Commit 55081f3a authored by HgO's avatar HgO

Merge branch '128-installer-version-plus-recente-de-prometheus-et-alertmanager' into 'main'

Resolve "Installer version plus récente de Prometheus et Alertmanager"

Closes #128

See merge request Neutrinet/infra!170
parents 44b3ec63 9a23f473
alertmanager_version: 0.23.0
alertmanager_smtp_host: mail.neutri.net
alertmanager_smtp_port: 587
alertmanager_smtp_require_tls: true
......
telegraf_prometheus_client_listen_address: localhost
prometheus_version: 2.33.3
prometheus_username: prometheus
prometheus_password: "{{ vault_prometheus_password }}"
......
alertmanager_version: 0.23.0
alertmanager_smtp_host: localhost
alertmanager_smtp_port: 25
alertmanager_smtp_require_tls: false
......
......@@ -22,7 +22,6 @@ ProtectControlGroups=true
ProtectHome=true
ProtectKernelTunables=true
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectClock=true
......@@ -33,7 +32,6 @@ RestrictNamespaces=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=true
PrivateTmp=true
PrivateUsers=true
RemoveIPC=true
......
......@@ -4,7 +4,7 @@
- name: restart alertmanager
service:
name: prometheus-alertmanager
name: alertmanager
state: restarted
- name: restart matrix-goneb
......@@ -19,5 +19,5 @@
- name: reload alertmanager
service:
name: prometheus-alertmanager
name: alertmanager
state: reloaded
- name: Création des dossiers d'Alertmanager
file:
path: "{{ alertmanager_dir }}"
owner: alertmanager
group: alertmanager
mode: "u=rwx,g=rx,o="
state: directory
loop:
- /opt/alertamanager
- /opt/alertmanager/{{ alertmanager_version }}
- /etc/alertmanager
- /etc/alertmanager/templates
- /var/lib/alertmanager
loop_control:
loop_var: alertmanager_dir
- name: Création du dossier des archives d'Alertmanager
file:
path: /usr/local/src/alertmanager
owner: root
group: root
mode: "u=rwx,g=rx,o="
state: directory
- name: Téléchargement de l'archive d'Alertmanager v{{ alertmanager_version }}
get_url:
url: https://github.com/prometheus/alertmanager/releases/download/v{{ alertmanager_version }}/alertmanager-{{ alertmanager_version }}.linux-amd64.tar.gz
dest: /usr/local/src/alertmanager/{{ alertmanager_version }}.tar.gz
owner: root
group: root
mode: "u=rw,go=r"
checksum: "sha256:https://github.com/prometheus/alertmanager/releases/download/v{{ alertmanager_version }}/sha256sums.txt"
- name: Décompression de l'archive
unarchive:
src: /usr/local/src/alertmanager/{{ alertmanager_version }}.tar.gz
dest: /opt/alertmanager/{{ alertmanager_version }}
creates: /opt/alertmanager/{{ alertmanager_version }}/alertmanager
remote_src: true
extra_opts:
- --strip-components=1
owner: alertmanager
group: alertmanager
- name: Création du lien symbolique pour les binaires d'Alertmanager
file:
src: /opt/alertmanager/{{ alertmanager_version }}/{{ alertmanager_bin }}
dest: /usr/local/bin/{{ alertmanager_bin }}
state: link
loop:
- alertmanager
- amtool
loop_control:
loop_var: alertmanager_bin
notify: restart alertmanager
- name: Configuration du template des notifications mail
copy:
src: alertmanager/email.tmpl
dest: /etc/alertmanager/templates/email.tmpl
owner: alertmanager
group: alertmanager
mode: "u=rw,go=r"
notify: reload alertmanager
- name: Configuration d'Alertmanager
template:
src: alertmanager/alertmanager.yml.j2
dest: /etc/alertmanager/alertmanager.yml
owner: alertmanager
group: alertmanager
mode: "u=rw,g=r,o="
validate: amtool check-config %s
notify: reload alertmanager
- name: Configuration du service systemd
template:
src: systemd/alertmanager.service.j2
dest: /etc/systemd/system/alertmanager.service
owner: root
group: root
mode: "u=rw,go=r"
notify:
- reload systemd
- restart alertmanager
- name: Activation d'Alertmanager au démarrage
service:
name: alertmanager
state: started
enabled: true
- name: Ajout du job alertmanager dans Prometheus
copy:
src: prometheus/alertmanager.yml
dest: /etc/prometheus/conf.d/alertmanager.yml
owner: prometheus
group: prometheus
mode: "u=rw,go=r"
notify: reload prometheus
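Review bot: The directory loop in "Création des dossiers d'Alertmanager" has a typo — `- /opt/alertamanager` — so every run creates a stray, unused `/opt/alertamanager` directory while the real `/opt/alertmanager` only gets its ownership/mode as a side effect of creating the versioned path beneath it; the entry should read `- /opt/alertmanager`. The unarchive step then hands the extracted tree to the service account (`owner: alertmanager` / `group: alertmanager`), so the process runs a binary that its own uid is allowed to rewrite; the service only needs read and execute, and `owner: root` / `group: root` on the unarchive (as already done for `/usr/local/src/alertmanager`) is the least-privilege choice. Also note that `sha256sums.txt` is fetched from the same GitHub release as the tarball, so the `checksum:` catches a corrupted download but not a substituted release; pinning the expected digest in the role's vars would close that gap.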
- name: Récupération de la liste des dossiers d'installation
find:
path: /opt/alertmanager
file_type: directory
use_regex: true
recurse: false
pattern: '^[0-9]+\.[0-9]+\.[0-9]+$'
register: _alertmanager_installed_dirs
- name: Récupération de la liste des archives
find:
path: /usr/local/src/alertmanager
file_type: file
use_regex: true
recurse: false
pattern: '^[0-9]+\.[0-9]+\.[0-9]+\.tar\.gz$'
register: _alertmanager_archives
- name: Récupération de la plus ancienne version et de la version courante
set_fact:
alertmanager_oldest_archive: "{{ alertmanager_sorted_archives | first }}"
alertmanager_oldest_install_dir: "{{ alertmanager_sorted_install_dirs | first }}"
alertmanager_oldest_version: "{{ alertmanager_sorted_install_dirs | first | basename }}"
vars:
alertmanager_sorted_archives: |-
{{ _alertmanager_archives.files
| map(attribute='path')
| community.general.version_sort }}
alertmanager_sorted_install_dirs: |-
{{ _alertmanager_installed_dirs.files
| map(attribute='path')
| community.general.version_sort }}
- name: Suppression de la plus ancienne version (v{{ alertmanager_oldest_version }})
file:
state: absent
path: "{{ alertmanager_oldest_install_dir }}"
when: _alertmanager_installed_dirs.files | length > 5
- name: Suppression de la plus ancienne archive
file:
state: absent
path: "{{ alertmanager_oldest_archive }}"
when: _alertmanager_archives.files | length > 5
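Review bot: The `set_fact` task evaluates `| first` unconditionally, so on a host where `/usr/local/src/alertmanager` or `/opt/alertmanager` has no matching entry (for example a run limited to `--tags cleanup` before any install) the empty-sequence `first` fails the play even though both delete tasks would have been skipped; give the `set_fact` the same `length > 5` guard or use `| first | default('')`. The oldest-directory deletion also never checks that it is not removing the version `/usr/local/bin/alertmanager` currently points at, which matters after a downgrade: add `and alertmanager_oldest_version != alertmanager_version` to the `when` of "Suppression de la plus ancienne version", otherwise a sixth retained version would silently leave a dangling symlink and a failing service.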
- name: Installation d'Alertmanager
package:
name: prometheus-alertmanager
state: present
- import_tasks: user.yml
tags: ['user']
- name: Configuration de l'environnement d'Alertmanager
template:
src: alertmanager/alertmanager.env.j2
dest: /etc/default/prometheus-alertmanager
owner: root
group: root
mode: "u=rw,g=r,o=r"
notify: restart alertmanager
- import_tasks: alertmanager.yml
tags: ['alertmanager']
- name: Configuration du template des notifications mail
copy:
src: alertmanager/email.tmpl
dest: /etc/prometheus/alertmanager_templates/email.tmpl
owner: root
group: root
mode: "u=rw,go=r"
notify: reload alertmanager
- import_tasks: cleanup.yml
tags: ['cleanup']
- name: Configuration d'Alertmanager
template:
src: alertmanager/alertmanager.yml.j2
dest: /etc/prometheus/alertmanager.yml
owner: prometheus
group: prometheus
mode: "u=rw,g=r,o="
validate: amtool check-config %s
notify: reload alertmanager
- name: Activation d'Alertmanager au démarrage
service:
name: prometheus-alertmanager
state: started
enabled: true
- name: Ajout du job alertmanager dans Prometheus
copy:
src: prometheus/alertmanager.yml
dest: /etc/prometheus/conf.d/alertmanager.yml
owner: prometheus
group: prometheus
mode: "u=rw,go=r"
notify: reload prometheus
- name: Création du dossier des alertes
file:
path: /etc/prometheus/rules.d
owner: prometheus
group: prometheus
mode: "u=rwx,g=rx,o="
state: directory
- name: Copie des alertes de base
copy:
src: alertmanager/base.rules
dest: /etc/prometheus/rules.d/base.rules
owner: root
group: root
mode: "u=rw,go=r"
validate: promtool check rules %s
notify: reload prometheus
- import_tasks: rules.yml
tags: ['rules']
- name: Installation de matrix-goneb
import_tasks: matrix-goneb.yml
......
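Review bot: Nothing on the new side of this task list removes the distro `prometheus-alertmanager` package — the `package: name: prometheus-alertmanager state: present` task reads as the removed side, but hosts that were provisioned from it keep the packaged binary, its packaged unit file and `/etc/default/prometheus-alertmanager` next to the new `/usr/local/bin` install, and that second copy could keep receiving distro updates nobody is tracking. A migration task with `package: name: prometheus-alertmanager state: absent` (plus `file: state: absent` on the old env file and `/etc/prometheus/alertmanager.yml`) would make the switch explicit and idempotent. If the package task is in fact retained, the two installs would compete for the `alertmanager`/`amtool` names in PATH, which deserves a comment either way.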
- name: Création du dossier des alertes
file:
path: /etc/prometheus/rules.d
owner: prometheus
group: prometheus
mode: "u=rwx,g=rx,o="
state: directory
- name: Copie des alertes de base
copy:
src: alertmanager/base.rules
dest: /etc/prometheus/rules.d/base.rules
owner: root
group: root
mode: "u=rw,go=r"
validate: promtool check rules %s
notify: reload prometheus
- name: Création de l'utilisateur pour Alertmanager
user:
name: alertmanager
home: /opt/alertmanager
shell: /sbin/nologin
system: true
state: present
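Review bot: The user module creates the home directory by default when `home` is given, so this task makes `/opt/alertmanager` — the install tree — a `useradd -m` home owned by the service account before the tasks that set its intended mode run. A system account that never logs in needs no home at all: add `create_home: false` (keeping `home: /opt/alertmanager` or pointing it at `/nonexistent`). `shell: /sbin/nologin` is also worth a second look — on non-usrmerge Debian hosts the binary is `/usr/sbin/nologin`, so that path is the safer choice if such hosts are in the inventory.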
{{ ansible_managed | comment }}
ARGS="--web.listen-address='localhost:9093' --cluster.listen-address="
# Run prometheus-alertmanager -h to view available options.
# --web.listen-address=":9093"
# Address to listen on for the web interface and API.
......@@ -14,7 +14,7 @@ global:
# The directory from which notification templates are read.
templates:
- /etc/prometheus/alertmanager_templates/*.tmpl
- /etc/alertmanager/templates/*.tmpl
# The root route on which each incoming alert enters.
route:
......
{{ ansible_managed | comment }}
[Unit]
Description=Alertmanager
After=network.target
[Service]
Type=simple
User=alertmanager
Group=alertmanager
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/local/bin/alertmanager \
--config.file=/etc/alertmanager/alertmanager.yml \
--storage.path=/var/lib/alertmanager \
--web.listen-address='localhost:9093' \
--cluster.listen-address=
Restart=always
RestartSec=5
# Systemd hardening
ReadWriteDirectories=/var/lib/alertmanager
CapabilityBoundingSet=
LockPersonality=true
NoNewPrivileges=true
MemoryDenyWriteExecute=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
RemoveIPC=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictSUIDSGID=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
PrivateUsers=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true
ProtectProc=noaccess
ProtectSystem=strict
SystemCallFilter=@system-service
[Install]
WantedBy=multi-user.target
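Review bot: `ReadWriteDirectories=` is the deprecated spelling; systemd documents `ReadWritePaths=/var/lib/alertmanager` as the current directive, and since `ProtectSystem=strict` makes the rest of the filesystem read-only this is the only writable path the unit grants — a comment saying so would help the next maintainer. Two cheap additions fit the existing hardening set: `SystemCallArchitectures=native` next to `SystemCallFilter=@system-service`, and `UMask=0077` so the silence and notification-log state written under `--storage.path` is not created group/world-readable by default. `ProtectProc=noaccess` requires systemd 247 or newer; if older hosts exist in the inventory the template should guard it or document the requirement.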
prometheus_version: 2.33.3
prometheus_federation_hosts:
- prometheus.example.com
prometheus_telegraf_hosts: "{{ groups.all }}"
......
- name: reload systemd
systemd:
daemon_reload: true
- name: restart prometheus
service:
name: prometheus
state: restarted
- name: restart alertmanager
service:
name: prometheus-alertmanager
state: restarted
- name: reload prometheus
service:
name: prometheus
state: reloaded
- name: reload alertmanager
service:
name: prometheus-alertmanager
state: reloaded
- name: Récupération de la liste des dossiers d'installation
find:
path: /opt/prometheus
file_type: directory
use_regex: true
recurse: false
pattern: '^[0-9]+\.[0-9]+\.[0-9]+$'
register: _prometheus_installed_dirs
- name: Récupération de la liste des archives
find:
path: /usr/local/src/prometheus
file_type: file
use_regex: true
recurse: false
pattern: '^[0-9]+\.[0-9]+\.[0-9]+\.tar\.gz$'
register: _prometheus_archives
- name: Récupération de la plus ancienne version et de la version courante
set_fact:
prometheus_oldest_archive: "{{ prometheus_sorted_archives | first }}"
prometheus_oldest_install_dir: "{{ prometheus_sorted_install_dirs | first }}"
prometheus_oldest_version: "{{ prometheus_sorted_install_dirs | first | basename }}"
vars:
prometheus_sorted_archives: |-
{{ _prometheus_archives.files
| map(attribute='path')
| community.general.version_sort }}
prometheus_sorted_install_dirs: |-
{{ _prometheus_installed_dirs.files
| map(attribute='path')
| community.general.version_sort }}
- name: Suppression de la plus ancienne version (v{{ prometheus_oldest_version }})
file:
state: absent
path: "{{ prometheus_oldest_install_dir }}"
when: _prometheus_installed_dirs.files | length > 5
- name: Suppression de la plus ancienne archive
file:
state: absent
path: "{{ prometheus_oldest_archive }}"
when: _prometheus_archives.files | length > 5
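Review bot: The `when: ... | length > 5` guards only the two delete tasks, while the `set_fact` before them runs `| first` on both lists unconditionally and fails on an empty sequence — a `--tags cleanup` run against a host with no archives yet would abort the play; guard the `set_fact` the same way or use `| first | default('')`. The removal of the oldest `/opt/prometheus/<version>` directory also does not exclude the version `/usr/local/bin/prometheus` currently resolves to, so after a downgrade the symlink could be left dangling; `and prometheus_oldest_version != prometheus_version` in that `when` prevents it.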
- name: Installation de Prometheus
package:
name: prometheus
state: present
- import_tasks: user.yml
tags: ['user']
- name: Configuration de l'environnement de Prometheus
template:
src: prometheus/prometheus.env.j2
dest: /etc/default/prometheus
owner: root
group: root
mode: "u=rw,g=r,o=r"
notify: restart prometheus
- import_tasks: prometheus.yml
tags: ['prometheus']
- name: Configuration de Prometheus
template:
src: prometheus/prometheus.yml.j2
dest: /etc/prometheus/prometheus.yml
owner: prometheus
group: prometheus
mode: "u=rw,g=r,o="
validate: promtool check config %s
notify: reload prometheus
- name: Création du répertoire des jobs
file:
path: /etc/prometheus/conf.d
owner: prometheus
group: prometheus
mode: "u=rwx,go=rx"
state: directory
- name: Activation de Prometheus au démarrage
service:
name: prometheus
state: started
enabled: true
- name: Trigger Prometheus handlers
meta: flush_handlers
- import_tasks: cleanup.yml
tags: ['cleanup']
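Review bot: The task list no longer appears to ensure the distro `prometheus` package is gone — the `package: name: prometheus state: present` task reads as the removed side, and the deleted `prometheus.env.j2` confirms the move away from the packaged layout — but hosts installed from that package keep its binary, unit file and `/etc/default/prometheus` alongside the new `/usr/local/bin/prometheus`. An explicit `package: name: prometheus state: absent` (and `file: state: absent` on `/etc/default/prometheus`) would make the migration idempotent and avoid two `promtool` binaries in PATH; `validate: promtool check config %s` picks whichever PATH resolves first. If the package is intentionally kept, that decision should be documented in this file.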
- name: Création des dossiers de Prometheus
file:
path: "{{ prometheus_dir }}"
owner: prometheus
group: prometheus
mode: "u=rwx,g=rx,o="
state: directory
loop:
- /opt/prometheus
- /opt/prometheus/{{ prometheus_version }}
- /etc/prometheus
- /var/lib/prometheus
loop_control:
loop_var: prometheus_dir
- name: Création du dossier des archives Prometheus
file:
path: /usr/local/src/prometheus
owner: root
group: root
mode: "u=rwx,g=rx,o="
state: directory
- name: Téléchargement de l'archive Prometheus v{{ prometheus_version }}
get_url:
url: https://github.com/prometheus/prometheus/releases/download/v{{ prometheus_version }}/prometheus-{{ prometheus_version }}.linux-amd64.tar.gz
dest: /usr/local/src/prometheus/{{ prometheus_version }}.tar.gz
owner: root
group: root
mode: "u=rw,go=r"
checksum: "sha256:https://github.com/prometheus/prometheus/releases/download/v{{ prometheus_version }}/sha256sums.txt"
- name: Décompression de l'archive
unarchive:
src: /usr/local/src/prometheus/{{ prometheus_version }}.tar.gz
dest: /opt/prometheus/{{ prometheus_version }}
creates: /opt/prometheus/{{ prometheus_version }}/prometheus
remote_src: true
extra_opts:
- --strip-components=1
owner: prometheus
group: prometheus
- name: Création du lien symbolique pour les binaires de Prometheus
file:
src: /opt/prometheus/{{ prometheus_version }}/{{ prometheus_bin }}
dest: /usr/local/bin/{{ prometheus_bin }}
state: link
loop:
- prometheus
- promtool
loop_control:
loop_var: prometheus_bin
notify: restart prometheus
- name: Configuration de Prometheus
template:
src: prometheus/prometheus.yml.j2
dest: /etc/prometheus/prometheus.yml
owner: prometheus
group: prometheus
mode: "u=rw,g=r,o="
validate: promtool check config %s
notify: reload prometheus
- name: Création du répertoire des jobs
file:
path: /etc/prometheus/conf.d
owner: prometheus
group: prometheus
mode: "u=rwx,go=rx"
state: directory
- name: Configuration du service systemd
template:
src: systemd/prometheus.service.j2
dest: /etc/systemd/system/prometheus.service
owner: root
group: root
mode: "u=rw,go=r"
notify:
- reload systemd
- restart prometheus
- name: Activation de Prometheus au démarrage
service:
name: prometheus
state: started
enabled: true
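Review bot: The unarchive step gives the extracted Prometheus tree to `owner: prometheus` / `group: prometheus`, so the service account owns the binary that `/usr/local/bin/prometheus` resolves to and could rewrite it from any process running as that uid outside the systemd sandbox; `owner: root` / `group: root` (read and execute are all the service needs) matches what is already done for `/usr/local/src/prometheus`. `/etc/prometheus/conf.d` is created with `mode: "u=rwx,go=rx"` while its parent `/etc/prometheus` and `prometheus.yml` are `o=`; any scrape job dropped into conf.d with `basic_auth` credentials (the inventory does define a `prometheus_password`) would be readable by every local user, so `mode: "u=rwx,g=rx,o="` keeps the directory consistent with its parent. As with the Alertmanager role, `sha256sums.txt` comes from the same release page as the tarball and only protects against a corrupted download, not a replaced release.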
- name: Création de l'utilisateur prometheus
user:
name: prometheus
home: /opt/prometheus
shell: /sbin/nologin
system: true
state: present
{{ ansible_managed | comment }}
ARGS="--storage.tsdb.retention={{ prometheus_storage_retention }} --web.listen-address='localhost:9090'"
# Run prometheus -h to view available options.
# --web.listen-address="0.0.0.0:9090"
# Address to listen on for UI, API, and telemetry.
# --storage.tsdb.retention=15d
# How long to retain samples in the storage.