From e86ee4891665c497de4e3a8f6a2a07935cd23322 Mon Sep 17 00:00:00 2001
From: Rasmus Thorslund
Date: Tue, 11 Feb 2025 08:39:27 +0100
Subject: [PATCH] added some scripts and firewall rules for naemon

---
 ansible/playbooks/cosmos_lock.yaml | 12 ++++++++++++
 ansible/playbooks/cosmos_unlock.yaml | 9 +++++++++
 ansible/playbooks/cosmos_unlock_run.yaml | 13 +++++++++++++
 kubernetes.tf | 4 ++--
 main.tf | 19 ++++++++++++++++++-
 pgcluster.tf | 2 +-
 reboot_cluster.sh | 8 ++++++++
 ssh_command_cluster.sh | 10 ++++++++++
 8 files changed, 73 insertions(+), 4 deletions(-)
 create mode 100644 ansible/playbooks/cosmos_lock.yaml
 create mode 100644 ansible/playbooks/cosmos_unlock.yaml
 create mode 100644 ansible/playbooks/cosmos_unlock_run.yaml
 create mode 100644 reboot_cluster.sh
 create mode 100755 ssh_command_cluster.sh
diff --git a/ansible/playbooks/cosmos_lock.yaml b/ansible/playbooks/cosmos_lock.yaml
new file mode 100644
index 0000000..d7f5312
--- /dev/null
+++ b/ansible/playbooks/cosmos_lock.yaml
@@ -0,0 +1,12 @@
+---
+- name: Create a file to pause Cosmos
+ hosts: all
+ become: yes
+ tasks:
+ - name: Ensure the file /etc/no-automatic-cosmos exists with specific content
+ ansible.builtin.copy:
+ dest: /etc/no-automatic-cosmos
+ content: "Cosmos paused by Ansible\n"
+ owner: root
+ group: root
+ mode: '0644'
diff --git a/ansible/playbooks/cosmos_unlock.yaml b/ansible/playbooks/cosmos_unlock.yaml
new file mode 100644
index 0000000..4ae2fc2
--- /dev/null
+++ b/ansible/playbooks/cosmos_unlock.yaml
@@ -0,0 +1,9 @@
+---
+- name: Remove the file to resume Cosmos
+ hosts: all
+ become: yes
+ tasks:
+ - name: Remove the file /etc/no-automatic-cosmos if it exists
+ ansible.builtin.file:
+ path: /etc/no-automatic-cosmos
+ state: absent
diff --git a/ansible/playbooks/cosmos_unlock_run.yaml b/ansible/playbooks/cosmos_unlock_run.yaml
new file mode 100644
index 0000000..88c4046
--- /dev/null
+++ b/ansible/playbooks/cosmos_unlock_run.yaml
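Review bot: The marker written by the copy task in cosmos_lock.yaml carries only the fixed string `Cosmos paused by Ansible\n`, so an operator who later finds /etc/no-automatic-cosmos on a host cannot tell when or by whom automation was paused, which matters when a lock is forgotten and the unlock plays are the only thing that clears it. Recording the time and the invoking user costs one line, `content: "Cosmos paused by Ansible on {{ ansible_date_time.iso8601 }} by {{ lookup('env', 'USER') }}\n"` (ansible_date_time needs fact gathering, which this play does not disable). The same play-level `hosts: all` with `become: yes` appears in cosmos_unlock.yaml and cosmos_unlock_run.yaml; a one-line comment at the top of each, such as `# Run with --limit <group>; without it this pauses/resumes Cosmos on every inventory host`, would make the blast radius explicit.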
@@ -0,0 +1,13 @@
+---
+- name: Remove the no_automatic_cosmos and run cosmos.s
+ hosts: all
+ become: yes
+ serial: 1
+ tasks:
+ - name: Remove the file /etc/no-automatic-cosmos if it exists
+ ansible.builtin.file:
+ path: /etc/no-automatic-cosmos
+ state: absent
+
+ - name: Run cosmos
+ ansible.builtin.command: scriptherder --mode wrap --syslog --name cosmos -- /usr/local/bin/run-cosmos --random-sleep -v
diff --git a/kubernetes.tf b/kubernetes.tf
index 318a418..082eefc 100644
--- a/kubernetes.tf
+++ b/kubernetes.tf
@@ -203,7 +203,7 @@ resource "openstack_compute_instance_v2" "controller-nodes" {
 name = "${var.controller_name}-${count.index}.${var.dns_suffix}"
 flavor_name = "${var.controller_instance_type}"
 key_pair = "thorslund"
- security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts"]
+ security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts", "naemon"]
 block_device {
@@ -226,7 +226,7 @@ resource "openstack_compute_instance_v2" "worker-nodes" {
 name = "${var.worker_name}-${count.index}.${var.dns_suffix}"
 flavor_name = "${var.worker_instance_type}"
 key_pair = "thorslund"
- security_groups = ["microk8s", "Allow SSH from SUNET jumphosts"]
+ security_groups = ["microk8s", "Allow SSH from SUNET jumphosts", "naemon"]
 block_device {
 uuid = "5d24aca9-11be-4de1-9770-4a097d68f361"
diff --git a/main.tf b/main.tf
index 2cc5793..fc002e2 100644
--- a/main.tf
+++ b/main.tf
@@ -47,7 +47,7 @@ resource "openstack_networking_secgroup_rule_v2" "naemon_rule3" {
 resource "openstack_networking_secgroup_rule_v2" "naemon_rule4" {
 direction = "ingress"
 ethertype = "IPv6"
- protocol = "icmp"
+ protocol = "ipv6-icmp"
 remote_group_id = openstack_networking_secgroup_v2.naemon.id
 security_group_id = openstack_networking_secgroup_v2.naemon.id
 }
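Review bot: The play name on the second line of cosmos_unlock_run.yaml, `Remove the no_automatic_cosmos and run cosmos.s`, misspells both the marker file (it is /etc/no-automatic-cosmos, as the task below says) and the script; `- name: Remove /etc/no-automatic-cosmos and run cosmos` would match the tasks it heads. The `ansible.builtin.command` task at the end always reports changed and, under `serial: 1`, each host waits for the previous run-cosmos to finish; if `--random-sleep` does what its name suggests, that delay is paid once per host, so an operator-triggered unlock may want to drop it or carry a comment saying why it is kept, e.g. `# --random-sleep kept on purpose: <reason>`.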
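Review bot: The `security_groups` lists in both kubernetes.tf hunks (and in the pgcluster.tf hunk of this patch) add the naemon group by the literal name `"naemon"`, while the rules in main.tf reference `openstack_networking_secgroup_v2.naemon.id`, so Terraform sees no dependency between the instances and the group; on a fresh apply the instance can be created before the group exists, and a rename of the group would not be caught at plan time. Referencing the resource attribute, `security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts", openstack_networking_secgroup_v2.naemon.name]`, gives the implicit dependency and the plan-time check, assuming the naemon group in main.tf is the one meant here. The existing string entries presumably name groups managed outside this configuration; a short comment saying so would help the next reader.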
@@ -84,6 +84,23 @@ resource "openstack_networking_secgroup_rule_v2" "naemon_rule8" {
 remote_ip_prefix = "2001:6b0:6c::37f/128"
 security_group_id = openstack_networking_secgroup_v2.naemon.id
 }
+
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule9" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ remote_ip_prefix = "109.105.111.111/32"
+ security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule10" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "ipv6-icmp"
+ remote_ip_prefix = "2001:948:4:6::111/128"
+ security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+
+
 resource "openstack_networking_secgroup_v2" "https" {
 name = "https"
 description = "Traffic to allow between microk8s hosts"
diff --git a/pgcluster.tf b/pgcluster.tf
index f4055e5..6285011 100644
--- a/pgcluster.tf
+++ b/pgcluster.tf
@@ -3,7 +3,7 @@ resource "openstack_compute_instance_v2" "pg-nodes" {
 name = "${var.pgcluster_name}-${count.index}.${var.dns_suffix}"
 flavor_name = "${var.pgcluster_instance_type}"
 key_pair = "thorslund"
- security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts"]
+ security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts", "naemon"]
 block_device {
diff --git a/reboot_cluster.sh b/reboot_cluster.sh
new file mode 100644
index 0000000..2f679af
--- /dev/null
+++ b/reboot_cluster.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+for host in *{spg,sc,sw}*.sunet.se; do
+ echo "Rebooting $host"
+ ssh $host 'systemctl reboot'
+ done
+
+
diff --git a/ssh_command_cluster.sh b/ssh_command_cluster.sh
new file mode 100755
index 0000000..f8e53bb
--- /dev/null
+++ b/ssh_command_cluster.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+COMMAND=$1
+
+for host in *{spg,sc,sw}*.sunet.se; do
+ echo "Running command: $COMMAND on $host"
+ ssh $host $COMMAND
+ done
+
+
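Review bot: naemon_rule9 and naemon_rule10 allow ICMP from two hard-coded monitoring addresses (109.105.111.111/32 and 2001:948:4:6::111/128) without a `description`, so nothing in the plan or state records which monitor these are or why they differ from rule8's prefix; a `description = "ICMP echo from naemon monitor <monitor-hostname>"` on each (and on the existing rules) keeps that where a later cleanup will see it. Moving the monitor addresses into variables, one IPv4 and one IPv6, would also stop an address from drifting between rules as more are added. Both rules leave the ICMP type unrestricted; if only echo-request is needed, the provider's `port_range_min`/`port_range_max` carry the ICMP type/code for the icmp protocols and can narrow it, though unrestricted ICMP from a single monitor host is a small surface.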
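Review bot: reboot_cluster.sh reboots every matched host back-to-back with no pause, and because `*{spg,sc,sw}*.sunet.se` is brace expansion followed by pathname globbing, the host list is whatever files in the current directory match (presumably per-host files kept in this repo); with no match the literal pattern is handed to ssh, and `$host` is unquoted. If these are the microk8s controller/worker and pg nodes from the .tf files in this patch, rebooting all of them within seconds takes the control plane and the database below quorum at the same time, so a delay, or waiting for each host to come back, between iterations is the point I would raise first. ssh also tends to exit non-zero when the connection drops during the reboot, so the loop should not treat that as fatal. The file is created mode 100644 while ssh_command_cluster.sh is 100755, which looks unintended, and the same glob and quoting behaviour applies to ssh_command_cluster.sh.
```bash
#!/bin/bash
set -u
shopt -s nullglob   # an unmatched pattern expands to nothing instead of a literal "*spg*.sunet.se"

# Reboots the cluster hosts one at a time; REBOOT_DELAY seconds between hosts (default 60).
for host in *{spg,sc,sw}*.sunet.se; do
  echo "Rebooting $host"
  # ssh may exit non-zero when the connection drops mid-reboot; report it but keep going
  ssh -n "$host" 'systemctl reboot' || echo "ssh to $host exited with $?" >&2
  sleep "${REBOOT_DELAY:-60}"
done
```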
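Review bot: `COMMAND=$1` followed by the unquoted `ssh $host $COMMAND` in ssh_command_cluster.sh uses only the first argument and re-splits it on whitespace, so an argument containing quotes or glob characters is mangled, and a run with no argument at all opens an interactive login shell on each host in turn. Passing every argument through as `"$@"`, refusing to run with none, and keeping ssh from consuming the loop's stdin with `-n` makes the script do what its name says. The host pattern behaves as in reboot_cluster.sh: it matches files in the current directory and is passed to ssh literally when nothing matches.
```bash
#!/bin/bash
set -u
shopt -s nullglob   # an unmatched pattern expands to nothing instead of a literal "*spg*.sunet.se"

# Usage: ./ssh_command_cluster.sh <command> [args...]
# All arguments are handed to ssh, which joins them into the remote command line.
if [ "$#" -eq 0 ]; then
  echo "usage: $0 <command> [args...]" >&2
  exit 1
fi

for host in *{spg,sc,sw}*.sunet.se; do
  echo "Running command: $* on $host"
  ssh -n "$host" "$@"
done
```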