From: Rakshitha Kamath Date: Thu, 22 Dec 2022 10:15:07 +0000 (+0530) Subject: Signalfx agent node configuration X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F719%2Fhead;p=ceph-cm-ansible.git Signalfx agent node configuration
---
diff --git a/roles/signalfx_splunk_agent_configuration/README.rst b/roles/signalfx_splunk_agent_configuration/README.rst
new file mode 100644
index 00000000..832bb5d0
--- /dev/null
+++ b/roles/signalfx_splunk_agent_configuration/README.rst
@@ -0,0 +1,73 @@
+signalfx_splunk_agent_configuration
+===================================
+
+This role will help you configure any server node to monitor the services like HTTP and SYSTEMD.
+This will create the necessary configuration files and add the server for monitoring on the dashboard.
+
+Prerequisites
+-------------
+
+Requires an access_token which needs to be generated in your profile.
+
+HTTP - Monitoring
++++++++++++++++++
+
+Create a variable file as follows. Example: http_vars.yml::
+
+ ---
+ access_token: ""
+ basic_attributes:
+ appcode: ""
+ http_enabled: true
+ http_monitors:
+ - host: example1.domain.com
+ http_timeout: 1s
+ - host: example2.domain.com
+ port: 80
+ use_https: false
+ - host: example3.domain.com
+ port: 8443
+ path: /my/path/index.html
+ skip_verify: true
+
++++++++++++++++++
+
+
+SYSTEMD - Monitoring
+++++++++++++++++++++
+
+Create a variable file as follows. Example: systemd_vars.yml::
+
+ ---
+ access_token: ""
+ basic_attributes:
+ appcode: ""
+ systemd_enabled: true
+ systemd_services:
+ - ssh
+ - nginx
+ - firewall
+ systemd_sendactivestate: true
+ systemd_extrametrics:
+ - gauge.active_state.active
+
+++++++++++++++++++++
+
+How to run
+----------
+
+You can pass the variables file name as a extra variable `var_file_name`.
+
+If nothing is provided then it will make use of the vars/main.yml parameters and configure the node to default settings.
+
+NOTE: If you wish to configure the node with default setting, please remember to change the values below.
+
+- access_token
+- appcode
+
+The way of passing the variable to the ansible playbook can be achieved by running the following command::
+
+ Example: If your variables file name is http_vars.yml
+ ansible-playbook -i hosts -e "var_file_name=http_vars.yml" signalfx.yml
+
+----------
diff --git a/roles/signalfx_splunk_agent_configuration/defaults/main.yml b/roles/signalfx_splunk_agent_configuration/defaults/main.yml
new file mode 100644
index 00000000..7cd2f08b
--- /dev/null
+++ b/roles/signalfx_splunk_agent_configuration/defaults/main.yml
@@ -0,0 +1,23 @@
+---
+agent_interval_seconds: 20
+agent_realm: us1
+agent_restorecon_map:
+ RedHat6: /sbin/restorecon
+ RedHat7: /usr/sbin/restorecon
+ RedHat8: /sbin/restorecon
+agent_restorecon_path: "{{ agent_restorecon_map[ ansible_distribution + ansible_distribution_major_version ] }}"
+signalfx_skip_repo: true
+
+http_enabled: false
+http_monitors: []
+
+systemd_enabled: false
+systemd_services: []
+
+signalfx_repo_base_url: https://splunk.jfrog.io/splunk
+signalfx_package_stage: release
+signalfx_version: latest
+signalfx_conf_file_path: /etc/signalfx/agent.yaml
+signalfx_service_user: signalfx-agent
+signalfx_service_group: signalfx-agent
+signalfx_service_state: started
diff --git a/roles/signalfx_splunk_agent_configuration/handlers/main.yml b/roles/signalfx_splunk_agent_configuration/handlers/main.yml
new file mode 100644
index 00000000..087164b5
--- /dev/null
+++ b/roles/signalfx_splunk_agent_configuration/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: agent_systemd_reload
+ systemd:
+ daemon_reload: yes
+
+- name: agent_restart
+ service:
+ name: signalfx-agent
+ state: restarted
diff --git a/roles/signalfx_splunk_agent_configuration/tasks/http.yml b/roles/signalfx_splunk_agent_configuration/tasks/http.yml
new file mode 100644
index 00000000..44efc875
--- /dev/null
+++ b/roles/signalfx_splunk_agent_configuration/tasks/http.yml
@@ -0,0 +1,17 @@
+---
+- name: Configure HTTP monitoring
+ template:
+ src: http.yaml.j2
+ dest: "{{ agent_extra_monitor_path }}/http.yaml"
+ owner: "{{ signalfx_service_user }}"
+ group: "{{ signalfx_service_group }}"
+ mode: 0600
+ notify: agent_restart
+
+- name: Ensure OCSP cache can be created
+ file:
+ state: directory
+ path: '/usr/lib/signalfx-agent/.cache/'
+ owner: 'signalfx-agent'
+ group: 'signalfx-agent'
+ mode: '0700'
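Review bot: The second task in tasks/http.yml hard-codes `owner: 'signalfx-agent'` and `group: 'signalfx-agent'` for the OCSP cache directory, while the template task just above it uses `signalfx_service_user` and `signalfx_service_group`. If either variable is overridden, the cache directory ends up owned by a different account than the one the agent is configured to run as; `owner: "{{ signalfx_service_user }}"` and `group: "{{ signalfx_service_group }}"` keep the two in step. The file also mixes a bare `mode: 0600` with a quoted `mode: '0700'`; quoting both as strings avoids depending on how the YAML loader treats leading-zero integers.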
diff --git a/roles/signalfx_splunk_agent_configuration/tasks/linux_installation.yml b/roles/signalfx_splunk_agent_configuration/tasks/linux_installation.yml
new file mode 100644
index 00000000..10dadaf8
--- /dev/null
+++ b/roles/signalfx_splunk_agent_configuration/tasks/linux_installation.yml
@@ -0,0 +1,25 @@
+---
+- name: Import signalfx-agent deploy for CentOS or RHEL
+ import_tasks: yum_installation.yml
+ when: ansible_os_family in rhel_distro
+
+- name: Import signalfx-agent deploy for Debian or Ubuntu
+ import_tasks: ubuntu_installation.yml
+ when: ansible_os_family in ubuntu_distro
+
+- name: Set signalfx-agent service owner
+ import_tasks: service_owner.yml
+
+- name: Write signalfx config
+ copy:
+ content: "{{ signalfx_agent_config | to_nice_yaml }}"
+ dest: "{{ signalfx_conf_file_path }}"
+ owner: "{{ signalfx_service_user }}"
+ group: "{{ signalfx_service_group }}"
+ mode: 0600
+
+- name: Start signalfx-agent
+ service:
+ name: signalfx-agent
+ state: "{{ signalfx_service_state }}"
+ enabled: yes
diff --git a/roles/signalfx_splunk_agent_configuration/tasks/main.yml b/roles/signalfx_splunk_agent_configuration/tasks/main.yml
new file mode 100644
index 00000000..f72d2469
--- /dev/null
+++ b/roles/signalfx_splunk_agent_configuration/tasks/main.yml
@@ -0,0 +1,89 @@
+---
+- name: Validate the variable definitions
+ assert:
+ that:
+ - basic_attributes is defined
+ - basic_attributes['appcode'] is defined
+ - access_token is defined
+ quiet: true
+
+- name: Default monitors
+ set_fact:
+ _agent_monitors: "{{ default_monitors }}"
+ when: agent_monitors is not defined
+
+- name: Configure SELinux for SignalFX Smart Agent
+ seboolean:
+ name: nis_enabled
+ state: yes
+ persistent: yes
+ when: ansible_distribution_major_version | int > 6
+
+- name: Create the SignalFX Smart Agent configuration directory
+ file:
+ path: "{{ access_token_path | dirname }}"
+ state: directory
+ mode: 0700
+
+- name: Store SignalFX access token in a separate file
+ copy:
+ dest: "{{ access_token_path }}"
+ content: "{{ access_token }}"
+ mode: 0600
+ no_log: true
+
+- name: Import the SignalFX Smart Agent role
+ import_tasks: signalfx_main.yml
+ vars:
+ signalfx_agent_config:
+ signalFxAccessToken: "{'#from': '{{ access_token_path }}'}"
+ signalFxRealm: "{{ agent_realm }}"
+ intervalSeconds: "{{ agent_interval_seconds }}"
+ globalDimensions: "{{ basic_attributes }}"
+ monitors: "{{ _agent_monitors }}"
+
+- name: Include extra monitors in agent configuration
+ blockinfile:
+ path: "{{ signalfx_conf_file_path }}"
+ insertafter: 'monitors:'
+ block: |
+ - '#from': /etc/signalfx/monitors/*
+ flatten: true
+ optional: true
+
+- name: Create directory for SignalFX extra monitors
+ file:
+ path: "{{ agent_extra_monitor_path }}"
+ state: directory
+ owner: "{{ signalfx_service_user }}"
+ group: "{{ signalfx_service_group }}"
+ mode: 0700
+
+- name: Correct bundled binaries SELinux context types to work around an upstream bug
+ sefcontext:
+ target: "{{ agent_bin_path }}"
+ setype: "{{ agent_bin_setype }}"
+ state: present
+
+- name: Apply the SELinux context type to collectd
+ command: "{{ agent_restorecon_path }} -RvF {{ agent_bin_restore }}"
+
+- name: Fix the SignalFX Smart Agent service startup
+ blockinfile:
+ path: "{{ 
agent_systemd_config }}"
+ backup: yes
+ insertbefore: BOF
+ block: |
+ [Unit]
+ Description=SignalFX Smart Agent
+ After=network.target nss-lookup.target multi-user.target
+ notify: agent_systemd_reload
+ when: ansible_distribution_major_version | int > 6
+
+- name: Configure HTTP monitoring
+ import_tasks: http.yml
+ when: http_enabled
+
+- name: Configure Systemd services monitoring
+ import_tasks: systemd.yml
+ when: systemd_enabled
diff --git a/roles/signalfx_splunk_agent_configuration/tasks/service_owner.yml b/roles/signalfx_splunk_agent_configuration/tasks/service_owner.yml
new file mode 100644
index 00000000..780a7d5a
--- /dev/null
+++ b/roles/signalfx_splunk_agent_configuration/tasks/service_owner.yml
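Review bot: The two tasks in tasks/main.yml that create `{{ access_token_path | dirname }}` and write the token set a mode but no `owner` or `group`, so both are owned by whichever account runs the play, whereas agent.yaml and the extra-monitors directory in this same commit are handed to `signalfx_service_user`. If the agent runs as that non-root user (service_owner.yml writes a `User=` override), it presumably cannot traverse a 0700 /etc/signalfx or read a 0600 token it does not own, and the usual reaction to that is to loosen the modes by hand. Consider adding `owner: "{{ signalfx_service_user }}"` and `group: "{{ signalfx_service_group }}"` to both tasks and running them once the account exists, since it is created later through signalfx_main.yml. Separately, `access_token is defined` accepts the empty string shown in the README example, and the check in signalfx_main.yml only sees the `{'#from': ...}` reference; `- access_token | trim | length > 0` in the assert would catch an empty token.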
@@ -0,0 +1,90 @@
+---
+- name: Create user/group
+ block:
+ - name: Get groups
+ getent:
+ database: group
+ key: "{{ signalfx_service_group }}"
+ fail_key: no
+ - name: Create group
+ group:
+ name: "{{ signalfx_service_group }}"
+ system: yes
+ when: not getent_group[signalfx_service_group]
+ - name: Get users
+ getent:
+ database: passwd
+ key: "{{ signalfx_service_user }}"
+ fail_key: no
+ - name: Create user
+ user:
+ name: "{{ signalfx_service_user }}"
+ group: "{{ signalfx_service_group }}"
+ createhome: no
+ shell: /sbin/nologin
+ system: yes
+ when: not getent_passwd[signalfx_service_user]
+
+- name: Set user/group for signalfx-agent systemd service
+ block:
+ - name: Stop systemd service
+ service:
+ name: signalfx-agent
+ state: stopped
+ - name: Create tmpfile override
+ lineinfile:
+ path: /etc/tmpfiles.d/signalfx-agent.conf
+ create: yes
+ line: "D /run/signalfx-agent 0755 {{ signalfx_service_user }} {{ signalfx_service_group }} - -"
+ regexp: '^D /run/signalfx-agent .*'
+ insertafter: EOF
+ - name: Initialize tmpfile override
+ command: systemd-tmpfiles --create --remove /etc/tmpfiles.d/signalfx-agent.conf
+ - name: Create systemd override directory
+ file:
+ path: /etc/systemd/system/signalfx-agent.service.d/
+ state: directory
+ - name: Create systemd service owner override file
+ lineinfile:
+ path: /etc/systemd/system/signalfx-agent.service.d/service-owner.conf
+ create: yes
+ line: '[Service]'
+ regexp: '^\[Service\].*'
+ insertafter: EOF
+ - name: Set systemd service owner user
+ lineinfile:
+ path: /etc/systemd/system/signalfx-agent.service.d/service-owner.conf
+ line: "User={{ signalfx_service_user }}"
+ regexp: '^User=.*'
+ insertafter: '^\[Service\].*'
+ - name: Set systemd service owner group
+ lineinfile:
+ path: /etc/systemd/system/signalfx-agent.service.d/service-owner.conf
+ line: "Group={{ signalfx_service_group }}"
+ regexp: '^Group=.*'
+ insertafter: '^User=.*'
+ - name: Reload systemd service
+ systemd:
+ daemon_reload: yes
+ when: 
ansible_service_mgr == 'systemd'
+
+- name: Set user/group for signalfx-agent initd service
+ block:
+ - name: Stop initd service
+ service:
+ name: signalfx-agent
+ state: stopped
+ - name: Set initd service owner user
+ lineinfile:
+ path: /etc/default/signalfx-agent
+ create: yes
+ line: "user={{ signalfx_service_user }}"
+ regexp: '^user=.*'
+ insertafter: EOF
+ - name: Set initd service owner group
+ lineinfile:
+ path: /etc/default/signalfx-agent
+ line: "group={{ signalfx_service_group }}"
+ regexp: '^group=.*'
+ insertafter: '^user=.*'
+ when: ansible_service_mgr != 'systemd'
diff --git a/roles/signalfx_splunk_agent_configuration/tasks/signalfx_main.yml b/roles/signalfx_splunk_agent_configuration/tasks/signalfx_main.yml
new file mode 100644
index 00000000..089071e6
--- /dev/null
+++ b/roles/signalfx_splunk_agent_configuration/tasks/signalfx_main.yml
@@ -0,0 +1,26 @@
+---
+- name: Accepted distros
+ set_fact:
+ ubuntu_distro: ['Ubuntu']
+ rhel_distro: ['RedHat', 'Red Hat Enterprise Linux', 'CentOS', 'Amazon']
+ cacheable: true
+
+- name: Confirm if agent configuration is provided!
+ fail: msg='Please provide a populated signalfx_agent_config'
+ when: not (signalfx_agent_config| default(false))
+
+- name: Confirm if SignalFx Access Token is defined!
+ fail: msg='Please specify a signalFxAccessToken in your signalfx_agent_config'
+ when: not (signalfx_agent_config.signalFxAccessToken | default('') | trim) or not signalfx_agent_config.signalFxAccessToken
+
+- name: Acceptable distribution check
+ fail:
+ msg: >
+ Failed! The target is {{ ansible_os_family }} and this role only supports {{ ubuntu_distro }} and {{ rhel_distro }}.
+ when: (ansible_os_family not in ubuntu_distro)
+ and
+ (ansible_os_family not in rhel_distro)
+
+- name: Linux installation
+ include_tasks: linux_installation.yml
+ when: ( ansible_os_family in ubuntu_distro ) or ( ansible_os_family in rhel_distro )
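Review bot: The `file` and `lineinfile` tasks in service_owner.yml that create `/etc/tmpfiles.d/signalfx-agent.conf`, the `signalfx-agent.service.d/` directory, `service-owner.conf` and `/etc/default/signalfx-agent` set no `owner`, `group` or `mode`, so the resulting permissions depend on the umask of the connecting user. These files decide which account the agent runs as, so it is worth pinning them explicitly, for example `owner: root`, `group: root`, `mode: '0644'` (and `'0755'` on the directory). Both blocks also stop the service unconditionally and `systemd-tmpfiles` is called through `command` without `changed_when`, so every run reports changes and interrupts monitoring even when nothing differs, which looks unintended.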
diff --git a/roles/signalfx_splunk_agent_configuration/tasks/systemd.yml b/roles/signalfx_splunk_agent_configuration/tasks/systemd.yml
new file mode 100644
index 00000000..ea354f9e
--- /dev/null
+++ b/roles/signalfx_splunk_agent_configuration/tasks/systemd.yml
@@ -0,0 +1,9 @@
+---
+- name: Configure systemd monitoring
+ template:
+ src: systemd.yaml.j2
+ dest: "{{ agent_extra_monitor_path }}/systemd.yaml"
+ owner: "{{ signalfx_service_user }}"
+ group: "{{ signalfx_service_group }}"
+ mode: 0600
+ notify: agent_restart
diff --git a/roles/signalfx_splunk_agent_configuration/tasks/ubuntu_installation.yml b/roles/signalfx_splunk_agent_configuration/tasks/ubuntu_installation.yml
new file mode 100644
index 00000000..e26ffdfc
--- /dev/null
+++ b/roles/signalfx_splunk_agent_configuration/tasks/ubuntu_installation.yml
@@ -0,0 +1,32 @@
+---
+- name: Delete old signing key for SignalFx Agent
+ apt_key:
+ id: 91668001288D1C6D2885D651185894C15AE495F6
+ state: absent
+
+- name: Delete old signing key file for SignalFx Agent
+ file:
+ path: /etc/apt/trusted.gpg.d/signalfx.gpg
+ state: absent
+
+- name: Add an Apt signing key for Signalfx Agent
+ get_url:
+ url: "{{ sfx_repo_base_url }}/signalfx-agent-deb/splunk-B3CD4420.gpg"
+ dest: /etc/apt/trusted.gpg.d/splunk.gpg
+ mode: 0644
+
+- name: Add Signalfx Agent repository into sources list
+ apt_repository:
+ repo: "deb {{ sfx_repo_base_url }}/signalfx-agent-deb {{ sfx_package_stage }} main"
+ filename: 'signalfx-agent'
+ mode: 644
+ state: present
+ when: not (sfx_skip_repo | bool)
+
+- name: Install signalfx-agent via apt package manager
+ apt:
+ name: signalfx-agent{% if sfx_version is defined and sfx_version != "latest" %}={{ sfx_version }}{% endif %}
+ state: "{% if sfx_version is defined and sfx_version != 'latest' %}present{% else %}{{ sfx_version }}{% endif %}"
+ force: yes
+ update_cache: yes
+ policy_rc_d: 101
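Review bot: `force: yes` on the `apt` task in ubuntu_installation.yml should be dropped: per the Ansible apt module documentation it corresponds to `--force-yes` and implies `allow_unauthenticated`, so the signature check that the key and repository tasks above set up is bypassed at install time. If the intent is only to permit moving back to a pinned version, `allow_downgrade: yes` expresses that without disabling verification. This file also reads `sfx_repo_base_url`, `sfx_package_stage`, `sfx_skip_repo` and `sfx_version`, while the defaults/main.yml added by this commit defines the `signalfx_*` names, so the Debian/Ubuntu path presumably fails on undefined variables unless they are supplied from elsewhere. Finally, `mode: 644` on `apt_repository` is read as the decimal number 644 rather than octal; use `mode: '0644'`.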
diff --git a/roles/signalfx_splunk_agent_configuration/tasks/yum_installation.yml b/roles/signalfx_splunk_agent_configuration/tasks/yum_installation.yml
new file mode 100644
index 00000000..fec807e9
--- /dev/null
+++ b/roles/signalfx_splunk_agent_configuration/tasks/yum_installation.yml
@@ -0,0 +1,22 @@
+---
+- name: Delete old signing key for SignalFx Agent
+ rpm_key:
+ key: 098acf3b
+ state: absent
+
+- name: Add Signalfx Agent repo into source list
+ yum_repository:
+ name: signalfx-agent
+ description: SignalFx Agent Repository
+ baseurl: "{{ signalfx_repo_base_url }}/signalfx-agent-rpm/{{ signalfx_package_stage }}"
+ gpgkey: "{{ signalfx_repo_base_url }}/signalfx-agent-rpm/splunk-B3CD4420.pub"
+ gpgcheck: yes
+ enabled: yes
+ when: not (signalfx_skip_repo | bool)
+
+- name: Install signalfx-agent via yum package manager
+ yum:
+ name: signalfx-agent{% if signalfx_version is defined and signalfx_version != "latest" %}-{{ signalfx_version }}{% endif %}
+ state: "{% if signalfx_version is defined and signalfx_version != 'latest' %}present{% else %}{{ signalfx_version }}{% endif %}"
+ allow_downgrade: yes
+ update_cache: yes
diff --git a/roles/signalfx_splunk_agent_configuration/templates/http.yaml.j2 b/roles/signalfx_splunk_agent_configuration/templates/http.yaml.j2
new file mode 100644
index 00000000..fa30963b
--- /dev/null
+++ b/roles/signalfx_splunk_agent_configuration/templates/http.yaml.j2
@@ -0,0 +1,42 @@
+{% for http_monitor in http_monitors %}
+- type: http
+ host: {{ http_monitor.host | default(ansible_fqdn) }}
+ port: {{ http_monitor.port | default(443) }}
+ path: {{ http_monitor.path | default('/')}}
+ httpTimeout: {{ http_monitor.http_timeout | default('5s') }}
+ useHTTPS: {{ http_monitor.use_https | default(true) }}
+ skipVerify: {{ http_monitor.skip_verify | default(false) }}
+ noRedirects: {{ http_monitor.no_redirects | default(false) }}
+ method: {{ http_monitor.method | default('GET') }}
+ desiredCode: {{ http_monitor.desired_code | default(200)}}
+ addRedirectURL: {{ http_monitor.add_redirect_url | default(false) }}
+{% if http_monitor.username is defined %}
+ username: {{ http_monitor.username }}
+{% endif %}
+{% if http_monitor.password is defined %}
+ password: {{ http_monitor.password }}
+{% endif %}
+{% if http_monitor.http_headers is defined %}
+ httpHeaders: {{ http_monitor.http_headers }}
+{% endif %}
+{% if http_monitor.ca_cert_path is defined %}
+ caCertPath: {{ http_monitor.ca_cert_path }}
+{% endif %}
+{% if http_monitor.client_cert_path is defined %}
+ clientCertPath: {{ http_monitor.client_cert_path }}
+{% endif %}
+{% if http_monitor.client_key_path is defined %}
+ clientKeyPath: {{ http_monitor.client_key_path }}
+{% endif %}
+{% if http_monitor.request_body is defined %}
+ requestBody: {{ http_monitor.request_body }}
+{% endif %}
+{% if http_monitor.regex is defined %}
+ regex: {{ http_monitor.regex }}
+{% endif %}
+{% if http_monitor.extra_dimensions is defined %}
+ extraDimensions:
+{{ http_monitor.extra_dimensions | to_nice_yaml | indent(4, True) }}
+{% endif %}
+
+{% endfor %}
diff --git a/roles/signalfx_splunk_agent_configuration/templates/systemd.yaml.j2 b/roles/signalfx_splunk_agent_configuration/templates/systemd.yaml.j2
new file mode 100644
index 00000000..6b11c136
--- /dev/null
+++ b/roles/signalfx_splunk_agent_configuration/templates/systemd.yaml.j2
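Review bot: Every value in http.yaml.j2 is interpolated as a bare YAML scalar (`password: {{ http_monitor.password }}`, likewise `username`, `regex`, `requestBody`, `path` and `httpHeaders`), so a value containing `: `, ` #`, a leading `*`, `{` or `[`, or a newline either breaks the rendered agent config or is parsed as something other than the intended string. Passing each one through a quoting filter fixes this, for example `password: {{ http_monitor.password | to_json }}` and `regex: {{ http_monitor.regex | to_json }}`; for `httpHeaders`, which looks like a mapping, `to_json` also renders valid flow YAML. The same applies to `- {{ service }}` and `- {{ metric }}` in systemd.yaml.j2. Separately, `skip_verify` turns off TLS certificate checking for a monitor and the README example sets it to `true`; a template comment pointing to `ca_cert_path` as the option for privately signed endpoints would steer users away from copying that setting.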
@@ -0,0 +1,20 @@
+- type: collectd/systemd
+ services:
+{% for service in systemd_services %}
+ - {{ service }}
+{% endfor %}
+{% if systemd_sendactivestate is defined %}
+ sendActiveState: {{ systemd_sendactivestate }}
+{% endif %}
+{% if systemd_sendsubstate is defined %}
+ sendSubState: {{ systemd_sendsubstate }}
+{% endif %}
+{% if systemd_sendloadstate is defined %}
+ sendLoadState: {{ systemd_sendloadstate }}
+{% endif %}
+{% if systemd_extrametrics is defined and systemd_extrametrics | length > 0 %}
+ extraMetrics:
+{% for metric in systemd_extrametrics %}
+ - {{ metric }}
+{% endfor %}
+{% endif %}
diff --git a/roles/signalfx_splunk_agent_configuration/vars/main.yml b/roles/signalfx_splunk_agent_configuration/vars/main.yml
new file mode 100644
index 00000000..6d4fb7d2
--- /dev/null
+++ b/roles/signalfx_splunk_agent_configuration/vars/main.yml
@@ -0,0 +1,22 @@
+---
+agent_systemd_config: /etc/systemd/system/signalfx-agent.service.d/service-owner.conf
+access_token_path: /etc/signalfx/token
+agent_extra_monitor_path: /etc/signalfx/monitors
+default_monitors:
+ - type: cpu
+ extraMetrics:
+ - cpu.user
+ - cpu.wait
+ - cpu.system
+ - cpu.steal
+ - type: filesystems
+ - type: disk-io
+ - type: net-io
+ - type: load
+ - type: memory
+ - type: vmem
+ - type: host-metadata
+ - type: processlist
+agent_bin_path: '/usr/lib/signalfx-agent/bin(/.*)'
+agent_bin_restore: '/usr/lib/signalfx-agent/bin'
+agent_bin_setype: bin_t
diff --git a/signalfx.yml b/signalfx.yml
new file mode 100644
index 00000000..91b773b7
--- /dev/null
+++ b/signalfx.yml
@@ -0,0 +1,10 @@
+---
+- name: The signalfx-configurarion for systemd monitoring
+ hosts: all
+ gather_facts: yes
+
+ vars_files:
+ - "{{ var_file_name }}"
+
+ roles:
+ - signalfx_splunk_agent_configuration
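Review bot: The `vars_files` entry `- "{{ var_file_name }}"` in signalfx.yml makes the extra variable mandatory, whereas the README added in this commit says the role falls back to vars/main.yml when nothing is passed; without `-e var_file_name=...` the play presumably stops on an undefined variable. Either document the variable as required or guard the load, for example with an `include_vars` task under `when: var_file_name is defined`. Since that variables file carries `access_token` in clear text, a comment here pointing users to Ansible Vault for it would be worthwhile. The play name also has a typo (`signalfx-configurarion`) and mentions only systemd monitoring although the role configures HTTP monitoring as well.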