p216149
/
docs
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

playbooks voor tivoli client en rugcms uitrol toegevoegd

Browse Source
master
G.J.C. Strikwerda 5 years ago
parent 2191d58669
commit e2f5caa305
122 changed files with 2720 additions and 123 deletions
Show Stats Download Patch File Download Diff File

5
playbooks/rugcms-frontend-uitrol/ansible.cfg
Unescape Escape View File

@ -0,0 +1,5 @@
[defaults]
hostfile = hosts
remote_user = root
private_key_file = /home/ger/.ssh/id_dsa
host_key_checking = false

55
playbooks/rugcms-frontend-uitrol/hosts
Unescape Escape View File

@ -0,0 +1,55 @@
[rugcms]
cms-ft11 ansible_host=cms-ft11.service.rug.nl ansible_port=22
cms-ft12 ansible_host=cms-ft12.service.rug.nl ansible_port=22
cms-ft21 ansible_host=cms-ft21.service.rug.nl ansible_port=22
cms-ft22 ansible_host=cms-ft22.service.rug.nl ansible_port=22
cms-fa11 ansible_host=cms-fa11.service.rug.nl ansible_port=22
cms-fa12 ansible_host=cms-fa12.service.rug.nl ansible_port=22
cms-fa13 ansible_host=cms-fa13.service.rug.nl ansible_port=22
cms-fa14 ansible_host=cms-fa14.service.rug.nl ansible_port=22
cms-fp11 ansible_host=cms-fp11.service.rug.nl ansible_port=22
cms-fp12 ansible_host=cms-fp12.service.rug.nl ansible_port=22
cms-fp13 ansible_host=cms-fp13.service.rug.nl ansible_port=22
cms-fp14 ansible_host=cms-fp14.service.rug.nl ansible_port=22
cms-fp15 ansible_host=cms-fp15.service.rug.nl ansible_port=22
cms-fp16 ansible_host=cms-fp16.service.rug.nl ansible_port=22
cms-fa21 ansible_host=cms-fa21.service.rug.nl ansible_port=22
cms-fa22 ansible_host=cms-fa22.service.rug.nl ansible_port=22
cms-fa23 ansible_host=cms-fa23.service.rug.nl ansible_port=22
cms-fa24 ansible_host=cms-fa24.service.rug.nl ansible_port=22
cms-fp21 ansible_host=cms-fp21.service.rug.nl ansible_port=22
cms-fp22 ansible_host=cms-fp22.service.rug.nl ansible_port=22
cms-fp23 ansible_host=cms-fp23.service.rug.nl ansible_port=22
cms-fp24 ansible_host=cms-fp24.service.rug.nl ansible_port=22
cms-fp25 ansible_host=cms-fp25.service.rug.nl ansible_port=22
cms-fp26 ansible_host=cms-fp26.service.rug.nl ansible_port=22
[acc-new]
cms-fa[21:24]
[prod]
cms-fp[21:26]
[test]
cms-ft[21:22]
[old-test]
cms-ft[11:12]
[old-acc]
cms-fa[11:14]
[old-prod]
cms-fp[11:16]
[new]
cms-fa[21:24]
cms-fp[21:26]

BIN
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/Lib_Utils-1.00-09.noarch.rpm
View File

Binary file not shown.

BIN
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/MegaCli-8.04.07-1.noarch.rpm
View File

Binary file not shown.

227
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/firewall.sh
Unescape Escape View File

@ -0,0 +1,227 @@
#!/bin/bash
# prevent SYNC-floods:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# initialize:
iptables -F
iptables -X
iptables -Z
# config default policy's:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -N LOGDROP
iptables -A LOGDROP -j LOG
iptables -A LOGDROP -j DROP
# kernel tweaks:
/bin/echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/bin/echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
/bin/echo 0 > /proc/sys/net/ipv4/ip_forward
# allow loopback:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# allow asds.id.rug.nl
iptables -A INPUT -i br0 -s 129.125.2.50 -j ACCEPT
iptables -A OUTPUT -o br0 -d 129.125.2.50 -j ACCEPT
# allow vlan933:
iptables -A INPUT -i bond0.933 -j ACCEPT
iptables -A OUTPUT -o bond0.933 -j ACCEPT
# allow vlan934:
iptables -A INPUT -i bond0.934 -j ACCEPT
iptables -A OUTPUT -o bond0.934 -j ACCEPT
#allow outbound to databases:
iptables -A INPUT -p tcp -s 129.125.36.182 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.182 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.183 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.183 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.184 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.184 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.185 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.185 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.186 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.186 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.187 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.187 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.188 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.188 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.141 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.141 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.142 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.142 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.143 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.143 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.144 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.144 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.148 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.148 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.149 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.149 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.150 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.150 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.50.147 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.50.147 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.71 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.71 -j ACCEPT
# allow munin-statieken-server:
iptables -A INPUT -p tcp -s 129.125.50.91 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.50.91 -j ACCEPT
# allow agenda:
iptables -A INPUT -p tcp -s 129.125.2.116 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.2.116 -j ACCEPT
# allow imap.google.com:
iptables -A INPUT -p tcp -s 74.125.136/24 -j ACCEPT
iptables -A OUTPUT -p tcp -d 74.125.136/24 -j ACCEPT
# allow imap.rug.nl:
iptables -A INPUT -p tcp -s 129.125.2.81/32 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.2.81/32 -j ACCEPT
# allow more google:
iptables -A INPUT -p tcp -s 173.194.65.0/24 -j ACCEPT
iptables -A OUTPUT -p tcp -d 173.194.65.0/24 -j ACCEPT
# new tcp packets sync packets:
iptables -A INPUT -i br0 -p tcp ! --syn -m state --state NEW -j DROP
# refuse loopback pacts incoming eth0:
iptables -A INPUT -i br0 -d 127.0.0.0/8 -j DROP
# allow dns outbound to/from DNS server:
iptables -A INPUT -i br0 -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o br0 -p udp --dport 53 -j ACCEPT
# allow www outbound to 80:
iptables -A INPUT -i br0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# allow www outbound to 443:
iptables -A INPUT -i br0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# allow smtp outbound:
iptables -A INPUT -i br0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
# allow ssh from BWP:
iptables -A INPUT -i br0 -p tcp -s 129.125.249.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp -d 129.125.249.0/24 -m state --state ESTABLISHED -j ACCEPT
# log/drop the rest:
iptables -A INPUT -i br0 -s 129.125.0.0/16 -d 129.125.36.121/32 -j LOGDROP
#zabbix monitorings
iptables -A INPUT -i br0 -s 129.125.50.238 -j ACCEPT
iptables -A OUTPUT -o br0 -d 129.125.50.238 -j ACCEPT
# allow 9080 inbound:
iptables -A INPUT -i br0 -p tcp --dport 9080 -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp --sport 9080 -j ACCEPT
# allow 2222 inbound:
iptables -A INPUT -i br0 -p tcp -s 129.125.249.0/24 --dport 2222 -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp -d 129.125.249.0/24 --sport 2222 -j ACCEPT
# inbound gadgets:
iptables -A INPUT -i br0 -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
# allow from operator:
iptables -A INPUT -i br0 -s 129.125.50.41/32 -j ACCEPT
iptables -A OUTPUT -o br0 -d 129.125.50.41/32 -j ACCEPT
# allow from/to ldap:
iptables -A INPUT -i br0 -s 129.125.68.50/32 -j ACCEPT
iptables -A OUTPUT -o br0 -d 129.125.68.50/32 -j ACCEPT
# ldaps outbound:
iptables -A INPUT -i br0 -p tcp --sport 636 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
# allow nfs:
iptables -A INPUT -i br0 -s 129.125.50.171/32 -j ACCEPT
iptables -A OUTPUT -o br0 -d 129.125.50.171/32 -j ACCEPT
# allow ntp
iptables -A INPUT -i br0 -p tcp --sport 123 -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp --dport 123 -j ACCEPT
iptables -A INPUT -i br0 -p udp --sport 123 -j ACCEPT
iptables -A OUTPUT -o br0 -p udp --dport 123 -j ACCEPT
# allow charanga:
iptables -A INPUT -i br0 -p tcp -s 129.125.60.94/32 --dport 22 -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp -d 129.125.60.94/32 --sport 22 -j ACCEPT
# charanga 129.125.60.94 port 2222:
iptables -A INPUT -i br0 -p tcp -s 129.125.60.94/32 --dport 2222 -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp -d 129.125.60.94/32 --sport 2222 -j ACCEPT
# allow imaps:
iptables -A INPUT -p tcp --sport 993 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 993 -j ACCEPT
# Flush & default
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
# setup log-chain:
ip6tables -N LOGREJECT
ip6tables -A LOGREJECT -j LOG
ip6tables -A LOGREJECT -j REJECT
# Set the default policy to drop
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# rules:
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -j REJECT
ip6tables -A OUTPUT -j REJECT
# allow ganglia-statieken-server:
iptables -A INPUT -p tcp -s 129.125.60.89 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.60.89 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.191 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.191 -j ACCEPT
# open up port 9100 prometues:
iptables -A INPUT -i br0 -p tcp -s 129.125.2.233/32 --dport 9100 -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp -d 129.125.2.233/32 --sport 9100 -j ACCEPT
# allow icmp:
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

209
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/megaclisas-status
Unescape Escape View File

@ -0,0 +1,209 @@
#!/usr/bin/python
import os
import re
import sys
binarypath = "/usr/sbin/megacli"
if len(sys.argv) > 2:
print 'Usage: megaclisas-status [--nagios]'
sys.exit(1)
nagiosmode=False
nagiosoutput=''
nagiosgoodarray=0
nagiosbadarray=0
nagiosgooddisk=0
nagiosbaddisk=0
# Check command line arguments to enable nagios or not
if len(sys.argv) > 1:
if sys.argv[1] == '--nagios':
nagiosmode=True
else:
print 'Usage: megaclisas-status [-nagios]'
sys.exit(1)
# Check binary exists (and +x), if not print an error message
# or return UNKNOWN nagios error code
if os.path.exists(binarypath) and os.access(binarypath, os.X_OK):
pass
else:
if nagiosmode:
print 'UNKNOWN - Cannot find '+binarypath
else:
print 'Cannot find '+binarypath+'. Please install it.'
sys.exit(3)
# Get command output
def getOutput(cmd):
output = os.popen(cmd)
lines = []
for line in output:
if not re.match(r'^$',line.strip()):
lines.append(line.strip())
return lines
def returnControllerNumber(output):
for line in output:
if re.match(r'^Controller Count.*$',line.strip()):
return int(line.split(':')[1].strip().strip('.'))
def returnControllerModel(output):
for line in output:
if re.match(r'^Product Name.*$',line.strip()):
return line.split(':')[1].strip()
def returnArrayNumber(output):
i = 0
for line in output:
if re.match(r'^Number of Virtual (Disk|Drive).*$',line.strip()):
i = line.strip().split(':')[1].strip()
return i
def returnArrayInfo(output,controllerid,arrayid):
id = 'c'+str(controllerid)+'u'+str(arrayid)
operationlinennumber = False
linenumber = 0
for line in output:
if re.match(r'Number Of Drives\s*((per span))?:.*[0-9]+$',line.strip()):
ldpdcount = line.split(':')[1].strip()
if re.match(r'Span Depth *:.*[0-9]+$',line.strip()):
spandepth = line.split(':')[1].strip()
if re.match(r'^RAID Level\s*:.*$',line.strip()):
raidlevel = line.strip().split(':')[1].split(',')[0].split('-')[1].strip()
type = 'RAID' + raidlevel
if re.match(r'^Size\s*:.*$',line.strip()):
# Size reported in MB
if re.match(r'^.*MB$',line.strip().split(':')[1]):
size = line.strip().split(':')[1].strip('MB').strip()
size = str(int(round((float(size) / 1000))))+'G'
# Size reported in TB
elif re.match(r'^.*TB$',line.strip().split(':')[1]):
size = line.strip().split(':')[1].strip('TB').strip()
size = str(int(round((float(size) * 1000))))+'G'
# Size reported in GB (default)
else:
size = line.strip().split(':')[1].strip('GB').strip()
size = str(int(round((float(size)))))+'G'
if re.match(r'^State\s*:.*$',line.strip()):
state = line.strip().split(':')[1].strip()
if re.match(r'^Ongoing Progresses\s*:.*$',line.strip()):
operationlinennumber = linenumber
linenumber += 1
if operationlinennumber:
inprogress = output[operationlinennumber+1]
else:
inprogress = 'None'
if ldpdcount and (int(spandepth) > 1):
ldpdcount = int(ldpdcount) * int(spandepth)
if int(raidlevel) < 10:
type = type + "0"
return [id,type,size,state,inprogress]
def returnDiskInfo(output,controllerid):
arrayid = False
diskid = False
table = []
state = 'undef'
model = 'undef'
for line in output:
if re.match(r'^Virtual (Disk|Drive): [0-9]+.*$',line.strip()):
arrayid = line.split('(')[0].split(':')[1].strip()
if re.match(r'Firmware state: .*$',line.strip()):
state = line.split(':')[1].strip()
if re.match(r'Inquiry Data: .*$',line.strip()):
model = line.split(':')[1].strip()
model = re.sub(' +', ' ', model)
if re.match(r'PD: [0-9]+ Information.*$',line.strip()):
diskid = line.split()[1].strip()
if arrayid != False and state != 'undef' and model != 'undef' and diskid != False:
table.append([str(arrayid), str(diskid), state, model])
state = 'undef'
model = 'undef'
return table
cmd = binarypath+' -adpCount -NoLog'
output = getOutput(cmd)
controllernumber = returnControllerNumber(output)
bad = False
# List available controller
if not nagiosmode:
print '-- Controller informations --'
print '-- ID | Model'
controllerid = 0
while controllerid < controllernumber:
cmd = binarypath+' -AdpAllInfo -a'+str(controllerid)+' -NoLog'
output = getOutput(cmd)
controllermodel = returnControllerModel(output)
print 'c'+str(controllerid)+' | '+controllermodel
controllerid += 1
print ''
controllerid = 0
if not nagiosmode:
print '-- Arrays informations --'
print '-- ID | Type | Size | Status | InProgress'
while controllerid < controllernumber:
arrayid = 0
cmd = binarypath+' -LdGetNum -a'+str(controllerid)+' -NoLog'
output = getOutput(cmd)
arraynumber = returnArrayNumber(output)
while arrayid < int(arraynumber):
cmd = binarypath+' -LDInfo -l'+str(arrayid)+' -a'+str(controllerid)+' -NoLog'
output = getOutput(cmd)
arrayinfo = returnArrayInfo(output,controllerid,arrayid)
if not nagiosmode:
print arrayinfo[0]+' | '+arrayinfo[1]+' | '+arrayinfo[2]+' | '+arrayinfo[3]+' | '+arrayinfo[4]
if not arrayinfo[3] == 'Optimal':
bad = True
nagiosbadarray=nagiosbadarray+1
else:
nagiosgoodarray=nagiosgoodarray+1
arrayid += 1
controllerid += 1
if not nagiosmode:
print ''
if not nagiosmode:
print '-- Disks informations'
print '-- ID | Model | Status'
controllerid = 0
while controllerid < controllernumber:
arrayid = 0
cmd = binarypath+' -LDInfo -lall -a'+str(controllerid)+' -NoLog'
output = getOutput(cmd)
cmd = binarypath+' -LdPdInfo -a'+str(controllerid)+' -NoLog'
output = getOutput(cmd)
arraydisk = returnDiskInfo(output,controllerid)
for array in arraydisk:
if not array[2] == 'Online' and not array[2] == 'Online, Spun Up':
bad=True
nagiosbaddisk=nagiosbaddisk+1
else:
nagiosgooddisk=nagiosgooddisk+1
if not nagiosmode:
print 'c'+str(controllerid)+'u'+array[0]+'p'+array[1]+' | '+array[3]+' | '+array[2]
controllerid += 1
if nagiosmode:
if bad:
print 'RAID ERROR - Arrays: OK:'+str(nagiosgoodarray)+' Bad:'+str(nagiosbadarray)+' - Disks: OK:'+str(nagiosgooddisk)+' Bad:'+str(nagiosbaddisk)
sys.exit(2)
else:
print 'RAID OK - Arrays: OK:'+str(nagiosgoodarray)+' Bad:'+str(nagiosbadarray)+' - Disks: OK:'+str(nagiosgooddisk)+' Bad:'+str(nagiosbaddisk)
else:
if bad:
print '\nThere is at least one disk/array in a NOT OPTIMAL state.'
sys.exit(1)

10
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/motd.cms-fa21
Unescape Escape View File

@ -0,0 +1,10 @@
_____ ________ ____
____ _____ ______ _/ ____\____ \_____ \/_ |
_/ ___\ / \ / ___/ ______ \ __\\__ \ / ____/ | |
\ \___| Y Y \\___ \ /_____/ | | / __ \_/ \ | |
\___ >__|_| /____ > |__| (____ /\_______ \|___|
\/ \/ \/ \/ \/

10
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/motd.cms-fa22
Unescape Escape View File

@ -0,0 +1,10 @@
_____ ________ ________
____ _____ ______ _/ ____\____ \_____ \\_____ \
_/ ___\ / \ / ___/ ______ \ __\\__ \ / ____/ / ____/
\ \___| Y Y \\___ \ /_____/ | | / __ \_/ \/ \
\___ >__|_| /____ > |__| (____ /\_______ \_______ \
\/ \/ \/ \/ \/ \/

9
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/motd.cms-fa23
Unescape Escape View File

@ -0,0 +1,9 @@
_____ ________ ________
____ _____ ______ _/ ____\____ \_____ \ \_____ \
_/ ___\ / \ / ___/ ______ \ __\\__ \ / ____/ _(__ <
\ \___| Y Y \\___ \ /_____/ | | / __ \_/ \ / \
\___ >__|_| /____ > |__| (____ /\_______ \/______ /
\/ \/ \/ \/ \/ \/

9
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/motd.cms-fa24
Unescape Escape View File

@ -0,0 +1,9 @@
_____ ________ _____
____ _____ ______ _/ ____\____ \_____ \ / | |
_/ ___\ / \ / ___/ ______ \ __\\__ \ / ____/ / | |_
\ \___| Y Y \\___ \ /_____/ | | / __ \_/ \/ ^ /
\___ >__|_| /____ > |__| (____ /\_______ \____ |
\/ \/ \/ \/ \/ |__|

10
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/motd.cms-fp21
Unescape Escape View File

@ -0,0 +1,10 @@
_____ ________ ____
____ _____ ______ _/ ____\_____ \_____ \/_ |
_/ ___\ / \ / ___/ ______ \ __\\____ \ / ____/ | |
\ \___| Y Y \\___ \ /_____/ | | | |_> > \ | |
\___ >__|_| /____ > |__| | __/\_______ \|___|
\/ \/ \/ |__| \/

10
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/motd.cms-fp22
Unescape Escape View File

@ -0,0 +1,10 @@
_____ ________ ________
____ _____ ______ _/ ____\_____ \_____ \\_____ \
_/ ___\ / \ / ___/ ______ \ __\\____ \ / ____/ / ____/
\ \___| Y Y \\___ \ /_____/ | | | |_> > \/ \
\___ >__|_| /____ > |__| | __/\_______ \_______ \
\/ \/ \/ |__| \/ \/

10
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/motd.cms-fp23
Unescape Escape View File

@ -0,0 +1,10 @@
_____ ________ ________
____ _____ ______ _/ ____\_____ \_____ \ \_____ \
_/ ___\ / \ / ___/ ______ \ __\\____ \ / ____/ _(__ <
\ \___| Y Y \\___ \ /_____/ | | | |_> > \ / \
\___ >__|_| /____ > |__| | __/\_______ \/______ /
\/ \/ \/ |__| \/ \/

11
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/motd.cms-fp24
Unescape Escape View File

@ -0,0 +1,11 @@
_____ ________ _____
____ _____ ______ _/ ____\_____ \_____ \ / | |
_/ ___\ / \ / ___/ ______ \ __\\____ \ / ____/ / | |_
\ \___| Y Y \\___ \ /_____/ | | | |_> > \/ ^ /
\___ >__|_| /____ > |__| | __/\_______ \____ |
\/ \/ \/ |__| \/ |__|

10
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/motd.cms-fp25
Unescape Escape View File

@ -0,0 +1,10 @@
_____ ________ .________
____ _____ ______ _/ ____\_____ \_____ \ | ____/
_/ ___\ / \ / ___/ ______ \ __\\____ \ / ____/ |____ \
\ \___| Y Y \\___ \ /_____/ | | | |_> > \ / \
\___ >__|_| /____ > |__| | __/\_______ \/______ /
\/ \/ \/ |__| \/ \/

10
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/motd.cms-fp26
Unescape Escape View File

@ -0,0 +1,10 @@
_____ ________ ________
____ _____ ______ _/ ____\_____ \_____ \/ _____/
_/ ___\ / \ / ___/ ______ \ __\\____ \ / ____/ __ \
\ \___| Y Y \\___ \ /_____/ | | | |_> > \ |__\ \
\___ >__|_| /____ > |__| | __/\_______ \_____ /
\/ \/ \/ |__| \/ \/

10
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/motd.cms-ft21
Unescape Escape View File

@ -0,0 +1,10 @@
_____ __ ________ ____
____ _____ ______ _/ ____\/ |_\_____ \/_ |
_/ ___\ / \ / ___/ ______ \ __\\ __\/ ____/ | |
\ \___| Y Y \\___ \ /_____/ | | | | / \ | |
\___ >__|_| /____ > |__| |__| \_______ \|___|
\/ \/ \/ \/

BIN
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/nagios.tar.gz
View File

Binary file not shown.

47
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/profile_rugcms
Unescape Escape View File

@ -0,0 +1,47 @@
umask 022
# if running bash
if [ -n "$BASH_VERSION" ]; then
# include .bashrc if it exists
if [ -f "$HOME/.bashrc" ]; then
. "$HOME/.bashrc"
fi
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH"
fi
EDITOR=nano
export EDITOR
JAVA_HOME=$HOME/software/java
export JAVA_HOME
PATH=$JAVA_HOME/bin:/usr/local/bin:/usr/bin:/usr/ccs/bin:$PATH
export PATH
RUGCMS_CLASSPATH=\
$HOME/software/tomcat/lib/*:\
$HOME/servers/tomcat-common/lib/*:\
$HOME/servers/ucms-common/lib/ucms/*:\
$HOME/servers/ucms-common/lib/xml/*:\
$HOME/servers/ucms-common/lib/jackrabbit/*:\
$HOME/servers/ucms-common/lib/apache/*:\
$HOME/servers/ucms-common/lib/google/*:\
$HOME/servers/ucms-common/lib/*
export RUGCMS_CLASSPATH
source $HOME/scripts/setClusterAndNode.sh
if [[ $CLUSTER == 'test' ]]; then
PS1=$'\\[\\e[32;1m\\]\\u@\\h (\\w) : \\[\\e[0m\\]'
elif [[ $CLUSTER == 'acceptation' ]]; then
PS1=$'\\[\\e[33;1m\\]\\u@\\h (\\w) : \\[\\e[0m\\]'
elif [[ $CLUSTER == 'production' ]]; then
PS1=$'\\[\\e[31m\\]\\u@\\h (\\w) : \\[\\e[0m\\]'
else
PS1=$'\\[\\e[35;1m\\]\\u@\\h (\\w) : \\[\\e[0m\\]'
fi
export PS1

3
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/resolv.conf
Unescape Escape View File

@ -0,0 +1,3 @@
search service.rug.nl
nameserver 129.125.4.6
nameserer 8.8.8.8

139
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/sshd_config
Unescape Escape View File

@ -0,0 +1,139 @@
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin without-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

BIN
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/files/yum_debug_dump.txt.gz
View File

Binary file not shown.

BIN
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/.main.yml.swp
View File

Binary file not shown.

34
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/copy-files.yml
Unescape Escape View File

@ -0,0 +1,34 @@
- copy:
src: files/motd.{{ ansible_hostname }}
dest: /etc/motd
owner: root
group: root
mode: 0644
- copy:
src: files/hosts
dest: /etc/hosts
owner: root
group: root
mode: 0644
- copy:
src: files/sshd_config
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: 0600
- copy:
src: files/resolv.conf
dest: /etc/resolv.conf
owner: root
group: root
mode: 0644
- copy:
src: files/yum_debug_dump.txt.gz
dest: /root/yum_debug_dump.txt.gz
owner: root
group: root
mode: 0600

6
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/copy-firewall.yml
Unescape Escape View File

@ -0,0 +1,6 @@
- copy:
src: files/firewall.sh
dest: /root/firewall/firewall.sh
owner: root
group: root
mode: 0700

1
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/disable-selinux.yml
Unescape Escape View File

@ -0,0 +1 @@
- selinux: state=disabled

9
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/docker-netdata.yml
Unescape Escape View File

@ -0,0 +1,9 @@
- docker_container:
name: netdata
image: titpetric/netdata
network_mode: host
hostname: "{{ ansible_hostname }}"
capabilities: SYS_PTRACE
state: started
volumes:
- /sys:/host/sys:ro

6
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/ger-user.yml
Unescape Escape View File

@ -0,0 +1,6 @@
- user:
name: ger
comment: "ger user"
state: present
group: rugcms
home: /home/ger

1
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/install-docker-py.yml
Unescape Escape View File

@ -0,0 +1 @@
- yum: name=python-docker-py state=latest

1
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/install-epel.yml
Unescape Escape View File

@ -0,0 +1 @@
- yum: name=epel-release state=latest

1
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/install-ntp.yml
Unescape Escape View File

@ -0,0 +1 @@
- yum: name=ntp state=latest

1
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/install-yum-utils.yml
Unescape Escape View File

@ -0,0 +1 @@
- yum: name=yum-utils state=latest

21
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/main.yml
Unescape Escape View File

@ -0,0 +1,21 @@
- include: rugcms-group.yml
- include: rugcms-user.yml
- include: rugcms-keys.yml
- include: rugcms-profile.yml
- include: rugcms-password.yml
- include: stealth-client.yml
- include: install-epel.yml
- include: install-ntp.yml
- include: install-yum-utils.yml
- include: install-docker-py.yml
- include: disable-selinux.yml
- include: start-ntp.yml
- include: stop-firewalld.yml
- include: copy-firewall.yml
- include: run-firewall.yml
- include: nagios-client.yml
- include: mega-cli.yml
- include: copy-files.yml
- include: start-services.yml
- include: docker-netdata.yml
- include: upgrade.yml

27
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/mega-cli.yml
Unescape Escape View File

@ -0,0 +1,27 @@
- copy:
src: files/Lib_Utils-1.00-09.noarch.rpm
dest: /tmp/Lib_Utils-1.00-09.noarch.rpm
- yum:
name: /tmp/Lib_Utils-1.00-09.noarch.rpm
state: present
- copy:
src: files/MegaCli-8.04.07-1.noarch.rpm
dest: /tmp/MegaCli-8.04.07-1.noarch.rpm
- yum:
name: /tmp/MegaCli-8.04.07-1.noarch.rpm
state: present
- copy:
src: files/megaclisas-status
dest: /usr/sbin/megaclisas-status
owner: root
group: root
mode: 0700
- file:
src: /opt/MegaRAID/MegaCli/MegaCli64
dest: /usr/sbin/megacli
state: link

42
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/nagios-client.yml
Unescape Escape View File

@ -0,0 +1,42 @@
- file: path=/nagios state=directory
- unarchive:
src: files/nagios.tar.gz
dest: /nagios
- cron:
name: "check disk full"
minute: "00,10,20,30,40,50"
hour: "*"
job: "/nagios/cron/check_disk"
- cron:
name: "check disk ok"
minute: "00,10,20,30,40,50"
hour: "*"
job: "/nagios/cron/check_disks"
- cron:
name: "check firewall"
minute: "00,10,20,30,40,50"
hour: "*"
job: "/nagios/cron/check_iptables"
- replace:
path: /nagios/cron/check_iptables
regexp: 'HOSTNAME="cms-fa11.service.rug.nl"'
replace: 'HOSTNAME="{{ ansible_hostname }}.service.rug.nl"'
backup: yes
- replace:
path: /nagios/cron/check_disk
regexp: 'HOSTNAME="cms-fa11.service.rug.nl"'
replace: 'HOSTNAME="{{ ansible_hostname }}.service.rug.nl"'
backup: yes
- replace:
path: /nagios/cron/check_disks
regexp: 'HOSTNAME="cms-fa11.service.rug.nl"'
replace: 'HOSTNAME="{{ ansible_hostname }}.service.rug.nl"'
backup: yes

3
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/rugcms-group.yml
Unescape Escape View File

@ -0,0 +1,3 @@
- group:
name: rugcms
state: present

7
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/rugcms-keys.yml
Unescape Escape View File

@ -0,0 +1,7 @@
- authorized_key:
user: rugcms
key: '{{ item }}'
state: present
with_items:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAz/4D/jhUycyYS8gOrQDs+BqK+MLzfB9kb60W9zGTs9KigKGUOtvZ78mb1F2+ouy/uQUbOO4MoUu+fOzSlSE56GdyTSc/RsLaoHde2aRalXnRf55tuIVgv6MNG7siZt1i4iDhm/uql8nzc7m0Ompr9XXLXOQ0ZGFPViLLYyRcLOc= r.m.uittenbroek@rug.nl'
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoRM/8ItzD87bvO6WVwDS83mkLUv0fo1dUxBzGB0w9j+a4vtUbcGm13TXp6zIS6zZqj09QD8jznO1OE92tC1axjuwENbAi7WiqaFMJdqB6MLN4Fxo4xa5LaadDTFbd4yLI1lzheowfPvFypUW90L4ToEkKkvgp+r+4C7BrLLUTzksS3PzBB2jp25XimdbxQvbZS74RdEa4O1Xqz0A4+FbM9r90OIJGrexVTKb2jpQk3bhTIpCXDkRldA1PLYSPoUAmCViGPoHCoyNbtZj8MWDjOKH/Ut/WXg5z60JfFqHazkHsQiJ9YkgUk2zy/7cjl5Pl8DVkPp79c/F5YFw492XN rugcms@charanga'

6
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/rugcms-profile.yml
Unescape Escape View File

@ -0,0 +1,6 @@
- copy:
src: files/profile_rugcms
dest: /local_disk/.profile
owner: rugcms
group: rugcms
mode: 0700

6
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/rugcms-user.yml
Unescape Escape View File

@ -0,0 +1,6 @@
- user:
name: rugcms
comment: "rugcms user"
state: present
group: rugcms
home: /local_disk

1
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/run-firewall.yml
Unescape Escape View File

@ -0,0 +1 @@
- script: chdir=/root/firewall firewall.sh

4
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/start-ntp.yml
Unescape Escape View File

@ -0,0 +1,4 @@
- systemd:
name: ntpd.service
state: started
enabled: yes

14
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/start-services.yml
Unescape Escape View File

@ -0,0 +1,14 @@
- systemd:
name: sshd.service
state: started
enabled: yes
- systemd:
name: postfix.service
state: started
enabled: yes
- systemd:
name: docker.service
state: started
enabled: yes

15
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/stealth-client.yml
Unescape Escape View File

@ -0,0 +1,15 @@
- group:
name: kees
state: present
- user:
name: kees
comment: "stealth user"
state: present
group: kees
home: /home/kees
- authorized_key:
user: kees
key: 'ssh-dss AAAAB3NzaC1kc3MAAACBALg7GbHKk2jYPNXUgW69AKKnCALjroTtwCA0bt4zde1mavYNoQK8JY/pe4BSOQtsyo3JECYzmAZwoNbq8nJCh8ORf5tKs8njEykZ0n7BVWtCT/jh9EFPTFhFK864TdFVCvwtIafAL4kEVNvJ0wrJYa1mN/ds03HWliv+3Shj6x0dAAAAFQDxlwgId3zlrXiCfk3ciAHN5b2ScwAAAIEArZ3/Hg7FECh5Fjf7lnBQZW7sjG5OLZRJIZlj2/jYnvIRUrsN2XmebwO4Q5q7g7FLWlfbg+x2Lmv1OWf/zGd3U6aAx8M+d+nTWDtWpQNvcE99HlfOs9Q4Rzxx6ZOyaZn57lCva/nCmLe0DTPVB8rvocMmqe1r3n7/KgxxKttbWRUAAACAfH2y4JPt2AcVdHnHiibpQBtxK/9m6AEjsB/g02tMXHZletMs9jF6kGynan7xJqRqvWxkGS1ClHIUdt2uK6A6pbqOf2BwcBIxAdljLRrZOyvmW9KTqduHMemYv6xQnpNGb8moWq5V5FKiATvd/LB46O1zwZejJErfj70LRE98Hv4= stealth@operator'
state: present

3
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/stop-firewalld.yml
Unescape Escape View File

@ -0,0 +1,3 @@
- systemd:
name: firewalld.service
enabled: no

1
playbooks/rugcms-frontend-uitrol/roles/frontend_acc_prod/tasks/upgrade.yml
Unescape Escape View File

@ -0,0 +1 @@
- yum: name=* state=latest

BIN
playbooks/rugcms-frontend-uitrol/roles/frontend_test/files/Lib_Utils-1.00-09.noarch.rpm
View File

Binary file not shown.

BIN
playbooks/rugcms-frontend-uitrol/roles/frontend_test/files/MegaCli-8.04.07-1.noarch.rpm
View File

Binary file not shown.

227
playbooks/rugcms-frontend-uitrol/roles/frontend_test/files/firewall.sh
Unescape Escape View File

@ -0,0 +1,227 @@
#!/bin/bash
# prevent SYNC-floods:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# initialize:
iptables -F
iptables -X
iptables -Z
# config default policy's:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -N LOGDROP
iptables -A LOGDROP -j LOG
iptables -A LOGDROP -j DROP
# kernel tweaks:
/bin/echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/bin/echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
/bin/echo 0 > /proc/sys/net/ipv4/ip_forward
# allow loopback:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# allow asds.id.rug.nl
iptables -A INPUT -i eth0 -s 129.125.2.50 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 129.125.2.50 -j ACCEPT
# allow vlan933:
iptables -A INPUT -i bond0.933 -j ACCEPT
iptables -A OUTPUT -o bond0.933 -j ACCEPT
# allow vlan934:
iptables -A INPUT -i bond0.934 -j ACCEPT
iptables -A OUTPUT -o bond0.934 -j ACCEPT
#allow outbound to databases:
iptables -A INPUT -p tcp -s 129.125.36.182 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.182 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.183 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.183 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.184 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.184 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.185 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.185 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.186 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.186 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.187 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.187 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.188 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.188 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.141 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.141 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.142 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.142 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.143 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.143 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.144 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.144 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.148 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.148 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.149 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.149 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.150 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.150 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.50.147 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.50.147 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.71 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.71 -j ACCEPT
# allow munin-statieken-server:
iptables -A INPUT -p tcp -s 129.125.50.91 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.50.91 -j ACCEPT
# allow agenda:
iptables -A INPUT -p tcp -s 129.125.2.116 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.2.116 -j ACCEPT
# allow imap.google.com:
iptables -A INPUT -p tcp -s 74.125.136/24 -j ACCEPT
iptables -A OUTPUT -p tcp -d 74.125.136/24 -j ACCEPT
# allow imap.rug.nl:
iptables -A INPUT -p tcp -s 129.125.2.81/32 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.2.81/32 -j ACCEPT
# allow more google:
iptables -A INPUT -p tcp -s 173.194.65.0/24 -j ACCEPT
iptables -A OUTPUT -p tcp -d 173.194.65.0/24 -j ACCEPT
# new tcp packets sync packets:
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
# refuse loopback pacts incoming eth0:
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
# allow dns outbound to/from DNS server:
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
# allow www outbound to 80:
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# allow www outbound to 443:
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# allow smtp outbound:
iptables -A INPUT -i eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
# allow ssh from BWP:
iptables -A INPUT -i eth0 -p tcp -s 129.125.249.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d 129.125.249.0/24 -m state --state ESTABLISHED -j ACCEPT
# log/drop the rest:
iptables -A INPUT -i eth0 -s 129.125.0.0/16 -d 129.125.36.121/32 -j LOGDROP
#zabbix monitorings
iptables -A INPUT -i eth0 -s 129.125.50.238 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 129.125.50.238 -j ACCEPT
# allow 9080 inbound:
iptables -A INPUT -i eth0 -p tcp --dport 9080 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 9080 -j ACCEPT
# allow 2222 inbound:
iptables -A INPUT -i eth0 -p tcp -s 129.125.249.0/24 --dport 2222 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d 129.125.249.0/24 --sport 2222 -j ACCEPT
# inbound gadgets:
iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
# allow from operator:
iptables -A INPUT -i eth0 -s 129.125.50.41/32 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 129.125.50.41/32 -j ACCEPT
# allow from/to ldap:
iptables -A INPUT -i eth0 -s 129.125.68.50/32 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 129.125.68.50/32 -j ACCEPT
# ldaps outbound:
iptables -A INPUT -i eth0 -p tcp --sport 636 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
# allow nfs:
iptables -A INPUT -i eth0 -s 129.125.50.171/32 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 129.125.50.171/32 -j ACCEPT
# allow ntp
iptables -A INPUT -i eth0 -p tcp --sport 123 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 123 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 123 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 123 -j ACCEPT
# allow charanga:
iptables -A INPUT -i eth0 -p tcp -s 129.125.60.94/32 --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d 129.125.60.94/32 --sport 22 -j ACCEPT
# charanga 129.125.60.94 port 2222:
iptables -A INPUT -i eth0 -p tcp -s 129.125.60.94/32 --dport 2222 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d 129.125.60.94/32 --sport 2222 -j ACCEPT
# allow imaps:
iptables -A INPUT -p tcp --sport 993 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 993 -j ACCEPT
# Flush & default
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
# setup log-chain:
ip6tables -N LOGREJECT
ip6tables -A LOGREJECT -j LOG
ip6tables -A LOGREJECT -j REJECT
# Set the default policy to drop
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# rules:
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -j REJECT
ip6tables -A OUTPUT -j REJECT
# allow ganglia-statieken-server:
iptables -A INPUT -p tcp -s 129.125.60.89 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.60.89 -j ACCEPT
iptables -A INPUT -p tcp -s 129.125.36.191 -j ACCEPT
iptables -A OUTPUT -p tcp -d 129.125.36.191 -j ACCEPT
# open up port 9100 prometues:
iptables -A INPUT -i eth0 -p tcp -s 129.125.2.233/32 --dport 9100 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d 129.125.2.233/32 --sport 9100 -j ACCEPT
# allow icmp:
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

209
playbooks/rugcms-frontend-uitrol/roles/frontend_test/files/megaclisas-status
Unescape Escape View File

@ -0,0 +1,209 @@
#!/usr/bin/python
import os
import re
import sys
binarypath = "/usr/sbin/megacli"
if len(sys.argv) > 2:
print 'Usage: megaclisas-status [--nagios]'
sys.exit(1)
nagiosmode=False
nagiosoutput=''
nagiosgoodarray=0
nagiosbadarray=0
nagiosgooddisk=0
nagiosbaddisk=0
# Check command line arguments to enable nagios or not
if len(sys.argv) > 1:
if sys.argv[1] == '--nagios':
nagiosmode=True
else:
print 'Usage: megaclisas-status [-nagios]'
sys.exit(1)
# Check binary exists (and +x), if not print an error message
# or return UNKNOWN nagios error code
if os.path.exists(binarypath) and os.access(binarypath, os.X_OK):
pass
else:
if nagiosmode:
print 'UNKNOWN - Cannot find '+binarypath
else:
print 'Cannot find '+binarypath+'. Please install it.'
sys.exit(3)
# Get command output
def getOutput(cmd):
output = os.popen(cmd)
lines = []
for line in output:
if not re.match(r'^$',line.strip()):
lines.append(line.strip())
return lines
def returnControllerNumber(output):
for line in output:
if re.match(r'^Controller Count.*$',line.strip()):
return int(line.split(':')[1].strip().strip('.'))
def returnControllerModel(output):
for line in output:
if re.match(r'^Product Name.*$',line.strip()):
return line.split(':')[1].strip()
def returnArrayNumber(output):
i = 0
for line in output:
if re.match(r'^Number of Virtual (Disk|Drive).*$',line.strip()):
i = line.strip().split(':')[1].strip()
return i
def returnArrayInfo(output,controllerid,arrayid):
id = 'c'+str(controllerid)+'u'+str(arrayid)
operationlinennumber = False
linenumber = 0
for line in output:
if re.match(r'Number Of Drives\s*((per span))?:.*[0-9]+$',line.strip()):
ldpdcount = line.split(':')[1].strip()
if re.match(r'Span Depth *:.*[0-9]+$',line.strip()):
spandepth = line.split(':')[1].strip()
if re.match(r'^RAID Level\s*:.*$',line.strip()):
raidlevel = line.strip().split(':')[1].split(',')[0].split('-')[1].strip()
type = 'RAID' + raidlevel
if re.match(r'^Size\s*:.*$',line.strip()):
# Size reported in MB
if re.match(r'^.*MB$',line.strip().split(':')[1]):
size = line.strip().split(':')[1].strip('MB').strip()
size = str(int(round((float(size) / 1000))))+'G'
# Size reported in TB
elif re.match(r'^.*TB$',line.strip().split(':')[1]):
size = line.strip().split(':')[1].strip('TB').strip()
size = str(int(round((float(size) * 1000))))+'G'
# Size reported in GB (default)
else:
size = line.strip().split(':')[1].strip('GB').strip()
size = str(int(round((float(size)))))+'G'
if re.match(r'^State\s*:.*$',line.strip()):
state = line.strip().split(':')[1].strip()
if re.match(r'^Ongoing Progresses\s*:.*$',line.strip()):
operationlinennumber = linenumber
linenumber += 1
if operationlinennumber:
inprogress = output[operationlinennumber+1]
else:
inprogress = 'None'
if ldpdcount and (int(spandepth) > 1):
ldpdcount = int(ldpdcount) * int(spandepth)
if int(raidlevel) < 10:
type = type + "0"
return [id,type,size,state,inprogress]
def returnDiskInfo(output,controllerid):
arrayid = False
diskid = False
table = []
state = 'undef'
model = 'undef'
for line in output:
if re.match(r'^Virtual (Disk|Drive): [0-9]+.*$',line.strip()):
arrayid = line.split('(')[0].split(':')[1].strip()
if re.match(r'Firmware state: .*$',line.strip()):
state = line.split(':')[1].strip()
if re.match(r'Inquiry Data: .*$',line.strip()):
model = line.split(':')[1].strip()
model = re.sub(' +', ' ', model)
if re.match(r'PD: [0-9]+ Information.*$',line.strip()):
diskid = line.split()[1].strip()
if arrayid != False and state != 'undef' and model != 'undef' and diskid != False:
table.append([str(arrayid), str(diskid), state, model])
state = 'undef'
model = 'undef'
return table
cmd = binarypath+' -adpCount -NoLog'
output = getOutput(cmd)
controllernumber = returnControllerNumber(output)
bad = False
# List available controller
if not nagiosmode:
print '-- Controller informations --'
print '-- ID | Model'
controllerid = 0
while controllerid < controllernumber:
cmd = binarypath+' -AdpAllInfo -a'+str(controllerid)+' -NoLog'
output = getOutput(cmd)
controllermodel = returnControllerModel(output)
print 'c'+str(controllerid)+' | '+controllermodel
controllerid += 1
print ''
controllerid = 0
if not nagiosmode:
print '-- Arrays informations --'
print '-- ID | Type | Size | Status | InProgress'
while controllerid < controllernumber:
arrayid = 0
cmd = binarypath+' -LdGetNum -a'+str(controllerid)+' -NoLog'
output = getOutput(cmd)
arraynumber = returnArrayNumber(output)
while arrayid < int(arraynumber):
cmd = binarypath+' -LDInfo -l'+str(arrayid)+' -a'+str(controllerid)+' -NoLog'
output = getOutput(cmd)
arrayinfo = returnArrayInfo(output,controllerid,arrayid)
if not nagiosmode:
print arrayinfo[0]+' | '+arrayinfo[1]+' | '+arrayinfo[2]+' | '+arrayinfo[3]+' | '+arrayinfo[4]
if not arrayinfo[3] == 'Optimal':
bad = True
nagiosbadarray=nagiosbadarray+1
else:
nagiosgoodarray=nagiosgoodarray+1
arrayid += 1
controllerid += 1
if not nagiosmode:
print ''
if not nagiosmode:
print '-- Disks informations'
print '-- ID | Model | Status'
controllerid = 0
while controllerid < controllernumber:
arrayid = 0
cmd = binarypath+' -LDInfo -lall -a'+str(controllerid)+' -NoLog'
output = getOutput(cmd)
cmd = binarypath+' -LdPdInfo -a'+str(controllerid)+' -NoLog'
output = getOutput(cmd)
arraydisk = returnDiskInfo(output,controllerid)
for array in arraydisk:
if not array[2] == 'Online' and not array[2] == 'Online, Spun Up':
bad=True
nagiosbaddisk=nagiosbaddisk+1
else:
nagiosgooddisk=nagiosgooddisk+1
if not nagiosmode:
print 'c'+str(controllerid)+'u'+array[0]+'p'+array[1]+' | '+array[3]+' | '+array[2]
controllerid += 1
if nagiosmode:
if bad:
print 'RAID ERROR - Arrays: OK:'+str(nagiosgoodarray)+' Bad:'+str(nagiosbadarray)+' - Disks: OK:'+str(nagiosgooddisk)+' Bad:'+str(nagiosbaddisk)
sys.exit(2)
else:
print 'RAID OK - Arrays: OK:'+str(nagiosgoodarray)+' Bad:'+str(nagiosbadarray)+' - Disks: OK:'+str(nagiosgooddisk)+' Bad:'+str(nagiosbaddisk)
else:
if bad:
print '\nThere is at least one disk/array in a NOT OPTIMAL state.'
sys.exit(1)

10
playbooks/rugcms-frontend-uitrol/roles/frontend_test/files/motd.cms-fa21
Unescape Escape View File

@ -0,0 +1,10 @@
_____ ________ ____
____ _____ ______ _/ ____\____ \_____ \/_ |
_/ ___\ / \ / ___/ ______ \ __\\__ \ / ____/ | |
\ \___| Y Y \\___ \ /_____/ | | / __ \_/ \ | |
\___ >__|_| /____ > |__| (____ /\_______ \|___|
\/ \/ \/ \/ \/

10
playbooks/rugcms-frontend-uitrol/roles/frontend_test/files/motd.cms-fa22
Unescape Escape View File

@ -0,0 +1,10 @@
_____ ________ ________
____ _____ ______ _/ ____\____ \_____ \\_____ \
_/ ___\ / \ / ___/ ______ \ __\\__ \ / ____/ / ____/
\ \___| Y Y \\___ \ /_____/ | | / __ \_/ \/ \
\___ >__|_| /____ > |__| (____ /\_______ \_______ \
\/ \/ \/ \/ \/ \/

9
playbooks/rugcms-frontend-uitrol/roles/frontend_test/files/motd.cms-fa23
Unescape Escape View File

@ -0,0 +1,9 @@
_____ ________ ________
____ _____ ______ _/ ____\____ \_____ \ \_____ \
_/ ___\ / \ / ___/ ______ \ __\\__ \ / ____/ _(__ <
\ \___| Y Y \\___ \ /_____/ | | / __ \_/ \ / \
\___ >__|_| /____ > |__| (____ /\_______ \/______ /
\/ \/ \/ \/ \/ \/

9
playbooks/rugcms-frontend-uitrol/roles/frontend_test/files/motd.cms-fa24
Unescape Escape View File

@ -0,0 +1,9 @@
_____ ________ _____
____ _____ ______ _/ ____\____ \_____ \ / | |
_/ ___\ / \ / ___/ ______ \ __\\__ \ / ____/ / | |_
\ \___| Y Y \\___ \ /_____/ | | / __ \_/ \/ ^ /
\___ >__|_| /____ > |__| (____ /\_______ \____ |
\/ \/ \/ \/ \/ |__|

10
playbooks/rugcms-frontend-uitrol/roles/frontend_test/files/motd.cms-fp21
Unescape Escape View File

@ -0,0 +1,10 @@
_____ ________ ____
____ _____ ______ _/ ____\_____ \_____ \/_ |
_/ ___\ / \ / ___/ ______ \ __\\____ \ / ____/ | |
\ \___| Y Y \\___ \ /_____/ | | | |_> > \ | |
\___ >__|_| /____ > |__| | __/\_______ \|___|
\/ \/ \/ |__| \/

10
playbooks/rugcms-frontend-uitrol/roles/frontend_test/files/motd.cms-fp22
Unescape Escape View File

@ -0,0 +1,10 @@
_____ ________ ________
____ _____ ______ _/ ____\_____ \_____ \\_____ \
_/ ___\ / \ / ___/ ______ \ __\\____ \ / ____/ / ____/
\ \___| Y Y \\___ \ /_____/ | | | |_> > \/ \
\___ >__|_| /____ > |__| | __/\_______ \_______ \
\/ \/ \/ |__| \/ \/

10
playbooks/rugcms-frontend-uitrol/roles/frontend_test/files/motd.cms-fp23
Unescape Escape View File

@ -0,0 +1,10 @@
_____ ________ ________
____ _____ ______ _/ ____\_____ \_____ \ \_____ \
_/ ___\ / \ / ___/ ______ \ __\\____ \ / ____/ _(__ <
\ \___| Y Y \\___ \ /_____/ | | | |_> > \ / \
\___ >__|_| /____ > |__| | __/\_______ \/______ /
\/ \/ \/ |__| \/ \/

11
playbooks/rugcms-frontend-uitrol/roles/frontend_test/files/motd.cms-fp24
Unescape Escape View File

@ -0,0 +1,11 @@