Opened 10 months ago

Last modified 6 months ago

#32901 assigned project

puppetize Nagios

Reported by: anarcat Owned by: anarcat
Priority: Low Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Major Keywords:
Cc: Actual Points:
Parent ID: #31239 Points: 10
Reviewer: Sponsor:

Description (last modified by anarcat)

one part of our install process is to configure Nagios, by hand, in the git repository. I usually do this by copy-pasting some similar blob of config from a possibly similar machine and hope for the best.

this is a manual step, and as part of the automation of the install process, it should be made automatic.

one way this could (and probably should) be done is by making Puppet automatically add its nodes into Nagios. this can be done using the icinga2 module, for example. care should be taken to do a smooth transition, keeping existing configurations and just adding the Puppet ones on top, for new machines.

but this could (eventually) be retroactively added to all nodes, removing all manual configuration.


  1. [x] audit and import the module in our monorepo
  2. [ ] enable on the nagios server, without writing any config (hopefully a noop) not possible, config is overwritten by module, instead...
  3. [ ] move the base configuration (config/static) from git into Puppet (mostly icinga.cfg and so on, because they are overwritten by the module)
  4. [ ] enable a single config from puppet, as a test
  5. [ ] add a new host check configuration
  6. [ ] add a new service check configuration
  7. [ ] add all *base* service checks for the new host (e.g. the services defined for the computers hostgroup, equivalent of pieces of from-git/generated/auto-services.cfg)
  8. [ ] convert legacy config into puppet (at this stage we only have the old hosts as legacy config) done in third step
  9. [ ] convert NRPE service definitions (puppet:///modules/nagios/tor-nagios/generated/nrpe_tor.cfg, generated from the git repo)
  10. [ ] remove NRPE config sync from nagios to Puppet (the rsync to pauli in config/Makefile)
  11. [ ] convert old hosts checks into puppet
  12. [ ] convert old services checks into puppet
  13. [ ] remove git hook receiver on nagios server (/etc/ssh/userkeys/nagiosadm key, which calls /home/nagiosadm/bin/from-git-rw)

It's a long way there, but getting to the state where *new* hosts are covered would already be a great improvement.

Child Tickets

Change History (9)

comment:1 Changed 9 months ago by gaba

Keywords: tpa-roadmap-february added

comment:2 Changed 9 months ago by anarcat

Owner: changed from tpa to anarcat
Status: newassigned

comment:3 Changed 9 months ago by anarcat

Description: modified (diff)

apparently, the icinga module in puppet *can* be installed without destroying existing configs, so this *should* work. i update the summary to add a checklist reflecting that.

comment:4 Changed 9 months ago by anarcat

Description: modified (diff)

comment:5 Changed 9 months ago by anarcat

Points: 10

probably underestimating here even, but gotta give some ballpark.

comment:6 Changed 9 months ago by anarcat

Description: modified (diff)

reorder checklist: we can't have nice things as the icinga module immediately rewrites the icinga.cfg, at the very least. also add items to convert NRPE, which I have overlooked.

comment:7 Changed 9 months ago by anarcat

forgot to mentioned I merged the icinga module in our puppet, without any changes, and without including it anywhere, after an audit, so at least that is ready to roll.

however, considering how different this thing is from our configuration, i wonder if it might not be better to just setup a new server from scratch, using puppet.

comment:8 Changed 8 months ago by anarcat

Keywords: tpa-roadmap-april added; tpa-roadmap-february removed

comment:9 Changed 6 months ago by anarcat

Keywords: tpa-roadmap-april removed

remove from the roadmap altogether, we do not have time to complete this.

Note: See TracTickets for help on using tickets.