Installation
Tested on (Requirements)
OS base: CentOS 7 (x86_64)
Provisioner: Ansible ≥ 4.4.1
Extra Libraries:
PyCrypto > 2.6.1
Note
It is important to check if the PyCrypto system version is greater than 2.6.1, because this is a pre-requisite that Ansible-vault needs to work correctly.
Directory Structure
.
├── ansible.cfg
├── inventory
│   └── hosts
├── playbooks
│   └── healthcheck.yml
└── roles
    └── healthcheck
        ├── handlers
        ├── tasks
        ├── vars
        ├── templates
        └── files
Ansible Structure
We implemented an Ansible role that contains the whole process of installing and configuring Nagios and its integration with some plugins.
---
##############################################################
# INITIAL-CONFIGURATION #
##############################################################
- include_tasks: dell-repos.yml
- include_tasks: packages.yml
- include_tasks: nagios-users.yml
- include_tasks: apache-config.yml
- include_tasks: firewall-config.yml
- include_tasks: ipmi-config.yml
- include_tasks: mail-config.yml
- include_tasks: snmp-config.yml
##############################################################
# NAGIOS-CORE #
##############################################################
- include_tasks: nagios-installed.yml
- include_tasks: nagios-install.yml
  when: nagios_installed.stat.exists == false
- include_tasks: nagios-config.yml
- include_tasks: nagios-post-install.yml
  when: nagios_installed.stat.exists == false
- include_tasks: selinux-config.yml
##############################################################
# NAGIOS-PLUGINS #
##############################################################
- include_tasks: nagios-plugins-installed.yml
- include_tasks: nagios-plugins.yml
  when: nagios_plugins_installed.matched == 0
- include_tasks: dell-plugin.yml
  when: dell_plugin_dir.stat.exists == false
- include_tasks: dell-plugin-config.yml
- include_tasks: ipmi-sensors-plugin.yml
  when: ipmi_sensor_plugin.stat.exists == false
- include_tasks: ipmi-plugin-status.yml
- include_tasks: ilo-plugin.yml
  when: ilo_plugins.matched == 0
- include_tasks: ilo-plugin-config.yml
- include_tasks: pnp4nagios-install.yml
  when: pnp_dir.stat.exists == false
- include_tasks: pnp4nagios-config.yml
##############################################################
# CHECK-CORRECT-CONFIG & REMOVE TEMP DIR #
##############################################################
- include_tasks: final-check.yml
Initial Configuration
dell-repos.yml
This procedure is necessary in order to install the package srvadmin-idrac7 from the official Dell repo. It makes it easier to check the presence or absence of the packages with the Ansible “yum” module instead of manually writing the compilation and verification process.
---
- name: Setup Dell Linux Independent Repository
  yum_repository:
    name: dell-system-update_independent
    state: present
    baseurl: "{{ baseurl_dell_independent_repo }}"
    description: dell-system-update_independent
    gpgkey: "{{ gpgkey_dell_independent_repo }}"
- name: Setup Dell Linux Dependent Repository
  yum_repository:
    name: dell-system-update_dependent
    state: present
    baseurl: "{{ baseurl_dell_dependent_repo }}"
    description: dell-system-update_dependent
    gpgkey: "{{ gpgkey_dell_dependent_repo }}"
packages.yml
This taskfile contains the dependencies for using some Ansible modules and for installing Nagios Core and its plugins.

| System Packages | Description |
|---|---|
| Python-passlib | Dependency of Ansible HTPASSWD Module |
| Python2-pip | PIP Installs OMSDK (Dependency of Dell Plugin) |
| LibSELinux-Python | Dependency of Ansible SELinux Module |
| PolicyCoreUtils-Python | Dependency of Ansible SELinux Module |
| mailx | Provides “mail” command, used in notify nagios commands |
| ipmiutil | Necessary for IPMI Status: Critical [X system event log (SEL) entries present] |

The other dependencies are listed in the taskfile shown below.
Note
This solution uses a list of packages in the yum ansible module instead of an ansible iterator (item) because this specification improves the install operation, creating a complete dependency tree instead of calling “n times” the yum module.
Note
The @ syntax in yum module specifies the item is a package group.
Note
The Dell OpenManage Plugin has two lists of dependencies: The first one is installed with the “yum” module and the second one with the “pip” module.
---
- name: System Packages
  yum:
    name:
      - python-passlib # Dependency for htpasswd ansible module
      - python2-pip # PIP Installs OMSDK required for Dell plugin
      - libselinux-python # SELinux Ansible module dependency
      - policycoreutils-python # SELinux Ansible module dependency
      - mailx
      - ipmiutil
    state: present
    update_cache: yes
- name: NAGIOS Dependencies
  yum:
    name:
      - httpd
      - php
      - glibc
      - gcc
      - glibc-common
      - gd
      - gd-devel
      - make
      - net-snmp
      - "@development"
    state: present
  tags: centos-7,nagios,packages
- name: IPMI_Sensor Monitoring Plugin Dependencies
  yum:
    name:
      - freeipmi
      - perl
      - perl-IPC-Run
    state: present
    update_cache: yes
- name: Dependencies for iLO REST Plugin
  yum:
    name:
      - curl
      - libcurl
      - libcurl-devel
      - nmap
      - libtdb-devel
      - python
      - openssl-devel
    state: present
    update_cache: yes
- name: Dependencies for Dell OME Plugin
  yum:
    name:
      - perl-Sys-Syslog # SNMPTT Dependency
      - perl-Net-IP
      - perl-Net-SNMP
      - libwsman1
      - openwsman-perl
      - perl-Socket6
      - snmptt
      - net-snmp-perl
      - srvadmin-idrac7
      - java-1.8.0-openjdk
      - java-1.8.0-openjdk-devel
      - python-netaddr
    state: present
    update_cache: yes
- name: Python dependency for Dell OME Plugin
  pip:
    name:
      - omsdk
      - omdrivers
      - argparse
    state: present
- name: Dependencies for PNP4Nagios
  yum:
    name:
      - rrdtool
      - php
      - perl
      - rrdtool-perl
      - php-gd
    state: present
nagios-users.yml
Before installing Nagios Core, it is necessary to create a nagios user and a nagcmd group whose members will be the apache and nagios users. It’s also necessary to let nagios execute /usr/sbin/ipmi-sensors and /usr/sbin/ipmi-sel with root permissions. This is ensured by an explicit entry in the sudoers file.
---
- name: Group nagcmd needed by NAGIOS
  group:
    name: nagcmd
    state: present
- name: User nagios
  user:
    name: nagios
    groups: nagcmd
    password: "{{ nagios_passwd }}"
- name: User apache in group nagcmd
  user:
    name: apache
    groups: nagcmd
- name: SUDO permissions for ipmi execution
  lineinfile:
    path: /etc/sudoers
    regexp: '^nagios\s'
    line: 'nagios ALL=(root) NOPASSWD: /usr/sbin/ipmi-sensors, /usr/sbin/ipmi-sel'
    state: present
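A malformed line written directly to /etc/sudoers makes sudo refuse to run on the host. The variant below is an added example, not part of the original role: it applies the same rule only after visudo has checked the resulting file, then reads back the effective grant for the nagios user. The registered variable name is hypothetical, and the tasks are assumed to run as root.

```yaml
---
# Added example (not from the original role): the same sudoers rule,
# syntax-checked by visudo before /etc/sudoers is replaced.
- name: SUDO permissions for ipmi execution (validated)
  lineinfile:
    path: /etc/sudoers
    regexp: '^nagios\s'
    line: 'nagios ALL=(root) NOPASSWD: /usr/sbin/ipmi-sensors, /usr/sbin/ipmi-sel'
    state: present
    validate: /usr/sbin/visudo -cf %s

# Read back what sudo will actually grant to the nagios user.
- name: List effective sudo rules for nagios
  command: sudo -l -U nagios
  register: nagios_sudo_rules   # hypothetical variable name
  changed_when: false

# Both IPMI commands must be listed and no blanket NOPASSWD grant may exist.
- name: Check the IPMI rule and the absence of a blanket grant
  assert:
    that:
      - "'/usr/sbin/ipmi-sensors' in nagios_sudo_rules.stdout"
      - "'/usr/sbin/ipmi-sel' in nagios_sudo_rules.stdout"
      - "'NOPASSWD: ALL' not in nagios_sudo_rules.stdout"
    fail_msg: "Unexpected sudo grant for user nagios"
```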
apache-config.yml
The objective is to configure Nagios to provide a Web interface, so it’s necessary to write in the httpd.conf file the line Listen <IP>:80. In this generic installation, we will insert Listen 80, allowing every network interface to provide this service.
Finally, we will associate in /etc/hosts our nagios_ip with the ServerName set previously.
---
- name: Apache necessary line in httpd.conf
  lineinfile:
    path: /etc/httpd/conf/httpd.conf
    line: "Listen 80"
  notify: apache_restart
- name: Define Host
  lineinfile:
    path: /etc/hosts
    line: "{{ nagios_ip }} {{ health_server_name }}"
firewall-config.yml
Note
It’s important to remember that Firewalld is the firewall of the system in CentOS 7.
We will need to allow HTTP port in the firewall configuration. The SNMP ports (161-162) should be allowed for the correct operation of iLO REST Plugin. We decided to allow these firewall requirements in the public zone.
---
- name: Allow requests throw port 80
  firewalld:
    zone: public
    service: http
    state: enabled
    permanent: true
  notify:
    - apache_restart
    - firewalld_restart
- name: Allow SNMP ports for iLO REST Plugin
  firewalld:
    zone: public
    port: 161-162/udp
    state: enabled
    permanent: true
  notify:
    - firewalld_restart
ipmi-config.yml
Assures the existence of ipmi-config directory and synchronizes the ipmi.cfg file with root as owner, nagcmd as Group owner and permissions 640: read and write for Owner and read-only for group members. If the final state of the task is changed, Nagios daemon is restarted.
---
- name: Assures existence of ipmi-config Directory
  file:
    path: /etc/ipmi-config/
    state: directory
- name: Syncronize IPMI configuration
  template:
    src: "etc/ipmi-config/{{ item }}.j2"
    dest: "/etc/ipmi-config/{{ item }}"
    owner: root
    group: nagcmd
    mode: 0640
  with_items:
    - ipmi-ilo.cfg
    - ipmi-dell.cfg
  notify:
    - nagios_restart
mail-config.yml
Synchronizes the mail configuration file with the version located in the repository.
Warning
Read the section Mail Configuration for more details.
---
- name: Synchronizes the mail configuration
  copy:
    src: etc/mail.rc
    dest: /etc/mail.rc
snmp-config.yml
The Dell plugin requires this previous SNMP configuration. Read the section Preconfiguration for more details.
Synchronizes /etc/snmp/snmptt.ini and /etc/snmp/snmptrapd.conf snmp configuration files, with the version located in the repository. If there is a modification, snmptt and snmptrapd services are restarted. After that, those services are enabled in boot time if they were not enabled.
---
- name: Synchronize Nagios config files
  copy:
    src: "{{ item }}"
    dest: "/{{ item }}"
  with_items:
    - etc/snmp/snmptt.ini
    - etc/snmp/snmptrapd.conf
  notify:
    - snmptt_restart
    - snmptrapd_restart
- name: SNMP services enabled in boot time
  service:
    name: "{{ item }}"
    enabled: yes
  with_items:
    - snmptt
    - snmptrapd
Installing Nagios Core
nagios-install.yml and nagios-installed.yml
This taskfile is included only when the path /usr/local/nagios doesn’t exist. This state is registered in nagios-installed.yml, with the module stat.
---
- name: Check if NAGIOS is installed
  stat:
    path: /usr/local/nagios
  register: nagios_installed
Nagios Core is downloaded from {{ nagios_core_url }} and stored in {{ temp_dir }}, then it is configured with nagcmd as the command group, and openssl enabled. Then, the MakeFile is executed as follows [1]:
| Make options used | Descriptions |
|---|---|
| make all | . |
| make install | Install main program, CGI’s and HTML files |
| make install-init | Install the init script |
| make install-commandmode | Install and configures permissions for holding external command file |
| make install-config | Generates templates for initial configuration |
Note
The directive make install-webconf is executed in nagios-post-install.yml
---
- name: Create Temp Dir
  file:
    path: "{{ temp_dir }}"
    state: directory
- name: Download Nagios Core
  get_url:
    url: "{{ nagios_core_url }}"
    dest: "{{ temp_dir }}"
- name: Extract Nagios
  unarchive:
    src: "{{ temp_dir }}/nagios-4.4.1.tar.gz"
    dest: "{{ temp_dir }}"
- name: Exec configure
  shell: "./configure --build=x86_64-redhat-linux --with-command-group=nagcmd --with-openssl"
  args:
    chdir: "{{ temp_dir }}/nagios-4.4.1"
- name: Make all
  make:
    chdir: "{{ temp_dir }}/nagios-4.4.1"
    target: all
- name: Make install
  make:
    chdir: "{{ temp_dir }}/nagios-4.4.1"
    target: install
- name: Install Nagios-init scripts
  make:
    chdir: "{{ temp_dir }}/nagios-4.4.1"
    target: install-init
- name: Install Nagios Command-mode
  make:
    chdir: "{{ temp_dir }}/nagios-4.4.1"
    target: install-commandmode
- name: Generates Templates for Nagios configure Files
  make:
    chdir: "{{ temp_dir }}/nagios-4.4.1"
    target: install-config
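The build above configures, compiles and installs as root whatever {{ nagios_core_url }} returns, so the download is the step to pin. The tasks below are an added example, not part of the original role: they restrict the build directory to root and make get_url fail when the tarball does not match a known SHA-256 digest. The variable nagios_core_sha256 is hypothetical, and remote_src assumes the archive is unpacked on the managed host where it was downloaded.

```yaml
---
# Added example (not from the original role): pin the tarball to a known digest.
# nagios_core_sha256 is a hypothetical variable; set it to the SHA-256 value
# obtained from a trusted channel for the release you deploy.
- name: Create Temp Dir (root only)
  file:
    path: "{{ temp_dir }}"
    state: directory
    owner: root
    group: root
    mode: "0700"

- name: Download Nagios Core (fails on digest mismatch)
  get_url:
    url: "{{ nagios_core_url }}"
    dest: "{{ temp_dir }}/nagios-4.4.1.tar.gz"
    checksum: "sha256:{{ nagios_core_sha256 }}"
    mode: "0600"

# The archive already lives on the managed host, hence remote_src.
- name: Extract Nagios
  unarchive:
    src: "{{ temp_dir }}/nagios-4.4.1.tar.gz"
    dest: "{{ temp_dir }}"
    remote_src: yes
```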
nagios-config.yml
This taskfile synchronizes the Nagios config files with the ones stored in the repository. If the synchronization changes anything, the Nagios daemon is restarted with the handler nagios_restart.
Then, the module htpasswd assigns the password stored with Ansible Vault in the variable {{ nagios_admin_passwd }} using ldap_sha1 as crypt scheme and restarts Nagios daemon if the final state of the task is changed.
---
- name: Synchronize Nagios config files
  copy:
    src: "{{ item }}"
    dest: "/{{ item }}"
  with_items:
    - usr/local/nagios/etc/objects/contacts.cfg
    - usr/local/nagios/etc/objects/localhost.cfg
    - usr/local/nagios/etc/objects/commands.cfg
    - usr/local/nagios/etc/nagios.cfg
    - usr/local/nagios/etc/objects/common.cfg
    - usr/local/nagios/etc/objects/timeperiods.cfg
    - usr/local/nagios/etc/objects/common_services.cfg
  notify:
    - nagios_restart
- name: Assing password for the Web GUI user nagiosadmin
  htpasswd:
    path: /usr/local/nagios/etc/htpasswd.users
    name: nagiosadmin
    password: "{{ nagios_admin_passwd }}"
    crypt_scheme: ldap_sha1
  notify:
    - nagios_restart
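The ldap_sha1 scheme stores an unsalted, single-round SHA-1 digest (the {SHA} format), so a leaked htpasswd.users file is cheap to attack offline. The tasks below are an added example, not part of the original role: they use the htpasswd module's default salted scheme, restrict who can read the file, keep the vaulted password out of task output, and check that no {SHA} entries remain. The group apache, the file mode and the registered variable name are assumptions.

```yaml
---
# Added example (not from the original role).
- name: Assign password for the Web GUI user nagiosadmin
  htpasswd:
    path: /usr/local/nagios/etc/htpasswd.users
    name: nagiosadmin
    password: "{{ nagios_admin_passwd }}"
    crypt_scheme: apr_md5_crypt   # module default: salted and iterated
    owner: root
    group: apache                 # assumption: httpd runs as user/group apache
    mode: "0640"
  no_log: true                    # keep the vaulted password out of task output
  notify:
    - nagios_restart

# grep -c prints the match count; rc 1 only means "no match", rc 2 is an error.
- name: Count leftover unsalted {SHA} entries
  command: grep -c -F '{SHA}' /usr/local/nagios/etc/htpasswd.users
  register: sha_entries           # hypothetical variable name
  changed_when: false
  failed_when: sha_entries.rc not in [0, 1]

- name: Fail if any account still uses the {SHA} format
  assert:
    that:
      - sha_entries.stdout | int == 0
    fail_msg: "htpasswd.users still contains unsalted SHA-1 entries"
```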
nagios-post-install.yml
After nagios-config.yml is completed, make install-webconf is executed, generating
the Apache config file for Nagios Web Interface. This step is executed only if Nagios Core was
not installed before the current execution.
---
- name: Make install-webconf
  make:
    chdir: "{{ temp_dir }}/nagios-4.4.1"
    target: install-webconf
selinux-config.yml
Note
By default, the files under the directory /usr/local/nagios/var/rw don’t belong to the httpd_sys_rw_content_t context. It is necessary to add these contexts (this is what the taskfile does) because the Web interface interacts with Nagios through the Command File /usr/local/nagios/var/rw/nagios.cmd, executing from /usr/local/nagios/sbin/.
Warning
The error Could not stat() command file /usr/local/nagios/var/rw/nagios.cmd
is fixed by this taskfile. The explanation is in the Nagios Command Error section.
It’s necessary to execute restorecon -r <directory> in order to reapply the SELinux
configuration over these directories. This is executed by a handler in the Ansible role.
---
- name: Allow apache to modify nagios command file
  sefcontext:
    target: '/usr/local/nagios/var/rw(/.*)?'
    setype: httpd_sys_rw_content_t
    state: present
  notify: nagios_cmd_selinux_sync
- name: Allow apache to execute in /usr/local/nagios/sbin
  sefcontext:
    target: '/usr/local/nagios/sbin'
    setype: httpd_sys_script_exec_t
    state: present
  notify: nagios_sbin_selinux_sync
Installing Nagios Plugins
The taskfile nagios-plugins-installed.yml registers in ansible variables if the plugins are
installed or not.
---
- name: Checks if NAGIOS basic plugins are installed
  find:
    paths: /usr/local/nagios/libexec
  register: nagios_plugins_installed
- name: Checks if IPMI-Sensor plugin is installed
  stat:
    path: /usr/local/nagios/libexec/check_ipmi_sensor
  register: ipmi_sensor_plugin
- name: Checks if iLO REST plugin is installed
  find:
    paths: /usr/local/nagios/libexec
    patterns: "*hpeilo*"
  register: ilo_plugins
- name: Checks if Dell OME plugin is installed
  stat:
    path: /usr/local/nagios/dell
  register: dell_plugin_dir
- name: Checks if PNP4Nagios is installed
  stat:
    path: /usr/local/pnp4nagios
  register: pnp_dir
Read the following sections for more information about the installation and configuration process of the plugins.
Final Check
The final steps include removing {{ temp_dir }} and checking the Nagios configuration with the
command /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg.
The run finishes by using handlers to ensure that the nagios and apache services are started and enabled to start at boot time.
---
- name: Check integrity in Nagios configuration
  shell: "/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg"
  notify:
    - nagios_started
    - apache_started
    - nagios_enabled
    - apache_enabled
- name: Remove temp dir
  file:
    path: "{{ temp_dir }}"
    state: absent