Commits (6)
......@@ -14,29 +14,31 @@ example service.
You're going to need a relatively recent version of
[Ansible](https://ansible.com) (>= 2.4), the virtual machine
management tools (Vagrant and Virtualbox), and a few small other
management tools (Vagrant and libvirt), and a few small other
custom tools used to manage credentials, that we will build ourselves.
On a Debian stable (*stretch*) system, not all packages have
sufficiently recent versions in the main repository. The simplest way
to solve this is to pull some packages from the *stretch-backports*
repository. This can be achieved with the following commands:
On a Debian stable (*buster*) system, run the following:
```shell
echo deb http://deb.debian.org/debian stretch-backports main \
| sudo tee /etc/apt/sources.list.d/backports.list
sudo apt update
sudo apt install golang bind9utils
sudo apt install -t stretch-backports ansible vagrant virtualbox
sudo apt install golang bind9utils ansible vagrant libvirt-daemon-system
go get -u git.autistici.org/ale/x509ca
go get -u git.autistici.org/ale/ed25519gen
export PATH=$PATH:$HOME/go/bin
```
Since the system's `libvirt` daemon will be used as Vagrant provider,
the user running *float* must belong to the `libvirt` UNIX group to be
able to talk to the daemon.
```shell
sudo usermod -a -G libvirt $USER
sg libvirt
```
Finally, on non-Debian systems it is important to verify that the
default Python installation is Python 2 and not Python 3: while we're
working on supporting both, this is not yet complete and *float* might
break when used with Python 3.
default Python installation is Python 3 and not Python 2. Running from a
virtual environment should work, as long as the *ansible* module is
available.
## Step 2: Set up a new environment
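Review bot: the new libvirt paragraph should say that membership in the `libvirt` group gives the user full control of the system libvirt daemon, which is effectively root on the host. Readers are told to run `sudo usermod -a -G libvirt $USER` without that context; one sentence recommending a dedicated or development-only account would cover it. It would also help to mention that `sg libvirt` starts a new shell, so the remaining steps have to be run from inside it.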
......
......@@ -194,7 +194,7 @@ strategy = mitogen_linear
NUM_HOSTS = %(num_hosts)d
Vagrant.configure(2) do |config|
config.vm.box = "debian/stretch64"
config.vm.box = "debian/buster64"
# Use the old insecure Vagrant SSH key for access.
config.ssh.insert_key = false
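Review bot: `config.ssh.insert_key = false` keeps the shared insecure Vagrant key on the new `debian/buster64` box, and the README in this same change moves the provider to libvirt. Please extend the comment to say that these VMs must only be reachable from the host, and consider pinning `config.vm.box_version` so that test environments are reproducible rather than tracking whatever box is current.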
......
deb http://deb.debian.org/debian stretch main contrib non-free
deb http://deb.debian.org/debian stretch-backports main
deb http://deb.debian.org/debian stretch-updates main contrib non-free
deb http://security.debian.org/ stretch/updates main contrib non-free
deb http://deb.debian.org/debian buster main contrib non-free
deb http://deb.debian.org/debian buster-backports main
deb http://deb.debian.org/debian buster-updates main contrib non-free
deb http://security.debian.org/ buster/updates main contrib non-free
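Review bot: `buster-backports` stays enabled here, while the rest of this change removes every `default_release: stretch-backports` from the roles. If nothing installs from backports any more, drop the line so hosts carry one package source less; if something still needs it, a comment naming the package would help.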
......@@ -5,7 +5,7 @@ Requires=mtail.socket
[Service]
Type=simple
# Systemd will pass mtail.socket as FD 3.
ExecStart=/usr/bin/mtail -progs /etc/mtail -logtostderr -port 3903 -logfds 3
ExecStart=/usr/bin/mtail -progs /etc/mtail -logtostderr -port 3903 -logs /proc/self/fd/3
Restart=on-failure
User=mtail
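Review bot: `-logs /proc/self/fd/3` makes mtail re-open the inherited descriptor by path, which only works if `mtail.socket` hands over a FIFO (`ListenFIFO=`); opening a `/proc/self/fd` entry that refers to a real socket fails with ENXIO. Please confirm against the socket unit, and add a short comment next to `ExecStart` saying why `-logfds 3` was dropped, since the existing comment only explains where FD 3 comes from.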
......
ARGS="--collectors.enabled=conntrack,diskstats,entropy,filefd,filesystem,loadavg,meminfo,netdev,netstat,sockstat,stat,systemd,textfile,time,uname,vmstat \
--collector.diskstats.ignored-devices=^(ram|loop|fd)\d+$ \
--collector.filesystem.ignored-mount-points=^/(sys|proc|dev|run)($|/) \
--collector.textfile.directory=/var/lib/prometheus/node-exporter \
--collector.systemd.unit-blacklist=^.*\.(device|swap|mount)$"
ARGS=""
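Review bot: setting `ARGS=""` also drops `--collector.textfile.directory=/var/lib/prometheus/node-exporter` and the explicit `systemd` collector. If any role writes textfile metrics to that directory or any alert depends on systemd unit state, please confirm that the packaged defaults on buster match, otherwise those metrics disappear silently. A comment stating that the defaults are relied on deliberately would make this easier to audit later.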
......@@ -60,7 +60,6 @@
state: present
vars:
packages:
- apt-transport-https
- unattended-upgrades
- rsync
- git
......
---
# Install rsyslog from the backports repository. This isn't strictly
# necessary but it is done to have the same version of rsyslog on all
# hosts, including the log-collector.
- name: Install rsyslog packages from backports
- name: Install rsyslog packages
apt:
name: "{{ packages }}"
default_release: stretch-backports
state: present
vars:
packages:
- rsyslog
- rsyslog-gnutls
# Bring in mtail 3.0 for bugfixes etc
- name: Install mtail from backports
- name: Install mtail packages
apt:
name: mtail
default_release: stretch-backports
state: present
- name: Install mtail systemd units
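Review bot: the task names no longer mention backports, so any of the surrounding comments that remain after this change ("Install rsyslog from the backports repository...", "Bring in mtail 3.0 for bugfixes etc") are stale and should be removed or reworded. The stated goal of running the same rsyslog version on all hosts including the log-collector now depends on every host being on buster, which is worth saying in the comment.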
......
# This file controls the configuration of the audit daemon. We are
# forwarding all audit logs to the central log collector via audispd.
#
# NOTE: the auditd version included in Debian stretch has a bug where
# the 'write_logs' option is not properly handled. See
# https://bugzilla.redhat.com/show_bug.cgi?id=1382397
# for details. This should be fixed in the next stable release.
#
write_logs = no
priority_boost = 4
flush = none
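Review bot: the NOTE says the `write_logs` option was not handled properly on stretch, so on buster `write_logs = no` presumably takes effect as written for the first time. That leaves no local copy of audit records, and anything audispd fails to forward to the collector is lost. Please confirm this is intended and update the comment to describe the buster behaviour instead of the stretch bug.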
......
......@@ -9,7 +9,7 @@
- name: Install docker.com package repository
apt_repository:
repo: "deb [arch=amd64] {% if apt_proxy is defined %}http://{{ apt_proxy }}/HTTPS/{% else %}https:{% endif %}//download.docker.com/linux/debian stretch stable"
repo: "deb [arch=amd64] {% if apt_proxy is defined %}http://{{ apt_proxy }}/HTTPS/{% else %}https:{% endif %}//download.docker.com/linux/debian buster stable"
state: present
- file:
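Review bot: the release name in the `repo:` string is still hardcoded, now as `buster`, so the next distribution upgrade will need this same edit again. Consider using `{{ ansible_distribution_release }}` here, or a single variable shared with the sources.list template, so the Docker repository cannot drift from the base system release.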
......
......@@ -5,7 +5,7 @@
system: yes
home: "/var/log/remote"
groups: ["log-collector-credentials"]
# Install logviewer, a very simple frontend to locally stored logs.
#- apt: name="logviewer" state="present"
......@@ -102,12 +102,10 @@
enabled: yes
masked: no
# Setup the rsyslog-collector instance. Needs packages from
# stretch-backports, to support modern versions of Elasticsearch.
- name: Install rsyslog-elasticsearch package from backports
# Setup the rsyslog-collector instance.
- name: Install rsyslog-elasticsearch
apt:
name: rsyslog-elasticsearch
default_release: stretch-backports
state: present
- name: Create the rsyslog-collector logs dir
file:
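Review bot: the removed comment gave a reason for backports ("to support modern versions of Elasticsearch"), and the new comment drops the reason along with `default_release`. Please note in the commit message or the comment that the `rsyslog-elasticsearch` version in buster main is recent enough for the Elasticsearch version this role deploys, so the requirement is not lost.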
......
......@@ -6,5 +6,5 @@ then hope that if there are multiple alertmanagers, they are all on
the same overlay network.
#}
ARGS="--web.external-url=https://alertmanager.{{ domain_public[0] }} --cluster.listen-address=:9094 --cluster.advertise-address={{ float_host_dns_map[inventory_hostname + '.prometheus'] | list | first }}:9094{% for h in groups['prometheus']|sort %}{% if h != inventory_hostname %} --cluster.peer={{ h }}.prometheus.{{ domain }}:9094{% endif %}{% endfor %}"
ARGS="--storage.path=/var/lib/prometheus/alertmanager --config.file=/etc/prometheus/alertmanager.yml --web.external-url=https://alertmanager.{{ domain_public[0] }} --cluster.listen-address=:9094 --cluster.advertise-address={{ float_host_dns_map[inventory_hostname + '.prometheus'] | list | first }}:9094{% for h in groups['prometheus']|sort %}{% if h != inventory_hostname %} --cluster.peer={{ h }}.prometheus.{{ domain }}:9094{% endif %}{% endfor %}"
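Review bot: the new `--storage.path=/var/lib/prometheus/alertmanager` and `--config.file=/etc/prometheus/alertmanager.yml` assume that directory exists and is writable by the alertmanager service user, and no task creating it is visible in this change. Please confirm the package or a role task provides it. Separately, this single-line `ARGS` is getting hard to review; building the peer list in a variable first would make later diffs readable.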