OSMC 2019 | Directing the Director by Martin Schurz

DIRECTING THE DIRECTORDIRECTING THE DIRECTOR

T-Systems
15 years experience
monitoring
automation
databases
performance & debugging
ABOUT MEABOUT ME

WHAT CAN YOU EXPECTWHAT CAN YOU EXPECT
a little bit of history
implementing a monitoring system
the user perspective
some Ansible code
(live demo)

STARTING POINTSTARTING POINT
three years ago

three years ago
one central monitoring system

three years ago
central team handles all changes

three years ago
central team handles all changes
monitoring is requested and then implemeneted

WHAT DO WE WANT?WHAT DO WE WANT?
Monitoring as a Service …

… for our projects

… for our projects
… and our customers

THE FIRST TRY ™THE FIRST TRY ™

DOCKER WITHOUT BASH SCRIPTSDOCKER WITHOUT BASH SCRIPTS
Possible through Packer and Ansible

SHOW ME SOME CODESHOW ME SOME CODE

KUBERNETESKUBERNETES
did you just say cloud?

KUBERNETESKUBERNETES
did you just say cloud?
don’t ask me, I’m just a happy user

NOW WE HAVE A SAAS MONITORINGNOW WE HAVE A SAAS MONITORING
central team keeps up with all updates
also found some bugs in icinga and other software
a good self-service solution

THERE IS MORE TO ITTHERE IS MORE TO IT
central team supports our projects with consulting
shared knowledgebase
and a library of default checks and dashboards
also helping with migrations

BUT DO YOU ACTUALLY USE THIS?BUT DO YOU ACTUALLY USE THIS?

currently running 37 instances

which support 94 different projects

which support 94 different projects
but still most old projects on SNMP/NRPE :(

DECENTRALIZED CHALLENGESDECENTRALIZED CHALLENGES
teams need synchronization
individual solutions need discussions
talk …

DECENTRALIZED CHALLENGESDECENTRALIZED CHALLENGES
teams need synchronization
individual solutions need discussions
talk … A LOT

OLD HABBITS DIE SLOWLYOLD HABBITS DIE SLOWLY
SNMP and NRPE still deeply embedded
self-service alone is insufﬁcient, also need enablement
Icinga Director is a good starting point

BUT THEN, THINGS HAPPENBUT THEN, THINGS HAPPEN

IF YOU BUILD IT, THEY WILL COMEIF YOU BUILD IT, THEY WILL COME
Hmm, we are con guring our servers with
Ansible. Why not con gure Icinga too?

LOOKING INTO UPSTREAMLOOKING INTO UPSTREAM
searching for an Ansible module to manage our
conﬁguration
there is an icinga2_host module, but no module uses
the Director API
:(

ROLL OUR OWNROLL OUR OWN
our implementation uses Ansible uri module

- name: see if service template already exists
uri:
headers:
Accept: application/json
url: "{{ icinga_host }}/director/service?
name={{ item.name }}"
method: GET
user: "{{ icinga_user }}"
password: "{{ icinga_pass }}"
return_content: yes
register: service_template_presence
with_items: "{{ checks }}"
failed_when: false

- name: create service template if it does not exist
uri:
headers:
url: "{{ icinga_host }}/director/service"
method: POST
body: '{"check_command":"{{ item.item.check_command }}","obje
body_format: json
return_content: yes
register: service_template_created
with_items: "{{ service_template_presence.results }}"
when: "'error' in item.content"
changed_when: service_template_created.status == 201
failed when: service template created status != 201

- name: modify service template if it does exist
uri:
headers:
url: "{{ icinga_host }}/director/service?name={{ item.item.nam
method: POST
body: '{"check_command":"{{ item.item.check_command }}","obje
body_format: json
return_content: yes
register: service_template_modified
with_items: "{{ service_template_presence.results }}"
when: "'error' not in item.content"
changed_when: service_template_modified.status == 200
failed when: service template modified status != 200

IMPLEMENTED FOR ALL ICINGA OBJECTSIMPLEMENTED FOR ALL ICINGA OBJECTS
Hosts
Services
Vars
Apply Rules
Users
Templates

CREATING AN APPLY RULECREATING AN APPLY RULE

- object_name: tomcat_user_processes
object_type: apply
imports:
- check_user_procs
assign_filter: "host.vars.tomcat_port=true"
vars:
username: "tomcat"
warning: "50"
critical: "80"

CREATED A ANSIBLE ROLE FOR SHARINGCREATED A ANSIBLE ROLE FOR SHARING

DISCOVERED SOME PROBLEMSDISCOVERED SOME PROBLEMS
complex configuration in a single file
no delete feature implemented
assign_filter has to be specified for every Rule

.
├── apply_rules
│ └── srv
│ ├── all.yml
│ ├── web.yml
│ ├── db.yml
│ ├── int
│ │ ├── all.yml
│ │ ├── db
│ │ │ └── 01.yml
├── icinga_command.yml
├── icinga_hostgroups.yml
├── icinga_hosttemplates.yml
├── icinga_notification.yml
├── icinga_service_template.yml
├── icinga timeperiods yml

WHAT IS GAINEDWHAT IS GAINED
hierarchical host configuration
short and concise configuration files
reuse of initial ansible tasks
deleting objects now possible

WHAT IS LEFTWHAT IS LEFT
needs to get faster
use a full ﬂedged Ansible module
publish this to upstream

WAIT, THERE’S MOREWAIT, THERE’S MORE

SETTING DOWNTIMES WITH ANSIBLESETTING DOWNTIMES WITH ANSIBLE
- hosts: webserver
tasks:
- name: set downtime
icinga_downtime:
dt_task: "add"
type: "Service"
comment: "Deployment Application"
duration: "7200"
author: "ansible-playbook"
service:
- "tomcat_status_check"
- "tomcat_user_open_files"

DELETING DOWNTIMES WITH ANSIBLEDELETING DOWNTIMES WITH ANSIBLE
- hosts: webserver
tasks:
- name: remove downtime
icinga_downtime:
dt_task: "remove"
type: "Service"
comment: "Deployment Application"
duration: "7200"
author: "ansible-playbook"
service:
- "tomcat_status_check"
- "tomcat_user_open_files"

TALKING ABOUT NOTIFICATIONS …TALKING ABOUT NOTIFICATIONS …
we want all our production hosts and services to notify
us on failure 24x7

us on failure 24x7
really all services?

us on failure 24x7
really all services?
what about ntp or sssd

ICINGA TEXT CONFIGURATIONICINGA TEXT CONFIGURATION
assign where "Live" in host.groups && !(
match("oracle_soft_parse_ratio_*", service.name) ||
match("oracle_connected_users_*", service.name) ||
match("oracle_switch_interval_*", service.name))

NOW THE JSON VERSIONNOW THE JSON VERSION
assign_filter: "host.groups=%22Live%22&!(
service.name=%22oracle_soft_parse_ratio_%2A%22|
service.name=%22oracle_connected_users_%2A%22|
service.name=%22oracle_switch_interval_%2A%22)"

ACCEPTING THE REALITYACCEPTING THE REALITY
that will not work for long
really error prone
one typo can mix up all of our notiﬁcations!

ACCEPTING THE REALITYACCEPTING THE REALITY
that will not work for long
really error prone
one typo can mix up all of our notiﬁcations!
so this needs to be auto-generated

INPUTINPUT
voice_exempt:
- hostname: db
servicename: oracle_soft
- hostname: web
servicename: http_hits

PROCESSPROCESS
- name: generate single strings for exeptions
set_fact:
args:
voice_exempt_strings:
"{{ voice_exempt_strings|default([]) +
[ '("' + item.hostname + '" in host.display_name and
"' + item.servicename + '" in service.display_name)'
] }}"
with_items: "{{voice_exempt}}"

OUTPUTOUTPUT
# echo with debug module
msg: '( "db" in host.display_name and
"oracle_soft" in service.display_name)
&&
( "web" in host.display_name and
"http_hits" in service.display_name)
)'

RESULTRESULT
easy conﬁguration
understandable array for exceptions

RESULTRESULT
easy conﬁguration
not so understandable rule for transforming :/

RESULTRESULT
easy conﬁguration
not so understandable rule for transforming :/
that we never need to touch :)

WHAT DID WE LEARNWHAT DID WE LEARN
encourage sharing (internal and external)
Ansible is awesome
trust!

THANKS!THANKS!
QUESTIONS?QUESTIONS?

OSMC 2019 | Directing the Director by Martin Schurz

OSMC 2019 | Directing the Director by Martin Schurz

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to OSMC 2019 | Directing the Director by Martin Schurz

Similar to OSMC 2019 | Directing the Director by Martin Schurz (20)

Recently uploaded

Recently uploaded (20)

OSMC 2019 | Directing the Director by Martin Schurz