Coverage for lib/lib_openstack_service_checks.py : 39%

Hot-keys on this page
r m x p toggle line displays
j k next/prev highlighted chunk
0 (zero) top of page
1 (one) first highlighted chunk
'''store keystone credentials''' unitdata.kv().set('keystonecreds', creds) return
def novarc(self):
def plugins_dir(self):
raise OSCCredentialsError('auth_url') else:
' credentials_project').split() raise OSCCredentialsError(', '.join(missing))
for k in all_attrs if k not in ('credentials_project', 'domain')])) 'user_domain_name': ident_creds['domain'], 'project_domain_name': ident_creds['domain'], }) else:
'''retrieve keystone credentials from either config or relation data
If config 'os-crendentials' is set, return that info otherwise look for a keystonecreds relation data'
:return: dict of credential information for keystone '''
def nova_warn(self):
def nova_crit(self):
def nova_skip_aggregates(self): skipped_aggregates = self.charm_config.get('skipped_host_aggregates') # We have to make sure there are no malicious injections in the code # as this gets passed to a python script via bash regex = r'(\w+[,\w+]*)' sanitized = ",".join(re.findall(regex, skipped_aggregates)) sanitized = [s for s in sanitized.split(',') if s != ""] sanitized = ",".join(sanitized) return sanitized
def skip_disabled(self): return '--skip-disabled' else:
def check_dns(self):
render(source='nagios.novarc', target=self.novarc, context=creds, owner='nagios', group='nagios')
nrpe = NRPE() if not os.path.exists(self.plugins_dir): os.makedirs(self.plugins_dir)
charm_plugin_dir = os.path.join(hookenv.charm_dir(), 'files', 'plugins/') host.rsync(charm_plugin_dir, self.plugins_dir, options=['--executability'])
nova_check_command = os.path.join(self.plugins_dir, 'check_nova_services.py') check_command = '{} --warn {} --crit {} --skip-aggregates {} {}'.format( nova_check_command, self.nova_warn, self.nova_crit, self.nova_skip_aggregates, self.skip_disabled).strip() nrpe.add_check(shortname='nova_services', description='Check that enabled Nova services are up', check_cmd=check_command, )
nrpe.add_check(shortname='neutron_agents', description='Check that enabled Neutron agents are up', check_cmd=os.path.join(self.plugins_dir, 'check_neutron_agents.sh'), )
if len(self.check_dns): nrpe.add_check(shortname='dns_multi', description='Check DNS names are resolvable', check_cmd='{} {}'.format( os.path.join(self.plugins_dir, 'check_dns_multi.sh'), ' '.join(self.check_dns.split())), ) else: nrpe.remove_check(shortname='dns_multi') nrpe.write()
self.create_endpoint_checks(creds)
"""http(s)://host:port or http(s)://host will return a host and a port
Even if a port is not specified, this helper will return a host and a port (guessing it from the protocol used, if needed)
:param netloc: network location part as returned by urllib.urlparse :type netloc: str :param scheme: URL scheme specifier as returned by urllib.urlparse :returns: str :rtype: Tuple[str, str] """ if netloc.find(':') == -1: # no port specified host = netloc port = 80 if scheme == 'http' else 443 else: host, port = netloc.split(':')
return host, port
""" Create an NRPE check for each Keystone catalog endpoint.
Read the Keystone catalog, and create a check for each endpoint listed. If there is a healthcheck endpoint for the API, use that URL, otherwise check the url '/'. If SSL, add a check for the cert.
v2 endpoint needs the 'interface' attribute: <Endpoint {'id': 'XXXXX', 'region': 'RegionOne', 'publicurl': 'http://10.x.x.x:9696', 'service_id': 'YYY', 'internalurl': 'http://10.x.x.x:9696', 'enabled': True, 'adminurl': 'http://10.x.x.x:9696'}> """ # provide URLs that can be used for healthcheck for some services # This also provides a nasty hack-ish way to add switches if we need # for some services. health_check_params = { 'aodh': '/healthcheck', 'barbican': '/v1 -e Unauthorized', 'ceilometer': '/ -e Unauthorized -d x-openstack-request-id', 'cinderv1': '/v1 -e Unauthorized -d x-openstack-request-id', 'cinderv2': '/v2 -e Unauthorized -d x-openstack-request-id', 'cinderv3': '/v3 -e Unauthorized -d x-openstack-request-id', 'glance': '/healthcheck', 'gnocchi': '/v1 -e Unauthorized', 'heat': '/v1 -e Unauthorized -d X-Openstack-Request-Id', 'keystone': '/healthcheck', 'nova': '/healthcheck', 'placement': '/healthcheck -e Unauthorized -d x-openstack-request-id', 's3': '/healthcheck', 'swift': self.charm_config.get('swift_check_params', '/'), }
self.get_keystone_client(creds) endpoints = self.keystone_endpoints services = [svc for svc in self.keystone_services if svc.enabled] nrpe = NRPE() skip_service = set() for endpoint in endpoints: endpoint.service_names = [x.name for x in services if x.id == endpoint.service_id] service_name = endpoint.service_names[0] endpoint.healthcheck_url = health_check_params.get(service_name, '/')
# Note(aluria): glance-simplestreams-sync does not provide an API to check if service_name == 'image-stream': continue
if not hasattr(endpoint, 'interface'): if service_name == 'keystone': # Note(aluria): filter:healthcheck is not configured in v2 # https://docs.openstack.org/keystone/pike/configuration.html#health-check-middleware continue for interface in 'admin internal public'.split(): old_interface_name = '{}url'.format(interface) if not hasattr(endpoint, old_interface_name): continue endpoint.interface = interface endpoint.url = getattr(endpoint, old_interface_name) skip_service.add(service_name) break
check_url = urlparse(endpoint.url) if not self.charm_config.get('check_{}_urls'.format(endpoint.interface)): nrpe.remove_check(shortname='{}_{}'.format(service_name, endpoint.interface)) if check_url.scheme == 'https': nrpe.remove_check(shortname='{}_{}_cert'.format(service_name, endpoint.interface)) continue
cmd_params = ['/usr/lib/nagios/plugins/check_http'] host, port = self._split_url(check_url.netloc, check_url.scheme) cmd_params.append('-H {} -p {}'.format(host, port)) cmd_params.append('-u {}'.format(endpoint.healthcheck_url))
# if this is https, we want to add a check for cert expiry # also need to tell check_http use use TLS if check_url.scheme == 'https': cmd_params.append('-S') # Add an extra check for TLS cert expiry cmd_params_cert = cmd_params.copy() cmd_params_cert.append('-C {},{}'.format(self.charm_config['tls_warn_days'] or 30, self.charm_config['tls_crit_days'] or 14)) nrpe.add_check(shortname='{}_{}_cert'.format(service_name, endpoint.interface), description='Certificate expiry check for {} {}'.format(service_name, endpoint.interface), check_cmd=' '.join(cmd_params_cert))
# Add the actual health check for the URL nrpe.add_check(shortname='{}_{}'.format(service_name, endpoint.interface), description='Endpoint url check for {} {}'.format(service_name, endpoint.interface), check_cmd=' '.join(cmd_params))
nrpe.write()
"""Import the appropriate Keystone client depending on API version.
Use credential info to determine the Keystone API version, and make a client session object that is to be used for authenticated communication with Keystone.
:returns: a keystoneclient Client object """ if int(creds.get('auth_version', 0)) >= 3: from keystoneclient.v3 import client from keystoneclient.auth.identity import v3 as kst_version auth_fields = 'username password auth_url user_domain_name project_domain_name project_name'.split() else: from keystoneclient.v2_0 import client from keystoneclient.auth.identity import v2 as kst_version auth_fields = 'username password auth_url tenant_name'.split()
auth_creds = dict([(key, creds.get(key)) for key in auth_fields]) auth = kst_version.Password(**auth_creds) sess = session.Session(auth=auth) self._keystone_client = client.Client(session=sess)
if self._keystone_client is None: raise OSCEndpointError('Unable to list the endpoint errors, yet: ' 'could not connect to the Identity Service')
def keystone_endpoints(self): try: return self._keystone_client.endpoints.list() except keystoneauth1.exceptions.http.InternalServerError as error: raise OSCEndpointError( 'Unable to list the keystone endpoints, yet: {}'.format(error))
def keystone_services(self): return self._keystone_client.services.list() |