author | Christian Pointner <equinox@spreadspace.org> | 2023-05-26 21:34:14 +0200 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2023-07-17 21:51:22 +0200 |
commit | 695131994b5a749e129fb304e8ba709acd37afe8 (patch) | |
tree | 02111746a1cd0cfc31c5736170b12aafadcb771e /roles/monitoring/prometheus/exporter/chrony | |
parent | make textfile collector for apt packages configurable (diff) |
add support for chrony_exporter (replaces textfile collector)
Diffstat (limited to 'roles/monitoring/prometheus/exporter/chrony')
4 files changed, 117 insertions, 0 deletions
diff --git a/roles/monitoring/prometheus/exporter/chrony/defaults/main.yml b/roles/monitoring/prometheus/exporter/chrony/defaults/main.yml
new file mode 100644
index 00000000..699ed580
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/chrony/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# prometheus_exporter_chrony_version:
+
+prometheus_exporter_chrony_enable_collectors:
+ - sources
+ - tracking
diff --git a/roles/monitoring/prometheus/exporter/chrony/handlers/main.yml b/roles/monitoring/prometheus/exporter/chrony/handlers/main.yml
new file mode 100644
index 00000000..0c940ca9
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/chrony/handlers/main.yml
@@ -0,0 +1,15 @@
+---
+- name: restart prometheus-chrony-exporter
+ service:
+ name: prometheus-chrony-exporter
+ state: restarted
+
+- name: reload nginx
+ service:
+ name: nginx
+ state: reloaded
+
+### TODO: remove this once all hosts have been migrated
+- name: reload systemd
+ systemd:
+ daemon_reload: yes
diff --git a/roles/monitoring/prometheus/exporter/chrony/tasks/main.yml b/roles/monitoring/prometheus/exporter/chrony/tasks/main.yml
new file mode 100644
index 00000000..f15037ec
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/chrony/tasks/main.yml
@@ -0,0 +1,65 @@
+---
+- name: generate apt pin file for exporter-chrony package
+ when: prometheus_exporter_chrony_version is defined
+ copy:
+ dest: "/etc/apt/preferences.d/prom-exporter-chrony.pref"
+ content: |
+ Package: prom-exporter-chrony
+ Pin: version {{ prometheus_exporter_chrony_version }}-1
+ Pin-Priority: 1001
+
+- name: remove apt pin file for exporter-chrony package
+ when: prometheus_exporter_chrony_version is not defined
+ file:
+ path: "/etc/apt/preferences.d/prom-exporter-chrony.pref"
+ state: absent
+
+- name: install apt packages
+ apt:
+ name: "prom-exporter-chrony{% if prometheus_exporter_chrony_version is defined %}={{ prometheus_exporter_chrony_version }}-1{% endif %}"
+ state: present
+ allow_downgrade: yes
+ notify: restart prometheus-chrony-exporter
+
+- name: generate systemd service unit
+ template:
+ src: service.j2
+ dest: /etc/systemd/system/prometheus-chrony-exporter.service
+ notify: restart prometheus-chrony-exporter
+
+- name: make sure prometheus-chrony-exporter is enabled and started
+ systemd:
+ name: prometheus-chrony-exporter.service
+ daemon_reload: yes
+ state: started
+ enabled: yes
+
+- name: register exporter
+ copy:
+ content: |
+ location = /chrony {
+ proxy_pass http://127.0.0.1:9123/metrics;
+ }
+ dest: /etc/prometheus/exporter/chrony.locations
+ notify: reload nginx
+
+
+## TODO: remove these tasks once all hosts have been migrated
+- name: make sure the systemd timer for chrony textfile collector is disabled and stopped
+ systemd:
+ service: prometheus-node-exporter_chrony.timer
+ enabled: no
+ state: stopped
+ register: result_systemd_stop
+ failed_when: "result_systemd_stop is failed and 'Could not find the requested service' not in result_systemd_stop.msg"
+
+- name: remove files from chrony textfile collector
+ loop:
+ - /etc/systemd/system/prometheus-node-exporter_chrony.timer
+ - /etc/systemd/system/prometheus-node-exporter_chrony.service
+ - /usr/local/share/prometheus-node-exporter/chrony
+ - /var/lib/prometheus-node-exporter/textfile-collector/chrony.prom
+ file:
+ path: "{{ item }}"
+ state: absent
+ notify: reload systemd
diff --git a/roles/monitoring/prometheus/exporter/chrony/templates/service.j2 b/roles/monitoring/prometheus/exporter/chrony/templates/service.j2
new file mode 100644
index 00000000..cb806649
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/chrony/templates/service.j2
@@ -0,0 +1,31 @@
+[Unit]
+Description=Prometheus chrony exporter
+
+[Service]
+Restart=always
+User=_chrony
+ExecStart=/usr/bin/prometheus-chrony-exporter --web.listen-address="127.0.0.1:9123" --chrony.address=unix:///run/chrony/chronyd.sock {% for collector in prometheus_exporter_chrony_enable_collectors %} --collector.{{ collector }}{% endfor %}{{ '' }}
+
+# systemd hardening-options
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/run/chrony
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target |
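Review bot: The three tasks in tasks/main.yml that write files (the `copy` for the apt pin file, the `template` for prometheus-chrony-exporter.service and the `copy` for chrony.locations) set no `owner`, `group` or `mode`, so the resulting permissions depend on the umask of the connection user. A systemd unit or an nginx include that ends up group- or world-writable would let a local account change what runs as a service or what nginx proxies. Setting `owner: root`, `group: root` and `mode: "0644"` on each of the three tasks removes that dependency. Whether `/chrony` is reachable without authentication depends on the server block that includes chrony.locations, which is not part of this diff and is worth checking alongside it.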
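Review bot: The hardening block in templates/service.j2 leaves the network side of the exporter unrestricted, although the `ExecStart` line only needs the loopback listener on 127.0.0.1:9123 and the unix socket under /run/chrony. Adding `RestrictAddressFamilies=AF_UNIX AF_INET`, `IPAddressDeny=any` and `IPAddressAllow=localhost` would confine it to exactly that; the set should be tested against the packaged binary before rollout. Separately, `User=_chrony` together with `ReadWritePaths=/run/chrony` gives the exporter the same access to chronyd.sock as the chrony user itself, and that socket presumably accepts configuration commands as well as monitoring queries. A comment in the unit saying why the unix socket is used for the `sources` and `tracking` collectors would help the next reader judge that trade-off.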