def setup_global_vars():
    """Load the certificate and plugin settings into module-level globals."""
    global cert_server, cert_server_path, cert_copy_to_path, SYCO_PLUGIN_PATH

    general_cfg = config.general
    cert_server = general_cfg.get_cert_server_ip()
    cert_server_path = general_cfg.get_option('haproxy.remote_cert_path')
    cert_copy_to_path = general_cfg.get_option('haproxy.local_cert_path')

    # Only the first plugin directory that provides /var/haproxy/ is used.
    # NOTE(review): if no plugin provides it, next() presumably raises
    # StopIteration here -- confirm that is the intended failure mode.
    haproxy_plugin_dirs = app.get_syco_plugin_paths("/var/haproxy/")
    SYCO_PLUGIN_PATH = next(haproxy_plugin_dirs)
def install_haproxy(args):
    """Install and configure HAProxy for the environment given on the command line.

    The environment name is read from sys.argv[2]; the ``args`` parameter is
    not used. The name must be one of the values returned by
    get_environments(), otherwise print_killmessage() is called.
    """
    # Settings are published as module-level globals.
    # NOTE(review): HAPROXY_ENV is assigned below but is not listed here, so
    # that assignment is local to this function -- confirm no helper expects
    # to read it as a module global.
    global CERT_SERVER, CERT_SERVER_PATH, CERT_COPY_TO_PATH, SYCO_PLUGIN_PATH, ACCEPTED_HAPROXY_ENV
    CERT_SERVER = config.general.get_cert_server_ip()
    CERT_SERVER_PATH = config.general.get_option('haproxy.remote_cert_path')
    CERT_COPY_TO_PATH = config.general.get_option('haproxy.local_cert_path')
    # Only the first plugin directory that provides /var/haproxy/ is used.
    SYCO_PLUGIN_PATH = app.get_syco_plugin_paths("/var/haproxy/").next()
    ACCEPTED_HAPROXY_ENV = get_environments()

    # Exactly one argument after the command name is expected.
    # NOTE(review): the checks below only protect the install steps if
    # print_killmessage() terminates the process -- confirm it does not return.
    if len(sys.argv) != 3:
        print_killmessage()
    else:
        HAPROXY_ENV = sys.argv[2]

    # Allow-list check: the environment must match a config file shipped by a
    # plugin before anything is installed.
    if HAPROXY_ENV.lower() not in ACCEPTED_HAPROXY_ENV:
        print_killmessage()

    app.print_verbose("Install HA Proxy version: %d" % script_version)
    version_obj = version.Version("InstallHaproxy", script_version)
    version_obj.check_executed()
    os.chdir("/")

    x("yum install -y tcl haproxy")
    _configure_iptables()
    _copy_certificate_files()
    _configure_haproxy()

    # Recorded only after every step above has run.
    version_obj.mark_executed()
def install_keepalived(args):
    """Install and configure keepalived for the environment named in args[1].

    ``args`` must hold exactly two items; the second is the environment name,
    which must be one of the values returned by get_environments(). On a
    wrong argument count or an unknown environment print_killmessage() is
    called.
    """
    # ka_env is declared global, so the assignment below is visible to the
    # rest of the module.
    global SYCO_PLUGIN_PATH, ACCEPTED_KA_ENV, ka_env
    # Only the first plugin directory that provides /var/keepalived/ is used.
    SYCO_PLUGIN_PATH = app.get_syco_plugin_paths("/var/keepalived/").next()
    ACCEPTED_KA_ENV = get_environments()

    # NOTE(review): the checks below only protect the install steps if
    # print_killmessage() terminates the process -- confirm it does not return.
    if len(args) != 2:
        print_killmessage()
    else:
        ka_env = args[1]

    # Allow-list check before anything is installed.
    if ka_env.lower() not in ACCEPTED_KA_ENV:
        print_killmessage()

    app.print_verbose("Install Keepalived version: %d" % script_version)
    version_obj = version.Version("InstallKeepalived", script_version)
    version_obj.check_executed()
    os.chdir("/")

    install_packages("keepalived")
    _configure_keepalived()

    # Adding iptables rules
    iptables_setup()
    save()

    # Recorded only after every step above has run.
    version_obj.mark_executed()
def install_haproxy(args):
    """Install HAProxy, open the firewall for it and apply the syco config.

    The ``args`` parameter is not used; the argument count is taken from
    sys.argv and the environment and state are checked by haproxy_env() and
    haproxy_state().
    """
    global CERT_SERVER, CERT_SERVER_PATH, CERT_COPY_TO_PATH, SYCO_PLUGIN_PATH

    app.print_verbose("Install HA Proxy version: %d" % script_version)
    run_guard = version.Version("InstallHaproxy", script_version)
    run_guard.check_executed()

    general_cfg = config.general
    CERT_SERVER = general_cfg.get_cert_server_ip()
    CERT_SERVER_PATH = general_cfg.get_option('haproxy.remote_cert_path')
    CERT_COPY_TO_PATH = general_cfg.get_option('haproxy.local_cert_path')
    # Only the first plugin directory that provides /var/haproxy/ is used.
    SYCO_PLUGIN_PATH = next(app.get_syco_plugin_paths("/var/haproxy/"))

    # Validate all command line parameters.
    # NOTE(review): this only stops the install if print_killmessage()
    # terminates the process -- confirm it does not return.
    argument_count = len(sys.argv)
    if argument_count != 4:
        print_killmessage()
    haproxy_env()
    haproxy_state()

    x("yum install -y tcl haproxy")
    iptables.add_haproxy_chain()
    iptables.save()
    _copy_certificate_files()
    _configure_haproxy()

    # Recorded only after every step above has run.
    run_guard.mark_executed()
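def get_environments():
    """List all accepted environments from plugin folders.

    An environment is the part of a file name in front of the
    ``.haproxy.cfg`` suffix, collected from the /var/haproxy/ folder of every
    syco plugin.

    Returns:
        list of environment names, in directory-listing order.
    """
    suffix = ".haproxy.cfg"
    environments = []
    for path in app.get_syco_plugin_paths("/var/haproxy/"):
        for file_name in os.listdir(path):
            # The suffix has to end the file name. An unanchored match would
            # also accept leftovers such as "prod.haproxy.cfg.bak" and report
            # an environment that has no usable config file, which weakens
            # the allow-list the installers check user input against.
            if file_name.endswith(suffix):
                environments.append(file_name[:-len(suffix)])
    return environments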
def _install_nrpe_plugins(): """Install NRPE-plugins (to be executed remoteley) and SELinux-rules.""" # Install packages and their dependencies. _install_nrpe_plugins_dependencies() x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH, PLG_PATH)) for plugin_path in app.get_syco_plugin_paths("/var/icinga/plugins/"): x("cp -p {0}* {1}".format(plugin_path, PLG_PATH)) # Set the sssd password nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg") nrpe_config.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password()) nrpe_config.replace("$(LDAPURL)", config.general.get_ldap_hostname()) nrpe_config.replace("$(SQLPASS)", app.get_mysql_monitor_password().replace("&","\&").replace("/","\/")) # Set name of main disk host_config = config.host(net.get_hostname()) if host_config.is_guest(): nrpe_config.replace("${MAINDISK}", "vda") elif host_config.is_firewall() or host_config.is_host(): nrpe_config.replace("${MAINDISK}", "sda") # Change ownership of plugins to nrpe (from icinga/nagios) x("chmod -R 550 /usr/lib64/nagios/plugins/") x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/") # Set SELinux roles to allow NRPE execution of binaries such as python/perl. # Corresponding .te-files summarize rule content x("mkdir -p /var/lib/syco_selinux_modules") rule_path_list = list_plugin_files("/var/nagios/selinux_rules") for path in rule_path_list: x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(path)) x("semodule -i /var/lib/syco_selinux_modules/*.pp") # Fix some SELinux rules on custom plugins. _fix_selinux("nagios_unconfined_plugin_exec_t", "check_disk") _fix_selinux("nagios_services_plugin_exec_t", "check_ldap.php") _fix_selinux("nagios_services_plugin_exec_t", "check_iptables.py") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_clam*") # TODO?? 
#_fix_selinux("nagios_unconfined_plugin_exec_t", "pmp-check-mysql*") #_fix_selinux("nagios_unconfined_plugin_exec_t", "farpayment_stats.py") #_fix_selinux("nagios_unconfined_plugin_exec_t", "rentalfront_stats.py") #_fix_selinux("nagios_unconfined_plugin_exec_t", "checkMySQLProcesslist.sh") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_connections.pl") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_procs.sh") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_ulimit.py") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_hpasm") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_hparray") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_ifutil.pl") # New in centos 6.7 x("setsebool -P nagios_run_sudo 1")
def _install_nrpe_plugins():
    """Install NRPE-plugins (to be executed remotely) and SELinux-rules.

    Copies the bundled and plugin-provided checks into PLG_PATH, fills the
    credential and disk placeholders in the NRPE common config, hands the
    plugin directory to the nrpe user, restores the default SELinux labels
    and then installs the extra modules and labels the checks need.
    """
    # Install packages and their dependencies.
    _install_nrpe_plugins_dependencies()
    x("cp -p -r {0}lib/nagios/plugins_nrpe/* {1}".format(
        constant.SYCO_PATH, PLG_PATH))
    for plugin_path in app.get_syco_plugin_paths("/var/icinga/plugins/"):
        x("cp -p -r {0}* {1}".format(plugin_path, PLG_PATH))

    # Set the sssd password
    # NOTE(review): this writes the LDAP and MySQL monitor passwords in clear
    # text into common.cfg -- confirm the file is readable only by root and
    # the nrpe user.
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    nrpe_config.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    nrpe_config.replace("$(LDAPURL)", config.general.get_ldap_hostname())
    # NOTE(review): the passwords are substituted as-is; if scOpen.replace is
    # sed-backed, characters such as "&" or "/" in a password would need
    # escaping -- confirm.
    nrpe_config.replace("$(SQLPASS)", app.get_mysql_monitor_password())

    # Set name of main disk
    host_config = config.host(net.get_hostname())
    if host_config.is_guest():
        nrpe_config.replace("${MAINDISK}", "vda")
    elif host_config.is_firewall() or host_config.is_host():
        nrpe_config.replace("${MAINDISK}", "sda")

    # Change ownership of plugins to nrpe (from icinga/nagios)
    # Mode 550: owner and group may read and execute, nobody may write.
    x("chmod -R 550 /usr/lib64/nagios/plugins/")
    x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")

    # Restore default selinux context for plugins, this should solve most selinux issues
    x("restorecon -r {0}".format(PLG_PATH))

    # Set SELinux roles to allow NRPE execution of binaries such as python/perl.
    # Corresponding .te-files summarize rule content
    x("mkdir -p /var/lib/syco_selinux_modules")
    rule_path_list = list_plugin_files("/var/nagios/selinux_rules")
    for path in rule_path_list:
        x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(path))
    # The glob installs every compiled module present in the directory, not
    # only the ones copied by this run.
    x("semodule -i /var/lib/syco_selinux_modules/*.pp")

    # Fix some SELinux rules on custom plugins.
    # NOTE(review): checks labelled nagios_unconfined_plugin_exec_t presumably
    # run outside the confined nagios plugin domains; keep that list as short
    # as the checks allow.
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_disk")
    _fix_selinux("nagios_services_plugin_exec_t", "check_ldap.php")
    _fix_selinux("nagios_services_plugin_exec_t", "check_iptables.py")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_clam*")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_connections.pl")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_procs.sh")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_ulimit.py")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_hpasm")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_hparray")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_ifutil.pl")

    # New in centos 6.7
    # Persistently (-P) enables the boolean that lets NRPE checks call sudo;
    # the sudoers entries for the nrpe user then decide what may actually run.
    x("setsebool -P nagios_run_sudo 1")
def main():
    """
    Entry point of the script.

    Builds the option parser, parses the command line and runs the requested
    syco command. The help text is printed when no command is given. A
    version.VersionException raised by the command is reported through
    app.print_error instead of propagating.

    """
    cmd_list = Commands()

    usage = "".join([
        "usage: %prog [options] command\n\n",
        "Commands:\n",
        cmd_list.get_help(),
    ])

    # The --version text names the git commit of syco and of every plugin, so
    # the exact code that ran as root can be identified afterwards.
    version_parts = ["System Console {0}, syco(git {1})".format(
        app.version, get_last_git_commit('/opt/syco'))]
    for plugin_path in app.get_syco_plugin_paths():
        version_parts.append(", {0}(git {1})".format(
            os.path.basename(plugin_path), get_last_git_commit(plugin_path)))
    info = "".join(version_parts)

    parser = OptionParser(usage=usage, version=info, add_help_option=True)
    app.parser = parser
    parser.add_option("-v", "--verbose", action="store_const", const=2,
                      dest="verbose", default=1, help="Show more output.")
    parser.add_option("-q", "--quiet", action="store_const", const=0,
                      dest="verbose", help="Show no output.")
    # --force makes the tool ignore version.cfg (see the option's help text).
    parser.add_option("-f", "--force", action="store_const", const=1,
                      dest="force", default=0, help="Ignore version.cfg.")

    app.options, args = parser.parse_args()
    app.print_verbose(parser.get_version())

    # "len(args) < 1 and 2 > len(args)" reduces to "no positional argument".
    if len(args) < 1:
        parser.print_help()
        return

    try:
        cmd_list.execute(args)
    except version.VersionException as e:
        app.print_error(repr(e.args))
def install_squid(args):
    """Install the Squid caching proxy, open the firewall and configure it.

    The ``args`` parameter is not used.
    """
    global SYCO_PLUGIN_PATH, ACCEPTED_SQUID_ENV

    # Only the first plugin directory that provides /var/squid/ is used.
    squid_plugin_dirs = app.get_syco_plugin_paths("/var/squid/")
    SYCO_PLUGIN_PATH = str(next(squid_plugin_dirs))

    app.print_verbose("Install Squid Caching Proxy version: %d" % script_version)
    run_guard = version.Version("InstallSquid", script_version)
    run_guard.check_executed()

    os.chdir("/")
    x("yum install -y squid")
    _configure_iptables()
    _configure_squid()

    # Recorded only after every step above has run.
    run_guard.mark_executed()
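def _configure_haproxy(env, state):
    """Install the haproxy config for *env* and restart the service.

    Keeps a copy of the current haproxy.cfg as org.haproxy.cfg, copies
    ``<env>.haproxy.cfg`` and error.html from every syco plugin's
    /var/haproxy/ folder, substitutes the ${ENV_IP} and ${ENV_IP_ALIAS} tags,
    applies state and credentials, then enables and restarts haproxy.

    Args:
        env: environment name selecting ``<env>.haproxy.cfg``.
        state: passed on to _configure_haproxy_state().
    """
    x("cp {0}haproxy.cfg {0}org.haproxy.cfg".format(HAPROXY_CONF_DIR))

    # Every plugin path copies to the same target, so a later plugin
    # overwrites the files of an earlier one.
    # NOTE(review): path and env are formatted into the command line
    # unquoted; presumably x() runs it through a shell, so callers should only
    # pass an env that was checked against the known environment names -- confirm.
    for path in app.get_syco_plugin_paths("/var/haproxy/"):
        app.print_verbose("Copy config files from %s" % path)
        x("cp {0}/{1}.haproxy.cfg {2}haproxy.cfg".format(path, env, HAPROXY_CONF_DIR))
        x("cp {0}/error.html {1}error.html".format(path, HAPROXY_CONF_DIR))

    scopen.scOpen(HAPROXY_CONF).replace("${ENV_IP}", get_ip_address('eth1'))

    # Read the config through a context manager so the file handle is closed
    # right away instead of being left to the garbage collector.
    with open(HAPROXY_CONF) as conf_file:
        conf_text = conf_file.read()
    if '${ENV_IP_ALIAS' in conf_text:
        scopen.scOpen(HAPROXY_CONF).replace("${ENV_IP_ALIAS}", get_ip_address('eth1:1'))

    _configure_haproxy_state(state)
    _configure_credentials(env)
    _chkconfig("haproxy", "on")
    _service("haproxy", "restart")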
def _copy_conf(file_ext, to_folder, active_dc):
    '''
    Copy every file ending in file_ext from the DNS folder of each syco
    plugin into to_folder and run _replace_tags on each copy.

    WARNING: If several syco plugins are installed with their own named.conf
    and zone files, files with the same name overwrite each other in
    to_folder and that might break the installation.

    '''
    nameserver = config.general.get_nameserver_server()
    subdir = config.host(nameserver).get_bind_conf_subdir()

    # A non-empty sub folder is joined to the plugin path with a leading "/".
    has_subdir = len(subdir) > 0
    if has_subdir and not subdir.startswith('/'):
        subdir = "/" + subdir

    app.print_verbose("\nCopy config/zone files from all syco plugin modules into a named folder.")
    for plugin_path in app.get_syco_plugin_paths("/var/dns"):
        source_dir = plugin_path + subdir
        for zone_fn in os.listdir(source_dir):
            if not zone_fn.endswith(file_ext):
                continue

            app.print_verbose("\nConfigure file {0}".format(zone_fn))
            # NOTE(review): the file name is formatted into the command line
            # unquoted; presumably x() runs it through a shell, so names with
            # spaces or shell metacharacters in a plugin folder would not be
            # copied as intended -- confirm.
            x("cp {0}/{1} {2}".format(source_dir, zone_fn, to_folder))
            _replace_tags("{0}{1}".format(to_folder, zone_fn), active_dc)
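def _configure_haproxy(env, state):
    """Install the haproxy config for *env*, restart haproxy and lock the jail.

    Keeps a copy of the current haproxy.cfg as org.haproxy.cfg, copies
    ``<env>.haproxy.cfg``, error.html and errors.xml from every syco plugin's
    /var/haproxy/ folder, substitutes the ${ENV_IP} and ${ENV_IP_ALIAS} tags
    with addresses of the front NIC, applies state and credentials, enables
    and restarts haproxy, sets up monitoring and removes all permissions from
    /var/lib/haproxy.

    Args:
        env: environment name selecting ``<env>.haproxy.cfg``.
        state: passed on to _configure_haproxy_state().
    """
    x("cp {0}haproxy.cfg {0}org.haproxy.cfg".format(HAPROXY_CONF_DIR))

    # Every plugin path copies to the same target, so a later plugin
    # overwrites the files of an earlier one.
    # NOTE(review): path and env are formatted into the command line
    # unquoted; presumably x() runs it through a shell, so callers should only
    # pass an env that was checked against the known environment names -- confirm.
    for path in app.get_syco_plugin_paths("/var/haproxy/"):
        app.print_verbose("Copy config files from %s" % path)
        x("cp {0}/{1}.haproxy.cfg {2}haproxy.cfg".format(path, env, HAPROXY_CONF_DIR))
        x("cp {0}/error.html {1}".format(path, HAPROXY_CONF_DIR))
        x("cp -R {0}/errors.xml {1}".format(path, HAPROXY_CONF_DIR))

    ifname = get_front_nic_name()
    scopen.scOpen(HAPROXY_CONF).replace("${ENV_IP}", get_first_ip_from_nic(ifname))

    # Read the config through a context manager so the file handle is closed
    # right away instead of being left to the garbage collector.
    with open(HAPROXY_CONF) as conf_file:
        conf_text = conf_file.read()
    if '${ENV_IP_ALIAS' in conf_text:
        scopen.scOpen(HAPROXY_CONF).replace("${ENV_IP_ALIAS}", get_first_ip_from_nic('{0}:1'.format(ifname)))

    _configure_haproxy_state(state)
    _configure_credentials(env)
    _chkconfig("haproxy", "on")
    _service("haproxy", "restart")
    _setup_monitoring()

    # chroot jail should not be accessible by anyone.
    x("chmod 000 /var/lib/haproxy")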
def main():
    """
    Entry point of the script.

    Builds the option parser, parses the command line and runs the requested
    syco command. The help text is printed when no command is given. A
    version.VersionException raised by the command is reported through
    app.print_error instead of propagating.

    """
    cmd_list = Commands()

    usage = "".join([
        "usage: %prog [options] command\n\n",
        "Commands:\n",
        cmd_list.get_help(),
    ])

    # The --version text names the git commit of syco and of every plugin, so
    # the exact code that ran as root can be identified afterwards.
    version_parts = ["System Console {0}, syco(git {1})".format(
        app.version, get_last_git_commit('/opt/syco'))]
    for plugin_path in app.get_syco_plugin_paths():
        version_parts.append(", {0}(git {1})".format(
            os.path.basename(plugin_path), get_last_git_commit(plugin_path)))
    info = "".join(version_parts)

    parser = OptionParser(usage=usage, version=info, add_help_option=True)
    app.parser = parser
    parser.add_option("-v", "--verbose", action="store_const", const=2,
                      dest="verbose", default=1, help="Show more output.")
    parser.add_option("-q", "--quiet", action="store_const", const=0,
                      dest="verbose", help="Show no output.")
    # --force makes the tool ignore version.cfg (see the option's help text).
    parser.add_option("-f", "--force", action="store_const", const=1,
                      dest="force", default=0, help="Ignore version.cfg.")

    app.options, args = parser.parse_args()
    app.print_verbose(parser.get_version())

    # "len(args) < 1 and 2 > len(args)" reduces to "no positional argument".
    if len(args) < 1:
        parser.print_help()
        return

    try:
        cmd_list.execute(args)
    except version.VersionException as e:
        app.print_error(repr(e.args))
def install_keepalived(args):
    """Install and configure keepalived for the environment given on the command line.

    The environment name is read from sys.argv[2]; the ``args`` parameter is
    not used. The name must be one of the values returned by
    get_environments(), otherwise print_killmessage() is called.
    """
    # NOTE(review): KA_ENV is assigned below but is not listed here, so that
    # assignment is local to this function -- confirm no helper expects to
    # read it as a module global.
    global SYCO_PLUGIN_PATH, ACCEPTED_KA_ENV
    # Only the first plugin directory that provides /var/keepalived/ is used.
    SYCO_PLUGIN_PATH = app.get_syco_plugin_paths("/var/keepalived/").next()
    ACCEPTED_KA_ENV = get_environments()

    # Exactly one argument after the command name is expected.
    # NOTE(review): the checks below only protect the install steps if
    # print_killmessage() terminates the process -- confirm it does not return.
    if len(sys.argv) != 3:
        print_killmessage()
    else:
        KA_ENV = sys.argv[2]

    # Allow-list check before anything is installed.
    if KA_ENV.lower() not in ACCEPTED_KA_ENV:
        print_killmessage()

    app.print_verbose("Install Keepalived version: %d" % script_version)
    version_obj = version.Version("InstallKeepalived", script_version)
    version_obj.check_executed()
    os.chdir("/")

    x("yum install -y keepalived")
    _configure_iptables()
    _configure_keepalived()

    # Recorded only after every step above has run.
    version_obj.mark_executed()
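def _configure_haproxy(env, state):
    """Install the haproxy config for *env*, restart haproxy and lock the jail.

    Keeps a copy of the current haproxy.cfg as org.haproxy.cfg, copies
    ``<env>.haproxy.cfg``, error.html and errors.xml from every syco plugin's
    /var/haproxy/ folder, substitutes the ${ENV_IP} and ${ENV_IP_ALIAS} tags
    with addresses of the front NIC, applies state and credentials, enables
    and restarts haproxy, sets up monitoring and removes all permissions from
    /var/lib/haproxy.

    Args:
        env: environment name selecting ``<env>.haproxy.cfg``.
        state: passed on to _configure_haproxy_state().
    """
    x("cp {0}haproxy.cfg {0}org.haproxy.cfg".format(HAPROXY_CONF_DIR))

    # Every plugin path copies to the same target, so a later plugin
    # overwrites the files of an earlier one.
    # NOTE(review): path and env are formatted into the command line
    # unquoted; presumably x() runs it through a shell, so callers should only
    # pass an env that was checked against the known environment names -- confirm.
    for path in app.get_syco_plugin_paths("/var/haproxy/"):
        app.print_verbose("Copy config files from %s" % path)
        x("cp {0}/{1}.haproxy.cfg {2}haproxy.cfg".format(
            path, env, HAPROXY_CONF_DIR))
        x("cp {0}/error.html {1}".format(path, HAPROXY_CONF_DIR))
        x("cp -R {0}/errors.xml {1}".format(path, HAPROXY_CONF_DIR))

    ifname = get_front_nic_name()
    scopen.scOpen(HAPROXY_CONF).replace("${ENV_IP}",
                                        get_first_ip_from_nic(ifname))

    # Read the config through a context manager so the file handle is closed
    # right away instead of being left to the garbage collector.
    with open(HAPROXY_CONF) as conf_file:
        conf_text = conf_file.read()
    if '${ENV_IP_ALIAS' in conf_text:
        scopen.scOpen(HAPROXY_CONF).replace(
            "${ENV_IP_ALIAS}", get_first_ip_from_nic('{0}:1'.format(ifname)))

    _configure_haproxy_state(state)
    _configure_credentials(env)
    _chkconfig("haproxy", "on")
    _service("haproxy", "restart")
    _setup_monitoring()

    # chroot jail should not be accessible by anyone.
    x("chmod 000 /var/lib/haproxy")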
__license__ = "???"
__version__ = "1.0.0"
__status__ = "Production"

from general import x, download_file
import app
import version
import os
import iptables
import install

# The version of this module, used to prevent the same script version to be
# executed more then once on the same host.
SCRIPT_VERSION = 1

# First plugin directory that provides /var, resolved once when the module is
# imported.
CONF_SOURCE = str(app.get_syco_plugin_paths("/var").next())


def build_commands(commands):
    """Register the install-espower and uninstall-espower commands on *commands*."""
    commands.add(
        "install-espower",
        install_espower,
        help="Install power modules for elastcisearch install-espower logstash version",
    )
    commands.add("uninstall-espower", uninstall_espower, help="Uninstall the power modules for elastic search")


def install_espower(args):
    """Installation of Elastic search passing rule

    Raises:
        Exception: if *args* does not hold exactly two items.
    """
    # The usage text in the message shows the expected call form.
    if len(args) != 2:
        raise Exception("syco install-espower Logstash Version [syco install-es 1.4.2]")
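# Common classes/functions that are used by the project.
sys.path.append(sys.path[0] + "/common/")
import app
import version
import general

# NOTE(review): presumably aborts unless the script runs as root -- confirm.
# Every module imported below therefore executes with root privileges, so the
# public and plugin directories should be writable by root only.
general.require_linux_user("root")

# Files published to public repos.
sys.path.append(app.SYCO_PUBLIC_PATH)

# Import all py files including syco commands.
command_dir = os.listdir(app.SYCO_PUBLIC_PATH)

# Files only available in private user repos.
for plugin_path in app.get_syco_plugin_paths("/bin/"):
    sys.path.append(plugin_path)
    if os.path.isdir(plugin_path):
        command_dir += os.listdir(plugin_path)

for module in command_dir:
    # Skip the package marker, compiled files, shell scripts and names ending
    # in "led".
    if module == '__init__.py' or module.endswith(('.pyc', '.sh', 'led')):
        continue
    module = module.replace('.py', '')

    # Bind the imported module under its own name in this module's namespace.
    # This used to be done by exec'ing a source string assembled from the
    # directory entry name, which would run any Python text embedded in a
    # crafted file name; a direct __import__ treats the name purely as data.
    globals()[module] = __import__(module, globals(), locals())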