Пример #1
def setup_global_vars():
    """Populate the module-level certificate and plugin-path settings.

    Rebinds four module globals from the general config and from the first
    plugin path reported for "/var/haproxy/". Returns nothing.
    """
    global cert_server, cert_server_path, cert_copy_to_path, SYCO_PLUGIN_PATH

    general_cfg = config.general

    cert_server = general_cfg.get_cert_server_ip()
    # Option names suggest: certificate location on the certificate server,
    # and the location of the local copy.
    cert_server_path = general_cfg.get_option('haproxy.remote_cert_path')
    cert_copy_to_path = general_cfg.get_option('haproxy.local_cert_path')

    # Only the first reported plugin path is kept.
    # NOTE(review): presumably an iterator -- .next() would then raise
    # StopIteration when no plugin provides this directory.
    haproxy_plugin_dirs = app.get_syco_plugin_paths("/var/haproxy/")
    SYCO_PLUGIN_PATH = haproxy_plugin_dirs.next()
Пример #2
def install_haproxy(args):
    """Install HAProxy and configure it for the environment named on the command line.

    Rebinds the module-level certificate/plugin settings, checks the requested
    environment against the names returned by get_environments(), installs the
    packages and then runs the iptables, certificate and haproxy configuration
    helpers. The work is bracketed by version_obj.check_executed() and
    version_obj.mark_executed().

    NOTE(review): the `args` parameter is never read; the environment name is
    taken from sys.argv directly.
    """
    global CERT_SERVER, CERT_SERVER_PATH, CERT_COPY_TO_PATH, SYCO_PLUGIN_PATH, ACCEPTED_HAPROXY_ENV

    CERT_SERVER = config.general.get_cert_server_ip()
    CERT_SERVER_PATH = config.general.get_option('haproxy.remote_cert_path')
    CERT_COPY_TO_PATH = config.general.get_option('haproxy.local_cert_path')
    SYCO_PLUGIN_PATH = app.get_syco_plugin_paths("/var/haproxy/").next()
    # The accepted names act as the allow-list for the environment argument.
    ACCEPTED_HAPROXY_ENV = get_environments()

    # Argument validation.
    # NOTE(review): HAPROXY_ENV is a local that is only bound in the else
    # branch, and both checks depend on print_killmessage() (defined elsewhere)
    # not returning. Confirm it terminates the process; if it returns, an
    # environment name outside the allow-list reaches the install steps below.
    if len(sys.argv) != 3:
        print_killmessage()
    else:
        HAPROXY_ENV = sys.argv[2]

    # The input is lower-cased for the comparison but the accepted names are
    # not, so an accepted name containing upper-case letters can never match.
    if HAPROXY_ENV.lower() not in ACCEPTED_HAPROXY_ENV:
        print_killmessage()

    app.print_verbose("Install HA Proxy version: %d" % script_version)
    version_obj = version.Version("InstallHaproxy", script_version)
    # presumably stops here when this script version has already been applied
    # on the host -- confirm against version.Version
    version_obj.check_executed()
    os.chdir("/")

    # x() is defined elsewhere; presumably it runs the string as a command.
    x("yum install -y tcl haproxy")
    _configure_iptables()
    _copy_certificate_files()
    _configure_haproxy()

    version_obj.mark_executed()
Пример #3
def install_keepalived(args):
    """Install keepalived and configure it for the environment in args[1].

    Checks the requested environment against the names returned by
    get_environments(), installs the package, writes the keepalived
    configuration and then sets up and saves the iptables rules. The work is
    bracketed by version_obj.check_executed() and version_obj.mark_executed().
    """
    global SYCO_PLUGIN_PATH, ACCEPTED_KA_ENV, ka_env

    SYCO_PLUGIN_PATH = app.get_syco_plugin_paths("/var/keepalived/").next()
    # The accepted names act as the allow-list for the environment argument.
    ACCEPTED_KA_ENV = get_environments()

    # Argument validation.
    # NOTE(review): ka_env is a module global that is only (re)bound in the
    # else branch, and both checks depend on print_killmessage() (defined
    # elsewhere) not returning. Confirm it terminates the process; if it
    # returns, a stale or unlisted environment name reaches the install steps.
    if len(args) != 2:
        print_killmessage()
    else:
        ka_env = args[1]

    # The input is lower-cased for the comparison but the accepted names are
    # not, so an accepted name containing upper-case letters can never match.
    if ka_env.lower() not in ACCEPTED_KA_ENV:
        print_killmessage()

    app.print_verbose("Install Keepalived version: %d" % script_version)
    version_obj = version.Version("InstallKeepalived", script_version)
    # presumably stops here when this script version has already been applied
    # on the host -- confirm against version.Version
    version_obj.check_executed()
    os.chdir("/")

    install_packages("keepalived")
    _configure_keepalived()

    # Adding iptables rules
    # The rules are added after keepalived has been configured and are then
    # persisted with save(); both helpers are defined elsewhere.
    iptables_setup()
    save()

    version_obj.mark_executed()
Пример #4
def setup_global_vars():
    """Load the HAProxy certificate settings and plugin path into module globals.

    The certificate server address and the two certificate path options come
    from config.general; the plugin path is the first entry reported for
    "/var/haproxy/". The function has no return value.
    """
    global cert_server, cert_server_path, cert_copy_to_path, SYCO_PLUGIN_PATH

    settings = config.general
    cert_server = settings.get_cert_server_ip()

    remote_key = 'haproxy.remote_cert_path'
    local_key = 'haproxy.local_cert_path'
    cert_server_path = settings.get_option(remote_key)
    cert_copy_to_path = settings.get_option(local_key)

    # NOTE(review): .next() takes only the first plugin path; presumably this
    # raises StopIteration when no plugin ships a /var/haproxy/ directory.
    SYCO_PLUGIN_PATH = app.get_syco_plugin_paths("/var/haproxy/").next()
Пример #5
def install_haproxy(args):
    """Install HAProxy, add its iptables chain and copy certificates and config.

    Rebinds the module-level certificate/plugin settings, validates the
    command line, installs the packages, adds and saves the haproxy iptables
    chain and then runs the certificate and haproxy configuration helpers.
    The work is bracketed by version_obj.check_executed() and
    version_obj.mark_executed().

    NOTE(review): the `args` parameter is never read; the command line is
    inspected through sys.argv.
    """
    app.print_verbose("Install HA Proxy version: %d" % script_version)
    version_obj = version.Version("InstallHaproxy", script_version)
    # presumably stops here when this script version has already been applied
    # on the host -- confirm against version.Version
    version_obj.check_executed()

    global CERT_SERVER, CERT_SERVER_PATH, CERT_COPY_TO_PATH, SYCO_PLUGIN_PATH
    CERT_SERVER = config.general.get_cert_server_ip()
    CERT_SERVER_PATH = config.general.get_option('haproxy.remote_cert_path')
    CERT_COPY_TO_PATH = config.general.get_option('haproxy.local_cert_path')
    SYCO_PLUGIN_PATH = app.get_syco_plugin_paths("/var/haproxy/").next()

    # Validate all command line parameters.
    # NOTE(review): this only works as a gate if print_killmessage() (defined
    # elsewhere) does not return -- confirm it terminates the process.
    if len(sys.argv) != 4:
        print_killmessage()

    # Both helpers take no arguments, so presumably they read and validate
    # the environment and state from sys.argv themselves -- TODO confirm.
    haproxy_env()
    haproxy_state()

    # x() is defined elsewhere; presumably it runs the string as a command.
    x("yum install -y tcl haproxy")
    # The firewall chain is added and saved before certificates and the
    # haproxy configuration are put in place.
    iptables.add_haproxy_chain()
    iptables.save()
    _copy_certificate_files()
    _configure_haproxy()

    version_obj.mark_executed()
Пример #6
def get_environments():
    """Return the environment names found in the plugin "/var/haproxy/" folders.

    Every directory entry whose name matches `<name>.haproxy.cfg` contributes
    `<name>`, in directory-listing order, one plugin path after another.

    The pattern is not anchored at the end, so an entry such as
    `prod.haproxy.cfg.bak` also contributes `prod`. Duplicates are kept.
    """
    cfg_name = re.compile(r'(.*)\.haproxy\.cfg')
    found = []
    for plugin_dir in app.get_syco_plugin_paths("/var/haproxy/"):
        hits = [cfg_name.search(entry) for entry in os.listdir(plugin_dir)]
        found.extend(hit.group(1) for hit in hits if hit)
    return found
Пример #7
def get_environments():
    """Collect accepted environment names from the plugin folders.

    Scans each plugin path reported for "/var/haproxy/" and returns the part
    of every file name that precedes `.haproxy.cfg`.

    re.search is used without a trailing anchor: a name like
    `prod.haproxy.cfg.rpmsave` is therefore accepted as environment `prod`.
    The list may contain the same name more than once.
    """
    matches = [
        re.search(r'(.*)\.haproxy\.cfg', filename)
        for plugin_dir in app.get_syco_plugin_paths("/var/haproxy/")
        for filename in os.listdir(plugin_dir)
    ]
    return [match.group(1) for match in matches if match is not None]
Пример #8
def _install_nrpe_plugins():
    """Install NRPE plugins (to be executed remotely) and SELinux rules.

    Copies the bundled and plugin-provided NRPE checks into PLG_PATH, fills
    the credential and disk placeholders in /etc/nagios/nrpe.d/common.cfg,
    tightens mode and ownership of the plugin directory, loads the SELinux
    policy modules shipped by the plugins and relabels individual checks.
    """
    # Install packages and their dependencies.
    _install_nrpe_plugins_dependencies()
    x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH, PLG_PATH))
    for plugin_path in app.get_syco_plugin_paths("/var/icinga/plugins/"):
        x("cp -p {0}* {1}".format(plugin_path, PLG_PATH))

    # Set the sssd password
    # NOTE(review): the LDAP and MySQL monitor passwords are substituted into
    # this file, presumably in clear text -- confirm that its owner and mode
    # keep it unreadable to other local accounts.
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    nrpe_config.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    nrpe_config.replace("$(LDAPURL)", config.general.get_ldap_hostname())
    # Only the SQL password has "&" and "/" backslash-escaped, which suggests
    # scOpen.replace() feeds the value to a sed-style substitution. The LDAP
    # password above gets no such escaping -- TODO confirm it cannot contain
    # those characters, or escape it the same way.
    nrpe_config.replace("$(SQLPASS)", app.get_mysql_monitor_password().replace("&","\&").replace("/","\/"))

    # Set name of main disk
    # A host that is neither guest, firewall nor host leaves ${MAINDISK}
    # unreplaced in the config.
    host_config = config.host(net.get_hostname())
    if host_config.is_guest():
        nrpe_config.replace("${MAINDISK}", "vda")
    elif host_config.is_firewall() or host_config.is_host():
        nrpe_config.replace("${MAINDISK}", "sda")

    # Change ownership of plugins to nrpe (from icinga/nagios)
    # 550: read and execute for owner and group, nothing for others, applied
    # recursively before the tree is handed to nrpe:nrpe.
    x("chmod -R 550 /usr/lib64/nagios/plugins/")
    x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")

    # Set SELinux roles to allow NRPE execution of binaries such as python/perl.
    # Corresponding .te-files summarize rule content
    # NOTE(review): every *.pp found in the plugin rule directories is loaded
    # as compiled policy; what it permits can only be reviewed through the
    # matching .te source, so both should be kept together and in sync.
    x("mkdir -p /var/lib/syco_selinux_modules")
    rule_path_list = list_plugin_files("/var/nagios/selinux_rules")
    for path in rule_path_list:
        x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(path))
    x("semodule -i /var/lib/syco_selinux_modules/*.pp")

    # Fix some SELinux rules on custom plugins.
    # First argument looks like an SELinux file type, second a plugin file
    # name or glob -- confirm against _fix_selinux().
    # NOTE(review): most checks receive the *unconfined* plugin type; each
    # entry in that group deserves a reason for not using a confined type.
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_disk")
    _fix_selinux("nagios_services_plugin_exec_t",   "check_ldap.php")
    _fix_selinux("nagios_services_plugin_exec_t",   "check_iptables.py")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_clam*")
    # TODO??
    #_fix_selinux("nagios_unconfined_plugin_exec_t", "pmp-check-mysql*")
    #_fix_selinux("nagios_unconfined_plugin_exec_t", "farpayment_stats.py")
    #_fix_selinux("nagios_unconfined_plugin_exec_t", "rentalfront_stats.py")
    #_fix_selinux("nagios_unconfined_plugin_exec_t", "checkMySQLProcesslist.sh")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_connections.pl")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_procs.sh")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_ulimit.py")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_hpasm")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_hparray")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_ifutil.pl")

    # New in centos 6.7
    # -P makes the boolean persistent. With nagios_run_sudo on, the sudoers
    # entries for the monitoring account decide what a check can do as root,
    # so they belong in the same review as this line.
    x("setsebool -P nagios_run_sudo 1")
Пример #9
def _install_nrpe_plugins():
    """Install NRPE-plugins (to be executed remotely) and SELinux-rules.

    Copies the bundled and plugin-provided NRPE checks into PLG_PATH, fills
    the credential and disk placeholders in /etc/nagios/nrpe.d/common.cfg,
    tightens mode and ownership of the plugin directory, restores the default
    SELinux labels, loads the policy modules shipped by the plugins and
    relabels individual checks.
    """
    # Install packages and their dependencies.
    _install_nrpe_plugins_dependencies()
    x("cp -p -r {0}lib/nagios/plugins_nrpe/* {1}".format(
        constant.SYCO_PATH, PLG_PATH))
    for plugin_path in app.get_syco_plugin_paths("/var/icinga/plugins/"):
        x("cp -p -r {0}* {1}".format(plugin_path, PLG_PATH))

    # Set the sssd password
    # NOTE(review): the LDAP and MySQL monitor passwords are substituted into
    # this file, presumably in clear text -- confirm that its owner and mode
    # keep it unreadable to other local accounts.
    # NOTE(review): the values are passed to replace() unescaped; if
    # scOpen.replace() treats any character specially, a password containing
    # it would corrupt the substitution -- TODO confirm.
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    nrpe_config.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    nrpe_config.replace("$(LDAPURL)", config.general.get_ldap_hostname())
    nrpe_config.replace("$(SQLPASS)", app.get_mysql_monitor_password())

    # Set name of main disk
    # A host that is neither guest, firewall nor host leaves ${MAINDISK}
    # unreplaced in the config.
    host_config = config.host(net.get_hostname())
    if host_config.is_guest():
        nrpe_config.replace("${MAINDISK}", "vda")
    elif host_config.is_firewall() or host_config.is_host():
        nrpe_config.replace("${MAINDISK}", "sda")

    # Change ownership of plugins to nrpe (from icinga/nagios)
    # 550: read and execute for owner and group, nothing for others, applied
    # recursively before the tree is handed to nrpe:nrpe.
    x("chmod -R 550 /usr/lib64/nagios/plugins/")
    x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")

    # Restore default selinux context for plugins, this should solve most selinux issues
    # Runs before the explicit relabelling below, so the _fix_selinux() calls
    # are applied on top of the default contexts.
    x("restorecon -r {0}".format(PLG_PATH))

    # Set SELinux roles to allow NRPE execution of binaries such as python/perl.
    # Corresponding .te-files summarize rule content
    # NOTE(review): every *.pp found in the plugin rule directories is loaded
    # as compiled policy; what it permits can only be reviewed through the
    # matching .te source, so both should be kept together and in sync.
    x("mkdir -p /var/lib/syco_selinux_modules")
    rule_path_list = list_plugin_files("/var/nagios/selinux_rules")
    for path in rule_path_list:
        x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(path))
    x("semodule -i /var/lib/syco_selinux_modules/*.pp")

    # Fix some SELinux rules on custom plugins.
    # First argument looks like an SELinux file type, second a plugin file
    # name or glob -- confirm against _fix_selinux().
    # NOTE(review): most checks receive the *unconfined* plugin type; each
    # entry in that group deserves a reason for not using a confined type.
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_disk")
    _fix_selinux("nagios_services_plugin_exec_t", "check_ldap.php")
    _fix_selinux("nagios_services_plugin_exec_t", "check_iptables.py")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_clam*")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_connections.pl")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_procs.sh")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_ulimit.py")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_hpasm")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_hparray")
    _fix_selinux("nagios_unconfined_plugin_exec_t", "check_ifutil.pl")

    # New in centos 6.7
    # -P makes the boolean persistent. With nagios_run_sudo on, the sudoers
    # entries for the monitoring account decide what a check can do as root,
    # so they belong in the same review as this line.
    x("setsebool -P nagios_run_sudo 1")
Пример #10
def main():
    """Parse the command line and run the requested syco command.

    Entry point of the script. Builds the usage and version texts, registers
    the -v/-q/-f options on app.parser, stores the parsed options on
    app.options and hands the positional arguments to Commands.execute().
    A version.VersionException raised by the command is reported through
    app.print_error() instead of propagating.
    """
    commands = Commands()

    usage = "".join([
        "usage: %prog [options] command\n\n",
        "Commands:\n",
        commands.get_help(),
    ])

    # Version banner: syco itself first, then one entry per plugin path.
    banner_parts = [
        "System Console {0}, syco(git {1})".format(
            app.version, get_last_git_commit('/opt/syco'))
    ]
    for plugin_path in app.get_syco_plugin_paths():
        banner_parts.append(", {0}(git {1})".format(
            os.path.basename(plugin_path), get_last_git_commit(plugin_path)))
    info = "".join(banner_parts)

    app.parser = parser = OptionParser(
        usage=usage, version=info, add_help_option=True)

    # -v and -q share the "verbose" destination (default 1).
    # -f presumably bypasses the already-executed check, per its help text.
    option_table = (
        (("-v", "--verbose"),
         dict(action="store_const", const=2, dest="verbose", default=1,
              help="Show more output.")),
        (("-q", "--quiet"),
         dict(action="store_const", const=0, dest="verbose",
              help="Show no output.")),
        (("-f", "--force"),
         dict(action="store_const", const=1, dest="force", default=0,
              help="Ignore version.cfg.")),
    )
    for flags, settings in option_table:
        parser.add_option(*flags, **settings)

    app.options, args = parser.parse_args()

    app.print_verbose(parser.get_version())

    # Same condition as `len(args) < 1 and 2 > len(args)`: no command given.
    if not args:
        parser.print_help()
        return

    try:
        commands.execute(args)
    except version.VersionException as e:
        app.print_error(repr(e.args))
Пример #11
def install_squid(args):
    """Install the Squid caching proxy and apply its firewall and config setup.

    Stores the first plugin path for "/var/squid/" in SYCO_PLUGIN_PATH,
    installs the package and runs the iptables and squid configuration
    helpers. The work is bracketed by check_executed()/mark_executed() on a
    version.Version object; presumably that keeps the same script version
    from being applied twice on a host.

    `args` is not read. ACCEPTED_SQUID_ENV is declared global here but is
    not assigned in this function.
    """
    global SYCO_PLUGIN_PATH, ACCEPTED_SQUID_ENV

    squid_plugin_dirs = app.get_syco_plugin_paths("/var/squid/")
    SYCO_PLUGIN_PATH = str(squid_plugin_dirs.next())

    banner = "Install Squid Caching Proxy version: %d" % script_version
    app.print_verbose(banner)

    run_guard = version.Version("InstallSquid", script_version)
    run_guard.check_executed()
    os.chdir("/")

    # Package first, then firewall rules, then the squid configuration.
    x("yum install -y squid")
    _configure_iptables()
    _configure_squid()

    run_guard.mark_executed()
Пример #12
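def _configure_haproxy(env, state):
    """Put the environment's HAProxy configuration in place and restart HAProxy.

    Args:
        env: environment name; selects `<env>.haproxy.cfg` in every plugin
            path and is passed on to _configure_credentials().
        state: passed on to _configure_haproxy_state().

    The existing haproxy.cfg is first copied to org.haproxy.cfg. When several
    plugin paths exist, each copy overwrites the previous one, so the last
    path wins.

    NOTE(review): env and the plugin paths are interpolated into the command
    strings as-is. x() is defined elsewhere; if it runs the string through a
    shell, env must already have been checked against the list of accepted
    environment names before this function is called -- TODO confirm.
    """
    x("cp {0}haproxy.cfg {0}org.haproxy.cfg".format(HAPROXY_CONF_DIR))
    for path in app.get_syco_plugin_paths("/var/haproxy/"):
        app.print_verbose("Copy config files from %s" % path)
        x("cp {0}/{1}.haproxy.cfg {2}haproxy.cfg".format(path, env, HAPROXY_CONF_DIR))
        x("cp {0}/error.html {1}error.html".format(path, HAPROXY_CONF_DIR))

    scopen.scOpen(HAPROXY_CONF).replace("${ENV_IP}", get_ip_address('eth1'))

    # Read the config through a context manager so the handle is closed
    # before scOpen rewrites the same file (the original left it to the
    # garbage collector).
    with open(HAPROXY_CONF) as conf_file:
        # The probe string has no closing brace, as in the original check.
        has_alias_tag = '${ENV_IP_ALIAS' in conf_file.read()
    if has_alias_tag:
        scopen.scOpen(HAPROXY_CONF).replace("${ENV_IP_ALIAS}", get_ip_address('eth1:1'))

    _configure_haproxy_state(state)
    _configure_credentials(env)
    _chkconfig("haproxy", "on")
    _service("haproxy", "restart")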
Пример #13
def install_squid(args):
    """Install Squid, then configure the firewall and the proxy itself.

    SYCO_PLUGIN_PATH is set to the first plugin path reported for
    "/var/squid/". A version.Version object brackets the run with
    check_executed() and mark_executed(); presumably this prevents the same
    script version from running twice on one host.

    Neither `args` nor ACCEPTED_SQUID_ENV (declared global below) is used in
    the body.
    """
    global SYCO_PLUGIN_PATH, ACCEPTED_SQUID_ENV

    first_plugin_dir = app.get_syco_plugin_paths("/var/squid/").next()
    SYCO_PLUGIN_PATH = str(first_plugin_dir)

    app.print_verbose(
        "Install Squid Caching Proxy version: %d" % script_version)

    installer_version = version.Version("InstallSquid", script_version)
    installer_version.check_executed()

    os.chdir("/")
    x("yum install -y squid")

    # Firewall rules are applied before the squid configuration is written.
    _configure_iptables()
    _configure_squid()

    installer_version.mark_executed()
Пример #14
def _copy_conf(file_ext, to_folder, active_dc):
    '''
    Copy config/zone files from all syco plugins into a named folder.

    Every file ending in file_ext below "<plugin>/var/dns<subdir>" is copied
    to to_folder and then passed to _replace_tags() together with active_dc.
    The target path handed to _replace_tags() is to_folder + file name with
    no separator added, so to_folder is expected to end with "/".

    WARNING: If several syco plugins are installed with their own named.conf
             and zone files, the copies land in the same folder and the
             installation may end up broken.

    NOTE(review): the file names come straight from os.listdir() and are
    placed unquoted in the cp command string; x() is defined elsewhere, so
    whether names with spaces or shell metacharacters are safe depends on
    how it runs the command -- TODO confirm.
    '''
    nameserver = config.general.get_nameserver_server()
    subdir = config.host(nameserver).get_bind_conf_subdir()
    # Normalise a non-empty sub directory so it starts with a slash.
    if len(subdir) > 0 and not subdir.startswith('/'):
        subdir = "/" + subdir

    app.print_verbose("\nCopy config/zone files from all syco plugin modules into a named folder.")
    for plugin_path in app.get_syco_plugin_paths("/var/dns"):
        source_dir = plugin_path + subdir
        wanted = [name for name in os.listdir(source_dir)
                  if name.endswith(file_ext)]
        for zone_fn in wanted:
            app.print_verbose("\nConfigure file {0}".format(zone_fn))
            x("cp {0}/{1} {2}".format(source_dir, zone_fn, to_folder))
            copied_file = "{0}{1}".format(to_folder, zone_fn)
            _replace_tags(copied_file, active_dc)
Пример #15
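def _configure_haproxy(env, state):
    """Put the environment's HAProxy configuration in place and restart HAProxy.

    Args:
        env: environment name; selects `<env>.haproxy.cfg` in every plugin
            path and is passed on to _configure_credentials().
        state: passed on to _configure_haproxy_state().

    The existing haproxy.cfg is first copied to org.haproxy.cfg. When several
    plugin paths exist, each copy overwrites the previous one, so the last
    path wins. After the restart, monitoring is set up and the chroot
    directory is closed off.

    NOTE(review): env and the plugin paths are interpolated into the command
    strings as-is. x() is defined elsewhere; if it runs the string through a
    shell, env must already have been checked against the list of accepted
    environment names before this function is called -- TODO confirm.
    """
    x("cp {0}haproxy.cfg {0}org.haproxy.cfg".format(HAPROXY_CONF_DIR))
    for path in app.get_syco_plugin_paths("/var/haproxy/"):
        app.print_verbose("Copy config files from %s" % path)
        x("cp {0}/{1}.haproxy.cfg {2}haproxy.cfg".format(path, env, HAPROXY_CONF_DIR))
        x("cp {0}/error.html {1}".format(path, HAPROXY_CONF_DIR))
        x("cp -R {0}/errors.xml {1}".format(path, HAPROXY_CONF_DIR))

    ifname = get_front_nic_name()
    scopen.scOpen(HAPROXY_CONF).replace("${ENV_IP}", get_first_ip_from_nic(ifname))

    # Read the config through a context manager so the handle is closed
    # before scOpen rewrites the same file (the original left it to the
    # garbage collector).
    with open(HAPROXY_CONF) as conf_file:
        # The probe string has no closing brace, as in the original check.
        has_alias_tag = '${ENV_IP_ALIAS' in conf_file.read()
    if has_alias_tag:
        scopen.scOpen(HAPROXY_CONF).replace("${ENV_IP_ALIAS}", get_first_ip_from_nic('{0}:1'.format(ifname)))

    _configure_haproxy_state(state)
    _configure_credentials(env)
    _chkconfig("haproxy", "on")
    _service("haproxy", "restart")
    _setup_monitoring()

    # chroot jail should not be accessible by anyone.
    # Mode 000 is set after the service restart. Permission bits do not bind
    # root (or a process holding CAP_DAC_OVERRIDE), so this limits
    # unprivileged accounts only.
    x("chmod 000 /var/lib/haproxy")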
Пример #16
def main():
    """Handle the command line options and dispatch the chosen command.

    First function called when the script is used. It assembles the usage
    and version texts, registers -v/--verbose, -q/--quiet and -f/--force on
    app.parser, stores the parsed options in app.options and passes the
    positional arguments to Commands.execute(). A version.VersionException
    from the command is printed with app.print_error().
    """
    commands = Commands()

    usage = "usage: %prog [options] command\n\n" + "Commands:\n" + commands.get_help()

    # Version text: syco's own commit followed by one entry per plugin path.
    plugin_stamp = ", {0}(git {1})"
    info = "System Console {0}, syco(git {1})".format(
        app.version, get_last_git_commit('/opt/syco'))
    for plugin_path in app.get_syco_plugin_paths():
        plugin_name = os.path.basename(plugin_path)
        info += plugin_stamp.format(plugin_name, get_last_git_commit(plugin_path))

    app.parser = OptionParser(usage=usage, version=info, add_help_option=True)
    add_flag = app.parser.add_option
    # -v and -q both write to "verbose" (default 1).
    add_flag(
        "-v", "--verbose",
        action="store_const", const=2, dest="verbose", default=1,
        help="Show more output.",
    )
    add_flag(
        "-q", "--quiet",
        action="store_const", const=0, dest="verbose",
        help="Show no output.",
    )
    # presumably lets a command run again despite a recorded version.
    add_flag(
        "-f", "--force",
        action="store_const", const=1, dest="force", default=0,
        help="Ignore version.cfg.",
    )

    app.options, args = app.parser.parse_args()

    app.print_verbose(app.parser.get_version())

    # Equivalent to `len(args) < 1 and 2 > len(args)`: no command was given.
    if len(args) == 0:
        app.parser.print_help()
        return

    try:
        commands.execute(args)
    except version.VersionException as e:
        app.print_error(repr(e.args))
Пример #17
def install_keepalived(args):
    """Install keepalived and configure it for the environment in sys.argv[2].

    Checks the requested environment against the names returned by
    get_environments(), installs the package and runs the iptables and
    keepalived configuration helpers. The work is bracketed by
    version_obj.check_executed() and version_obj.mark_executed().

    NOTE(review): the `args` parameter is never read; the environment name is
    taken from sys.argv directly.
    """
    global SYCO_PLUGIN_PATH, ACCEPTED_KA_ENV

    SYCO_PLUGIN_PATH = app.get_syco_plugin_paths("/var/keepalived/").next()
    # The accepted names act as the allow-list for the environment argument.
    ACCEPTED_KA_ENV = get_environments()

    # Argument validation.
    # NOTE(review): KA_ENV is a local that is only bound in the else branch,
    # and both checks depend on print_killmessage() (defined elsewhere) not
    # returning. Confirm it terminates the process; if it returns, an
    # environment name outside the allow-list reaches the install steps below.
    if len(sys.argv) != 3:
        print_killmessage()
    else:
        KA_ENV = sys.argv[2]

    # The input is lower-cased for the comparison but the accepted names are
    # not, so an accepted name containing upper-case letters can never match.
    if KA_ENV.lower() not in ACCEPTED_KA_ENV:
        print_killmessage()

    app.print_verbose("Install Keepalived version: %d" % script_version)
    version_obj = version.Version("InstallKeepalived", script_version)
    # presumably stops here when this script version has already been applied
    # on the host -- confirm against version.Version
    version_obj.check_executed()
    os.chdir("/")

    # x() is defined elsewhere; presumably it runs the string as a command.
    x("yum install -y keepalived")
    _configure_iptables()
    _configure_keepalived()

    version_obj.mark_executed()
Пример #18
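def _configure_haproxy(env, state):
    """Install the HAProxy configuration for `env` and restart the service.

    Args:
        env: environment name; picks `<env>.haproxy.cfg` from each plugin
            path and is forwarded to _configure_credentials().
        state: forwarded to _configure_haproxy_state().

    The current haproxy.cfg is saved as org.haproxy.cfg before it is
    replaced. With more than one plugin path the files are copied once per
    path, each copy overwriting the one before. Monitoring setup and the
    chroot lock-down run after the restart.

    NOTE(review): env and the plugin paths go into the command strings
    unquoted. x() is defined elsewhere; if it hands the string to a shell,
    env has to be restricted to the accepted environment names by the caller
    before it gets here -- TODO confirm.
    """
    x("cp {0}haproxy.cfg {0}org.haproxy.cfg".format(HAPROXY_CONF_DIR))
    for path in app.get_syco_plugin_paths("/var/haproxy/"):
        app.print_verbose("Copy config files from %s" % path)
        x("cp {0}/{1}.haproxy.cfg {2}haproxy.cfg".format(
            path, env, HAPROXY_CONF_DIR))
        x("cp {0}/error.html {1}".format(path, HAPROXY_CONF_DIR))
        x("cp -R {0}/errors.xml {1}".format(path, HAPROXY_CONF_DIR))

    ifname = get_front_nic_name()
    scopen.scOpen(HAPROXY_CONF).replace("${ENV_IP}",
                                        get_first_ip_from_nic(ifname))

    # Close the read handle explicitly before scOpen edits the same file;
    # the original relied on garbage collection to close it.
    with open(HAPROXY_CONF) as conf_file:
        conf_text = conf_file.read()
    # The probe string has no closing brace, as in the original check.
    if '${ENV_IP_ALIAS' in conf_text:
        scopen.scOpen(HAPROXY_CONF).replace(
            "${ENV_IP_ALIAS}", get_first_ip_from_nic('{0}:1'.format(ifname)))

    _configure_haproxy_state(state)
    _configure_credentials(env)
    _chkconfig("haproxy", "on")
    _service("haproxy", "restart")
    _setup_monitoring()

    # chroot jail should not be accessible by anyone.
    # Applied after the restart. Mode bits do not restrict root (or a process
    # holding CAP_DAC_OVERRIDE); only unprivileged accounts are locked out.
    x("chmod 000 /var/lib/haproxy")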
Пример #19
# Module metadata. NOTE(review): the license is still a "???" placeholder.
__license__ = "???"
__version__ = "1.0.0"
__status__ = "Production"

from general import x, download_file
import app
import version
import os
import iptables
import install


# The version of this module, used to prevent the same script version from
# being executed more than once on the same host.
SCRIPT_VERSION = 1
# First plugin path reported for "/var", resolved once when the module is
# imported. NOTE(review): presumably an iterator -- .next() would then raise
# StopIteration at import time if no plugin provides a /var directory.
CONF_SOURCE = str(app.get_syco_plugin_paths("/var").next())


def build_commands(commands):
    """Register the espower install and uninstall commands on *commands*.

    Each entry is added with commands.add(name, handler, help=...).
    """
    registrations = (
        (
            "install-espower",
            install_espower,
            "Install power modules for elastcisearch install-espower logstash version",
        ),
        (
            "uninstall-espower",
            uninstall_espower,
            "Uninstall the power modules for elastic search",
        ),
    )
    for command_name, handler, help_text in registrations:
        commands.add(command_name, handler, help=help_text)


def install_espower(args):
    """Install the Elasticsearch power modules.

    Expects exactly two entries in args; raises Exception with a usage hint
    otherwise.
    """
    argc = len(args)
    if argc != 2:
        usage_hint = "syco install-espower Logstash Version [syco install-es 1.4.2]"
        raise Exception(usage_hint)
Пример #20
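# Common classes/functions that are used by the project.
sys.path.append(sys.path[0] + "/common/")

import app
import version
import general
# presumably aborts unless the script runs as root -- confirm against
# general.require_linux_user(). Everything imported below then executes with
# that privilege, so every directory added to sys.path here should be
# writable by root only.
general.require_linux_user("root")

# Files published to public repos.
sys.path.append(app.SYCO_PUBLIC_PATH)

#  Import all py files including syco commands.
command_dir = os.listdir(app.SYCO_PUBLIC_PATH)

# Files only available in private user repos.
for plugin_path in app.get_syco_plugin_paths("/bin/"):
    sys.path.append(plugin_path)
    if os.path.isdir(plugin_path):
        command_dir += os.listdir(plugin_path)

for module in command_dir:
    # Skip package markers, byte-code, shell scripts and names ending in
    # "led".
    if (module == '__init__.py' or
            module[-4:] == '.pyc' or
            module[-3:] == '.sh' or
            module[-3:] == 'led'):
        continue
    module = module.replace('.py', '')
    # Bind the imported module under its own name in this module's namespace.
    # The original built the statement `<name>=__import__("<name>", ...)` as
    # text from the file name and ran it with exec, so a file name containing
    # a quote or other Python syntax became part of executed code. Importing
    # by name keeps the file name as data.
    globals()[module] = __import__(module, globals(), locals())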