yelp / puppet-uchiwa Goto Github PK

View Code? Open in Web Editor NEW

20.0 31.0 59.0 149 KB

Puppet module for installing Uchiwa

License: Apache License 2.0

Ruby 56.68% Puppet 34.48% HTML 8.84%

puppet-uchiwa's Introduction

Uchiwa-Puppet

Tested with Travis CI

Upgrade Note

Versions greater than 0.3.0 are incompatible with previous versions of the Yelp-Uchiwa module.

Installation

$ puppet module install yelp-uchiwa

Prerequisites

One or more working Sensu installations

Dependencies

puppetlabs/apt
puppetlabs/stdlib

See Modulefile for details.

Examples

Simple Setup

By default the puppet module will connect to a single Sensu API endpoint on localhost:

node 'uchiwa-server.foo.com' {
  include ::uchiwa
}

API definitions will default to the following values:

name     => 'sensu'
host     => '127.0.0.1'
ssl      => false
insecure => false
port     => 4567
user     => 'sensu'
pass     => 'sensu'
path     => ''
timeout  => 5

Simple Server Without the Repo

The module itself sets up the Sensu repo in order to download Uchiwa. Often this is also done by the Sensu puppet module too. To get around this duplication you can ask the Uchiwa module not to manage the repo:

class { '::uchiwa':
  install_repo => false,
}

Advanced Example Using Multiple APIs

This is an example of how to setup Uchiwa connecting to two different API endpoints. In this example there is one endpoint using mostly default parameters, and then a second endpoint using all the possible options:

node 'uchiwa-server.foo.com' {

  $uchiwa_api_config = [
    {
      host  => '10.56.5.8',
    },
    {
      host      => '10.16.1.25',
      ssl       => true,
      insecure  => true,
      port      => 7654,
      user      => 'sensu',
      pass      => 'saBEnX8PQoyz2LG',
      path      => '/sensu',
      timeout   => 5
    }
  ]
  class { 'uchiwa':
    sensu_api_endpoints => $uchiwa_api_config,
  }
}

SSL (HTTPS)

This is an example on how to use Uchiwa with HTTPS:

Puppet:

class { 'uchiwa':
  ssl = {
    'certfile' => '/path/to/certfile',
    'keyfile' => '/path/to/keyfile',
  }
}

Simple YAML:

uchiwa::ssl: { 'certfile': '/opt/ssl/public.crt', 'keyfile': '/opt/ssl/private.key' }

Litle more advanced:

uchiwa::ssl: { 'certfile': '/opt/ssl/%{::hostname}.crt', 'keyfile': '/opt/ssl/%{::hostname}.key' }

Users Options

Example of declaring the UsersOptions hash as defined in https://docs.uchiwa.io/getting-started/configuration/#users-options:

Via hiera:

uchiwa::usersoptions:
  disableNoExpiration: true
  requireSilencingReason: true
  defaultExpireOnResolve: true

License

See LICENSE file.

puppet-uchiwa's People

Contributors

Stargazers

Watchers

puppet-uchiwa's Issues

Obscure Datacat errors from Uchiwa module

Given the simple manifest at https://gist.github.com/gdhgdhgdh/e87cddfd23f36cbe5cef I get the following error from Puppet 3.7.3 on a Vagrant box running CentOS 7:

==> default: Error: /Stage[main]/Uchiwa::Config/Datacat[/etc/sensu/uchiwa.json]/
Datacat_collector[/etc/sensu/uchiwa.json]: Could not evaluate: undefined method
`each' for nil:NilClass

What is it that I've done wrong? :(

Cheers,
Gavin.

New Release

There have been a lot of changes since the last release of this module, and it has been almost a year and a half. There have been some very useful additions to this module, such as supporting User Options (#78), adding SSL support (#68), and supporting multiple backends (#66), but they are not available to users who load this module through Puppet Forge

Binding to 0.0.0.0 and use of empty passwords are bad practices

Greetings,

I am a security researcher, who is looking for security smells in Puppet scripts. I noticed instances of binding to 0.0.0.0. Binding an address to 0.0.0.0 indicates allowing connections from all IP addresses. I would like to draw attention to these instances. Binding to 0.0.0.0 may lead to denial of service attacks. Practitioners have reported how binding to 0.0.0.0 facilitated security issues for MySQL (https://serversforhackers.com/c/mysql-network-security), Memcached (https://news.ycombinator.com/item?id=16493480), and Kibana (https://www.elastic.co/guide/en/kibana/5.0/breaking-changes-5.0.html).

I suggest to use a dedicated IP address other than 0.0.0.0.

Any feedback is appreciated.

Source: https://github.com/Yelp/puppet-uchiwa/blob/master/manifests/params.pp

SSL Support

According to the Uchiwa documentation, SSL support is present by using:

{
  "uchiwa": {
    "ssl": {
      "certfile": "/path/to/uchiwa.pem",
      "keyfile": "/path/to/uchiwa.key"
    }
  }
}

If i look into the docs and the uchiwa.json.erb file, I don't see any reference to the SSL: section.

Is it possible for you guys to implement this? Would be much appreciated!

Commit caused regression

commit b76eac99511139ba9eac1e7669c640b9704c2f3 seems to create a redundant comma, that creates an invalid uchiwa.json. Uchiwa starts with the following error:

{"Date":"2016-06-14T11:21:39.126584744Z","Level":"fatal","Src":{"Func":"github.com/sensu/uchiwa/uchiwa/config.Load","Line":48},"Output":"Error decoding file /etc/sensu/uchiwa.json: invalid character '}' looking for beginning of object key string"}

Incorrect repository url

They repo URL in the module is pointing to repos.sensuapp.org, which no longer works. The documentation on the website (https://sensuapp.org/docs/latest/install-repositories) says repositories.sensuapp.org.

Rob

Support usersOptions

Looks like these are new configuration values that it'd be awesome if this module supported: https://docs.uchiwa.io/getting-started/configuration/#users-options

Could you add release v2.0.0 to the release page

I'm managing some puppet modules by hand and release number and I like to link back to the github release and I noticed that v2.0.0 isn't on there.

Thanks!

Explanation of "incompatible with previous versions of the Sensu-Puppet module"

Could I get some details on what "Versions greater than 0.2.0 are incompatible with previous versions of the Sensu-Puppet module" means?

Does this mean that versions of yelp-uchiwa/ pauloconnor greater than 0.2.0 are incompatible with previous versions of the Sensu-Puppet module https://github.com/sensu/sensu-puppet ? If so, what versions of sensu/sensu-puppet are impacted (and how?) . I am in the process of setting up the Sensu stack and am attempting to to use both of these puppet modules. So far seems to be working after a minor fix for #13. Thanks in advance, and apologies if this is obvious and I'm missing it.

Detail: undefined method `each_with_index' for nil:NilClass

Hi, I'm trying use this class, but I receive this error:

Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Function Call, Failed to parse template uchiwa/etc/sensu/uchiwa.json.erb:
  Filepath: /etc/puppetlabs/code/modules/uchiwa/templates/etc/sensu/uchiwa.json.erb
  Line: 4
  Detail: undefined method `each_with_index' for nil:NilClass
 at /etc/puppetlabs/code/modules/uchiwa/manifests/config.pp:8:16 on node sensu-server-1
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

My profile is:

$uchiwa_api_config = [{
  host      => 'sensu-server',
  ssl       => false,
  insecure  => false,
  port      => '4567',
  user      => 'sensu',
  pass      => 'sensu',
  path      => '/',
  timeout   => '5'
}]

class { "uchiwa":
  sensu_api_endpoints => $uchiwa_api_config,
  install_repo => false,
  host => '0.0.0.0',
  port => '3000',
  refresh => '5',
  }

Why's this error happen?
It's a fresh puppetserver installation.

Duplicate Apt Resource

When trying to install sensu client on the same node I get:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate declaration: 
Apt::Source[sensu] is already declared in file 
/etc/puppet/environments/branches/sensu/modules/uchiwa/manifests/repo/apt.pp:34; cannot redeclare 
at /etc/puppet/environments/branches/sensu/modules/sensu/manifests/repo/apt.pp:35 
on node txxxxxx.com

Can we name the uchiwa resource something else? like uchiwa or sensu-uchiwa?

uchiwa is not under the yelp namespace on the forge.

The README says to download from yelp-uchiwa which doesn't exist.

Changelog

Hey guys,

it would be super cool if you could start using/doing Changelog :)

cheers

If params for port and refresh are integers, then init.pp needs to change from validate_string

Can see that there has been some movement back and forth around whether the port and refresh should be string or integer. At present, init.pp is failing as it is using

validate_string($port)
and
validate_string($refresh)

Suggest in both cases these could be

validate_numeric($port)
validate_numeric($refresh)

Uchiwa module has ancient requirements

yelp-uchiwa 1.0.2 and 2.0.0 require:

Ubuntu Linux version 10.04 or 12.04
puppet 3.x
puppetlabs-apt < 3.0

These requirements are ancient, and in many cases, no longer supported (or secure). Because of these requirements, i cannot update the uchiwa module without force or other nasty means.

Suggest code review and requirements bump-up to:

Ubuntu 14.04 and 16.04
puppet 4.x (and eventually, 5.x)
puppetlabs-apt < 5

New puppet-uchiwa release?

Hi there

After merging changes introduced in #21, #22 and #23, I was wondering whether you could make a new puppet-uchiwa release.

If they're not aware of the changes introduced in uchiwa 0.3, people risk to configure uchiwa with default values in ms rather than seconds.

Thanks :)

Duplicate declaration apt

Install sensu module and uchiwa for puppet.
Configure manifest and after start puppet agent got this error:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate declaration: Apt::Source[sensu] is already declared in file /etc/puppet/environments/taxi/modules/uchiwa/manifests/repo/apt.pp:38; cannot redeclare at /etc/puppet/environments/taxi/modules/sensu/manifests/repo/apt.pp:35 on node sensu-server.mydomain.com

Can u help?

Support the users attribute

A new attribute users is available which allow to define multiple users on the configuration file: http://docs.uchiwa.io/en/latest/configuration/uchiwa/#multiple-users-with-simple-authentication

Rename to puppet-uchiwa?

Most puppet modules on github are puppet-bla. Yelp-uchiwa doesn't really make sense to me as a repo name. I can make this change if I get a second vote.

setting install_repo to false breaks module

class { '::uchiwa': version => '0.2.1-1', install_repo => false, }
On e.g. Centos 6.4, PE 3.2 fails with:
Error 400 on SERVER: Invalid relationship: Package[uchiwa] { require => Yumrepo[sensu] }, because Yumrepo[sensu] doesn't seem to be in the catalog
Because class uchiwa::install doesn't take into account that install_repo might be false when setting require for the package. I will fix and submit a pull request.

Can't notify a service if it's not declared

This doesn't exist:

puppet-uchiwa/manifests/install.pp

Line 45 in 92c7f71

notify => Service['uchiwa'],

If manage_services is set to false:

puppet-uchiwa/manifests/service.pp

Lines 8 to 9 in 92c7f71

 if $uchiwa::manage_services == true { 

 service { $uchiwa::service_name:

Service enable loop

Not exactly sure whats going on here but on RHEL 7 I am seeing on every puppet run the uchiwa service trying to be enabled for boot. In order to fix the problem I set the class to stop managing its services and did my own notify and service declaration:

https://github.com/Yelp/puppet-uchiwa/blob/master/manifests/service.pp

class { '::uchiwa':
    install_repo        => false,
    user                => 'sensu',
    pass                => 'sensu',
    port                => '3000',
    sensu_api_endpoints => $uchiwa_api_config,
    manage_services     => false,
    notify              => Service['uchiwa'],
  }
   service { ['uchiwa']:
    ensure   => 'running',
    enable   => true,
    provider => 'redhat',
  }

Also as a side note init.pp has better documentation then the readme file does. It would be cool if that could get ported over or at least an FYI stating there is more info there.

Support for FreeBSD.

All,

I'd like to use this puppet module on FreeBSD but there is not support. Would you be okay to a pull-request that addresses this issue?

Mike D.

JSON acceptance tests are failing

Running rake beaker shows 2 failing tests:

Failures:

  1) sensu class uchiwa ensure => present should produce consistent uchiwa.json file
     On host ``
     Failure/Error: expect(cat.stdout).to eq (uchiwa_json)


       expected: "{\n\"sensu\": [\n    {\n      \"name\": \"Main Server\",\n      \"host\": \"127.0.0.1\",\n      \"ssl\": false,\n      \"insecure\": false,\n      \"port\": 4567,\n      \"user\": \"sensu\",\n      \"pass\": \"secret\",\n      \"path\": \"\",\n      \"timeout\": 5000\n    }\n  ],\n  \"uchiwa\": {\n    \"host\": \"0.0.0.0\",\n    \"port\": 3000,\n    \"user\": \"\",\n    \"pass\": \"\",\n    \"stats\": 10,\n    \"refresh\": 10000\n  }\n}\n"
            got: "{\n\"sensu\": [\n    {\n      \"name\": \"Main Server\",\n      \"host\": \"127.0.0.1\",\n      \"ssl\": false,\n      \"insecure\": false,\n      \"port\": 4567,\n      \"user\": \"sensu\",\n      \"pass\": \"secret\",\n      \"path\": \"\",\n      \"timeout\": 5000\n    }\n  ],\n  \"uchiwa\": {\n    \"host\": \"0.0.0.0\",\n    \"port\": 3000,\n    \"user\": \"\",\n    \"pass\": \"\",\n    \"refresh\": 5\n  }\n}\n"

       (compared using ==)

       Diff:
       @@ -17,8 +17,7 @@
            "port": 3000,
            "user": "",
            "pass": "",
       -    "stats": 10,
       -    "refresh": 10000
       +    "refresh": 5
          }
        }
     # ./spec/acceptance/class_spec.rb:62:in `block (5 levels) in <top (required)>'
     # ./spec/acceptance/class_spec.rb:61:in `block (4 levels) in <top (required)>'

  2) sensu class uchiwa ensure => present should produce a uchiwa.json file from defaults
     On host ``
     Failure/Error: expect(cat.stdout).to eq (uchiwa_json)


       expected: "{\n\"sensu\": [\n    {\n      \"name\": \"sensu\",\n      \"host\": \"127.0.0.1\",\n      \"ssl\": false,\n      \"insecure\": false,\n      \"port\": 4567,\n      \"user\": \"sensu\",\n      \"pass\": \"sensu\",\n      \"path\": \"\",\n      \"timeout\": 5000\n    }\n  ],\n  \"uchiwa\": {\n    \"host\": \"0.0.0.0\",\n    \"port\": 3000,\n    \"user\": \"\",\n    \"pass\": \"\",\n    \"stats\": 10,\n    \"refresh\": 10000\n  }\n}\n"
            got: "{\n\"sensu\": [\n    {\n      \"name\": \"sensu\",\n      \"host\": \"127.0.0.1\",\n      \"ssl\": false,\n      \"insecure\": false,\n      \"port\": 4567,\n      \"user\": \"sensu\",\n      \"pass\": \"sensu\",\n      \"path\": \"\",\n      \"timeout\": 5\n    }\n  ],\n  \"uchiwa\": {\n    \"host\": \"0.0.0.0\",\n    \"port\": 3000,\n    \"user\": \"\",\n    \"pass\": \"\",\n    \"refresh\": 5\n  }\n}\n"

       (compared using ==)

       Diff:
       @@ -9,7 +9,7 @@
              "user": "sensu",
              "pass": "sensu",
              "path": "",
       -      "timeout": 5000
       +      "timeout": 5
            }
          ],
          "uchiwa": {
       @@ -17,8 +17,7 @@
            "port": 3000,
            "user": "",
            "pass": "",
       -    "stats": 10,
       -    "refresh": 10000
       +    "refresh": 5
          }
        }
     # ./spec/acceptance/class_spec.rb:81:in `block (5 levels) in <top (required)>'
     # ./spec/acceptance/class_spec.rb:80:in `block (4 levels) in <top (required)>'

Finished in 3 minutes 1 second
5 examples, 2 failures

Failed examples:

rspec ./spec/acceptance/class_spec.rb:57 # sensu class uchiwa ensure => present should produce consistent uchiwa.json file
rspec ./spec/acceptance/class_spec.rb:76 # sensu class uchiwa ensure => present should produce a uchiwa.json file from defaults

Am I being inappropriately redirected?

Starting here:

https://forge.puppetlabs.com/pauloconnor/uchiwa

I follow a link labeled: 'Project URL' which my browser tells me goes to:

https://github.com/pauloconnor/pauloconnor-uchiwa

routes me to this page:

https://github.com/Yelp/puppet-uchiwa

Why?

	if $uchiwa::manage_services == true {
	service { $uchiwa::service_name: