Jkrauska has uploaded a new change for review. https://gerrit.wikimedia.org/r/115345
Change subject: Initial commit of pmacct module and role ...................................................................... Initial commit of pmacct module and role Change-Id: I44f02a7911ac8f596f78ea0a6ae5a61c72e75e5c --- A manifests/role/pmacct.pp A modules/pmacct/README.txt A modules/pmacct/manifests/configs.pp A modules/pmacct/manifests/init.pp A modules/pmacct/manifests/install.pp A modules/pmacct/templates/config.erb 6 files changed, 337 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/45/115345/1
diff --git a/manifests/role/pmacct.pp b/manifests/role/pmacct.pp
new file mode 100644
index 0000000..3d52370
--- /dev/null
+++ b/manifests/role/pmacct.pp
@@ -0,0 +1,93 @@
+# manifests/role/pmacct.pp
+
+class role::pmacct {
+ system::role { 'role::pmacct':
+ description => '(network monitoring) flow accounting ' }
+
+ $db_host = '127.0.01'
+ $db_name = 'pmacct'
+ $db_user = 'pmacct'
+ $db_pass = 'pmacct'
+
+ # Behave differently in labs from production
+ case $::realm {
+ 'labs': {
+ $agents = {
+ # tpa - as65001
+ cr1-sdtpa => {
+ port => '6001',
+ ip => '208.80.152.196',
+ samplerate => '200',
+ },
+ testing => {
+ port => '123',
+ ip => '123.123.123.123',
+ samplerate => '123',
+ },
+ } # end of agents
+ }
+ 'production': {
+ $agents = {
+ # tpa - as65001
+ cr1-sdtpa => {
+ port => '6511',
+ ip => '208.80.152.196',
+ samplerate => '200',
+ },
+ # Currently running old JunOS and will not sample correctly
+ #cr2-pmtpa => {
+ #port => '6512',
+ #ip => '208.80.152.197',
+ #samplerate => '1000',
+ #},
+
+ # eqiad - as65002
+ cr1-eqiad => {
+ port => '6521',
+ ip => '208.80.154.196',
+ samplerate => '1000',
+ },
+ cr2-eqiad => {
+ port => '6522',
+ ip => '208.80.154.197',
+ samplerate => '1000',
+ },
+
+ # ulsfo - as65003
+ cr1-ulsfo => {
+ port => '6531',
+ ip => '198.35.26.192',
+ samplerate => '1000',
+ },
+ cr2-ulsfo => {
+ port => '6532',
+ ip => '198.35.26.193',
+ samplerate => '1000',
+ },
+
+ # ams - as43821
+ cr1-esams => {
+ port => '4381',
+ ip => '91.198.174.245',
+ samplerate => '1000',
+ },
+ cr2-knams => {
+ port => '4382',
+ ip => '91.198.174.246',
+ samplerate => '1000',
+ }
+ } # end of agents
+
+ }
+ default: {
+ fail('unknown realm, should be labs or production')
+ }
+ }
+
+ # module
+ class { '::pmacct':
+ agents => $agents,
+ }
+
+}
+
diff --git a/modules/pmacct/README.txt b/modules/pmacct/README.txt
new file mode 100644
index 0000000..c303a4a
--- /dev/null
+++ b/modules/pmacct/README.txt
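Review bot: `$db_host`, `$db_name`, `$db_user` and `$db_pass` are assigned near the top of `role::pmacct` but never used — the only thing handed to the module is `agents => $agents`, and the template sets no SQL connection parameters, so the daemon never sees them. `$db_pass = 'pmacct'` is also a plaintext credential in a manifest that appears to live in a public repository; if these values are meant to be wired in, source them from the private repo or hiera and pass them as module parameters rather than literals, otherwise drop the four lines until they are needed. `$db_host = '127.0.01'` looks like a typo for `'127.0.0.1'`.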
@@ -0,0 +1,63 @@
+# mysql schema is also necessary -- documenting here
+
+#drop database if exists pmacct;
+#create database pmacct;
+
+use pmacct;
+
+drop table if exists traffic_by_asn;
+create table if not exists traffic_by_asn (
+ agent_id INT(4) UNSIGNED NOT NULL,
+ as_dst INT(4) UNSIGNED NOT NULL,
+ as_path CHAR(21) NOT NULL,
+ peer_as_dst INT(4) UNSIGNED NOT NULL,
+ packets INT UNSIGNED NOT NULL,
+ bytes BIGINT UNSIGNED NOT NULL,
+ stamp_inserted DATETIME NOT NULL,
+ stamp_updated DATETIME,
+ PRIMARY KEY (agent_id, as_dst, as_path, peer_as_dst, stamp_inserted)
+);
+
+drop table if exists traffic_by_country;
+create table if not exists traffic_by_country (
+ agent_id INT(4) UNSIGNED NOT NULL,
+ country_ip_dst CHAR(2) NOT NULL,
+ packets INT UNSIGNED NOT NULL,
+ bytes BIGINT UNSIGNED NOT NULL,
+ stamp_inserted DATETIME NOT NULL,
+ stamp_updated DATETIME,
+ PRIMARY KEY (agent_id, country_ip_dst, stamp_inserted)
+);
+
+drop table if exists traffic_by_sourceport;
+create table if not exists traffic_by_sourceport (
+ agent_id INT(4) UNSIGNED NOT NULL,
+ src_port INT(2) UNSIGNED NOT NULL,
+ packets INT UNSIGNED NOT NULL,
+ bytes BIGINT UNSIGNED NOT NULL,
+ stamp_inserted DATETIME NOT NULL,
+ stamp_updated DATETIME,
+ PRIMARY KEY (agent_id, src_port, stamp_inserted)
+);
+
+drop table if exists traffic_by_interface;
+create table if not exists traffic_by_interface (
+ agent_id INT(4) UNSIGNED NOT NULL,
+ iface_out INT(4) UNSIGNED NOT NULL,
+ packets INT UNSIGNED NOT NULL,
+ bytes BIGINT UNSIGNED NOT NULL,
+ stamp_inserted DATETIME NOT NULL,
+ stamp_updated DATETIME,
+ PRIMARY KEY (agent_id, iface_out, stamp_inserted)
+);
+
+drop table if exists traffic_by_sourceip;
+create table if not exists traffic_by_sourceip (
+ agent_id INT(4) UNSIGNED NOT NULL,
+ ip_src CHAR(15) NOT NULL,
+ packets INT UNSIGNED NOT NULL,
+ bytes BIGINT UNSIGNED NOT NULL,
+ stamp_inserted DATETIME NOT NULL,
+ stamp_updated DATETIME,
+ PRIMARY KEY (agent_id, ip_src, stamp_inserted)
+);
diff --git a/modules/pmacct/manifests/configs.pp b/modules/pmacct/manifests/configs.pp
new file mode 100644
index 0000000..8ab9938
--- /dev/null
+++ b/modules/pmacct/manifests/configs.pp
@@ -0,0 +1,27 @@
+# pmacct::makeconfig
+# Generates a unique config file per device and pretag file.
+
+define pmacct::configs ($name, $port, $ip, $samplerate) {
+ # Single confile file per device
+ file { "${pmacct::home}/configs/config-${name}.cfg":
+ ensure => 'file',
+ owner => 'pmacct',
+ group => 'pmacct',
+ mode => '0640',
+ content => template('pmacct/config.erb'),
+ require => File [ "${pmacct::home}/configs" ],
+ }
+
+ # Populate pretag file
+ file_line { "Port ${port}":
+ line => "set_tag=${port} ip=${ip}",
+ path => "${pmacct::home}/configs/pretag.map",
+ }
+
+ # Corresponding ferm rule for firewall redirect
+ ferm::rule {"${name}-BGP":
+ rule => "proto tcp dport 179 source ${ip} REDIRECT to-ports ${port}",
+ table => 'nat',
+ chain => 'PREROUTING',
+ }
+}
diff --git a/modules/pmacct/manifests/init.pp b/modules/pmacct/manifests/init.pp
new file mode 100644
index 0000000..19474f7
--- /dev/null
+++ b/modules/pmacct/manifests/init.pp
@@ -0,0 +1,25 @@
+# Class: pmacct
+#
+# This installs and mangages pmacct configuraiton
+# http://www.pmacct.net/
+#
+# Will initially be added to node 'netmon1001'
+
+class pmacct ($agents) {
+
+ # Install package and make sure user and directories are set
+ class {'pmacct::install':
+ home => '/srv/pmacct',
+ }
+
+ # Iterate over the device list to create new configs
+ # FIXME: Review daniel's different method for iterating over a hash..
+ create_resources('pmacct::configs', $agents)
+
+ # Iterate over the device list to verify/check iptables redirects
+ # FIXME: ferm (should probably happen in one iterate...
+
+
+ # FIXME: make sure services are running (not start/stop scripts)
+ # ...
+}
diff --git a/modules/pmacct/manifests/install.pp b/modules/pmacct/manifests/install.pp
new file mode 100644
index 0000000..1ad287f
--- /dev/null
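Review bot: `${pmacct::home}` — used in the `file` title, its `require`, and the `file_line` `path` — is never defined: `class pmacct` (init.pp) takes only `$agents` and `home` is a parameter of `pmacct::install`, so under Puppet 3 defaults it interpolates as an empty string and the per-device config and `pretag.map` land in `/configs/...` at the filesystem root; the template's `<%= @home %>` in config.erb has the same problem, since `home` is not a parameter of this define either. Making it a parameter of the top-level class, `class pmacct ($agents, $home = '/srv/pmacct')`, passing `home => $home` to `pmacct::install`, and adding `$home = $::pmacct::home` at the top of this define resolves all three uses. `$ip` and `$port` are interpolated unvalidated into an iptables REDIRECT rule and the pretag map; a `validate_re` on each (dotted quad and digits only, stdlib is already in use via `file_line`) turns a typo in the agents hash into a compile error rather than a bad NAT rule. Declaring `$name` as a define parameter also shadows the built-in resource name and, as far as I recall, is rejected by the parser — the title is already available as `$name` without listing it.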
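Review bot: The `pmacct::configs` instances produced by `create_resources` have no ordering relationship to `pmacct::install`, which creates the user, the directories and `${home}/configs/pretag.map`; inside the define only the config `file` carries a `require`, and the `file_line` that appends to `pretag.map` depends on nothing, so whether it runs before or after that file is created is left to catalog ordering. Puppet's autorequire covers parent directories and a managed owner, but not a `file_line` against a `file` resource, so one chain after the class declaration pins it: `Class['pmacct::install'] -> Pmacct::Configs <| |>`. The two trailing FIXME blocks describe the ferm redirect as still to do, while configs.pp already emits a `ferm::rule` per agent — worth updating so the comments do not mislead the next reader.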
+++ b/modules/pmacct/manifests/install.pp
@@ -0,0 +1,57 @@
+# Class: pmacct::install
+#
+# This installs and mangages pmacct configuraiton
+# http://www.pmacct.net/
+
+
+class pmacct::install ($home) {
+
+ # Package
+ # Must be built with these configure flags
+ # --enable-mysql --enable-64bit --enable-threads --enable-geoip
+ package { 'pmacct':
+ ensure => installed,
+ }
+
+ # User creation (not done by package)
+ generic::systemuser { 'pmacct':
+ name => 'pmacct',
+ home => $home,
+ shell => '/bin/bash',
+ }
+
+ # Home directory
+ file { $home:
+ ensure => 'directory',
+ owner => 'pmacct',
+ group => 'pmacct',
+ mode => '0750',
+ }
+
+ # Log directory
+ file { "${home}/logs":
+ ensure => 'directory',
+ owner => 'pmacct',
+ group => 'pmacct',
+ mode => '0750',
+ require => File[ $home ],
+ }
+
+ # Config directory
+ file { "${home}/configs":
+ ensure => 'directory',
+ owner => 'pmacct',
+ group => 'pmacct',
+ mode => '0750',
+ require => File[ $home ],
+ }
+
+ # Pretag map file
+ file { "${home}/configs/pretag.map":
+ ensure => present,
+ owner => 'pmacct',
+ group => 'pmacct',
+ mode => '0640',
+ }
+
+}
diff --git a/modules/pmacct/templates/config.erb b/modules/pmacct/templates/config.erb
new file mode 100644
index 0000000..32a3430
--- /dev/null
+++ b/modules/pmacct/templates/config.erb
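Review bot: `generic::systemuser { 'pmacct': ... shell => '/bin/bash' }` gives the service account an interactive login shell, which nothing in this module uses — the account exists to own `$home`, its `configs` and `logs` directories and `pretag.map`. Unless a follow-up relies on logging in as `pmacct`, set `shell => '/bin/false'` (or the distribution's nologin binary) so the account cannot be used for a shell session if the daemon or its files are ever compromised. The comment on the `package` resource requires a build with `--enable-mysql --enable-64bit --enable-threads --enable-geoip`, but nothing here records where that build comes from; a one-line note naming the apt repository or package source would make the requirement checkable.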
@@ -0,0 +1,72 @@
+!# Wikimedia pmacct netflow collector configuration file (one daemon per collector)
+!# This file is managed by Puppet!
+!#
+!# Note: '!' is used for comments, '#' added for better syntax highlighting
+!#
+!# Custom configuration made from template for <%= @name %>
+
+daemonize: true
+syslog: daemon
+pidfile: /var/run/nfacctd-<%= @name %>.pid
+
+!# Maxmind Country Database
+geoip_ipv4_file: /usr/share/GeoIP/GeoIP.dat
+
+!# SQL Settings
+sql_optimize_clauses: true
+sql_refresh_time: 300
+sql_history: 5m
+sql_history_roundoff: m
+
+!# Tag Mapping to set agent_id in mysql
+pre_tag_map: <%= @home %>/config/pretag.map
+
+!# Full List of Plugins
+plugins: mysql[country], mysql[port], mysql[iface], mysql[src], mysql[asn]
+
+!# ASN Aggregation
+aggregate[asn]: tag,dst_as,as_path,peer_dst_as
+sql_table[asn]: traffic_by_asn
+sql_table_type[asn]: bgp
+
+!# Country Aggregation
+aggregate[country]: tag,dst_host_country
+sql_table[country]: traffic_by_country
+
+!# Source Port Aggregation
+aggregate[port]: tag,src_port
+sql_table[port]: traffic_by_sourceport
+
+!# Outbound interface
+aggregate[iface]: tag,out_iface
+sql_table[iface]: traffic_by_interface
+
+!# Source Host (which VIP)
+aggregate[src]: tag,src_host
+sql_table[src]: traffic_by_sourceip
+
+!# Netflow UDP Port
+nfacctd_port: <%= @port %>
+
+!# Disable some warnings due to JunOS bugs
+nfacctd_disable_checks: true
+
+!# FIXME: Use a map file, which can be relaoded with a SIGUSR2
+!# Correct for sampling rate by upscaling byte counts
+nfacctd_ext_sampling_rate: <%= @samplerate %>
+nfacctd_renormalize: true
+
+!# BGP Config
+bgp_daemon: true
+bgp_daemon_max_peers: 1
+
+!# Note: JunOS does not support custom bgp ports, so we are using iptables NAT redirect to accomplish the same locally
+!# eg. iptables --table nat --append PREROUTING --proto tcp --source 208.80.152.196 --dport 179 --jump REDIRECT --to-ports 6001
+!# Using same port number as Flow, but BGP is TCP and Flow is UDP
+bgp_daemon_port: <%= @port %>
+
+!# Rely on BGP for destination ASN (IPFIX buggy)
+nfacctd_as_new: bgp
+
+!# Strip as-path to first 3 hops (disabled)
+!bgp_aspath_radius: 3
-- To view, visit https://gerrit.wikimedia.org/r/115345 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I44f02a7911ac8f596f78ea0a6ae5a61c72e75e5c Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Jkrauska <jkrau...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
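Review bot: `pre_tag_map: <%= @home %>/config/pretag.map` points at a directory named `config`, while install.pp creates and configs.pp appends to `${home}/configs/pretag.map`, so nfacctd reads a map that is never written and the `set_tag` entries meant to populate `agent_id` are not applied; change the line to `pre_tag_map: <%= @home %>/configs/pretag.map`. The `eg.` comment in the BGP section hardcodes `--source 208.80.152.196 ... --to-ports 6001`, which is the labs port for cr1-sdtpa and not the production one, so in every other rendered config the example contradicts the live rule; build it from `<%= @ip %>` and `<%= @port %>` or make it generic. The first comment line says one daemon per collector but `bgp_daemon_max_peers: 1` is the only thing that enforces a single peer — a short comment tying the two together would help the next reader.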