10
# +-------------+-----------+---------+-----------+--------------+
# | IP Protocol | From Port | To Port | IP Range | Source Group |
# +-------------+-----------+---------+-----------+--------------+
# | tcp | 80 | 80 | 0.0.0.0/0 | |
# | tcp | 443 | 443 | 0.0.0.0/0 | |
# | tcp | 873 | 873 | 0.0.0.0/0 | |
# | tcp | 5666 | 5666 | 0.0.0.0/0 | |
# +-------------+-----------+---------+-----------+--------------+
# Our deployment scripts will handle adding the appropriate rules to only allow
# the monitoring host (currently wekufe) to connect via rsync and NRPE.
#open-port 873/tcp
#open-port 5666/tcp