Migration of Nagios -> Zabbix project, new plan

Howdy folks,

As part of my gradual induction into the Infra team, I’ve learned that some while ago there was a plan to migrate Fedora from Nagios to Zabbix - that’s Pagure 11393 for the history. This seemed like an ideal thing to work on - it’s a good idea on it’s own, but it also gets me hands on with most (if not all) of the infra.

As I was looking into how to go about doing this, we also had interest from some other members of the wider infra team, notably @dkirwan (who was involved in the last attempt) and @markrosenbaum. So, it made sense to put our heads together and start figuring out some next steps.

The result is listed at Fedora Zabbix Planning doc & notes - HackMD where we’re going into a fair amount of detail about what we want to achieve, but broadly its:

• Get Zabbix updated to 7.0 in STG (already done, at least for the server)
• Check the worst of the custom Nagios checks can be ported to Zabbix, so we have confidence that all the checks can be ported in time
• Implement as much in STG as we can to test
• Roll out to Prod once we’re confident it’ll work

More details can be found in the doc, and once we’re rolling we will create any needed tickets or other supporting things. We’re happy to have input (or more volunteers!) on the plans

Wonderful news and great write up! The plan, risks, mistakes, challenges, and the recommendation to freeze nagios in Phase 3 all make a lot of sense!

Zabbix server is now at 7.0LTS in both STG and Prod!

That is a good plan, one thing to take in consideration is that we also want to use AWX with Fedora Ansible repository, which will need a change in the structure of the repository. That could affect the Zabbix work as well.

@zlopez so I’ve tried to keep that in mind - unfortunately that’s a massive project in it’s own right, and the only way I think we could really keep that clean here is to start a new Ansible repo just for monitoring. That feels risky, to me - we’d be creating a split brain problem and dealing with two problems at once (Zabbix, and Ansible). The split brain is inevitable when we tackle this, but at least it can be limited to just Ansible…

However, this is why I’m thinking about how we can move any needed agent monitoring out into tasks/monitoring.yml so that we’re not adding further trouble for ourselves down the road.

I’m doing a spike on how the checks are currently being deployed right now, for both Nagios and Zabbix, and comparing that to other Zabbix deployments I’m aware of, to see what I can learn & form some opinions. I’ll have some results in a few days, I hope!

Hey Greg. Thanks for taking this on.

A few comments:

I’m not sure ‘moving’ things from nagios to zabbix is going to work
well. Or I guess I might not be clear on what you are proposing there.

The reason I say this is two fold: First, removing just specific things
from nagios is likely to be difficult since it generates everything via
ansible templates from inventory. We did have some way to say ‘no
monitoring on this machine’ but it’s clearly not working because we
tried to do this with ‘logdetective02.fedoraproject.org’ and it’s not
working. Secondly, if we remove a check from nagios and add it to
zabbix, we now need to make sure we pay attention to both of them and it
might not be clear whats “only in zabbix” now.

So, I’d suggest just perhaps keeping track somewhere of what is
considered ‘working in zabbix’ as they are moved and then shutting off
nagios (or perhaps just not redeploying it in the new dc?)

Otherwise looks great thanks for working on this!

OK, so “port” might have been a bad choice of words. What I mean is “copy”, I think, but I avoided that because I don’t necessarily mean “direct copy”, but rather getting staging Zabbix monitoring the same things Nagios - just not perhaps in the same way, if need be. So, copying the end state, I think?

That means we can (at least operationally) ignore Zabbix until we hit the point of it being “done”, because we’re not removing things from Nagios - and the Nagios freeze is only for Prod, by which time most of the Ansible code should have been testing in Staging, and the bulk of the Prod migration can be pretty quick. It does mean we have to choose one of those two scenarios (either finding a way to disable hosts in Nagios, or watching both systems) but hopefully for a short window.

Ultimately it’s about confidence, because we have to trust our monitoring, so before we go to Prod, we have to be happy that Staging is working.

I should add that while I see your point on removing hosts from Nagios because of the Ansible inventory, I hope we can move checks inside Ansible, since that code is defined in one place. But as I said above, I’m still diving into the exact deployment code this week, so I’ll put out more detail on that once I’ve absorbed some things

OK, taking some of this on board, and also some discussions I had with @kevin yesterday, I’ve updated the doc with a few extra points. You can search for “19/3” since I tagged my changes with the date, but briefly:

• A note about Koji builders needing much lighter checks
• Comment about templates we already have Ansible code for
• Thoughts about cleanup of templates/triggers on staging Zabbix
• A note that we’ll want to think about OpenShift monitoring

I’m looking at some initial explorations with a few of the staging hosts in the next few days

Thanks, That all looks good to me.

Note that it’s not just koji builders, but also the vmhosts that host
those builders (but thats pretty obvious).

Thanks!

Time for an update. As a reminder, the ongoing planning & notes are in the HackMD.

So, right now we are mostly done with phase 0. Staging Zabbix has these changes:

• Updated to 7.0.11
• Had it’s templates cleaned up so we can see what we’re doing
• Switched to native Zabbix Matrix notifications
• Set up a new Zabbix bot to route those notifications to #fedora-zodbot:fedora.im
• New templates created
  • the first is a base template with minimal triggers, suitable for all hosts, even Koji builders
  • the second adds the remaining checks from the upstream base as a dependant
• Autoregistration is pointed at the first template so all hosts get something
• All existing hosts have been moved to the first / second template as appropriate
  • This should cut down on the spam from the bvm* hosts since they are in the basic “autoregister” template

This has all been added to Ansible so it can be kept correct.

Next steps are to start the work of porting service monitoring to Zabbix. There’s already some examples of this in the codebase, so I’ll be starting there

Hello folks, it’s been a while. This obviously got paused during the DC move, as that had priority. As such I’ve not touched it in a few months.

However, with the DC move done, I’m picking it back up. As of this week, we have:

• Base Zabbix updated to 7.0
• SAML integration deployed (you can log in with a FAS account now, and JIT provisioning appears to work)
• Core templates deployed and auto-registration enabled
• Ability to easily override templates thresholds from Ansible added to inventory vars
• Matrix notifications set up

That’s a good base, and I’ve rolled that out to prod as well, so you can log in to either zabbix.fedoraproject.org or zabbix.stg.fedoraproject.org with your FAS account.

Right now, any FAS account gets read-only view, sysadmin-noc gets Admin rights (so can ack things or edit thresholds) and sysadmin-main gets Superadmin rights (everything). That likely needs some tweaking, but it’s broadly where we want it to be, I think. Likewise I forsee changes to minor things like which Matrix room notifications go to, and suchlike. Largely though, I think the core setup is solid.

So, in the next weeks I’ll be moving on to the “pick an application and monitor it” phase where we copy stuff from Nagios to Zabbix, at least in terms of what we monitor (the how might be different ofc). I’m also looking at how we make it easy to deploy monitoring from a given application role, so it’s kept in one place (right now I think the easiest way is a set of templates deployed in the server role, and then an application just needs to add itself to the relevant group, but I’m still experimenting).

Onwards

Good afternoon infra-folk, time for a Zabbix update

As we go into F43 beta freeze, the current state is that pretty much all the hosts we monitor in Nagios are now present in Zabbix. Last week I added the zabbix_agent role to all the remaining playbooks and ran them, so any host which ran the nagios_client role now have Zabbix too^[1]

There are still a bunch of ping-only hosts that do not run an agent (builders, mgmt interfaces, external services) monitored direct from the server - these are ~50% done but not complex and will get finished off.

That means we’re ready to tackle services. I looked at the ~1100 services we currently monitor, and then removed all the ones we already get for “free” from the base template (such as disk, swap, cpu, etc). I then did my best to group/count them, and here’s what I got:

    131 Rsyslogd Process
    129 mail_queue
     63 http-*
     60 Check queue *
     31 Zombie Processes
     31 SSH-virtservers
     31 Cron Daemon
     23 IPA Free IDs
     21 Check datanommer *
     20 ICMP-Ping4-vm-builders
     11 Check_Raid
      8 vpnclients
      8 Check MirrorList * Cache
      7 Check bus *
      6 Check bus server *
      5 Check Fedora countme *
      5 Check CentOS countme *
      4 Varnish Process
      4 proxy* mirrorlist docker container
      4 Check TicketKey age
      4 Check proxies for oversubscription
      4 Check ostree summary age
      3 IPA Replication Status
      3 Check FAS DB
      2 SSH-bastion
      2 openvpn CRL expiry
      2 DNS: fp.o
      2 Check * memcached daemon
      1 Sigul bridge Process
      1 Service
      1 Redis/celery queue
      1 mail_queue_redhat
      1 http(s)-*
      1 Check read-only filesystem
      1 Check NFS File Locks
      1 Check Nagios
      1 Check MySQL Backup
      1 Check Merged Log
      1 check mailman api
      1 Check Koji*
      1 certgetter-http

I may have grouped wrongly is some cases, but still, thats ~40 types of thing to monitor, which is not so bad.

As a start, I looked at the mail_queue item, which runs mailq and alerts if mails are stuck. It’s fairly trivial to set up in Zabbix, and looks like this:

• add a one-line file to the drop-in conf dir, eg /etc/zabbix/zabbix_agentd.d/mailqueue.conf
• content looks like: UserParameter=item.key,thing-to-run | processing-stuff
  • this makes the item available to monitor via the agent
• add item.key to a Zabbix template, and appropriate triggers
• add the template to the appropriate hosts
  • the agent on those hosts will then start running the command and reporting the value

Now, this throws up 2 questions. Firstly, and probably easier to answer - the agent will hit SELinux restrictions on running the commands that the NRPE agent runs, because we built a policy for NRPE. I’m researching how other Zabbix users handle SELinux, but I’m leaning towards building a new policy to distribute with the agent. Opinions welcome on this - and I’m also going to take a look to the Ansible community and see if how we deploy selinux policies is still solid.

Second, and more philosophical, is where to put the Ansible code for each check. Today, we have everything in the Nagios server role - but I’m already seeing instances of hosts/services missing in places you’d expect them (certainly one or two of the ping-only mgmt interfaces in rdu3 are). My instinct here is to lean towards the Zabbix monitoring code being added to the role that deploys the service (so, postfix for the check above) - this means that adding the role automatically deploys the necessary monitoring too.

Does this approach make sense / concern anyone? (especially @kevin @james @phsmoura :P) There will always be some things that have be run against the Zabbix server directly (such as the OCP workers, which we don’t run Ansible on today), but I’d like to keep that to a minimum, and have hosts declare their own monitoring needs. I’m trialling some of these ideas out on STG during the freeze, so I can link to PRs with example implementations if that helps.

The best news is that once we’ve agreed the pattern, it should be fairly straightforward to crank through the list above and implement the service templates - and then we’re really close to retiring Nagios . Oh, and if any of those services aren’t needed anymore, let me know, I’ll be glad to ignore them!

1. with the exception of autosign01 which needs special handling due to the security lockdown ↩︎

Thank you so much for all this work. I will be so happy when I do a git pull of the infrastructure ansible and all of the nagios are removed from my tree.

Great progress!

On selinux, yeah, we probibly need to make a custom policy that allows the things we want to allow.

Adding the monitoring to the role makes a good amount of sense. As long as we don’t think we are going to often be trying to make changes to all of them, then they are more scattered, but I suspect that won’t happen very often if ever.

So, for me on this plan. There’s fewer kinds of service checks than I thought there would be.