nagios-promoo 1.1.0 → 1.2.0

data/lib/nagios/promoo/appdb/probes/sync_probe.rb

@@ -0,0 +1,179 @@
+# Internal deps
+require File.join(File.dirname(__FILE__), 'base_probe')
+
+module Nagios
+  module Promoo
+    module Appdb
+      module Probes
+        # Probe for checking appliance synchronization between sites and AppDB.
+        #
+        # @author Boris Parak <parak@cesnet.cz>
+        class SyncProbe < Nagios::Promoo::Appdb::Probes::BaseProbe
+          class << self
+            def description
+              [
+                'sync',
+                'Run a probe checking consistency between a published VO-wide ' \
+                'image list and appliances available at the site (via AppDB)'
+              ]
+            end
+
+            def options
+              [
+                [
+                  :vo,
+                  {
+                    type: :string,
+                    required: true,
+                    desc: 'Virtual Organization name (used to select the appropriate VO-wide image list)'
+                  }
+                ],
+                [
+                  :token,
+                  {
+                    type: :string,
+                    required: true,
+                    desc: 'AppDB authentication token (used to access the VO-wide image list)'
+                  }
+                ],
+                [
+                  :warning_after,
+                  {
+                    type: :numeric,
+                    default: 24,
+                    desc: 'A number of hours after list publication when missing or outdated appliances raise WARNING'
+                  }
+                ],
+                [
+                  :critical_after,
+                  {
+                    type: :numeric,
+                    default: 72,
+                    desc: 'A number of hours after list publication when missing or outdated appliances raise CRITICAL'
+                  }
+                ]
+              ]
+            end
+
+            def declaration
+              'sync'
+            end
+
+            def runnable?
+              true
+            end
+          end
+
+          IMAGE_LIST_TEMPLATE = 'https://$$TOKEN$$:x-oauth-basic@vmcaster.appdb.egi.eu' \
+                                '/store/vo/$$VO$$/image.list'.freeze
+
+          def run(_args = [])
+            @_results = { found: [], outdated: [], missing: [], expected: [] }
+
+            Timeout.timeout(options[:timeout]) { check_vmc_sync }
+
+            wrong = @_results[:missing] + @_results[:outdated]
+            if wrong.any?
+              if (@_last_update + options[:critical_after].hours) < Time.now
+                puts "SYNC CRITICAL - Appliance(s) #{wrong.inspect} missing " \
+                     "or outdated in #{options[:vo].inspect} " \
+                     "more than #{options[:critical_after]} hours after list publication [#{@_last_update}]"
+                exit 2
+              end
+
+              if (@_last_update + options[:warning_after].hours) < Time.now
+                puts "SYNC WARNING - Appliance(s) #{wrong.inspect} missing " \
+                     "or outdated in #{options[:vo].inspect} " \
+                     "more than #{options[:warning_after]} hours after list publication [#{@_last_update}]"
+                exit 1
+              end
+            end
+
+            puts "SYNC OK - All appliances registered in #{options[:vo].inspect} " \
+                 "are available [#{@_results[:expected].count}]"
+          rescue => ex
+            puts "SYNC UNKNOWN - #{ex.message}"
+            puts ex.backtrace if options[:debug]
+            exit 3
+          end
+
+          private
+
+          def check_vmc_sync
+            vo_list.each do |hv_image|
+              mpuri_versionless = versionless_mpuri(hv_image['ad:mpuri'])
+              @_results[:expected] << mpuri_versionless
+
+              matching = provider_appliances.detect { |appl| appl['mp_uri'] == mpuri_versionless }
+              unless matching
+                @_results[:missing] << mpuri_versionless
+                next
+              end
+
+              @_results[:outdated] << mpuri_versionless if hv_image['hv:version'] != matching['vmiversion']
+              @_results[:found] << mpuri_versionless
+            end
+          end
+
+          def provider_appliances
+            return @_appliances if @_appliances
+
+            @_appliances = [appdb_provider['provider:image']].flatten.compact
+            @_appliances.keep_if { |appliance| appliance['voname'] == options[:vo] }
+            @_appliances.reject { |appliance| appliance['mp_uri'].blank? }
+
+            @_appliances.each do |appliance|
+              appliance['mp_uri'] = versionless_mpuri(appliance['mp_uri'])
+            end
+
+            @_appliances
+          end
+
+          def vo_list
+            return @_hv_images if @_hv_images
+
+            list = JSON.parse pkcs7_data
+            raise "AppDB image list #{list_url.inspect} is empty or malformed" unless list && list['hv:imagelist']
+
+            list = list['hv:imagelist']
+            unless DateTime.parse(list['dc:date:expires']) > Time.now
+              raise "AppDB image list #{list_url.inspect} has expired"
+            end
+            raise "AppDB image list #{list_url.inspect} doesn't contain images" unless list['hv:images']
+            @_last_update = DateTime.parse list['dc:date:created']
+
+            @_hv_images = list['hv:images'].collect { |im| im['hv:image'] }
+            @_hv_images.reject! { |im| im.blank? || im['ad:mpuri'].blank? }
+            @_hv_images
+          end
+
+          def pkcs7_data
+            content = OpenSSL::PKCS7.read_smime(retrieve_list)
+            content.data
+          end
+
+          def retrieve_list
+            response = HTTParty.get list_url
+            unless response.success?
+              raise 'Could not get a VO-wide image list' \
+                   "from #{list_url.inspect} [#{response.code}]"
+            end
+            response.parsed_response
+          end
+
+          def list_url
+            IMAGE_LIST_TEMPLATE.gsub('$$TOKEN$$', options[:token]).gsub('$$VO$$', options[:vo])
+          end
+
+          def normalize_mpuri(mpuri)
+            mpuri.gsub(%r{/+$}, '')
+          end
+
+          def versionless_mpuri(mpuri)
+            normalize_mpuri(mpuri).gsub(/:\d+$/, '')
+          end
+        end
+      end
+    end
+  end
+end

data/lib/nagios/promoo/appdb/version.rb

@@ -1,7 +1,7 @@
 module Nagios
   module Promoo
     module Appdb
-      VERSION = "1.1.0"
+      VERSION = '1.2.0'.freeze
     end
   end
 end

data/lib/nagios/promoo/master.rb

@@ -4,29 +4,47 @@
 # Include available probe modules
 Dir.glob(File.join(File.dirname(__FILE__), '*', 'master.rb')) { |mod| require mod.chomp('.rb') }
 
-class Nagios::Promoo::Master < ::Thor
-  class_option :debug, type: :boolean, desc: 'Turn on debugging mode', default: false
-  class_option :ca_path, type: :string, desc: 'Path to a directory with CA certificates', default: '/etc/grid-security/certificates'
-  class_option :ca_file, type: :string, desc: 'Path to a file with CA certificates'
-  class_option :insecure, type: :boolean, desc: 'Turn on insecure mode (without SSL client validation)', default: false
-  class_option :timeout, type: :numeric, desc: 'Timeout for all internal connections and other processes (in seconds)', default: 720
+module Nagios
+  module Promoo
+    # Main class for `nagios-promoo`.
+    #
+    # @author Boris Parak <parak@cesnet.cz>
+    class Master < ::Thor
+      class_option :debug, type: :boolean, desc: 'Turn on debugging mode', default: false
+      class_option :ca_path,
+                   type: :string,
+                   desc: 'Path to a directory with CA certificates',
+                   default: '/etc/grid-security/certificates'
+      class_option :ca_file, type: :string, desc: 'Path to a file with CA certificates'
+      class_option :insecure,
+                   type: :boolean,
+                   desc: 'Turn on insecure mode (without SSL client validation)',
+                   default: false
+      class_option :timeout,
+                   type: :numeric,
+                   desc: 'Timeout for all internal connections and other processes (in seconds)',
+                   default: 720
 
-  desc 'opennebula PROBE', 'Run the given probe for OpenNebula'
-  subcommand 'opennebula', Nagios::Promoo::Opennebula::Master
+      desc 'opennebula PROBE', 'Run the given probe for OpenNebula'
+      subcommand 'opennebula', Nagios::Promoo::Opennebula::Master
 
-  desc 'occi PROBE', 'Run the given probe for OCCI'
-  subcommand 'occi', Nagios::Promoo::Occi::Master
+      desc 'occi PROBE', 'Run the given probe for OCCI'
+      subcommand 'occi', Nagios::Promoo::Occi::Master
 
-  desc 'appdb PROBE', 'Run the given probe for AppDB'
-  subcommand 'appdb', Nagios::Promoo::Appdb::Master
+      desc 'appdb PROBE', 'Run the given probe for AppDB'
+      subcommand 'appdb', Nagios::Promoo::Appdb::Master
 
-  desc 'version', 'Print PROMOO version'
-  def version
-    puts Nagios::Promoo::VERSION
-  end
+      desc 'version', 'Print PROMOO version'
+      def version
+        puts Nagios::Promoo::VERSION
+      end
 
-  class << self
-    # Force thor to exit with a non-zero return code on failure
-    def exit_on_failure?; true; end
+      class << self
+        # Force thor to exit with a non-zero return code on failure
+        def exit_on_failure?
+          true
+        end
+      end
+    end
   end
 end

data/lib/nagios/promoo/occi/master.rb

@@ -4,42 +4,73 @@ require 'occi-api'
 # Internal deps
 require File.join(File.dirname(__FILE__), 'version')
 
-# Define modules
-module Nagios::Promoo::Occi; end
-module Nagios::Promoo::Occi::Probes; end
+module Nagios
+  module Promoo
+    # Namespace for OCCI-related code.
+    #
+    # @author Boris Parak <parak@cesnet.cz>
+    module Occi
+      # Namespace for OCCI-related probes.
+      #
+      # @author Boris Parak <parak@cesnet.cz>
+      module Probes; end
+    end
+  end
+end
+
 Dir.glob(File.join(File.dirname(__FILE__), 'probes', '*.rb')) { |probe| require probe.chomp('.rb') }
 
-class Nagios::Promoo::Occi::Master < ::Thor
-  class << self
-    # Hack to override the help message produced by Thor.
-    # https://github.com/wycats/thor/issues/261#issuecomment-16880836
-    def banner(command, namespace = nil, subcommand = nil)
-      "#{basename} occi #{command.usage}"
-    end
+module Nagios
+  module Promoo
+    module Occi
+      # Master class for all OCCI probes.
+      #
+      # @author Boris Parak <parak@cesnet.cz>
+      class Master < ::Thor
+        class << self
+          # Hack to override the help message produced by Thor.
+          # https://github.com/wycats/thor/issues/261#issuecomment-16880836
+          def banner(command, _namespace = nil, _subcommand = nil)
+            "#{basename} occi #{command.usage}"
+          end
 
-    def available_probes
-      Nagios::Promoo::Occi::Probes.constants.collect { |probe| Nagios::Promoo::Occi::Probes.const_get(probe) }.reject { |probe| !probe.runnable? }
-    end
-  end
+          def available_probes
+            probes = Nagios::Promoo::Occi::Probes.constants.collect do |probe|
+              Nagios::Promoo::Occi::Probes.const_get(probe)
+            end
+            probes.select(&:runnable?)
+          end
+        end
 
-  class_option :endpoint, type: :string, desc: 'OCCI-enabled endpoint', default: 'http://localhost:3000/'
-  class_option :auth, type: :string, desc: 'Authentication mechanism', enum: %w(x509-voms), default: 'x509-voms'
-  class_option :token, type: :string, desc: 'Authentication token', default: "file:///tmp/x509up_u#{`id -u`.strip}"
+        class_option :endpoint, type: :string, desc: 'OCCI-enabled endpoint', default: 'http://localhost:3000/'
+        class_option :auth,
+                     type: :string,
+                     desc: 'Authentication mechanism',
+                     enum: %w[x509-voms],
+                     default: 'x509-voms'
+        class_option :token,
+                     type: :string,
+                     desc: 'Authentication token',
+                     default: "file:///tmp/x509up_u#{`id -u`.strip}"
 
-  available_probes.each do |probe|
-    desc *probe.description
-    probe.options.each do |opt|
-      option opt.first, opt.last
-    end
-    class_eval %Q^
+        available_probes.each do |probe|
+          desc(*probe.description)
+          probe.options.each do |opt|
+            option opt.first, opt.last
+          end
+
+          class_eval %^
 def #{probe.declaration}(*args)
   #{probe}.new(options).run(args)
 end
 ^
-  end
+        end
 
-  desc 'version', 'Print version of the OCCI probe set'
-  def version
-    puts Nagios::Promoo::Occi::VERSION
+        desc 'version', 'Print version of the OCCI probe set'
+        def version
+          puts Nagios::Promoo::Occi::VERSION
+        end
+      end
+    end
   end
 end

data/lib/nagios/promoo/occi/probes/base_probe.rb

@@ -1,29 +1,42 @@
-class Nagios::Promoo::Occi::Probes::BaseProbe
-  class << self
-    def runnable?; false; end
-  end
+module Nagios
+  module Promoo
+    module Occi
+      module Probes
+        # Base probe for all OCCI-related probes.
+        #
+        # @author Boris Parak <parak@cesnet.cz>
+        class BaseProbe
+          class << self
+            def runnable?
+              false
+            end
+          end
 
-  attr_reader :options
+          attr_reader :options
 
-  def initialize(options)
-    @options = options
-  end
+          def initialize(options)
+            @options = options
+          end
 
-  def client
-    @_client ||= Occi::Api::Client::ClientHttp.new({
-      :endpoint => options[:endpoint],
-      :auth => {
-        :type               => options[:auth].gsub('-voms', ''),
-        :user_cert          => options[:token].gsub('file://', ''),
-        :user_cert_password => nil,
-        :ca_path            => options[:ca_path],
-        :voms               => options[:auth] == 'x509-voms' ? true : false
-      },
-      :log => {
-        :level  => options[:debug] ? Occi::Api::Log::DEBUG : Occi::Api::Log::ERROR,
-        :logger => nil,
-        :out => '/dev/null',
-      }
-    })
+          def client
+            @_client ||= ::Occi::Api::Client::ClientHttp.new(
+              endpoint: options[:endpoint],
+              auth: {
+                type: options[:auth].gsub('-voms', ''),
+                user_cert: options[:token].gsub('file://', ''),
+                user_cert_password: nil,
+                ca_path: options[:ca_path],
+                voms: options[:auth] == 'x509-voms' ? true : false
+              },
+              log: {
+                level: options[:debug] ? ::Occi::Api::Log::DEBUG : ::Occi::Api::Log::ERROR,
+                logger: nil,
+                out: '/dev/null'
+              }
+            )
+          end
+        end
+      end
+    end
   end
 end

data/lib/nagios/promoo/occi/probes/categories_probe.rb

@@ -3,58 +3,100 @@ require File.join(File.dirname(__FILE__), 'base_probe')
 require File.join(File.dirname(__FILE__), 'kinds_probe')
 require File.join(File.dirname(__FILE__), 'mixins_probe')
 
-class Nagios::Promoo::Occi::Probes::CategoriesProbe < Nagios::Promoo::Occi::Probes::BaseProbe
-  class << self
-    def description
-      ['categories', 'Run a probe checking for mandatory OCCI category definitions']
-    end
+module Nagios
+  module Promoo
+    module Occi
+      module Probes
+        # Probe for checking OCCI categories declared by endpoints.
+        #
+        # @author Boris Parak <parak@cesnet.cz>
+        class CategoriesProbe < Nagios::Promoo::Occi::Probes::BaseProbe
+          class << self
+            def description
+              ['categories', 'Run a probe checking for mandatory OCCI category definitions']
+            end
 
-    def options
-      [
-        [:optional, { type: :array, default: [], desc: 'Identifiers of optional categories (optional by force)' }],
-        [:check_location, { type: :boolean, default: false, desc: 'Verify declared REST locations for INFRA resources' }],
-      ]
-    end
+            def options
+              [
+                [
+                  :optional,
+                  {
+                    type: :array, default: [],
+                    desc: 'Identifiers of optional categories (optional by force)'
+                  }
+                ],
+                [
+                  :check_location,
+                  {
+                    type: :boolean, default: false,
+                    desc: 'Verify declared REST locations for INFRA resources'
+                  }
+                ]
+              ]
+            end
 
-    def declaration
-      "categories"
-    end
+            def declaration
+              'categories'
+            end
 
-    def runnable?; true; end
-  end
+            def runnable?
+              true
+            end
+          end
 
-  def run(args = [])
-    categories = all_categories
-    categories -= options[:optional] if options[:optional]
-
-    Timeout::timeout(options[:timeout]) do
-      categories.each do |cat|
-        fail "#{cat.inspect} is missing" unless client.model.get_by_id(cat, true)
-        next unless options[:check_location] && Nagios::Promoo::Occi::Probes::KindsProbe::INFRA_KINDS.include?(cat)
-
-        # Make sure declared locations are actually available as REST
-        # endpoints. Failure will raise an exception, no need to do
-        # anything here. To keep requirements reasonable, only INFRA
-        # kinds are considered relevant for this part of the check.
-        begin
-          client.list(cat)
-        rescue => err
-          fail "Failed to verify declared REST location for #{cat.inspect} (#{err.message})"
-        end
-      end
-    end
+          def run(_args = [])
+            categories = all_categories
+            categories -= options[:optional] if options[:optional]
 
-    puts 'CATEGORIES OK - All specified OCCI categories were found'
-  rescue => ex
-    puts "CATEGORIES CRITICAL - #{ex.message}"
-    puts ex.backtrace if options[:debug]
-    exit 2
-  end
+            Timeout.timeout(options[:timeout]) do
+              categories.each do |cat|
+                raise "#{cat.inspect} is missing" unless client.model.get_by_id(cat, true)
+                next unless options[:check_location] && infra_kinds.include?(cat)
+
+                # Make sure declared locations are actually available as REST
+                # endpoints. Failure will raise an exception, no need to do
+                # anything here. To keep requirements reasonable, only INFRA
+                # kinds are considered relevant for this part of the check.
+                begin
+                  client.list(cat)
+                rescue => ex
+                  raise "Failed to verify declared REST location for #{cat.inspect} (#{ex.message})"
+                end
+              end
+            end
 
-  private
+            puts 'CATEGORIES OK - All specified OCCI categories were found'
+          rescue => ex
+            puts "CATEGORIES CRITICAL - #{ex.message}"
+            puts ex.backtrace if options[:debug]
+            exit 2
+          end
 
-  def all_categories
-    Nagios::Promoo::Occi::Probes::KindsProbe::CORE_KINDS + Nagios::Promoo::Occi::Probes::KindsProbe::INFRA_KINDS \
-    + Nagios::Promoo::Occi::Probes::MixinsProbe::INFRA_MIXINS + Nagios::Promoo::Occi::Probes::MixinsProbe::CONTEXT_MIXINS
+          private
+
+          def core_kinds
+            Nagios::Promoo::Occi::Probes::KindsProbe::CORE_KINDS
+          end
+
+          def infra_kinds
+            Nagios::Promoo::Occi::Probes::KindsProbe::INFRA_KINDS
+          end
+
+          def infra_mixins
+            Nagios::Promoo::Occi::Probes::MixinsProbe::INFRA_MIXINS
+          end
+
+          def context_mixins
+            Nagios::Promoo::Occi::Probes::MixinsProbe::CONTEXT_MIXINS
+          end
+
+          def all_categories
+            %i[core_kinds infra_kinds infra_mixins context_mixins].reduce([]) do |memo, elm|
+              memo.concat send(elm)
+            end
+          end
+        end
+      end
+    end
   end
 end