122 changed files with 2720 additions and 123 deletions
@ -0,0 +1,5 @@
@@ -0,0 +1,5 @@
|
||||
[defaults] |
||||
hostfile = hosts |
||||
remote_user = root |
||||
private_key_file = /home/ger/.ssh/id_dsa |
||||
host_key_checking = false |
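Review bot: `host_key_checking = false` on the last line disables SSH host-key verification for every Ansible run, so a controller that is steered to the wrong host (DNS spoofing, a re-addressed VM) will authenticate to it as root and push the firewall script, sshd_config and keys to the impostor without any warning; remove the line (the default is `true`) and pre-seed the controller's known_hosts from the inventory instead. `private_key_file = /home/ger/.ssh/id_dsa` points at a DSA key, which is limited to 1024 bits and is refused by default by OpenSSH 7.0+ on both client and server side, so it is weak and may already fail against the sshd this commit ships — generate an ed25519 key and set `private_key_file = /home/ger/.ssh/id_ed25519`. `hostfile` has been superseded by `inventory` in ansible.cfg; `remote_user = root` is the choice the whole play depends on and pairs with `PermitRootLogin without-password` in the shipped sshd_config, which deserves a one-line comment here.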
@ -0,0 +1,55 @@
@@ -0,0 +1,55 @@
|
||||
[rugcms] |
||||
|
||||
cms-ft11 ansible_host=cms-ft11.service.rug.nl ansible_port=22 |
||||
cms-ft12 ansible_host=cms-ft12.service.rug.nl ansible_port=22 |
||||
|
||||
cms-ft21 ansible_host=cms-ft21.service.rug.nl ansible_port=22 |
||||
cms-ft22 ansible_host=cms-ft22.service.rug.nl ansible_port=22 |
||||
|
||||
|
||||
cms-fa11 ansible_host=cms-fa11.service.rug.nl ansible_port=22 |
||||
cms-fa12 ansible_host=cms-fa12.service.rug.nl ansible_port=22 |
||||
cms-fa13 ansible_host=cms-fa13.service.rug.nl ansible_port=22 |
||||
cms-fa14 ansible_host=cms-fa14.service.rug.nl ansible_port=22 |
||||
|
||||
cms-fp11 ansible_host=cms-fp11.service.rug.nl ansible_port=22 |
||||
cms-fp12 ansible_host=cms-fp12.service.rug.nl ansible_port=22 |
||||
cms-fp13 ansible_host=cms-fp13.service.rug.nl ansible_port=22 |
||||
cms-fp14 ansible_host=cms-fp14.service.rug.nl ansible_port=22 |
||||
cms-fp15 ansible_host=cms-fp15.service.rug.nl ansible_port=22 |
||||
cms-fp16 ansible_host=cms-fp16.service.rug.nl ansible_port=22 |
||||
|
||||
|
||||
cms-fa21 ansible_host=cms-fa21.service.rug.nl ansible_port=22 |
||||
cms-fa22 ansible_host=cms-fa22.service.rug.nl ansible_port=22 |
||||
cms-fa23 ansible_host=cms-fa23.service.rug.nl ansible_port=22 |
||||
cms-fa24 ansible_host=cms-fa24.service.rug.nl ansible_port=22 |
||||
|
||||
cms-fp21 ansible_host=cms-fp21.service.rug.nl ansible_port=22 |
||||
cms-fp22 ansible_host=cms-fp22.service.rug.nl ansible_port=22 |
||||
cms-fp23 ansible_host=cms-fp23.service.rug.nl ansible_port=22 |
||||
cms-fp24 ansible_host=cms-fp24.service.rug.nl ansible_port=22 |
||||
cms-fp25 ansible_host=cms-fp25.service.rug.nl ansible_port=22 |
||||
cms-fp26 ansible_host=cms-fp26.service.rug.nl ansible_port=22 |
||||
|
||||
[acc-new] |
||||
cms-fa[21:24] |
||||
|
||||
[prod] |
||||
cms-fp[21:26] |
||||
|
||||
[test] |
||||
cms-ft[21:22] |
||||
|
||||
[old-test] |
||||
cms-ft[11:12] |
||||
|
||||
[old-acc] |
||||
cms-fa[11:14] |
||||
|
||||
[old-prod] |
||||
cms-fp[11:16] |
||||
|
||||
[new] |
||||
cms-fa[21:24] |
||||
cms-fp[21:26] |
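Review bot: The `[new]` group at the bottom repeats the `cms-fa[21:24]` and `cms-fp[21:26]` ranges that `[acc-new]` and `[prod]` already define, so the two places drift as soon as a host is added to one of them; express it as a parent group instead, `[new:children]` followed by `acc-new` and `prod`. Every host line also carries `ansible_port=22`, which is the default and can be dropped, or stated once under `[rugcms:vars]` if it is meant as documentation.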
Binary file not shown.
Binary file not shown.
@ -0,0 +1,227 @@
@@ -0,0 +1,227 @@
|
||||
#!/bin/bash |
||||
|
||||
# prevent SYNC-floods: |
||||
echo 1 > /proc/sys/net/ipv4/tcp_syncookies |
||||
|
||||
# initialize: |
||||
iptables -F |
||||
iptables -X |
||||
iptables -Z |
||||
|
||||
# config default policy's: |
||||
iptables -P INPUT DROP |
||||
iptables -P OUTPUT DROP |
||||
iptables -P FORWARD DROP |
||||
|
||||
iptables -N LOGDROP |
||||
iptables -A LOGDROP -j LOG |
||||
iptables -A LOGDROP -j DROP |
||||
|
||||
# kernel tweaks: |
||||
/bin/echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts |
||||
/bin/echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route |
||||
/bin/echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses |
||||
/bin/echo 1 > /proc/sys/net/ipv4/conf/all/log_martians |
||||
/bin/echo 0 > /proc/sys/net/ipv4/ip_forward |
||||
|
||||
# allow loopback: |
||||
iptables -A INPUT -i lo -j ACCEPT |
||||
iptables -A OUTPUT -o lo -j ACCEPT |
||||
|
||||
# allow asds.id.rug.nl |
||||
iptables -A INPUT -i br0 -s 129.125.2.50 -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -d 129.125.2.50 -j ACCEPT |
||||
|
||||
# allow vlan933: |
||||
iptables -A INPUT -i bond0.933 -j ACCEPT |
||||
iptables -A OUTPUT -o bond0.933 -j ACCEPT |
||||
|
||||
# allow vlan934: |
||||
iptables -A INPUT -i bond0.934 -j ACCEPT |
||||
iptables -A OUTPUT -o bond0.934 -j ACCEPT |
||||
#allow outbound to databases: |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.182 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.182 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.183 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.183 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.184 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.184 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.185 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.185 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.186 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.186 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.187 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.187 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.188 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.188 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.141 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.141 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.142 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.142 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.143 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.143 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.144 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.144 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.148 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.148 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.149 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.149 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.150 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.150 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.50.147 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.50.147 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.71 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.71 -j ACCEPT |
||||
|
||||
# allow munin-statieken-server: |
||||
iptables -A INPUT -p tcp -s 129.125.50.91 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.50.91 -j ACCEPT |
||||
|
||||
# allow agenda: |
||||
iptables -A INPUT -p tcp -s 129.125.2.116 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.2.116 -j ACCEPT |
||||
|
||||
# allow imap.google.com: |
||||
iptables -A INPUT -p tcp -s 74.125.136/24 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 74.125.136/24 -j ACCEPT |
||||
|
||||
# allow imap.rug.nl: |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.2.81/32 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.2.81/32 -j ACCEPT |
||||
|
||||
# allow more google: |
||||
iptables -A INPUT -p tcp -s 173.194.65.0/24 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 173.194.65.0/24 -j ACCEPT |
||||
|
||||
# new tcp packets sync packets: |
||||
iptables -A INPUT -i br0 -p tcp ! --syn -m state --state NEW -j DROP |
||||
|
||||
# refuse loopback pacts incoming eth0: |
||||
iptables -A INPUT -i br0 -d 127.0.0.0/8 -j DROP |
||||
|
||||
# allow dns outbound to/from DNS server: |
||||
iptables -A INPUT -i br0 -p udp --sport 53 -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -p udp --dport 53 -j ACCEPT |
||||
|
||||
# allow www outbound to 80: |
||||
iptables -A INPUT -i br0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT |
||||
|
||||
# allow www outbound to 443: |
||||
iptables -A INPUT -i br0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT |
||||
|
||||
# allow smtp outbound: |
||||
iptables -A INPUT -i br0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT |
||||
|
||||
# allow ssh from BWP: |
||||
iptables -A INPUT -i br0 -p tcp -s 129.125.249.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -p tcp -d 129.125.249.0/24 -m state --state ESTABLISHED -j ACCEPT |
||||
|
||||
# log/drop the rest: |
||||
iptables -A INPUT -i br0 -s 129.125.0.0/16 -d 129.125.36.121/32 -j LOGDROP |
||||
|
||||
#zabbix monitorings |
||||
iptables -A INPUT -i br0 -s 129.125.50.238 -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -d 129.125.50.238 -j ACCEPT |
||||
|
||||
# allow 9080 inbound: |
||||
iptables -A INPUT -i br0 -p tcp --dport 9080 -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -p tcp --sport 9080 -j ACCEPT |
||||
|
||||
# allow 2222 inbound: |
||||
iptables -A INPUT -i br0 -p tcp -s 129.125.249.0/24 --dport 2222 -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -p tcp -d 129.125.249.0/24 --sport 2222 -j ACCEPT |
||||
|
||||
# inbound gadgets: |
||||
iptables -A INPUT -i br0 -p tcp -m state --state ESTABLISHED -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT |
||||
|
||||
# allow from operator: |
||||
iptables -A INPUT -i br0 -s 129.125.50.41/32 -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -d 129.125.50.41/32 -j ACCEPT |
||||
|
||||
# allow from/to ldap: |
||||
iptables -A INPUT -i br0 -s 129.125.68.50/32 -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -d 129.125.68.50/32 -j ACCEPT |
||||
|
||||
# ldaps outbound: |
||||
iptables -A INPUT -i br0 -p tcp --sport 636 -m state --state ESTABLISHED -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -p tcp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT |
||||
|
||||
# allow nfs: |
||||
iptables -A INPUT -i br0 -s 129.125.50.171/32 -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -d 129.125.50.171/32 -j ACCEPT |
||||
|
||||
|
||||
# allow ntp |
||||
iptables -A INPUT -i br0 -p tcp --sport 123 -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -p tcp --dport 123 -j ACCEPT |
||||
iptables -A INPUT -i br0 -p udp --sport 123 -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -p udp --dport 123 -j ACCEPT |
||||
|
||||
# allow charanga: |
||||
iptables -A INPUT -i br0 -p tcp -s 129.125.60.94/32 --dport 22 -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -p tcp -d 129.125.60.94/32 --sport 22 -j ACCEPT |
||||
|
||||
# charanga 129.125.60.94 port 2222: |
||||
iptables -A INPUT -i br0 -p tcp -s 129.125.60.94/32 --dport 2222 -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -p tcp -d 129.125.60.94/32 --sport 2222 -j ACCEPT |
||||
|
||||
|
||||
# allow imaps: |
||||
iptables -A INPUT -p tcp --sport 993 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp --dport 993 -j ACCEPT |
||||
|
||||
# Flush & default |
||||
ip6tables -F INPUT |
||||
ip6tables -F OUTPUT |
||||
ip6tables -F FORWARD |
||||
|
||||
# setup log-chain: |
||||
ip6tables -N LOGREJECT |
||||
ip6tables -A LOGREJECT -j LOG |
||||
ip6tables -A LOGREJECT -j REJECT |
||||
|
||||
# Set the default policy to drop |
||||
ip6tables -P INPUT DROP |
||||
ip6tables -P OUTPUT DROP |
||||
ip6tables -P FORWARD DROP |
||||
|
||||
# rules: |
||||
ip6tables -A INPUT -i lo -j ACCEPT |
||||
ip6tables -A INPUT -j REJECT |
||||
ip6tables -A OUTPUT -j REJECT |
||||
|
||||
# allow ganglia-statieken-server: |
||||
iptables -A INPUT -p tcp -s 129.125.60.89 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.60.89 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.191 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.191 -j ACCEPT |
||||
|
||||
# open up port 9100 prometues: |
||||
iptables -A INPUT -i br0 -p tcp -s 129.125.2.233/32 --dport 9100 -j ACCEPT |
||||
iptables -A OUTPUT -o br0 -p tcp -d 129.125.2.233/32 --sport 9100 -j ACCEPT |
||||
|
||||
# allow icmp: |
||||
iptables -A INPUT -p icmp -j ACCEPT |
||||
iptables -A OUTPUT -p icmp -j ACCEPT |
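Review bot: Several INPUT rules accept traffic on source port alone with no connection-state match — `--sport 53` UDP, `--sport 123` TCP and UDP, `--sport 993` TCP (the last without even `-i br0`) — so anything that sends from those source ports reaches every listening service despite the DROP policy; add `-m state --state ESTABLISHED` to each reply rule (the TCP ones are already covered by the `ESTABLISHED` rule under "inbound gadgets" and can simply go), and note that `--dport 9080` is opened to any source on br0. That same "inbound gadgets" pair also accepts `NEW` outbound TCP to anywhere on br0, which makes the long list of per-database and per-service OUTPUT rules above it decorative; either drop the catch-all or drop the list, and say in the comment which policy is intended. The LOGDROP rule is bound to `-d 129.125.36.121/32`, which looks like the address of a single host, so on every other host in the inventory nothing is logged before the silent DROP policy — use `-i br0` without a destination and rate-limit the LOG target with `-m limit --limit 5/min` so a scan cannot flood syslog. `ip6tables -A OUTPUT -j REJECT` has no `-o lo` exception, so IPv6 loopback traffic to `::1` is rejected as well, which will surprise any service that binds the IPv6 localhost address.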
@ -0,0 +1,209 @@
@@ -0,0 +1,209 @@
|
||||
#!/usr/bin/python |
||||
|
||||
import os |
||||
import re |
||||
import sys |
||||
|
||||
binarypath = "/usr/sbin/megacli" |
||||
|
||||
if len(sys.argv) > 2: |
||||
print 'Usage: megaclisas-status [--nagios]' |
||||
sys.exit(1) |
||||
|
||||
nagiosmode=False |
||||
nagiosoutput='' |
||||
nagiosgoodarray=0 |
||||
nagiosbadarray=0 |
||||
nagiosgooddisk=0 |
||||
nagiosbaddisk=0 |
||||
|
||||
# Check command line arguments to enable nagios or not |
||||
if len(sys.argv) > 1: |
||||
if sys.argv[1] == '--nagios': |
||||
nagiosmode=True |
||||
else: |
||||
print 'Usage: megaclisas-status [-nagios]' |
||||
sys.exit(1) |
||||
|
||||
# Check binary exists (and +x), if not print an error message |
||||
# or return UNKNOWN nagios error code |
||||
if os.path.exists(binarypath) and os.access(binarypath, os.X_OK): |
||||
pass |
||||
else: |
||||
if nagiosmode: |
||||
print 'UNKNOWN - Cannot find '+binarypath |
||||
else: |
||||
print 'Cannot find '+binarypath+'. Please install it.' |
||||
sys.exit(3) |
||||
|
||||
# Get command output |
||||
def getOutput(cmd): |
||||
output = os.popen(cmd) |
||||
lines = [] |
||||
for line in output: |
||||
if not re.match(r'^$',line.strip()): |
||||
lines.append(line.strip()) |
||||
return lines |
||||
|
||||
def returnControllerNumber(output): |
||||
for line in output: |
||||
if re.match(r'^Controller Count.*$',line.strip()): |
||||
return int(line.split(':')[1].strip().strip('.')) |
||||
|
||||
def returnControllerModel(output): |
||||
for line in output: |
||||
if re.match(r'^Product Name.*$',line.strip()): |
||||
return line.split(':')[1].strip() |
||||
|
||||
def returnArrayNumber(output): |
||||
i = 0 |
||||
for line in output: |
||||
if re.match(r'^Number of Virtual (Disk|Drive).*$',line.strip()): |
||||
i = line.strip().split(':')[1].strip() |
||||
return i |
||||
|
||||
def returnArrayInfo(output,controllerid,arrayid): |
||||
id = 'c'+str(controllerid)+'u'+str(arrayid) |
||||
operationlinennumber = False |
||||
linenumber = 0 |
||||
|
||||
for line in output: |
||||
if re.match(r'Number Of Drives\s*((per span))?:.*[0-9]+$',line.strip()): |
||||
ldpdcount = line.split(':')[1].strip() |
||||
if re.match(r'Span Depth *:.*[0-9]+$',line.strip()): |
||||
spandepth = line.split(':')[1].strip() |
||||
if re.match(r'^RAID Level\s*:.*$',line.strip()): |
||||
raidlevel = line.strip().split(':')[1].split(',')[0].split('-')[1].strip() |
||||
type = 'RAID' + raidlevel |
||||
if re.match(r'^Size\s*:.*$',line.strip()): |
||||
# Size reported in MB |
||||
if re.match(r'^.*MB$',line.strip().split(':')[1]): |
||||
size = line.strip().split(':')[1].strip('MB').strip() |
||||
size = str(int(round((float(size) / 1000))))+'G' |
||||
# Size reported in TB |
||||
elif re.match(r'^.*TB$',line.strip().split(':')[1]): |
||||
size = line.strip().split(':')[1].strip('TB').strip() |
||||
size = str(int(round((float(size) * 1000))))+'G' |
||||
# Size reported in GB (default) |
||||
else: |
||||
size = line.strip().split(':')[1].strip('GB').strip() |
||||
size = str(int(round((float(size)))))+'G' |
||||
if re.match(r'^State\s*:.*$',line.strip()): |
||||
state = line.strip().split(':')[1].strip() |
||||
if re.match(r'^Ongoing Progresses\s*:.*$',line.strip()): |
||||
operationlinennumber = linenumber |
||||
linenumber += 1 |
||||
if operationlinennumber: |
||||
inprogress = output[operationlinennumber+1] |
||||
else: |
||||
inprogress = 'None' |
||||
|
||||
if ldpdcount and (int(spandepth) > 1): |
||||
ldpdcount = int(ldpdcount) * int(spandepth) |
||||
if int(raidlevel) < 10: |
||||
type = type + "0" |
||||
|
||||
return [id,type,size,state,inprogress] |
||||
|
||||
def returnDiskInfo(output,controllerid): |
||||
arrayid = False |
||||
diskid = False |
||||
table = [] |
||||
state = 'undef' |
||||
model = 'undef' |
||||
for line in output: |
||||
if re.match(r'^Virtual (Disk|Drive): [0-9]+.*$',line.strip()): |
||||
arrayid = line.split('(')[0].split(':')[1].strip() |
||||
if re.match(r'Firmware state: .*$',line.strip()): |
||||
state = line.split(':')[1].strip() |
||||
if re.match(r'Inquiry Data: .*$',line.strip()): |
||||
model = line.split(':')[1].strip() |
||||
model = re.sub(' +', ' ', model) |
||||
if re.match(r'PD: [0-9]+ Information.*$',line.strip()): |
||||
diskid = line.split()[1].strip() |
||||
|
||||
if arrayid != False and state != 'undef' and model != 'undef' and diskid != False: |
||||
table.append([str(arrayid), str(diskid), state, model]) |
||||
state = 'undef' |
||||
model = 'undef' |
||||
|
||||
return table |
||||
|
||||
cmd = binarypath+' -adpCount -NoLog' |
||||
output = getOutput(cmd) |
||||
controllernumber = returnControllerNumber(output) |
||||
|
||||
bad = False |
||||
|
||||
# List available controller |
||||
if not nagiosmode: |
||||
print '-- Controller informations --' |
||||
print '-- ID | Model' |
||||
controllerid = 0 |
||||
while controllerid < controllernumber: |
||||
cmd = binarypath+' -AdpAllInfo -a'+str(controllerid)+' -NoLog' |
||||
output = getOutput(cmd) |
||||
controllermodel = returnControllerModel(output) |
||||
print 'c'+str(controllerid)+' | '+controllermodel |
||||
controllerid += 1 |
||||
print '' |
||||
|
||||
controllerid = 0 |
||||
if not nagiosmode: |
||||
print '-- Arrays informations --' |
||||
print '-- ID | Type | Size | Status | InProgress' |
||||
|
||||
while controllerid < controllernumber: |
||||
arrayid = 0 |
||||
cmd = binarypath+' -LdGetNum -a'+str(controllerid)+' -NoLog' |
||||
output = getOutput(cmd) |
||||
arraynumber = returnArrayNumber(output) |
||||
while arrayid < int(arraynumber): |
||||
cmd = binarypath+' -LDInfo -l'+str(arrayid)+' -a'+str(controllerid)+' -NoLog' |
||||
output = getOutput(cmd) |
||||
arrayinfo = returnArrayInfo(output,controllerid,arrayid) |
||||
if not nagiosmode: |
||||
print arrayinfo[0]+' | '+arrayinfo[1]+' | '+arrayinfo[2]+' | '+arrayinfo[3]+' | '+arrayinfo[4] |
||||
if not arrayinfo[3] == 'Optimal': |
||||
bad = True |
||||
nagiosbadarray=nagiosbadarray+1 |
||||
else: |
||||
nagiosgoodarray=nagiosgoodarray+1 |
||||
arrayid += 1 |
||||
controllerid += 1 |
||||
if not nagiosmode: |
||||
print '' |
||||
|
||||
if not nagiosmode: |
||||
print '-- Disks informations' |
||||
print '-- ID | Model | Status' |
||||
|
||||
controllerid = 0 |
||||
while controllerid < controllernumber: |
||||
arrayid = 0 |
||||
cmd = binarypath+' -LDInfo -lall -a'+str(controllerid)+' -NoLog' |
||||
output = getOutput(cmd) |
||||
cmd = binarypath+' -LdPdInfo -a'+str(controllerid)+' -NoLog' |
||||
output = getOutput(cmd) |
||||
arraydisk = returnDiskInfo(output,controllerid) |
||||
for array in arraydisk: |
||||
if not array[2] == 'Online' and not array[2] == 'Online, Spun Up': |
||||
bad=True |
||||
nagiosbaddisk=nagiosbaddisk+1 |
||||
else: |
||||
nagiosgooddisk=nagiosgooddisk+1 |
||||
if not nagiosmode: |
||||
print 'c'+str(controllerid)+'u'+array[0]+'p'+array[1]+' | '+array[3]+' | '+array[2] |
||||
controllerid += 1 |
||||
|
||||
if nagiosmode: |
||||
if bad: |
||||
print 'RAID ERROR - Arrays: OK:'+str(nagiosgoodarray)+' Bad:'+str(nagiosbadarray)+' - Disks: OK:'+str(nagiosgooddisk)+' Bad:'+str(nagiosbaddisk) |
||||
sys.exit(2) |
||||
else: |
||||
print 'RAID OK - Arrays: OK:'+str(nagiosgoodarray)+' Bad:'+str(nagiosbadarray)+' - Disks: OK:'+str(nagiosgooddisk)+' Bad:'+str(nagiosbaddisk) |
||||
else: |
||||
if bad: |
||||
print '\nThere is at least one disk/array in a NOT OPTIMAL state.' |
||||
sys.exit(1) |
||||
|
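Review bot: In `returnArrayInfo` the locals `ldpdcount`, `spandepth`, `raidlevel`, `size` and `state` are assigned only when their regex matches, so a controller whose `-LDInfo` output lacks one of those lines (or labels it differently) raises `UnboundLocalError` at `if ldpdcount and (int(spandepth) > 1):` or at the `return`; in `--nagios` mode that traceback exits 1, which Nagios reads as WARNING rather than UNKNOWN. Initialise them at the top of the function, `ldpdcount = spandepth = None` and `raidlevel = size = state = 'undef'`, and guard the span arithmetic with `if ldpdcount and spandepth and int(spandepth) > 1:`. `if operationlinennumber:` is also False when the "Ongoing Progresses" line sits at index 0, so compare with `is not False`. `os.popen` exposes no exit status, so a failing megacli (wrong permissions, missing controller, hung firmware) yields an empty list, `returnControllerNumber` returns None, the loops never run and the script prints `RAID OK` with zero arrays — `subprocess.check_output` with a try/except that prints UNKNOWN and exits 3 would make that visible. The `-LDInfo -lall` call at the top of the disk loop is executed and its output immediately overwritten by the `-LdPdInfo` call, so it can be removed.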
@ -0,0 +1,10 @@
@@ -0,0 +1,10 @@
|
||||
|
||||
|
||||
_____ ________ ____ |
||||
____ _____ ______ _/ ____\____ \_____ \/_ | |
||||
_/ ___\ / \ / ___/ ______ \ __\\__ \ / ____/ | | |
||||
\ \___| Y Y \\___ \ /_____/ | | / __ \_/ \ | | |
||||
\___ >__|_| /____ > |__| (____ /\_______ \|___| |
||||
\/ \/ \/ \/ \/ |
||||
|
||||
|
@ -0,0 +1,10 @@
@@ -0,0 +1,10 @@
|
||||
|
||||
|
||||
_____ ________ ________ |
||||
____ _____ ______ _/ ____\____ \_____ \\_____ \ |
||||
_/ ___\ / \ / ___/ ______ \ __\\__ \ / ____/ / ____/ |
||||
\ \___| Y Y \\___ \ /_____/ | | / __ \_/ \/ \ |
||||
\___ >__|_| /____ > |__| (____ /\_______ \_______ \ |
||||
\/ \/ \/ \/ \/ \/ |
||||
|
||||
|
@ -0,0 +1,9 @@
@@ -0,0 +1,9 @@
|
||||
|
||||
|
||||
_____ ________ ________ |
||||
____ _____ ______ _/ ____\____ \_____ \ \_____ \ |
||||
_/ ___\ / \ / ___/ ______ \ __\\__ \ / ____/ _(__ < |
||||
\ \___| Y Y \\___ \ /_____/ | | / __ \_/ \ / \ |
||||
\___ >__|_| /____ > |__| (____ /\_______ \/______ / |
||||
\/ \/ \/ \/ \/ \/ |
||||
|
@ -0,0 +1,9 @@
@@ -0,0 +1,9 @@
|
||||
|
||||
|
||||
_____ ________ _____ |
||||
____ _____ ______ _/ ____\____ \_____ \ / | | |
||||
_/ ___\ / \ / ___/ ______ \ __\\__ \ / ____/ / | |_ |
||||
\ \___| Y Y \\___ \ /_____/ | | / __ \_/ \/ ^ / |
||||
\___ >__|_| /____ > |__| (____ /\_______ \____ | |
||||
\/ \/ \/ \/ \/ |__| |
||||
|
@ -0,0 +1,10 @@
@@ -0,0 +1,10 @@
|
||||
|
||||
|
||||
_____ ________ ____ |
||||
____ _____ ______ _/ ____\_____ \_____ \/_ | |
||||
_/ ___\ / \ / ___/ ______ \ __\\____ \ / ____/ | | |
||||
\ \___| Y Y \\___ \ /_____/ | | | |_> > \ | | |
||||
\___ >__|_| /____ > |__| | __/\_______ \|___| |
||||
\/ \/ \/ |__| \/ |
||||
|
||||
|
@ -0,0 +1,10 @@
@@ -0,0 +1,10 @@
|
||||
|
||||
|
||||
_____ ________ ________ |
||||
____ _____ ______ _/ ____\_____ \_____ \\_____ \ |
||||
_/ ___\ / \ / ___/ ______ \ __\\____ \ / ____/ / ____/ |
||||
\ \___| Y Y \\___ \ /_____/ | | | |_> > \/ \ |
||||
\___ >__|_| /____ > |__| | __/\_______ \_______ \ |
||||
\/ \/ \/ |__| \/ \/ |
||||
|
||||
|
@ -0,0 +1,10 @@
@@ -0,0 +1,10 @@
|
||||
|
||||
|
||||
_____ ________ ________ |
||||
____ _____ ______ _/ ____\_____ \_____ \ \_____ \ |
||||
_/ ___\ / \ / ___/ ______ \ __\\____ \ / ____/ _(__ < |
||||
\ \___| Y Y \\___ \ /_____/ | | | |_> > \ / \ |
||||
\___ >__|_| /____ > |__| | __/\_______ \/______ / |
||||
\/ \/ \/ |__| \/ \/ |
||||
|
||||
|
@ -0,0 +1,11 @@
@@ -0,0 +1,11 @@
|
||||
|
||||
|
||||
_____ ________ _____ |
||||
____ _____ ______ _/ ____\_____ \_____ \ / | | |
||||
_/ ___\ / \ / ___/ ______ \ __\\____ \ / ____/ / | |_ |
||||
\ \___| Y Y \\___ \ /_____/ | | | |_> > \/ ^ / |
||||
\___ >__|_| /____ > |__| | __/\_______ \____ | |
||||
\/ \/ \/ |__| \/ |__| |
||||
|
||||
|
||||
|
@ -0,0 +1,10 @@
@@ -0,0 +1,10 @@
|
||||
|
||||
|
||||
_____ ________ .________ |
||||
____ _____ ______ _/ ____\_____ \_____ \ | ____/ |
||||
_/ ___\ / \ / ___/ ______ \ __\\____ \ / ____/ |____ \ |
||||
\ \___| Y Y \\___ \ /_____/ | | | |_> > \ / \ |
||||
\___ >__|_| /____ > |__| | __/\_______ \/______ / |
||||
\/ \/ \/ |__| \/ \/ |
||||
|
||||
|
@ -0,0 +1,10 @@
@@ -0,0 +1,10 @@
|
||||
|
||||
|
||||
_____ ________ ________ |
||||
____ _____ ______ _/ ____\_____ \_____ \/ _____/ |
||||
_/ ___\ / \ / ___/ ______ \ __\\____ \ / ____/ __ \ |
||||
\ \___| Y Y \\___ \ /_____/ | | | |_> > \ |__\ \ |
||||
\___ >__|_| /____ > |__| | __/\_______ \_____ / |
||||
\/ \/ \/ |__| \/ \/ |
||||
|
||||
|
@ -0,0 +1,10 @@
@@ -0,0 +1,10 @@
|
||||
|
||||
|
||||
_____ __ ________ ____ |
||||
____ _____ ______ _/ ____\/ |_\_____ \/_ | |
||||
_/ ___\ / \ / ___/ ______ \ __\\ __\/ ____/ | | |
||||
\ \___| Y Y \\___ \ /_____/ | | | | / \ | | |
||||
\___ >__|_| /____ > |__| |__| \_______ \|___| |
||||
\/ \/ \/ \/ |
||||
|
||||
|
Binary file not shown.
@ -0,0 +1,47 @@
@@ -0,0 +1,47 @@
|
||||
umask 022 |
||||
|
||||
# if running bash |
||||
if [ -n "$BASH_VERSION" ]; then |
||||
# include .bashrc if it exists |
||||
if [ -f "$HOME/.bashrc" ]; then |
||||
. "$HOME/.bashrc" |
||||
fi |
||||
fi |
||||
|
||||
# set PATH so it includes user's private bin if it exists |
||||
if [ -d "$HOME/bin" ] ; then |
||||
PATH="$HOME/bin:$PATH" |
||||
fi |
||||
|
||||
EDITOR=nano |
||||
export EDITOR |
||||
|
||||
JAVA_HOME=$HOME/software/java |
||||
export JAVA_HOME |
||||
|
||||
PATH=$JAVA_HOME/bin:/usr/local/bin:/usr/bin:/usr/ccs/bin:$PATH |
||||
export PATH |
||||
|
||||
RUGCMS_CLASSPATH=\ |
||||
$HOME/software/tomcat/lib/*:\ |
||||
$HOME/servers/tomcat-common/lib/*:\ |
||||
$HOME/servers/ucms-common/lib/ucms/*:\ |
||||
$HOME/servers/ucms-common/lib/xml/*:\ |
||||
$HOME/servers/ucms-common/lib/jackrabbit/*:\ |
||||
$HOME/servers/ucms-common/lib/apache/*:\ |
||||
$HOME/servers/ucms-common/lib/google/*:\ |
||||
$HOME/servers/ucms-common/lib/* |
||||
export RUGCMS_CLASSPATH |
||||
|
||||
source $HOME/scripts/setClusterAndNode.sh |
||||
|
||||
if [[ $CLUSTER == 'test' ]]; then |
||||
PS1=$'\\[\\e[32;1m\\]\\u@\\h (\\w) : \\[\\e[0m\\]' |
||||
elif [[ $CLUSTER == 'acceptation' ]]; then |
||||
PS1=$'\\[\\e[33;1m\\]\\u@\\h (\\w) : \\[\\e[0m\\]' |
||||
elif [[ $CLUSTER == 'production' ]]; then |
||||
PS1=$'\\[\\e[31m\\]\\u@\\h (\\w) : \\[\\e[0m\\]' |
||||
else |
||||
PS1=$'\\[\\e[35;1m\\]\\u@\\h (\\w) : \\[\\e[0m\\]' |
||||
fi |
||||
export PS1 |
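Review bot: The `source`, `[[ … ]]` and `$'…'` constructs from `source $HOME/scripts/setClusterAndNode.sh` onward are bash-only, yet they sit outside the `if [ -n "$BASH_VERSION" ]` guard at the top, so a login through /bin/sh or another POSIX shell prints errors and leaves `CLUSTER` and the colour prompt unset; move that block inside the guard or rewrite it with `.` and `[ "$CLUSTER" = test ]`. The sourced script is not checked for existence or readability, so an account without `~/scripts` gets an error on every login — `[ -r "$HOME/scripts/setClusterAndNode.sh" ] && . "$HOME/scripts/setClusterAndNode.sh"`. The per-cluster PS1 colours (red for production) are a genuine safeguard against running commands on the wrong environment and deserve a one-line comment saying that is their purpose, so nobody "tidies" them away.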
@ -0,0 +1,3 @@
@@ -0,0 +1,3 @@
|
||||
search service.rug.nl |
||||
nameserver 129.125.4.6 |
||||
nameserer 8.8.8.8 |
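Review bot: `nameserer 8.8.8.8` on the last line is misspelled, and resolv.conf ignores unknown keywords, so the intended fallback resolver is silently never consulted — write `nameserver 8.8.8.8`. Before fixing the typo, consider whether a public resolver belongs here at all: if 129.125.4.6 serves internal-only names under the `search service.rug.nl` domain, the fallback will answer NXDOMAIN for cluster hosts while leaking every lookup outside the university network, and a second internal resolver is the safer choice. This file is copied verbatim to RHEL-family hosts (the play uses yum), where NetworkManager or dhclient commonly rewrite /etc/resolv.conf; confirm the copy persists or set the resolvers through the interface configuration instead.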
@ -0,0 +1,139 @@
@@ -0,0 +1,139 @@
|
||||
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ |
||||
|
||||
# This is the sshd server system-wide configuration file. See |
||||
# sshd_config(5) for more information. |
||||
|
||||
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin |
||||
|
||||
# The strategy used for options in the default sshd_config shipped with |
||||
# OpenSSH is to specify options with their default value where |
||||
# possible, but leave them commented. Uncommented options override the |
||||
# default value. |
||||
|
||||
# If you want to change the port on a SELinux system, you have to tell |
||||
# SELinux about this change. |
||||
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER |
||||
# |
||||
#Port 22 |
||||
#AddressFamily any |
||||
#ListenAddress 0.0.0.0 |
||||
#ListenAddress :: |
||||
|
||||
HostKey /etc/ssh/ssh_host_rsa_key |
||||
#HostKey /etc/ssh/ssh_host_dsa_key |
||||
HostKey /etc/ssh/ssh_host_ecdsa_key |
||||
HostKey /etc/ssh/ssh_host_ed25519_key |
||||
|
||||
# Ciphers and keying |
||||
#RekeyLimit default none |
||||
|
||||
# Logging |
||||
#SyslogFacility AUTH |
||||
SyslogFacility AUTHPRIV |
||||
#LogLevel INFO |
||||
|
||||
# Authentication: |
||||
|
||||
#LoginGraceTime 2m |
||||
PermitRootLogin without-password |
||||
#StrictModes yes |
||||
#MaxAuthTries 6 |
||||
#MaxSessions 10 |
||||
|
||||
#PubkeyAuthentication yes |
||||
|
||||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 |
||||
# but this is overridden so installations will only check .ssh/authorized_keys |
||||
AuthorizedKeysFile .ssh/authorized_keys |
||||
|
||||
#AuthorizedPrincipalsFile none |
||||
|
||||
#AuthorizedKeysCommand none |
||||
#AuthorizedKeysCommandUser nobody |
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts |
||||
#HostbasedAuthentication no |
||||
# Change to yes if you don't trust ~/.ssh/known_hosts for |
||||
# HostbasedAuthentication |
||||
#IgnoreUserKnownHosts no |
||||
# Don't read the user's ~/.rhosts and ~/.shosts files |
||||
#IgnoreRhosts yes |
||||
|
||||
# To disable tunneled clear text passwords, change to no here! |
||||
#PasswordAuthentication yes |
||||
#PermitEmptyPasswords no |
||||
PasswordAuthentication yes |
||||
|
||||
# Change to no to disable s/key passwords |
||||
#ChallengeResponseAuthentication yes |
||||
ChallengeResponseAuthentication no |
||||
|
||||
# Kerberos options |
||||
#KerberosAuthentication no |
||||
#KerberosOrLocalPasswd yes |
||||
#KerberosTicketCleanup yes |
||||
#KerberosGetAFSToken no |
||||
#KerberosUseKuserok yes |
||||
|
||||
# GSSAPI options |
||||
GSSAPIAuthentication yes |
||||
GSSAPICleanupCredentials no |
||||
#GSSAPIStrictAcceptorCheck yes |
||||
#GSSAPIKeyExchange no |
||||
#GSSAPIEnablek5users no |
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing, |
||||
# and session processing. If this is enabled, PAM authentication will |
||||
# be allowed through the ChallengeResponseAuthentication and |
||||
# PasswordAuthentication. Depending on your PAM configuration, |
||||
# PAM authentication via ChallengeResponseAuthentication may bypass |
||||
# the setting of "PermitRootLogin without-password". |
||||
# If you just want the PAM account and session checks to run without |
||||
# PAM authentication, then enable this but set PasswordAuthentication |
||||
# and ChallengeResponseAuthentication to 'no'. |
||||
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several |
||||
# problems. |
||||
UsePAM yes |
||||
|
||||
#AllowAgentForwarding yes |
||||
#AllowTcpForwarding yes |
||||
#GatewayPorts no |
||||
X11Forwarding yes |
||||
#X11DisplayOffset 10 |
||||
#X11UseLocalhost yes |
||||
#PermitTTY yes |
||||
#PrintMotd yes |
||||
#PrintLastLog yes |
||||
#TCPKeepAlive yes |
||||
#UseLogin no |
||||
#UsePrivilegeSeparation sandbox |
||||
#PermitUserEnvironment no |
||||
#Compression delayed |
||||
#ClientAliveInterval 0 |
||||
#ClientAliveCountMax 3 |
||||
#ShowPatchLevel no |
||||
#UseDNS yes |
||||
#PidFile /var/run/sshd.pid |
||||
#MaxStartups 10:30:100 |
||||
#PermitTunnel no |
||||
#ChrootDirectory none |
||||
#VersionAddendum none |
||||
|
||||
# no default banner path |
||||
#Banner none |
||||
|
||||
# Accept locale-related environment variables |
||||
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES |
||||
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT |
||||
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE |
||||
AcceptEnv XMODIFIERS |
||||
|
||||
# override default of no subsystems |
||||
Subsystem sftp /usr/libexec/openssh/sftp-server |
||||
|
||||
# Example of overriding settings on a per-user basis |
||||
#Match User anoncvs |
||||
# X11Forwarding no |
||||
# AllowTcpForwarding no |
||||
# PermitTTY no |
||||
# ForceCommand cvs server |
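Review bot: `PasswordAuthentication yes` together with `UsePAM yes` leaves password logins open for every non-root account on hosts that are otherwise provisioned by key (`PermitRootLogin without-password`, the Ansible key in this commit); the firewall limits SSH to a few source networks, so the remaining exposure is password guessing from those networks and from any compromised jump host in them. Set `PasswordAuthentication no`, scope any account that still needs a password with a `Match User` block, and add `AllowGroups root rugcms` so that service accounts created by other packages cannot log in at all. `X11Forwarding yes` and `GSSAPIAuthentication yes` are distribution defaults that are unlikely to be needed on headless CMS servers — `X11Forwarding no` removes one forwarding channel outright. The comment block above `UsePAM` explains that PAM can bypass `PermitRootLogin without-password` only through ChallengeResponse, which is off here; a one-line comment next to `PermitRootLogin` stating that dependency is deliberate would spare the next reader the same analysis.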
Binary file not shown.
Binary file not shown.
@ -0,0 +1,34 @@
@@ -0,0 +1,34 @@
|
||||
- copy: |
||||
src: files/motd.{{ ansible_hostname }} |
||||
dest: /etc/motd |
||||
owner: root |
||||
group: root |
||||
mode: 0644 |
||||
|
||||
- copy: |
||||
src: files/hosts |
||||
dest: /etc/hosts |
||||
owner: root |
||||
group: root |
||||
mode: 0644 |
||||
|
||||
- copy: |
||||
src: files/sshd_config |
||||
dest: /etc/ssh/sshd_config |
||||
owner: root |
||||
group: root |
||||
mode: 0600 |
||||
|
||||
- copy: |
||||
src: files/resolv.conf |
||||
dest: /etc/resolv.conf |
||||
owner: root |
||||
group: root |
||||
mode: 0644 |
||||
|
||||
- copy: |
||||
src: files/yum_debug_dump.txt.gz |
||||
dest: /root/yum_debug_dump.txt.gz |
||||
owner: root |
||||
group: root |
||||
mode: 0600 |
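Review bot: The `sshd_config` copy has no `validate:` and no handler, so a syntax error in the shipped file is written to `/etc/ssh/sshd_config` unchecked and the running sshd keeps the old configuration until its next restart — at which point it fails to start and locks everyone out. Add `validate: '/usr/sbin/sshd -t -f %s'` to that task and a `notify: restart sshd` handler so the new settings actually take effect in the same run. `/etc/hosts` and `/etc/resolv.conf` are overwritten with static files on every host; that is fine as long as nothing else manages them, but worth a comment. Shipping `yum_debug_dump.txt.gz` to `/root` looks like a leftover diagnostic; if it is needed, say why, otherwise drop it.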
@ -0,0 +1,6 @@
@@ -0,0 +1,6 @@
|
||||
- copy: |
||||
src: files/firewall.sh |
||||
dest: /root/firewall/firewall.sh |
||||
owner: root |
||||
group: root |
||||
mode: 0700 |
@ -0,0 +1 @@
@@ -0,0 +1 @@
|
||||
- selinux: state=disabled |
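Review bot: `selinux: state=disabled` switches SELinux off entirely rather than keeping the targeted policy and fixing whatever denial motivated it; `state: permissive` with `policy: targeted` keeps file labelling intact and logs denials so the policy can be corrected, and `enforcing` can later be restored without a full relabel. The change also only takes effect after a reboot, so the docker and netdata tasks later in the same play execute against the still-active policy — the task should register a reboot-required flag or carry a comment saying so.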
@ -0,0 +1,9 @@
@@ -0,0 +1,9 @@
|
||||
- docker_container: |
||||
name: netdata |
||||
image: titpetric/netdata |
||||
network_mode: host |
||||
hostname: "{{ ansible_hostname }}" |
||||
capabilities: SYS_PTRACE |
||||
state: started |
||||
volumes: |
||||
- /sys:/host/sys:ro |
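Review bot: `image: titpetric/netdata` carries no tag or digest, so every pull resolves `latest` from Docker Hub and an updated or hijacked image is started on every host on the next run; pin it, e.g. `image: titpetric/netdata:<version>@sha256:<digest>`. The combination `network_mode: host` plus `capabilities: SYS_PTRACE` lets the container attach to and read the memory of any host process from the host's own network namespace, which is a lot of trust to place in an unpinned third-party image; if per-process metrics are not needed, drop the capability. `/sys` is mounted read-only, which is good, but the container runs as whatever user the image defaults to — presumably root, confirm — and no `restart_policy` is set, so it will not come back after a reboot.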
@ -0,0 +1,6 @@
@@ -0,0 +1,6 @@
|
||||
- user: |
||||
name: ger |
||||
comment: "ger user" |
||||
state: present |
||||
group: rugcms |
||||
home: /home/ger |
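Review bot: The `ger` account is created without a fixed `uid` (and the `rugcms` group in its own task has no `gid`), so each host hands out the next free number and the same user can end up with different ids across the cluster; since the firewall in this commit opens traffic to an NFS server (129.125.50.171), mismatched ids would make shared files appear with the wrong owner. Pin both, `uid: <n>` here and `gid: <n>` in rugcms-group.yml. No `shell` is set and the home directory is left to the distribution defaults; if this account receives the deployment key (`rugcms-keys.yml` is not shown), `createhome: yes` and the home directory mode are worth stating explicitly.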
@ -0,0 +1 @@
@@ -0,0 +1 @@
|
||||
- yum: name=python-docker-py state=latest |
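Review bot: `state=latest` makes this task (and the epel-release, ntp and yum-utils tasks that follow the same pattern) upgrade the package on every run, so an ordinary configuration run can pull in an untested version and reports "changed" for unrelated reasons; use `state: present` and leave upgrades to the dedicated `upgrade.yml` step. The only reason for `python-docker-py` is the `docker_container` module in docker-netdata.yml, which is not visible from this file — a one-line comment, `# required by the docker_container module (docker-netdata.yml)`, would stop it being removed as unused.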
@ -0,0 +1 @@
@@ -0,0 +1 @@
|
||||
- yum: name=epel-release state=latest |
@ -0,0 +1 @@
@@ -0,0 +1 @@
|
||||
- yum: name=ntp state=latest |
@ -0,0 +1 @@
@@ -0,0 +1 @@
|
||||
- yum: name=yum-utils state=latest |
@ -0,0 +1,21 @@
@@ -0,0 +1,21 @@
|
||||
- include: rugcms-group.yml |
||||
- include: rugcms-user.yml |
||||
- include: rugcms-keys.yml |
||||
- include: rugcms-profile.yml |
||||
- include: rugcms-password.yml |
||||
- include: stealth-client.yml |
||||
- include: install-epel.yml |
||||
- include: install-ntp.yml |
||||
- include: install-yum-utils.yml |
||||
- include: install-docker-py.yml |
||||
- include: disable-selinux.yml |
||||
- include: start-ntp.yml |
||||
- include: stop-firewalld.yml |
||||
- include: copy-firewall.yml |
||||
- include: run-firewall.yml |
||||
- include: nagios-client.yml |
||||
- include: mega-cli.yml |
||||
- include: copy-files.yml |
||||
- include: start-services.yml |
||||
- include: docker-netdata.yml |
||||
- include: upgrade.yml |
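Review bot: The sequence `stop-firewalld` → `copy-firewall` → `run-firewall` installs a rule set that lives only in the kernel: nothing in this commit persists it (neither `iptables-save` into `/etc/sysconfig/iptables` with `iptables-services` enabled, nor a unit that runs `/root/firewall/firewall.sh` at boot), so after a reboot the host comes up with firewalld stopped — presumably also disabled, stop-firewalld.yml is not shown — and the kernel's default ACCEPT policies until the play is re-run. Persist the rules in `run-firewall.yml` or ship a systemd unit for the script. `upgrade.yml` runs last, after services are started and the netdata container is created, so a kernel or docker upgrade lands under a running workload; it would be safer near the top of the play. `include:` is deprecated in current Ansible in favour of `import_tasks:`/`include_tasks:` — a mechanical change worth making while the file is new.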
@ -0,0 +1,27 @@
@@ -0,0 +1,27 @@
|
||||
- copy: |
||||
src: files/Lib_Utils-1.00-09.noarch.rpm |
||||
dest: /tmp/Lib_Utils-1.00-09.noarch.rpm |
||||
|
||||
- yum: |
||||
name: /tmp/Lib_Utils-1.00-09.noarch.rpm |
||||
state: present |
||||
|
||||
- copy: |
||||
src: files/MegaCli-8.04.07-1.noarch.rpm |
||||
dest: /tmp/MegaCli-8.04.07-1.noarch.rpm |
||||
|
||||
- yum: |
||||
name: /tmp/MegaCli-8.04.07-1.noarch.rpm |
||||
state: present |
||||
|
||||
- copy: |
||||
src: files/megaclisas-status |
||||
dest: /usr/sbin/megaclisas-status |
||||
owner: root |
||||
group: root |
||||
mode: 0700 |
||||
|
||||
- file: |
||||
src: /opt/MegaRAID/MegaCli/MegaCli64 |
||||
dest: /usr/sbin/megacli |
||||
state: link |
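Review bot: The two RPMs are staged under the world-writable, predictable paths `/tmp/Lib_Utils-1.00-09.noarch.rpm` and `/tmp/MegaCli-8.04.07-1.noarch.rpm` and then installed as root from there, so between the copy and the yum step the files are exposed to tampering by any local account. Stage them in a root-owned location instead (e.g. `dest: /root/pkgs/<name>.rpm` with `owner: root` and `mode: 0600`, or a `tempfile` result) and, since the files are shipped from the repository, add `checksum:` on the copy tasks so a corrupted or altered file is rejected. Installing a local file through `yum` is also subject to GPG checking; if these vendor RPMs are unsigned the task will need `disable_gpg_check: yes`, which is better stated in a comment than discovered at run time.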
@ -0,0 +1,42 @@
@@ -0,0 +1,42 @@
|
||||
|
||||
- file: path=/nagios state=directory |
||||
|
||||
- unarchive: |
||||
src: files/nagios.tar.gz |
||||
dest: /nagios |
||||
|
||||
- cron: |
||||
name: "check disk full" |
||||
minute: "00,10,20,30,40,50" |
||||
hour: "*" |
||||
job: "/nagios/cron/check_disk" |
||||
|
||||
- cron: |
||||
name: "check disk ok" |
||||
minute: "00,10,20,30,40,50" |
||||
hour: "*" |
||||
job: "/nagios/cron/check_disks" |
||||
|
||||
- cron: |
||||
name: "check firewall" |
||||
minute: "00,10,20,30,40,50" |
||||
hour: "*" |
||||
job: "/nagios/cron/check_iptables" |
||||
|
||||
- replace: |
||||
path: /nagios/cron/check_iptables |
||||
regexp: 'HOSTNAME="cms-fa11.service.rug.nl"' |
||||
replace: 'HOSTNAME="{{ ansible_hostname }}.service.rug.nl"' |
||||
backup: yes |
||||
|
||||
- replace: |
||||
path: /nagios/cron/check_disk |
||||
regexp: 'HOSTNAME="cms-fa11.service.rug.nl"' |
||||
replace: 'HOSTNAME="{{ ansible_hostname }}.service.rug.nl"' |
||||
backup: yes |
||||
|
||||
- replace: |
||||
path: /nagios/cron/check_disks |
||||
regexp: 'HOSTNAME="cms-fa11.service.rug.nl"' |
||||
replace: 'HOSTNAME="{{ ansible_hostname }}.service.rug.nl"' |
||||
backup: yes |
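Review bot: `unarchive` extracts files/nagios.tar.gz into /nagios with whatever ownership and permission bits the tarball carries, and the three cron entries then run `/nagios/cron/check_*` as root every ten minutes; if any of those paths is group- or world-writable in the archive, a non-root account can edit what root executes. Pin the ownership explicitly — `owner: root`, `group: root`, `mode: 0750` on the `file` task at the top and the same `owner`/`group`/`mode` options on `unarchive` — or verify the archive's permissions in the repository. The three `replace` tasks also key on the literal `cms-fa11.service.rug.nl`, which only works while the shipped scripts still contain that exact string; `regexp: 'HOSTNAME=".*"'` survives someone regenerating the tarball from another host.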
@ -0,0 +1,3 @@
@@ -0,0 +1,3 @@
|
||||
- group: |
||||
name: rugcms |
||||
state: present |
@ -0,0 +1,7 @@
@@ -0,0 +1,7 @@
|
||||
- authorized_key: |
||||
user: rugcms |
||||
key: '{{ item }}' |
||||
state: present |
||||
with_items: |
||||
- 'ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAz/4D/jhUycyYS8gOrQDs+BqK+MLzfB9kb60W9zGTs9KigKGUOtvZ78mb1F2+ouy/uQUbOO4MoUu+fOzSlSE56GdyTSc/RsLaoHde2aRalXnRf55tuIVgv6MNG7siZt1i4iDhm/uql8nzc7m0Ompr9XXLXOQ0ZGFPViLLYyRcLOc= r.m.uittenbroek@rug.nl' |
||||
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoRM/8ItzD87bvO6WVwDS83mkLUv0fo1dUxBzGB0w9j+a4vtUbcGm13TXp6zIS6zZqj09QD8jznO1OE92tC1axjuwENbAi7WiqaFMJdqB6MLN4Fxo4xa5LaadDTFbd4yLI1lzheowfPvFypUW90L4ToEkKkvgp+r+4C7BrLLUTzksS3PzBB2jp25XimdbxQvbZS74RdEa4O1Xqz0A4+FbM9r90OIJGrexVTKb2jpQk3bhTIpCXDkRldA1PLYSPoUAmCViGPoHCoyNbtZj8MWDjOKH/Ut/WXg5z60JfFqHazkHsQiJ9YkgUk2zy/7cjl5Pl8DVkPp79c/F5YFw492XN rugcms@charanga' |
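Review bot: The first key in `with_items` appears to be a 1024-bit RSA key (its blob encodes a 129-byte modulus with exponent 37, the form older PuTTY generated); 1024-bit RSA has been considered too weak for years, so that key should be rotated to an ed25519 or ≥2048-bit RSA key before being pushed to every host. Without `exclusive: yes` the task only ever adds keys, so a key removed from this list later stays in the user's authorized_keys on every host; set `exclusive: yes` (with the full list in one task, as here) or document the removal procedure. Loading the key material via `lookup('file', …)` from a keys directory would also make it easier to review which identities are granted access.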
@ -0,0 +1,6 @@
@@ -0,0 +1,6 @@
|
||||
- copy: |
||||
src: files/profile_rugcms |
||||
dest: /local_disk/.profile |
||||
owner: rugcms |
||||
group: rugcms |
||||
mode: 0700 |
@ -0,0 +1,6 @@
@@ -0,0 +1,6 @@
|
||||
- user: |
||||
name: rugcms |
||||
comment: "rugcms user" |
||||
state: present |
||||
group: rugcms |
||||
home: /local_disk |
@ -0,0 +1 @@
@@ -0,0 +1 @@
|
||||
- script: chdir=/root/firewall firewall.sh |
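Review bot: The rules firewall.sh loads exist only in the running kernel: nothing saves them (e.g. `iptables-save > /etc/sysconfig/iptables` with the iptables-services unit enabled) or installs the script as a boot-time unit, and firewalld is disabled elsewhere in this change, so after a reboot the host comes up with empty tables and ACCEPT policies until the playbook runs again. Note also that the `script` module ships and executes the controller-side `firewall.sh`, not the copy placed in /root/firewall by copy-firewall.yml, so that copy only serves manual reruns; a comment stating that would stop someone editing the remote file and expecting it to take effect. Because the task runs unconditionally, every play also flushes and rebuilds the filter mid-run and always reports changed.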
@ -0,0 +1,4 @@
@@ -0,0 +1,4 @@
|
||||
- systemd: |
||||
name: ntpd.service |
||||
state: started |
||||
enabled: yes |
@ -0,0 +1,14 @@
@@ -0,0 +1,14 @@
|
||||
- systemd: |
||||
name: sshd.service |
||||
state: started |
||||
enabled: yes |
||||
|
||||
- systemd: |
||||
name: postfix.service |
||||
state: started |
||||
enabled: yes |
||||
|
||||
- systemd: |
||||
name: docker.service |
||||
state: started |
||||
enabled: yes |
@ -0,0 +1,15 @@
@@ -0,0 +1,15 @@
|
||||
- group: |
||||
name: kees |
||||
state: present |
||||
|
||||
- user: |
||||
name: kees |
||||
comment: "stealth user" |
||||
state: present |
||||
group: kees |
||||
home: /home/kees |
||||
|
||||
- authorized_key: |
||||
user: kees |
||||
key: 'ssh-dss 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 stealth@operator' |
||||
state: present |
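Review bot: The key granted to `kees` is `ssh-dss`; DSA user keys are fixed at 1024 bits and OpenSSH has refused them by default since 7.0, so on a stock sshd this login will fail, and re-enabling `ssh-dss` through `PubkeyAcceptedKeyTypes` would weaken every other login on the host. Replace it with an ed25519 or RSA key for the stealth operator before rollout. The `comment: "stealth user"` plus the `kees` name suggests a shared monitoring account; a comment naming which system connects as it and from which address would let the firewall rules be checked against it.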
@ -0,0 +1,3 @@
@@ -0,0 +1,3 @@
|
||||
- systemd: |
||||
name: firewalld.service |
||||
enabled: no |
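Review bot: The task only sets `enabled: no`, so a running firewalld keeps its process and its rules until the next reboot, and run-firewall.yml then runs `iptables -F` underneath it; the file name says stop, so add `state: stopped` (and `masked: yes` if nothing should be able to start it again). After that reboot firewalld is gone and, because the replacement rules are not saved anywhere, the host boots without a packet filter until the playbook runs again, so whatever replaces firewalld needs to be boot-persistent.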
@ -0,0 +1 @@
@@ -0,0 +1 @@
|
||||
- yum: name=* state=latest |
@ -0,0 +1,227 @@
@@ -0,0 +1,227 @@
|
||||
#!/bin/bash |
||||
|
||||
# prevent SYNC-floods: |
||||
echo 1 > /proc/sys/net/ipv4/tcp_syncookies |
||||
|
||||
# initialize: |
||||
iptables -F |
||||
iptables -X |
||||
iptables -Z |
||||
|
||||
# config default policy's: |
||||
iptables -P INPUT DROP |
||||
iptables -P OUTPUT DROP |
||||
iptables -P FORWARD DROP |
||||
|
||||
iptables -N LOGDROP |
||||
iptables -A LOGDROP -j LOG |
||||
iptables -A LOGDROP -j DROP |
||||
|
||||
# kernel tweaks: |
||||
/bin/echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts |
||||
/bin/echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route |
||||
/bin/echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses |
||||
/bin/echo 1 > /proc/sys/net/ipv4/conf/all/log_martians |
||||
/bin/echo 0 > /proc/sys/net/ipv4/ip_forward |
||||
|
||||
# allow loopback: |
||||
iptables -A INPUT -i lo -j ACCEPT |
||||
iptables -A OUTPUT -o lo -j ACCEPT |
||||
|
||||
# allow asds.id.rug.nl |
||||
iptables -A INPUT -i eth0 -s 129.125.2.50 -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -d 129.125.2.50 -j ACCEPT |
||||
|
||||
# allow vlan933: |
||||
iptables -A INPUT -i bond0.933 -j ACCEPT |
||||
iptables -A OUTPUT -o bond0.933 -j ACCEPT |
||||
|
||||
# allow vlan934: |
||||
iptables -A INPUT -i bond0.934 -j ACCEPT |
||||
iptables -A OUTPUT -o bond0.934 -j ACCEPT |
||||
#allow outbound to databases: |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.182 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.182 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.183 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.183 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.184 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.184 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.185 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.185 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.186 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.186 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.187 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.187 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.188 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.188 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.141 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.141 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.142 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.142 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.143 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.143 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.144 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.144 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.148 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.148 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.149 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.149 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.150 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.150 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.50.147 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.50.147 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.71 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.71 -j ACCEPT |
||||
|
||||
# allow munin-statieken-server: |
||||
iptables -A INPUT -p tcp -s 129.125.50.91 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.50.91 -j ACCEPT |
||||
|
||||
# allow agenda: |
||||
iptables -A INPUT -p tcp -s 129.125.2.116 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.2.116 -j ACCEPT |
||||
|
||||
# allow imap.google.com: |
||||
iptables -A INPUT -p tcp -s 74.125.136/24 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 74.125.136/24 -j ACCEPT |
||||
|
||||
# allow imap.rug.nl: |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.2.81/32 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.2.81/32 -j ACCEPT |
||||
|
||||
# allow more google: |
||||
iptables -A INPUT -p tcp -s 173.194.65.0/24 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 173.194.65.0/24 -j ACCEPT |
||||
|
||||
# new tcp packets sync packets: |
||||
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP |
||||
|
||||
# refuse loopback pacts incoming eth0: |
||||
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP |
||||
|
||||
# allow dns outbound to/from DNS server: |
||||
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT |
||||
|
||||
# allow www outbound to 80: |
||||
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT |
||||
|
||||
# allow www outbound to 443: |
||||
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT |
||||
|
||||
# allow smtp outbound: |
||||
iptables -A INPUT -i eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT |
||||
|
||||
# allow ssh from BWP: |
||||
iptables -A INPUT -i eth0 -p tcp -s 129.125.249.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -p tcp -d 129.125.249.0/24 -m state --state ESTABLISHED -j ACCEPT |
||||
|
||||
# log/drop the rest: |
||||
iptables -A INPUT -i eth0 -s 129.125.0.0/16 -d 129.125.36.121/32 -j LOGDROP |
||||
|
||||
#zabbix monitorings |
||||
iptables -A INPUT -i eth0 -s 129.125.50.238 -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -d 129.125.50.238 -j ACCEPT |
||||
|
||||
# allow 9080 inbound: |
||||
iptables -A INPUT -i eth0 -p tcp --dport 9080 -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -p tcp --sport 9080 -j ACCEPT |
||||
|
||||
# allow 2222 inbound: |
||||
iptables -A INPUT -i eth0 -p tcp -s 129.125.249.0/24 --dport 2222 -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -p tcp -d 129.125.249.0/24 --sport 2222 -j ACCEPT |
||||
|
||||
# inbound gadgets: |
||||
iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT |
||||
|
||||
# allow from operator: |
||||
iptables -A INPUT -i eth0 -s 129.125.50.41/32 -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -d 129.125.50.41/32 -j ACCEPT |
||||
|
||||
# allow from/to ldap: |
||||
iptables -A INPUT -i eth0 -s 129.125.68.50/32 -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -d 129.125.68.50/32 -j ACCEPT |
||||
|
||||
# ldaps outbound: |
||||
iptables -A INPUT -i eth0 -p tcp --sport 636 -m state --state ESTABLISHED -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -p tcp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT |
||||
|
||||
# allow nfs: |
||||
iptables -A INPUT -i eth0 -s 129.125.50.171/32 -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -d 129.125.50.171/32 -j ACCEPT |
||||
|
||||
|
||||
# allow ntp |
||||
iptables -A INPUT -i eth0 -p tcp --sport 123 -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -p tcp --dport 123 -j ACCEPT |
||||
iptables -A INPUT -i eth0 -p udp --sport 123 -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -p udp --dport 123 -j ACCEPT |
||||
|
||||
# allow charanga: |
||||
iptables -A INPUT -i eth0 -p tcp -s 129.125.60.94/32 --dport 22 -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -p tcp -d 129.125.60.94/32 --sport 22 -j ACCEPT |
||||
|
||||
# charanga 129.125.60.94 port 2222: |
||||
iptables -A INPUT -i eth0 -p tcp -s 129.125.60.94/32 --dport 2222 -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -p tcp -d 129.125.60.94/32 --sport 2222 -j ACCEPT |
||||
|
||||
|
||||
# allow imaps: |
||||
iptables -A INPUT -p tcp --sport 993 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp --dport 993 -j ACCEPT |
||||
|
||||
# Flush & default |
||||
ip6tables -F INPUT |
||||
ip6tables -F OUTPUT |
||||
ip6tables -F FORWARD |
||||
|
||||
# setup log-chain: |
||||
ip6tables -N LOGREJECT |
||||
ip6tables -A LOGREJECT -j LOG |
||||
ip6tables -A LOGREJECT -j REJECT |
||||
|
||||
# Set the default policy to drop |
||||
ip6tables -P INPUT DROP |
||||
ip6tables -P OUTPUT DROP |
||||
ip6tables -P FORWARD DROP |
||||
|
||||
# rules: |
||||
ip6tables -A INPUT -i lo -j ACCEPT |
||||
ip6tables -A INPUT -j REJECT |
||||
ip6tables -A OUTPUT -j REJECT |
||||
|
||||
# allow ganglia-statieken-server: |
||||
iptables -A INPUT -p tcp -s 129.125.60.89 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.60.89 -j ACCEPT |
||||
|
||||
iptables -A INPUT -p tcp -s 129.125.36.191 -j ACCEPT |
||||
iptables -A OUTPUT -p tcp -d 129.125.36.191 -j ACCEPT |
||||
|
||||
# open up port 9100 prometues: |
||||
iptables -A INPUT -i eth0 -p tcp -s 129.125.2.233/32 --dport 9100 -j ACCEPT |
||||
iptables -A OUTPUT -o eth0 -p tcp -d 129.125.2.233/32 --sport 9100 -j ACCEPT |
||||
|
||||
# allow icmp: |
||||
iptables -A INPUT -p icmp -j ACCEPT |
||||
iptables -A OUTPUT -p icmp -j ACCEPT |
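Review bot: The ACCEPT rules keyed only on a source port (udp `--sport 53`, tcp and udp `--sport 123`, tcp `--sport 993`) carry no connection-state match, so any unsolicited packet that happens to use that source port is accepted on every local port; tying them to `-m state --state ESTABLISHED`, as the 80/443/25/636 rules already do, closes that. The IPv6 block flushes only the three built-in chains, so on the second run (run-firewall.yml executes this script on every play) `ip6tables -N LOGREJECT` fails and the two `-A LOGREJECT` lines append duplicate LOG/REJECT entries each time; flushing and deleting all chains as the IPv4 side does avoids that. `74.125.136/24` is not a full dotted quad and is either rejected or, if the resolver fallback parses it as 74.125.0.136, silently masks to a different /24 than intended — write `74.125.136.0/24`. The unlimited `-j LOG` targets in LOGDROP and LOGREJECT would also benefit from an `-m limit` match so a flood cannot fill the log.
```shell
# … unchanged: IPv4 initialisation and per-host allow rules …
# reply-only traffic: tie source-port matches to connection state so that
# an unsolicited packet with a chosen source port is not accepted
iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 123 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
# … unchanged: remaining IPv4 rules …
# Flush & default: reset IPv6 completely so a re-run does not duplicate LOGREJECT entries
ip6tables -F
ip6tables -X
ip6tables -Z
ip6tables -N LOGREJECT
# … unchanged: LOGREJECT contents, IPv6 default policies and rules …
```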
@ -0,0 +1,209 @@
@@ -0,0 +1,209 @@
|
||||
#!/usr/bin/python |
||||
|
||||
import os |
||||
import re |
||||
import sys |
||||
|
||||
binarypath = "/usr/sbin/megacli" |
||||
|
||||
if len(sys.argv) > 2: |
||||
print 'Usage: megaclisas-status [--nagios]' |
||||
sys.exit(1) |
||||
|
||||
nagiosmode=False |
||||
nagiosoutput='' |
||||
nagiosgoodarray=0 |
||||
nagiosbadarray=0 |
||||
nagiosgooddisk=0 |
||||
nagiosbaddisk=0 |
||||
|
||||
# Check command line arguments to enable nagios or not |
||||
if len(sys.argv) > 1: |
||||
if sys.argv[1] == '--nagios': |
||||
nagiosmode=True |
||||
else: |
||||
print 'Usage: megaclisas-status [-nagios]' |
||||
sys.exit(1) |
||||
|
||||
# Check binary exists (and +x), if not print an error message |
||||
# or return UNKNOWN nagios error code |
||||
if os.path.exists(binarypath) and os.access(binarypath, os.X_OK): |
||||
pass |
||||
else: |
||||
if nagiosmode: |
||||
print 'UNKNOWN - Cannot find '+binarypath |
||||
else: |
||||
print 'Cannot find '+binarypath+'. Please install it.' |
||||
sys.exit(3) |
||||
|
||||
# Get command output |
||||
def getOutput(cmd): |
||||
output = os.popen(cmd) |
||||
lines = [] |
||||
for line in output: |
||||
if not re.match(r'^$',line.strip()): |
||||
lines.append(line.strip()) |
||||
return lines |
||||
|
||||
def returnControllerNumber(output): |
||||
for line in output: |
||||
if re.match(r'^Controller Count.*$',line.strip()): |
||||
return int(line.split(':')[1].strip().strip('.')) |
||||
|
||||
def returnControllerModel(output): |
||||
for line in output: |
||||
if re.match(r'^Product Name.*$',line.strip()): |
||||
return line.split(':')[1].strip() |
||||
|
||||
def returnArrayNumber(output): |
||||
i = 0 |
||||
for line in output: |
||||
if re.match(r'^Number of Virtual (Disk|Drive).*$',line.strip()): |
||||
i = line.strip().split(':')[1].strip() |
||||
return i |
||||
|
||||
def returnArrayInfo(output,controllerid,arrayid): |
||||
id = 'c'+str(controllerid)+'u'+str(arrayid) |
||||
operationlinennumber = False |
||||
linenumber = 0 |
||||
|
||||
for line in output: |
||||
if re.match(r'Number Of Drives\s*((per span))?:.*[0-9]+$',line.strip()): |
||||
ldpdcount = line.split(':')[1].strip() |
||||
if re.match(r'Span Depth *:.*[0-9]+$',line.strip()): |
||||
spandepth = line.split(':')[1].strip() |
||||
if re.match(r'^RAID Level\s*:.*$',line.strip()): |
||||
raidlevel = line.strip().split(':')[1].split(',')[0].split('-')[1].strip() |
||||
type = 'RAID' + raidlevel |
||||
if re.match(r'^Size\s*:.*$',line.strip()): |
||||
# Size reported in MB |
||||
if re.match(r'^.*MB$',line.strip().split(':')[1]): |
||||
size = line.strip().split(':')[1].strip('MB').strip() |
||||
size = str(int(round((float(size) / 1000))))+'G' |
||||
# Size reported in TB |
||||
elif re.match(r'^.*TB$',line.strip().split(':')[1]): |
||||
size = line.strip().split(':')[1].strip('TB').strip() |
||||
size = str(int(round((float(size) * 1000))))+'G' |
||||
# Size reported in GB (default) |
||||
else: |
||||
size = line.strip().split(':')[1].strip('GB').strip() |
||||
size = str(int(round((float(size)))))+'G' |
||||
if re.match(r'^State\s*:.*$',line.strip()): |
||||
state = line.strip().split(':')[1].strip() |
||||
if re.match(r'^Ongoing Progresses\s*:.*$',line.strip()): |
||||
operationlinennumber = linenumber |
||||
linenumber += 1 |
||||
if operationlinennumber: |
||||
inprogress = output[operationlinennumber+1] |
||||
else: |
||||
inprogress = 'None' |
||||
|
||||
if ldpdcount and (int(spandepth) > 1): |
||||
ldpdcount = int(ldpdcount) * int(spandepth) |
||||
if int(raidlevel) < 10: |
||||
type = type + "0" |
||||
|
||||
return [id,type,size,state,inprogress] |
||||
|
||||
def returnDiskInfo(output,controllerid): |
||||
arrayid = False |
||||
diskid = False |
||||
table = [] |
||||
state = 'undef' |
||||
model = 'undef' |
||||
for line in output: |
||||
if re.match(r'^Virtual (Disk|Drive): [0-9]+.*$',line.strip()): |
||||
arrayid = line.split('(')[0].split(':')[1].strip() |
||||
if re.match(r'Firmware state: .*$',line.strip()): |
||||
state = line.split(':')[1].strip() |
||||
if re.match(r'Inquiry Data: .*$',line.strip()): |
||||
model = line.split(':')[1].strip() |
||||
model = re.sub(' +', ' ', model) |
||||
if re.match(r'PD: [0-9]+ Information.*$',line.strip()): |
||||
diskid = line.split()[1].strip() |
||||
|
||||
if arrayid != False and state != 'undef' and model != 'undef' and diskid != False: |
||||
table.append([str(arrayid), str(diskid), state, model]) |
||||
state = 'undef' |
||||
model = 'undef' |
||||
|
||||
return table |
||||
|
||||
cmd = binarypath+' -adpCount -NoLog' |
||||
output = getOutput(cmd) |
||||
controllernumber = returnControllerNumber(output) |
||||
|
||||
bad = False |
||||
|
||||
# List available controller |
||||
if not nagiosmode: |
||||
print '-- Controller informations --' |
||||
print '-- ID | Model' |
||||
controllerid = 0 |
||||
while controllerid < controllernumber: |
||||
cmd = binarypath+' -AdpAllInfo -a'+str(controllerid)+' -NoLog' |
||||
output = getOutput(cmd) |
||||
controllermodel = returnControllerModel(output) |
||||
print 'c'+str(controllerid)+' | '+controllermodel |
||||
controllerid += 1 |
||||
print '' |
||||
|
||||
controllerid = 0 |
||||
if not nagiosmode: |
||||
print '-- Arrays informations --' |
||||
print '-- ID | Type | Size | Status | InProgress' |
||||
|
||||
while controllerid < controllernumber: |
||||
arrayid = 0 |
||||
cmd = binarypath+' -LdGetNum -a'+str(controllerid)+' -NoLog' |
||||
output = getOutput(cmd) |
||||
arraynumber = returnArrayNumber(output) |
||||
while arrayid < int(arraynumber): |
||||
cmd = binarypath+' -LDInfo -l'+str(arrayid)+' -a'+str(controllerid)+' -NoLog' |
||||
output = getOutput(cmd) |
||||
arrayinfo = returnArrayInfo(output,controllerid,arrayid) |
||||
if not nagiosmode: |
||||
print arrayinfo[0]+' | '+arrayinfo[1]+' | '+arrayinfo[2]+' | '+arrayinfo[3]+' | '+arrayinfo[4] |
||||