diff --git a/README.md b/README.md
index e69de29..19dbb7d 100644
--- a/README.md
+++ b/README.md
@@ -0,0 +1,4 @@
+# Description
+Configures and sets up the MON api. Includes attributes for log backups, ossec file watching and ossec rules.
+Also included is an icinga check for the service health check.
+
diff --git a/attributes/backup.rb b/attributes/backup.rb
new file mode 100644
index 0000000..f91142e
--- /dev/null
+++ b/attributes/backup.rb
@@ -0,0 +1,2 @@
+# Logs to backup
+node.default[:mon_log_backup][:logs][:som_api] = [ '/var/log/som-api/' ]
diff --git a/attributes/default.rb b/attributes/default.rb
new file mode 100644
index 0000000..a06b8ab
--- /dev/null
+++ b/attributes/default.rb
@@ -0,0 +1,2 @@
+node.default[:som_api][:group] = 'som_api'
+node.default[:som_api][:owner] = 'som_api'
diff --git a/attributes/ufw.rb b/attributes/ufw.rb
new file mode 100644
index 0000000..e39bc27
--- /dev/null
+++ b/attributes/ufw.rb
@@ -0,0 +1,14 @@
+default[:som_api][:firewall][:rules] = [
+ :https => {
+ :port => "443",
+ :protocol => "tcp"
+ },
+ :https_8080 => {
+ :port => "8080",
+ :protocol => "tcp"
+ },
+ :http_8081 => {
+ :port => "8081",
+ :protocol => "tcp"
+ }
+]
diff --git a/files/default/hpmiddleware-keystore-development.jks b/files/default/hpmiddleware-keystore-development.jks
new file mode 100644
index 0000000..340d991
Binary files /dev/null and b/files/default/hpmiddleware-keystore-development.jks differ
diff --git a/files/default/hpmiddleware-keystore-production.jks b/files/default/hpmiddleware-keystore-production.jks
new file mode 100644
index 0000000..2bf256e
Binary files /dev/null and b/files/default/hpmiddleware-keystore-production.jks differ
diff --git a/files/default/hpmiddleware-truststore.jks b/files/default/hpmiddleware-truststore.jks
new file mode 100644
index 0000000..e255ac0
Binary files /dev/null and b/files/default/hpmiddleware-truststore.jks differ
diff --git a/metadata.rb b/metadata.rb
new file mode 100644
index 0000000..cf4d63c
--- /dev/null
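Review bot: The backup path `/var/log/som-api/` registered under `node.default[:mon_log_backup][:logs][:som_api]` does not match the directory the recipe creates, `/var/log/mon-api`, so one of the two is wrong and the log backup will silently cover an empty or non-existent directory. The service-config template writes its logs to `/var/log/som-api/som-api.log`, which suggests the recipe's directory resource is the odd one out, but that is worth confirming against the name the packaged service actually uses. Whichever is chosen, the `:som_api` key here should follow the same naming as metadata.rb and the recipe (`mon_api`) so the entry is easy to find.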
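Review bot: These attributes are set under `node.default[:som_api]`, but the recipe reads `node[:mon_api][:owner]`, `node[:mon_api][:group]` and `node[:mon_api][:data_bag]`, and with nothing assigned under `:mon_api` the first of those lookups raises at compile time because `node[:mon_api]` is nil. attributes/ufw.rb uses the same `som_api` namespace, so the mismatch applies there too. Either rename the keys here to `node.default[:mon_api][:group]` / `node.default[:mon_api][:owner]` or change the recipe to read `:som_api`, and give `node.default[:mon_api][:data_bag]` a default value, since no attribute file in this commit defines it.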
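Review bot: The `:http_8081` rule opens the Dropwizard admin port to the network — service-config.yml.erb sets `adminPort: 8081` — and that interface typically serves health checks, metrics and operational tasks that should not be reachable from outside the host; restrict it to localhost or the monitoring hosts that run the icinga check, or drop the rule. The `:https_8080` entry is the target of the 443-to-8080 redirect added in the recipe, so a short comment such as `# receives traffic redirected from 443 by the nat rule in recipes/default.rb` (and a name like `:http_8080`, since the redirect is plain TCP) would make the intent clear. This file also uses `default[...]` while the other attribute files use `node.default[...]`; both work in attribute files, but pick one.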
+++ b/metadata.rb
@@ -0,0 +1,7 @@
+name 'mon_api'
+maintainer "MON Team"
+maintainer_email "hpcs-mon-som@hp.com"
+license "All rights reserved"
+description "Installs/Configures mon_api"
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version "0.0.1"
diff --git a/recipes/default.rb b/recipes/default.rb
new file mode 100644
index 0000000..e885495
--- /dev/null
+++ b/recipes/default.rb
@@ -0,0 +1,60 @@
+#require 'zlib'
+
+package 'mon-api' do
+ action :upgrade
+end
+
+service 'mon-api' do
+ action :enable
+ provider Chef::Provider::Service::Upstart
+end
+
+directory "/var/log/mon-api" do
+ recursive true
+ owner node[:mon_api][:owner]
+ group node[:mon_api][:group]
+ mode 0755
+ action :create
+end
+
+# Create the config file
+template '/etc/mon/mon-api-config.yml' do
+ action :create
+ owner 'root'
+ group node[:mon_api][:group]
+ mode '640'
+ source "service-config.yml.erb"
+ variables(
+ :creds => creds,
+ :keystore_pass => keystore_pass
+ )
+ notifies :restart, "service[som-api]"
+end
+
+
+credentials = data_bag_item(node[:mon_api][:data_bag], 'mon_credentials')
+setting = data_bag_item(node[:mon_api][:data_bag], 'mon_api')
+
+cookbook_file "/etc/ssl/hpmiddleware-keystore.jks" do
+ source creds[:keystore_file]
+ owner 'root'
+ group node[:mon_api][:group]
+ mode '640'
+end
+
+cookbook_file "/etc/ssl/hpmiddleware-truststore.jks" do
+ source "hpmiddleware-truststore.jks"
+ owner 'root'
+ group node[:mon_api][:group]
+ mode '640'
+end
+
+
+# Until dropwizard 0.7.0 there is no support for running on a privileged port as an unprivleged user, I work around this via ufw rules
+bash "nat 443 to 8080" do
+ action :run
+ code 'echo -e "*nat\n:PREROUTING ACCEPT [0:0]\n-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080\nCOMMIT" >> /etc/ufw/before.rules'
+ not_if "grep 'to-port 8080' /etc/ufw/before.rules"
+ notifies :restart, "service[ufw]"
+end
+
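Review bot: The `template '/etc/mon/mon-api-config.yml'` resource references `creds` and `keystore_pass` before either exists — the data bag items are loaded only afterwards, under the names `credentials` and `setting`, and `keystore_pass` is never assigned anywhere — so the recipe raises NameError at compile time; the keystore `cookbook_file` has the same `creds` problem, and `notifies :restart, "service[som-api]"` names a service that is not declared here (the resource is `service 'mon-api'`). The `notifies :restart, "service[ufw]"` in the bash resource likewise has no matching resource in this recipe, and metadata.rb declares no dependency that would provide one. Beyond making it converge: `mon_credentials` carries database and keystore passwords (see the `@creds[...]` lookups in the templates), so it should be loaded as an encrypted data bag item or from a secrets store rather than plain `data_bag_item`, and the `.jks` keystores committed under files/default should be delivered the same way instead of living in version control, particularly with `keystorePass: changeit` hard-coded in mon-service-config.yml.erb. Note also that `data_bag_item` returns string-keyed data in Chef, so the symbol lookups (`creds[:keystore_file]`, `@creds[:db][:password]`) likely evaluate to nil — worth confirming against how the bag is built.
```ruby
# Load secrets before any resource that reads them (switch to an encrypted item once the bag is converted).
credentials = data_bag_item(node[:mon_api][:data_bag], 'mon_credentials')
setting = data_bag_item(node[:mon_api][:data_bag], 'mon_api')
keystore_pass = credentials['<KEYSTORE_PASSWORD_KEY>'] # placeholder: the key name is not defined anywhere in this commit

# … unchanged: package, service, directory resources …

template '/etc/mon/mon-api-config.yml' do
  # … unchanged: action, owner, group, mode, source …
  variables(
    :creds => credentials,
    :keystore_pass => keystore_pass
  )
  notifies :restart, "service[mon-api]"
end

cookbook_file "/etc/ssl/hpmiddleware-keystore.jks" do
  source credentials[:keystore_file]
  # … unchanged: owner, group, mode …
end
```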
diff --git a/templates/default/ehCacheConfig.xml.erb b/templates/default/ehCacheConfig.xml.erb new file mode 100644 index 0000000..2b04151 --- /dev/null +++ b/templates/default/ehCacheConfig.xml.erb @@ -0,0 +1,25 @@ + + + + + + + + + \ No newline at end of file diff --git a/templates/default/mon-service-config.yml.erb b/templates/default/mon-service-config.yml.erb new file mode 100644 index 0000000..48bd679 --- /dev/null +++ b/templates/default/mon-service-config.yml.erb 
@@ -0,0 +1,68 @@
+# Whether this server is running on a secure port
+accessedViaHttps: false
+
+# Cloud service integration information
+cloudServices:
+ hpcs.compute:
+ version: 2 #1.1
+ # API URL format with an optional placeholder for AZ
+ urlFormat: https://region-b.geo-1.compute.hpcloudsvc.com/v2 # https://region-a.geo-1.compute.hpcloudsvc.com/v1.1
+ port: 80
+ hpcs.object-store:
+ version: 1.0
+ urlFormat: https://region-a.geo-1.objects.hpcloudsvc.com/v1.0 # https://region-a.geo-1.compute.hpcloudsvc.com/v1
+ port: 80
+
+# Identity (Control services)
+identityService:
+ url: <%=@creds['identyService']['url']%> #https://region-a.geo-1.identity.hpcloudsvc.com:35357/v2.0/tokens
+ username: <%=username%>
+ password: <%=password%>
+ tenantId: <%=tenantId%>
+
+# Topic for publishing metrics to
+metricsTopic: metrics
+
+# Topic for publishing domain events to
+eventsTopic: events
+
+kafka:
+ brokerUris:
+ - <%=@settings['kafka']['hostname']%>:9092
+ zookeeperUris:
+ - <%=@settings['kafka']['hostname']%>:2181
+ healthCheckTopic: healthcheck
+
+database:
+ driverClass: com.mysql.jdbc.Driver
+ url: jdbc:mysql://<%= @creds['mysql']['hostname']%>:3306/<%=@creds['mysql']['schema']%>?connectTimeout=5000&autoReconnect=true
+ user: <%=@creds['mysql']['username'] %>
+ password: <%=@creds['mysql']['password'] %>
+ maxWaitForConnection: 1s
+ validationQuery: "/* MyService Health Check */ SELECT 1"
+ minSize: 8
+ maxSize: 32
+ checkConnectionWhileIdle: false
+
+jerseyClient:
+ gzipEnabledForRequests: false
+
+middleware:
+ enabled: false
+ serviceIds: 100
+ endpointIds: 160
+ serverVIP: <%= @creds['middleware']['vip']%>
+ serverPort: 9543
+ connTimeout: 500
+ connSSLClientAuth: true
+ keystore: /etc/ssl/hpmiddleware-keystore.jks
+ keystorePass: changeit
+ truststore: /etc/ssl/hpmiddleware-truststore.jks
+ truststorePass: <%= @creds['middleware']['truststore_password'] %>
+ connPoolMaxActive: 3
+ connPoolMaxIdle: 3
+ connPoolEvictPeriod: 600000
+ connPoolMinIdleTime: 600000
+ connRetryTimes: 2
+ connRetryInterval: 50
+ rolesToMatch: [user, domainuser, domainadmin]
\ No newline at end of file
diff --git a/templates/default/service-config.yml.erb b/templates/default/service-config.yml.erb
new file mode 100644
index 0000000..17a9273
--- /dev/null
+++ b/templates/default/service-config.yml.erb
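Review bot: `username: <%=username%>`, `password: <%=password%>` and `tenantId: <%=tenantId%>` under `identityService` reference bare locals rather than template variables, so rendering raises NameError unless those values are passed in through `variables` and read as `@username`, `@password` and `@tenantId`; `@settings` is likewise never passed by the recipe, which in fact renders only service-config.yml.erb, so if this template is meant to be used it needs its own `template` resource with `:creds` and `:settings` in `variables`. `keystorePass: changeit` hard-codes a default password for the middleware keystore while `truststorePass` comes from the data bag; take the keystore password from the same credentials source, e.g. `keystorePass: <%= @creds['middleware']['<KEYSTORE_PASSWORD_KEY>'] %>` with the real key name substituted. `identyService` looks like a misspelling of `identityService` — fine if that is genuinely the data bag key, but worth checking. Secrets such as `password: <%=@creds['mysql']['password'] %>` are rendered unquoted, so a value containing `:` or `#` breaks the YAML; quote them as service-config.yml.erb does for its database password.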
@@ -0,0 +1,92 @@
+repositoryType: vertica
+useMiddleware: true
+
+roles:
+ users: [som-user,monitoring-user]
+ delegates: [som-delegate,monitoring-delegate]
+
+http:
+ port: 8080 #Note that until dropwizard 0.7.0 there is no support for privileged ports
+ adminPort: 8081
+ maxThreads: 1024
+ minThreads: 32
+ connectorType: nonblocking+ssl
+
+ contextParameters:
+ ServerVIP: <%= @creds[:context_params][:server_vip] %>
+ ServerPort: 35357
+ ConnTimeout: 500
+ ServiceIds: 230,260
+ Endpoints: 2301,2601,2602
+ ConnSSLClientAuth: True
+ Keystore: /etc/ssl/hpmiddleware-keystore.jks
+ KeystorePass: <%= @creds[:context_params][:keystore_password]%>
+ Truststore: /etc/ssl/hpmiddleware-truststore.jks
+ TruststorePass: <%= @creds[:context_params][:truststore_password] %>
+ ConnPoolMaxActive: 3
+ ConnPoolMaxIdle: 3
+ ConnPoolEvictPeriod: 60000
+ ConnPoolMinIdleTime: 90000
+ DelayAuthDecision: False
+ AuthVersion: v3
+ EHCacheConfig: ehCacheConfig.xml
+ ssl:
+ keyStore: /etc/ssl/som-api-keystore.jks
+ keyStorePassword: <%= @keystore_pass %>
+ supportedProtocols: ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
+
+ requestLog:
+ console:
+ enabled: false
+ file:
+ enabled: true
+ currentLogFilename: /var/log/som-api/requests.log
+ archivedLogFilenamePattern: /var/log/som-api/requests-%d.log.gz
+ archivedFileCount: 32
+
+database:
+ driverClass: com.vertica.jdbc.Driver
+ url: jdbc:vertica://<%= @creds[:db][:host][node[:fqdn]] %>:5433/som
+ user: <%= @creds[:db][:user] %>
+ password: "<%= @creds[:db][:password] %>"
+ properties:
+ charSet: UTF-8
+ ssl: true
+
+ # The maximum amount of time to wait on an empty pool before throwing an exception
+ maxWaitForConnection: 1s
+
+ # The SQL vertica to run when validating a connection's liveness
+ validationQuery: "/* MyService Health Check */ SELECT 1"
+
+ # The minimum number of connections to keep open
+ minSize: 8
+
+ # The maximum number of connections to keep open
+ maxSize: 64
+
+ # Whether or not idle connections should be validated
+ checkConnectionWhileIdle: false
+
+ # How long a connection must be held before it can be validated
+ checkConnectionHealthWhenIdleFor: 10s
+
+ # The maximum lifetime of an idle connection
+ closeConnectionIfIdleFor: 1 minute
+
+logging:
+ # Options: DEBUG, TRACE, WARN, INFO
+ level: INFO
+
+ console:
+ enabled: false
+
+ file:
+ enabled: true
+ # Do not write log statements below this threshold to the file
+ threshold: ALL
+ # The file to which statements will be logged
+ currentLogFilename: /var/log/som-api/som-api.log
+ archivedLogFilenamePattern: /var/log/som-api/som-api%d.log.gz
+ # The maximum number of log files to archive
+ archivedFileCount: 10
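Review bot: `supportedProtocols: ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]` offers SSLv3 (and the SSLv2 hello) on the main connector; SSLv3 is a broken protocol and should not be negotiable, so trim the list to `supportedProtocols: ["TLSv1.2"]`, adding `"TLSv1.1"` only if a known client still requires it. `adminPort: 8081` is opened to the network by attributes/ufw.rb; the admin connector should be bound to localhost or firewalled down to the monitoring hosts that run the health check. `KeystorePass`, `TruststorePass` and `user: <%= @creds[:db][:user] %>` are rendered unquoted while `password` is quoted; quoting every secret value keeps a `:` or `#` in the credential from breaking the YAML. The `@creds[:context_params]` / `@creds[:db]` symbol lookups depend on the data bag item being symbol-addressable, which plain `data_bag_item` in Chef does not guarantee — worth confirming with the recipe author.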