Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'benjaminrobertson-observium', '3.0.0'
Learn more about managing modules with a Puppetfile
observium
A Puppet module which installs and configures Observium monitoring software. For information about Observium, please see Observium
Table of Contents
- Description
- Setup - The basics of getting started with observium
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Description
A Puppet module to install Observium in a basic configuration on Ubuntu or RedHat.
Setup
What observium affects
The observium module installs and configures the following by default:
- Apache
- MySQL or MariaDB
- Enables the EPEL, remi-php and OpenNMS yum repos on RHEL
- Modifies/enables firewalld on RHEL
- Installs required packages for Observium
- Installs Observium software on the system
- Configures Observium software on the system
- Sets SELinux into permissive mode on RHEL
- Configures SNMP v3 on the observium host
- Creates a certificate and key pair at /etc/ssl/observium_key.pem and /etc/ssl/observium_cert.pem
If you are managing yum repos, firewall, SELinux, SNMP, MySQL or Apache within your control-repo, you can stop this module from configuring them by setting manage_{service} to false. See reference.
Setup Requirements
Please ensure you meet the dependency requirements and have the following in your Puppetfile.
- puppetlabs-stdlib
- puppet-archive
- puppetlabs-yumrepo_core - only required for RHEL
- puppetlabs-mysql
- puppetlabs-cron_core
- puppet-selinux - only required for RHEL
- puppetlabs-apache
- puppet-snmp
- puppet-firewalld - only required for RHEL and if managing firewall
- puppetlabs-resource_api
- puppetlabs-firewall - only required for Ubuntu and if managing firewall
- puppetlabs-translate
- camptocamp-systemd
Password requirements
Beginning with the 3.0.0 release, default passwords are no longer provided by this module. This was an insecure default, as every instance of observium set up with these defaults would use the same passwords.
With the removal of the defaults, users now need to specify these passwords when using this module. There are two methods to do this in Puppet.
- Via parameters through resource-like declarations. (Least preferred as you cannot protect these values)
class { 'observium':
  db_password       => 'your_password_here',
  rootdb_password   => 'your_password_here',
  snmpv3_authpass   => 'your_password_here',
  snmpv3_cryptopass => 'your_password_here',
  admin_password    => 'very_secure',
}
- Via environment hiera. (Preferred as we can encrypt these values) Within environment hiera, place the values as shown.
---
observium::db_password: "your_password_here"
observium::rootdb_password: "your_password_here"
observium::snmpv3_authpass: "your_password_here"
observium::snmpv3_cryptopass: "your_password_here"
observium::admin_password: "very_secure"
These values should be encrypted using the hiera-eyaml gem. See Puppet documentation.
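A wrapper class that validates the five passwords before handing them to the module, as an added example that is not part of the observium module. The class name profile::observium_secure, the String[8] minimum on the non-SNMP passwords and the list of rejected values are assumptions made here; the observium parameters are the ones listed in this module's reference.

```puppet
# Added example: hypothetical wrapper class, not shipped with the observium module.
# Bind its parameters in environment hiera (for example
# profile::observium_secure::db_password) and encrypt them with hiera-eyaml.
class profile::observium_secure (
  String[8] $db_password,
  String[8] $rootdb_password,
  String[8] $snmpv3_authpass,    # the module reference requires min 8 characters
  String[8] $snmpv3_cryptopass,  # the module reference requires min 8 characters
  String[8] $admin_password,
) {
  # Values that every reader of this page knows: the placeholders used in the
  # examples and the defaults that releases before 3.0.0 shipped with.
  $rejected = ['changeme', 'hello123', 'your_password_here', 'very_secure']

  $supplied = {
    'db_password'       => $db_password,
    'rootdb_password'   => $rootdb_password,
    'snmpv3_authpass'   => $snmpv3_authpass,
    'snmpv3_cryptopass' => $snmpv3_cryptopass,
    'admin_password'    => $admin_password,
  }

  # Fail catalog compilation instead of deploying a known password.
  # The message names the parameter only, never the value.
  $supplied.each |String $param, String $value| {
    if $value in $rejected {
      fail("profile::observium_secure::${param} is a documented placeholder or legacy default; set a unique value in hiera")
    }
  }

  class { 'observium':
    db_password       => $db_password,
    rootdb_password   => $rootdb_password,
    snmpv3_authpass   => $snmpv3_authpass,
    snmpv3_cryptopass => $snmpv3_cryptopass,
    admin_password    => $admin_password,
    # Pin the SNMPv3 settings explicitly so a later hiera override cannot
    # silently drop to noAuthNoPriv, MD5 or DES.
    snmpv3_authlevel  => 'authPriv',
    snmpv3_authalgo   => 'SHA',
    snmpv3_cryptoalgo => 'AES',
    # Serve the web UI over SSL; a self-signed certificate is used unless
    # custom_ssl_cert and custom_ssl_key point at your own pair.
    manage_ssl        => true,
  }
}
```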
Beginning with observium
In its most basic form, you can install observium with:
class { 'observium':
  db_password       => 'your_password_here',
  rootdb_password   => 'your_password_here',
  snmpv3_authpass   => 'your_password_here',
  snmpv3_cryptopass => 'your_password_here',
  admin_password    => 'very_secure',
}
Usage
Please see reference for detailed instructions on observium class parameters.
Basic usage
- Set up Observium with custom certificates
class { 'observium':
  manage_ssl      => true,
  custom_ssl_cert => '/opt/observium/ssl/cert.pem',
  custom_ssl_key  => '/opt/observium/ssl/key.pem',
}
- Set up Observium without managing Firewall or Apache (Note: you will need to configure Apache manually or with another Puppet module)
class { 'observium':
  manage_fw     => false,
  manage_apache => false,
}
- Set up Observium on RHEL, specifying a local repo and the install location of Observium (this can also be done with Hiera). This example assumes your EPEL mirror is hosted at myrepo.local and you saved the observium installer under /tmp.
$my_repo = {
  'epel' => {
    'ensure'   => 'present',
    'enabled'  => '1',
    'descr'    => 'Extra packages for enterprise linux',
    'baseurl'  => 'http://myrepo.local/epel7',
    'gpgcheck' => '1',
    'gpgkey'   => 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7',
    'target'   => '/etc/yum.repos.d/epel.repo',
  },
}
class { 'observium':
  repos          => $my_repo,
  download_url   => '/tmp/',
  installer_name => 'observium-community-latest.tar.gz',
}
Limitations
Observium doesn't provide an option to download anything other than the latest release of community edition Observium. I originally intended to provide an option of which version of Observium to install. This module will just install the latest Observium release.
Tested with the following setups.
- PE 2021.7.2
- Puppet 7.21.0
- RHEL
  - 7
  - 8
  - 9
- Rocky
  - 8
- Ubuntu
  - 20.04 LTS
  - 22.04 LTS
RHEL specific limitations
RHEL 7 requires the following yum repos for installation - these will be automatically added if your host has an internet connection.
RHEL 8 requires the following yum repos for installation - these will be automatically added if your host has an internet connection.
- EPEL
- OpenNMS common
- OpenNMS RHEL8
- remi-modular - note you will need to enable php7.2 after adding this repo
/bin/dnf module -y install php:remi-7.2
RHEL 9 requires the following yum repos for installation - these will be automatically added if your host has an internet connection.
- EPEL
- OpenNMS common
- OpenNMS RHEL9
- remi-modular - note you will need to enable php8.2 after adding this repo
/bin/dnf module -y install php:remi-8.2
Upgrading Observium
Please see Upgrading steps from Observium to upgrade. If you are managing Observium with Puppet, please disable the Puppet agent on your server before performing the upgrade steps. This module looks for the presence of '/opt/observium/VERSION' before extracting the observium tar ball. You can re-enable Puppet once the upgrade is complete.
To disable Puppet manually on a host:
puppet agent --disable
To reenable
puppet agent --enable
Development
If you find any issues with this module, please log them in the issues register of the GitHub project. Issues
Reference
Table of Contents
Classes
Public Classes
observium
: A short summary of the purpose of this class
Private Classes
observium::apache
: Class: observium::apache inherits observium Configure apache server with virtual host for observium
observium::config
: Class: observium::config Configure observium configuration files
observium::database_init
: Class: observium Init the observium database after install.
observium::firewall
: Class: observium::firewall Manage iptables on ubuntu
observium::firewalld
: Class: observium::firewall Manages firewall and opens ports for observium
observium::install
: Class: observium::install Creates folder structure for Observium, and install from tar
observium::mariadb
: Class: observium::mariadb Install mysql or mariadb - OS dependent
observium::packages
: Class: observium::packages Installs required packages for observium
observium::selinux
: Class: observium::selinux Class disables selinux as per observium install guide.
observium::snmp
: Class: observium::snmp Sets up SNMP locally to permit monitoring of local host out of the box.
observium::yum
: Creates required yumrepo for RHEL and installs GPG keys.
Classes
observium
Observium base class which accepts parameters to customise the observium install.
Examples
include observium
Parameters
The following parameters are available in the observium class:
auth_mechanism
db_password
rootdb_password
download_url
installer_name
install_dir
db_host
db_user
db_charset
db_collate
community
snmpv3_authlevel
snmpv3_authname
snmpv3_authpass
snmpv3_authalgo
snmpv3_cryptopass
snmpv3_cryptoalgo
snmpd_agentaddress
mib_locations
additional_mib_location
additional_snmp_conf_options
fping_location
email_default
email_from
admin_password
apache_bind_ip
apache_access_log
apache_error_log
apache_custom_options
apache_auth_require
apache_hostname
apache_port
apache_sslport
custom_ssl_cert
custom_ssl_key
manage_repo
manage_selinux
manage_fw
manage_snmp
manage_mysql
manage_apache
manage_apachephp
manage_ssl
repos
gpgkeys
observium_additional_conf
auth_mechanism
Data type: String
Auth mechanism to use - default 'mysql'
db_password
Data type: String
MySQL password for observium user - default 'changeme'
rootdb_password
Data type: String
MySQL root password - default 'hello123'
download_url
Data type: String
URL to the installer, e.g. http://observium.com/, can be a file path - default 'http://www.observium.org/'
installer_name
Data type: String
Installer name, e.g. observium-installer.tar - default 'observium-community-latest.tar.gz'
install_dir
Data type: String
Install directory - default '/opt/observium'
db_host
Data type: String
Database host to use - default 'localhost'
db_user
Data type: String
Database user to use - default 'observium'
db_charset
Data type: String
Database charset to use - default 'utf8' Ubuntu 22.04 'utf8mb3'
db_collate
Data type: String
Database collate to use - default 'utf8_general_ci' Ubuntu 22.04 'utf8mb3_general_ci'
community
Data type: String
Default SNMP community to configure - default 'puppet'
snmpv3_authlevel
Data type: Enum['noAuthNoPriv','authNoPriv','authPriv']
Default SNMP authlevel to use - default 'authPriv' Valid options - ['noAuthNoPriv','authNoPriv','authPriv']
snmpv3_authname
Data type: String
SNMP Authname SNMPv3 user - default 'observium'
snmpv3_authpass
Data type: String
Auth password - minimum 8 characters
snmpv3_authalgo
Data type: Enum['SHA','MD5']
Auth algorithm - default 'SHA' Valid options - ['SHA','MD5']
snmpv3_cryptopass
Data type: String
Crypto pass - minimum 8 characters
snmpv3_cryptoalgo
Data type: Enum['AES','DES']
Crypto algorithm - default 'AES' Valid options - ['AES','DES']
snmpd_agentaddress
Data type: Array
An array of addresses, on which snmpd will listen for queries. - default ['udp:127.0.0.1:161','udp6:[::1]:161']
mib_locations
Data type: Array
MIB locations for observium to add to snmp.conf - default ['/opt/observium/mibs/rfc','/opt/observium/mibs/net-snmp']
additional_mib_location
Data type: Array
Additional MIB locations to add to snmp.conf. Appended to the built-in mib_locations. default []
Default value: []
additional_snmp_conf_options
Data type: Array
Additional options to add to snmp.conf. default []
Default value: []
fping_location
Data type: String
Change if fping is in a non-default location - default, RHEL '/sbin/fping' Ubuntu '/usr/bin/fping'
email_default
Data type: String
Not setup yet, use additional config option to setup email default
email_from
Data type: String
Not setup yet, use additional config option to setup email from
admin_password
Data type: String
Admin password for the default admin observium user - default 'changeme'
apache_bind_ip
Data type: String
Bind IP address - default $facts['ipaddress']
Default value: $facts['networking']['ip']
apache_access_log
Data type: Stdlib::Unixpath
Apache access log file - default '/opt/observium/logs/access_log'
apache_error_log
Data type: Stdlib::Unixpath
Apache error log file - default '/opt/observium/logs/error_log'
apache_custom_options
Data type: Hash
Apache custom options, example could be changing auth type or adding Shibboleth support.
To add Shibboleth support you would add the following to your hiera data
observium::apache_custom_options:
  auth_type: "shibboleth"
  shib_request_settings:
    requireSession: 1
Default value: {}
apache_auth_require
Data type: String
Apache auth require parameter - default 'all granted'
apache_hostname
Data type: String
Apache hostname for observium site - default $facts['hostname']
Default value: $facts['networking']['hostname']
apache_port
Data type: Stdlib::Port
Apache non SSL port - note if SSL is enabled this will have no effect - default '80'
apache_sslport
Data type: Stdlib::Port
Apache SSL port - note if SSL isn't enabled this will have no effect - default '443'
custom_ssl_cert
Data type: String
Path to SSL certificate, note this module will automatically create a cert in this location '/etc/ssl/observium_cert.pem' - default '/etc/ssl/observium_cert.pem'
custom_ssl_key
Data type: String
Path to SSL certificate key, note this module will automatically create a key in this location '/etc/ssl/observium_key.pem' - default '/etc/ssl/observium_key.pem'
manage_repo
Data type: Boolean
Manage repo, RHEL only, - default true
manage_selinux
Data type: Boolean
Manage selinux, RHEL only. This will set selinux to permissive mode as observium haven't published a selinux profile - default true
manage_fw
Data type: Boolean
Manage firewalld on RHEL. UFW on ubuntu. - default RHEL true, Ubuntu false
manage_snmp
Data type: Boolean
Configure snmpd on the observium host and add it to observium - default true
manage_mysql
Data type: Boolean
Install and configure mysql, - default true
manage_apache
Data type: Boolean
Install and configure Apache, - default true
manage_apachephp
Data type: Boolean
Configure Apache mod_php, - default true
manage_ssl
Data type: Boolean
Setup the web site as SSL. If no cert provided, a self signed one will be used. - default false
repos
Data type: Optional[Hash]
Customise repository locations for RedHat
Default value: undef
gpgkeys
Data type: Optional[Hash]
Customise GPG keys for RedHat
Default value: undef
observium_additional_conf
Data type: Optional[Array]
Array of additional configurations options to add to /opt/observium/config.php
Default value: undef
Changelog
All notable changes to this project will be documented in this file.
Release 3.0.0
Upgrade warning
The following default parameters for passwords have been removed from the module.
- observium::db_password
- observium::rootdb_password
- observium::snmpv3_authpass
- observium::snmpv3_cryptopass
- observium::admin_password
If you were relying on these defaults you will need to set them in your control repo hiera before upgrading to 3.0.0. Passwords and other sensitive data in your control repo should be encrypted and protected, see https://www.puppet.com/docs/puppet/8/securing-sensitive-data.html.
Features
- Added support for RHEL9
- Added support for stdlib 9.0 or later. Note: the observium module itself supports stdlib 9, however its dependencies did not. When upgrading to stdlib 9 please ensure you upgrade other dependent modules.
- Incorporated security recommendations from baile320, removal of default passwords.
- Bumped module dependencies to later versions.
- Bumped PDK version to 3.2.0.
- Lint and other minor fixes.
- Added lint, unit and litmus tests within Github actions pipeline.
Thanks to https://github.com/baile320 for their security recommendations for this release. :)
Release 2.0.0
Features
- Added support for Ubuntu 22.04
- Bump PDK to 2.6.1
- Allow users to customise observium installation directory via 'install_dir' parameter.
- Allow users to specify mysql auth mechanism via 'auth_mechanism' parameter.
- Added observium snmp mib locations to snmp.conf. User can customise these via the 'mib_locations' and 'additional_mib_location' parameters.
- Added 'apache_custom_options' parameter to specify custom options for apache::vhost directory.
- Added 'apache_auth_require' parameter to specify Apache auth require
- Added ability to specify Apache error and access log location via parameter.
Bugfixes
- Updated GPG for OpenNMS yum repos. This was causing installations to fail on RHEL7 and 8. https://www.opennms.com/en/blog/2023-02-13-security-update-mandatory-gpg-key-rotation-for-meridian-and-horizon/
Deprecations
- Deprecated support for Ubuntu 18.04
- Dropped Puppet 6 support
- Warning: Upgrading puppetlabs-mysql from version <13 to version >= 13 may cause issues with existing mysql installations. Proceed with caution. This results in any Ubuntu 20.04 or later systems being switched from using mysql to mariadb uncleanly.
Thanks to https://github.com/i0dev for their efforts on this release :)
Release 1.0.0
Features
- First non-beta release.
- Can upgrade to this new version from earlier versions without affecting existing installations.
- Updated module dependencies, removing redundant and deprecated modules.
- Added all dependencies based on dependency dependencies.
- Refactored code to make it easier to debug.
- Setup Rspec testing for module
- Updated module to latest pdk 2.1.0
- Added db_charset option - see reference.
Bugfixes
- Fixed issue causing continuous corrective changes on Ubuntu 20.04, 18.04 and RHEL7.
- Observium installation documentation instructs to install packages which don't exist. This was causing the corrective change on Ubuntu 18.04 and RHEL7.
- Fixed lint issues in code
Release 0.1.3
Features
Bugfixes
- Included php-ldap package by default. Not including this package causes issues if LDAP auth is configured for observium using observium_additional_conf. See https://github.com/benjamin-robertson/observium/pull/1 for more details. Thanks to https://github.com/egypcio
Known Issues
Release 0.1.2
Features
- Initial release
Bugfixes
Known Issues
Dependencies
- puppetlabs/stdlib (>= 9.0.0 < 10.0.0)
- puppet/archive (>7.0.0 < 8.0.0)
- puppetlabs/yumrepo_core (>=1.0.0 < 3.0.0)
- puppetlabs/mysql (>=15.0.0 < 16.0.0)
- puppetlabs/cron_core (>=1.0.0 < 2.0.0)
- puppet/selinux (>=4.0.0 < 5.0.0)
- puppetlabs/apache (>=10.1.0 < 13.0.0)
- puppet/snmp (>=7.0.0 < 8.0.0)
- puppet/firewalld (>=5.0.0 < 6.0.0)
- puppetlabs/firewall (>=6.0.0 < 9.0.0)
- puppet/systemd (>=5.1.0 < 8.0.0)
- puppetlabs/inifile (>=6.1.0 < 7.0.0)
- puppetlabs/concat (>=9.0.0 < 10.0.0)