Jkrauska has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/115345

Change subject: Initial commit of pmacct module and role
......................................................................

Initial commit of pmacct module and role

Change-Id: I44f02a7911ac8f596f78ea0a6ae5a61c72e75e5c
---
A manifests/role/pmacct.pp
A modules/pmacct/README.txt
A modules/pmacct/manifests/configs.pp
A modules/pmacct/manifests/init.pp
A modules/pmacct/manifests/install.pp
A modules/pmacct/templates/config.erb
6 files changed, 337 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/45/115345/1

diff --git a/manifests/role/pmacct.pp b/manifests/role/pmacct.pp
new file mode 100644
index 0000000..3d52370
--- /dev/null
+++ b/manifests/role/pmacct.pp
@@ -0,0 +1,93 @@
+# manifests/role/pmacct.pp
+
+class role::pmacct {
+    system::role { 'role::pmacct':
+      description => '(network monitoring) flow accounting ' }
+
+    $db_host = '127.0.01'
+    $db_name = 'pmacct'
+    $db_user = 'pmacct'
+    $db_pass = 'pmacct'
+
+    # Behave differently in labs from production
+    case $::realm {
+        'labs': {
+            $agents = {
+                # tpa - as65001
+                cr1-sdtpa => {
+                    port       => '6001',
+                    ip         => '208.80.152.196',
+                    samplerate => '200',
+                    },
+                testing  => {
+                    port       => '123',
+                    ip         => '123.123.123.123',
+                    samplerate => '123',
+                    },
+                } # end of agents
+        }
+        'production': {
+            $agents = {
+                # tpa - as65001
+                cr1-sdtpa => {
+                    port       => '6511',
+                    ip         => '208.80.152.196',
+                    samplerate => '200',
+                },
+                # Currently running old JunOS and will not sample correctly
+                #cr2-pmtpa => {
+                    #port       => '6512',
+                    #ip         => '208.80.152.197',
+                    #samplerate => '1000',
+                    #},
+
+                # eqiad - as65002
+                cr1-eqiad => {
+                    port       => '6521',
+                    ip         => '208.80.154.196',
+                    samplerate => '1000',
+                },
+                cr2-eqiad => {
+                    port       => '6522',
+                    ip         => '208.80.154.197',
+                    samplerate => '1000',
+                },
+
+                # ulsfo - as65003
+                cr1-ulsfo => {
+                    port       => '6531',
+                    ip         => '198.35.26.192',
+                    samplerate => '1000',
+                },
+                cr2-ulsfo => {
+                    port       => '6532',
+                    ip         => '198.35.26.193',
+                    samplerate => '1000',
+                },
+
+                # ams - as43821
+                cr1-esams => {
+                    port       => '4381',
+                    ip         => '91.198.174.245',
+                    samplerate => '1000',
+                },
+                cr2-knams => {
+                    port       => '4382',
+                    ip         => '91.198.174.246',
+                    samplerate => '1000',
+                }
+                } # end of agents
+
+        }
+        default: {
+            fail('unknown realm, should be labs or production')
+        }
+    }
+
+    # module
+    class { '::pmacct':
+        agents => $agents,
+    }
+
+}
+
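Review bot: `$db_pass = 'pmacct'` on L39 commits a database password in clear text to a public repository, and none of the four `$db_*` variables is consumed by the `::pmacct` declaration or the template, so the value is exposed without even being used. Move the credential to whatever private/secret data source this repo uses for other services and pass host, name, user and password into `class { '::pmacct': ... }` as parameters so the template can render `sql_host`/`sql_user`/`sql_passwd`; until then the lines should not be here at all. `$db_host = '127.0.01'` is also missing a dot and should read `'127.0.0.1'`. In the labs branch the `testing` agent uses `123.123.123.123`, a routable address unrelated to the project; if it is a placeholder, say so in the comment or use an RFC 5737 documentation address so a firewall rule is never generated for a stranger's host.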
diff --git a/modules/pmacct/README.txt b/modules/pmacct/README.txt
new file mode 100644
index 0000000..c303a4a
--- /dev/null
+++ b/modules/pmacct/README.txt
@@ -0,0 +1,63 @@
+# mysql schema is also necessary -- documenting here
+
+#drop database if exists pmacct;
+#create database pmacct;
+
+use pmacct;
+
+drop table if exists traffic_by_asn;
+create table if not exists traffic_by_asn (
+        agent_id INT(4) UNSIGNED NOT NULL,
+        as_dst INT(4) UNSIGNED NOT NULL,
+       as_path CHAR(21) NOT NULL,
+       peer_as_dst INT(4) UNSIGNED NOT NULL,
+        packets INT UNSIGNED NOT NULL,
+       bytes BIGINT UNSIGNED NOT NULL,
+       stamp_inserted DATETIME NOT NULL,
+       stamp_updated DATETIME,
+       PRIMARY KEY (agent_id, as_dst, as_path, peer_as_dst, stamp_inserted)
+);
+
+drop table if exists traffic_by_country;
+create table if not exists traffic_by_country (
+       agent_id INT(4) UNSIGNED NOT NULL,
+       country_ip_dst CHAR(2) NOT NULL,
+       packets INT UNSIGNED NOT NULL,
+       bytes BIGINT UNSIGNED NOT NULL,
+       stamp_inserted DATETIME NOT NULL,
+       stamp_updated DATETIME,
+       PRIMARY KEY (agent_id, country_ip_dst, stamp_inserted)
+);
+
+drop table if exists traffic_by_sourceport;
+create table if not exists traffic_by_sourceport  (
+       agent_id INT(4) UNSIGNED NOT NULL,
+       src_port INT(2) UNSIGNED NOT NULL,
+       packets INT UNSIGNED NOT NULL,
+       bytes BIGINT UNSIGNED NOT NULL,
+       stamp_inserted DATETIME NOT NULL,
+       stamp_updated DATETIME,
+       PRIMARY KEY (agent_id, src_port, stamp_inserted)
+);
+
+drop table if exists traffic_by_interface;
+create table if not exists traffic_by_interface  (
+       agent_id INT(4) UNSIGNED NOT NULL,
+       iface_out INT(4) UNSIGNED NOT NULL,
+       packets INT UNSIGNED NOT NULL,
+       bytes BIGINT UNSIGNED NOT NULL,
+       stamp_inserted DATETIME NOT NULL,
+       stamp_updated DATETIME,
+       PRIMARY KEY (agent_id, iface_out, stamp_inserted)
+);
+
+drop table if exists traffic_by_sourceip;
+create table if not exists traffic_by_sourceip  (
+       agent_id INT(4) UNSIGNED NOT NULL,
+       ip_src CHAR(15) NOT NULL,
+       packets INT UNSIGNED NOT NULL,
+       bytes BIGINT UNSIGNED NOT NULL,
+       stamp_inserted DATETIME NOT NULL,
+       stamp_updated DATETIME,
+       PRIMARY KEY (agent_id, ip_src, stamp_inserted)
+);
diff --git a/modules/pmacct/manifests/configs.pp 
b/modules/pmacct/manifests/configs.pp
new file mode 100644
index 0000000..8ab9938
--- /dev/null
+++ b/modules/pmacct/manifests/configs.pp
@@ -0,0 +1,27 @@
+# pmacct::makeconfig
+# Generates a unique config file per device and pretag file.
+
+define pmacct::configs ($name, $port, $ip, $samplerate) {
+    # Single confile file per device
+    file { "${pmacct::home}/configs/config-${name}.cfg":
+        ensure  => 'file',
+        owner   => 'pmacct',
+        group   => 'pmacct',
+        mode    => '0640',
+        content => template('pmacct/config.erb'),
+        require => File [ "${pmacct::home}/configs" ],
+    }
+
+    # Populate pretag file
+    file_line { "Port ${port}":
+      line => "set_tag=${port} ip=${ip}",
+      path => "${pmacct::home}/configs/pretag.map",
+    }
+
+    # Corresponding ferm rule for firewall redirect
+    ferm::rule {"${name}-BGP":
+        rule  => "proto tcp dport 179 source ${ip} REDIRECT to-ports ${port}",
+        table => 'nat',
+        chain => 'PREROUTING',
+    }
+}
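Review bot: `define pmacct::configs ($name, $port, $ip, $samplerate)` redeclares `$name`, which is already the define's built-in title variable; as far as I recall Puppet reserves `name`/`title` in defines and errors on the redeclaration, and even where accepted it is redundant because `create_resources` sets `$name` from each hash key. Drop it: `define pmacct::configs ($port, $ip, $samplerate) {`. The ferm rule only NAT-redirects TCP/179 from `${ip}` to `${port}`; if this host's ferm policy is default-deny on INPUT, an accept rule for the redirected BGP session and the NetFlow UDP stream is still needed, e.g. `proto (tcp udp) dport ${port} saddr ${ip} ACCEPT`, and restricting the UDP port to the router's address is what keeps unauthenticated NetFlow records from any other source out of the accounting tables.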
diff --git a/modules/pmacct/manifests/init.pp b/modules/pmacct/manifests/init.pp
new file mode 100644
index 0000000..19474f7
--- /dev/null
+++ b/modules/pmacct/manifests/init.pp
@@ -0,0 +1,25 @@
+# Class: pmacct
+#
+# This installs and mangages pmacct configuraiton
+# http://www.pmacct.net/
+#
+# Will initially be added to node 'netmon1001'
+
+class pmacct ($agents) {
+
+    # Install package and make sure user and directories are set
+    class {'pmacct::install':
+        home => '/srv/pmacct',
+    }
+
+    # Iterate over the device list to create new configs
+    # FIXME: Review daniel's different method for iterating over a hash..
+    create_resources('pmacct::configs', $agents)
+
+    # Iterate over the device list to verify/check iptables redirects
+    # FIXME: ferm (should probably happen in one iterate...
+
+
+    # FIXME: make sure services are running (not start/stop scripts)
+    # ...
+}
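Review bot: `pmacct::configs` builds every path from `${pmacct::home}`, but class `pmacct` takes only `$agents` and hard-codes `/srv/pmacct` in the `pmacct::install` declaration, so `$pmacct::home` is undefined and the per-device config paths degrade to `/configs/config-<name>.cfg` with a `require` on a file resource that does not exist. Expose the path as a class parameter and pass it through: `class pmacct ($agents, $home = '/srv/pmacct') {` and `home => $home,` in the install declaration. With no `service` resource for the nfacctd daemons, Puppet will also rewrite a device's config without restarting or reloading it; the existing FIXME covers this, but it is worth turning into a tracked TODO in the class header since a stale daemon silently keeps the old sampling rate and BGP port.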
diff --git a/modules/pmacct/manifests/install.pp 
b/modules/pmacct/manifests/install.pp
new file mode 100644
index 0000000..1ad287f
--- /dev/null
+++ b/modules/pmacct/manifests/install.pp
@@ -0,0 +1,57 @@
+# Class: pmacct::install
+#
+# This installs and mangages pmacct configuraiton
+# http://www.pmacct.net/
+
+
+class pmacct::install ($home) {
+
+    # Package
+    # Must be built with these configure flags
+    # --enable-mysql --enable-64bit --enable-threads --enable-geoip
+    package { 'pmacct':
+        ensure => installed,
+    }
+
+    # User creation (not done by package)
+    generic::systemuser { 'pmacct':
+        name  => 'pmacct',
+        home  => $home,
+        shell => '/bin/bash',
+    }
+
+    # Home directory
+    file { $home:
+        ensure => 'directory',
+        owner  => 'pmacct',
+        group  => 'pmacct',
+        mode   => '0750',
+    }
+
+    # Log directory
+    file { "${home}/logs":
+        ensure  => 'directory',
+        owner   => 'pmacct',
+        group   => 'pmacct',
+        mode    => '0750',
+        require => File[ $home ],
+    }
+
+    # Config directory
+    file { "${home}/configs":
+        ensure  => 'directory',
+        owner   => 'pmacct',
+        group   => 'pmacct',
+        mode    => '0750',
+        require => File[ $home ],
+    }
+
+    # Pretag map file
+    file { "${home}/configs/pretag.map":
+      ensure  => present,
+      owner   => 'pmacct',
+      group   => 'pmacct',
+      mode    => '0640',
+    }
+
+}
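Review bot: The `pmacct` service account is created with `shell => '/bin/bash'` on L283, giving a daemon user an interactive login shell it has no need for. Unless someone has to `su` to it, use a non-login shell, `shell => '/bin/false',` (or `/usr/sbin/nologin`), in keeping with the 0750/0640 permissions that already treat this user's home as a restricted area. The `pretag.map` resource also lacks the explicit `require => File["${home}/configs"]` its sibling directory resources carry; Puppet's parent-directory autorequire probably covers it, but stating it keeps the ordering consistent with the rest of the class.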
diff --git a/modules/pmacct/templates/config.erb 
b/modules/pmacct/templates/config.erb
new file mode 100644
index 0000000..32a3430
--- /dev/null
+++ b/modules/pmacct/templates/config.erb
@@ -0,0 +1,72 @@
+!# Wikimedia pmacct netflow collector configuration file (one daemon per 
collector)
+!# This file is managed by Puppet!
+!#
+!# Note: '!' is used for comments, '#' added for better syntax highlighting
+!#
+!# Custom configuration made from template for <%= @name %>
+
+daemonize: true
+syslog: daemon
+pidfile: /var/run/nfacctd-<%= @name %>.pid
+
+!# Maxmind Country Database
+geoip_ipv4_file: /usr/share/GeoIP/GeoIP.dat
+
+!# SQL Settings
+sql_optimize_clauses: true
+sql_refresh_time: 300
+sql_history: 5m
+sql_history_roundoff: m
+
+!# Tag Mapping to set agent_id in mysql
+pre_tag_map: <%= @home %>/config/pretag.map
+
+!# Full List of Plugins
+plugins: mysql[country], mysql[port], mysql[iface], mysql[src], mysql[asn]
+
+!# ASN Aggregation
+aggregate[asn]: tag,dst_as,as_path,peer_dst_as
+sql_table[asn]: traffic_by_asn
+sql_table_type[asn]: bgp
+
+!# Country Aggregation
+aggregate[country]: tag,dst_host_country
+sql_table[country]: traffic_by_country
+
+!# Source Port Aggregation
+aggregate[port]: tag,src_port
+sql_table[port]: traffic_by_sourceport
+
+!# Outbound interface
+aggregate[iface]: tag,out_iface
+sql_table[iface]: traffic_by_interface
+
+!# Source Host (which VIP)
+aggregate[src]: tag,src_host
+sql_table[src]: traffic_by_sourceip
+
+!# Netflow UDP Port
+nfacctd_port: <%= @port %>
+
+!# Disable some warnings due to JunOS bugs
+nfacctd_disable_checks: true
+
+!# FIXME: Use a map file, which can be relaoded with a SIGUSR2
+!# Correct for sampling rate by upscaling byte counts
+nfacctd_ext_sampling_rate: <%= @samplerate %>
+nfacctd_renormalize: true
+
+!# BGP Config
+bgp_daemon: true
+bgp_daemon_max_peers: 1
+
+!# Note:  JunOS does not support custom bgp ports, so we are using iptables 
NAT redirect to accomplish the same locally
+!# eg. iptables --table nat --append PREROUTING --proto tcp --source 
208.80.152.196 --dport 179 --jump REDIRECT --to-ports 6001
+!# Using same port number as Flow, but BGP is TCP and Flow is UDP
+bgp_daemon_port: <%= @port %>
+
+!# Rely on BGP for destination ASN (IPFIX buggy)
+nfacctd_as_new: bgp
+
+!# Strip as-path to first 3 hops (disabled)
+!bgp_aspath_radius: 3
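Review bot: `pre_tag_map: <%= @home %>/config/pretag.map` on L350 cannot resolve: the template is rendered from the `pmacct::configs` define, whose parameters are only `$name`, `$port`, `$ip` and `$samplerate`, so `@home` is undefined and renders empty, and the directory is spelled `config` while install.pp and configs.pp create `configs`. The manifests put the pretag file at `${pmacct::home}/configs/pretag.map`, so the template should render that same path (for example via `scope.lookupvar('pmacct::home')` once the class exposes `$home`); otherwise the `tag` primitive in every aggregate yields no agent_id and the tables cannot be told apart per router. The file also carries no `sql_host`/`sql_user`/`sql_passwd`/`sql_db` directives, so the five mysql plugins will fall back to nfacctd's compiled-in defaults rather than the `$db_*` values the role defines; if those are meant to be used they need to be passed in and rendered here, which is also the reason the 0640 mode on the generated file matters.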


Gerrit-MessageType: newchange
Gerrit-Change-Id: I44f02a7911ac8f596f78ea0a6ae5a61c72e75e5c
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Jkrauska <jkrau...@wikimedia.org>
