# Ansible role to manage Zabbix


This role installs Zabbix pollers, agents and Web UI.

Zabbix agents can be autoconfigured to set up user parameters to fetch stats from various services.
They are made to work with these templates:

Pollers and Web UI are meant to be installed on Debian Stretch. The role could be ported to other
distributions but the work has not yet been done. The Agent can be installed on Debian and
RedHat families.

Please note TLS has been made compulsory for all components.

## Role Logic

In order to separate installation and autodetection, this role provides extra entrypoints which are
intended to be used with the import_role module. Entrypoints are:
* main (default): install the agent and, if the host is a poller, the adequate poller
* agent_detect_config: check for installed services and install specific configuration
* webui: install the PHP Web UI

At the beginning of your play you could install the server:

```yaml
- hosts: all
  roles:
    - role: dc-monitoring
      tls:
        ca_path: "{{ inventory_dir }}/tls/monitoring.crt"
      agent:
        tls:
          cert_path: "{{ inventory_dir }}/tls/monitoring_{{ inventory_hostname | lower }}.crt"
          key_path: "{{ inventory_dir }}/tls/monitoring_{{ inventory_hostname | lower }}.key"
```

If you want to use the autodetection feature, add this at the far end of your play (so that all other services are installed and can be detected):

```yaml
- hosts: all
  tasks:
    - import_role:
        name: dc-monitoring
        tasks_from: agent_detect_config
```

And to install the Web UI:

```yaml
- hosts: all
  tasks:
    - import_role:
        name: dc-monitoring
        tasks_from: webui
      vars:
        title: "My Super Supervision"
        # direct database access is needed
        poller: …
        # you can add extra parameters to the underlying `httpd` role
```


This feature uses the main entrypoint.

This entrypoint first installs the agent. You need to define which server
is going to poll it (passive mode) using `agent.monitored_by` (FQDN or
IP) and the port in `agent.monitored_by_port` if not the default 10050.
You also need to define which server to send data to (active mode) using
`agent.sending_to` (FQDN or IP, can be followed by a colon and a port

Then, if the `poller` structure is defined, it will also install the
poller. `poller.type` needs to be set to either `server` or
`proxy`. Then you need to define which database type it will use to
store the data. A server can use `pgsql` or `mysql`. A proxy can also
use `sqlite3`.

It is recommended to set up secure communications using TLS. The CA
certificate (file path) validating your monitoring installation needs to
be defined by `tls.ca_path`. The agent certificate and private key
should be defined in `agent.tls.cert_path` and `agent.tls.key_path`
respectively. The poller certificate and private key should be defined
in `poller.tls.cert_path` and `poller.tls.key_path` respectively.
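
A pre-flight play for the TLS material described above, as an added example that is not part of the role: on the controller it checks that each host's private key exists with owner-only permissions, that the certificate chains to the monitoring CA, and that certificate and key belong together. The file layout is the one used in the playbook earlier on this page; the variable names `mon_ca`, `mon_cert` and `mon_key` are assumptions, and `openssl` must be available on the controller.

```yaml
# Added example: run before the role. Variable names are illustrative.
- hosts: all
  gather_facts: false
  vars:
    mon_ca: "{{ inventory_dir }}/tls/monitoring.crt"
    mon_cert: "{{ inventory_dir }}/tls/monitoring_{{ inventory_hostname | lower }}.crt"
    mon_key: "{{ inventory_dir }}/tls/monitoring_{{ inventory_hostname | lower }}.key"
  tasks:
    - name: Stat the private key on the controller
      ansible.builtin.stat:
        path: "{{ mon_key }}"
      delegate_to: localhost
      register: key_stat

    - name: Key must exist and be accessible by its owner only
      ansible.builtin.assert:
        that:
          - key_stat.stat.exists
          - key_stat.stat.mode[-2:] == '00'
        fail_msg: "{{ mon_key }} is missing or accessible by group/others"

    - name: Certificate must chain to the monitoring CA
      ansible.builtin.command:
        argv: [openssl, verify, -CAfile, "{{ mon_ca }}", "{{ mon_cert }}"]
      delegate_to: localhost
      changed_when: false

    - name: Extract the public key from the certificate
      ansible.builtin.command:
        argv: [openssl, x509, -in, "{{ mon_cert }}", -noout, -pubkey]
      delegate_to: localhost
      changed_when: false
      register: cert_pub

    - name: Derive the public key from the private key
      ansible.builtin.command:
        argv: [openssl, pkey, -in, "{{ mon_key }}", -pubout]
      delegate_to: localhost
      changed_when: false
      register: key_pub

    - name: Certificate and private key must belong together
      ansible.builtin.assert:
        that: cert_pub.stdout == key_pub.stdout
        fail_msg: "{{ mon_cert }} does not match {{ mon_key }}"
```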

## Agent Autodetection

This feature uses the agent_detect_config entrypoint.

This entrypoint accepts the same parameters as the main entrypoint.

## Agent Permissions

If you need the agent to access specific files on your system, then
you can specify a `special_group` to which it will be added. This is
especially useful if you use the kernel hidepid security feature.
Please note the group needs to be created beforehand.

## Agent Registration

You can optionally ask this role to register the agent into the server.
It is especially useful to take advantage of the service detection to
automatically add templates accordingly. It is possible to override the
list of templates.

Macros are also defined because some are needed for the templates and
take advantage of facts or service autodetection. You can override or
add custom macros.

Here is an example with overrides:

```yaml
- hosts: all
  tasks:
    - import_role:
        name: dc-monitoring
        tasks_from: agent_detect_config
      vars:
        …
        api_user: "supuser"
        api_pw: "suppassword"
        …
          - "Linux servers"
          - "Template System systemd"
          - "My Dear Custom Template"
        …
          HTTPD_BIN: httpd3 # to override autodetection
          REMOVEME: Null # to remove an unwanted macro
```

## Configuration Backup

The database contains all the monitoring configuration (hosts,
templates…), except a few basic settings in the poller's configuration
file. It is recommended to back up the database, but it can be practical
to export the configuration from it in order to have a textual
representation which can be shared with another system.

If the system is a server (not a proxy) and `poller.config_backup` is
True, then a daily backup will be done using the Zabbix CLI tool. The
result can be found in the `/home/zabbix_backup/backup/`
directory. Beware that Zabbix CLI may not yet be able to back up all
important configuration bits, so please check the documentation of the
version available on your system.


ansible-role-zabbix @ master

| Name | Size | Revision | Age | Author | Comment |
|---|---|---|---|---|---|
| defaults | | 52df44fb | 7 months | Marc Dequènes (Duck) | add firewalld support |
| files | | 50bfaef4 | 3 months | Marc Dequènes (Duck) | add configuration backup |
| handlers | | f98ab3e1 | 7 months | Marc Dequènes | Initial release. |
| meta | | f98ab3e1 | 7 months | Marc Dequènes | Initial release. |
| tasks | | 848bda6e | 26 days | Marc Dequènes (Duck) | enable selinux/zabbix_run_sudo for recent CentOS |
| templates | | 50bfaef4 | 3 months | Marc Dequènes (Duck) | add configuration backup |
| vars | | b5823ada | 4 months | Marc Dequènes (Duck) | add mailman3 service |
| | 5.4 KB | 50bfaef4 | 3 months | Marc Dequènes (Duck) | add configuration backup |

Latest revisions

# Date Author Comment
848bda6e 2018-12-24 22:09 Marc Dequènes (Duck)

enable selinux/zabbix_run_sudo for recent CentOS

7e59afab 2018-10-25 10:02 Marc Dequènes (Duck)

Merge branch 'backup'

50bfaef4 2018-10-25 10:00 Marc Dequènes (Duck)

add configuration backup

b5823ada 2018-09-20 10:59 Marc Dequènes (Duck)

add mailman3 service

2bf7f8d3 2018-08-30 18:29 Marc Dequènes (Duck)

improve SELinux settings on F28+

5770202b 2018-08-27 08:30 Marc Dequènes (Duck)

don't rely on PG peer auth, use password

10474c71 2018-07-23 09:15 Marc Dequènes (Duck)

enable/start services

It is done by default on Debian systems but not on RedHat.

88b72c0a 2018-07-11 19:50 Marc Dequènes

use raw block for stat_storage_3ware_units_disco

3c1c0d84 2018-07-11 16:23 Marc Dequènes

registration proxy variable fix

88b13196 2018-07-11 13:59 Marc Dequènes

removing obsolete files is no longer necessary
