From 3ef83057161e6d973f79805340d4c3d210425465 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 30 May 2021 16:08:03 +0200 Subject: cleanup: old preliminary tasks --- .../prometheus/exporter/base/tasks/main.yml | 21 ++++++++-------- .../exporter/base/templates/nginx-vhost.conf.j2 | 15 ------------ .../prometheus/exporter/node/tasks/main.yml | 28 ++++------------------ roles/monitoring/prometheus/server/tasks/main.yml | 11 ++++----- 4 files changed, 18 insertions(+), 57 deletions(-) delete mode 100644 roles/monitoring/prometheus/exporter/base/templates/nginx-vhost.conf.j2 (limited to 'roles') diff --git a/roles/monitoring/prometheus/exporter/base/tasks/main.yml b/roles/monitoring/prometheus/exporter/base/tasks/main.yml index c3a04bd9..7982f1f9 100644 --- a/roles/monitoring/prometheus/exporter/base/tasks/main.yml +++ b/roles/monitoring/prometheus/exporter/base/tasks/main.yml @@ -1,16 +1,15 @@ --- - name: create main configuration directories - loop: - - exporters-available - - exporters-enabled file: - path: "/etc/prometheus-exporter/{{ item }}" + path: "/etc/prometheus/exporters" state: directory -- name: install nginx vhost - vars: - nginx_vhost: - name: prometheus-exporter - content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}" - include_role: - name: nginx/vhost +- name: install apt packages + apt: + name: prom-exporter-exporter + state: present + +## TODO: +## - systemd service unit +## - add snippet to exporter-exporter config-dir +## - create certificate/key diff --git a/roles/monitoring/prometheus/exporter/base/templates/nginx-vhost.conf.j2 b/roles/monitoring/prometheus/exporter/base/templates/nginx-vhost.conf.j2 deleted file mode 100644 index e032ca3d..00000000 --- a/roles/monitoring/prometheus/exporter/base/templates/nginx-vhost.conf.j2 +++ /dev/null 
@@ -1,15 +0,0 @@ -server { - listen {{ prometheus_exporter_port }}; - listen [::]:{{ prometheus_exporter_port }}; - server_name _; - - ## TODO: configure ssl - - location / { - return 404 "unknown exporter: $uri\n"; - } - include /etc/prometheus-exporter/exporters-enabled/*; - - access_log /var/log/nginx/access-prometheus-exporter.log; - error_log /var/log/nginx/error-prometheus-exporter.log; -} diff --git a/roles/monitoring/prometheus/exporter/node/tasks/main.yml b/roles/monitoring/prometheus/exporter/node/tasks/main.yml index 286b6d75..0758eb3f 100644 --- a/roles/monitoring/prometheus/exporter/node/tasks/main.yml +++ b/roles/monitoring/prometheus/exporter/node/tasks/main.yml @@ -1,29 +1,9 @@ --- - name: install apt packages apt: - name: prometheus-node-exporter + name: prom-exporter-node state: present - ## TODO: add other configs -- name: listen on localhost only - lineinfile: - path: /etc/default/prometheus-node-exporter - regexp: '^ARGS=' - line: 'ARGS="--web.listen-address=127.0.0.1:9100"' - notify: restart prometheus-node-exporter - -- name: create nginx snippet - copy: - content: | - location = /node { - proxy_pass http://127.0.0.1:9100/metrics; - } - dest: /etc/prometheus-exporter/exporters-available/node - # notify: reload nginx - -- name: enable nginx snippet - file: - src: /etc/prometheus-exporter/exporters-available/node - dest: /etc/prometheus-exporter/exporters-enabled/node - state: link - # notify: reload nginx +## TODO: +## - systemd service unit +## - add snippet to exporter-exporter config-dir diff --git a/roles/monitoring/prometheus/server/tasks/main.yml b/roles/monitoring/prometheus/server/tasks/main.yml index 784e872a..ec5bd9a9 100644 --- a/roles/monitoring/prometheus/server/tasks/main.yml +++ b/roles/monitoring/prometheus/server/tasks/main.yml 
@@ -8,12 +8,9 @@ - name: install apt packages apt: - name: prometheus + name: prom-server state: present -- name: listen on localhost only - lineinfile: - path: /etc/default/prometheus - regexp: '^ARGS=' - line: 'ARGS="--web.listen-address=127.0.0.1:9090 --storage.tsdb.retention={{ prometheus_server_retention }}"' - notify: restart prometheus +## TODO: +## - systemd service unit +## - create CA and certificate/key -- cgit v1.2.3 From e29ce4fdbe2ce669c62777fffa18ae8557e54a73 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 30 May 2021 22:28:46 +0200 Subject: prometheus: initial simple server role --- chaos-at-home/ch-mon.yml | 12 +++++ inventory/group_vars/chaos-at-home/network.yml | 3 ++ inventory/host_vars/ch-mon.yml | 62 ++++++++++++++++++++++ inventory/hosts.ini | 2 + roles/monitoring/prometheus/server/tasks/main.yml | 48 ++++++++++++++++- .../server/templates/prometheus.service.j2 | 38 +++++++++++++ .../prometheus/server/templates/prometheus.yml.j2 | 11 ++++ 7 files changed, 175 insertions(+), 1 deletion(-) create mode 100644 chaos-at-home/ch-mon.yml create mode 100644 inventory/host_vars/ch-mon.yml create mode 100644 roles/monitoring/prometheus/server/templates/prometheus.service.j2 create mode 100644 roles/monitoring/prometheus/server/templates/prometheus.yml.j2 (limited to 'roles') diff --git a/chaos-at-home/ch-mon.yml b/chaos-at-home/ch-mon.yml new file mode 100644 index 00000000..fb0eff53 --- /dev/null +++ b/chaos-at-home/ch-mon.yml @@ -0,0 +1,12 @@ +--- +- name: Basic Setup + hosts: ch-mon + roles: + - role: apt-repo/base + - role: core/base + - role: core/sshd/base + - role: core/zsh + - role: core/ntp + - role: storage/lvm/groups + - role: apt-repo/spreadspace + - role: monitoring/prometheus/server diff --git a/inventory/group_vars/chaos-at-home/network.yml b/inventory/group_vars/chaos-at-home/network.yml index db345b75..fa34a7a0 100644 --- a/inventory/group_vars/chaos-at-home/network.yml +++ b/inventory/group_vars/chaos-at-home/network.yml 
@@ -41,6 +41,7 @@ network_zones: key: "{{ vault_wifi_keys.iot }}" offsets: ch-wled-test: 1 + ch-mon: 230 ch-iot: 254 svc: @@ -63,6 +64,7 @@ network_zones: ch-nic: 53 __svc_http__: 80 __svc_imap__: 143 + ch-mon: 230 ch-router-obsd: 253 ch-router: 254 ############# @@ -83,6 +85,7 @@ network_zones: ch-sw1: 201 ch-ap0: 220 ch-ap1: 221 + ch-mon: 230 ch-gnocchi: 240 ch-router: 241 diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml new file mode 100644 index 00000000..6bfa58d4 --- /dev/null +++ b/inventory/host_vars/ch-mon.yml @@ -0,0 +1,62 @@ +--- +install_jumphost: ch-jump + +install: + vm: + memory: 8G + numcpus: 8 + autostart: yes + disks: + primary: /dev/sda + scsi: + sda: + type: zfs + name: root + size: 10g + sdb: + type: zfs + name: data + size: 50g + interfaces: + - bridge: br-svc + name: svc0 + - bridge: br-iot + name: iot0 + - bridge: br-mgmt + name: mgmt0 + +network: + nameservers: "{{ network_zones.svc.dns }}" + domain: "{{ host_domain }}" + systemd_link: + interfaces: "{{ install.interfaces }}" + primary: &_network_primary_ + name: svc0 + address: "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets[inventory_hostname]) | ipaddr('address/prefix') }}" + gateway: "{{ network_zones.svc.gateway }}" + static_routes: + - destination: "{{ network_zones.lan.prefix }}" + gateway: "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ipaddr('address') }}" + interfaces: + - *_network_primary_ + - name: iot0 + address: "{{ network_zones.iot.prefix | ipaddr(network_zones.iot.offsets[inventory_hostname]) | ipaddr('address/prefix') }}" + - name: mgmt0 + address: "{{ network_zones.mgmt.prefix | ipaddr(network_zones.mgmt.offsets[inventory_hostname]) | ipaddr('address/prefix') }}" + + +lvm_groups: + mondata: + pvs: + - /dev/sdb + + +spreadspace_apt_repo_components: + - prometheus + +prometheus_server_storage: + type: lvm + vg: mondata + lv: prometheus + size: 30G + fs: ext4 
diff --git a/inventory/hosts.ini b/inventory/hosts.ini index 871ee575..954e9374 100644 --- a/inventory/hosts.ini +++ b/inventory/hosts.ini @@ -30,6 +30,7 @@ ch-prometheus-legacy host_name=prometheus ch-testvm-prometheus host_name=testvm-prometheus ch-iot host_name=iot ch-vpn host_name=vpn +ch-mon host_name=mon ch-epimetheus host_name=epimetheus ch-mc host_name=mc ch-atlas host_name=atlas @@ -324,6 +325,7 @@ ch-prometheus-legacy ch-testvm-prometheus ch-iot ch-vpn +ch-mon ch-k8s-master [vmhost-ch-prometheus] ch-prometheus diff --git a/roles/monitoring/prometheus/server/tasks/main.yml b/roles/monitoring/prometheus/server/tasks/main.yml index ec5bd9a9..ffbc5ffe 100644 --- a/roles/monitoring/prometheus/server/tasks/main.yml +++ b/roles/monitoring/prometheus/server/tasks/main.yml @@ -1,4 +1,11 @@ --- +- name: check if prometheus apt component of spreadspace repo is enabled + assert: + msg: "please enable the 'prometheus' component of spreadspace repo using 'spreadspace_apt_repo_components'" + that: + - spreadspace_apt_repo_components is defined + - "'prometheus' in spreadspace_apt_repo_components" + - name: prepare storage volume for /var/lib/prometheus when: prometheus_server_storage is defined vars: 
@@ -11,6 +18,45 @@ name: prom-server state: present +- name: create configuration directories + loop: + - rules + - targets + file: + path: "/etc/prometheus/{{ item }}" + state: directory + +- name: generate configuration file + template: + src: prometheus.yml.j2 + dest: /etc/prometheus/prometheus.yml + +- name: add user for server + user: + name: prometheus + system: yes + home: /var/lib/prometheus + create_home: no + +- name: create data directory + file: + path: /var/lib/prometheus/metrics2 + state: directory + owner: prometheus + group: prometheus + ## TODO: -## - systemd service unit ## - create CA and certificate/key + +- name: generate systemd service unit + template: + src: prometheus.service.j2 + dest: /etc/systemd/system/prometheus.service + notify: restart prometheus + +- name: make sure prometheus is enabled and started + systemd: + name: prometheus.service + daemon_reload: yes + state: started + enabled: yes diff --git a/roles/monitoring/prometheus/server/templates/prometheus.service.j2 b/roles/monitoring/prometheus/server/templates/prometheus.service.j2 new file mode 100644 index 00000000..0530e589 --- /dev/null +++ b/roles/monitoring/prometheus/server/templates/prometheus.service.j2 
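Review bot: `create data directory` sets `owner` and `group` but no `mode`, so `/var/lib/prometheus/metrics2` is created with whatever the umask yields (normally world-readable) and every local account can read the TSDB. Add `mode: "0750"` to that task. The same applies to the `/etc/prometheus/{{ item }}` directories and the two `template` tasks, where an explicit `owner: root` and `mode: "0644"` would make the intent visible. The hunk starts inside the `install apt packages` task, whose beginning lies outside it.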
@@ -0,0 +1,38 @@ +[Unit] +Description=Monitoring system and time series database +Documentation=https://prometheus.io/docs/introduction/overview/ man:prometheus(1) +After=time-sync.target + +[Service] +Restart=on-failure +User=prometheus +ExecStart=/usr/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus/metrics2/ --storage.tsdb.retention.time={{ prometheus_server_retention }} +ExecReload=/bin/kill -HUP $MAINPID +TimeoutStopSec=20s +SendSIGKILL=no + +# systemd hardening-options +AmbientCapabilities= +CapabilityBoundingSet= +DeviceAllow=/dev/null rw +DevicePolicy=strict +LimitMEMLOCK=0 +LimitNOFILE=8192 +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +PrivateUsers=true +ProtectControlGroups=true +ProtectHome=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectSystem=full +RemoveIPC=true +RestrictNamespaces=true +RestrictRealtime=true +SystemCallArchitectures=native + +[Install] +WantedBy=multi-user.target diff --git a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 new file mode 100644 index 00000000..cadc3ef0 --- /dev/null +++ b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 @@ -0,0 +1,11 @@ +global: + scrape_interval: 15s + evaluation_interval: 15s + +rule_files: + - /etc/prometheus/rules/*.yml + +scrape_configs: + - job_name: 'prometheus' + static_configs: + - targets: ['localhost:9090'] -- cgit v1.2.3 From acfdc3ae8545177547fa75510cb9e56e0b909156 Mon Sep 17 00:00:00 2001 
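Review bot: The `ExecStart` line in prometheus.service.j2 passes no `--web.listen-address`, so Prometheus falls back to its default of listening on all interfaces on port 9090. The earlier cleanup commit removed the task that pinned it to `127.0.0.1:9090`, and the host_vars added in this commit attach ch-mon to the svc, iot and mgmt bridges, so the unauthenticated web UI and API would be reachable from each of those networks unless a firewall outside this diff restricts it. I would add `--web.listen-address={{ prometheus_server_listen }}` to `ExecStart` with a role default of `127.0.0.1:9090` (the variable name is only a suggestion), and widen it only once some access control sits in front of it.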
From: Christian Pointner Date: Sun, 30 May 2021 23:24:32 +0200 Subject: prometheus basic exporter base role --- chaos-at-home/ch-mon.yml | 1 + .../prometheus/exporter/base/defaults/main.yml | 2 +- .../prometheus/exporter/base/handlers/main.yml | 5 +++ .../prometheus/exporter/base/tasks/main.yml | 37 ++++++++++++++++++---- .../prometheus/exporter/base/templates/service.j2 | 31 ++++++++++++++++++ 5 files changed, 69 insertions(+), 7 deletions(-) create mode 100644 roles/monitoring/prometheus/exporter/base/handlers/main.yml create mode 100644 roles/monitoring/prometheus/exporter/base/templates/service.j2 (limited to 'roles') diff --git a/chaos-at-home/ch-mon.yml b/chaos-at-home/ch-mon.yml index fb0eff53..b069bbf8 100644 --- a/chaos-at-home/ch-mon.yml +++ b/chaos-at-home/ch-mon.yml @@ -10,3 +10,4 @@ - role: storage/lvm/groups - role: apt-repo/spreadspace - role: monitoring/prometheus/server + - role: monitoring/prometheus/exporter/base diff --git a/roles/monitoring/prometheus/exporter/base/defaults/main.yml b/roles/monitoring/prometheus/exporter/base/defaults/main.yml index 5f8ce103..963763a5 100644 --- a/roles/monitoring/prometheus/exporter/base/defaults/main.yml +++ b/roles/monitoring/prometheus/exporter/base/defaults/main.yml @@ -1,2 +1,2 @@ --- -prometheus_exporter_port: 9000 +prometheus_exporter_listen: ":9999" diff --git a/roles/monitoring/prometheus/exporter/base/handlers/main.yml b/roles/monitoring/prometheus/exporter/base/handlers/main.yml new file mode 100644 index 00000000..ebd760cf --- /dev/null +++ b/roles/monitoring/prometheus/exporter/base/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart prometheus-exporter-exporter + service: + name: prometheus-exporter-exporter + state: restarted diff --git a/roles/monitoring/prometheus/exporter/base/tasks/main.yml b/roles/monitoring/prometheus/exporter/base/tasks/main.yml index 7982f1f9..fab6ff7b 100644 --- a/roles/monitoring/prometheus/exporter/base/tasks/main.yml 
+++ b/roles/monitoring/prometheus/exporter/base/tasks/main.yml @@ -1,15 +1,40 @@ --- -- name: create main configuration directories - file: - path: "/etc/prometheus/exporters" - state: directory +- name: check if prometheus apt component of spreadspace repo is enabled + assert: + msg: "please enable the 'prometheus' component of spreadspace repo using 'spreadspace_apt_repo_components'" + that: + - spreadspace_apt_repo_components is defined + - "'prometheus' in spreadspace_apt_repo_components" - name: install apt packages apt: name: prom-exporter-exporter state: present +- name: create configuration directories + file: + path: /etc/prometheus/exporter/enabled + state: directory + +- name: add user for prometheus-exporter + user: + name: prometheus-exporter + system: yes + home: /nonexistent + create_home: no + ## TODO: -## - systemd service unit -## - add snippet to exporter-exporter config-dir ## - create certificate/key + +- name: generate systemd service unit + template: + src: service.j2 + dest: /etc/systemd/system/prometheus-exporter-exporter.service + notify: restart prometheus-exporter-exporter + +- name: make sure prometheus-exporter-exporter is enabled and started + systemd: + name: prometheus-exporter-exporter.service + daemon_reload: yes + state: started + enabled: yes diff --git a/roles/monitoring/prometheus/exporter/base/templates/service.j2 b/roles/monitoring/prometheus/exporter/base/templates/service.j2 new file mode 100644 index 00000000..6069fc79 --- /dev/null +++ b/roles/monitoring/prometheus/exporter/base/templates/service.j2 
@@ -0,0 +1,31 @@ +[Unit] +Description=Prometheus exporter proxy + +[Service] +Restart=always +User=prometheus-exporter +ExecStart=/usr/bin/prometheus-exporter-exporter --config.dirs=/etc/prometheus/exporter/enabled --config.file="" --web.listen-address="{{ prometheus_exporter_listen }}" + +# systemd hardening-options +AmbientCapabilities= +CapabilityBoundingSet= +DeviceAllow=/dev/null rw +DevicePolicy=strict +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +PrivateUsers=true +ProtectControlGroups=true +ProtectHome=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectSystem=strict +RemoveIPC=true +RestrictNamespaces=true +RestrictRealtime=true +SystemCallArchitectures=native + +[Install] +WantedBy=multi-user.target -- cgit v1.2.3 From 35fb88969a6cb85d8ba7541820acf3b0ff891055 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Mon, 31 May 2021 22:41:50 +0200 Subject: prometheus: initial node exporter role --- chaos-at-home/ch-mon.yml | 1 + .../prometheus/exporter/base/templates/service.j2 | 1 + .../prometheus/exporter/node/defaults/main.yml | 5 +++ .../prometheus/exporter/node/handlers/main.yml | 6 ++++ .../prometheus/exporter/node/tasks/main.yml | 36 ++++++++++++++++++++-- .../prometheus/exporter/node/templates/service.j2 | 10 ++++++ 6 files changed, 56 insertions(+), 3 deletions(-) create mode 100644 roles/monitoring/prometheus/exporter/node/defaults/main.yml create mode 100644 roles/monitoring/prometheus/exporter/node/templates/service.j2 (limited to 'roles') diff --git a/chaos-at-home/ch-mon.yml b/chaos-at-home/ch-mon.yml index b069bbf8..2cb69484 100644 --- a/chaos-at-home/ch-mon.yml +++ b/chaos-at-home/ch-mon.yml @@ -11,3 +11,4 @@ - role: apt-repo/spreadspace - role: monitoring/prometheus/server - role: monitoring/prometheus/exporter/base + - role: monitoring/prometheus/exporter/node 
diff --git a/roles/monitoring/prometheus/exporter/base/templates/service.j2 b/roles/monitoring/prometheus/exporter/base/templates/service.j2 index 6069fc79..e2c54d6c 100644 --- a/roles/monitoring/prometheus/exporter/base/templates/service.j2 +++ b/roles/monitoring/prometheus/exporter/base/templates/service.j2 @@ -5,6 +5,7 @@ Description=Prometheus exporter proxy Restart=always User=prometheus-exporter ExecStart=/usr/bin/prometheus-exporter-exporter --config.dirs=/etc/prometheus/exporter/enabled --config.file="" --web.listen-address="{{ prometheus_exporter_listen }}" +{# TODO: implement reloading once the exporter_exporter supports this #} # systemd hardening-options AmbientCapabilities= diff --git a/roles/monitoring/prometheus/exporter/node/defaults/main.yml b/roles/monitoring/prometheus/exporter/node/defaults/main.yml new file mode 100644 index 00000000..5eff7844 --- /dev/null +++ b/roles/monitoring/prometheus/exporter/node/defaults/main.yml @@ -0,0 +1,5 @@ +--- +prometheus_exporter_node_disable_collectors: [] + +prometheus_exporter_node_extra_collectors: +- ntp diff --git a/roles/monitoring/prometheus/exporter/node/handlers/main.yml b/roles/monitoring/prometheus/exporter/node/handlers/main.yml index 9c62baf6..3e1b2000 100644 --- a/roles/monitoring/prometheus/exporter/node/handlers/main.yml +++ b/roles/monitoring/prometheus/exporter/node/handlers/main.yml @@ -3,3 +3,9 @@ service: name: prometheus-node-exporter state: restarted + +- name: reload prometheus-exporter-exporter + service: + name: prometheus-exporter-exporter + ## TODO: implement reload once exporter_exporter supports this... + state: restarted diff --git a/roles/monitoring/prometheus/exporter/node/tasks/main.yml b/roles/monitoring/prometheus/exporter/node/tasks/main.yml index 0758eb3f..694dafb0 100644 --- a/roles/monitoring/prometheus/exporter/node/tasks/main.yml +++ b/roles/monitoring/prometheus/exporter/node/tasks/main.yml 
@@ -1,9 +1,39 @@ --- +- name: check if prometheus apt component of spreadspace repo is enabled + assert: + msg: "please enable the 'prometheus' component of spreadspace repo using 'spreadspace_apt_repo_components'" + that: + - spreadspace_apt_repo_components is defined + - "'prometheus' in spreadspace_apt_repo_components" + - name: install apt packages apt: name: prom-exporter-node state: present -## TODO: -## - systemd service unit -## - add snippet to exporter-exporter config-dir +- name: create directory for textfile collector + file: + path: /var/lib/prometheus-node-exporter/textfile-collector + state: directory + +- name: generate systemd service unit + template: + src: service.j2 + dest: /etc/systemd/system/prometheus-node-exporter.service + notify: restart prometheus-node-exporter + +- name: make sure prometheus-exporter-exporter is enabled and started + systemd: + name: prometheus-node-exporter.service + daemon_reload: yes + state: started + enabled: yes + +- name: register exporter + copy: + content: | + method: http + http: + port: 9100 + dest: /etc/prometheus/exporter/enabled/node.yml + notify: reload prometheus-exporter-exporter diff --git a/roles/monitoring/prometheus/exporter/node/templates/service.j2 b/roles/monitoring/prometheus/exporter/node/templates/service.j2 new file mode 100644 index 00000000..c3b46472 --- /dev/null +++ b/roles/monitoring/prometheus/exporter/node/templates/service.j2 
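Review bot: The task named `make sure prometheus-exporter-exporter is enabled and started` actually manages `prometheus-node-exporter.service`; the name looks copied from the base role and will mislead anyone reading a play log. Rename it to `make sure prometheus-node-exporter is enabled and started`. Separately, `create directory for textfile collector` sets no owner or mode; since anything written there is exported as metrics, an explicit `owner: root` and `mode: "0755"` would document that only root is meant to write to it.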
@@ -0,0 +1,10 @@ +[Unit] +Description=Prometheus exporter + +[Service] +Restart=always +User=prometheus-exporter +ExecStart=/usr/bin/prometheus-node-exporter --web.listen-address="127.0.0.1:9100" --web.disable-exporter-metrics --collector.textfile.directory="/var/lib/prometheus-node-exporter/textfile-collector" {% for collector in prometheus_exporter_node_disable_collectors %} --no-collector.{{ collector }}{% endfor %}{% for collector in prometheus_exporter_node_extra_collectors %} --collector.{{ collector }}{% endfor %}{{ '' }} + +[Install] +WantedBy=multi-user.target -- cgit v1.2.3 From cff0e0a73e85f9c4bc89a481842fa5959d09a9b0 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Tue, 1 Jun 2021 17:43:29 +0200 Subject: prometheus: node exporter automatically select time-sync collector --- roles/monitoring/prometheus/exporter/node/defaults/main.yml | 11 +++++++++-- .../monitoring/prometheus/exporter/node/templates/service.j2 | 2 +- 2 files changed, 10 insertions(+), 3 deletions(-) (limited to 'roles') diff --git a/roles/monitoring/prometheus/exporter/node/defaults/main.yml b/roles/monitoring/prometheus/exporter/node/defaults/main.yml index 5eff7844..56227fbb 100644 --- a/roles/monitoring/prometheus/exporter/node/defaults/main.yml +++ b/roles/monitoring/prometheus/exporter/node/defaults/main.yml @@ -1,5 +1,12 @@ --- -prometheus_exporter_node_disable_collectors: [] +_prometheus_exporter_node_time_collector_map_: + "": timex + systemd-timesyncd: timex + chrony: ntp + openntpd: ntp + +prometheus_exporter_node_timesync_collector: "{{ _prometheus_exporter_node_time_collector_map_[ntp_variant | default('')] }}" +prometheus_exporter_node_disable_collectors: [] prometheus_exporter_node_extra_collectors: -- ntp +- "{{ prometheus_exporter_node_timesync_collector }}" diff --git a/roles/monitoring/prometheus/exporter/node/templates/service.j2 b/roles/monitoring/prometheus/exporter/node/templates/service.j2 index c3b46472..801850ed 100644 
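Review bot: This unit has none of the `# systemd hardening-options` block that the server and exporter-exporter units in this series carry, although the node exporter reads the most system state of the three. At least `NoNewPrivileges=true`, `CapabilityBoundingSet=` and `ProtectSystem=strict` should apply cleanly, since the process runs as `prometheus-exporter` and only reads. Options such as `ProtectHome=true` or `PrivateDevices=true` may hide mounts or devices from some collectors, so check those against the enabled collector list before copying the whole block. The collector names are also interpolated into `ExecStart` unquoted, which is fine while they come from role defaults but deserves a comment saying they must be plain collector identifiers.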
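Review bot: `_prometheus_exporter_node_time_collector_map_[ntp_variant | default('')]` only covers an unset `ntp_variant`; a value that is not a key of the map leaves `prometheus_exporter_node_timesync_collector` undefined. The unit template would then presumably fail with an undefined-variable error that does not name the cause. Use `_prometheus_exporter_node_time_collector_map_.get(ntp_variant | default(''), 'timex')` if falling back to `timex` is acceptable, or add an `assert` on the key so the failure message is explicit.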
--- a/roles/monitoring/prometheus/exporter/node/templates/service.j2 +++ b/roles/monitoring/prometheus/exporter/node/templates/service.j2 @@ -4,7 +4,7 @@ Description=Prometheus exporter [Service] Restart=always User=prometheus-exporter -ExecStart=/usr/bin/prometheus-node-exporter --web.listen-address="127.0.0.1:9100" --web.disable-exporter-metrics --collector.textfile.directory="/var/lib/prometheus-node-exporter/textfile-collector" {% for collector in prometheus_exporter_node_disable_collectors %} --no-collector.{{ collector }}{% endfor %}{% for collector in prometheus_exporter_node_extra_collectors %} --collector.{{ collector }}{% endfor %}{{ '' }} +ExecStart=/usr/bin/prometheus-node-exporter --web.listen-address="127.0.0.1:9100" --web.disable-exporter-metrics --collector.textfile.directory="/var/lib/prometheus-node-exporter/textfile-collector"{% for collector in prometheus_exporter_node_disable_collectors %} --no-collector.{{ collector }}{% endfor %}{% for collector in prometheus_exporter_node_extra_collectors %} --collector.{{ collector }}{% endfor %}{{ '' }} [Install] WantedBy=multi-user.target -- cgit v1.2.3 From 94f56133bb0035fe85ee9e58d573eb4485e9fa42 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Wed, 2 Jun 2021 00:46:12 +0200 Subject: prometheus: initial serverside config --- roles/monitoring/prometheus/exporter/node/tasks/main.yml | 7 ------- roles/monitoring/prometheus/server/defaults/main.yml | 3 +++ roles/monitoring/prometheus/server/tasks/main.yml | 16 ++++++++++++---- .../prometheus/server/templates/prometheus.yml.j2 | 13 ++++++++++++- 4 files changed, 27 insertions(+), 12 deletions(-) (limited to 'roles') diff --git a/roles/monitoring/prometheus/exporter/node/tasks/main.yml b/roles/monitoring/prometheus/exporter/node/tasks/main.yml index 694dafb0..c8756acf 100644 --- a/roles/monitoring/prometheus/exporter/node/tasks/main.yml +++ b/roles/monitoring/prometheus/exporter/node/tasks/main.yml 
@@ -1,11 +1,4 @@ --- -- name: check if prometheus apt component of spreadspace repo is enabled - assert: - msg: "please enable the 'prometheus' component of spreadspace repo using 'spreadspace_apt_repo_components'" - that: - - spreadspace_apt_repo_components is defined - - "'prometheus' in spreadspace_apt_repo_components" - - name: install apt packages apt: name: prom-exporter-node diff --git a/roles/monitoring/prometheus/server/defaults/main.yml b/roles/monitoring/prometheus/server/defaults/main.yml index b5d13b5d..ab08a2ff 100644 --- a/roles/monitoring/prometheus/server/defaults/main.yml +++ b/roles/monitoring/prometheus/server/defaults/main.yml @@ -4,3 +4,6 @@ # ... prometheus_server_retention: "15d" + +prometheus_server_jobs: + - node diff --git a/roles/monitoring/prometheus/server/tasks/main.yml b/roles/monitoring/prometheus/server/tasks/main.yml index ffbc5ffe..5c649f34 100644 --- a/roles/monitoring/prometheus/server/tasks/main.yml +++ b/roles/monitoring/prometheus/server/tasks/main.yml @@ -20,16 +20,18 @@ - name: create configuration directories loop: + - jobs - rules - targets file: path: "/etc/prometheus/{{ item }}" state: directory -- name: generate configuration file - template: - src: prometheus.yml.j2 - dest: /etc/prometheus/prometheus.yml +- name: create sub-directroy for all exporter types in jobs directory + loop: "{{ prometheus_server_jobs }}" + file: + path: "/etc/prometheus/jobs/{{ item }}" + state: directory - name: add user for server user: @@ -48,6 +50,12 @@ ## TODO: ## - create CA and certificate/key +- name: generate configuration file + template: + src: prometheus.yml.j2 + dest: /etc/prometheus/prometheus.yml + notify: restart prometheus + - name: generate systemd service unit template: src: prometheus.service.j2 diff --git a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 index cadc3ef0..007afa90 100644 
--- a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 +++ b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 @@ -8,4 +8,15 @@ rule_files: scrape_configs: - job_name: 'prometheus' static_configs: - - targets: ['localhost:9090'] + - targets: ['localhost:9090'] +{% for job in prometheus_server_jobs %} + + - job_name: '{{ job }}' + metrics_path: /proxy + params: + module: + - {{ job }} + file_sd_configs: + - files: + - "/etc/prometheus/jobs/{{ job }}/*.yml" +{% endfor %} -- cgit v1.2.3 From 43ec757a4cf7bc27f2156c490db67e7c38764d1b Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Wed, 2 Jun 2021 01:50:20 +0200 Subject: prometheus: server CA and certificates --- roles/monitoring/prometheus/server/tasks/main.yml | 4 +- roles/monitoring/prometheus/server/tasks/tls.yml | 98 +++++++++++++++++++++++ 2 files changed, 100 insertions(+), 2 deletions(-) create mode 100644 roles/monitoring/prometheus/server/tasks/tls.yml (limited to 'roles') diff --git a/roles/monitoring/prometheus/server/tasks/main.yml b/roles/monitoring/prometheus/server/tasks/main.yml index 5c649f34..61660a03 100644 --- a/roles/monitoring/prometheus/server/tasks/main.yml +++ b/roles/monitoring/prometheus/server/tasks/main.yml @@ -47,8 +47,8 @@ owner: prometheus group: prometheus -## TODO: -## - create CA and certificate/key +- name: create TLS CA and certificates + import_tasks: tls.yml - name: generate configuration file template: diff --git a/roles/monitoring/prometheus/server/tasks/tls.yml b/roles/monitoring/prometheus/server/tasks/tls.yml new file mode 100644 index 00000000..f9ad5ca3 --- /dev/null +++ b/roles/monitoring/prometheus/server/tasks/tls.yml 
@@ -0,0 +1,98 @@ +--- +- name: install python-cryptoraphy + apt: + name: "{{ python_basename }}-cryptography" + state: present + +- name: create base directory + file: + path: /etc/ssl/prometheus + state: directory + +- name: create CA directory + file: + path: /etc/ssl/prometheus/ca + state: directory + owner: root + group: root + mode: 0700 + +- name: create server cert/key directory + file: + path: /etc/ssl/prometheus/server + state: directory + owner: root + group: prometheus + mode: 0750 + +- name: create CA private key + openssl_privatekey: + path: /etc/ssl/prometheus/ca/key.pem + type: RSA + size: 4096 + owner: root + group: root + mode: 0600 + +- name: create signing request for CA certificate + openssl_csr: + path: /etc/ssl/prometheus/ca/csr.pem + privatekey_path: /etc/ssl/prometheus/ca/key.pem + CN: "prometheus CA" + useCommonNameForSAN: no + key_usage: + - cRLSign + - digitalSignature + - keyCertSign + key_usage_critical: yes + basic_constraints: + - 'CA:TRUE' + - 'pathlen:0' + basic_constraints_critical: yes + +- name: create self-signed CA certificate + openssl_certificate: + path: /etc/ssl/prometheus/ca-crt.pem + csr_path: /etc/ssl/prometheus/ca/csr.pem + privatekey_path: /etc/ssl/prometheus/ca/key.pem + provider: selfsigned + selfsigned_digest: sha256 + selfsigned_not_after: "+18250d" ## 50 years + + +- name: create server private key to connect to exporter + openssl_privatekey: + path: /etc/ssl/prometheus/server/exporter-key.pem + type: RSA + size: 4096 + owner: prometheus + group: prometheus + mode: 0400 + +- name: create signing request for server certificate to connect to exporter + openssl_csr: + path: /etc/ssl/prometheus/server/exporter-csr.pem + privatekey_path: /etc/ssl/prometheus/server/exporter-key.pem + CN: "{{ inventory_hostname }}" + subject_alt_name: + - "DNS:{{ host_name }}.{{ host_domain }}" + - "IP:{{ ansible_default_ipv4.address }}" + key_usage: + - digitalSignature + key_usage_critical: yes + extended_key_usage: + - clientAuth + 
extended_key_usage_critical: yes + basic_constraints: + - 'CA:FALSE' + basic_constraints_critical: yes + +- name: create server certificate to connect to exporter + openssl_certificate: + path: /etc/ssl/prometheus/server/exporter-crt.pem + csr_path: /etc/ssl/prometheus/server/exporter-csr.pem + provider: ownca + ownca_path: /etc/ssl/prometheus/ca-crt.pem + ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem + ownca_digest: sha256 + ownca_not_after: "+18250d" ## 50 years -- cgit v1.2.3 From 96232fb34906f9efd98189838141d896668d3dd8 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Wed, 2 Jun 2021 02:25:33 +0200 Subject: prometheus: preliminary tls support for exporter connections --- .../prometheus/exporter/base/tasks/main.yml | 4 +- .../prometheus/exporter/base/tasks/tls.yml | 61 ++++++++++++++++++++++ .../prometheus/exporter/base/templates/service.j2 | 2 +- .../prometheus/server/templates/prometheus.yml.j2 | 7 +++ 4 files changed, 71 insertions(+), 3 deletions(-) create mode 100644 roles/monitoring/prometheus/exporter/base/tasks/tls.yml (limited to 'roles') diff --git a/roles/monitoring/prometheus/exporter/base/tasks/main.yml b/roles/monitoring/prometheus/exporter/base/tasks/main.yml index fab6ff7b..9a214f39 100644 --- a/roles/monitoring/prometheus/exporter/base/tasks/main.yml +++ b/roles/monitoring/prometheus/exporter/base/tasks/main.yml @@ -23,8 +23,8 @@ home: /nonexistent create_home: no -## TODO: -## - create certificate/key +- name: create TLS certificate and key + import_tasks: tls.yml - name: generate systemd service unit template: diff --git a/roles/monitoring/prometheus/exporter/base/tasks/tls.yml b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml new file mode 100644 index 00000000..b2731b09 --- /dev/null +++ b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml 
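Review bot: Both `selfsigned_not_after` and `ownca_not_after` are set to `+18250d`, so the client certificate Prometheus uses to authenticate to every exporter is valid for 50 years, and nothing in this file produces a CRL or any other way to withdraw it if `exporter-key.pem` leaks. A long-lived CA is defensible, but the leaf should be short enough that expiry bounds the damage, e.g. `ownca_not_after: "+365d"` combined with a scheduled rerun that reissues it before expiry. Also, `/etc/ssl/prometheus` is created without `owner` or `mode`; adding `mode: "0755"` there and quoting the existing modes (`mode: "0700"`) keeps them from depending on the umask or on YAML integer parsing.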
@@ -0,0 +1,61 @@ +--- +- name: install python-cryptoraphy + apt: + name: "{{ python_basename }}-cryptography" + state: present + +- name: create base directory + file: + path: /etc/ssl/prometheus + state: directory + +- name: create exporter cert/key directory + file: + path: /etc/ssl/prometheus/exporter + state: directory + owner: root + group: prometheus-exporter + mode: 0750 + +- name: create exporter private key + openssl_privatekey: + path: /etc/ssl/prometheus/exporter/key.pem + type: RSA + size: 4096 + owner: prometheus-exporter + group: prometheus-exporter + mode: 0400 + notify: restart prometheus-exporter-exporter + +- name: create signing request for exporter certificate + openssl_csr: + path: /etc/ssl/prometheus/exporter/csr.pem + privatekey_path: /etc/ssl/prometheus/exporter/key.pem + CN: "{{ inventory_hostname }}" + subject_alt_name: + - "DNS:{{ host_name }}.{{ host_domain }}" + - "IP:{{ ansible_default_ipv4.address }}" + key_usage: + - digitalSignature + key_usage_critical: yes + extended_key_usage: + - serverAuth + extended_key_usage_critical: yes + basic_constraints: + - 'CA:FALSE' + basic_constraints_critical: yes + +## TODO: implement remote singing using server + +- name: create exporter certificate + openssl_certificate: + path: /etc/ssl/prometheus/exporter/crt.pem + csr_path: /etc/ssl/prometheus/exporter/csr.pem + provider: ownca + ownca_path: /etc/ssl/prometheus/ca-crt.pem + ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem + ownca_digest: sha256 + ownca_not_after: "+18250d" ## 50 years + notify: restart prometheus-exporter-exporter + +## TODO: install /etc/ssl/prometheus/ca-crt.pem from server diff --git a/roles/monitoring/prometheus/exporter/base/templates/service.j2 b/roles/monitoring/prometheus/exporter/base/templates/service.j2 index e2c54d6c..c24baf43 100644 --- a/roles/monitoring/prometheus/exporter/base/templates/service.j2 +++ b/roles/monitoring/prometheus/exporter/base/templates/service.j2 
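Review bot: `create exporter certificate` signs with `ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem` on the exporter host itself, so the role only works where the CA private key is present; on any host other than the Prometheus server that means either a failure or someone copying the CA key there. Since the exporters trust that CA for client authentication (`-web.tls.verify` is added to the unit in this same commit), a CA key on every monitored host would let any one of them issue a certificate that all the others accept. Until the `TODO` for remote signing is done, I would run the signing task with `delegate_to` pointing at the server (passing the CSR across), or at least `assert` that the role is applied only to the CA host, and say so in a comment next to the TODO. The 50-year `ownca_not_after` raises the same concern as in the server's tls.yml.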
@@ -4,7 +4,7 @@ Description=Prometheus exporter proxy [Service] Restart=always User=prometheus-exporter -ExecStart=/usr/bin/prometheus-exporter-exporter --config.dirs=/etc/prometheus/exporter/enabled --config.file="" --web.listen-address="{{ prometheus_exporter_listen }}" +ExecStart=/usr/bin/prometheus-exporter-exporter -config.dirs=/etc/prometheus/exporter/enabled -config.file="" -web.listen-address="" -web.tls.listen-address="{{ prometheus_exporter_listen }}" -web.tls.cert="/etc/ssl/prometheus/exporter/crt.pem" -web.tls.key="/etc/ssl/prometheus/exporter/key.pem" --web.tls.ca="/etc/ssl/prometheus/ca-crt.pem" -web.tls.verify {# TODO: implement reloading once the exporter_exporter supports this #} # systemd hardening-options diff --git a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 index 007afa90..e94ea043 100644 --- a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 +++ b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 @@ -9,6 +9,8 @@ scrape_configs: - job_name: 'prometheus' static_configs: - targets: ['localhost:9090'] + labels: + instance: "{{ inventory_hostname }}" {% for job in prometheus_server_jobs %} - job_name: '{{ job }}' @@ -16,6 +18,11 @@ scrape_configs: params: module: - {{ job }} + scheme: https + tls_config: + ca_file: /etc/ssl/prometheus/ca-crt.pem + cert_file: /etc/ssl/prometheus/server/exporter-crt.pem + key_file: /etc/ssl/prometheus/server/exporter-key.pem file_sd_configs: - files: - "/etc/prometheus/jobs/{{ job }}/*.yml" -- cgit v1.2.3 From f0e65f6846bce9b30f8a97bfab68a06795b730ed Mon Sep 17 00:00:00 2001 
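Review bot: The new `ExecStart` line mixes flag styles: every option uses a single dash except `--web.tls.ca`. Both spellings are probably accepted by the binary, but writing it as `-web.tls.ca="/etc/ssl/prometheus/ca-crt.pem"` keeps the line consistent and greppable. A template comment such as `{# -web.listen-address="" is meant to leave only the client-certificate-verified TLS listener #}` would record why the plain listener is set to an empty value, assuming that is what the empty value does in exporter_exporter. The unit file continues outside this hunk.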
From: Christian Pointner Date: Thu, 3 Jun 2021 15:14:23 +0200 Subject: prometheus: add blackbox exporter --- chaos-at-home/ch-mon.yml | 1 + .../prometheus/exporter/blackbox/defaults/main.yml | 22 ++++++++++ .../prometheus/exporter/blackbox/handlers/main.yml | 16 ++++++++ .../prometheus/exporter/blackbox/tasks/main.yml | 39 ++++++++++++++++++ .../exporter/blackbox/templates/config.yml.j2 | 4 ++ .../exporter/blackbox/templates/service.j2 | 32 +++++++++++++++ .../prometheus/exporter/node/templates/service.j2 | 2 +- .../monitoring/prometheus/server/handlers/main.yml | 5 +++ roles/monitoring/prometheus/server/tasks/main.yml | 2 +- .../prometheus/server/templates/prometheus.yml.j2 | 48 ++++++++++++++++++++++ 10 files changed, 169 insertions(+), 2 deletions(-) create mode 100644 roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml create mode 100644 roles/monitoring/prometheus/exporter/blackbox/handlers/main.yml create mode 100644 roles/monitoring/prometheus/exporter/blackbox/tasks/main.yml create mode 100644 roles/monitoring/prometheus/exporter/blackbox/templates/config.yml.j2 create mode 100644 roles/monitoring/prometheus/exporter/blackbox/templates/service.j2 (limited to 'roles') diff --git a/chaos-at-home/ch-mon.yml b/chaos-at-home/ch-mon.yml index 2cb69484..a1179204 100644 --- a/chaos-at-home/ch-mon.yml +++ b/chaos-at-home/ch-mon.yml @@ -12,3 +12,4 @@ - role: monitoring/prometheus/server - role: monitoring/prometheus/exporter/base - role: monitoring/prometheus/exporter/node + - role: monitoring/prometheus/exporter/blackbox diff --git a/roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml b/roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml new file mode 100644 index 00000000..fcf66555 --- /dev/null +++ b/roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml 
@@ -0,0 +1,22 @@ +--- +prometheus_exporter_blackbox_modules: + icmp: + prober: icmp + tcp_connect: + prober: tcp + tcp_tls: + prober: tcp + tcp: + tls: true + tls_config: + insecure_skip_verify: true + http_2xx: + prober: http + ssh_banner: + prober: tcp + tcp: + query_response: + - expect: "^SSH-2.0-" + - send: "SSH-2.0-blackbox-ssh-check" + +prometheus_exporter_blackbox_modules_extra: {} diff --git a/roles/monitoring/prometheus/exporter/blackbox/handlers/main.yml b/roles/monitoring/prometheus/exporter/blackbox/handlers/main.yml new file mode 100644 index 00000000..99a416e2 --- /dev/null +++ b/roles/monitoring/prometheus/exporter/blackbox/handlers/main.yml @@ -0,0 +1,16 @@ +--- +- name: restart prometheus-blackbox-exporter + service: + name: prometheus-blackbox-exporter + state: restarted + +- name: reload prometheus-blackbox-exporter + service: + name: prometheus-blackbox-exporter + state: reloaded + +- name: reload prometheus-exporter-exporter + service: + name: prometheus-exporter-exporter + ## TODO: implement reload once exporter_exporter supports this... + state: restarted diff --git a/roles/monitoring/prometheus/exporter/blackbox/tasks/main.yml b/roles/monitoring/prometheus/exporter/blackbox/tasks/main.yml new file mode 100644 index 00000000..3b8e997d --- /dev/null +++ b/roles/monitoring/prometheus/exporter/blackbox/tasks/main.yml 
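Review bot: The default `tcp_tls` module sets `insecure_skip_verify: true`, so a probe through it reports success for an expired, self-signed or wrong-host certificate, and a broken chain on a monitored service goes unnoticed. The same setting comes back in the `http_tls_2xx` module that a later commit on this page adds to this file. Verification is better left on by default (drop the `tls_config` block), with an explicitly named opt-out such as `tcp_tls_connect_insecure` for targets that need it. That module would carry the comment `# certificate validation disabled: only checks that a TLS handshake completes`.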
@@ -0,0 +1,39 @@ +--- +- name: install apt packages + apt: + name: prom-exporter-blackbox + state: present + +- name: create config directory + file: + path: /etc/prometheus/exporter/blackbox + state: directory + +- name: generate configuration + template: + src: config.yml.j2 + dest: /etc/prometheus/exporter/blackbox/config.yml + notify: reload prometheus-blackbox-exporter + +- name: generate systemd service unit + template: + src: service.j2 + dest: /etc/systemd/system/prometheus-blackbox-exporter.service + notify: restart prometheus-blackbox-exporter + +- name: make sure prometheus-exporter-exporter is enabled and started + systemd: + name: prometheus-blackbox-exporter.service + daemon_reload: yes + state: started + enabled: yes + +- name: register exporter + copy: + content: | + method: http + http: + port: 9115 + path: '/probe' + dest: /etc/prometheus/exporter/enabled/blackbox.yml + notify: reload prometheus-exporter-exporter diff --git a/roles/monitoring/prometheus/exporter/blackbox/templates/config.yml.j2 b/roles/monitoring/prometheus/exporter/blackbox/templates/config.yml.j2 new file mode 100644 index 00000000..01e3f7a0 --- /dev/null +++ b/roles/monitoring/prometheus/exporter/blackbox/templates/config.yml.j2 @@ -0,0 +1,4 @@ +# {{ ansible_managed }} + +modules: + {{ prometheus_exporter_blackbox_modules | combine(prometheus_exporter_blackbox_modules_extra) | to_nice_yaml(indent=2) | indent(2)}} diff --git a/roles/monitoring/prometheus/exporter/blackbox/templates/service.j2 b/roles/monitoring/prometheus/exporter/blackbox/templates/service.j2 new file mode 100644 index 00000000..c9c5712c --- /dev/null +++ b/roles/monitoring/prometheus/exporter/blackbox/templates/service.j2 
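Review bot: The task named `make sure prometheus-exporter-exporter is enabled and started` actually manages `prometheus-blackbox-exporter.service`, so run output and `--start-at-task` point at the wrong daemon; it should read `- name: make sure prometheus-blackbox-exporter is enabled and started`. The two `template` tasks and the `copy` into `/etc/prometheus/exporter/enabled/blackbox.yml` set no `owner` or `mode`; `owner: root` and `mode: "0644"` would make the resulting permissions independent of the umask. The `register exporter` step makes the blackbox `/probe` endpoint reachable through the proxy, so whoever may hold a scrape client certificate also decides who can trigger probes from this host; a comment above that task saying so would help the next reader.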
@@ -0,0 +1,32 @@ +[Unit] +Description=Prometheus blackbox exporter + +[Service] +Restart=always +User=prometheus-exporter +ExecStart=/usr/bin/prometheus-blackbox-exporter --web.listen-address="127.0.0.1:9115" --config.file=/etc/prometheus/exporter/blackbox/config.yml +ExecReload=/bin/kill -HUP $MAINPID + +# systemd hardening-options +AmbientCapabilities=CAP_NET_RAW +CapabilityBoundingSet=CAP_NET_RAW +DeviceAllow=/dev/null rw +DevicePolicy=strict +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +PrivateUsers=true +ProtectControlGroups=true +ProtectHome=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectSystem=strict +RemoveIPC=true +RestrictNamespaces=true +RestrictRealtime=true +SystemCallArchitectures=native + +[Install] +WantedBy=multi-user.target diff --git a/roles/monitoring/prometheus/exporter/node/templates/service.j2 b/roles/monitoring/prometheus/exporter/node/templates/service.j2 index 801850ed..7aa2834a 100644 --- a/roles/monitoring/prometheus/exporter/node/templates/service.j2 +++ b/roles/monitoring/prometheus/exporter/node/templates/service.j2 @@ -1,5 +1,5 @@ [Unit] -Description=Prometheus exporter +Description=Prometheus node exporter [Service] Restart=always diff --git a/roles/monitoring/prometheus/server/handlers/main.yml b/roles/monitoring/prometheus/server/handlers/main.yml index edeba752..bf8735e9 100644 --- a/roles/monitoring/prometheus/server/handlers/main.yml +++ b/roles/monitoring/prometheus/server/handlers/main.yml @@ -3,3 +3,8 @@ service: name: prometheus state: restarted + +- name: reload prometheus + service: + name: prometheus + state: reloaded diff --git a/roles/monitoring/prometheus/server/tasks/main.yml b/roles/monitoring/prometheus/server/tasks/main.yml index 61660a03..6b030fb4 100644 --- a/roles/monitoring/prometheus/server/tasks/main.yml +++ b/roles/monitoring/prometheus/server/tasks/main.yml 
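Review bot: `User=prometheus-exporter` runs the blackbox exporter under the account that owns the proxy's TLS key (`/etc/ssl/prometheus/exporter/key.pem`, mode 0400, owner `prometheus-exporter` in the base role's tls.yml), so the process that connects to arbitrary probe targets can read that key. `ProtectSystem=strict` makes the path read-only but does not hide it. A dedicated account for this unit, or `InaccessiblePaths=/etc/ssl/prometheus` in the hardening block, would separate the two services.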
@@ -54,7 +54,7 @@ template: src: prometheus.yml.j2 dest: /etc/prometheus/prometheus.yml - notify: restart prometheus + notify: reload prometheus - name: generate systemd service unit template: diff --git a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 index e94ea043..eb77d6d1 100644 --- a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 +++ b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 @@ -1,3 +1,5 @@ +# {{ ansible_managed }} + global: scrape_interval: 15s evaluation_interval: 15s @@ -27,3 +29,49 @@ scrape_configs: - files: - "/etc/prometheus/jobs/{{ job }}/*.yml" {% endfor %} + + ## TODO: temporary test + - job_name: 'ping' + metrics_path: /proxy + params: + module: + - blackbox + - icmp + scheme: https + tls_config: + ca_file: /etc/ssl/prometheus/ca-crt.pem + cert_file: /etc/ssl/prometheus/server/exporter-crt.pem + key_file: /etc/ssl/prometheus/server/exporter-key.pem + static_configs: + - targets: + - 62.99.185.129 + - 9.9.9.9 + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - target_label: __address__ + replacement: 192.168.32.230:9999 + + - job_name: 'tcp_tls' + metrics_path: /proxy + params: + module: + - blackbox + - tcp_tls + scheme: https + tls_config: + ca_file: /etc/ssl/prometheus/ca-crt.pem + cert_file: /etc/ssl/prometheus/server/exporter-crt.pem + key_file: /etc/ssl/prometheus/server/exporter-key.pem + static_configs: + - targets: + - web.chaos-at-home.org:443 + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - target_label: __address__ + replacement: 192.168.32.230:9999 -- cgit v1.2.3 From 8bcf938a7b95536c66a34b043915615df489f243 Mon Sep 17 00:00:00 2001 
From: Christian Pointner Date: Thu, 3 Jun 2021 22:55:21 +0200 Subject: prometheus: fix blackbox exporter icmp probes --- inventory/host_vars/ch-mon.yml | 4 ++++ .../prometheus/exporter/blackbox/defaults/main.yml | 10 +++++--- .../exporter/blackbox/templates/service.j2 | 6 ++++- .../prometheus/server/templates/prometheus.yml.j2 | 28 +++++++++++++++++++--- 4 files changed, 41 insertions(+), 7 deletions(-) (limited to 'roles') diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml index 6bfa58d4..222b0e08 100644 --- a/inventory/host_vars/ch-mon.yml +++ b/inventory/host_vars/ch-mon.yml @@ -60,3 +60,7 @@ prometheus_server_storage: lv: prometheus size: 30G fs: ext4 + +prometheus_exporter_blackbox_modules_extra: + icmp: + prober: icmp diff --git a/roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml b/roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml index fcf66555..4e7d8d9a 100644 --- a/roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml +++ b/roles/monitoring/prometheus/exporter/blackbox/defaults/main.yml @@ -1,10 +1,8 @@ --- prometheus_exporter_blackbox_modules: - icmp: - prober: icmp tcp_connect: prober: tcp - tcp_tls: + tcp_tls_connect: prober: tcp tcp: tls: true @@ -12,6 +10,12 @@ prometheus_exporter_blackbox_modules: insecure_skip_verify: true http_2xx: prober: http + http_tls_2xx: + prober: http + http: + fail_if_not_ssl: true + tls_config: + insecure_skip_verify: true ssh_banner: prober: tcp tcp: diff --git a/roles/monitoring/prometheus/exporter/blackbox/templates/service.j2 b/roles/monitoring/prometheus/exporter/blackbox/templates/service.j2 index c9c5712c..a8a91d0b 100644 --- a/roles/monitoring/prometheus/exporter/blackbox/templates/service.j2 +++ b/roles/monitoring/prometheus/exporter/blackbox/templates/service.j2 
@@ -8,8 +8,13 @@ ExecStart=/usr/bin/prometheus-blackbox-exporter --web.listen-address="127.0.0.1: ExecReload=/bin/kill -HUP $MAINPID # systemd hardening-options +{% if prometheus_exporter_blackbox_modules | combine(prometheus_exporter_blackbox_modules_extra) | dict2items | selectattr('value.prober', 'eq', 'icmp') | length > 0 %} AmbientCapabilities=CAP_NET_RAW CapabilityBoundingSet=CAP_NET_RAW +{% else %} +AmbientCapabilities= +CapabilityBoundingSet= +{% endif %} DeviceAllow=/dev/null rw DevicePolicy=strict LockPersonality=true @@ -17,7 +22,6 @@ MemoryDenyWriteExecute=true NoNewPrivileges=true PrivateDevices=true PrivateTmp=true -PrivateUsers=true ProtectControlGroups=true ProtectHome=true ProtectKernelModules=true diff --git a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 index eb77d6d1..5eb7c570 100644 --- a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 +++ b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 @@ -54,12 +54,12 @@ scrape_configs: - target_label: __address__ replacement: 192.168.32.230:9999 - - job_name: 'tcp_tls' + - job_name: 'https' metrics_path: /proxy params: module: - blackbox - - tcp_tls + - http_tls_2xx scheme: https tls_config: ca_file: /etc/ssl/prometheus/ca-crt.pem @@ -67,7 +67,7 @@ scrape_configs: key_file: /etc/ssl/prometheus/server/exporter-key.pem static_configs: - targets: - - web.chaos-at-home.org:443 + - web.chaos-at-home.org relabel_configs: - source_labels: [__address__] target_label: __param_target 
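Review bot: The `{% else %}` branch drops all capabilities, yet the second hunk of this file removes `PrivateUsers=true` for every configuration, including those without an ICMP module. User-namespace isolation conflicts only with the `CAP_NET_RAW` case, so it can stay for the rest: add `PrivateUsers=true` after `CapabilityBoundingSet=` inside the `{% else %}` branch. A short template comment above the `{% if %}`, saying that raw ICMP sockets need `CAP_NET_RAW` in the host user namespace, would keep a later edit from re-adding the option globally.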
@@ -75,3 +75,25 @@ scrape_configs: target_label: instance - target_label: __address__ replacement: 192.168.32.230:9999 + + - job_name: 'ssh' + metrics_path: /proxy + params: + module: + - blackbox + - ssh_banner + scheme: https + tls_config: + ca_file: /etc/ssl/prometheus/ca-crt.pem + cert_file: /etc/ssl/prometheus/server/exporter-crt.pem + key_file: /etc/ssl/prometheus/server/exporter-key.pem + static_configs: + - targets: + - 192.168.32.230:222 + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - target_label: instance + replacement: 'ch-mon' + - target_label: __address__ + replacement: 192.168.32.230:9999 -- cgit v1.2.3 From 8ab24a10ac669ade61761d37e68207b402bc277c Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 6 Jun 2021 14:57:25 +0200 Subject: prometheus: move CA to seperate role and add prometheus zone groups --- chaos-at-home/ch-mon.yml | 3 +- .../group_vars/promzone-chaos-at-home/vars.yml | 3 ++ inventory/hosts.ini | 10 ++++ roles/monitoring/prometheus/ca/tasks/main.yml | 52 ++++++++++++++++++++ roles/monitoring/prometheus/server/tasks/tls.yml | 55 ++++------------------ 5 files changed, 76 insertions(+), 47 deletions(-) create mode 100644 inventory/group_vars/promzone-chaos-at-home/vars.yml create mode 100644 roles/monitoring/prometheus/ca/tasks/main.yml (limited to 'roles') diff --git a/chaos-at-home/ch-mon.yml b/chaos-at-home/ch-mon.yml index a1179204..bce4adab 100644 --- a/chaos-at-home/ch-mon.yml +++ b/chaos-at-home/ch-mon.yml @@ -9,7 +9,8 @@ - role: core/ntp - role: storage/lvm/groups - role: apt-repo/spreadspace - - role: monitoring/prometheus/server + - role: monitoring/prometheus/ca - role: monitoring/prometheus/exporter/base - role: monitoring/prometheus/exporter/node - role: monitoring/prometheus/exporter/blackbox + - role: monitoring/prometheus/server 
diff --git a/inventory/group_vars/promzone-chaos-at-home/vars.yml b/inventory/group_vars/promzone-chaos-at-home/vars.yml new file mode 100644 index 00000000..413a6502 --- /dev/null +++ b/inventory/group_vars/promzone-chaos-at-home/vars.yml @@ -0,0 +1,3 @@ +--- +promethues_server: ch-mon +promethues_zone_name: chaos@home diff --git a/inventory/hosts.ini b/inventory/hosts.ini index 954e9374..1c1051aa 100644 --- a/inventory/hosts.ini +++ b/inventory/hosts.ini @@ -379,6 +379,16 @@ vmhost-sk-2019vm-guests vmhost-sk-tomnext-guests +## prometheus monitoring +[promzone-chaos-at-home-server] +ch-mon +[promzone-chaos-at-home] +ch-mon +ch-testvm-prometheus +[promzone-chaos-at-home:children] +promzone-chaos-at-home-server + + ## hoster [hroot] sk-2019 diff --git a/roles/monitoring/prometheus/ca/tasks/main.yml b/roles/monitoring/prometheus/ca/tasks/main.yml new file mode 100644 index 00000000..9f166321 --- /dev/null +++ b/roles/monitoring/prometheus/ca/tasks/main.yml 
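Review bot: The two new variables are spelled `promethues_server` and `promethues_zone_name`, while the roles' other variables use the `prometheus_` prefix (`prometheus_exporter_blackbox_modules`, `prometheus_server_storage`). A later commit on this page uses `promethues_server` as the `delegate_to` target for certificate signing, where a mistyped name at a use site fails only at run time. Renaming them to the `prometheus_` prefix here and in the CA role's `CN:` line would align them with the rest of the inventory.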
@@ -0,0 +1,52 @@ +--- +- name: install python-cryptoraphy + apt: + name: "{{ python_basename }}-cryptography" + state: present + +- name: create base directory + file: + path: /etc/ssl/prometheus + state: directory + +- name: create CA directory + file: + path: /etc/ssl/prometheus/ca + state: directory + owner: root + group: root + mode: 0700 + +- name: create CA private key + openssl_privatekey: + path: /etc/ssl/prometheus/ca/key.pem + type: RSA + size: 4096 + owner: root + group: root + mode: 0600 + +- name: create signing request for CA certificate + openssl_csr: + path: /etc/ssl/prometheus/ca/csr.pem + privatekey_path: /etc/ssl/prometheus/ca/key.pem + CN: "CA for promethues zone {{ promethues_zone_name }}" + useCommonNameForSAN: no + key_usage: + - cRLSign + - digitalSignature + - keyCertSign + key_usage_critical: yes + basic_constraints: + - 'CA:TRUE' + - 'pathlen:0' + basic_constraints_critical: yes + +- name: create self-signed CA certificate + openssl_certificate: + path: /etc/ssl/prometheus/ca-crt.pem + csr_path: /etc/ssl/prometheus/ca/csr.pem + privatekey_path: /etc/ssl/prometheus/ca/key.pem + provider: selfsigned + selfsigned_digest: sha256 + selfsigned_not_after: "+18250d" ## 50 years diff --git a/roles/monitoring/prometheus/server/tasks/tls.yml b/roles/monitoring/prometheus/server/tasks/tls.yml index f9ad5ca3..5c112e12 100644 --- a/roles/monitoring/prometheus/server/tasks/tls.yml +++ b/roles/monitoring/prometheus/server/tasks/tls.yml @@ -9,14 +9,6 @@ path: /etc/ssl/prometheus state: directory -- name: create CA directory - file: - path: /etc/ssl/prometheus/ca - state: directory - owner: root - group: root - mode: 0700 - - name: create server cert/key directory file: path: /etc/ssl/prometheus/server 
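Review bot: The `create CA private key` task writes the signing key unencrypted, and the role is applied to ch-mon, the host that also runs the Prometheus server and exporters, so root-level access there yields a key that can issue certificates trusted by the whole zone. `openssl_privatekey` accepts `cipher` and `passphrase`, and the CSR and certificate tasks have matching passphrase parameters (`ownca_privatekey_passphrase` for the signing tasks), so the passphrase could be supplied from the vault at run time. The `create self-signed CA certificate` task leaves `/etc/ssl/prometheus/ca-crt.pem` without `owner` or `mode`; `mode: "0644"` would make the intended world-readable state explicit. The first task name has a typo: `install python-cryptoraphy` should be `install python-cryptography`.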
@@ -25,42 +17,7 @@ group: prometheus mode: 0750 -- name: create CA private key - openssl_privatekey: - path: /etc/ssl/prometheus/ca/key.pem - type: RSA - size: 4096 - owner: root - group: root - mode: 0600 - -- name: create signing request for CA certificate - openssl_csr: - path: /etc/ssl/prometheus/ca/csr.pem - privatekey_path: /etc/ssl/prometheus/ca/key.pem - CN: "prometheus CA" - useCommonNameForSAN: no - key_usage: - - cRLSign - - digitalSignature - - keyCertSign - key_usage_critical: yes - basic_constraints: - - 'CA:TRUE' - - 'pathlen:0' - basic_constraints_critical: yes - -- name: create self-signed CA certificate - openssl_certificate: - path: /etc/ssl/prometheus/ca-crt.pem - csr_path: /etc/ssl/prometheus/ca/csr.pem - privatekey_path: /etc/ssl/prometheus/ca/key.pem - provider: selfsigned - selfsigned_digest: sha256 - selfsigned_not_after: "+18250d" ## 50 years - - -- name: create server private key to connect to exporter +- name: create private key to connect to exporter openssl_privatekey: path: /etc/ssl/prometheus/server/exporter-key.pem type: RSA @@ -68,8 +25,9 @@ owner: prometheus group: prometheus mode: 0400 + notify: reload prometheus -- name: create signing request for server certificate to connect to exporter +- name: create signing request for client certificate to connect to exporter openssl_csr: path: /etc/ssl/prometheus/server/exporter-csr.pem privatekey_path: /etc/ssl/prometheus/server/exporter-key.pem @@ -87,7 +45,9 @@ - 'CA:FALSE' basic_constraints_critical: yes -- name: create server certificate to connect to exporter +## TODO: implement remote signing? + +- name: create client certificate to connect to exporter openssl_certificate: path: /etc/ssl/prometheus/server/exporter-crt.pem csr_path: /etc/ssl/prometheus/server/exporter-csr.pem 
@@ -96,3 +56,6 @@ ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem ownca_digest: sha256 ownca_not_after: "+18250d" ## 50 years + notify: reload prometheus + +## TODO: install /etc/ssl/prometheus/ca-crt.pem from server -- cgit v1.2.3 From 6082a92fa86d121d3ea4256859ee4c9d412e78c0 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Thu, 10 Jun 2021 01:15:32 +0200 Subject: promethues: remote certificate signing for exporter/base --- chaos-at-home/ch-testvm-prometheus.yml | 7 +++- inventory/host_vars/ch-testvm-prometheus.yml | 3 ++ roles/monitoring/prometheus/ca/tasks/main.yml | 2 +- .../prometheus/exporter/base/tasks/tls.yml | 49 +++++++++++++++++++--- roles/monitoring/prometheus/server/tasks/tls.yml | 34 ++++++++++----- .../prometheus/server/templates/prometheus.yml.j2 | 16 +++---- 6 files changed, 85 insertions(+), 26 deletions(-) (limited to 'roles') diff --git a/chaos-at-home/ch-testvm-prometheus.yml b/chaos-at-home/ch-testvm-prometheus.yml index a34d58e3..9caa2f9a 100644 --- a/chaos-at-home/ch-testvm-prometheus.yml +++ b/chaos-at-home/ch-testvm-prometheus.yml @@ -7,5 +7,8 @@ - role: core/sshd/base - role: core/zsh - role: core/ntp - - role: kubernetes/base - - role: kubernetes/standalone/base + - role: apt-repo/spreadspace + - role: monitoring/prometheus/exporter/base + - role: monitoring/prometheus/exporter/node + # - role: kubernetes/base + # - role: kubernetes/standalone/base diff --git a/inventory/host_vars/ch-testvm-prometheus.yml b/inventory/host_vars/ch-testvm-prometheus.yml index d11d565c..e539735f 100644 --- a/inventory/host_vars/ch-testvm-prometheus.yml +++ b/inventory/host_vars/ch-testvm-prometheus.yml @@ -33,6 +33,9 @@ network: - *_network_primary_ +spreadspace_apt_repo_components: + - prometheus + containerd_storage: type: lvm diff --git a/roles/monitoring/prometheus/ca/tasks/main.yml b/roles/monitoring/prometheus/ca/tasks/main.yml index 9f166321..cde4a267 100644 --- a/roles/monitoring/prometheus/ca/tasks/main.yml 
+++ b/roles/monitoring/prometheus/ca/tasks/main.yml @@ -34,7 +34,6 @@ useCommonNameForSAN: no key_usage: - cRLSign - - digitalSignature - keyCertSign key_usage_critical: yes basic_constraints: @@ -50,3 +49,4 @@ provider: selfsigned selfsigned_digest: sha256 selfsigned_not_after: "+18250d" ## 50 years + selfsigned_create_subject_key_identifier: always_create diff --git a/roles/monitoring/prometheus/exporter/base/tasks/tls.yml b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml index b2731b09..72186acb 100644 --- a/roles/monitoring/prometheus/exporter/base/tasks/tls.yml +++ b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml 
@@ -45,17 +45,56 @@ - 'CA:FALSE' basic_constraints_critical: yes -## TODO: implement remote singing using server +- name: slurp CSR + slurp: + src: /etc/ssl/prometheus/exporter/csr.pem + register: prometheus_exporter_server_csr -- name: create exporter certificate - openssl_certificate: +- name: check if exporter certificate exists + stat: path: /etc/ssl/prometheus/exporter/crt.pem - csr_path: /etc/ssl/prometheus/exporter/csr.pem + register: prometheus_exporter_server_cert + +- name: read exporter client certificate issuer key id and validity + when: prometheus_exporter_server_cert.stat.exists + openssl_certificate_info: + path: /etc/ssl/prometheus/exporter/crt.pem + valid_at: + ten_years: '+3650d' + register: prometheus_exporter_server_cert_info + +- name: slurp existing exporter certificate + when: prometheus_exporter_server_cert.stat.exists + slurp: + src: /etc/ssl/prometheus/exporter/crt.pem + register: prometheus_exporter_server_cert_current + +- name: generate exporter certificate + delegate_to: "{{ promethues_server }}" + community.crypto.x509_certificate_pipe: + content: "{{ prometheus_exporter_server_cert_current.content | default('') | b64decode }}" + csr_content: "{{ prometheus_exporter_server_csr.content | b64decode }}" provider: ownca ownca_path: /etc/ssl/prometheus/ca-crt.pem ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem ownca_digest: sha256 ownca_not_after: "+18250d" ## 50 years + force: "{{ prometheus_exporter_server_cert.stat.exists and (not prometheus_exporter_server_cert_info.valid_at.ten_years) }}" + register: prometheus_exporter_server_cert + +- name: store exporter certificate + copy: + content: "{{ prometheus_exporter_server_cert.certificate }}" + dest: /etc/ssl/prometheus/exporter/crt.pem notify: restart prometheus-exporter-exporter -## TODO: install /etc/ssl/prometheus/ca-crt.pem from server +- name: slurp CA certificate + delegate_to: "{{ promethues_server }}" + slurp: + src: /etc/ssl/prometheus/ca-crt.pem + register: 
prometheus_exporter_ca_certificate + +- name: install CA certificate + copy: + content: "{{ prometheus_exporter_ca_certificate.content | b64decode }}" + dest: /etc/ssl/prometheus/ca-crt.pem diff --git a/roles/monitoring/prometheus/server/tasks/tls.yml b/roles/monitoring/prometheus/server/tasks/tls.yml index 5c112e12..940c69b1 100644 --- a/roles/monitoring/prometheus/server/tasks/tls.yml +++ b/roles/monitoring/prometheus/server/tasks/tls.yml @@ -17,9 +17,9 @@ group: prometheus mode: 0750 -- name: create private key to connect to exporter +- name: create private key for scrape-client certificate openssl_privatekey: - path: /etc/ssl/prometheus/server/exporter-key.pem + path: /etc/ssl/prometheus/server/scrape-key.pem type: RSA size: 4096 owner: prometheus @@ -27,10 +27,10 @@ mode: 0400 notify: reload prometheus -- name: create signing request for client certificate to connect to exporter +- name: create signing request for scrape-client certificate openssl_csr: - path: /etc/ssl/prometheus/server/exporter-csr.pem - privatekey_path: /etc/ssl/prometheus/server/exporter-key.pem + path: /etc/ssl/prometheus/server/scrape-csr.pem + privatekey_path: /etc/ssl/prometheus/server/scrape-key.pem CN: "{{ inventory_hostname }}" subject_alt_name: - "DNS:{{ host_name }}.{{ host_domain }}" 
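Review bot: The `generate exporter certificate` task signs whatever `csr.pem` the exporter host hands over: the CSR is slurped on the target and passed as `csr_content` to the CA host with no check on the CA side. The earlier `openssl_csr` task normally regenerates a mismatching file, but the signing host should not rely on the requesting host for that, because the issued certificate takes its subject and extensions from the CSR and is valid for 50 years. Inspecting the CSR on the signing host and asserting the expected name, extended key usage and `CA:FALSE` before signing closes that gap; the exact strings returned by the info module should be confirmed against the installed community.crypto version. Separately, `register: prometheus_exporter_server_cert` on the signing task overwrites the earlier `stat` result of the same name, and a distinct name such as `prometheus_exporter_server_cert_new` would be clearer.

```yaml
# … unchanged: slurp CSR, stat and read the existing certificate …

- name: inspect CSR on the signing host
  delegate_to: "{{ promethues_server }}"
  community.crypto.openssl_csr_info:
    content: "{{ prometheus_exporter_server_csr.content | b64decode }}"
  register: prometheus_exporter_server_csr_info

- name: refuse to sign a CSR that is not a plain server certificate for this host
  assert:
    that:
      - prometheus_exporter_server_csr_info.subject.commonName == inventory_hostname
      - prometheus_exporter_server_csr_info.extended_key_usage == ['TLS Web Server Authentication']
      - prometheus_exporter_server_csr_info.basic_constraints == ['CA:FALSE']

- name: generate exporter certificate
  # … unchanged: x509_certificate_pipe arguments …
```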
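Review bot: Switching the path from `exporter-key.pem` to `scrape-key.pem` (and the CSR path in the next hunk) leaves the previously generated `/etc/ssl/prometheus/server/exporter-key.pem`, `exporter-csr.pem` and `exporter-crt.pem` on hosts that already ran the role. That old certificate is still signed by the zone CA with its original 50-year lifetime, so an unused but valid client key stays on disk. A `file` task with `state: absent` looping over the three old paths would remove it. The task list continues outside this hunk.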
@@ -45,17 +45,31 @@ - 'CA:FALSE' basic_constraints_critical: yes +## TODO: install /etc/ssl/prometheus/ca-crt.pem from CA host + +- name: check if scrape-client certificate exists + stat: + path: /etc/ssl/prometheus/server/scrape-crt.pem + register: prometheus_server_scrape_client_cert + +- name: check scrape-client certificate validity + when: prometheus_server_scrape_client_cert.stat.exists + openssl_certificate_info: + path: /etc/ssl/prometheus/server/scrape-crt.pem + valid_at: + ten_years: '+3650d' + register: prometheus_server_scrape_client_cert_info + ## TODO: implement remote signing? -- name: create client certificate to connect to exporter +- name: create scrape-client certificate openssl_certificate: - path: /etc/ssl/prometheus/server/exporter-crt.pem - csr_path: /etc/ssl/prometheus/server/exporter-csr.pem + path: /etc/ssl/prometheus/server/scrape-crt.pem + csr_path: /etc/ssl/prometheus/server/scrape-csr.pem provider: ownca ownca_path: /etc/ssl/prometheus/ca-crt.pem ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem ownca_digest: sha256 ownca_not_after: "+18250d" ## 50 years + force: "{{ prometheus_server_scrape_client_cert.stat.exists and (not prometheus_server_scrape_client_cert_info.valid_at.ten_years) }}" notify: reload prometheus - -## TODO: install /etc/ssl/prometheus/ca-crt.pem from server diff --git a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 index 5eb7c570..3975c74d 100644 --- a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 +++ b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 
@@ -23,8 +23,8 @@ scrape_configs: scheme: https tls_config: ca_file: /etc/ssl/prometheus/ca-crt.pem - cert_file: /etc/ssl/prometheus/server/exporter-crt.pem - key_file: /etc/ssl/prometheus/server/exporter-key.pem + cert_file: /etc/ssl/prometheus/server/scrape-crt.pem + key_file: /etc/ssl/prometheus/server/scrape-key.pem file_sd_configs: - files: - "/etc/prometheus/jobs/{{ job }}/*.yml" @@ -40,8 +40,8 @@ scrape_configs: scheme: https tls_config: ca_file: /etc/ssl/prometheus/ca-crt.pem - cert_file: /etc/ssl/prometheus/server/exporter-crt.pem - key_file: /etc/ssl/prometheus/server/exporter-key.pem + cert_file: /etc/ssl/prometheus/server/scrape-crt.pem + key_file: /etc/ssl/prometheus/server/scrape-key.pem static_configs: - targets: - 62.99.185.129 @@ -63,8 +63,8 @@ scrape_configs: scheme: https tls_config: ca_file: /etc/ssl/prometheus/ca-crt.pem - cert_file: /etc/ssl/prometheus/server/exporter-crt.pem - key_file: /etc/ssl/prometheus/server/exporter-key.pem + cert_file: /etc/ssl/prometheus/server/scrape-crt.pem + key_file: /etc/ssl/prometheus/server/scrape-key.pem static_configs: - targets: - web.chaos-at-home.org @@ -85,8 +85,8 @@ scrape_configs: scheme: https tls_config: ca_file: /etc/ssl/prometheus/ca-crt.pem - cert_file: /etc/ssl/prometheus/server/exporter-crt.pem - key_file: /etc/ssl/prometheus/server/exporter-key.pem + cert_file: /etc/ssl/prometheus/server/scrape-crt.pem + key_file: /etc/ssl/prometheus/server/scrape-key.pem static_configs: - targets: - 192.168.32.230:222 -- cgit v1.2.3 From 11baa089a6aaf62a5c35f8009aebf889a4bf85fa Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Thu, 10 Jun 2021 01:29:39 +0200 Subject: prometheus: generate target configs --- inventory/group_vars/promzone-chaos-at-home/vars.yml | 2 ++ roles/monitoring/prometheus/server/tasks/main.yml | 11 +++++++++++ 2 files changed, 13 insertions(+) (limited to 'roles') 
diff --git a/inventory/group_vars/promzone-chaos-at-home/vars.yml b/inventory/group_vars/promzone-chaos-at-home/vars.yml index 413a6502..8a0d0aa8 100644 --- a/inventory/group_vars/promzone-chaos-at-home/vars.yml +++ b/inventory/group_vars/promzone-chaos-at-home/vars.yml @@ -1,3 +1,5 @@ --- promethues_server: ch-mon promethues_zone_name: chaos@home + +prometheus_zone_targets: "{{ groups['promzone-chaos-at-home'] }}" diff --git a/roles/monitoring/prometheus/server/tasks/main.yml b/roles/monitoring/prometheus/server/tasks/main.yml index 6b030fb4..492e8dc2 100644 --- a/roles/monitoring/prometheus/server/tasks/main.yml +++ b/roles/monitoring/prometheus/server/tasks/main.yml @@ -50,6 +50,17 @@ - name: create TLS CA and certificates import_tasks: tls.yml +- name: generate targets config + loop: "{{ prometheus_zone_targets }}" + copy: + content: | + - targets: [ "{{ hostvars[item].ansible_default_ipv4.address }}:9999" ] + labels: + instance: "{{ item }}" + dest: "/etc/prometheus/targets/{{ item }}.yml" + +# TODO: enable targets for configured jobs using symlinks in /etc/prometheus/jobs/*/ + - name: generate configuration file template: src: prometheus.yml.j2 -- cgit v1.2.3 From d0482708def7d7b5165590db30bdca014d187528 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 13 Jun 2021 19:23:46 +0200 Subject: add meta dep for prometheus exporter --- chaos-at-home/ch-mon.yml | 4 +--- chaos-at-home/ch-testvm-prometheus.yml | 3 +-- inventory/host_vars/ch-mon.yml | 4 ++++ roles/monitoring/prometheus/exporter/defaults/main.yml | 3 +++ roles/monitoring/prometheus/exporter/meta/main.yml | 7 +++++++ 5 files changed, 16 insertions(+), 5 deletions(-) create mode 100644 roles/monitoring/prometheus/exporter/defaults/main.yml create mode 100644 roles/monitoring/prometheus/exporter/meta/main.yml (limited to 'roles') diff --git a/chaos-at-home/ch-mon.yml b/chaos-at-home/ch-mon.yml index bce4adab..248de5d6 100644 --- a/chaos-at-home/ch-mon.yml +++ b/chaos-at-home/ch-mon.yml 
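Review bot: `hostvars[item].ansible_default_ipv4.address` in `generate targets config` is only defined when facts for every host in `prometheus_zone_targets` were gathered or cached, so a run limited to the server would stop with an undefined-variable error part-way through the loop. A preceding `assert` with `that: hostvars[item].ansible_default_ipv4 is defined` and a message naming the host gives a clear failure, which is preferable to skipping the host and silently dropping it from monitoring. The port `9999` is written literally here while the exporter unit takes its listen address from `prometheus_exporter_listen`; deriving both from one variable keeps them from drifting apart.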
@@ -10,7 +10,5 @@ - role: storage/lvm/groups - role: apt-repo/spreadspace - role: monitoring/prometheus/ca - - role: monitoring/prometheus/exporter/base - - role: monitoring/prometheus/exporter/node - - role: monitoring/prometheus/exporter/blackbox + - role: monitoring/prometheus/exporter - role: monitoring/prometheus/server diff --git a/chaos-at-home/ch-testvm-prometheus.yml b/chaos-at-home/ch-testvm-prometheus.yml index 9caa2f9a..3fd99d41 100644 --- a/chaos-at-home/ch-testvm-prometheus.yml +++ b/chaos-at-home/ch-testvm-prometheus.yml @@ -8,7 +8,6 @@ - role: core/zsh - role: core/ntp - role: apt-repo/spreadspace - - role: monitoring/prometheus/exporter/base - - role: monitoring/prometheus/exporter/node + - role: monitoring/prometheus/exporter # - role: kubernetes/base # - role: kubernetes/standalone/base diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml index 222b0e08..25dae3ac 100644 --- a/inventory/host_vars/ch-mon.yml +++ b/inventory/host_vars/ch-mon.yml @@ -61,6 +61,10 @@ prometheus_server_storage: size: 30G fs: ext4 +prometheus_exporters: + - node + - blackbox + prometheus_exporter_blackbox_modules_extra: icmp: prober: icmp diff --git a/roles/monitoring/prometheus/exporter/defaults/main.yml b/roles/monitoring/prometheus/exporter/defaults/main.yml new file mode 100644 index 00000000..858c1837 --- /dev/null +++ b/roles/monitoring/prometheus/exporter/defaults/main.yml @@ -0,0 +1,3 @@ +--- +prometheus_exporters: + - node diff --git a/roles/monitoring/prometheus/exporter/meta/main.yml b/roles/monitoring/prometheus/exporter/meta/main.yml new file mode 100644 index 00000000..ddb30f9a --- /dev/null +++ b/roles/monitoring/prometheus/exporter/meta/main.yml @@ -0,0 +1,7 @@ +--- +dependencies: + - role: monitoring/prometheus/exporter/base + - role: monitoring/prometheus/exporter/node + when: "'node' in prometheus_exporters" + - role: monitoring/prometheus/exporter/blackbox + when: "'blackbox' in prometheus_exporters" -- cgit v1.2.3 
From 4e5f835b6dd5aee26a663155211ee5dd3642d07d Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Mon, 14 Jun 2021 00:49:48 +0200 Subject: make prometheus exporter list groupvars --- inventory/group_vars/promzone-chaos-at-home/vars.yml | 4 ++++ inventory/host_vars/ch-mon.yml | 3 +-- roles/monitoring/prometheus/exporter/defaults/main.yml | 3 --- roles/monitoring/prometheus/exporter/meta/main.yml | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644 roles/monitoring/prometheus/exporter/defaults/main.yml (limited to 'roles') diff --git a/inventory/group_vars/promzone-chaos-at-home/vars.yml b/inventory/group_vars/promzone-chaos-at-home/vars.yml index 8a0d0aa8..2345292b 100644 --- a/inventory/group_vars/promzone-chaos-at-home/vars.yml +++ b/inventory/group_vars/promzone-chaos-at-home/vars.yml @@ -3,3 +3,7 @@ promethues_server: ch-mon promethues_zone_name: chaos@home prometheus_zone_targets: "{{ groups['promzone-chaos-at-home'] }}" + +prometheus_exporters_extra: [] +prometheus_exporters_default: + - node diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml index 25dae3ac..025289a4 100644 --- a/inventory/host_vars/ch-mon.yml +++ b/inventory/host_vars/ch-mon.yml @@ -61,8 +61,7 @@ prometheus_server_storage: size: 30G fs: ext4 -prometheus_exporters: - - node +prometheus_exporters_extra: - blackbox prometheus_exporter_blackbox_modules_extra: diff --git a/roles/monitoring/prometheus/exporter/defaults/main.yml b/roles/monitoring/prometheus/exporter/defaults/main.yml deleted file mode 100644 index 858c1837..00000000 --- a/roles/monitoring/prometheus/exporter/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -prometheus_exporters: - - node diff --git a/roles/monitoring/prometheus/exporter/meta/main.yml b/roles/monitoring/prometheus/exporter/meta/main.yml index ddb30f9a..d1d3eac7 100644 --- a/roles/monitoring/prometheus/exporter/meta/main.yml +++ b/roles/monitoring/prometheus/exporter/meta/main.yml 
@@ -2,6 +2,6 @@ dependencies: - role: monitoring/prometheus/exporter/base - role: monitoring/prometheus/exporter/node - when: "'node' in prometheus_exporters" + when: "'node' in (prometheus_exporters_default | union(prometheus_exporters_extra))" - role: monitoring/prometheus/exporter/blackbox - when: "'blackbox' in prometheus_exporters" + when: "'blackbox' in (prometheus_exporters_default | union(prometheus_exporters_extra))" -- cgit v1.2.3 From 1e9d610bb87ce6f0cb1e5a8d44f09616f90273e2 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Fri, 18 Jun 2021 01:24:40 +0200 Subject: prometheus enable/disable targets for jobs --- .../group_vars/promzone-chaos-at-home/vars.yml | 12 ++++++--- roles/monitoring/prometheus/ca/tasks/main.yml | 2 +- .../prometheus/exporter/base/tasks/tls.yml | 4 +-- .../prometheus/server/filter_plugins/prometheus.py | 29 ++++++++++++++++++++++ roles/monitoring/prometheus/server/tasks/main.yml | 11 ++++++-- 5 files changed, 49 insertions(+), 9 deletions(-) create mode 100644 roles/monitoring/prometheus/server/filter_plugins/prometheus.py (limited to 'roles') diff --git a/inventory/group_vars/promzone-chaos-at-home/vars.yml b/inventory/group_vars/promzone-chaos-at-home/vars.yml index 2345292b..078576f1 100644 --- a/inventory/group_vars/promzone-chaos-at-home/vars.yml +++ b/inventory/group_vars/promzone-chaos-at-home/vars.yml @@ -1,9 +1,13 @@ --- -promethues_server: ch-mon -promethues_zone_name: chaos@home - -prometheus_zone_targets: "{{ groups['promzone-chaos-at-home'] }}" +prometheus_scrape_endpoint: "{{ network.primary.address | ipaddr('address') }}:9999" prometheus_exporters_extra: [] prometheus_exporters_default: - node + +prometheus_server: ch-mon +prometheus_server_jobs: + - node + +prometheus_zone_name: chaos@home +prometheus_zone_targets: "{{ groups['promzone-chaos-at-home'] }}" diff --git a/roles/monitoring/prometheus/ca/tasks/main.yml b/roles/monitoring/prometheus/ca/tasks/main.yml index cde4a267..064cb6e8 100644 
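Review bot: Both `when:` expressions read `prometheus_exporters_default` and `prometheus_exporters_extra` with no fallback. This commit also deletes the role's `defaults/main.yml`, so the only definitions visible are the group_vars of `promzone-chaos-at-home`. A host that applies `monitoring/prometheus/exporter` without being in that group would presumably fail on an undefined variable and end up with no exporter, which is a silent monitoring gap once someone works around the error. I would either keep a default in the role or guard the lookup, e.g. `when: "'node' in (prometheus_exporters_default | default(['node']) | union(prometheus_exporters_extra | default([])))"`, and the same for `blackbox`.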
--- a/roles/monitoring/prometheus/ca/tasks/main.yml +++ b/roles/monitoring/prometheus/ca/tasks/main.yml @@ -30,7 +30,7 @@ openssl_csr: path: /etc/ssl/prometheus/ca/csr.pem privatekey_path: /etc/ssl/prometheus/ca/key.pem - CN: "CA for promethues zone {{ promethues_zone_name }}" + CN: "CA for prometheus zone {{ prometheus_zone_name }}" useCommonNameForSAN: no key_usage: - cRLSign diff --git a/roles/monitoring/prometheus/exporter/base/tasks/tls.yml b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml index 72186acb..2f880e6a 100644 --- a/roles/monitoring/prometheus/exporter/base/tasks/tls.yml +++ b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml @@ -70,7 +70,7 @@ register: prometheus_exporter_server_cert_current - name: generate exporter certificate - delegate_to: "{{ promethues_server }}" + delegate_to: "{{ prometheus_server }}" community.crypto.x509_certificate_pipe: content: "{{ prometheus_exporter_server_cert_current.content | default('') | b64decode }}" csr_content: "{{ prometheus_exporter_server_csr.content | b64decode }}" @@ -89,7 +89,7 @@ notify: restart prometheus-exporter-exporter - name: slurp CA certificate - delegate_to: "{{ promethues_server }}" + delegate_to: "{{ prometheus_server }}" slurp: src: /etc/ssl/prometheus/ca-crt.pem register: prometheus_exporter_ca_certificate diff --git a/roles/monitoring/prometheus/server/filter_plugins/prometheus.py b/roles/monitoring/prometheus/server/filter_plugins/prometheus.py new file mode 100644 index 00000000..81cfae70 --- /dev/null +++ b/roles/monitoring/prometheus/server/filter_plugins/prometheus.py 
@@ -0,0 +1,29 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +from functools import partial + +from ansible import errors + + +def prometheus_job_targets(hostvars, jobs, targets): + try: + result = [] + for job in jobs: + for target in targets: + enabled = job in hostvars[target]['prometheus_exporters_default'] or job in hostvars[target]['prometheus_exporters_extra'] + result.append({'job': job, 'target': target, 'enabled': enabled}) + return result + except Exception as e: + raise errors.AnsibleFilterError("prometheus_job_targets(): %s" % str(e)) + + +class FilterModule(object): + + ''' prometheus filters ''' + filter_map = { + 'prometheus_job_targets': prometheus_job_targets, + } + + def filters(self): + return self.filter_map diff --git a/roles/monitoring/prometheus/server/tasks/main.yml b/roles/monitoring/prometheus/server/tasks/main.yml index 492e8dc2..44f0800e 100644 --- a/roles/monitoring/prometheus/server/tasks/main.yml +++ b/roles/monitoring/prometheus/server/tasks/main.yml @@ -54,12 +54,19 @@ loop: "{{ prometheus_zone_targets }}" copy: content: | - - targets: [ "{{ hostvars[item].ansible_default_ipv4.address }}:9999" ] + - targets: [ "{{ hostvars[item].prometheus_scrape_endpoint }}" ] labels: instance: "{{ item }}" dest: "/etc/prometheus/targets/{{ item }}.yml" -# TODO: enable targets for configured jobs using symlinks in /etc/prometheus/jobs/*/ +- name: enable targets for jobs + loop: "{{ hostvars | prometheus_job_targets(prometheus_server_jobs, prometheus_zone_targets) }}" + loop_control: + label: "{{ item.job }} -> {{ item.target }}" + file: + src: "{{ item.enabled | ternary('/etc/prometheus/targets/' + item.target + '.yml', omit) }}" + path: "/etc/prometheus/jobs/{{ item.job }}/{{ item.target }}.yml" + state: "{{ item.enabled | ternary('link', 'absent') }}" - name: generate configuration file template: -- cgit v1.2.3 From 96a0a80a8b9d79099aba971412c698179093452d Mon Sep 17 00:00:00 2001 
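Review bot: `prometheus_job_targets()` indexes `hostvars[target]['prometheus_exporters_default']` and `['prometheus_exporters_extra']` directly, so a single target missing either variable aborts the whole loop. The blanket `except Exception` then reduces the failure to the bare key name, without saying which host is misconfigured. I would read the lists tolerantly, `exporters = hostvars[target].get('prometheus_exporters_default', []) + hostvars[target].get('prometheus_exporters_extra', [])` followed by `enabled = job in exporters`, or at least put `target` into the error text. The function also has no docstring describing the returned list of `{'job', 'target', 'enabled'}` dicts, and `partial` is imported but never used.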
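Review bot: The `enable targets for jobs` loop only visits hosts that are still in `prometheus_zone_targets`, so nothing removes the files of a host that has left the group. Its `/etc/prometheus/targets/<host>.yml` and its links under `/etc/prometheus/jobs/*/` stay in place, and Prometheus keeps scraping the decommissioned address. A cleanup pass over both directories, keyed on the file name, closes that gap; a sketch follows. The task list continues outside this hunk, so the right position for it should be checked against the full file.

```yaml
# … unchanged: generate targets config, enable targets for jobs …

- name: list deployed target files and job links
  find:
    paths:
      - /etc/prometheus/targets
      - /etc/prometheus/jobs
    patterns: "*.yml"
    file_type: any
    recurse: true
  register: prometheus_server_deployed_targets

- name: remove files and links of hosts that left the zone
  loop: "{{ prometheus_server_deployed_targets.files | map(attribute='path') | list }}"
  when: (item | basename | splitext | first) not in prometheus_zone_targets
  file:
    path: "{{ item }}"
    state: absent
```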
From: Christian Pointner Date: Fri, 18 Jun 2021 01:43:09 +0200 Subject: cosmetic fix --- roles/monitoring/prometheus/exporter/base/tasks/tls.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'roles') diff --git a/roles/monitoring/prometheus/exporter/base/tasks/tls.yml b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml index 2f880e6a..e34025e4 100644 --- a/roles/monitoring/prometheus/exporter/base/tasks/tls.yml +++ b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml @@ -55,7 +55,7 @@ path: /etc/ssl/prometheus/exporter/crt.pem register: prometheus_exporter_server_cert -- name: read exporter client certificate issuer key id and validity +- name: read exporter client certificate validity when: prometheus_exporter_server_cert.stat.exists openssl_certificate_info: path: /etc/ssl/prometheus/exporter/crt.pem -- cgit v1.2.3 From 1a40395d35db76e1482bc32fb7a97e6a60c4b1dc Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Mon, 21 Jun 2021 00:23:51 +0200 Subject: promethues: initial support for alert rules --- .../monitoring/prometheus/server/defaults/main.yml | 9 - .../prometheus/server/defaults/main/main.yml | 13 ++ .../prometheus/server/defaults/main/rules_node.yml | 219 +++++++++++++++++++++ .../server/defaults/main/rules_prometheus.yml | 192 ++++++++++++++++++ roles/monitoring/prometheus/server/tasks/main.yml | 39 ++-- .../prometheus/server/templates/rules.yml.j2 | 5 + 6 files changed, 453 insertions(+), 24 deletions(-) delete mode 100644 roles/monitoring/prometheus/server/defaults/main.yml create mode 100644 roles/monitoring/prometheus/server/defaults/main/main.yml create mode 100644 roles/monitoring/prometheus/server/defaults/main/rules_node.yml create mode 100644 roles/monitoring/prometheus/server/defaults/main/rules_prometheus.yml create mode 100644 roles/monitoring/prometheus/server/templates/rules.yml.j2 (limited to 'roles') 
diff --git a/roles/monitoring/prometheus/server/defaults/main.yml b/roles/monitoring/prometheus/server/defaults/main.yml deleted file mode 100644 index ab08a2ff..00000000 --- a/roles/monitoring/prometheus/server/defaults/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -# prometheus_server_storage: -# type: (zfs|lvm) -# ... - -prometheus_server_retention: "15d" - -prometheus_server_jobs: - - node diff --git a/roles/monitoring/prometheus/server/defaults/main/main.yml b/roles/monitoring/prometheus/server/defaults/main/main.yml new file mode 100644 index 00000000..b10d6f17 --- /dev/null +++ b/roles/monitoring/prometheus/server/defaults/main/main.yml @@ -0,0 +1,13 @@ +--- +# prometheus_server_storage: +# type: (zfs|lvm) +# ... + +prometheus_server_retention: "15d" + +prometheus_server_jobs: + - node + +prometheus_server_rules: + prometheus: "{{ prometheus_server_rules_prometheus + prometheus_server_rules_prometheus_extra }}" + node: "{{ prometheus_server_rules_node + prometheus_server_rules_prometheus_extra }}" diff --git a/roles/monitoring/prometheus/server/defaults/main/rules_node.yml b/roles/monitoring/prometheus/server/defaults/main/rules_node.yml new file mode 100644 index 00000000..ab7317ac --- /dev/null +++ b/roles/monitoring/prometheus/server/defaults/main/rules_node.yml 
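Review bot: The `node` entry of `prometheus_server_rules` appends `prometheus_server_rules_prometheus_extra` instead of `prometheus_server_rules_node_extra`. As written, extra rules meant for Prometheus self-monitoring are also loaded into the node group, and `prometheus_server_rules_node_extra` (declared in `rules_node.yml` in this same commit) is never read, so host-specific node alerts added through it are silently dropped. This looks like a copy-paste slip; the line should read `node: "{{ prometheus_server_rules_node + prometheus_server_rules_node_extra }}"`.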
@@ -0,0 +1,219 @@ +--- +## https://awesome-prometheus-alerts.grep.to/rules#host-and-hardware +prometheus_server_rules_node_extra: [] +prometheus_server_rules_node: + - alert: HostOutOfMemory + expr: node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes * 100 < 10 + for: 2m + labels: + severity: warning + annotations: + summary: Host out of memory (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Node memory is filling up (< 10% left)\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostMemoryUnderMemoryPressure + expr: rate(node_vmstat_pgmajfault[1m]) > 1000 + for: 2m + labels: + severity: warning + annotations: + summary: Host memory under memory pressure (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "The node is under heavy memory pressure. High rate of major page faults\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostOutOfDiskSpace + expr: (node_filesystem_avail_bytes * 100) / node_filesystem_size_bytes < 10 and ON (instance, device, mountpoint) node_filesystem_readonly == 0 + for: 2m + labels: + severity: warning + annotations: + summary: Host out of disk space (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Disk is almost full (< 10% left)\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostDiskWillFillIn24Hours + expr: (node_filesystem_avail_bytes * 100) / node_filesystem_size_bytes < 10 and ON (instance, device, mountpoint) predict_linear(node_filesystem_avail_bytes{fstype!~"tmpfs"}[1h], 24 * 3600) < 0 and ON (instance, device, mountpoint) node_filesystem_readonly == 0 + for: 2m + labels: + severity: warning + annotations: + summary: Host disk will fill in 24 hours (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Filesystem is predicted to run out of space within the next 24 hours at current write rate\n VALUE = {{ '{{' }} $value {{ '}}' }}\n 
LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostOutOfInodes + expr: node_filesystem_files_free{mountpoint ="/rootfs"} / node_filesystem_files{mountpoint="/rootfs"} * 100 < 10 and ON (instance, device, mountpoint) node_filesystem_readonly{mountpoint="/rootfs"} == 0 + for: 2m + labels: + severity: warning + annotations: + summary: Host out of inodes (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Disk is almost running out of available inodes (< 10% left)\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostInodesWillFillIn24Hours + expr: node_filesystem_files_free{mountpoint ="/rootfs"} / node_filesystem_files{mountpoint="/rootfs"} * 100 < 10 and predict_linear(node_filesystem_files_free{mountpoint="/rootfs"}[1h], 24 * 3600) < 0 and ON (instance, device, mountpoint) node_filesystem_readonly{mountpoint="/rootfs"} == 0 + for: 2m + labels: + severity: warning + annotations: + summary: Host inodes will fill in 24 hours (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Filesystem is predicted to run out of inodes within the next 24 hours at current write rate\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostUnusualDiskReadLatency + expr: rate(node_disk_read_time_seconds_total[1m]) / rate(node_disk_reads_completed_total[1m]) > 0.1 and rate(node_disk_reads_completed_total[1m]) > 0 + for: 2m + labels: + severity: warning + annotations: + summary: Host unusual disk read latency (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Disk latency is growing (read operations > 100ms)\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostUnusualDiskWriteLatency + expr: rate(node_disk_write_time_seconds_total[1m]) / rate(node_disk_writes_completed_total[1m]) > 0.1 and rate(node_disk_writes_completed_total[1m]) > 0 + for: 2m + labels: + severity: warning + annotations: + summary: Host unusual 
disk write latency (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Disk latency is growing (write operations > 100ms)\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostHighCpuLoad + expr: 100 - (avg by(instance) (rate(node_cpu_seconds_total{mode="idle"}[2m])) * 100) > 80 + for: 0m + labels: + severity: warning + annotations: + summary: Host high CPU load (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "CPU load is > 80%\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostCpuStealNoisyNeighbor + expr: avg by(instance) (rate(node_cpu_seconds_total{mode="steal"}[5m])) * 100 > 10 + for: 0m + labels: + severity: warning + annotations: + summary: Host CPU steal noisy neighbor (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "CPU steal is > 10%. A noisy neighbor is killing VM performances or a spot instance may be out of credit.\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostSystemdServiceCrashed + expr: node_systemd_unit_state{state="failed"} == 1 + for: 0m + labels: + severity: warning + annotations: + summary: Host systemd service crashed (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "systemd service crashed\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostPhysicalComponentTooHot + expr: node_hwmon_temp_celsius > 75 + for: 5m + labels: + severity: warning + annotations: + summary: Host physical component too hot (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Physical hardware component too hot\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostNodeOvertemperatureAlarm + expr: node_hwmon_temp_crit_alarm_celsius == 1 + for: 0m + labels: + severity: critical + annotations: + summary: Host node overtemperature alarm (instance {{ '{{' }} 
$labels.instance {{ '}}' }}) + description: "Physical node temperature alarm triggered\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostRaidArrayGotInactive + expr: node_md_state{state="inactive"} > 0 + for: 0m + labels: + severity: critical + annotations: + summary: Host RAID array got inactive (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "RAID array {{ '{{' }} $labels.device {{ '}}' }} is in degraded state due to one or more disks failures. Number of spare drives is insufficient to fix issue automatically.\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostRaidDiskFailure + expr: node_md_disks{state="failed"} > 0 + for: 2m + labels: + severity: warning + annotations: + summary: Host RAID disk failure (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "At least one device in RAID array on {{ '{{' }} $labels.instance {{ '}}' }} failed. Array {{ '{{' }} $labels.md_device {{ '}}' }} needs attention and possibly a disk swap\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostOomKillDetected + expr: increase(node_vmstat_oom_kill[1m]) > 0 + for: 0m + labels: + severity: warning + annotations: + summary: Host OOM kill detected (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "OOM kill detected\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostEdacCorrectableErrorsDetected + expr: increase(node_edac_correctable_errors_total[1m]) > 0 + for: 0m + labels: + severity: info + annotations: + summary: Host EDAC Correctable Errors detected (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Host {{ '{{' }} $labels.instance {{ '}}' }} has had {{ '{{' }} printf \"%.0f\" $value {{ '}}' }} correctable memory errors reported by EDAC in the last 5 minutes.\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" 
+ + - alert: HostEdacUncorrectableErrorsDetected + expr: node_edac_uncorrectable_errors_total > 0 + for: 0m + labels: + severity: warning + annotations: + summary: Host EDAC Uncorrectable Errors detected (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Host {{ '{{' }} $labels.instance {{ '}}' }} has had {{ '{{' }} printf \"%.0f\" $value {{ '}}' }} uncorrectable memory errors reported by EDAC in the last 5 minutes.\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostNetworkReceiveErrors + expr: rate(node_network_receive_errs_total[2m]) / rate(node_network_receive_packets_total[2m]) > 0.01 + for: 2m + labels: + severity: warning + annotations: + summary: Host Network Receive Errors (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Host {{ '{{' }} $labels.instance {{ '}}' }} interface {{ '{{' }} $labels.device {{ '}}' }} has encountered {{ '{{' }} printf \"%.0f\" $value {{ '}}' }} receive errors in the last five minutes.\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostNetworkTransmitErrors + expr: rate(node_network_transmit_errs_total[2m]) / rate(node_network_transmit_packets_total[2m]) > 0.01 + for: 2m + labels: + severity: warning + annotations: + summary: Host Network Transmit Errors (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Host {{ '{{' }} $labels.instance {{ '}}' }} interface {{ '{{' }} $labels.device {{ '}}' }} has encountered {{ '{{' }} printf \"%.0f\" $value {{ '}}' }} transmit errors in the last five minutes.\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostNetworkInterfaceSaturated + expr: (rate(node_network_receive_bytes_total{device!~"^tap.*"}[1m]) + rate(node_network_transmit_bytes_total{device!~"^tap.*"}[1m])) / node_network_speed_bytes{device!~"^tap.*"} > 0.8 + for: 1m + labels: + severity: warning + annotations: + summary: Host Network Interface 
Saturated (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "The network interface \"{{ '{{' }} $labels.interface {{ '}}' }}\" on \"{{ '{{' }} $labels.instance {{ '}}' }}\" is getting overloaded.\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostConntrackLimit + expr: node_nf_conntrack_entries / node_nf_conntrack_entries_limit > 0.8 + for: 5m + labels: + severity: warning + annotations: + summary: Host conntrack limit (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "The number of conntrack is approching limit\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostClockSkew + expr: (node_timex_offset_seconds > 0.05 and deriv(node_timex_offset_seconds[5m]) >= 0) or (node_timex_offset_seconds < -0.05 and deriv(node_timex_offset_seconds[5m]) <= 0) + for: 2m + labels: + severity: warning + annotations: + summary: Host clock skew (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Clock skew detected. Clock is out of sync.\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: HostClockNotSynchronising + expr: min_over_time(node_timex_sync_status[1m]) == 0 and node_timex_maxerror_seconds >= 16 + for: 2m + labels: + severity: warning + annotations: + summary: Host clock not synchronising (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Clock not synchronising.\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" diff --git a/roles/monitoring/prometheus/server/defaults/main/rules_prometheus.yml b/roles/monitoring/prometheus/server/defaults/main/rules_prometheus.yml new file mode 100644 index 00000000..6d84efa4 --- /dev/null +++ b/roles/monitoring/prometheus/server/defaults/main/rules_prometheus.yml 
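Review bot: `HostOutOfInodes` and `HostInodesWillFillIn24Hours` select only `mountpoint="/rootfs"`, which is how a containerised node exporter sees the host root. The node role in this repository installs the exporter from an apt package, so the root filesystem is presumably reported as `/` and both alerts can never fire. Dropping the matcher, as `HostOutOfDiskSpace` does, would cover every filesystem: `expr: node_filesystem_files_free / node_filesystem_files * 100 < 10 and ON (instance, device, mountpoint) node_filesystem_readonly == 0`. Two annotations also disagree with their expressions: `HostNetworkInterfaceSaturated` prints `$labels.interface` while the matchers use `device`, and the EDAC descriptions say "last 5 minutes" while `HostEdacCorrectableErrorsDetected` looks at `[1m]`.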
@@ -0,0 +1,192 @@ +--- +## https://awesome-prometheus-alerts.grep.to/rules#prometheus-self-monitoring +prometheus_server_rules_prometheus_extra: [] +prometheus_server_rules_prometheus: + - alert: PrometheusJobMissing + expr: absent(up{job="prometheus"}) + for: 0m + labels: + severity: warning + annotations: + summary: Prometheus job missing (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "A Prometheus job has disappeared\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusJobMissing + expr: absent(up{job="prometheus"}) + for: 0m + labels: + severity: warning + annotations: + summary: Prometheus job missing (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "A Prometheus job has disappeared\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusTargetMissing + expr: up == 0 + for: 0m + labels: + severity: critical + annotations: + summary: Prometheus target missing (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "A Prometheus target has disappeared. 
An exporter might be crashed.\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusAllTargetsMissing + expr: count by (job) (up) == 0 + for: 0m + labels: + severity: critical + annotations: + summary: Prometheus all targets missing (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "A Prometheus job does not have living target anymore.\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusConfigurationReloadFailure + expr: prometheus_config_last_reload_successful != 1 + for: 0m + labels: + severity: warning + annotations: + summary: Prometheus configuration reload failure (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Prometheus configuration reload error\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusTooManyRestarts + expr: changes(process_start_time_seconds{job=~"prometheus|pushgateway|alertmanager"}[15m]) > 2 + for: 0m + labels: + severity: warning + annotations: + summary: Prometheus too many restarts (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Prometheus has restarted more than twice in the last 15 minutes. 
It might be crashlooping.\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusRuleEvaluationFailures + expr: increase(prometheus_rule_evaluation_failures_total[3m]) > 0 + for: 0m + labels: + severity: critical + annotations: + summary: Prometheus rule evaluation failures (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Prometheus encountered {{ '{{' }} $value {{ '}}' }} rule evaluation failures, leading to potentially ignored alerts.\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusTemplateTextExpansionFailures + expr: increase(prometheus_template_text_expansion_failures_total[3m]) > 0 + for: 0m + labels: + severity: critical + annotations: + summary: Prometheus template text expansion failures (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Prometheus encountered {{ '{{' }} $value {{ '}}' }} template text expansion failures\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusRuleEvaluationSlow + expr: prometheus_rule_group_last_duration_seconds > prometheus_rule_group_interval_seconds + for: 5m + labels: + severity: warning + annotations: + summary: Prometheus rule evaluation slow (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Prometheus rule evaluation took more time than the scheduled interval. 
It indicates a slower storage backend access or too complex query.\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusNotificationsBacklog + expr: min_over_time(prometheus_notifications_queue_length[10m]) > 0 + for: 0m + labels: + severity: warning + annotations: + summary: Prometheus notifications backlog (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "The Prometheus notification queue has not been empty for 10 minutes\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusTargetEmpty + expr: prometheus_sd_discovered_targets == 0 + for: 0m + labels: + severity: critical + annotations: + summary: Prometheus target empty (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Prometheus has no target in service discovery\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusTargetScrapingSlow + expr: prometheus_target_interval_length_seconds{quantile="0.9"} > 60 + for: 5m + labels: + severity: warning + annotations: + summary: Prometheus target scraping slow (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Prometheus is scraping exporters slowly\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusLargeScrape + expr: increase(prometheus_target_scrapes_exceeded_sample_limit_total[10m]) > 10 + for: 5m + labels: + severity: warning + annotations: + summary: Prometheus large scrape (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Prometheus has many scrapes that exceed the sample limit\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusTargetScrapeDuplicate + expr: increase(prometheus_target_scrapes_sample_duplicate_timestamp_total[5m]) > 0 + for: 0m + labels: + severity: warning + annotations: + summary: Prometheus target scrape duplicate (instance {{ '{{' 
}} $labels.instance {{ '}}' }}) + description: "Prometheus has many samples rejected due to duplicate timestamps but different values\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusTsdbCheckpointCreationFailures + expr: increase(prometheus_tsdb_checkpoint_creations_failed_total[1m]) > 0 + for: 0m + labels: + severity: critical + annotations: + summary: Prometheus TSDB checkpoint creation failures (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Prometheus encountered {{ '{{' }} $value {{ '}}' }} checkpoint creation failures\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusTsdbCheckpointDeletionFailures + expr: increase(prometheus_tsdb_checkpoint_deletions_failed_total[1m]) > 0 + for: 0m + labels: + severity: critical + annotations: + summary: Prometheus TSDB checkpoint deletion failures (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Prometheus encountered {{ '{{' }} $value {{ '}}' }} checkpoint deletion failures\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusTsdbCompactionsFailed + expr: increase(prometheus_tsdb_compactions_failed_total[1m]) > 0 + for: 0m + labels: + severity: critical + annotations: + summary: Prometheus TSDB compactions failed (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Prometheus encountered {{ '{{' }} $value {{ '}}' }} TSDB compactions failures\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusTsdbHeadTruncationsFailed + expr: increase(prometheus_tsdb_head_truncations_failed_total[1m]) > 0 + for: 0m + labels: + severity: critical + annotations: + summary: Prometheus TSDB head truncations failed (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Prometheus encountered {{ '{{' }} $value {{ '}}' }} TSDB head truncation failures\n VALUE = {{ '{{' }} $value 
{{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusTsdbReloadFailures + expr: increase(prometheus_tsdb_reloads_failures_total[1m]) > 0 + for: 0m + labels: + severity: critical + annotations: + summary: Prometheus TSDB reload failures (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Prometheus encountered {{ '{{' }} $value {{ '}}' }} TSDB reload failures\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusTsdbWalCorruptions + expr: increase(prometheus_tsdb_wal_corruptions_total[1m]) > 0 + for: 0m + labels: + severity: critical + annotations: + summary: Prometheus TSDB WAL corruptions (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Prometheus encountered {{ '{{' }} $value {{ '}}' }} TSDB WAL corruptions\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusTsdbWalTruncationsFailed + expr: increase(prometheus_tsdb_wal_truncations_failed_total[1m]) > 0 + for: 0m + labels: + severity: critical + annotations: + summary: Prometheus TSDB WAL truncations failed (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Prometheus encountered {{ '{{' }} $value {{ '}}' }} TSDB WAL truncation failures\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" diff --git a/roles/monitoring/prometheus/server/tasks/main.yml b/roles/monitoring/prometheus/server/tasks/main.yml index 44f0800e..a70bd6fd 100644 --- a/roles/monitoring/prometheus/server/tasks/main.yml +++ b/roles/monitoring/prometheus/server/tasks/main.yml 
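Review bot: `PrometheusJobMissing` appears twice at the top of `prometheus_server_rules_prometheus` with identical `expr`, labels and annotations; the second copy should be removed. Depending on the promtool version, the duplicate may also be reported by the `promtool check rules %s` validation that this commit adds to the server tasks. The rule further assumes a scrape job literally named `prometheus`. The scrape configuration is not part of this hunk, so that name should be confirmed, otherwise `absent(up{job="prometheus"})` fires permanently and trains people to ignore it.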
@@ -18,21 +18,6 @@ name: prom-server state: present -- name: create configuration directories - loop: - - jobs - - rules - - targets - file: - path: "/etc/prometheus/{{ item }}" - state: directory - -- name: create sub-directroy for all exporter types in jobs directory - loop: "{{ prometheus_server_jobs }}" - file: - path: "/etc/prometheus/jobs/{{ item }}" - state: directory - - name: add user for server user: name: prometheus @@ -50,6 +35,21 @@ - name: create TLS CA and certificates import_tasks: tls.yml +- name: create configuration directories + loop: + - jobs + - rules + - targets + file: + path: "/etc/prometheus/{{ item }}" + state: directory + +- name: create sub-directroy for all exporter types in jobs directory + loop: "{{ prometheus_server_jobs }}" + file: + path: "/etc/prometheus/jobs/{{ item }}" + state: directory + - name: generate targets config loop: "{{ prometheus_zone_targets }}" copy: @@ -68,10 +68,19 @@ path: "/etc/prometheus/jobs/{{ item.job }}/{{ item.target }}.yml" state: "{{ item.enabled | ternary('link', 'absent') }}" +- name: generate rules files for all jobs + loop: "{{ prometheus_server_jobs | union(['prometheus']) }}" + template: + src: rules.yml.j2 + dest: "/etc/prometheus/rules/{{ item }}.yml" + validate: "promtool check rules %s" + notify: reload prometheus + - name: generate configuration file template: src: prometheus.yml.j2 dest: /etc/prometheus/prometheus.yml + validate: "promtool check config %s" notify: reload prometheus - name: generate systemd service unit diff --git a/roles/monitoring/prometheus/server/templates/rules.yml.j2 b/roles/monitoring/prometheus/server/templates/rules.yml.j2 new file mode 100644 index 00000000..30576363 --- /dev/null +++ b/roles/monitoring/prometheus/server/templates/rules.yml.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +groups: + - name: {{ item }} + {{ {'rules': prometheus_server_rules[item]} | to_nice_yaml(indent=2, width=1337) | indent(4) }} -- cgit v1.2.3 
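Review bot: The new `generate rules files for all jobs` task only ever writes files, so the rules file of a job that is later dropped from `prometheus_server_jobs` stays in `/etc/prometheus/rules/`. If the server config loads that directory by glob, as `prometheus.yml.j2` appears to do elsewhere in this series, the stale rules keep being evaluated. A cleanup step that removes `*.yml` files not in the current job list would close that gap. Both `template` tasks in this hunk also take ownership and permissions from the default umask; adding `owner: root`, `group: root` and `mode: "0644"` makes the result independent of how the play is run.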
From 7440787a0cf4dd2bab4439ba481e34ead78c0c55 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Mon, 21 Jun 2021 23:18:49 +0200 Subject: grafana: smtp settings --- inventory/host_vars/ch-mon.yml | 6 ++++++ roles/monitoring/grafana/defaults/main.yml | 2 ++ roles/monitoring/grafana/tasks/main.yml | 13 ++++++++++++- 3 files changed, 20 insertions(+), 1 deletion(-) (limited to 'roles') diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml index 6e064764..a889780d 100644 --- a/inventory/host_vars/ch-mon.yml +++ b/inventory/host_vars/ch-mon.yml @@ -70,3 +70,9 @@ prometheus_exporter_blackbox_modules_extra: grafana_secret_key: "{{ vault_grafana_secret_key }}" + +grafana_config_smtp: + enabled: true + host: "{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ipaddr('address') }}:25" + from_name: "chaos@home Grafana" + from_address: noreply@chaos-at-home.org diff --git a/roles/monitoring/grafana/defaults/main.yml b/roles/monitoring/grafana/defaults/main.yml index 8798dfb5..7141d488 100644 --- a/roles/monitoring/grafana/defaults/main.yml +++ b/roles/monitoring/grafana/defaults/main.yml @@ -19,3 +19,5 @@ grafana_config_security: grafana_config_users: allow_sign_up: false allow_org_create: false + +grafana_config_smtp: {} diff --git a/roles/monitoring/grafana/tasks/main.yml b/roles/monitoring/grafana/tasks/main.yml index 2e7594ec..0cf968f1 100644 --- a/roles/monitoring/grafana/tasks/main.yml +++ b/roles/monitoring/grafana/tasks/main.yml 
@@ -46,12 +46,23 @@ loop_control: label: "{{ item.key }}" ini_file: - path: /etc/grafana/grafana.inig + path: /etc/grafana/grafana.ini section: users option: "{{ item.key }}" value: "{{ item.value | string }}" notify: restart grafana +- name: configure grafana smtp + loop: "{{ grafana_config_smtp | dict2items }}" + loop_control: + label: "{{ item.key }}" + ini_file: + path: /etc/grafana/grafana.ini + section: smtp + option: "{{ item.key }}" + value: "{{ item.value | string }}" + notify: restart grafana + - name: make sure grafan-server is enabled and started systemd: name: grafana-server -- cgit v1.2.3 From 8e9b9ef4e15084113d833b731aee485d0c989e16 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Mon, 21 Jun 2021 23:58:37 +0200 Subject: some more grafana configs --- inventory/host_vars/ch-mon.yml | 11 +++++++---- roles/monitoring/grafana/defaults/main.yml | 1 + roles/monitoring/grafana/tasks/main.yml | 11 +++++++++++ 3 files changed, 19 insertions(+), 4 deletions(-) (limited to 'roles') diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml index a889780d..03a9b80a 100644 --- a/inventory/host_vars/ch-mon.yml +++ b/inventory/host_vars/ch-mon.yml @@ -72,7 +72,10 @@ prometheus_exporter_blackbox_modules_extra: grafana_secret_key: "{{ vault_grafana_secret_key }}" grafana_config_smtp: - enabled: true - host: "{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ipaddr('address') }}:25" - from_name: "chaos@home Grafana" - from_address: noreply@chaos-at-home.org + enabled: true + host: "{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ipaddr('address') }}:25" + from_name: "chaos@home Grafana" + from_address: noreply@chaos-at-home.org + +grafana_config_plugins: + enable_alpha: true diff --git a/roles/monitoring/grafana/defaults/main.yml b/roles/monitoring/grafana/defaults/main.yml index 7141d488..0118b8cb 100644 --- a/roles/monitoring/grafana/defaults/main.yml 
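Review bot: Correcting `/etc/grafana/grafana.inig` to `/etc/grafana/grafana.ini` implies the `users` options were until now written to a file Grafana presumably never read, so on hosts that are already deployed the `allow_sign_up: false` and `allow_org_create: false` defaults only take effect from this run on. The stray `grafana.inig` is left behind; a one-off `file:` task with `path: /etc/grafana/grafana.inig` and `state: absent` would remove it. In the new `configure grafana smtp` task, `label: "{{ item.key }}"` keeps values out of the loop label, but if `grafana_config_smtp` ever carries `user` or `password` the module's diff and verbose output would still show them; `no_log: "{{ item.key == 'password' }}"` on the task avoids that.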
+++ b/roles/monitoring/grafana/defaults/main.yml @@ -21,3 +21,4 @@ grafana_config_users: allow_org_create: false grafana_config_smtp: {} +grafana_config_plugins: {} diff --git a/roles/monitoring/grafana/tasks/main.yml b/roles/monitoring/grafana/tasks/main.yml index 0cf968f1..55cce412 100644 --- a/roles/monitoring/grafana/tasks/main.yml +++ b/roles/monitoring/grafana/tasks/main.yml @@ -63,6 +63,17 @@ value: "{{ item.value | string }}" notify: restart grafana +- name: configure grafana plugins + loop: "{{ grafana_config_plugins | dict2items }}" + loop_control: + label: "{{ item.key }}" + ini_file: + path: /etc/grafana/grafana.ini + section: plugins + option: "{{ item.key }}" + value: "{{ item.value | string }}" + notify: restart grafana + - name: make sure grafan-server is enabled and started systemd: name: grafana-server -- cgit v1.2.3 From 5408325a13337672ea09907278ff97b42de60b36 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Tue, 22 Jun 2021 23:29:18 +0200 Subject: add minimalistic role for prometheus/alertmanager --- chaos-at-home/ch-mon.yml | 1 + inventory/host_vars/ch-mon.yml | 7 +++- .../prometheus/alertmanager/defaults/main.yml | 5 +++ .../prometheus/alertmanager/handlers/main.yml | 10 +++++ .../prometheus/alertmanager/tasks/main.yml | 45 ++++++++++++++++++++++ .../alertmanager/templates/alertmanager.yml.j2 | 17 ++++++++ .../templates/prometheus-alertmanager.service.j2 | 37 ++++++++++++++++++ 7 files changed, 121 insertions(+), 1 deletion(-) create mode 100644 roles/monitoring/prometheus/alertmanager/defaults/main.yml create mode 100644 roles/monitoring/prometheus/alertmanager/handlers/main.yml create mode 100644 roles/monitoring/prometheus/alertmanager/tasks/main.yml create mode 100644 roles/monitoring/prometheus/alertmanager/templates/alertmanager.yml.j2 create mode 100644 roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2 (limited to 'roles') 
diff --git a/chaos-at-home/ch-mon.yml b/chaos-at-home/ch-mon.yml index 8e25d6ec..906e8adc 100644 --- a/chaos-at-home/ch-mon.yml +++ b/chaos-at-home/ch-mon.yml @@ -12,5 +12,6 @@ - role: apt-repo/spreadspace - role: monitoring/prometheus/ca - role: monitoring/prometheus/exporter + - role: monitoring/prometheus/alertmanager - role: monitoring/prometheus/server - role: monitoring/grafana diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml index 03a9b80a..c0551768 100644 --- a/inventory/host_vars/ch-mon.yml +++ b/inventory/host_vars/ch-mon.yml @@ -68,6 +68,11 @@ prometheus_exporter_blackbox_modules_extra: icmp: prober: icmp +promethues_alertmanager_smtp: + smarthost: "{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ipaddr('address') }}:25" + from: "noreply@chaos-at-home.org" + require_tls: no + grafana_secret_key: "{{ vault_grafana_secret_key }}" @@ -75,7 +80,7 @@ grafana_config_smtp: enabled: true host: "{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ipaddr('address') }}:25" from_name: "chaos@home Grafana" - from_address: noreply@chaos-at-home.org + from_address: "noreply@chaos-at-home.org" grafana_config_plugins: enable_alpha: true diff --git a/roles/monitoring/prometheus/alertmanager/defaults/main.yml b/roles/monitoring/prometheus/alertmanager/defaults/main.yml new file mode 100644 index 00000000..34b03df0 --- /dev/null +++ b/roles/monitoring/prometheus/alertmanager/defaults/main.yml @@ -0,0 +1,5 @@ +--- +promethues_alertmanager_smtp: + smarthost: "127.0.0.1:25" + from: "noreply@example.com" + require_tls: no diff --git a/roles/monitoring/prometheus/alertmanager/handlers/main.yml b/roles/monitoring/prometheus/alertmanager/handlers/main.yml new file mode 100644 index 00000000..571b1f7c --- /dev/null +++ b/roles/monitoring/prometheus/alertmanager/handlers/main.yml 
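Review bot: The variable prefix is spelled `promethues_alertmanager_smtp` in this defaults file, in the `ch-mon.yml` host_vars hunk above and in `alertmanager.yml.j2`, so anyone who overrides the correctly spelled `prometheus_alertmanager_smtp` silently gets the role defaults (`127.0.0.1:25`, `noreply@example.com`). Renaming it now is cheaper than after more hosts depend on it. The default `require_tls: no` is harmless for a loopback smarthost, but the host_vars hunk keeps it while pointing at a LAN address, which sends alert mail in clear text; I would default to `require_tls: true` and let hosts with a local relay opt out. Writing the boolean as `true`/`false` instead of `no` also avoids YAML 1.1 truthy differences between parsers.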
@@ -0,0 +1,10 @@
+---
+- name: restart prometheus-alertmanager
+ service:
+ name: prometheus-alertmanager
+ state: restarted
+
+- name: reload prometheus-alertmanager
+ service:
+ name: prometheus-alertmanager
+ state: reloaded
diff --git a/roles/monitoring/prometheus/alertmanager/tasks/main.yml b/roles/monitoring/prometheus/alertmanager/tasks/main.yml
new file mode 100644
index 00000000..fe8ce9ca
--- /dev/null
+++ b/roles/monitoring/prometheus/alertmanager/tasks/main.yml
@@ -0,0 +1,45 @@
+---
+- name: check if prometheus apt component of spreadspace repo is enabled
+ assert:
+ msg: "please enable the 'prometheus' component of spreadspace repo using 'spreadspace_apt_repo_components'"
+ that:
+ - spreadspace_apt_repo_components is defined
+ - "'prometheus' in spreadspace_apt_repo_components"
+
+- name: install apt packages
+ apt:
+ name: prom-alertmanager
+ state: present
+
+- name: add user for server
+ user:
+ name: prometheus-alertmanager
+ system: yes
+ home: /nonexistent
+ create_home: no
+
+- name: create data directory
+ file:
+ path: /var/lib/prometheus/alertmanager
+ state: directory
+ owner: prometheus-alertmanager
+ group: prometheus-alertmanager
+
+- name: generate configuration file
+ template:
+ src: alertmanager.yml.j2
+ dest: /etc/prometheus/alertmanager.yml
+ notify: reload prometheus-alertmanager
+
+- name: generate systemd service unit
+ template:
+ src: prometheus-alertmanager.service.j2
+ dest: /etc/systemd/system/prometheus-alertmanager.service
+ notify: restart prometheus-alertmanager
+
+- name: make sure alertmanager is enabled and started
+ systemd:
+ name: prometheus-alertmanager.service
+ daemon_reload: yes
+ state: started
+ enabled: yes
diff --git a/roles/monitoring/prometheus/alertmanager/templates/alertmanager.yml.j2 b/roles/monitoring/prometheus/alertmanager/templates/alertmanager.yml.j2
new file mode 100644
index 00000000..b1d40bb2
--- /dev/null
+++ b/roles/monitoring/prometheus/alertmanager/templates/alertmanager.yml.j2
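Review bot: The `generate configuration file` task writes `/etc/prometheus/alertmanager.yml` with no `validate:`, `owner:` or `mode:`, so a broken template reaches the reload handler unchecked and the file gets whatever permissions the umask gives. Alertmanager configs commonly end up holding SMTP credentials or webhook URLs, so I would set `owner: root`, `group: prometheus-alertmanager` and `mode: "0640"` from the start. If the `prom-alertmanager` package ships `amtool` (not visible here), `validate: "amtool check-config %s"` would match the `promtool` validation used in the server role. The `add user for server` task could also pin `shell: /usr/sbin/nologin` instead of relying on the distribution default.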
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+global:
+ smtp_smarthost: '{{ promethues_alertmanager_smtp.smarthost }}'
+ smtp_from: '{{ promethues_alertmanager_smtp.from }}'
+ smtp_require_tls: {{ promethues_alertmanager_smtp.require_tls | ternary('true', 'false') }}
+
+route:
+ receiver: empty
+
+ routes:
+ - match_re:
+ instance: ^$
+ receiver: empty
+
+receivers:
+- name: empty
diff --git a/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2 b/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2
new file mode 100644
index 00000000..f290dca8
--- /dev/null
+++ b/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2
@@ -0,0 +1,37 @@
+[Unit]
+Description=Alertmanager for Prometheus Monitoring system
+Documentation=https://prometheus.io/docs/alerting/alertmanager/
+
+[Service]
+Restart=on-failure
+User=prometheus-alertmanager
+ExecStart=/usr/bin/prometheus-alertmanager --config.file=/etc/prometheus/alertmanager.yml --cluster.listen-address= --storage.path="/var/lib/prometheus/alertmanager"
+ExecReload=/bin/kill -HUP $MAINPID
+TimeoutStopSec=20s
+SendSIGKILL=no
+
+# systemd hardening-options
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LimitMEMLOCK=0
+LimitNOFILE=8192
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
-- cgit v1.2.3
From 6cf380956bdd31292b4ccf51b1bbc217b93bf45f Mon Sep 17 00:00:00 2001
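Review bot: Every route in `alertmanager.yml.j2` ends at the receiver `empty`, which has no `email_configs` or other integration, so the `smtp_*` globals are never used and every alert is dropped without a notification, whatever its severity. If that is intended for this first cut, a header comment in the template such as `# NOTE: no receivers configured yet - alerts are not delivered` would keep a running Alertmanager from being mistaken for working alerting. Once a real receiver is added, the catch-all `receiver: empty` at the top of `route:` should point to it, so that unmatched alerts are not the ones that vanish.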
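Review bot: `ExecStart` in `prometheus-alertmanager.service.j2` passes no `--web.listen-address`, so Alertmanager falls back to its default of port 9093 on all interfaces, and its web API has no authentication of its own. Binding it explicitly, by appending `--web.listen-address=127.0.0.1:9093` to the command line, and publishing it only through an authenticated proxy keeps alert state and silences off the network. The hardening block is a good start; `ProtectSystem=strict` with `ReadWritePaths=/var/lib/prometheus/alertmanager` and `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` would tighten it further, after testing on the target release.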
From: Christian Pointner Date: Wed, 23 Jun 2021 23:06:40 +0200 Subject: prometheus: connect server to alertmanager if configured --- inventory/host_vars/ch-mon.yml | 5 ++- .../prometheus/server/defaults/main/main.yml | 5 ++- .../server/defaults/main/rules_prometheus.yml | 47 ++++++++++++++++++++++ .../prometheus/server/templates/prometheus.yml.j2 | 13 ++++++ 4 files changed, 68 insertions(+), 2 deletions(-) (limited to 'roles') diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml index c0551768..111ffb55 100644 --- a/inventory/host_vars/ch-mon.yml +++ b/inventory/host_vars/ch-mon.yml @@ -61,6 +61,10 @@ prometheus_server_storage: size: 30G fs: ext4 +prometheus_server_alertmanager: + url: "127.0.0.1:9093" + + prometheus_exporters_extra: - blackbox @@ -73,7 +77,6 @@ promethues_alertmanager_smtp: from: "noreply@chaos-at-home.org" require_tls: no - grafana_secret_key: "{{ vault_grafana_secret_key }}" grafana_config_smtp: diff --git a/roles/monitoring/prometheus/server/defaults/main/main.yml b/roles/monitoring/prometheus/server/defaults/main/main.yml index b10d6f17..8e7fea4b 100644 --- a/roles/monitoring/prometheus/server/defaults/main/main.yml +++ b/roles/monitoring/prometheus/server/defaults/main/main.yml @@ -9,5 +9,8 @@ prometheus_server_jobs: - node prometheus_server_rules: - prometheus: "{{ prometheus_server_rules_prometheus + prometheus_server_rules_prometheus_extra }}" + prometheus: "{{ prometheus_server_rules_prometheus + ((prometheus_server_alertmanager is defined) | ternary(prometheus_server_rules_prometheus_alertmanager, [])) + prometheus_server_rules_prometheus_extra }}" node: "{{ prometheus_server_rules_node + prometheus_server_rules_prometheus_extra }}" + +# prometheus_server_alertmanager: +# url: "127.0.0.1:9093" diff --git a/roles/monitoring/prometheus/server/defaults/main/rules_prometheus.yml b/roles/monitoring/prometheus/server/defaults/main/rules_prometheus.yml index 6d84efa4..8d4672b1 100644 
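Review bot: The new `prometheus_server_alertmanager` setting in `server/defaults/main/main.yml` names its key `url`, but the commented example and the templates in this commit treat it as a bare `host:port` that is placed verbatim into `targets:`; a value with a scheme would produce an invalid target. Calling it `address`, or stating the expected form in the comment block, e.g. `# url: "127.0.0.1:9093"  # host:port, no scheme`, avoids that. Separately, the unchanged `node:` entry just below the rewritten `prometheus:` line appends `prometheus_server_rules_prometheus_extra`, which looks like a copy-paste slip carried forward; if it is unintended, a node-specific extra list is presumably what was meant.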
--- a/roles/monitoring/prometheus/server/defaults/main/rules_prometheus.yml +++ b/roles/monitoring/prometheus/server/defaults/main/rules_prometheus.yml 
@@ -190,3 +190,50 @@ prometheus_server_rules_prometheus: annotations: summary: Prometheus TSDB WAL truncations failed (instance {{ '{{' }} $labels.instance {{ '}}' }}) description: "Prometheus encountered {{ '{{' }} $value {{ '}}' }} TSDB WAL truncation failures\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + +prometheus_server_rules_prometheus_alertmanager: + - alert: PrometheusAlertmanagerConfigurationReloadFailure + expr: alertmanager_config_last_reload_successful != 1 + for: 0m + labels: + severity: warning + annotations: + summary: Prometheus AlertManager configuration reload failure (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "AlertManager configuration reload error\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusAlertmanagerConfigNotSynced + expr: count(count_values("config_hash", alertmanager_config_hash)) > 1 + for: 0m + labels: + severity: warning + annotations: + summary: Prometheus AlertManager config not synced (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Configurations of AlertManager cluster instances are out of sync\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusAlertmanagerE2eDeadManSwitch + expr: vector(1) + for: 0m + labels: + severity: critical + annotations: + summary: Prometheus AlertManager E2E dead man switch (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Prometheus DeadManSwitch is an always-firing alert. 
It's used as an end-to-end test of Prometheus through the Alertmanager.\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusNotConnectedToAlertmanager + expr: prometheus_notifications_alertmanagers_discovered < 1 + for: 0m + labels: + severity: critical + annotations: + summary: Prometheus not connected to alertmanager (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Prometheus cannot connect the alertmanager\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" + + - alert: PrometheusAlertmanagerNotificationFailing + expr: rate(alertmanager_notifications_failed_total[1m]) > 0 + for: 0m + labels: + severity: critical + annotations: + summary: Prometheus AlertManager notification failing (instance {{ '{{' }} $labels.instance {{ '}}' }}) + description: "Alertmanager is failing sending notifications\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}" diff --git a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 index 3975c74d..c76990f4 100644 --- a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 +++ b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 @@ -6,6 +6,13 @@ global: rule_files: - /etc/prometheus/rules/*.yml +{% if prometheus_server_alertmanager is defined %} + +alerting: + alertmanagers: + - static_configs: + - targets: ['{{ prometheus_server_alertmanager.url }}'] +{% endif %} scrape_configs: - job_name: 'prometheus' @@ -13,6 +20,12 @@ scrape_configs: - targets: ['localhost:9090'] labels: instance: "{{ inventory_hostname }}" +{% if prometheus_server_alertmanager is defined %} + + - job_name: 'alertmanager' + static_configs: + - targets: ['{{ prometheus_server_alertmanager.url }}'] +{% endif %} {% for job in prometheus_server_jobs %} - job_name: '{{ job }}' -- cgit v1.2.3 
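Review bot: `PrometheusAlertmanagerE2eDeadManSwitch` uses `expr: vector(1)`, which carries no labels, so `$labels.instance` in its summary renders empty, and it fires permanently at `severity: critical` next to real critical alerts. A dead man's switch only helps when it is routed to a dedicated receiver that raises an alarm once the heartbeat stops; I would give it a distinguishing label such as `severity: none` and add the matching route in the Alertmanager config. `PrometheusNotConnectedToAlertmanager` and `PrometheusAlertmanagerNotificationFailing` describe failures of the very path that would deliver them, so the heartbeat is the only rule in this group that covers that outage. `for: 0m` on `rate(alertmanager_notifications_failed_total[1m]) > 0` will also fire on a single failed attempt; a short `for:` such as `5m` reduces noise.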
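Review bot: The new `alertmanager` scrape job in `prometheus.yml.j2` has no `labels:` block, while the `prometheus` job above it sets `instance: "{{ inventory_hostname }}"`, so Alertmanager series are labelled with the raw target address and the `(instance …)` text in the new alert summaries will not name the host. Adding `labels:` with `instance: "{{ inventory_hostname }}"` under its `static_configs` entry keeps the two jobs consistent. Both new blocks also use the default `http` scheme without authentication, which is fine for a loopback target but deserves a comment, since the variable accepts any address.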
From 6c990fd148f8813dcbafbf2e27fa5ecbe88af5dc Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Thu, 24 Jun 2021 22:29:26 +0200 Subject: move monitoring web interfaces into common nginx vhost --- chaos-at-home/ch-mon.yml | 13 +++++++++++++ inventory/host_vars/ch-mon.yml | 7 +++++++ roles/monitoring/grafana/tasks/main.yml | 15 --------------- .../monitoring/prometheus/alertmanager/defaults/main.yml | 3 +++ .../templates/prometheus-alertmanager.service.j2 | 2 +- roles/monitoring/prometheus/server/defaults/main/main.yml | 4 ++++ .../prometheus/server/templates/prometheus.service.j2 | 2 +- .../prometheus/server/templates/prometheus.yml.j2 | 9 +++++++++ 8 files changed, 38 insertions(+), 17 deletions(-) (limited to 'roles') diff --git a/chaos-at-home/ch-mon.yml b/chaos-at-home/ch-mon.yml index 906e8adc..bb20677f 100644 --- a/chaos-at-home/ch-mon.yml +++ b/chaos-at-home/ch-mon.yml @@ -15,3 +15,16 @@ - role: monitoring/prometheus/alertmanager - role: monitoring/prometheus/server - role: monitoring/grafana + - role: nginx/vhost + nginx_vhost: + name: monitoring + template: generic-proxy-no-buffering + hostnames: + - "_" + locations: + '/grafana/': + proxy_pass: "http://127.0.0.1:3000" + '/prometheus/': + proxy_pass: "http://127.0.0.1:9090" + '/alertmanager/': + proxy_pass: "http://127.0.0.1:9093" diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml index 111ffb55..118e7f0b 100644 --- a/inventory/host_vars/ch-mon.yml +++ b/inventory/host_vars/ch-mon.yml @@ -63,6 +63,9 @@ prometheus_server_storage: prometheus_server_alertmanager: url: "127.0.0.1:9093" + path_prefix: "/alertmanager/" + +prometheus_server_web_external_url: /prometheus/ prometheus_exporters_extra: 
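Review bot: The new `monitoring` vhost in `chaos-at-home/ch-mon.yml` answers on the catch-all hostname `_` and proxies `/prometheus/` and `/alertmanager/` to services that have no login of their own, and nothing in this hunk adds authentication, an address allow-list or TLS. The `generic-proxy-no-buffering` template is not visible here, so it may cover part of this; if it does not, I would restrict those two locations with `auth_basic` or `allow`/`deny` rules and serve the vhost over HTTPS. The backend ports are now hard-coded, where the removed Grafana vhost used `grafana_config_server.http_port | default(3000)` and set `client_max_body_size 0` through `extra_directives`; both are dropped without comment. Grafana also needs `root_url` and `serve_from_sub_path` set to be usable under `/grafana/`, which this commit does not show.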
@@ -72,11 +75,15 @@ prometheus_exporter_blackbox_modules_extra: icmp: prober: icmp + promethues_alertmanager_smtp: smarthost: "{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ipaddr('address') }}:25" from: "noreply@chaos-at-home.org" require_tls: no +prometheus_alertmanager_web_route_prefix: /alertmanager/ + + grafana_secret_key: "{{ vault_grafana_secret_key }}" grafana_config_smtp: diff --git a/roles/monitoring/grafana/tasks/main.yml b/roles/monitoring/grafana/tasks/main.yml index 55cce412..8698c036 100644 --- a/roles/monitoring/grafana/tasks/main.yml +++ b/roles/monitoring/grafana/tasks/main.yml @@ -79,18 +79,3 @@ name: grafana-server state: started enabled: yes - -- name: configure nginx vhost - vars: - nginx_vhost: - name: grafana - template: generic-proxy-no-buffering - hostnames: - - "_" - locations: - '/': - proxy_pass: "http://127.0.0.1:{{ grafana_config_server.http_port | default(3000) }}" - extra_directives: |- - client_max_body_size 0; - include_role: - name: nginx/vhost diff --git a/roles/monitoring/prometheus/alertmanager/defaults/main.yml b/roles/monitoring/prometheus/alertmanager/defaults/main.yml index 34b03df0..62663ab8 100644 --- a/roles/monitoring/prometheus/alertmanager/defaults/main.yml +++ b/roles/monitoring/prometheus/alertmanager/defaults/main.yml @@ -3,3 +3,6 @@ promethues_alertmanager_smtp: smarthost: "127.0.0.1:25" from: "noreply@example.com" require_tls: no + +prometheus_alertmanager_web_listen_address: 127.0.0.1:9093 +# prometheus_alertmanager_web_route_prefix: /alertmanager/ diff --git a/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2 b/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2 index f290dca8..e548607d 100644 --- a/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2 +++ b/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2 
@@ -5,7 +5,7 @@ Documentation=https://prometheus.io/docs/alerting/alertmanager/ [Service] Restart=on-failure User=prometheus-alertmanager -ExecStart=/usr/bin/prometheus-alertmanager --config.file=/etc/prometheus/alertmanager.yml --cluster.listen-address= --storage.path="/var/lib/prometheus/alertmanager" +ExecStart=/usr/bin/prometheus-alertmanager --config.file=/etc/prometheus/alertmanager.yml --cluster.listen-address= --storage.path="/var/lib/prometheus/alertmanager"{% if prometheus_alertmanager_web_route_prefix is defined %} --web.route-prefix={{ prometheus_alertmanager_web_route_prefix }}{% endif %} --web.listen-address={{ prometheus_alertmanager_web_listen_address }} ExecReload=/bin/kill -HUP $MAINPID TimeoutStopSec=20s SendSIGKILL=no diff --git a/roles/monitoring/prometheus/server/defaults/main/main.yml b/roles/monitoring/prometheus/server/defaults/main/main.yml index 8e7fea4b..c9291172 100644 --- a/roles/monitoring/prometheus/server/defaults/main/main.yml +++ b/roles/monitoring/prometheus/server/defaults/main/main.yml @@ -14,3 +14,7 @@ prometheus_server_rules: # prometheus_server_alertmanager: # url: "127.0.0.1:9093" +# path_prefix: / + +prometheus_server_web_listen_address: 127.0.0.1:9090 +# prometheus_server_web_external_url: /prometheus/ diff --git a/roles/monitoring/prometheus/server/templates/prometheus.service.j2 b/roles/monitoring/prometheus/server/templates/prometheus.service.j2 index 0530e589..3a366a61 100644 --- a/roles/monitoring/prometheus/server/templates/prometheus.service.j2 +++ b/roles/monitoring/prometheus/server/templates/prometheus.service.j2 
@@ -6,7 +6,7 @@ After=time-sync.target [Service] Restart=on-failure User=prometheus -ExecStart=/usr/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus/metrics2/ --storage.tsdb.retention.time={{ prometheus_server_retention }} +ExecStart=/usr/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus/metrics2/ --storage.tsdb.retention.time={{ prometheus_server_retention }}{% if prometheus_server_web_external_url is defined %} --web.external-url={{ prometheus_server_web_external_url }}{% endif %} --web.listen-address={{ prometheus_server_web_listen_address }} ExecReload=/bin/kill -HUP $MAINPID TimeoutStopSec=20s SendSIGKILL=no diff --git a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 index c76990f4..69d5bcdc 100644 --- a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 +++ b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 @@ -12,10 +12,16 @@ alerting: alertmanagers: - static_configs: - targets: ['{{ prometheus_server_alertmanager.url }}'] +{% if 'path_prefix' in prometheus_server_alertmanager %} + path_prefix: '{{ prometheus_server_alertmanager.path_prefix }}' +{% endif %} {% endif %} scrape_configs: - job_name: 'prometheus' +{% if prometheus_server_web_external_url is defined %} + metrics_path: '{{ (prometheus_server_web_external_url | urlsplit('path'), 'metrics') | path_join }}' +{% endif %} static_configs: - targets: ['localhost:9090'] labels: @@ -23,6 +29,9 @@ scrape_configs: {% if prometheus_server_alertmanager is defined %} - job_name: 'alertmanager' +{% if 'path_prefix' in prometheus_server_alertmanager %} + metrics_path: '{{ (prometheus_server_alertmanager.path_prefix, 'metrics') | path_join }}' +{% endif %} static_configs: - targets: ['{{ prometheus_server_alertmanager.url }}'] {% endif %} -- cgit v1.2.3 
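Review bot: `--web.listen-address` in `prometheus.service.j2` now comes from `prometheus_server_web_listen_address`, but the self-scrape target in `prometheus.yml.j2` is still the literal `localhost:9090` (visible as context in the next hunk), so changing the variable silently breaks the `prometheus` job. The same drift is possible for Alertmanager, where `prometheus_alertmanager_web_listen_address` and `prometheus_server_alertmanager.url` have to be kept equal by hand. Deriving the target from the variable, e.g. `- targets: ['{{ prometheus_server_web_listen_address }}']`, removes the first case for loopback-style values. The values are interpolated into `ExecStart` unquoted, so one containing whitespace would split into extra arguments; `{{ prometheus_server_web_external_url | quote }}` guards against that.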
From 51090aa083e7e7b9c5b3bf78e59cf4d3e9696871 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Fri, 25 Jun 2021 01:37:52 +0200 Subject: grafana: drop some settings --- inventory/host_vars/ch-mon.yml | 9 --------- roles/monitoring/grafana/defaults/main.yml | 3 --- roles/monitoring/grafana/tasks/main.yml | 22 ---------------------- 3 files changed, 34 deletions(-) (limited to 'roles') diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml index 118e7f0b..4df29b23 100644 --- a/inventory/host_vars/ch-mon.yml +++ b/inventory/host_vars/ch-mon.yml @@ -85,12 +85,3 @@ prometheus_alertmanager_web_route_prefix: /alertmanager/ grafana_secret_key: "{{ vault_grafana_secret_key }}" - -grafana_config_smtp: - enabled: true - host: "{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ipaddr('address') }}:25" - from_name: "chaos@home Grafana" - from_address: "noreply@chaos-at-home.org" - -grafana_config_plugins: - enable_alpha: true diff --git a/roles/monitoring/grafana/defaults/main.yml b/roles/monitoring/grafana/defaults/main.yml index 0118b8cb..8798dfb5 100644 --- a/roles/monitoring/grafana/defaults/main.yml +++ b/roles/monitoring/grafana/defaults/main.yml @@ -19,6 +19,3 @@ grafana_config_security: grafana_config_users: allow_sign_up: false allow_org_create: false - -grafana_config_smtp: {} -grafana_config_plugins: {} diff --git a/roles/monitoring/grafana/tasks/main.yml b/roles/monitoring/grafana/tasks/main.yml index 8698c036..61dd8638 100644 --- a/roles/monitoring/grafana/tasks/main.yml +++ b/roles/monitoring/grafana/tasks/main.yml 
@@ -52,28 +52,6 @@ value: "{{ item.value | string }}" notify: restart grafana -- name: configure grafana smtp - loop: "{{ grafana_config_smtp | dict2items }}" - loop_control: - label: "{{ item.key }}" - ini_file: - path: /etc/grafana/grafana.ini - section: smtp - option: "{{ item.key }}" - value: "{{ item.value | string }}" - notify: restart grafana - -- name: configure grafana plugins - loop: "{{ grafana_config_plugins | dict2items }}" - loop_control: - label: "{{ item.key }}" - ini_file: - path: /etc/grafana/grafana.ini - section: plugins - option: "{{ item.key }}" - value: "{{ item.value | string }}" - notify: restart grafana - - name: make sure grafan-server is enabled and started systemd: name: grafana-server -- cgit v1.2.3 From f231ca779d0c7585893897bf6a802d7631344810 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Fri, 25 Jun 2021 10:26:34 +0200 Subject: promethues exporter: add TODO list --- roles/monitoring/prometheus/exporter/TODO | 38 +++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 roles/monitoring/prometheus/exporter/TODO (limited to 'roles') diff --git a/roles/monitoring/prometheus/exporter/TODO b/roles/monitoring/prometheus/exporter/TODO new file mode 100644 index 00000000..c02e5699 --- /dev/null +++ b/roles/monitoring/prometheus/exporter/TODO 
@@ -0,0 +1,38 @@
+Node Exporter - Text Collector Scripts:
+ - https://github.com/prometheus-community/node-exporter-textfile-collector-scripts
+ - https://packages.debian.org/bullseye/prometheus-node-exporter-collectors
+
+IPMI Exporter:
+ - https://github.com/soundcloud/ipmi_exporter
+ - https://packages.debian.org/bullseye/prometheus-ipmi-exporter
+
+Postfix Exporter:
+ - https://github.com/kumina/postfix_exporter
+ - https://packages.debian.org/bullseye/prometheus-postfix-exporter
+
+NGINX Exporter:
+ - https://github.com/nginxinc/nginx-prometheus-exporter
+ - https://packages.debian.org/bullseye/prometheus-nginx-exporter
+
+Bind Exporter:
+ - https://github.com/prometheus-community/bind_exporter
+ - https://packages.debian.org/bullseye/prometheus-bind-exporter
+
+MySQLd Exporter:
+ - https://github.com/prometheus/mysqld_exporter
+ - https://packages.debian.org/bullseye/prometheus-mysqld-exporter
+
+Postgres Exporter:
+ - https://github.com/prometheus-community/postgres_exporter
+ - https://packages.debian.org/bullseye/prometheus-postgres-exporter
+
+SNMP Exporter:
+ - https://github.com/prometheus/snmp_exporter
+ - https://packages.debian.org/bullseye/prometheus-snmp-exporter
+
+Process Exporter:
+ - https://github.com/ncabatoff/process-exporter
+ - https://packages.debian.org/bullseye/prometheus-process-exporter
+
+SSL Exporter:
+ - https://github.com/ribbybibby/ssl_exporter
-- cgit v1.2.3