Merge branch 'ubuntu2004-support' of kazu634/itamae into master
This commit is contained in:
commit
5b5fb26630
|
@ -1,44 +0,0 @@
|
||||||
# Install `cron-apt`:
|
|
||||||
package 'cron-apt'
|
|
||||||
|
|
||||||
# From here, we are going to set up `cron-apt` to
|
|
||||||
# install the important security updates every day.
|
|
||||||
remote_file '/etc/cron-apt/config' do
|
|
||||||
user 'root'
|
|
||||||
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
end
|
|
||||||
|
|
||||||
remote_file '/etc/cron-apt/action.d/3-download' do
|
|
||||||
user 'root'
|
|
||||||
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
end
|
|
||||||
|
|
||||||
execute 'grep security /etc/apt/sources.list > /etc/apt/security.sources.list' do
|
|
||||||
user 'root'
|
|
||||||
|
|
||||||
not_if 'test -e /etc/apt/security.sources.list'
|
|
||||||
end
|
|
||||||
|
|
||||||
file '/var/log/cron-apt/log' do
|
|
||||||
user 'root'
|
|
||||||
|
|
||||||
content 'foo\n'
|
|
||||||
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '666'
|
|
||||||
|
|
||||||
not_if 'test -e /var/log/cron-apt/log'
|
|
||||||
end
|
|
||||||
|
|
||||||
execute '/usr/sbin/logrotate -f /etc/logrotate.d/cron-apt' do
|
|
||||||
user 'root'
|
|
||||||
|
|
||||||
not_if 'test -e /var/log/cron-apt/log'
|
|
||||||
end
|
|
|
@ -39,8 +39,8 @@ include_recipe './packages.rb'
|
||||||
# Lang Setting:
|
# Lang Setting:
|
||||||
include_recipe './lang.rb'
|
include_recipe './lang.rb'
|
||||||
|
|
||||||
# `cron-apt` settings:
|
# `unattended-upgrade` settings:
|
||||||
include_recipe './cron-apt.rb'
|
include_recipe './unattended-upgrade.rb'
|
||||||
|
|
||||||
# `ufw` configurations:
|
# `ufw` configurations:
|
||||||
include_recipe './ufw.rb'
|
include_recipe './ufw.rb'
|
||||||
|
@ -54,17 +54,18 @@ include_recipe './fortune.rb'
|
||||||
# timezone configurations:
|
# timezone configurations:
|
||||||
include_recipe './timezone.rb'
|
include_recipe './timezone.rb'
|
||||||
|
|
||||||
# ntp configurations:
|
|
||||||
include_recipe './ntp.rb'
|
|
||||||
|
|
||||||
# kernel configurations:
|
# kernel configurations:
|
||||||
include_recipe './kernel.rb'
|
include_recipe './kernel.rb'
|
||||||
|
|
||||||
# Install mc command:
|
# Install mc command:
|
||||||
include_recipe './mc.rb'
|
include_recipe './mc.rb'
|
||||||
|
|
||||||
# unnecessary configurations:
|
# recipes for Ubuntu 16.04
|
||||||
if node['platform_version'].to_f == 16.04
|
if node['platform_version'].to_f == 16.04
|
||||||
|
# ntp configurations
|
||||||
|
include_recipe './ntp.rb'
|
||||||
|
|
||||||
|
# misc recipe
|
||||||
include_recipe './unnecessary.rb'
|
include_recipe './unnecessary.rb'
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,2 @@
|
||||||
|
APT::Periodic::Update-Package-Lists "1";
|
||||||
|
APT::Periodic::Unattended-Upgrade "1";
|
|
@ -0,0 +1,131 @@
|
||||||
|
// Automatically upgrade packages from these (origin:archive) pairs
|
||||||
|
//
|
||||||
|
// Note that in Ubuntu security updates may pull in new dependencies
|
||||||
|
// from non-security sources (e.g. chromium). By allowing the release
|
||||||
|
// pocket these get automatically pulled in.
|
||||||
|
Unattended-Upgrade::Allowed-Origins {
|
||||||
|
"${distro_id}:${distro_codename}";
|
||||||
|
"${distro_id}:${distro_codename}-security";
|
||||||
|
// Extended Security Maintenance; doesn't necessarily exist for
|
||||||
|
// every release and this system may not have it installed, but if
|
||||||
|
// available, the policy for updates is such that unattended-upgrades
|
||||||
|
// should also install from here by default.
|
||||||
|
"${distro_id}ESMApps:${distro_codename}-apps-security";
|
||||||
|
"${distro_id}ESM:${distro_codename}-infra-security";
|
||||||
|
// "${distro_id}:${distro_codename}-updates";
|
||||||
|
// "${distro_id}:${distro_codename}-proposed";
|
||||||
|
// "${distro_id}:${distro_codename}-backports";
|
||||||
|
};
|
||||||
|
|
||||||
|
// Python regular expressions, matching packages to exclude from upgrading
|
||||||
|
Unattended-Upgrade::Package-Blacklist {
|
||||||
|
// The following matches all packages starting with linux-
|
||||||
|
// "linux-";
|
||||||
|
|
||||||
|
// Use $ to explicitely define the end of a package name. Without
|
||||||
|
// the $, "libc6" would match all of them.
|
||||||
|
// "libc6$";
|
||||||
|
// "libc6-dev$";
|
||||||
|
// "libc6-i686$";
|
||||||
|
|
||||||
|
// Special characters need escaping
|
||||||
|
// "libstdc\+\+6$";
|
||||||
|
|
||||||
|
// The following matches packages like xen-system-amd64, xen-utils-4.1,
|
||||||
|
// xenstore-utils and libxenstore3.0
|
||||||
|
// "(lib)?xen(store)?";
|
||||||
|
|
||||||
|
// For more information about Python regular expressions, see
|
||||||
|
// https://docs.python.org/3/howto/regex.html
|
||||||
|
};
|
||||||
|
|
||||||
|
// This option controls whether the development release of Ubuntu will be
|
||||||
|
// upgraded automatically. Valid values are "true", "false", and "auto".
|
||||||
|
Unattended-Upgrade::DevRelease "auto";
|
||||||
|
|
||||||
|
// This option allows you to control if on a unclean dpkg exit
|
||||||
|
// unattended-upgrades will automatically run
|
||||||
|
// dpkg --force-confold --configure -a
|
||||||
|
// The default is true, to ensure updates keep getting installed
|
||||||
|
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
|
||||||
|
|
||||||
|
// Split the upgrade into the smallest possible chunks so that
|
||||||
|
// they can be interrupted with SIGTERM. This makes the upgrade
|
||||||
|
// a bit slower but it has the benefit that shutdown while a upgrade
|
||||||
|
// is running is possible (with a small delay)
|
||||||
|
//Unattended-Upgrade::MinimalSteps "true";
|
||||||
|
|
||||||
|
// Install all updates when the machine is shutting down
|
||||||
|
// instead of doing it in the background while the machine is running.
|
||||||
|
// This will (obviously) make shutdown slower.
|
||||||
|
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
|
||||||
|
// This allows more time for unattended-upgrades to shut down gracefully
|
||||||
|
// or even install a few packages in InstallOnShutdown mode, but is still a
|
||||||
|
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
|
||||||
|
// Users enabling InstallOnShutdown mode are advised to increase
|
||||||
|
// InhibitDelayMaxSec even further, possibly to 30 minutes.
|
||||||
|
//Unattended-Upgrade::InstallOnShutdown "false";
|
||||||
|
|
||||||
|
// Send email to this address for problems or packages upgrades
|
||||||
|
// If empty or unset then no email is sent, make sure that you
|
||||||
|
// have a working mail setup on your system. A package that provides
|
||||||
|
// 'mailx' must be installed. E.g. "user@example.com"
|
||||||
|
//Unattended-Upgrade::Mail "";
|
||||||
|
|
||||||
|
// Set this value to one of:
|
||||||
|
// "always", "only-on-error" or "on-change"
|
||||||
|
// If this is not set, then any legacy MailOnlyOnError (boolean) value
|
||||||
|
// is used to chose between "only-on-error" and "on-change"
|
||||||
|
//Unattended-Upgrade::MailReport "on-change";
|
||||||
|
|
||||||
|
// Remove unused automatically installed kernel-related packages
|
||||||
|
// (kernel images, kernel headers and kernel version locked tools).
|
||||||
|
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
|
||||||
|
|
||||||
|
// Do automatic removal of newly unused dependencies after the upgrade
|
||||||
|
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
|
||||||
|
|
||||||
|
// Do automatic removal of unused packages after the upgrade
|
||||||
|
// (equivalent to apt-get autoremove)
|
||||||
|
Unattended-Upgrade::Remove-Unused-Dependencies "true";
|
||||||
|
|
||||||
|
// Automatically reboot *WITHOUT CONFIRMATION* if
|
||||||
|
// the file /var/run/reboot-required is found after the upgrade
|
||||||
|
Unattended-Upgrade::Automatic-Reboot "false";
|
||||||
|
|
||||||
|
// Automatically reboot even if there are users currently logged in
|
||||||
|
// when Unattended-Upgrade::Automatic-Reboot is set to true
|
||||||
|
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
|
||||||
|
|
||||||
|
// If automatic reboot is enabled and needed, reboot at the specific
|
||||||
|
// time instead of immediately
|
||||||
|
// Default: "now"
|
||||||
|
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
|
||||||
|
|
||||||
|
// Use apt bandwidth limit feature, this example limits the download
|
||||||
|
// speed to 70kb/sec
|
||||||
|
//Acquire::http::Dl-Limit "70";
|
||||||
|
|
||||||
|
// Enable logging to syslog. Default is False
|
||||||
|
// Unattended-Upgrade::SyslogEnable "false";
|
||||||
|
|
||||||
|
// Specify syslog facility. Default is daemon
|
||||||
|
// Unattended-Upgrade::SyslogFacility "daemon";
|
||||||
|
|
||||||
|
// Download and install upgrades only on AC power
|
||||||
|
// (i.e. skip or gracefully stop updates on battery)
|
||||||
|
// Unattended-Upgrade::OnlyOnACPower "true";
|
||||||
|
|
||||||
|
// Download and install upgrades only on non-metered connection
|
||||||
|
// (i.e. skip or gracefully stop updates on a metered connection)
|
||||||
|
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
|
||||||
|
|
||||||
|
// Verbose logging
|
||||||
|
// Unattended-Upgrade::Verbose "false";
|
||||||
|
|
||||||
|
// Print debugging information both in unattended-upgrades and
|
||||||
|
// in unattended-upgrade-shutdown
|
||||||
|
// Unattended-Upgrade::Debug "false";
|
||||||
|
|
||||||
|
// Allow package downgrade if Pin-Priority exceeds 1000
|
||||||
|
// Unattended-Upgrade::Allow-downgrade "false";
|
|
@ -0,0 +1,124 @@
|
||||||
|
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
|
||||||
|
|
||||||
|
# This is the sshd server system-wide configuration file. See
|
||||||
|
# sshd_config(5) for more information.
|
||||||
|
|
||||||
|
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
|
||||||
|
|
||||||
|
# The strategy used for options in the default sshd_config shipped with
|
||||||
|
# OpenSSH is to specify options with their default value where
|
||||||
|
# possible, but leave them commented. Uncommented options override the
|
||||||
|
# default value.
|
||||||
|
|
||||||
|
Include /etc/ssh/sshd_config.d/*.conf
|
||||||
|
|
||||||
|
Port 10022
|
||||||
|
#AddressFamily any
|
||||||
|
#ListenAddress 0.0.0.0
|
||||||
|
#ListenAddress ::
|
||||||
|
|
||||||
|
#HostKey /etc/ssh/ssh_host_rsa_key
|
||||||
|
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||||
|
#HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
|
|
||||||
|
# Ciphers and keying
|
||||||
|
#RekeyLimit default none
|
||||||
|
|
||||||
|
# Logging
|
||||||
|
#SyslogFacility AUTH
|
||||||
|
#LogLevel INFO
|
||||||
|
|
||||||
|
# Authentication:
|
||||||
|
|
||||||
|
#LoginGraceTime 2m
|
||||||
|
PermitRootLogin no
|
||||||
|
#StrictModes yes
|
||||||
|
#MaxAuthTries 6
|
||||||
|
#MaxSessions 10
|
||||||
|
|
||||||
|
#PubkeyAuthentication yes
|
||||||
|
|
||||||
|
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
|
||||||
|
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
|
||||||
|
|
||||||
|
#AuthorizedPrincipalsFile none
|
||||||
|
|
||||||
|
#AuthorizedKeysCommand none
|
||||||
|
#AuthorizedKeysCommandUser nobody
|
||||||
|
|
||||||
|
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||||
|
#HostbasedAuthentication no
|
||||||
|
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||||
|
# HostbasedAuthentication
|
||||||
|
#IgnoreUserKnownHosts no
|
||||||
|
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||||
|
#IgnoreRhosts yes
|
||||||
|
|
||||||
|
# To disable tunneled clear text passwords, change to no here!
|
||||||
|
PasswordAuthentication no
|
||||||
|
#PermitEmptyPasswords no
|
||||||
|
|
||||||
|
# Change to yes to enable challenge-response passwords (beware issues with
|
||||||
|
# some PAM modules and threads)
|
||||||
|
ChallengeResponseAuthentication no
|
||||||
|
|
||||||
|
# Kerberos options
|
||||||
|
#KerberosAuthentication no
|
||||||
|
#KerberosOrLocalPasswd yes
|
||||||
|
#KerberosTicketCleanup yes
|
||||||
|
#KerberosGetAFSToken no
|
||||||
|
|
||||||
|
# GSSAPI options
|
||||||
|
#GSSAPIAuthentication no
|
||||||
|
#GSSAPICleanupCredentials yes
|
||||||
|
#GSSAPIStrictAcceptorCheck yes
|
||||||
|
#GSSAPIKeyExchange no
|
||||||
|
|
||||||
|
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||||
|
# and session processing. If this is enabled, PAM authentication will
|
||||||
|
# be allowed through the ChallengeResponseAuthentication and
|
||||||
|
# PasswordAuthentication. Depending on your PAM configuration,
|
||||||
|
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||||||
|
# the setting of "PermitRootLogin without-password".
|
||||||
|
# If you just want the PAM account and session checks to run without
|
||||||
|
# PAM authentication, then enable this but set PasswordAuthentication
|
||||||
|
# and ChallengeResponseAuthentication to 'no'.
|
||||||
|
UsePAM yes
|
||||||
|
|
||||||
|
#AllowAgentForwarding yes
|
||||||
|
#AllowTcpForwarding yes
|
||||||
|
#GatewayPorts no
|
||||||
|
X11Forwarding yes
|
||||||
|
#X11DisplayOffset 10
|
||||||
|
#X11UseLocalhost yes
|
||||||
|
#PermitTTY yes
|
||||||
|
PrintMotd no
|
||||||
|
#PrintLastLog yes
|
||||||
|
#TCPKeepAlive yes
|
||||||
|
#PermitUserEnvironment no
|
||||||
|
#Compression delayed
|
||||||
|
#ClientAliveInterval 0
|
||||||
|
#ClientAliveCountMax 3
|
||||||
|
#UseDNS no
|
||||||
|
#PidFile /var/run/sshd.pid
|
||||||
|
#MaxStartups 10:30:100
|
||||||
|
#PermitTunnel no
|
||||||
|
#ChrootDirectory none
|
||||||
|
#VersionAddendum none
|
||||||
|
|
||||||
|
# no default banner path
|
||||||
|
#Banner none
|
||||||
|
|
||||||
|
# Allow client to pass locale environment variables
|
||||||
|
AcceptEnv LANG LC_*
|
||||||
|
|
||||||
|
# override default of no subsystems
|
||||||
|
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||||
|
|
||||||
|
# Example of overriding settings on a per-user basis
|
||||||
|
#Match User anoncvs
|
||||||
|
# X11Forwarding no
|
||||||
|
# AllowTcpForwarding no
|
||||||
|
# PermitTTY no
|
||||||
|
# ForceCommand cvs server
|
||||||
|
#PasswordAuthentication yes
|
|
@ -1,18 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
if [ "$2" = "" ]; then
|
|
||||||
mv $1 $1.tmp
|
|
||||||
|
|
||||||
ID=`git branch | grep ^\* | awk '{print $2}' | cut -f 2 -d "/"`
|
|
||||||
|
|
||||||
cat <<EOF > $1
|
|
||||||
|
|
||||||
|
|
||||||
This commit refs/fixes #${ID}.
|
|
||||||
# ^^^^^^^^^^
|
|
||||||
EOF
|
|
||||||
|
|
||||||
cat $1.tmp >> $1
|
|
||||||
fi
|
|
||||||
|
|
||||||
exit 0
|
|
|
@ -1,18 +1,13 @@
|
||||||
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
|
package 'ntp'
|
||||||
when "18.04"
|
|
||||||
# do nothing
|
|
||||||
else
|
|
||||||
package 'ntp'
|
|
||||||
|
|
||||||
remote_file '/etc/ntp.conf' do
|
remote_file '/etc/ntp.conf' do
|
||||||
owner 'root'
|
owner 'root'
|
||||||
group 'root'
|
group 'root'
|
||||||
mode '644'
|
mode '644'
|
||||||
|
|
||||||
notifies :restart, 'service[ntp]'
|
notifies :restart, 'service[ntp]'
|
||||||
end
|
end
|
||||||
|
|
||||||
service 'ntp' do
|
service 'ntp' do
|
||||||
action :nothing
|
action :nothing
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -9,11 +9,12 @@ end
|
||||||
# Install the extra kernel:
|
# Install the extra kernel:
|
||||||
unless node['is_ec2']
|
unless node['is_ec2']
|
||||||
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
|
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
|
||||||
when "18.04"
|
when "16.04"
|
||||||
package 'linux-image-extra-virtual'
|
|
||||||
else
|
|
||||||
KERNEL = run_command("uname -r").stdout.chomp
|
KERNEL = run_command("uname -r").stdout.chomp
|
||||||
package "linux-image-extra-#{KERNEL}"
|
package "linux-image-extra-#{KERNEL}"
|
||||||
|
|
||||||
|
when "18.04"
|
||||||
|
package 'linux-image-extra-virtual'
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -53,7 +54,6 @@ end
|
||||||
|
|
||||||
[
|
[
|
||||||
'/usr/share/git-core/templates/hooks/pre-commit',
|
'/usr/share/git-core/templates/hooks/pre-commit',
|
||||||
'/usr/share/git-core/templates/hooks/prepare-commit-msg',
|
|
||||||
].each do |conf|
|
].each do |conf|
|
||||||
remote_file conf do
|
remote_file conf do
|
||||||
user 'root'
|
user 'root'
|
||||||
|
|
|
@ -9,6 +9,16 @@ end
|
||||||
|
|
||||||
# Deploy the `sshd` configuration file:
|
# Deploy the `sshd` configuration file:
|
||||||
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
|
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
|
||||||
|
when "20.04"
|
||||||
|
remote_file '/etc/ssh/sshd_config' do
|
||||||
|
user 'root'
|
||||||
|
owner 'root'
|
||||||
|
group 'root'
|
||||||
|
mode '644'
|
||||||
|
|
||||||
|
source 'files/etc/ssh/sshd_config.2004'
|
||||||
|
end
|
||||||
|
|
||||||
when "18.04"
|
when "18.04"
|
||||||
remote_file '/etc/ssh/sshd_config' do
|
remote_file '/etc/ssh/sshd_config' do
|
||||||
user 'root'
|
user 'root'
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
|
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
|
||||||
when "18.04"
|
when "18.04", "20.04"
|
||||||
execute 'timedatectl set-timezone Asia/Tokyo' do
|
execute 'timedatectl set-timezone Asia/Tokyo' do
|
||||||
not_if 'timedatectl | grep Tokyo'
|
not_if 'timedatectl | grep Tokyo'
|
||||||
end
|
end
|
||||||
|
|
|
@ -0,0 +1,56 @@
|
||||||
|
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
|
||||||
|
when "18.04"
|
||||||
|
# Install `cron-apt`:
|
||||||
|
package 'cron-apt'
|
||||||
|
|
||||||
|
# From here, we are going to set up `cron-apt` to
|
||||||
|
# install the important security updates every day.
|
||||||
|
remote_file '/etc/cron-apt/config' do
|
||||||
|
user 'root'
|
||||||
|
|
||||||
|
owner 'root'
|
||||||
|
group 'root'
|
||||||
|
mode '644'
|
||||||
|
end
|
||||||
|
|
||||||
|
remote_file '/etc/cron-apt/action.d/3-download' do
|
||||||
|
user 'root'
|
||||||
|
|
||||||
|
owner 'root'
|
||||||
|
group 'root'
|
||||||
|
mode '644'
|
||||||
|
end
|
||||||
|
|
||||||
|
execute 'grep security /etc/apt/sources.list > /etc/apt/security.sources.list' do
|
||||||
|
user 'root'
|
||||||
|
|
||||||
|
not_if 'test -e /etc/apt/security.sources.list'
|
||||||
|
end
|
||||||
|
|
||||||
|
file '/var/log/cron-apt/log' do
|
||||||
|
user 'root'
|
||||||
|
|
||||||
|
content 'foo\n'
|
||||||
|
|
||||||
|
owner 'root'
|
||||||
|
group 'root'
|
||||||
|
mode '666'
|
||||||
|
|
||||||
|
not_if 'test -e /var/log/cron-apt/log'
|
||||||
|
end
|
||||||
|
|
||||||
|
execute '/usr/sbin/logrotate -f /etc/logrotate.d/cron-apt' do
|
||||||
|
user 'root'
|
||||||
|
|
||||||
|
not_if 'test -e /var/log/cron-apt/log'
|
||||||
|
end
|
||||||
|
|
||||||
|
when '20.04'
|
||||||
|
%w(20auto-upgrades 50unattended-upgrades).each do |conf|
|
||||||
|
remote_file "/etc/apt/apt.conf.d/#{conf}" do
|
||||||
|
owner 'root'
|
||||||
|
group 'root'
|
||||||
|
mode '644'
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
@ -1,2 +0,0 @@
|
||||||
check file nginx-blog with path /var/log/nginx/blog.access.log
|
|
||||||
if timestamp > 2 minutes for 5 cycles then exec "/bin/systemctl restart nginx"
|
|
|
@ -30,19 +30,6 @@ remote_file '/etc/cron.d/blog' do
|
||||||
mode '644'
|
mode '644'
|
||||||
end
|
end
|
||||||
|
|
||||||
# Add monit configuration file for monitoring nginx logs:
|
|
||||||
remote_file '/etc/monit/conf.d/blog-log.conf' do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
|
|
||||||
notifies :reload, 'service[monit]'
|
|
||||||
end
|
|
||||||
|
|
||||||
service 'monit' do
|
|
||||||
action :nothing
|
|
||||||
end
|
|
||||||
|
|
||||||
# Create storage directory for blog data
|
# Create storage directory for blog data
|
||||||
directory '/home/webadm/works/public' do
|
directory '/home/webadm/works/public' do
|
||||||
owner 'webadm'
|
owner 'webadm'
|
||||||
|
|
|
@ -2,13 +2,20 @@
|
||||||
# Specifying the default settings:
|
# Specifying the default settings:
|
||||||
# -------------------------------------------
|
# -------------------------------------------
|
||||||
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
|
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
|
||||||
|
when "20.04"
|
||||||
|
cmd = 'LANG=C ip a | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f6 | perl -pe "s/\/.+//g"'
|
||||||
|
|
||||||
when "18.04"
|
when "18.04"
|
||||||
cmd = 'LANG=C /sbin/ifconfig | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f10'
|
cmd = 'LANG=C /sbin/ifconfig | grep "inet " | grep -v -E "(127|172)" | cut -d" " -f10'
|
||||||
|
|
||||||
else
|
else
|
||||||
cmd = 'LANG=C /sbin/ifconfig | grep "inet addr" | grep -v -E "(127|172)" | awk "{print $2;}" | cut -d: -f2 | cut -f 1 -d " " | tail -1'
|
cmd = 'LANG=C /sbin/ifconfig | grep "inet addr" | grep -v -E "(127|172)" | awk "{print $2;}" | cut -d: -f2 | cut -f 1 -d " " | tail -1'
|
||||||
end
|
end
|
||||||
ipaddr = run_command(cmd).stdout.chomp
|
ipaddr = run_command(cmd).stdout.chomp
|
||||||
|
|
||||||
|
cmd = 'grep nameserver /run/systemd/resolve/resolv.conf | grep -v 8.8.8.8 | grep -v 127.0.0.1 | perl -pe "s/nameserver //g" | perl -pe "s/\n/ /g"'
|
||||||
|
dns = run_command(cmd).stdout.chomp
|
||||||
|
|
||||||
node.reverse_merge!({
|
node.reverse_merge!({
|
||||||
'consul' => {
|
'consul' => {
|
||||||
'base_binary_url' => 'https://releases.hashicorp.com/consul/',
|
'base_binary_url' => 'https://releases.hashicorp.com/consul/',
|
||||||
|
@ -16,6 +23,7 @@ node.reverse_merge!({
|
||||||
'tmp_path' => '/tmp/itamae_tmp/consul.zip',
|
'tmp_path' => '/tmp/itamae_tmp/consul.zip',
|
||||||
'manager' => true,
|
'manager' => true,
|
||||||
'manager_hosts' => '["192.168.10.110", "192.168.10.101", "192.168.10.111", "192.168.10.115"]',
|
'manager_hosts' => '["192.168.10.110", "192.168.10.101", "192.168.10.111", "192.168.10.115"]',
|
||||||
'ipaddr' => ipaddr
|
'ipaddr' => ipaddr,
|
||||||
|
'dns' => dns
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
|
@ -5,29 +5,27 @@
|
||||||
end
|
end
|
||||||
|
|
||||||
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
|
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
|
||||||
when "18.04"
|
when "20.04"
|
||||||
|
template '/etc/systemd/resolved.conf' do
|
||||||
|
owner 'root'
|
||||||
|
group 'root'
|
||||||
|
mode '644'
|
||||||
|
|
||||||
|
variables(dns: node['consul']['dns'])
|
||||||
|
|
||||||
|
notifies :restart, 'service[systemd-resolved]', :immediately
|
||||||
|
end
|
||||||
|
|
||||||
remote_file '/etc/dnsmasq.conf' do
|
remote_file '/etc/dnsmasq.conf' do
|
||||||
owner 'root'
|
owner 'root'
|
||||||
group 'root'
|
group 'root'
|
||||||
mode '644'
|
mode '644'
|
||||||
|
|
||||||
source 'files/etc/dnsmasq.conf.1804'
|
source 'files/etc/dnsmasq.conf.2004'
|
||||||
|
|
||||||
notifies :reload, 'service[dnsmasq]'
|
notifies :restart, 'service[dnsmasq]', :immediately
|
||||||
end
|
end
|
||||||
else
|
|
||||||
remote_file '/etc/dnsmasq.conf' do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
|
|
||||||
source 'files/etc/dnsmasq.conf.1804'
|
|
||||||
|
|
||||||
notifies :reload, 'service[dnsmasq]'
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
|
|
||||||
when "18.04"
|
when "18.04"
|
||||||
remote_file '/etc/systemd/resolved.conf' do
|
remote_file '/etc/systemd/resolved.conf' do
|
||||||
owner 'root'
|
owner 'root'
|
||||||
|
@ -36,7 +34,18 @@ when "18.04"
|
||||||
|
|
||||||
notifies :restart, 'service[systemd-resolved]'
|
notifies :restart, 'service[systemd-resolved]'
|
||||||
end
|
end
|
||||||
else
|
|
||||||
|
remote_file '/etc/dnsmasq.conf' do
|
||||||
|
owner 'root'
|
||||||
|
group 'root'
|
||||||
|
mode '644'
|
||||||
|
|
||||||
|
source 'files/etc/dnsmasq.conf.1804'
|
||||||
|
|
||||||
|
notifies :reload, 'service[dnsmasq]'
|
||||||
|
end
|
||||||
|
|
||||||
|
when '16.04'
|
||||||
remote_file '/etc/resolvconf/resolv.conf.d/head' do
|
remote_file '/etc/resolvconf/resolv.conf.d/head' do
|
||||||
owner 'root'
|
owner 'root'
|
||||||
group 'root'
|
group 'root'
|
||||||
|
@ -44,4 +53,15 @@ else
|
||||||
|
|
||||||
notifies :restart, 'service[resolvconf]'
|
notifies :restart, 'service[resolvconf]'
|
||||||
end
|
end
|
||||||
|
|
||||||
|
remote_file '/etc/dnsmasq.conf' do
|
||||||
|
owner 'root'
|
||||||
|
group 'root'
|
||||||
|
mode '644'
|
||||||
|
|
||||||
|
source 'files/etc/dnsmasq.conf.1804'
|
||||||
|
|
||||||
|
notifies :reload, 'service[dnsmasq]'
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,679 @@
|
||||||
|
# Configuration file for dnsmasq.
|
||||||
|
#
|
||||||
|
# Format is one option per line, legal options are the same
|
||||||
|
# as the long options legal on the command line. See
|
||||||
|
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
|
||||||
|
|
||||||
|
# Listen on this specific port instead of the standard DNS port
|
||||||
|
# (53). Setting this to zero completely disables DNS function,
|
||||||
|
# leaving only DHCP and/or TFTP.
|
||||||
|
#port=5353
|
||||||
|
|
||||||
|
# The following two options make you a better netizen, since they
|
||||||
|
# tell dnsmasq to filter out queries which the public DNS cannot
|
||||||
|
# answer, and which load the servers (especially the root servers)
|
||||||
|
# unnecessarily. If you have a dial-on-demand link they also stop
|
||||||
|
# these requests from bringing up the link unnecessarily.
|
||||||
|
|
||||||
|
# Never forward plain names (without a dot or domain part)
|
||||||
|
#domain-needed
|
||||||
|
# Never forward addresses in the non-routed address spaces.
|
||||||
|
#bogus-priv
|
||||||
|
|
||||||
|
# Uncomment these to enable DNSSEC validation and caching:
|
||||||
|
# (Requires dnsmasq to be built with DNSSEC option.)
|
||||||
|
#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
|
||||||
|
#dnssec
|
||||||
|
|
||||||
|
# Replies which are not DNSSEC signed may be legitimate, because the domain
|
||||||
|
# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
|
||||||
|
# check that an unsigned reply is OK, by finding a secure proof that a DS
|
||||||
|
# record somewhere between the root and the domain does not exist.
|
||||||
|
# The cost of setting this is that even queries in unsigned domains will need
|
||||||
|
# one or more extra DNS queries to verify.
|
||||||
|
#dnssec-check-unsigned
|
||||||
|
|
||||||
|
# Uncomment this to filter useless windows-originated DNS requests
|
||||||
|
# which can trigger dial-on-demand links needlessly.
|
||||||
|
# Note that (amongst other things) this blocks all SRV requests,
|
||||||
|
# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
|
||||||
|
# This option only affects forwarding, SRV records originating for
|
||||||
|
# dnsmasq (via srv-host= lines) are not suppressed by it.
|
||||||
|
#filterwin2k
|
||||||
|
|
||||||
|
# Change this line if you want dns to get its upstream servers from
|
||||||
|
# somewhere other that /etc/resolv.conf
|
||||||
|
resolv-file=/run/systemd/resolve/resolv.conf
|
||||||
|
|
||||||
|
# By default, dnsmasq will send queries to any of the upstream
|
||||||
|
# servers it knows about and tries to favour servers to are known
|
||||||
|
# to be up. Uncommenting this forces dnsmasq to try each query
|
||||||
|
# with each server strictly in the order they appear in
|
||||||
|
# /etc/resolv.conf
|
||||||
|
strict-order
|
||||||
|
|
||||||
|
# If you don't want dnsmasq to read /etc/resolv.conf or any other
|
||||||
|
# file, getting its servers from this file instead (see below), then
|
||||||
|
# uncomment this.
|
||||||
|
#no-resolv
|
||||||
|
|
||||||
|
# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
|
||||||
|
# files for changes and re-read them then uncomment this.
|
||||||
|
#no-poll
|
||||||
|
|
||||||
|
# Add other name servers here, with domain specs if they are for
|
||||||
|
# non-public domains.
|
||||||
|
server=/consul/127.0.0.1#8600
|
||||||
|
|
||||||
|
# Example of routing PTR queries to nameservers: this will send all
|
||||||
|
# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
|
||||||
|
#server=/3.168.192.in-addr.arpa/10.1.2.3
|
||||||
|
|
||||||
|
# Add local-only domains here, queries in these domains are answered
|
||||||
|
# from /etc/hosts or DHCP only.
|
||||||
|
#local=/localnet/
|
||||||
|
|
||||||
|
# Add domains which you want to force to an IP address here.
|
||||||
|
# The example below send any host in double-click.net to a local
|
||||||
|
# web-server.
|
||||||
|
#address=/double-click.net/127.0.0.1
|
||||||
|
|
||||||
|
# --address (and --server) work with IPv6 addresses too.
|
||||||
|
#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
|
||||||
|
|
||||||
|
# Add the IPs of all queries to yahoo.com, google.com, and their
|
||||||
|
# subdomains to the vpn and search ipsets:
|
||||||
|
#ipset=/yahoo.com/google.com/vpn,search
|
||||||
|
|
||||||
|
# You can control how dnsmasq talks to a server: this forces
|
||||||
|
# queries to 10.1.2.3 to be routed via eth1
|
||||||
|
# server=10.1.2.3@eth1
|
||||||
|
|
||||||
|
# and this sets the source (ie local) address used to talk to
|
||||||
|
# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that
|
||||||
|
# IP on the machine, obviously).
|
||||||
|
# server=10.1.2.3@192.168.1.1#55
|
||||||
|
|
||||||
|
# If you want dnsmasq to change uid and gid to something other
|
||||||
|
# than the default, edit the following lines.
|
||||||
|
#user=
|
||||||
|
#group=
|
||||||
|
|
||||||
|
# If you want dnsmasq to listen for DHCP and DNS requests only on
|
||||||
|
# specified interfaces (and the loopback) give the name of the
|
||||||
|
# interface (eg eth0) here.
|
||||||
|
# Repeat the line for more than one interface.
|
||||||
|
#interface=
|
||||||
|
# Or you can specify which interface _not_ to listen on
|
||||||
|
#except-interface=
|
||||||
|
# Or which to listen on by address (remember to include 127.0.0.1 if
|
||||||
|
# you use this.)
|
||||||
|
#listen-address=
|
||||||
|
# If you want dnsmasq to provide only DNS service on an interface,
|
||||||
|
# configure it as shown above, and then use the following line to
|
||||||
|
# disable DHCP and TFTP on it.
|
||||||
|
#no-dhcp-interface=
|
||||||
|
|
||||||
|
# On systems which support it, dnsmasq binds the wildcard address,
|
||||||
|
# even when it is listening on only some interfaces. It then discards
|
||||||
|
# requests that it shouldn't reply to. This has the advantage of
|
||||||
|
# working even when interfaces come and go and change address. If you
|
||||||
|
# want dnsmasq to really bind only the interfaces it is listening on,
|
||||||
|
# uncomment this option. About the only time you may need this is when
|
||||||
|
# running another nameserver on the same machine.
|
||||||
|
#bind-interfaces
|
||||||
|
|
||||||
|
# If you don't want dnsmasq to read /etc/hosts, uncomment the
|
||||||
|
# following line.
|
||||||
|
#no-hosts
|
||||||
|
# or if you want it to read another file, as well as /etc/hosts, use
|
||||||
|
# this.
|
||||||
|
#addn-hosts=/etc/banner_add_hosts
|
||||||
|
|
||||||
|
# Set this (and domain: see below) if you want to have a domain
|
||||||
|
# automatically added to simple names in a hosts-file.
|
||||||
|
#expand-hosts
|
||||||
|
|
||||||
|
# Set the domain for dnsmasq. this is optional, but if it is set, it
|
||||||
|
# does the following things.
|
||||||
|
# 1) Allows DHCP hosts to have fully qualified domain names, as long
|
||||||
|
# as the domain part matches this setting.
|
||||||
|
# 2) Sets the "domain" DHCP option thereby potentially setting the
|
||||||
|
# domain of all systems configured by DHCP
|
||||||
|
# 3) Provides the domain part for "expand-hosts"
|
||||||
|
#domain=thekelleys.org.uk
|
||||||
|
|
||||||
|
# Set a different domain for a particular subnet
|
||||||
|
#domain=wireless.thekelleys.org.uk,192.168.2.0/24
|
||||||
|
|
||||||
|
# Same idea, but range rather then subnet
|
||||||
|
#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
|
||||||
|
|
||||||
|
# Uncomment this to enable the integrated DHCP server, you need
|
||||||
|
# to supply the range of addresses available for lease and optionally
|
||||||
|
# a lease time. If you have more than one network, you will need to
|
||||||
|
# repeat this for each network on which you want to supply DHCP
|
||||||
|
# service.
|
||||||
|
#dhcp-range=192.168.0.50,192.168.0.150,12h
|
||||||
|
|
||||||
|
# This is an example of a DHCP range where the netmask is given. This
|
||||||
|
# is needed for networks we reach the dnsmasq DHCP server via a relay
|
||||||
|
# agent. If you don't know what a DHCP relay agent is, you probably
|
||||||
|
# don't need to worry about this.
|
||||||
|
#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
|
||||||
|
|
||||||
|
# This is an example of a DHCP range which sets a tag, so that
|
||||||
|
# some DHCP options may be set only for this network.
|
||||||
|
#dhcp-range=set:red,192.168.0.50,192.168.0.150
|
||||||
|
|
||||||
|
# Use this DHCP range only when the tag "green" is set.
|
||||||
|
#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
|
||||||
|
|
||||||
|
# Specify a subnet which can't be used for dynamic address allocation,
|
||||||
|
# is available for hosts with matching --dhcp-host lines. Note that
|
||||||
|
# dhcp-host declarations will be ignored unless there is a dhcp-range
|
||||||
|
# of some type for the subnet in question.
|
||||||
|
# In this case the netmask is implied (it comes from the network
|
||||||
|
# configuration on the machine running dnsmasq) it is possible to give
|
||||||
|
# an explicit netmask instead.
|
||||||
|
#dhcp-range=192.168.0.0,static
|
||||||
|
|
||||||
|
# Enable DHCPv6. Note that the prefix-length does not need to be specified
|
||||||
|
# and defaults to 64 if missing/
|
||||||
|
#dhcp-range=1234::2, 1234::500, 64, 12h
|
||||||
|
|
||||||
|
# Do Router Advertisements, BUT NOT DHCP for this subnet.
|
||||||
|
#dhcp-range=1234::, ra-only
|
||||||
|
|
||||||
|
# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
|
||||||
|
# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
|
||||||
|
# hosts. Use the DHCPv4 lease to derive the name, network segment and
|
||||||
|
# MAC address and assume that the host will also have an
|
||||||
|
# IPv6 address calculated using the SLAAC algorithm.
|
||||||
|
#dhcp-range=1234::, ra-names
|
||||||
|
|
||||||
|
# Do Router Advertisements, BUT NOT DHCP for this subnet.
|
||||||
|
# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
|
||||||
|
#dhcp-range=1234::, ra-only, 48h
|
||||||
|
|
||||||
|
# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
|
||||||
|
# so that clients can use SLAAC addresses as well as DHCP ones.
|
||||||
|
#dhcp-range=1234::2, 1234::500, slaac
|
||||||
|
|
||||||
|
# Do Router Advertisements and stateless DHCP for this subnet. Clients will
|
||||||
|
# not get addresses from DHCP, but they will get other configuration information.
|
||||||
|
# They will use SLAAC for addresses.
|
||||||
|
#dhcp-range=1234::, ra-stateless
|
||||||
|
|
||||||
|
# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
|
||||||
|
# from DHCPv4 leases.
|
||||||
|
#dhcp-range=1234::, ra-stateless, ra-names
|
||||||
|
|
||||||
|
# Do router advertisements for all subnets where we're doing DHCPv6
|
||||||
|
# Unless overridden by ra-stateless, ra-names, et al, the router
|
||||||
|
# advertisements will have the M and O bits set, so that the clients
|
||||||
|
# get addresses and configuration from DHCPv6, and the A bit reset, so the
|
||||||
|
# clients don't use SLAAC addresses.
|
||||||
|
#enable-ra
|
||||||
|
|
||||||
|
# Supply parameters for specified hosts using DHCP. There are lots
|
||||||
|
# of valid alternatives, so we will give examples of each. Note that
|
||||||
|
# IP addresses DO NOT have to be in the range given above, they just
|
||||||
|
# need to be on the same network. The order of the parameters in these
|
||||||
|
# do not matter, it's permissible to give name, address and MAC in any
|
||||||
|
# order.
|
||||||
|
|
||||||
|
# Always allocate the host with Ethernet address 11:22:33:44:55:66
|
||||||
|
# The IP address 192.168.0.60
|
||||||
|
#dhcp-host=11:22:33:44:55:66,192.168.0.60
|
||||||
|
|
||||||
|
# Always set the name of the host with hardware address
|
||||||
|
# 11:22:33:44:55:66 to be "fred"
|
||||||
|
#dhcp-host=11:22:33:44:55:66,fred
|
||||||
|
|
||||||
|
# Always give the host with Ethernet address 11:22:33:44:55:66
|
||||||
|
# the name fred and IP address 192.168.0.60 and lease time 45 minutes
|
||||||
|
#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
|
||||||
|
|
||||||
|
# Give a host with Ethernet address 11:22:33:44:55:66 or
|
||||||
|
# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
|
||||||
|
# that these two Ethernet interfaces will never be in use at the same
|
||||||
|
# time, and give the IP address to the second, even if it is already
|
||||||
|
# in use by the first. Useful for laptops with wired and wireless
|
||||||
|
# addresses.
|
||||||
|
#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
|
||||||
|
|
||||||
|
# Give the machine which says its name is "bert" IP address
|
||||||
|
# 192.168.0.70 and an infinite lease
|
||||||
|
#dhcp-host=bert,192.168.0.70,infinite
|
||||||
|
|
||||||
|
# Always give the host with client identifier 01:02:02:04
|
||||||
|
# the IP address 192.168.0.60
|
||||||
|
#dhcp-host=id:01:02:02:04,192.168.0.60
|
||||||
|
|
||||||
|
# Always give the InfiniBand interface with hardware address
|
||||||
|
# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the
|
||||||
|
# ip address 192.168.0.61. The client id is derived from the prefix
|
||||||
|
# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of
|
||||||
|
# hex digits of the hardware address.
|
||||||
|
#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61
|
||||||
|
|
||||||
|
# Always give the host with client identifier "marjorie"
|
||||||
|
# the IP address 192.168.0.60
|
||||||
|
#dhcp-host=id:marjorie,192.168.0.60
|
||||||
|
|
||||||
|
# Enable the address given for "judge" in /etc/hosts
|
||||||
|
# to be given to a machine presenting the name "judge" when
|
||||||
|
# it asks for a DHCP lease.
|
||||||
|
#dhcp-host=judge
|
||||||
|
|
||||||
|
# Never offer DHCP service to a machine whose Ethernet
|
||||||
|
# address is 11:22:33:44:55:66
|
||||||
|
#dhcp-host=11:22:33:44:55:66,ignore
|
||||||
|
|
||||||
|
# Ignore any client-id presented by the machine with Ethernet
|
||||||
|
# address 11:22:33:44:55:66. This is useful to prevent a machine
|
||||||
|
# being treated differently when running under different OS's or
|
||||||
|
# between PXE boot and OS boot.
|
||||||
|
#dhcp-host=11:22:33:44:55:66,id:*
|
||||||
|
|
||||||
|
# Send extra options which are tagged as "red" to
|
||||||
|
# the machine with Ethernet address 11:22:33:44:55:66
|
||||||
|
#dhcp-host=11:22:33:44:55:66,set:red
|
||||||
|
|
||||||
|
# Send extra options which are tagged as "red" to
|
||||||
|
# any machine with Ethernet address starting 11:22:33:
|
||||||
|
#dhcp-host=11:22:33:*:*:*,set:red
|
||||||
|
|
||||||
|
# Give a fixed IPv6 address and name to client with
|
||||||
|
# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
|
||||||
|
# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
|
||||||
|
# Note also that the [] around the IPv6 address are obligatory.
|
||||||
|
#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
|
||||||
|
|
||||||
|
# Ignore any clients which are not specified in dhcp-host lines
|
||||||
|
# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
|
||||||
|
# This relies on the special "known" tag which is set when
|
||||||
|
# a host is matched.
|
||||||
|
#dhcp-ignore=tag:!known
|
||||||
|
|
||||||
|
# Send extra options which are tagged as "red" to any machine whose
|
||||||
|
# DHCP vendorclass string includes the substring "Linux"
|
||||||
|
#dhcp-vendorclass=set:red,Linux
|
||||||
|
|
||||||
|
# Send extra options which are tagged as "red" to any machine one
|
||||||
|
# of whose DHCP userclass strings includes the substring "accounts"
|
||||||
|
#dhcp-userclass=set:red,accounts
|
||||||
|
|
||||||
|
# Send extra options which are tagged as "red" to any machine whose
|
||||||
|
# MAC address matches the pattern.
|
||||||
|
#dhcp-mac=set:red,00:60:8C:*:*:*
|
||||||
|
|
||||||
|
# If this line is uncommented, dnsmasq will read /etc/ethers and act
|
||||||
|
# on the ethernet-address/IP pairs found there just as if they had
|
||||||
|
# been given as --dhcp-host options. Useful if you keep
|
||||||
|
# MAC-address/host mappings there for other purposes.
|
||||||
|
#read-ethers
|
||||||
|
|
||||||
|
# Send options to hosts which ask for a DHCP lease.
|
||||||
|
# See RFC 2132 for details of available options.
|
||||||
|
# Common options can be given to dnsmasq by name:
|
||||||
|
# run "dnsmasq --help dhcp" to get a list.
|
||||||
|
# Note that all the common settings, such as netmask and
|
||||||
|
# broadcast address, DNS server and default route, are given
|
||||||
|
# sane defaults by dnsmasq. You very likely will not need
|
||||||
|
# any dhcp-options. If you use Windows clients and Samba, there
|
||||||
|
# are some options which are recommended, they are detailed at the
|
||||||
|
# end of this section.
|
||||||
|
|
||||||
|
# Override the default route supplied by dnsmasq, which assumes the
|
||||||
|
# router is the same machine as the one running dnsmasq.
|
||||||
|
#dhcp-option=3,1.2.3.4
|
||||||
|
|
||||||
|
# Do the same thing, but using the option name
|
||||||
|
#dhcp-option=option:router,1.2.3.4
|
||||||
|
|
||||||
|
# Override the default route supplied by dnsmasq and send no default
|
||||||
|
# route at all. Note that this only works for the options sent by
|
||||||
|
# default (1, 3, 6, 12, 28) the same line will send a zero-length option
|
||||||
|
# for all other option numbers.
|
||||||
|
#dhcp-option=3
|
||||||
|
|
||||||
|
# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
|
||||||
|
#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
|
||||||
|
|
||||||
|
# Send DHCPv6 option. Note [] around IPv6 addresses.
|
||||||
|
#dhcp-option=option6:dns-server,[1234::77],[1234::88]
|
||||||
|
|
||||||
|
# Send DHCPv6 option for namservers as the machine running
|
||||||
|
# dnsmasq and another.
|
||||||
|
#dhcp-option=option6:dns-server,[::],[1234::88]
|
||||||
|
|
||||||
|
# Ask client to poll for option changes every six hours. (RFC4242)
|
||||||
|
#dhcp-option=option6:information-refresh-time,6h
|
||||||
|
|
||||||
|
# Set option 58 client renewal time (T1). Defaults to half of the
|
||||||
|
# lease time if not specified. (RFC2132)
|
||||||
|
#dhcp-option=option:T1,1m
|
||||||
|
|
||||||
|
# Set option 59 rebinding time (T2). Defaults to 7/8 of the
|
||||||
|
# lease time if not specified. (RFC2132)
|
||||||
|
#dhcp-option=option:T2,2m
|
||||||
|
|
||||||
|
# Set the NTP time server address to be the same machine as
|
||||||
|
# is running dnsmasq
|
||||||
|
#dhcp-option=42,0.0.0.0
|
||||||
|
|
||||||
|
# Set the NIS domain name to "welly"
|
||||||
|
#dhcp-option=40,welly
|
||||||
|
|
||||||
|
# Set the default time-to-live to 50
|
||||||
|
#dhcp-option=23,50
|
||||||
|
|
||||||
|
# Set the "all subnets are local" flag
|
||||||
|
#dhcp-option=27,1
|
||||||
|
|
||||||
|
# Send the etherboot magic flag and then etherboot options (a string).
|
||||||
|
#dhcp-option=128,e4:45:74:68:00:00
|
||||||
|
#dhcp-option=129,NIC=eepro100
|
||||||
|
|
||||||
|
# Specify an option which will only be sent to the "red" network
|
||||||
|
# (see dhcp-range for the declaration of the "red" network)
|
||||||
|
# Note that the tag: part must precede the option: part.
|
||||||
|
#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
|
||||||
|
|
||||||
|
# The following DHCP options set up dnsmasq in the same way as is specified
|
||||||
|
# for the ISC dhcpcd in
|
||||||
|
# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
|
||||||
|
# adapted for a typical dnsmasq installation where the host running
|
||||||
|
# dnsmasq is also the host running samba.
|
||||||
|
# you may want to uncomment some or all of them if you use
|
||||||
|
# Windows clients and Samba.
|
||||||
|
#dhcp-option=19,0 # option ip-forwarding off
|
||||||
|
#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
|
||||||
|
#dhcp-option=45,0.0.0.0 # netbios datagram distribution server
|
||||||
|
#dhcp-option=46,8 # netbios node type
|
||||||
|
|
||||||
|
# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
|
||||||
|
#dhcp-option=252,"\n"
|
||||||
|
|
||||||
|
# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
|
||||||
|
# probably doesn't support this......
|
||||||
|
#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
|
||||||
|
|
||||||
|
# Send RFC-3442 classless static routes (note the netmask encoding)
|
||||||
|
#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
|
||||||
|
|
||||||
|
# Send vendor-class specific options encapsulated in DHCP option 43.
|
||||||
|
# The meaning of the options is defined by the vendor-class so
|
||||||
|
# options are sent only when the client supplied vendor class
|
||||||
|
# matches the class given here. (A substring match is OK, so "MSFT"
|
||||||
|
# matches "MSFT" and "MSFT 5.0"). This example sets the
|
||||||
|
# mtftp address to 0.0.0.0 for PXEClients.
|
||||||
|
#dhcp-option=vendor:PXEClient,1,0.0.0.0
|
||||||
|
|
||||||
|
# Send microsoft-specific option to tell windows to release the DHCP lease
|
||||||
|
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
|
||||||
|
# value as a four-byte integer - that's what microsoft wants. See
|
||||||
|
# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
|
||||||
|
#dhcp-option=vendor:MSFT,2,1i
|
||||||
|
|
||||||
|
# Send the Encapsulated-vendor-class ID needed by some configurations of
|
||||||
|
# Etherboot to allow is to recognise the DHCP server.
|
||||||
|
#dhcp-option=vendor:Etherboot,60,"Etherboot"
|
||||||
|
|
||||||
|
# Send options to PXELinux. Note that we need to send the options even
|
||||||
|
# though they don't appear in the parameter request list, so we need
|
||||||
|
# to use dhcp-option-force here.
|
||||||
|
# See http://syslinux.zytor.com/pxe.php#special for details.
|
||||||
|
# Magic number - needed before anything else is recognised
|
||||||
|
#dhcp-option-force=208,f1:00:74:7e
|
||||||
|
# Configuration file name
|
||||||
|
#dhcp-option-force=209,configs/common
|
||||||
|
# Path prefix
|
||||||
|
#dhcp-option-force=210,/tftpboot/pxelinux/files/
|
||||||
|
# Reboot time. (Note 'i' to send 32-bit value)
|
||||||
|
#dhcp-option-force=211,30i
|
||||||
|
|
||||||
|
# Set the boot filename for netboot/PXE. You will only need
|
||||||
|
# this if you want to boot machines over the network and you will need
|
||||||
|
# a TFTP server; either dnsmasq's built-in TFTP server or an
|
||||||
|
# external one. (See below for how to enable the TFTP server.)
|
||||||
|
#dhcp-boot=pxelinux.0
|
||||||
|
|
||||||
|
# The same as above, but use custom tftp-server instead machine running dnsmasq
|
||||||
|
#dhcp-boot=pxelinux,server.name,192.168.1.100
|
||||||
|
|
||||||
|
# Boot for iPXE. The idea is to send two different
|
||||||
|
# filenames, the first loads iPXE, and the second tells iPXE what to
|
||||||
|
# load. The dhcp-match sets the ipxe tag for requests from iPXE.
|
||||||
|
#dhcp-boot=undionly.kpxe
|
||||||
|
#dhcp-match=set:ipxe,175 # iPXE sends a 175 option.
|
||||||
|
#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php
|
||||||
|
|
||||||
|
# Encapsulated options for iPXE. All the options are
|
||||||
|
# encapsulated within option 175
|
||||||
|
#dhcp-option=encap:175, 1, 5b # priority code
|
||||||
|
#dhcp-option=encap:175, 176, 1b # no-proxydhcp
|
||||||
|
#dhcp-option=encap:175, 177, string # bus-id
|
||||||
|
#dhcp-option=encap:175, 189, 1b # BIOS drive code
|
||||||
|
#dhcp-option=encap:175, 190, user # iSCSI username
|
||||||
|
#dhcp-option=encap:175, 191, pass # iSCSI password
|
||||||
|
|
||||||
|
# Test for the architecture of a netboot client. PXE clients are
|
||||||
|
# supposed to send their architecture as option 93. (See RFC 4578)
|
||||||
|
#dhcp-match=peecees, option:client-arch, 0 #x86-32
|
||||||
|
#dhcp-match=itanics, option:client-arch, 2 #IA64
|
||||||
|
#dhcp-match=hammers, option:client-arch, 6 #x86-64
|
||||||
|
#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
|
||||||
|
|
||||||
|
# Do real PXE, rather than just booting a single file, this is an
|
||||||
|
# alternative to dhcp-boot.
|
||||||
|
#pxe-prompt="What system shall I netboot?"
|
||||||
|
# or with timeout before first available action is taken:
|
||||||
|
#pxe-prompt="Press F8 for menu.", 60
|
||||||
|
|
||||||
|
# Available boot services. for PXE.
|
||||||
|
#pxe-service=x86PC, "Boot from local disk"
|
||||||
|
|
||||||
|
# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
|
||||||
|
#pxe-service=x86PC, "Install Linux", pxelinux
|
||||||
|
|
||||||
|
# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
|
||||||
|
# Beware this fails on old PXE ROMS.
|
||||||
|
#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
|
||||||
|
|
||||||
|
# Use bootserver on network, found my multicast or broadcast.
|
||||||
|
#pxe-service=x86PC, "Install windows from RIS server", 1
|
||||||
|
|
||||||
|
# Use bootserver at a known IP address.
|
||||||
|
#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
|
||||||
|
|
||||||
|
# If you have multicast-FTP available,
|
||||||
|
# information for that can be passed in a similar way using options 1
|
||||||
|
# to 5. See page 19 of
|
||||||
|
# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
|
||||||
|
|
||||||
|
|
||||||
|
# Enable dnsmasq's built-in TFTP server
|
||||||
|
#enable-tftp
|
||||||
|
|
||||||
|
# Set the root directory for files available via FTP.
|
||||||
|
#tftp-root=/var/ftpd
|
||||||
|
|
||||||
|
# Do not abort if the tftp-root is unavailable
|
||||||
|
#tftp-no-fail
|
||||||
|
|
||||||
|
# Make the TFTP server more secure: with this set, only files owned by
|
||||||
|
# the user dnsmasq is running as will be send over the net.
|
||||||
|
#tftp-secure
|
||||||
|
|
||||||
|
# This option stops dnsmasq from negotiating a larger blocksize for TFTP
|
||||||
|
# transfers. It will slow things down, but may rescue some broken TFTP
|
||||||
|
# clients.
|
||||||
|
#tftp-no-blocksize
|
||||||
|
|
||||||
|
# Set the boot file name only when the "red" tag is set.
|
||||||
|
#dhcp-boot=tag:red,pxelinux.red-net
|
||||||
|
|
||||||
|
# An example of dhcp-boot with an external TFTP server: the name and IP
|
||||||
|
# address of the server are given after the filename.
|
||||||
|
# Can fail with old PXE ROMS. Overridden by --pxe-service.
|
||||||
|
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
|
||||||
|
|
||||||
|
# If there are multiple external tftp servers having a same name
|
||||||
|
# (using /etc/hosts) then that name can be specified as the
|
||||||
|
# tftp_servername (the third option to dhcp-boot) and in that
|
||||||
|
# case dnsmasq resolves this name and returns the resultant IP
|
||||||
|
# addresses in round robin fashion. This facility can be used to
|
||||||
|
# load balance the tftp load among a set of servers.
|
||||||
|
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
|
||||||
|
|
||||||
|
# Set the limit on DHCP leases, the default is 150
|
||||||
|
#dhcp-lease-max=150
|
||||||
|
|
||||||
|
# The DHCP server needs somewhere on disk to keep its lease database.
|
||||||
|
# This defaults to a sane location, but if you want to change it, use
|
||||||
|
# the line below.
|
||||||
|
#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
|
||||||
|
|
||||||
|
# Set the DHCP server to authoritative mode. In this mode it will barge in
|
||||||
|
# and take over the lease for any client which broadcasts on the network,
|
||||||
|
# whether it has a record of the lease or not. This avoids long timeouts
|
||||||
|
# when a machine wakes up on a new network. DO NOT enable this if there's
|
||||||
|
# the slightest chance that you might end up accidentally configuring a DHCP
|
||||||
|
# server for your campus/company accidentally. The ISC server uses
|
||||||
|
# the same option, and this URL provides more information:
|
||||||
|
# http://www.isc.org/files/auth.html
|
||||||
|
#dhcp-authoritative
|
||||||
|
|
||||||
|
# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039.
|
||||||
|
# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit
|
||||||
|
# option with a DHCPACK including a Rapid Commit option and fully committed address
|
||||||
|
# and configuration information. This must only be enabled if either the server is
|
||||||
|
# the only server for the subnet, or multiple servers are present and they each
|
||||||
|
# commit a binding for all clients.
|
||||||
|
#dhcp-rapid-commit
|
||||||
|
|
||||||
|
# Run an executable when a DHCP lease is created or destroyed.
|
||||||
|
# The arguments sent to the script are "add" or "del",
|
||||||
|
# then the MAC address, the IP address and finally the hostname
|
||||||
|
# if there is one.
|
||||||
|
#dhcp-script=/bin/echo
|
||||||
|
|
||||||
|
# Set the cachesize here.
|
||||||
|
#cache-size=150
|
||||||
|
|
||||||
|
# If you want to disable negative caching, uncomment this.
|
||||||
|
#no-negcache
|
||||||
|
|
||||||
|
# Normally responses which come from /etc/hosts and the DHCP lease
|
||||||
|
# file have Time-To-Live set as zero, which conventionally means
|
||||||
|
# do not cache further. If you are happy to trade lower load on the
|
||||||
|
# server for potentially stale date, you can set a time-to-live (in
|
||||||
|
# seconds) here.
|
||||||
|
#local-ttl=
|
||||||
|
|
||||||
|
# If you want dnsmasq to detect attempts by Verisign to send queries
|
||||||
|
# to unregistered .com and .net hosts to its sitefinder service and
|
||||||
|
# have dnsmasq instead return the correct NXDOMAIN response, uncomment
|
||||||
|
# this line. You can add similar lines to do the same for other
|
||||||
|
# registries which have implemented wildcard A records.
|
||||||
|
#bogus-nxdomain=64.94.110.11
|
||||||
|
|
||||||
|
# If you want to fix up DNS results from upstream servers, use the
|
||||||
|
# alias option. This only works for IPv4.
|
||||||
|
# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
|
||||||
|
#alias=1.2.3.4,5.6.7.8
|
||||||
|
# and this maps 1.2.3.x to 5.6.7.x
|
||||||
|
#alias=1.2.3.0,5.6.7.0,255.255.255.0
|
||||||
|
# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
|
||||||
|
#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
|
||||||
|
|
||||||
|
# Change these lines if you want dnsmasq to serve MX records.
|
||||||
|
|
||||||
|
# Return an MX record named "maildomain.com" with target
|
||||||
|
# servermachine.com and preference 50
|
||||||
|
#mx-host=maildomain.com,servermachine.com,50
|
||||||
|
|
||||||
|
# Set the default target for MX records created using the localmx option.
|
||||||
|
#mx-target=servermachine.com
|
||||||
|
|
||||||
|
# Return an MX record pointing to the mx-target for all local
|
||||||
|
# machines.
|
||||||
|
#localmx
|
||||||
|
|
||||||
|
# Return an MX record pointing to itself for all local machines.
|
||||||
|
#selfmx
|
||||||
|
|
||||||
|
# Change the following lines if you want dnsmasq to serve SRV
|
||||||
|
# records. These are useful if you want to serve ldap requests for
|
||||||
|
# Active Directory and other windows-originated DNS requests.
|
||||||
|
# See RFC 2782.
|
||||||
|
# You may add multiple srv-host lines.
|
||||||
|
# The fields are <name>,<target>,<port>,<priority>,<weight>
|
||||||
|
# If the domain part if missing from the name (so that is just has the
|
||||||
|
# service and protocol sections) then the domain given by the domain=
|
||||||
|
# config option is used. (Note that expand-hosts does not need to be
|
||||||
|
# set for this to work.)
|
||||||
|
|
||||||
|
# A SRV record sending LDAP for the example.com domain to
|
||||||
|
# ldapserver.example.com port 389
|
||||||
|
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
|
||||||
|
|
||||||
|
# A SRV record sending LDAP for the example.com domain to
|
||||||
|
# ldapserver.example.com port 389 (using domain=)
|
||||||
|
#domain=example.com
|
||||||
|
#srv-host=_ldap._tcp,ldapserver.example.com,389
|
||||||
|
|
||||||
|
# Two SRV records for LDAP, each with different priorities
|
||||||
|
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
|
||||||
|
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
|
||||||
|
|
||||||
|
# A SRV record indicating that there is no LDAP server for the domain
|
||||||
|
# example.com
|
||||||
|
#srv-host=_ldap._tcp.example.com
|
||||||
|
|
||||||
|
# The following line shows how to make dnsmasq serve an arbitrary PTR
|
||||||
|
# record. This is useful for DNS-SD. (Note that the
|
||||||
|
# domain-name expansion done for SRV records _does_not
|
||||||
|
# occur for PTR records.)
|
||||||
|
#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
|
||||||
|
|
||||||
|
# Change the following lines to enable dnsmasq to serve TXT records.
|
||||||
|
# These are used for things like SPF and zeroconf. (Note that the
|
||||||
|
# domain-name expansion done for SRV records _does_not
|
||||||
|
# occur for TXT records.)
|
||||||
|
|
||||||
|
#Example SPF.
|
||||||
|
#txt-record=example.com,"v=spf1 a -all"
|
||||||
|
|
||||||
|
#Example zeroconf
|
||||||
|
#txt-record=_http._tcp.example.com,name=value,paper=A4
|
||||||
|
|
||||||
|
# Provide an alias for a "local" DNS name. Note that this _only_ works
|
||||||
|
# for targets which are names from DHCP or /etc/hosts. Give host
|
||||||
|
# "bert" another name, bertrand
|
||||||
|
#cname=bertand,bert
|
||||||
|
|
||||||
|
# For debugging purposes, log each DNS query as it passes through
|
||||||
|
# dnsmasq.
|
||||||
|
#log-queries
|
||||||
|
|
||||||
|
# Log lots of extra information about DHCP transactions.
|
||||||
|
#log-dhcp
|
||||||
|
|
||||||
|
# Include another lot of configuration options.
|
||||||
|
#conf-file=/etc/dnsmasq.more.conf
|
||||||
|
#conf-dir=/etc/dnsmasq.d
|
||||||
|
|
||||||
|
# Include all the files in a directory except those ending in .bak
|
||||||
|
#conf-dir=/etc/dnsmasq.d,.bak
|
||||||
|
|
||||||
|
# Include all files in a directory which end in .conf
|
||||||
|
#conf-dir=/etc/dnsmasq.d/,*.conf
|
||||||
|
|
||||||
|
# If a DHCP client claims that its name is "wpad", ignore that.
|
||||||
|
# This fixes a security hole. see CERT Vulnerability VU#598349
|
||||||
|
#dhcp-name-match=set:wpad-ignore,wpad
|
||||||
|
#dhcp-ignore-names=tag:wpad-ignore
|
|
@ -1,10 +0,0 @@
|
||||||
check process consul
|
|
||||||
with pidfile /var/run/consul.pid
|
|
||||||
start program = "/usr/bin/supervisorctl start consul"
|
|
||||||
stop program = "/usr/bin/supervisorctl stop consul"
|
|
||||||
|
|
||||||
if failed
|
|
||||||
host localhost
|
|
||||||
port 8500
|
|
||||||
protocol HTTP
|
|
||||||
then restart
|
|
|
@ -13,6 +13,8 @@ template '/etc/consul.d/config.json' do
|
||||||
manager_hosts: node['consul']['manager_hosts'],
|
manager_hosts: node['consul']['manager_hosts'],
|
||||||
ipaddr: node['consul']['ipaddr'],
|
ipaddr: node['consul']['ipaddr'],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
notifies :restart, 'service[supervisor]'
|
||||||
end
|
end
|
||||||
|
|
||||||
remote_file '/etc/consul.d/service-consul.json' do
|
remote_file '/etc/consul.d/service-consul.json' do
|
||||||
|
@ -23,14 +25,6 @@ remote_file '/etc/consul.d/service-consul.json' do
|
||||||
only_if '{ node["consul"]["manager"]}'
|
only_if '{ node["consul"]["manager"]}'
|
||||||
end
|
end
|
||||||
|
|
||||||
remote_file '/etc/monit/conf.d/consul.conf' do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
|
|
||||||
notifies :restart, 'service[monit]'
|
|
||||||
end
|
|
||||||
|
|
||||||
execute 'Reload supervisor' do
|
execute 'Reload supervisor' do
|
||||||
user 'root'
|
user 'root'
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
# This file is part of systemd.
|
||||||
|
#
|
||||||
|
# systemd is free software; you can redistribute it and/or modify it
|
||||||
|
# under the terms of the GNU Lesser General Public License as published by
|
||||||
|
# the Free Software Foundation; either version 2.1 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# Entries in this file show the compile time defaults.
|
||||||
|
# You can change settings by editing this file.
|
||||||
|
# Defaults can be restored by simply deleting this file.
|
||||||
|
#
|
||||||
|
# See resolved.conf(5) for details
|
||||||
|
|
||||||
|
[Resolve]
|
||||||
|
DNS=127.0.0.1 <%= @dns %> 8.8.8.8
|
||||||
|
#FallbackDNS=
|
||||||
|
#Domains=
|
||||||
|
#LLMNR=no
|
||||||
|
#MulticastDNS=no
|
||||||
|
#DNSSEC=no
|
||||||
|
#DNSOverTLS=no
|
||||||
|
#Cache=yes
|
||||||
|
DNSStubListener=no
|
||||||
|
#ReadEtcHosts=yes
|
|
@ -8,12 +8,18 @@ package 'cifs-utils'
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
directory '/var/spool/apt-mirror' do
|
||||||
|
owner 'root'
|
||||||
|
group 'root'
|
||||||
|
mode '777'
|
||||||
|
end
|
||||||
|
|
||||||
# Add the fstab entry:
|
# Add the fstab entry:
|
||||||
file '/etc/fstab' do
|
file '/etc/fstab' do
|
||||||
action :edit
|
action :edit
|
||||||
|
|
||||||
block do |content|
|
block do |content|
|
||||||
content << "//192.168.10.200/Shared/shared /mnt/shared cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,defaults 0 0\n"
|
content << "//192.168.10.200/Shared/AppData /mnt/shared cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n"
|
||||||
end
|
end
|
||||||
|
|
||||||
not_if 'grep shared /etc/fstab'
|
not_if 'grep shared /etc/fstab'
|
||||||
|
@ -23,12 +29,32 @@ file '/etc/fstab' do
|
||||||
action :edit
|
action :edit
|
||||||
|
|
||||||
block do |content|
|
block do |content|
|
||||||
content << "//192.168.10.200/homes/kazu634/Drive/Moments /mnt/img cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,defaults 0 0\n"
|
content << "//192.168.10.200/homes/kazu634/Drive/Moments /mnt/img cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n"
|
||||||
end
|
end
|
||||||
|
|
||||||
not_if 'grep img /etc/fstab'
|
not_if 'grep img /etc/fstab'
|
||||||
end
|
end
|
||||||
|
|
||||||
|
file '/etc/fstab' do
|
||||||
|
action :edit
|
||||||
|
|
||||||
|
block do |content|
|
||||||
|
content << "//192.168.10.200/Shared/AppData /mnt/backup cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n"
|
||||||
|
end
|
||||||
|
|
||||||
|
not_if 'grep backup /etc/fstab'
|
||||||
|
end
|
||||||
|
|
||||||
|
file '/etc/fstab' do
|
||||||
|
action :edit
|
||||||
|
|
||||||
|
block do |content|
|
||||||
|
content << "//192.168.10.200/Shared/PXEBoot/www/ubuntu/apt-mirror /var/spool/apt-mirror cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n"
|
||||||
|
end
|
||||||
|
|
||||||
|
not_if 'grep apt-mirror /etc/fstab'
|
||||||
|
end
|
||||||
|
|
||||||
execute 'mount -a' do
|
execute 'mount -a' do
|
||||||
not_if 'df -h | grep shared'
|
not_if 'df -h | grep shared'
|
||||||
end
|
end
|
||||||
|
|
|
@ -1,11 +0,0 @@
|
||||||
# -------------------------------------------
|
|
||||||
# Specifying the default settings:
|
|
||||||
# -------------------------------------------
|
|
||||||
node.reverse_merge!({
|
|
||||||
'td-agent' => {
|
|
||||||
'user' => 'td-agent',
|
|
||||||
'group' => 'td-agent',
|
|
||||||
'forward' => false,
|
|
||||||
'role' => 'primary'
|
|
||||||
}
|
|
||||||
})
|
|
|
@ -1,40 +0,0 @@
|
||||||
#####################################
|
|
||||||
# Common Settings:
|
|
||||||
#####################################
|
|
||||||
|
|
||||||
include_recipe './attributes.rb'
|
|
||||||
|
|
||||||
include_recipe './prerequisites.rb'
|
|
||||||
include_recipe './install.rb'
|
|
||||||
|
|
||||||
include_recipe './setup.rb'
|
|
||||||
|
|
||||||
#####################################
|
|
||||||
# Manager Settings:
|
|
||||||
#####################################
|
|
||||||
|
|
||||||
if node['td-agent']['forward']
|
|
||||||
include_recipe './processor.rb'
|
|
||||||
include_recipe './syslog.rb'
|
|
||||||
include_recipe './slack.rb'
|
|
||||||
end
|
|
||||||
|
|
||||||
#####################################
|
|
||||||
# monitoring Settings:
|
|
||||||
#####################################
|
|
||||||
|
|
||||||
include_recipe './nginx.rb'
|
|
||||||
|
|
||||||
%w( aptitude auth cron-apt monit consul ).each do |c|
|
|
||||||
remote_file "/etc/td-agent/conf.d/forwarder_#{c}.conf" do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
|
|
||||||
notifies :restart, 'service[td-agent]'
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
service 'td-agent' do
|
|
||||||
action :restart
|
|
||||||
end
|
|
|
@ -1,4 +0,0 @@
|
||||||
check process td-agent
|
|
||||||
with pidfile /var/run/td-agent/td-agent.pid
|
|
||||||
start program = "/etc/init.d/td-agent start"
|
|
||||||
stop program = "/etc/init.d/td-agent stop"
|
|
|
@ -1,6 +0,0 @@
|
||||||
# - nofile - max number of open files
|
|
||||||
|
|
||||||
root soft nofile 65536
|
|
||||||
root hard nofile 65536
|
|
||||||
* soft nofile 65536
|
|
||||||
* hard nofile 65536
|
|
|
@ -1,38 +0,0 @@
|
||||||
<label @forward>
|
|
||||||
<match **>
|
|
||||||
@type copy
|
|
||||||
|
|
||||||
<store>
|
|
||||||
@type forward
|
|
||||||
send_timeout 60s
|
|
||||||
recover_wait 10s
|
|
||||||
transport tcp
|
|
||||||
heartbeat_interval 1s
|
|
||||||
phi_threshold 16
|
|
||||||
hard_timeout 60s
|
|
||||||
|
|
||||||
buffer_type file
|
|
||||||
buffer_path /var/log/td-agent/buffer/forward*.buffer
|
|
||||||
|
|
||||||
<server>
|
|
||||||
name primary.td-agent.service.consul
|
|
||||||
host primary.td-agent.service.consul
|
|
||||||
port 24224
|
|
||||||
weight 60
|
|
||||||
</server>
|
|
||||||
|
|
||||||
<server>
|
|
||||||
name backup.td-agent.service.consul
|
|
||||||
host backup.td-agent.service.consul
|
|
||||||
port 24224
|
|
||||||
weight 60
|
|
||||||
standby
|
|
||||||
</server>
|
|
||||||
</store>
|
|
||||||
|
|
||||||
<store>
|
|
||||||
@type file
|
|
||||||
path /tmp/forward.log
|
|
||||||
</store>
|
|
||||||
</match>
|
|
||||||
</label>
|
|
|
@ -1,20 +0,0 @@
|
||||||
<source>
|
|
||||||
@type tail
|
|
||||||
path /var/log/apt/history.log
|
|
||||||
pos_file /var/log/td-agent/aptitude.pos
|
|
||||||
format none
|
|
||||||
tag aptitude
|
|
||||||
</source>
|
|
||||||
|
|
||||||
<filter aptitude>
|
|
||||||
@type record_transformer
|
|
||||||
<record>
|
|
||||||
hostname ${hostname}
|
|
||||||
message ${hostname}: ${record["message"]}
|
|
||||||
</record>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<match aptitude>
|
|
||||||
@type relabel
|
|
||||||
@label @forward
|
|
||||||
</match>
|
|
|
@ -1,28 +0,0 @@
|
||||||
<source>
|
|
||||||
@type tail
|
|
||||||
path /var/log/auth.log
|
|
||||||
pos_file /var/log/td-agent/auth.pos
|
|
||||||
format syslog
|
|
||||||
tag auth
|
|
||||||
</source>
|
|
||||||
|
|
||||||
<filter auth>
|
|
||||||
@type record_transformer
|
|
||||||
<record>
|
|
||||||
message ${hostname}: ${record["message"]}
|
|
||||||
</record>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<filter auth>
|
|
||||||
@type grep
|
|
||||||
|
|
||||||
<exclude>
|
|
||||||
key message
|
|
||||||
pattern (CRON|Did not receive identification string from|sudo|pam_unix|seat|Removed session|Received disconnect|New session|Accepted publickey|Disconnected)
|
|
||||||
</exclude>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<match auth>
|
|
||||||
@type relabel
|
|
||||||
@label @forward
|
|
||||||
</match>
|
|
|
@ -1,30 +0,0 @@
|
||||||
<source>
|
|
||||||
@type tail
|
|
||||||
path /var/log/supervisor/consul.log
|
|
||||||
pos_file /var/log/td-agent/consul.pos
|
|
||||||
format /^( (?<time>[0-9/]+ [0-9:]+) (?<message>.*$)|(?<message>.*))/
|
|
||||||
time_format %Y/%m/%d %H:%M:%S
|
|
||||||
time_key time
|
|
||||||
tag consul
|
|
||||||
</source>
|
|
||||||
|
|
||||||
<filter consul>
|
|
||||||
@type record_transformer
|
|
||||||
<record>
|
|
||||||
message ${hostname}: ${record["message"]}
|
|
||||||
</record>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<filter consul>
|
|
||||||
@type grep
|
|
||||||
|
|
||||||
<exclude>
|
|
||||||
key message
|
|
||||||
pattern (raft|memberlist|serf|Synced|Adding|Removing|consul\.fsm: snapshot created|session shutdown|context deadline exceeded|last request still outstanding|INFO|server health)
|
|
||||||
</exclude>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<match consul>
|
|
||||||
@type relabel
|
|
||||||
@label @forward
|
|
||||||
</match>
|
|
|
@ -1,29 +0,0 @@
|
||||||
<source>
|
|
||||||
@type tail
|
|
||||||
path /var/log/cron-apt/log
|
|
||||||
pos_file /var/log/td-agent/cron-apt.pos
|
|
||||||
format none
|
|
||||||
tag cron_apt
|
|
||||||
</source>
|
|
||||||
|
|
||||||
<filter cron_apt>
|
|
||||||
@type grep
|
|
||||||
|
|
||||||
<regexp>
|
|
||||||
key message
|
|
||||||
pattern (^CRON-APT RUN|not upgraded\.)
|
|
||||||
</regexp>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<filter cron_apt>
|
|
||||||
@type record_transformer
|
|
||||||
<record>
|
|
||||||
hostname ${hostname}
|
|
||||||
message ${hostname}: ${record["message"]}
|
|
||||||
</record>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<match cron_apt>
|
|
||||||
@type relabel
|
|
||||||
@label @forward
|
|
||||||
</match>
|
|
|
@ -1,20 +0,0 @@
|
||||||
<source>
|
|
||||||
@type tail
|
|
||||||
path /var/log/monit.log
|
|
||||||
pos_file /var/log/td-agent/monit.pos
|
|
||||||
format none
|
|
||||||
tag monit
|
|
||||||
</source>
|
|
||||||
|
|
||||||
<filter monit>
|
|
||||||
@type record_transformer
|
|
||||||
<record>
|
|
||||||
hostname ${hostname}
|
|
||||||
message ${hostname}: ${record["message"]}
|
|
||||||
</record>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<match monit>
|
|
||||||
@type relabel
|
|
||||||
@label @forward
|
|
||||||
</match>
|
|
|
@ -1,21 +0,0 @@
|
||||||
<source>
|
|
||||||
@type tail
|
|
||||||
path /var/log/nginx/*access.log
|
|
||||||
pos_file /var/log/td-agent/nginx_logs.pos
|
|
||||||
format ltsv
|
|
||||||
time_format %d/%b/%Y:%H:%M:%S %z
|
|
||||||
time_key time
|
|
||||||
tag nginx
|
|
||||||
</source>
|
|
||||||
|
|
||||||
<filter nginx>
|
|
||||||
@type record_transformer
|
|
||||||
<record>
|
|
||||||
hostname ${hostname}
|
|
||||||
</record>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<match nginx>
|
|
||||||
@type relabel
|
|
||||||
@label @forward
|
|
||||||
</match>
|
|
|
@ -1,29 +0,0 @@
|
||||||
<source>
|
|
||||||
@type tail
|
|
||||||
path /var/log/td-agent/td-agent.log
|
|
||||||
pos_file /var/log/td-agent/td-agent.pos
|
|
||||||
format none
|
|
||||||
tag td_agent
|
|
||||||
</source>
|
|
||||||
|
|
||||||
<filter td_agent>
|
|
||||||
@type grep
|
|
||||||
|
|
||||||
<exclude>
|
|
||||||
key message
|
|
||||||
pattern (openvpn|will be ignored|section <buffer> is not used)
|
|
||||||
</exclude>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<filter td_agent>
|
|
||||||
@type record_transformer
|
|
||||||
<record>
|
|
||||||
hostname ${hostname}
|
|
||||||
message ${hostname}: ${record["message"]}
|
|
||||||
</record>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<match td_agent>
|
|
||||||
@type relabel
|
|
||||||
@label @forward
|
|
||||||
</match>
|
|
|
@ -1,146 +0,0 @@
|
||||||
<label @forward>
|
|
||||||
<match consul>
|
|
||||||
@type relabel
|
|
||||||
@label @consul_branch
|
|
||||||
</match>
|
|
||||||
|
|
||||||
<match nginx>
|
|
||||||
@type relabel
|
|
||||||
@label @s3_upload
|
|
||||||
</match>
|
|
||||||
|
|
||||||
<match **>
|
|
||||||
@type relabel
|
|
||||||
@label @process
|
|
||||||
</match>
|
|
||||||
</label>
|
|
||||||
|
|
||||||
<label @received>
|
|
||||||
<match consul>
|
|
||||||
@type relabel
|
|
||||||
@label @consul_branch
|
|
||||||
</match>
|
|
||||||
|
|
||||||
<match nginx>
|
|
||||||
@type relabel
|
|
||||||
@label @s3_upload
|
|
||||||
</match>
|
|
||||||
|
|
||||||
<match **>
|
|
||||||
@type copy
|
|
||||||
|
|
||||||
<store>
|
|
||||||
@type relabel
|
|
||||||
@label @process
|
|
||||||
</store>
|
|
||||||
|
|
||||||
<store>
|
|
||||||
@type file
|
|
||||||
path /tmp/received.log
|
|
||||||
</store>
|
|
||||||
</match>
|
|
||||||
</label>
|
|
||||||
|
|
||||||
<label @process>
|
|
||||||
<match auth>
|
|
||||||
@type relabel
|
|
||||||
@label @good
|
|
||||||
</match>
|
|
||||||
|
|
||||||
<filter aptitude>
|
|
||||||
@type grep
|
|
||||||
|
|
||||||
<regexp>
|
|
||||||
key message
|
|
||||||
pattern (Commandline|Error|Install|Remove|Upgrade)
|
|
||||||
</regexp>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<match aptitude>
|
|
||||||
@type copy
|
|
||||||
|
|
||||||
<store>
|
|
||||||
@type relabel
|
|
||||||
@label @good
|
|
||||||
</store>
|
|
||||||
|
|
||||||
<store>
|
|
||||||
@type file
|
|
||||||
path /tmp/aptitude.log
|
|
||||||
</store>
|
|
||||||
</match>
|
|
||||||
|
|
||||||
<filter monit>
|
|
||||||
@type grep
|
|
||||||
|
|
||||||
<exclude>
|
|
||||||
key message
|
|
||||||
pattern (error|ERROR)
|
|
||||||
</exclude>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<match monit>
|
|
||||||
@type relabel
|
|
||||||
@label @danger
|
|
||||||
</match>
|
|
||||||
|
|
||||||
<match cron_apt>
|
|
||||||
@type copy
|
|
||||||
|
|
||||||
<store>
|
|
||||||
@type relabel
|
|
||||||
@label @good
|
|
||||||
</store>
|
|
||||||
|
|
||||||
<store>
|
|
||||||
@type file
|
|
||||||
path /tmp/cron-apt.log
|
|
||||||
</store>
|
|
||||||
</match>
|
|
||||||
|
|
||||||
<match consul>
|
|
||||||
@type relabel
|
|
||||||
@label @danger
|
|
||||||
</match>
|
|
||||||
|
|
||||||
<filter td_agent>
|
|
||||||
@type grep
|
|
||||||
|
|
||||||
<exclude>
|
|
||||||
key message
|
|
||||||
pattern (\[info\]|parameter '.*' in|suppressed same stacktrace|loop\.rb|in_tail\.rb| 0(6|7):25|from ASCII-8BIT to UTF-8|of buffered_slack plugin)
|
|
||||||
</exclude>
|
|
||||||
|
|
||||||
<regexp>
|
|
||||||
key message
|
|
||||||
pattern \[(warn|error)\]
|
|
||||||
</regexp>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<match td_agent>
|
|
||||||
@type relabel
|
|
||||||
@label @danger
|
|
||||||
</match>
|
|
||||||
|
|
||||||
<filter app.**>
|
|
||||||
@type record_transformer
|
|
||||||
<record>
|
|
||||||
message ${record["log"]}
|
|
||||||
</record>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<match app.**>
|
|
||||||
@type relabel
|
|
||||||
@label @apps
|
|
||||||
</match>
|
|
||||||
|
|
||||||
<match random.**>
|
|
||||||
@type relabel
|
|
||||||
@label @random
|
|
||||||
</match>
|
|
||||||
|
|
||||||
<match apt-mirror.**>
|
|
||||||
@type relabel
|
|
||||||
@label @good
|
|
||||||
</match>
|
|
||||||
</label>
|
|
|
@ -1,39 +0,0 @@
|
||||||
######################
|
|
||||||
# Receive nginx logs #
|
|
||||||
######################
|
|
||||||
|
|
||||||
<label @consul_branch>
|
|
||||||
<match consul>
|
|
||||||
@type copy
|
|
||||||
|
|
||||||
<store>
|
|
||||||
@type rewrite_tag_filter
|
|
||||||
|
|
||||||
<rule>
|
|
||||||
key message
|
|
||||||
pattern (\[WARN\]|left, deregistering|removing server monitor)
|
|
||||||
tag consul.danger
|
|
||||||
</rule>
|
|
||||||
</store>
|
|
||||||
|
|
||||||
<store>
|
|
||||||
@type rewrite_tag_filter
|
|
||||||
|
|
||||||
<rule>
|
|
||||||
key message
|
|
||||||
pattern (\[INFO\])
|
|
||||||
tag consul.good
|
|
||||||
</rule>
|
|
||||||
</store>
|
|
||||||
</match>
|
|
||||||
|
|
||||||
<match consul.danger>
|
|
||||||
@type relabel
|
|
||||||
@label @danger
|
|
||||||
</match>
|
|
||||||
|
|
||||||
<match consul.good>
|
|
||||||
@type relabel
|
|
||||||
@label @good
|
|
||||||
</match>
|
|
||||||
</label>
|
|
|
@ -1,15 +0,0 @@
|
||||||
md5:57588c890f0ef6e8f8a9de3f2336df7c:salt:128-16-245-219-49-150-248-21:aes-256-cfb:y/5qRG08epYJHUpPCrY46RkH9mYeg0PPxe6b8Vus43Ph7TOSJOey/LrOZjJ7
|
|
||||||
iTYfOte4QbTH/P+wjm/8RldxRRSJ3spha/2MuIVQpliC+5KnT9nmC1rLP8+y
|
|
||||||
nbJstGpeGUuRIjzZtMvI1Kvb+j2BEOPCeiTAD2yXwPsMbaODoG5mzYgcSgBV
|
|
||||||
TDvtbG6I0KYDiLbTZw7crusQltx45uvq1zcK+g5UMb7oaqClyJA5VLsWRbeT
|
|
||||||
tiaFXQLYy2oXIvQmw65ccFixLIxVERxGrx/x4uGhR/saQIZMonymG6z3Riy3
|
|
||||||
vejNLQNIfaxZYb0llLTtzt13jsft+5Z766Y8Umoiws+bUF7igLw3CI47pb6y
|
|
||||||
PEwCvhKxk+RG5dtPQysRy1sSPrOTBzVf6+0/Em2BaKRBubRNEDpjI/1+aN5L
|
|
||||||
t5c4qYX3lP3v2bjwF1iQO5qEv3R46ytblZmyaoSPYGsWyzZBNn841QBZ1oi7
|
|
||||||
IlyYsnTFEQ5InVTygCd+04/L3tOoxShvsbxJZ/jYqSBaAo9UdhnYU9wo+8ob
|
|
||||||
Oz2sjarXIJyzqs4a68/YizNRdke7dEFblnYsLZUAtWQBnjo4cwGug8nZGaKr
|
|
||||||
L2M5IT3NWfVHRCf1sbkQspsjGtb3fM/F62VH8OU85vTXvR+SWSTYJzpSvcCH
|
|
||||||
73HqgOD1H0jzwanZi8SvVs7zA3Fr6HgJ4FYbwaB/109BVjnzhcmDm0RkXGQY
|
|
||||||
nqRsvlxEj6NnSGlGQgLvYgT1KLCTYFrZNlNZRzO71B32jc/KxZnwFRcxgrcb
|
|
||||||
/mAsz/TxLdxSjmuCAssfL/YY2uh5fPgL0XC31RdVJ9mdUpHQmtTAfAjYyilJ
|
|
||||||
J/fQOY6ZRDqq1Vfq53wuLrZJdxztWNK8DJguZJ5gdqy/l4ggPnCvDFwI
|
|
|
@ -1,5 +0,0 @@
|
||||||
<source>
|
|
||||||
@type forward
|
|
||||||
port 24224
|
|
||||||
@label @received
|
|
||||||
</source>
|
|
|
@ -1,38 +0,0 @@
|
||||||
# For ESXi syslog Monitoring:
|
|
||||||
<source>
|
|
||||||
@type syslog
|
|
||||||
port 1514
|
|
||||||
bind 0.0.0.0
|
|
||||||
protocol_type tcp
|
|
||||||
format none
|
|
||||||
tag system.esxi
|
|
||||||
</source>
|
|
||||||
|
|
||||||
<filter system.esxi.**>
|
|
||||||
@type grep
|
|
||||||
|
|
||||||
<exclude>
|
|
||||||
key message
|
|
||||||
pattern (iscsid|LikewiseGetDomainJoinInfo|hostd|DictionaryLoad|addVob|backup\.sh|libsmart|\[context\]|Hostd|vmauthd|Rhttpproxy|requested fast path state update| above TEMPERATURE threshold)
|
|
||||||
</exclude>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<match system.esxi.**.{debug,info}>
|
|
||||||
@type null
|
|
||||||
</match>
|
|
||||||
|
|
||||||
<match system.esxi.**.{notice,warn,err,crit,alert,emerg}>
|
|
||||||
@type copy
|
|
||||||
|
|
||||||
<store>
|
|
||||||
@type file
|
|
||||||
path /tmp/syslog_esxi.log
|
|
||||||
time_slice_format %Y%m%d
|
|
||||||
time_slice_wait 1m
|
|
||||||
</store>
|
|
||||||
|
|
||||||
<store>
|
|
||||||
@type relabel
|
|
||||||
@label @danger
|
|
||||||
</store>
|
|
||||||
</match>
|
|
|
@ -1,41 +0,0 @@
|
||||||
# For synology syslog Monitoring:
|
|
||||||
<source>
|
|
||||||
@type syslog
|
|
||||||
port 5141
|
|
||||||
bind 0.0.0.0
|
|
||||||
protocol_type tcp
|
|
||||||
message_format auto
|
|
||||||
tag system.synology
|
|
||||||
</source>
|
|
||||||
|
|
||||||
<filter system.synology.**>
|
|
||||||
@type grep
|
|
||||||
|
|
||||||
<exclude>
|
|
||||||
key message
|
|
||||||
pattern (accessed the shared folder)
|
|
||||||
</exclude>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<filter system.synology.**>
|
|
||||||
@type record_transformer
|
|
||||||
<record>
|
|
||||||
message ${record["host"]}: ${record["message"]}
|
|
||||||
</record>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<match system.synology.**>
|
|
||||||
@type copy
|
|
||||||
|
|
||||||
<store>
|
|
||||||
@type file
|
|
||||||
path /tmp/syslog_synology.log
|
|
||||||
time_slice_format %Y%m%d
|
|
||||||
time_slice_wait 1m
|
|
||||||
</store>
|
|
||||||
|
|
||||||
<store>
|
|
||||||
@type relabel
|
|
||||||
@label @good
|
|
||||||
</store>
|
|
||||||
</match>
|
|
|
@ -1,45 +0,0 @@
|
||||||
# For vyos syslog Monitoring:
|
|
||||||
<source>
|
|
||||||
@type syslog
|
|
||||||
port 5140
|
|
||||||
bind 0.0.0.0
|
|
||||||
protocol_type tcp
|
|
||||||
message_format auto
|
|
||||||
tag system.vyos
|
|
||||||
</source>
|
|
||||||
|
|
||||||
<filter system.vyos.**>
|
|
||||||
@type grep
|
|
||||||
|
|
||||||
<exclude>
|
|
||||||
key message
|
|
||||||
pattern (suspect value|Port3 Link|duplicate on LAN|can't get program name from|call user-defined scripts or executables|FRAG TTL expired|Port4 Link|Overriding mtu|Overriding mru|IPv6 Control Protoco)
|
|
||||||
</exclude>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<filter system.vyos.**>
|
|
||||||
@type record_transformer
|
|
||||||
<record>
|
|
||||||
message ${record["host"]}: ${record["message"]}
|
|
||||||
</record>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<match system.vyos.**.{debug,info,notice}>
|
|
||||||
@type null
|
|
||||||
</match>
|
|
||||||
|
|
||||||
<match system.vyos.**.{warn,err,crit,alert,emerg}>
|
|
||||||
@type copy
|
|
||||||
|
|
||||||
<store>
|
|
||||||
@type file
|
|
||||||
path /tmp/syslog_vyos.log
|
|
||||||
time_slice_format %Y%m%d
|
|
||||||
time_slice_wait 1m
|
|
||||||
</store>
|
|
||||||
|
|
||||||
<store>
|
|
||||||
@type relabel
|
|
||||||
@label @danger
|
|
||||||
</store>
|
|
||||||
</match>
|
|
|
@ -1,44 +0,0 @@
|
||||||
md5:4d7c92818f78f0384855b1006b60eb0f:salt:101-24-185-121-164-238-97-103:aes-256-cfb:e61qKgTSpyfqU8V+iEk9dDk3DI7Y9QiykJgDwEG0Qn/fquFM/6YhP/+FvQxV
|
|
||||||
BVcIDU1zMtX0TVjq3HBSVLW1fEh0tFLCRRG5lCwj5wpmFa+NeAY4Db4XxjPB
|
|
||||||
q0VbsAv9PI9ptDGylrNvBhAJpB/2A6xJ2h5Lh7026Dv5qi1bdvvAnyxNmbRa
|
|
||||||
UwkKvb9e+ptPk3gjQath/eX9qbR4fiX9LG9URnIkwhvlpYhRUqk94BL04toK
|
|
||||||
pLQEvtk4RdDKHylpdbKmWj2JCFeKb28JNq0AE7CrAi8zXevUoI6jXP+pipA5
|
|
||||||
GdW7BMEpjc8e6O2dy7kd/qWLKMvbEbzj0I1EC5ut1e1gAVzKGjPnwVVWGxaP
|
|
||||||
Hl3K3Vmj59kWU57Zgzmh7WYemt2AnTW6jQcCe5fP7gzIfD4KXYM18rStThOE
|
|
||||||
LXOCyuOFI5/EyGaX1lyWmw6Ic45rnr9iHaYDVqq0Q0aifIsLWxaQlD2AI4+7
|
|
||||||
uaU4Qa+QsSHLCmvhZ/ysKTfp9gKUZEQql/FCtKLjvmTAv8cN20W+c6KbZNI9
|
|
||||||
CrGpDLAY4oIsi0qSLsNqddC6D31dssMLDBC/ZdMdZmpwo32qeRvoca2GYBD9
|
|
||||||
voTiiEEbUP1+ZVhwndIaVMI3tIKc29Ixlo3W6vF4rL5AXyWSmW6OdcdOwgRI
|
|
||||||
FddW89z+LV4HB0L1HNIsWcR8eS/6OzJ3hKB6qFjz77+6X4lna4MX5nW4hnJI
|
|
||||||
dhUK8HzmF2NlP5UnnIPPF0Mznhrnrde6GZxRVkunZrnp9q9r63bJB9okfQSm
|
|
||||||
q/UBDbCUrJo81kRvtfv5+kLB1QppxWQljqzF65tnCbvvWe0KiNztyeP4yjds
|
|
||||||
hTx4vsTdKZGI0eTc7H1IiVgxS8OS7Z1nmd1seho4IsyFobI75E1Si96EgdEQ
|
|
||||||
IOXF2A6aqYJCqPbLaULih1jrrM70m/xENx2mykLwsZDzDs7nPelwze0fLLt/
|
|
||||||
qPxkFaqfElqkc4R8OaXAWVoEl4vZWosYvhrwu9g5JX00RPzS6wEFl3pywwjJ
|
|
||||||
rzQqGkG9fJu5KFRg/PFW19Jc75kuKsV7Glf12lq4mWqfvuc6PrH/ISok2G3/
|
|
||||||
LBuRp/MD+dyrFb+uKDua9cCjGF/d0FZ83vOEPTM607BN3GNuucBAA+u3BMKF
|
|
||||||
8zjL58Af01aSUrnGJ9IESbUOt4Fz9Isep/P4rVh6RkOcJMRvbuXgPCYN5xFv
|
|
||||||
qsf/fBmauim9lmQXg2QomnSBrguv/OgqKxoVwDHVPFqPlwkLPhoA2pN/xoId
|
|
||||||
y4g7BbsPaySGKNfcNG/xzFWM058oSgnxmqq2Jvgb3+mXk+EylRrdKVh8FLhh
|
|
||||||
s1sl04u8I4DiftOGcU0vg1dTmdAKSo8TcDROeQOYknkyT9SE9vUaEOeOvLRD
|
|
||||||
dOJi+S6BFfSE8kuWocL4Amvg8SKMgchvXGOXg44w0GJ1OFPNT4QDlm5PloWD
|
|
||||||
KXS+LBw6kL+617/cIclt1yPdxd0tOhr00moeDYT95Eso+AnvQLswSIRGLXA+
|
|
||||||
2E537p1+fYZqsfrG+FDDo/I6JWTzY3NMnDlo4GWpC/8vHom9effVwa6eHAWd
|
|
||||||
5Wg6d/9m2PQzJhLusBombcf+og+0EPxYgm/F2BL9jdljyOi2Fd2FNJKNA58V
|
|
||||||
Ol1fnIyvN4tQvUVQVTQHS15lTsMC7FGu5sgUY6O1YQTXu+0J2nuL9RRsJHDR
|
|
||||||
zBkRUE7+I/kdgVirgzVZrNGmJd6nVed4f6in0OKk1ITheWHdCXTQqP7nHliL
|
|
||||||
ZG/RZmAVK1djE1EtbnNdIZ3QmsIJdy879kUJn77koKfh7ds1QQxnBBQuMNFA
|
|
||||||
ab79jiMZYlKepZGyb3H/iz5hXo6LtIjNXU1tQOkMp7eni4niWTV8TKL7Kmso
|
|
||||||
1+4qVH5h/cjxjjl1hV4eQ3uNT5+LDEszX4bQgTF1La/PGHSgxisBxxU35OXq
|
|
||||||
0+wgkBjnTtfR1pNmGlzBkknrfCvasde7E37IzhAKFLsxlUPZT7W11UIDDiNr
|
|
||||||
6vZmAo5c5jnp8qhdEgE4FgQxH9s9d+ZtEbA7TCaiD/caO3TNmZiFohd9oDaT
|
|
||||||
i+FM1eHXfs9HfOCLfPe9QNCoXOuKV71qfVf2rRTg2mBV3yx7MN+jAQML2qkW
|
|
||||||
y2Th/sCYh8JzvsgBOZnBZ8gVZadYhnyQg5c7rNucqy6lw4ioS2GyUKrdPnR7
|
|
||||||
vq5OqBpFvbIKm+RaPkMV464fjdZJeJlQwa1ip466rfiipART3j9yZQH8Txkr
|
|
||||||
NACKgjzqnWiMvOe3CibdQsfN86qZpuC66xfTtbvgm1VGJlzWvMMzpRBdSWv5
|
|
||||||
u+KMl6rkqJ2hFnrAYJp1j/IQnY/SMN0LxZYQRWmQwYzqNBl5CEjJLNE/wW+8
|
|
||||||
//qdXor1TRe7zePzn40GJQ8U9AScbYgQU8xkeDfAapdh7XUj0NvFMN80jADJ
|
|
||||||
PimRBX/LgpToKts+XWWU6CiDLYDnsnLD72SB5hwZkWMo6tOMjC+dWKgZBcGH
|
|
||||||
zisf7rGgY/X4VO40i+uMB+HcoRHHSQBVoApIQt2Ozl6Zeaqm28M8/jVmpgUm
|
|
||||||
7BxL/JR0gLvYCSU4BEPFngPauLli0IPvZcEJ0vLW20vtOf+QtwaL0lzMz3fr
|
|
||||||
YaiKkOcdd19P4GSy1LpKkSdapT95EIaQMbnzvg0aRivdO4s4GXihPS3b8A==
|
|
|
@ -1 +0,0 @@
|
||||||
@include conf.d/*.conf
|
|
|
@ -1,57 +0,0 @@
|
||||||
# Load the APT key:
|
|
||||||
execute 'curl https://packages.treasuredata.com/GPG-KEY-td-agent | apt-key add -' do
|
|
||||||
not_if 'apt-key list | grep Treasure'
|
|
||||||
end
|
|
||||||
|
|
||||||
# Deploy the APT source:
|
|
||||||
CMD = 'grep DISTRIB_CODENAME /etc/lsb-release | cut -f 2 -d "="'
|
|
||||||
DIST = run_command(CMD).stdout.chomp
|
|
||||||
|
|
||||||
template '/etc/apt/sources.list.d/treasure-data.list' do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
|
|
||||||
variables(platform: node['platform'], dist: DIST)
|
|
||||||
end
|
|
||||||
|
|
||||||
execute 'apt update' do
|
|
||||||
action :run
|
|
||||||
|
|
||||||
not_if 'which td-agent'
|
|
||||||
end
|
|
||||||
|
|
||||||
# Install
|
|
||||||
package 'td-agent' do
|
|
||||||
action :install
|
|
||||||
end
|
|
||||||
|
|
||||||
# Overwrite the conf:
|
|
||||||
remote_file '/etc/td-agent/td-agent.conf' do
|
|
||||||
owner node['td-agent']['user']
|
|
||||||
group node['td-agent']['group']
|
|
||||||
mode '644'
|
|
||||||
end
|
|
||||||
|
|
||||||
# Create /etc/td-agent/conf.d:
|
|
||||||
directory '/etc/td-agent/conf.d' do
|
|
||||||
owner node['td-agent']['user']
|
|
||||||
group node['td-agent']['group']
|
|
||||||
mode '755'
|
|
||||||
end
|
|
||||||
|
|
||||||
# Deploy /etc/hosts file:
|
|
||||||
HOSTNAME = run_command('uname -n').stdout.chomp
|
|
||||||
|
|
||||||
template '/etc/hosts' do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
|
|
||||||
variables(HOSTNAME: HOSTNAME)
|
|
||||||
end
|
|
||||||
|
|
||||||
# Enable and start:
|
|
||||||
service 'td-agent' do
|
|
||||||
action :enable
|
|
||||||
end
|
|
|
@ -1,22 +0,0 @@
|
||||||
# Manager setting:
|
|
||||||
if node['td-agent']['forward']
|
|
||||||
gem_package 'fluent-plugin-s3' do
|
|
||||||
action :upgrade
|
|
||||||
gem_binary '/usr/sbin/td-agent-gem'
|
|
||||||
end
|
|
||||||
|
|
||||||
encrypted_remote_file '/etc/td-agent/conf.d/processor_nginx.conf' do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
source 'files/etc/td-agent/conf.d/processor_nginx.conf'
|
|
||||||
password ENV['ITAMAE_PASSWORD']
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
# Agent setting:
|
|
||||||
remote_file '/etc/td-agent/conf.d/forwarder_nginx.conf' do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
end
|
|
|
@ -1,5 +0,0 @@
|
||||||
remote_file '/etc/security/limits.d/90-nfile.conf' do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
end
|
|
|
@ -1,7 +0,0 @@
|
||||||
%w( processor.conf processor_consul.conf ).each do |f|
|
|
||||||
remote_file "/etc/td-agent/conf.d/#{f}" do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,73 +0,0 @@
|
||||||
########################################################
|
|
||||||
# Common Configuration
|
|
||||||
########################################################
|
|
||||||
|
|
||||||
# Monit configuration for `td-agent`:
|
|
||||||
remote_file '/etc/monit/conf.d/td-agent.conf' do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
|
|
||||||
# notifies :restart, 'service[monit]'
|
|
||||||
end
|
|
||||||
|
|
||||||
# add `td-agent` user to `adm` group:
|
|
||||||
execute 'usermod -aG adm td-agent' do
|
|
||||||
not_if 'id td-agent | grep adm'
|
|
||||||
end
|
|
||||||
|
|
||||||
# Deploy the `td-agent` configuration file for monitoring `td-agent` logs:
|
|
||||||
remote_file '/etc/td-agent/conf.d/forwarder_td-agent.conf' do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
end
|
|
||||||
|
|
||||||
########################################################
|
|
||||||
# Agent Configuration:
|
|
||||||
########################################################
|
|
||||||
unless node['td-agent']['forward']
|
|
||||||
remote_file '/etc/td-agent/conf.d/forwarder.conf' do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
########################################################
|
|
||||||
# Manager Configuration:
|
|
||||||
########################################################
|
|
||||||
if node['td-agent']['forward']
|
|
||||||
remote_file '/etc/td-agent/conf.d/receiver.conf' do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
end
|
|
||||||
|
|
||||||
template '/etc/consul.d/service-td-agent.json' do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
|
|
||||||
variables(role: node['td-agent']['role'])
|
|
||||||
|
|
||||||
notifies :restart, 'service[supervisor]'
|
|
||||||
end
|
|
||||||
|
|
||||||
%w( 24224/tcp 24224/udp ).each do |p|
|
|
||||||
execute "ufw allow #{p}" do
|
|
||||||
user 'root'
|
|
||||||
|
|
||||||
not_if "LANG=c ufw status | grep #{p}"
|
|
||||||
|
|
||||||
notifies :run, 'execute[ufw reload-or-enable]'
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
execute 'ufw reload-or-enable' do
|
|
||||||
user 'root'
|
|
||||||
command 'LANG=C ufw reload | grep skipping && ufw --force enable || exit 0'
|
|
||||||
|
|
||||||
action :nothing
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,12 +0,0 @@
|
||||||
gem_package 'fluent-plugin-slack' do
|
|
||||||
action :upgrade
|
|
||||||
gem_binary '/usr/sbin/td-agent-gem'
|
|
||||||
end
|
|
||||||
|
|
||||||
encrypted_remote_file '/etc/td-agent/conf.d/watcher.conf' do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
source 'files/etc/td-agent/conf.d/watcher.conf'
|
|
||||||
password ENV['ITAMAE_PASSWORD']
|
|
||||||
end
|
|
|
@ -1,15 +0,0 @@
|
||||||
%w( esxi synology vyos ).each do |c|
|
|
||||||
remote_file "/etc/td-agent/conf.d/syslog_#{c}.conf" do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
%w( 1514/tcp 5140/tcp 5141/tcp ).each do |p|
|
|
||||||
execute "ufw allow #{p}" do
|
|
||||||
user 'root'
|
|
||||||
|
|
||||||
not_if "LANG=c ufw status | grep #{p}"
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1 +0,0 @@
|
||||||
deb http://packages.treasuredata.com/3/<%= @platform %>/<%= @dist %>/ <%= @dist %> contrib
|
|
|
@ -1,7 +0,0 @@
|
||||||
{
|
|
||||||
"service": {
|
|
||||||
"name": "td-agent",
|
|
||||||
"tags": ["<%= @role %>"],
|
|
||||||
"port": 24224
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,11 +0,0 @@
|
||||||
127.0.0.1 localhost
|
|
||||||
127.0.1.1 <%= @HOSTNAME %>
|
|
||||||
|
|
||||||
192.168.10.110 primary.td-agent.service.consul
|
|
||||||
192.168.10.115 backup.td-agent.service.consul
|
|
||||||
|
|
||||||
# The following lines are desirable for IPv6 capable hosts
|
|
||||||
::1 localhost ip6-localhost ip6-loopback
|
|
||||||
ff02::1 ip6-allnodes
|
|
||||||
ff02::2 ip6-allrouters
|
|
||||||
|
|
|
@ -1,39 +0,0 @@
|
||||||
package 'monit'
|
|
||||||
|
|
||||||
service 'monit' do
|
|
||||||
action :disable
|
|
||||||
end
|
|
||||||
|
|
||||||
case run_command('grep VERSION_ID /etc/os-release | awk -F\" \'{print $2}\'').stdout.chomp
|
|
||||||
when "18.04"
|
|
||||||
# do nothing
|
|
||||||
else
|
|
||||||
remote_file '/etc/monit/monitrc' do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '600'
|
|
||||||
|
|
||||||
notifies :reload, 'service[monit]'
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
remote_file '/etc/default/monit' do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
|
|
||||||
notifies :run, 'execute[systemctl daemon-reload]'
|
|
||||||
end
|
|
||||||
|
|
||||||
remote_file '/lib/systemd/system/monit.service' do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
|
|
||||||
notifies :run, 'execute[systemctl daemon-reload]'
|
|
||||||
end
|
|
||||||
|
|
||||||
execute 'systemctl daemon-reload' do
|
|
||||||
action :nothing
|
|
||||||
command '/etc/init.d/monit stop && systemctl daemon-reload && systemctl enable monit && systemctl start monit'
|
|
||||||
end
|
|
|
@ -1,10 +0,0 @@
|
||||||
# /etc/default/monit
|
|
||||||
|
|
||||||
# Defaults for monit initscript. This file is sourced by
|
|
||||||
# /bin/sh from /etc/init.d/monit.
|
|
||||||
|
|
||||||
# Set START to yes to start the monit
|
|
||||||
START=yes
|
|
||||||
|
|
||||||
# Options to pass to monit
|
|
||||||
MONIT_OPTS=-I
|
|
|
@ -1,248 +0,0 @@
|
||||||
###############################################################################
|
|
||||||
## Monit control file
|
|
||||||
###############################################################################
|
|
||||||
##
|
|
||||||
## Comments begin with a '#' and extend through the end of the line. Keywords
|
|
||||||
## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'.
|
|
||||||
##
|
|
||||||
## Below you will find examples of some frequently used statements. For
|
|
||||||
## information about the control file and a complete list of statements and
|
|
||||||
## options, please have a look in the Monit manual.
|
|
||||||
##
|
|
||||||
##
|
|
||||||
###############################################################################
|
|
||||||
## Global section
|
|
||||||
###############################################################################
|
|
||||||
##
|
|
||||||
## Start Monit in the background (run as a daemon):
|
|
||||||
#
|
|
||||||
set daemon 60 # check services at 2-minute intervals
|
|
||||||
with start delay 240 # optional: delay the first check by 4-minutes (by
|
|
||||||
# # default Monit check immediately after Monit start)
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Set syslog logging with the 'daemon' facility. If the FACILITY option is
|
|
||||||
## omitted, Monit will use 'user' facility by default. If you want to log to
|
|
||||||
## a standalone log file instead, specify the full path to the log file
|
|
||||||
#
|
|
||||||
# set logfile syslog facility log_daemon
|
|
||||||
set logfile /var/log/monit.log
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Set the location of the Monit id file which stores the unique id for the
|
|
||||||
## Monit instance. The id is generated and stored on first Monit start. By
|
|
||||||
## default the file is placed in $HOME/.monit.id.
|
|
||||||
#
|
|
||||||
# set idfile /var/.monit.id
|
|
||||||
set idfile /var/lib/monit/id
|
|
||||||
#
|
|
||||||
## Set the location of the Monit state file which saves monitoring states
|
|
||||||
## on each cycle. By default the file is placed in $HOME/.monit.state. If
|
|
||||||
## the state file is stored on a persistent filesystem, Monit will recover
|
|
||||||
## the monitoring state across reboots. If it is on temporary filesystem, the
|
|
||||||
## state will be lost on reboot which may be convenient in some situations.
|
|
||||||
#
|
|
||||||
set statefile /var/lib/monit/state
|
|
||||||
#
|
|
||||||
## Set the list of mail servers for alert delivery. Multiple servers may be
|
|
||||||
## specified using a comma separator. If the first mail server fails, Monit
|
|
||||||
# will use the second mail server in the list and so on. By default Monit uses
|
|
||||||
# port 25 - it is possible to override this with the PORT option.
|
|
||||||
#
|
|
||||||
# set mailserver mail.bar.baz, # primary mailserver
|
|
||||||
# backup.bar.baz port 10025, # backup mailserver on port 10025
|
|
||||||
# localhost # fallback relay
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## By default Monit will drop alert events if no mail servers are available.
|
|
||||||
## If you want to keep the alerts for later delivery retry, you can use the
|
|
||||||
## EVENTQUEUE statement. The base directory where undelivered alerts will be
|
|
||||||
## stored is specified by the BASEDIR option. You can limit the maximal queue
|
|
||||||
## size using the SLOTS option (if omitted, the queue is limited by space
|
|
||||||
## available in the back end filesystem).
|
|
||||||
#
|
|
||||||
set eventqueue
|
|
||||||
basedir /var/lib/monit/events # set the base directory where events will be stored
|
|
||||||
slots 100 # optionally limit the queue size
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Send status and events to M/Monit (for more informations about M/Monit
|
|
||||||
## see http://mmonit.com/). By default Monit registers credentials with
|
|
||||||
## M/Monit so M/Monit can smoothly communicate back to Monit and you don't
|
|
||||||
## have to register Monit credentials manually in M/Monit. It is possible to
|
|
||||||
## disable credential registration using the commented out option below.
|
|
||||||
## Though, if safety is a concern we recommend instead using https when
|
|
||||||
## communicating with M/Monit and send credentials encrypted.
|
|
||||||
#
|
|
||||||
# set mmonit http://monit:monit@192.168.1.10:8080/collector
|
|
||||||
# # and register without credentials # Don't register credentials
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Monit by default uses the following format for alerts if the the mail-format
|
|
||||||
## statement is missing::
|
|
||||||
## --8<--
|
|
||||||
## set mail-format {
|
|
||||||
## from: monit@$HOST
|
|
||||||
## subject: monit alert -- $EVENT $SERVICE
|
|
||||||
## message: $EVENT Service $SERVICE
|
|
||||||
## Date: $DATE
|
|
||||||
## Action: $ACTION
|
|
||||||
## Host: $HOST
|
|
||||||
## Description: $DESCRIPTION
|
|
||||||
##
|
|
||||||
## Your faithful employee,
|
|
||||||
## Monit
|
|
||||||
## }
|
|
||||||
## --8<--
|
|
||||||
##
|
|
||||||
## You can override this message format or parts of it, such as subject
|
|
||||||
## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.
|
|
||||||
## are expanded at runtime. For example, to override the sender, use:
|
|
||||||
#
|
|
||||||
# set mail-format { from: monit@foo.bar }
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## You can set alert recipients whom will receive alerts if/when a
|
|
||||||
## service defined in this file has errors. Alerts may be restricted on
|
|
||||||
## events by using a filter as in the second example below.
|
|
||||||
#
|
|
||||||
# set alert sysadm@foo.bar # receive all alerts
|
|
||||||
# set alert manager@foo.bar only on { timeout } # receive just service-
|
|
||||||
# # timeout alert
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Monit has an embedded web server which can be used to view status of
|
|
||||||
## services monitored and manage services from a web interface. See the
|
|
||||||
## Monit Wiki if you want to enable SSL for the web server.
|
|
||||||
#
|
|
||||||
# set httpd port 2812 and
|
|
||||||
# use address localhost # only accept connection from localhost
|
|
||||||
# allow localhost # allow localhost to connect to the server and
|
|
||||||
# allow admin:monit # require user 'admin' with password 'monit'
|
|
||||||
# allow @monit # allow users of group 'monit' to connect (rw)
|
|
||||||
# allow @users readonly # allow users of group 'users' to connect readonly
|
|
||||||
#
|
|
||||||
###############################################################################
|
|
||||||
## Services
|
|
||||||
###############################################################################
|
|
||||||
##
|
|
||||||
## Check general system resources such as load average, cpu and memory
|
|
||||||
## usage. Each test specifies a resource, conditions and the action to be
|
|
||||||
## performed should a test fail.
|
|
||||||
#
|
|
||||||
# check system myhost.mydomain.tld
|
|
||||||
# if loadavg (1min) > 4 then alert
|
|
||||||
# if loadavg (5min) > 2 then alert
|
|
||||||
# if memory usage > 75% then alert
|
|
||||||
# if swap usage > 25% then alert
|
|
||||||
# if cpu usage (user) > 70% then alert
|
|
||||||
# if cpu usage (system) > 30% then alert
|
|
||||||
# if cpu usage (wait) > 20% then alert
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Check if a file exists, checksum, permissions, uid and gid. In addition
|
|
||||||
## to alert recipients in the global section, customized alert can be sent to
|
|
||||||
## additional recipients by specifying a local alert handler. The service may
|
|
||||||
## be grouped using the GROUP option. More than one group can be specified by
|
|
||||||
## repeating the 'group name' statement.
|
|
||||||
#
|
|
||||||
# check file apache_bin with path /usr/local/apache/bin/httpd
|
|
||||||
# if failed checksum and
|
|
||||||
# expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor
|
|
||||||
# if failed permission 755 then unmonitor
|
|
||||||
# if failed uid root then unmonitor
|
|
||||||
# if failed gid root then unmonitor
|
|
||||||
# alert security@foo.bar on {
|
|
||||||
# checksum, permission, uid, gid, unmonitor
|
|
||||||
# } with the mail-format { subject: Alarm! }
|
|
||||||
# group server
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Check that a process is running, in this case Apache, and that it respond
|
|
||||||
## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory,
|
|
||||||
## and number of children. If the process is not running, Monit will restart
|
|
||||||
## it by default. In case the service is restarted very often and the
|
|
||||||
## problem remains, it is possible to disable monitoring using the TIMEOUT
|
|
||||||
## statement. This service depends on another service (apache_bin) which
|
|
||||||
## is defined above.
|
|
||||||
#
|
|
||||||
# check process apache with pidfile /usr/local/apache/logs/httpd.pid
|
|
||||||
# start program = "/etc/init.d/httpd start" with timeout 60 seconds
|
|
||||||
# stop program = "/etc/init.d/httpd stop"
|
|
||||||
# if cpu > 60% for 2 cycles then alert
|
|
||||||
# if cpu > 80% for 5 cycles then restart
|
|
||||||
# if totalmem > 200.0 MB for 5 cycles then restart
|
|
||||||
# if children > 250 then restart
|
|
||||||
# if loadavg(5min) greater than 10 for 8 cycles then stop
|
|
||||||
# if failed host www.tildeslash.com port 80 protocol http
|
|
||||||
# and request "/somefile.html"
|
|
||||||
# then restart
|
|
||||||
# if failed port 443 type tcpssl protocol http
|
|
||||||
# with timeout 15 seconds
|
|
||||||
# then restart
|
|
||||||
# if 3 restarts within 5 cycles then timeout
|
|
||||||
# depends on apache_bin
|
|
||||||
# group server
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Check filesystem permissions, uid, gid, space and inode usage. Other services,
|
|
||||||
## such as databases, may depend on this resource and an automatically graceful
|
|
||||||
## stop may be cascaded to them before the filesystem will become full and data
|
|
||||||
## lost.
|
|
||||||
#
|
|
||||||
# check filesystem datafs with path /dev/sdb1
|
|
||||||
# start program = "/bin/mount /data"
|
|
||||||
# stop program = "/bin/umount /data"
|
|
||||||
# if failed permission 660 then unmonitor
|
|
||||||
# if failed uid root then unmonitor
|
|
||||||
# if failed gid disk then unmonitor
|
|
||||||
# if space usage > 80% for 5 times within 15 cycles then alert
|
|
||||||
# if space usage > 99% then stop
|
|
||||||
# if inode usage > 30000 then alert
|
|
||||||
# if inode usage > 99% then stop
|
|
||||||
# group server
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Check a file's timestamp. In this example, we test if a file is older
|
|
||||||
## than 15 minutes and assume something is wrong if its not updated. Also,
|
|
||||||
## if the file size exceed a given limit, execute a script
|
|
||||||
#
|
|
||||||
# check file database with path /data/mydatabase.db
|
|
||||||
# if failed permission 700 then alert
|
|
||||||
# if failed uid data then alert
|
|
||||||
# if failed gid data then alert
|
|
||||||
# if timestamp > 15 minutes then alert
|
|
||||||
# if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Check directory permission, uid and gid. An event is triggered if the
|
|
||||||
## directory does not belong to the user with uid 0 and gid 0. In addition,
|
|
||||||
## the permissions have to match the octal description of 755 (see chmod(1)).
|
|
||||||
#
|
|
||||||
# check directory bin with path /bin
|
|
||||||
# if failed permission 755 then unmonitor
|
|
||||||
# if failed uid 0 then unmonitor
|
|
||||||
# if failed gid 0 then unmonitor
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Check a remote host availability by issuing a ping test and check the
|
|
||||||
## content of a response from a web server. Up to three pings are sent and
|
|
||||||
## connection to a port and an application level network check is performed.
|
|
||||||
#
|
|
||||||
# check host myserver with address 192.168.1.1
|
|
||||||
# if failed icmp type echo count 3 with timeout 3 seconds then alert
|
|
||||||
# if failed port 3306 protocol mysql with timeout 15 seconds then alert
|
|
||||||
# if failed url http://user:password@www.foo.bar:8080/?querystring
|
|
||||||
# and content == 'action="j_security_check"'
|
|
||||||
# then alert
|
|
||||||
#
|
|
||||||
#
|
|
||||||
###############################################################################
|
|
||||||
## Includes
|
|
||||||
###############################################################################
|
|
||||||
##
|
|
||||||
## It is possible to include additional configuration parts from other files or
|
|
||||||
## directories.
|
|
||||||
#
|
|
||||||
include /etc/monit/conf.d/*.conf
|
|
||||||
#
|
|
|
@ -1,308 +0,0 @@
|
||||||
###############################################################################
|
|
||||||
## Monit control file
|
|
||||||
###############################################################################
|
|
||||||
##
|
|
||||||
## Comments begin with a '#' and extend through the end of the line. Keywords
|
|
||||||
## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'.
|
|
||||||
##
|
|
||||||
## Below you will find examples of some frequently used statements. For
|
|
||||||
## information about the control file and a complete list of statements and
|
|
||||||
## options, please have a look in the Monit manual.
|
|
||||||
##
|
|
||||||
##
|
|
||||||
###############################################################################
|
|
||||||
## Global section
|
|
||||||
###############################################################################
|
|
||||||
##
|
|
||||||
## Start Monit in the background (run as a daemon):
|
|
||||||
#
|
|
||||||
set daemon 120 # check services at 2-minute intervals
|
|
||||||
# with start delay 240 # optional: delay the first check by 4-minutes (by
|
|
||||||
# # default Monit check immediately after Monit start)
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Set syslog logging. If you want to log to a standalone log file instead,
|
|
||||||
## specify the full path to the log file
|
|
||||||
#
|
|
||||||
set log /var/log/monit.log
|
|
||||||
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Set the location of the Monit lock file which stores the process id of the
|
|
||||||
## running Monit instance. By default this file is stored in $HOME/.monit.pid
|
|
||||||
#
|
|
||||||
# set pidfile /var/run/monit.pid
|
|
||||||
#
|
|
||||||
## Set the location of the Monit id file which stores the unique id for the
|
|
||||||
## Monit instance. The id is generated and stored on first Monit start. By
|
|
||||||
## default the file is placed in $HOME/.monit.id.
|
|
||||||
#
|
|
||||||
# set idfile /var/.monit.id
|
|
||||||
set idfile /var/lib/monit/id
|
|
||||||
#
|
|
||||||
## Set the location of the Monit state file which saves monitoring states
|
|
||||||
## on each cycle. By default the file is placed in $HOME/.monit.state. If
|
|
||||||
## the state file is stored on a persistent filesystem, Monit will recover
|
|
||||||
## the monitoring state across reboots. If it is on temporary filesystem, the
|
|
||||||
## state will be lost on reboot which may be convenient in some situations.
|
|
||||||
#
|
|
||||||
set statefile /var/lib/monit/state
|
|
||||||
#
|
|
||||||
#
|
|
||||||
|
|
||||||
## Set limits for various tests. The following example shows the default values:
|
|
||||||
##
|
|
||||||
# set limits {
|
|
||||||
# programOutput: 512 B, # check program's output truncate limit
|
|
||||||
# sendExpectBuffer: 256 B, # limit for send/expect protocol test
|
|
||||||
# fileContentBuffer: 512 B, # limit for file content test
|
|
||||||
# httpContentBuffer: 1 MB, # limit for HTTP content test
|
|
||||||
# networkTimeout: 5 seconds # timeout for network I/O
|
|
||||||
# programTimeout: 300 seconds # timeout for check program
|
|
||||||
# stopTimeout: 30 seconds # timeout for service stop
|
|
||||||
# startTimeout: 30 seconds # timeout for service start
|
|
||||||
# restartTimeout: 30 seconds # timeout for service restart
|
|
||||||
# }
|
|
||||||
|
|
||||||
## Set global SSL options (just most common options showed, see manual for
|
|
||||||
## full list).
|
|
||||||
#
|
|
||||||
# set ssl {
|
|
||||||
# verify : enable, # verify SSL certificates (disabled by default but STRONGLY RECOMMENDED)
|
|
||||||
# selfsigned : allow # allow self signed SSL certificates (reject by default)
|
|
||||||
# }
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Set the list of mail servers for alert delivery. Multiple servers may be
|
|
||||||
## specified using a comma separator. If the first mail server fails, Monit
|
|
||||||
# will use the second mail server in the list and so on. By default Monit uses
|
|
||||||
# port 25 - it is possible to override this with the PORT option.
|
|
||||||
#
|
|
||||||
# set mailserver mail.bar.baz, # primary mailserver
|
|
||||||
# backup.bar.baz port 10025, # backup mailserver on port 10025
|
|
||||||
# localhost # fallback relay
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## By default Monit will drop alert events if no mail servers are available.
|
|
||||||
## If you want to keep the alerts for later delivery retry, you can use the
|
|
||||||
## EVENTQUEUE statement. The base directory where undelivered alerts will be
|
|
||||||
## stored is specified by the BASEDIR option. You can limit the queue size
|
|
||||||
## by using the SLOTS option (if omitted, the queue is limited by space
|
|
||||||
## available in the back end filesystem).
|
|
||||||
#
|
|
||||||
set eventqueue
|
|
||||||
basedir /var/lib/monit/events # set the base directory where events will be stored
|
|
||||||
slots 100 # optionally limit the queue size
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Send status and events to M/Monit (for more informations about M/Monit
|
|
||||||
## see https://mmonit.com/). By default Monit registers credentials with
|
|
||||||
## M/Monit so M/Monit can smoothly communicate back to Monit and you don't
|
|
||||||
## have to register Monit credentials manually in M/Monit. It is possible to
|
|
||||||
## disable credential registration using the commented out option below.
|
|
||||||
## Though, if safety is a concern we recommend instead using https when
|
|
||||||
## communicating with M/Monit and send credentials encrypted. The password
|
|
||||||
## should be URL encoded if it contains URL-significant characters like
|
|
||||||
## ":", "?", "@". Default timeout is 5 seconds, you can customize it by
|
|
||||||
## adding the timeout option.
|
|
||||||
#
|
|
||||||
# set mmonit http://monit:monit@192.168.1.10:8080/collector
|
|
||||||
# # with timeout 30 seconds # Default timeout is 5 seconds
|
|
||||||
# # and register without credentials # Don't register credentials
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Monit by default uses the following format for alerts if the mail-format
|
|
||||||
## statement is missing::
|
|
||||||
## --8<--
|
|
||||||
## set mail-format {
|
|
||||||
## from: Monit <monit@$HOST>
|
|
||||||
## subject: monit alert -- $EVENT $SERVICE
|
|
||||||
## message: $EVENT Service $SERVICE
|
|
||||||
## Date: $DATE
|
|
||||||
## Action: $ACTION
|
|
||||||
## Host: $HOST
|
|
||||||
## Description: $DESCRIPTION
|
|
||||||
##
|
|
||||||
## Your faithful employee,
|
|
||||||
## Monit
|
|
||||||
## }
|
|
||||||
## --8<--
|
|
||||||
##
|
|
||||||
## You can override this message format or parts of it, such as subject
|
|
||||||
## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.
|
|
||||||
## are expanded at runtime. For example, to override the sender, use:
|
|
||||||
#
|
|
||||||
# set mail-format { from: monit@foo.bar }
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## You can set alert recipients whom will receive alerts if/when a
|
|
||||||
## service defined in this file has errors. Alerts may be restricted on
|
|
||||||
## events by using a filter as in the second example below.
|
|
||||||
#
|
|
||||||
# set alert sysadm@foo.bar # receive all alerts
|
|
||||||
#
|
|
||||||
## Do not alert when Monit starts, stops or performs a user initiated action.
|
|
||||||
## This filter is recommended to avoid getting alerts for trivial cases.
|
|
||||||
#
|
|
||||||
# set alert your-name@your.domain not on { instance, action }
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Monit has an embedded HTTP interface which can be used to view status of
|
|
||||||
## services monitored and manage services from a web interface. The HTTP
|
|
||||||
## interface is also required if you want to issue Monit commands from the
|
|
||||||
## command line, such as 'monit status' or 'monit restart service' The reason
|
|
||||||
## for this is that the Monit client uses the HTTP interface to send these
|
|
||||||
## commands to a running Monit daemon. See the Monit Wiki if you want to
|
|
||||||
## enable SSL for the HTTP interface.
|
|
||||||
#
|
|
||||||
# set httpd port 2812 and
|
|
||||||
# use address localhost # only accept connection from localhost
|
|
||||||
# allow localhost # allow localhost to connect to the server and
|
|
||||||
# allow admin:monit # require user 'admin' with password 'monit'
|
|
||||||
# #with ssl { # enable SSL/TLS and set path to server certificate
|
|
||||||
# # pemfile: /etc/ssl/certs/monit.pem
|
|
||||||
# #}
|
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
## Services
|
|
||||||
###############################################################################
|
|
||||||
##
|
|
||||||
## Check general system resources such as load average, cpu and memory
|
|
||||||
## usage. Each test specifies a resource, conditions and the action to be
|
|
||||||
## performed should a test fail.
|
|
||||||
#
|
|
||||||
# check system $HOST
|
|
||||||
# if loadavg (1min) > 4 then alert
|
|
||||||
# if loadavg (5min) > 2 then alert
|
|
||||||
# if cpu usage > 95% for 10 cycles then alert
|
|
||||||
# if memory usage > 75% then alert
|
|
||||||
# if swap usage > 25% then alert
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Check if a file exists, checksum, permissions, uid and gid. In addition
|
|
||||||
## to alert recipients in the global section, customized alert can be sent to
|
|
||||||
## additional recipients by specifying a local alert handler. The service may
|
|
||||||
## be grouped using the GROUP option. More than one group can be specified by
|
|
||||||
## repeating the 'group name' statement.
|
|
||||||
#
|
|
||||||
# check file apache_bin with path /usr/local/apache/bin/httpd
|
|
||||||
# if failed checksum and
|
|
||||||
# expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor
|
|
||||||
# if failed permission 755 then unmonitor
|
|
||||||
# if failed uid "root" then unmonitor
|
|
||||||
# if failed gid "root" then unmonitor
|
|
||||||
# alert security@foo.bar on {
|
|
||||||
# checksum, permission, uid, gid, unmonitor
|
|
||||||
# } with the mail-format { subject: Alarm! }
|
|
||||||
# group server
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Check that a process is running, in this case Apache, and that it respond
|
|
||||||
## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory,
|
|
||||||
## and number of children. If the process is not running, Monit will restart
|
|
||||||
## it by default. In case the service is restarted very often and the
|
|
||||||
## problem remains, it is possible to disable monitoring using the TIMEOUT
|
|
||||||
## statement. This service depends on another service (apache_bin) which
|
|
||||||
## is defined above.
|
|
||||||
#
|
|
||||||
# check process apache with pidfile /usr/local/apache/logs/httpd.pid
|
|
||||||
# start program = "/etc/init.d/httpd start" with timeout 60 seconds
|
|
||||||
# stop program = "/etc/init.d/httpd stop"
|
|
||||||
# if cpu > 60% for 2 cycles then alert
|
|
||||||
# if cpu > 80% for 5 cycles then restart
|
|
||||||
# if totalmem > 200.0 MB for 5 cycles then restart
|
|
||||||
# if children > 250 then restart
|
|
||||||
# if loadavg(5min) greater than 10 for 8 cycles then stop
|
|
||||||
# if disk read > 500 kb/s for 10 cycles then alert
|
|
||||||
# if disk write > 500 kb/s for 10 cycles then alert
|
|
||||||
# if failed host www.tildeslash.com port 80 protocol http and request "/somefile.html" then restart
|
|
||||||
# if failed port 443 protocol https with timeout 15 seconds then restart
|
|
||||||
# if 3 restarts within 5 cycles then unmonitor
|
|
||||||
# depends on apache_bin
|
|
||||||
# group server
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Check filesystem permissions, uid, gid, space usage, inode usage and disk I/O.
|
|
||||||
## Other services, such as databases, may depend on this resource and an automatically
|
|
||||||
## graceful stop may be cascaded to them before the filesystem will become full and data
|
|
||||||
## lost.
|
|
||||||
#
|
|
||||||
# check filesystem datafs with path /dev/sdb1
|
|
||||||
# start program = "/bin/mount /data"
|
|
||||||
# stop program = "/bin/umount /data"
|
|
||||||
# if failed permission 660 then unmonitor
|
|
||||||
# if failed uid "root" then unmonitor
|
|
||||||
# if failed gid "disk" then unmonitor
|
|
||||||
# if space usage > 80% for 5 times within 15 cycles then alert
|
|
||||||
# if space usage > 99% then stop
|
|
||||||
# if inode usage > 30000 then alert
|
|
||||||
# if inode usage > 99% then stop
|
|
||||||
# if read rate > 1 MB/s for 5 cycles then alert
|
|
||||||
# if read rate > 500 operations/s for 5 cycles then alert
|
|
||||||
# if write rate > 1 MB/s for 5 cycles then alert
|
|
||||||
# if write rate > 500 operations/s for 5 cycles then alert
|
|
||||||
# if service time > 10 milliseconds for 3 times within 5 cycles then alert
|
|
||||||
# group server
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Check a file's timestamp. In this example, we test if a file is older
|
|
||||||
## than 15 minutes and assume something is wrong if its not updated. Also,
|
|
||||||
## if the file size exceed a given limit, execute a script
|
|
||||||
#
|
|
||||||
# check file database with path /data/mydatabase.db
|
|
||||||
# if failed permission 700 then alert
|
|
||||||
# if failed uid "data" then alert
|
|
||||||
# if failed gid "data" then alert
|
|
||||||
# if timestamp > 15 minutes then alert
|
|
||||||
# if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Check directory permission, uid and gid. An event is triggered if the
|
|
||||||
## directory does not belong to the user with uid 0 and gid 0. In addition,
|
|
||||||
## the permissions have to match the octal description of 755 (see chmod(1)).
|
|
||||||
#
|
|
||||||
# check directory bin with path /bin
|
|
||||||
# if failed permission 755 then unmonitor
|
|
||||||
# if failed uid 0 then unmonitor
|
|
||||||
# if failed gid 0 then unmonitor
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Check a remote host availability by issuing a ping test and check the
|
|
||||||
## content of a response from a web server. Up to three pings are sent and
|
|
||||||
## connection to a port and an application level network check is performed.
|
|
||||||
#
|
|
||||||
# check host myserver with address 192.168.1.1
|
|
||||||
# if failed ping then alert
|
|
||||||
# if failed port 3306 protocol mysql with timeout 15 seconds then alert
|
|
||||||
# if failed port 80 protocol http
|
|
||||||
# and request /some/path with content = "a string"
|
|
||||||
# then alert
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Check a network link status (up/down), link capacity changes, saturation
|
|
||||||
## and bandwidth usage.
|
|
||||||
#
|
|
||||||
# check network public with interface eth0
|
|
||||||
# if failed link then alert
|
|
||||||
# if changed link then alert
|
|
||||||
# if saturation > 90% then alert
|
|
||||||
# if download > 10 MB/s then alert
|
|
||||||
# if total uploaded > 1 GB in last hour then alert
|
|
||||||
#
|
|
||||||
#
|
|
||||||
## Check custom program status output.
|
|
||||||
#
|
|
||||||
# check program myscript with path /usr/local/bin/myscript.sh
|
|
||||||
# if status != 0 then alert
|
|
||||||
#
|
|
||||||
#
|
|
||||||
###############################################################################
|
|
||||||
## Includes
|
|
||||||
###############################################################################
|
|
||||||
##
|
|
||||||
## It is possible to include additional configuration parts from other files or
|
|
||||||
## directories.
|
|
||||||
#
|
|
||||||
include /etc/monit/conf.d/*
|
|
||||||
include /etc/monit/conf-enabled/*
|
|
||||||
#
|
|
|
@ -1,10 +0,0 @@
|
||||||
[Service]
|
|
||||||
Type=simple
|
|
||||||
KillMode=process
|
|
||||||
ExecStart=/etc/init.d/monit start
|
|
||||||
ExecStop=/etc/init.d/monit stop
|
|
||||||
ExecReload=/etc/init.d/monit reload
|
|
||||||
Restart=always
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
|
@ -3,6 +3,6 @@
|
||||||
# -------------------------------------------
|
# -------------------------------------------
|
||||||
node.reverse_merge!({
|
node.reverse_merge!({
|
||||||
'nginx' => {
|
'nginx' => {
|
||||||
'version' => '1.17.5'
|
'version' => '1.19.3'
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
|
@ -4,12 +4,12 @@ include_recipe './attributes.rb'
|
||||||
# Kernel Parameters:
|
# Kernel Parameters:
|
||||||
include_recipe './kernel.rb'
|
include_recipe './kernel.rb'
|
||||||
|
|
||||||
# Install Let's Encrypt:
|
|
||||||
include_recipe './lego.rb'
|
|
||||||
|
|
||||||
# Prerequisites for Building nginx:
|
# Prerequisites for Building nginx:
|
||||||
include_recipe './webadm.rb'
|
include_recipe './webadm.rb'
|
||||||
|
|
||||||
|
# Install Let's Encrypt:
|
||||||
|
include_recipe './lego.rb'
|
||||||
|
|
||||||
# Build nginx:
|
# Build nginx:
|
||||||
include_recipe './build.rb'
|
include_recipe './build.rb'
|
||||||
|
|
||||||
|
|
|
@ -13,11 +13,13 @@ remote_file '/etc/sudoers.d/webadm' do
|
||||||
mode '440'
|
mode '440'
|
||||||
end
|
end
|
||||||
|
|
||||||
# Create `.ssh` directory:
|
# Create directories:
|
||||||
directory '/home/webadm/.ssh' do
|
%w(/home/webadm/.ssh /home/webadm/repo).each do |d|
|
||||||
owner 'webadm'
|
directory d do
|
||||||
group 'webadm'
|
owner 'webadm'
|
||||||
mode '700'
|
group 'webadm'
|
||||||
|
mode '700'
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# Deploy `~/.ssh/.ssh/authorized_keys`:
|
# Deploy `~/.ssh/.ssh/authorized_keys`:
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
include_recipe '../cookbooks/base/default.rb'
|
include_recipe '../cookbooks/base/default.rb'
|
||||||
include_recipe '../cookbooks/kazu634/default.rb'
|
include_recipe '../cookbooks/kazu634/default.rb'
|
||||||
include_recipe '../cookbooks/supervisor/default.rb'
|
include_recipe '../cookbooks/supervisor/default.rb'
|
||||||
include_recipe '../cookbooks/monit/default.rb'
|
|
||||||
include_recipe '../cookbooks/consul/default.rb'
|
include_recipe '../cookbooks/consul/default.rb'
|
||||||
include_recipe '../cookbooks/fzf/default.rb'
|
include_recipe '../cookbooks/fzf/default.rb'
|
||||||
include_recipe '../cookbooks/promtail/default.rb'
|
include_recipe '../cookbooks/promtail/default.rb'
|
||||||
|
|
Loading…
Reference in New Issue