From b408390ae9311b7d703ce57c25a78dce23c31b16 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 10 Jun 2015 15:35:13 +0200 Subject: Configure munin nodes & master. Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI. --- .../munin-master/templates/etc/munin/munin.conf.j2 | 115 +++++++++++++++++++++ .../templates/etc/stunnel/munin-master.conf.j2 | 62 +++++++++++ 2 files changed, 177 insertions(+) create mode 100644 roles/munin-master/templates/etc/munin/munin.conf.j2 create mode 100644 roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 (limited to 'roles/munin-master/templates') diff --git a/roles/munin-master/templates/etc/munin/munin.conf.j2 b/roles/munin-master/templates/etc/munin/munin.conf.j2 new file mode 100644 index 0000000..8273a83 --- /dev/null +++ b/roles/munin-master/templates/etc/munin/munin.conf.j2 @@ -0,0 +1,115 @@ +# Example configuration file for Munin, generated by 'make build' + +# The next three variables specifies where the location of the RRD +# databases, the HTML output, logs and the lock/pid files. They all +# must be writable by the user running munin-cron. They are all +# defaulted to the values you see here. +# +#dbdir /var/lib/munin +#htmldir /var/cache/munin/www +#logdir /var/log/munin +#rundir /var/run/munin + +# Where to look for the HTML templates +# +#tmpldir /etc/munin/templates + +# Where to look for the static www files +# +#staticdir /etc/munin/static + +# temporary cgi files are here. note that it has to be writable by +# the cgi user (usually nobody or httpd). +# +# cgitmpdir /var/lib/munin/cgi-tmp + +# (Exactly one) directory to include all files from. +includedir /etc/munin/munin-conf.d + +# You can choose the time reference for "DERIVE" like graphs, and show +# "per minute", "per hour" values instead of the default "per second" +# +#graph_period second + +# Graphics files are generated either via cron or by a CGI process. +# See http://munin-monitoring.org/wiki/CgiHowto2 for more +# documentation. +# Since 2.0, munin-graph has been rewritten to use the cgi code. +# It is single threaded *by design* now. +# +graph_strategy cgi + +# munin-cgi-graph is invoked by the web server up to very many times at the +# same time. This is not optimal since it results in high CPU and memory +# consumption to the degree that the system can thrash. Again the default is +# 6. Most likely the optimal number for max_cgi_graph_jobs is the same as +# max_graph_jobs. +# +#munin_cgi_graph_jobs 6 + +# If the automatic CGI url is wrong for your system override it here: +# +#cgiurl_graph /munin-cgi/munin-cgi-graph + +# max_size_x and max_size_y are the max size of images in pixel. +# Default is 4000. Do not make it too large otherwise RRD might use all +# RAM to generate the images. +# +#max_size_x 4000 +#max_size_y 4000 + +# HTML files are normally generated by munin-html, no matter if the +# files are used or not. You can change this to on-demand generation +# by following the instructions in http://munin-monitoring.org/wiki/CgiHowto2 +# +# Notes: +# - moving to CGI for HTML means you cannot have graph generated by cron. +# - cgi html has some bugs, mostly you still have to launch munin-html by hand +# +html_strategy cgi + +# munin-update runs in parallel. +# +# The default max number of processes is 16, and is probably ok for you. +# +# If set too high, it might hit some process/ram/filedesc limits. +# If set too low, munin-update might take more than 5 min. +# +# If you want munin-update to not be parallel set it to 0. +# +#max_processes 16 + +# RRD updates are per default, performed directly on the rrd files. +# To reduce IO and enable the use of the rrdcached, uncomment it and set it to +# the location of the socket that rrdcached uses. +# +rrdcached_socket /var/run/rrdcached.sock + +# Drop somejuser@fnord.comm and anotheruser@blibb.comm an email everytime +# something changes (OK -> WARNING, CRITICAL -> OK, etc) +contact.admin.command mail -s "Munin notification" admin@fripost.org +# +# For those with Nagios, the following might come in handy. In addition, +# the services must be defined in the Nagios server as well. +#contact.nagios.command /usr/bin/send_nsca nagios.host.comm -c /etc/nsca.conf + +local_address 127.0.0.1 + +{% set n = 0 %} +{% for node in groups.all | sort %} +{% set n = n + 1 %} +[all;{{ hostvars[node].inventory_hostname_short }}] +{% if node == inventory_hostname %} + address 127.0.0.1 +{% else %} + address 127.0.{{ n }}.1 +{% endif %} + port 4994 + +{% for g in hostvars[node].group_names | sort %} +[{{ g }};{{ hostvars[node].inventory_hostname_short }}] + update no + +{% endfor %} + +{% endfor %} diff --git a/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 b/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 new file mode 100644 index 0000000..c025183 --- /dev/null +++ b/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 @@ -0,0 +1,62 @@ +; ************************************************************************** +; * Global options * +; ************************************************************************** + +; setuid()/setgid() to the specified user/group in daemon mode +setuid = stunnel4 +setgid = stunnel4 + +; PID is created inside the chroot jail +pid = /var/run/stunnel4/munin-master.pid + +; Only log messages at severity warning (4) and higher +debug = 4 + +; ************************************************************************** +; * Service defaults may also be specified in individual service sections * +; ************************************************************************** + +; Certificate/key is needed in server mode and optional in client mode +cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem +key = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key +client = yes +socket = a:SO_BINDTODEVICE=lo + +; Some performance tunings +socket = l:TCP_NODELAY=1 +socket = r:TCP_NODELAY=1 + +; Prevent MITM attacks +verify = 4 + +; Disable support for insecure protocols +options = NO_SSLv2 +options = NO_SSLv3 +options = NO_TLSv1 +options = NO_TLSv1.1 + +; These options provide additional security at some performance degradation +options = SINGLE_ECDH_USE +options = SINGLE_DH_USE + +; Select permitted SSL ciphers +ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 + +; ************************************************************************** +; * Service definitions (remove all services for inetd mode) * +; ************************************************************************** + +{% set n = 0 %} +{% for node in groups.all | sort %} +{% set n = n + 1 %} +{% if node != inventory_hostname %} +[{{ hostvars[node].inventory_hostname_short }}] +accept = 127.0.{{ n }}.1:4994 +connect = {{ node }}:4949 +delay = yes +CAfile = /etc/stunnel/certs/munin-{{ hostvars[node].inventory_hostname_short }}.pem +{% endif %} + +{% endfor %} + +; vim:ft=dosini -- cgit v1.2.3