Kapitel 09: monitored

.gitmodules

@@ -14,3 +14,9 @@
 	path = roles.extern/dokuwiki_inventory.devel
 	url = https://git.velt.biz/Ansible/dokuwiki_inventory.git
 	branch = devel
+[submodule "roles.extern/monitored"]
+	path = roles.extern/monitored
+	url = https://git.velt.biz/Ansible/monitored.git
+[submodule "09/ssh-wrapper-for-monitoring"]
+	path = 09/ssh-wrapper-for-monitoring
+	url = https://git.velt.biz/Monitoring/ssh-wrapper-for-monitoring.git

09/get_distri_os.j2

@@ -0,0 +1,9 @@
+{{ "%-20s" % "Hostname" }} - {{ "%-20s" % "Distribution" }} - {{ "%-15s" % "OS family" }} - {{ "%-10s" % "MajorVer" }} - {{ "%-10s" % "Version" }}
+{% for h in hostvars %}
+{{ "%-20s" % h }} - {{ "%-20s" % hostvars[h]['ansible_distribution']
+}} - {{ "%-15s" % hostvars[h]['ansible_os_family']
+}} - {{ "%-10s" % hostvars[h]['ansible_distribution_major_version']
+}} - {{ "%-10s" % hostvars[h]['ansible_distribution_version']
+}}
+{% endfor %}
+

09/get_distri_os.txt

@@ -0,0 +1,25 @@
+Hostname             - Distribution         - OS family       - MajorVer   - Version   
+tn00-alpine3h        - Alpine               - Alpine          - 3          - 3.17.9    
+tn00-alpine3i        - Alpine               - Alpine          - 3          - 3.18.9    
+tn00-alpine3j        - Alpine               - Alpine          - 3          - 3.19.4    
+tn00-alpine3k        - Alpine               - Alpine          - 3          - 3.20.3    
+tn00-debian11        - Debian               - Debian          - 11         - 11.11     
+tn00-debian12        - Debian               - Debian          - 12         - 12.7      
+tn00-devuan11        - Devuan               - Debian          - 4          - 4         
+tn00-devuan12        - Devuan               - Debian          - 5          - 5         
+tn00-fedora40        - Fedora               - RedHat          - 40         - 40        
+tn00-fedora41        - Fedora               - RedHat          - 41         - 41        
+tn00-oracle7         - OracleLinux          - RedHat          - 7          - 7.9       
+tn00-oracle9         - OracleLinux          - RedHat          - 9          - 9.5       
+tn00-rocky8          - Rocky                - RedHat          - 8          - 8.10      
+tn00-rocky9          - Rocky                - RedHat          - 9          - 9.4       
+tn00-suse-t          - openSUSE Tumbleweed  - Suse            - 20241104   - 20241104  
+tn00-suse155         - openSUSE Leap        - Suse            - 15         - 15.5      
+tn00-ubu2004a        - Ubuntu               - Debian          - 20         - 20.04     
+tn00-ubu2004b        - Ubuntu               - Debian          - 20         - 20.04     
+tn00-ubu2004c        - Ubuntu               - Debian          - 20         - 20.04     
+tn00-ubu2004d        - Ubuntu               - Debian          - 20         - 20.04     
+tn00-ubu2204         - Ubuntu               - Debian          - 22         - 22.04     
+tn00-ubu2404         - Ubuntu               - Debian          - 24         - 24.04     
+tn00-void            - Void                 - Void            - rolling    - rolling   
+

09/get_distri_os.yml

@@ -0,0 +1,10 @@
+---
+- hosts: all
+  tasks:
+    - template:
+        src: get_distri_os.j2
+        dest: get_distri_os.txt
+      delegate_to: localhost
+      run_once: yes
+
+

09/kurs_ansible_monitored.pub

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBILuL4SgXrfi40nguCVDrnDeft/bRDDEjigN6ZgaxvAyAdyEo17F1TCkDrx6t/p0vp2b0adWSe/XRLRbEgSe6KA= svelt@pixy

09/monitored.yml

@@ -0,0 +1 @@
+../roles.extern/monitored/monitored.yml

09/ssh-wrapper-for-monitoring

@@ -0,0 +1 @@
+Subproject commit baa916df811870506a7196c1de339ccbb0d14624

09/ssh-wrapper.py

@@ -0,0 +1,93 @@
+#!/bin/sh
+'''':
+for pyint in /usr/libexec/platform-python python3 python python2; do
+	command -v $pyint >/dev/null 2>&1 && exec $pyint "$0" "$@"
+done
+echo "$0: No python could be found" >&2
+exit 1
+# '''
+
+import argparse
+import os
+import re
+import shlex
+import subprocess
+import sys
+import syslog
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--verbose', '-v', action='count', default=0)
+parser.add_argument('--silent', action='store_true', default=False)
+args = parser.parse_args()
+
+if args.silent:
+	args.verbose = -1
+
+if args.verbose >= 0:
+	syslog.openlog(
+			ident=sys.argv[0],
+			logoption=syslog.LOG_PID,
+			facility=syslog.LOG_LOCAL3 | syslog.LOG_ERR
+		)
+
+allowed = [
+		##### System informations
+		r'^/usr/bin/lsb_release\s+-d$',		# Linux
+		r'^/(usr/)?bin/uname\s+-mrs$',		# Linux, BSD & others
+		r'''^/(usr/)?s?bin/awk -F'"' (-e\s*)?'/PRETTY_NAME/{ print \$2; }' /etc/os-release''',		# Linux: /etc/os-release via awk for get_os.py
+
+		##### Complete command lines (Monitoring-Plugins on Debian)
+		r'^/usr/lib/nagios/plugins/check_disk -w \d+% -c \d+% -p /[/a-z]*$',
+		r'^/usr/lib/nagios/plugins/check_load -w \d+(,\d+,\d+)? -c \d+(,\d+,\d+)?$',
+		r'^/usr/lib/nagios/plugins/check_mysql -u [a-z]+ -p [0-9a-zA-Z]+',
+		r'^/usr/lib/nagios/plugins/check_mysql_health --user(name)?=[a-z]+ --pass(word)?=[0-9a-zA-Z]+ --mode=[a-z-]+$',
+
+		##### Simplified/combined (and a little bit less secure)
+
+		### most Linux distributions (with "sudo" and "doas")
+		r'^/usr/lib(64)?/(nagios/plugins|monitoring-plugins)/check_',
+		r'^sudo\s+/usr/lib(64)?/(nagios/plugins|monitoring-plugins)/check_',
+		r'^doas\s+/usr/lib(64)?/(nagios/plugins|monitoring-plugins)/check_',
+
+		### *BSD (with "sudo" and "doas")
+		# r'^/usr/local/libexec/nagios/check_',
+		# r'^sudo\s+/usr/local/libexec/nagios/check_',
+		# r'^doas\s+/usr/local/libexec/nagios/check_',
+	]
+
+cmdline = os.getenv('SSH_ORIGINAL_COMMAND')
+if not cmdline:
+	print('This is just a wrapper, no command specified!')
+	if args.verbose >= 0:
+		syslog.syslog('Called without SSH_ORIGINAL_COMMAND')
+	sys.exit(3)
+
+for maybe in allowed:
+	if re.match(maybe, cmdline):
+		if args.verbose >= 2:
+			syslog.syslog(syslog.LOG_INFO, 'Found command line >%s< with regexp >%s<' % ( cmdline, maybe ) )
+		cmdlinelist = shlex.split(cmdline)
+
+		try:
+			cmd = subprocess.Popen(cmdlinelist, stdout=subprocess.PIPE)
+		except Exception as exc:
+			print('Could not execute plugin: %s' % exc)
+			if args.verbose >= 0:
+				syslog.syslog('Could not execute plugin >%s<' % cmdline)
+			sys.exit(3)
+		else:
+			(out, outerr) = cmd.communicate()
+			out = out.rstrip().decode('utf-8')
+			outerr = (outerr or b'').rstrip().decode('utf-8')
+			print(out)
+			if args.verbose >= 1:
+				syslog.syslog('Executed command line >%s<' % cmdline)
+			if args.verbose >= 3:
+				syslog.syslog('Output >%s<, Error >%s<' % (out, outerr))
+			sys.exit(cmd.returncode)
+
+print('%s: No allowed command found!' % sys.argv[0])
+if args.verbose >= 0:
+	syslog.syslog('No allowed command found for >%s<' % cmdline)
+sys.exit(3)
+

group_vars/all/monitored.yml

@@ -0,0 +1,17 @@
+---
+monitored_by_nrpe: True
+monitored_by_ssh: True
+
+monitored_server_ips:
+  - 192.168.0.1
+  - 192.168.1.1
+  - 10.128.16.8
+  - 10.128.17.13
+  - 192.168.54.250
+
+monitored_ssh_key_files:
+  - kurs_ansible_monitored.pub
+
+monitored_ssh_key_wrapper_src: ssh-wrapper.py
+monitored_ssh_key_wrapper: /usr/local/bin/ssh-wrapper.py
+

helper/09_gitmodules.sh

@@ -0,0 +1,8 @@
+#!/bin/bash -ex
+
+mkdir -p roles.extern
+rm -fr 09/ssh-wrapper-for-monitoring
+
+git submodule add https://git.velt.biz/Ansible/monitored.git roles.extern/monitored
+git submodule add https://git.velt.biz/Monitoring/ssh-wrapper-for-monitoring.git 09/ssh-wrapper-for-monitoring
+

host_vars/tn00-rocky8/monitored.yml

@@ -0,0 +1,2 @@
+---
+monitored_dont: true

hosts.ini

@@ -24,6 +24,7 @@ tn00-fedora41
 
 [oracle]
 tn00-oracle7
+tn00-oracle9		ansible_host=10.128.17.89
 
 [rockylinux]
 tn00-rocky8		ansible_host=10.128.17.163

roles.extern/monitored

@@ -0,0 +1 @@
+Subproject commit 3cd78266311eb4c1cf369b6767504176786e63d4