drop root where possible, add notes about what plugins need access to

4c6a7ecb · taggart · cd96c114 · 4c6a7ecb
Commit 4c6a7ecb authored Jul 10, 2012 by taggart
--- a/manifests/munin.pp
+++ b/manifests/munin.pp
-# FIXME right now this class has some hard coded paths to the sympa spool, logs, etc.
+# sympa munin plugins
+# some of these plugins need database access, ensure that the munin user
+# has access by giving that user a .my.cnf file that gives them read-only
+# access to whereever the database is
+# FIXME right now this class has some hard coded paths to the sympa spool,
+#  logs, etc.

 class sympa::munin {

@@ -25,19 +30,22 @@ class sympa::munin {
  }
  
  munin::plugin { 
+    # only needs to run ps, so can run as munin
    "sympaps":
      ensure => "multips",
-      config => "user root\nenv.names wwsympa sympa archived task_manager bounced bulk\nenv.regex_sympa ^[0-9]* /usr/bin/perl /home/sympa/bin/sympa.pl\nenv.regex_archived ^[0-9]* /usr/bin/perl /home/sympa/bin/archived.pl\nenv.regex_task_manager ^[0-9]* /usr/bin/perl /home/sympa/bin/task_manager.pl\nenv.regex_bounced ^[0-9]* /usr/bin/perl /home/sympa/bin/bounced.pl\nenv.regex_bulk ^[0-9]* /usr/bin/perl /home/sympa/bin/bulk.pl\n";
+      config => "user munin\nenv.names wwsympa sympa archived task_manager bounced bulk\nenv.regex_sympa ^[0-9]* /usr/bin/perl /home/sympa/bin/sympa.pl\nenv.regex_archived ^[0-9]* /usr/bin/perl /home/sympa/bin/archived.pl\nenv.regex_task_manager ^[0-9]* /usr/bin/perl /home/sympa/bin/task_manager.pl\nenv.regex_bounced ^[0-9]* /usr/bin/perl /home/sympa/bin/bounced.pl\nenv.regex_bulk ^[0-9]* /usr/bin/perl /home/sympa/bin/bulk.pl\n";
  }

  munin::plugin {
+    # only needs to run find in spool/ dirs, so can run as munin
    "sympa_queue":
      ensure => "sympa_queue",
-      config => "user root\nenv.spooldir /home/sympa/spool\n",
+      config => "user munin\nenv.spooldir /home/sympa/spool\n",
      script_path_in => "/usr/local/share/munin-plugins";
  }
  
  munin::plugin {
+    # needs to be able to read logs in /var/log/sympa
    "sympa_stats":
      ensure => "sympa_stats",
      config => "user root\nenv.logfile /var/log/sympa/sympa.log\n",
@@ -45,23 +53,26 @@ class sympa::munin {
  }
  
  munin::plugin {
+    # needs db access, can run as munin
    "sympa_subscribers":
      ensure => "sympa_subscribers",
-      config => "user root\n",
+      config => "user munin\n",
      script_path_in => "/usr/local/share/munin-plugins";
  }
  
  munin::plugin {
+    # needs db access, can run as munin
    "sympa_lists":
      ensure => "sympa_lists",
-      config => "user root\n",
+      config => "user munin\n",
      script_path_in => "/usr/local/share/munin-plugins";
  }

  munin::plugin {
+    # needs db access, can run as munin
    "sympa_users":
      ensure => "sympa_users",
-      config => "user root\n",
+      config => "user munin\n",
      script_path_in => "/usr/local/share/munin-plugins";
  }
 }