diff --git a/docs/deploy/create_server.rst b/docs/deploy/create_server.rst
index 4be9ec75..1e6b457e 100644
--- a/docs/deploy/create_server.rst
+++ b/docs/deploy/create_server.rst
@@ -300,6 +300,11 @@ For Kingfisher servers (instructions are incomplete):
 For Redash servers, see :doc:`redash`.
+For Prometheus:
+
+#. Copy the ``/home/prometheus-server/data`` directory
+#. Update the IP addresses in the ``pillar/prometheus_client.sls`` file, and deploy to all services
+
 6. Update external services
 ---------------------------
diff --git a/docs/develop/update/firewall.rst b/docs/develop/update/firewall.rst
index 81d9d73c..909c9a0b 100644
--- a/docs/develop/update/firewall.rst
+++ b/docs/develop/update/firewall.rst
@@ -117,7 +117,7 @@ You can configure a Hetzner firewall as follows: - - Accept * - Allow Prometheus - - 213.138.113.219/32 + - 139.162.253.17/32 - 0.0.0.0/0 - 0-65535 - 7231
@@ -176,7 +176,7 @@ You can configure a Linode Cloud Firewall as follows:
 * - Allow-Prometheus
 - TCP
 - 7231
- - 213.138.113.219/32, 2001:41c8:51:7db::219/128
+ - 139.162.253.17/32, 2a01:7e00::f03c:93ff:fe13:a12c/128
 - Accept
 Most servers will also have:
diff --git a/docs/develop/update/network.rst b/docs/develop/update/network.rst
index 66469236..37d5580e 100644
--- a/docs/develop/update/network.rst
+++ b/docs/develop/update/network.rst
@@ -21,7 +21,7 @@ Linux networking
 systemd-networkd
 ~~~~~~~~~~~~~~~~
-`systemd-networkd `__ is a system daemon to configure networking, and is our preferred solution for Linode instances. Configurations are available for `Linode`_ and other hosts. The configuration is written to ``/etc/systemd/network/05-eth0.network``.
+`systemd-networkd `__ is a system daemon to configure networking, and is our preferred solution for Linode instances. Configurations are available for Linode and other hosts. The configuration is written to ``/etc/systemd/network/05-eth0.network``.
 Linode template
 ^^^^^^^^^^^^^^^
diff --git a/pillar/maintenance.sls b/pillar/maintenance.sls
deleted file mode 100644
index 03e0fc7b..00000000
--- a/pillar/maintenance.sls
+++ /dev/null
@@ -1,3 +0,0 @@
-maintenance:
- enabled: True
- patching: manual
diff --git a/pillar/prometheus_client.sls b/pillar/prometheus_client.sls
index 808a08fa..1007622c 100644
--- a/pillar/prometheus_client.sls
+++ b/pillar/prometheus_client.sls
@@ -1,6 +1,6 @@
 firewall:
- prometheus_ipv4: 213.138.113.219
- prometheus_ipv6: 2001:41c8:51:7db::219
+ prometheus_ipv4: 139.162.253.17
+ prometheus_ipv6: 2a01:7e00::f03c:93ff:fe13:a12c
 prometheus:
 node_exporter:
diff --git a/pillar/prometheus_server.sls b/pillar/prometheus_server.sls
index 7768b869..371b9792 100644
--- a/pillar/prometheus_server.sls
+++ b/pillar/prometheus_server.sls
@@ -1,9 +1,17 @@
+network:
+ host_id: ocp20
+ ipv4: 139.162.253.17
+ #ipv6: 2a01:7e00::f03c:93ff:fe13:a12c
+ networkd:
+ template: linode
+ gateway4: 139.162.253.1
+
 prometheus:
 prometheus:
 service: prometheus-server
 user: prometheus-server
 basename: prometheus
- version: 2.36.2
+ version: 2.37.6
 local_storage_retention: 120d
 config:
 conf-prometheus.yml: salt://prometheus/files/conf-prometheus.yml
@@ -13,7 +21,7 @@ prometheus:
 service: prometheus-alertmanager
 user: prometheus-alertmanager
 basename: alertmanager
- version: 0.24.0
+ version: 0.25.0
 config:
 conf-alertmanager.yml: salt://prometheus/files/conf-alertmanager.yml
diff --git a/pillar/prometheus_server_maintenance.sls b/pillar/prometheus_server_maintenance.sls
new file mode 100644
index 00000000..60e66eee
--- /dev/null
+++ b/pillar/prometheus_server_maintenance.sls
@@ -0,0 +1,7 @@
+maintenance:
+ enabled: True
+ patching: manual
+ rkhunter_customisation: |
+ ALLOW_SSH_ROOT_USER=yes
+ RTKT_FILE_WHITELIST=/usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9
+ USER_FILEPROP_FILES_DIRS=/usr/lib/x86_64-linux-gnu/libkeyutils.so.1.9
diff --git a/pillar/top.sls b/pillar/top.sls
index b2aa46ee..96270747 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
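Review bot: In the first hunk of pillar/prometheus_server.sls, the `#ipv6:` line in the new `network:` block is commented out with no explanation, while the same commit allow-lists that exact address as `prometheus_ipv6` in pillar/prometheus_client.sls and in the Linode firewall documentation. Whether the server still obtains that address some other way is not visible in this hunk; if it does not, every client firewall carries an allow rule for an address the scraper does not hold. I would either enable the line or add a comment above it, for example `# IPv6 not configured statically because <reason>; keep in sync with prometheus_ipv6 in prometheus_client.sls`.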
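Review bot: The `rkhunter_customisation` block in the new pillar/prometheus_server_maintenance.sls relaxes three rkhunter checks without a comment saying why each is safe on this host. `ALLOW_SSH_ROOT_USER=yes` makes rkhunter accept root SSH login as enabled; the sshd configuration is not part of this diff, but the value should mirror the actual `PermitRootLogin` setting so that a later loosening of it is still reported. For the library whitelist I would add a comment such as `# libkeyutils.so.1.9 belongs to the distribution package; verified against the package database on <date>`, and keep the `USER_FILEPROP_FILES_DIRS` entry so the file's properties stay monitored after it is exempted from the rootkit-file check.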
@@ -10,14 +10,12 @@ base:
 - cove_oc4ids
 - cove_oc4ids_maintenance
 - private.cove_oc4ids
- - maintenance
 'cove-ocds':
 - cove
 - cove_ocds
 - cove_ocds_maintenance
 - private.cove_ocds
- - maintenance
 'docs':
 - docs
@@ -43,7 +41,7 @@ base:
 - prometheus_server
 - private.smtp
 - private.prometheus_server
- - maintenance
+ - prometheus_server_maintenance
 'redash':
 - redash
diff --git a/salt-config/roster b/salt-config/roster
index 741e45da..968227d5 100644
--- a/salt-config/roster
+++ b/salt-config/roster
@@ -5,7 +5,7 @@ cove-ocds: ocp18.open-contracting.org
 docs: ocp07.open-contracting.org
 kingfisher-process: ocp04.open-contracting.org
 kingfisher-replica: ocp05.open-contracting.org
-prometheus: ocp03.open-contracting.org
+prometheus: ocp20.open-contracting.org
 redash: ocp14.open-contracting.org
 redmine: ocp16.open-contracting.org
 registry:
diff --git a/salt/core/systemd/files/prometheus-alertmanager.service b/salt/core/systemd/files/prometheus-alertmanager.service
index 73f4ba5a..51d67d2c 100644
--- a/salt/core/systemd/files/prometheus-alertmanager.service
+++ b/salt/core/systemd/files/prometheus-alertmanager.service
@@ -8,6 +8,7 @@ Group={{ user }}
 ExecReload=/bin/kill -HUP $MAINPID
 ExecStart=/home/{{ user }}/{{ entry.basename }}-{{ entry.version }}.{{ grains.kernel|lower }}-{{ grains.osarch }}/{{ entry.basename }} \
 --web.listen-address 127.0.0.1:9095 \
+ --cluster.listen-address ""\
 --config.file /home/{{ user }}/conf-alertmanager.yml \
 {%- if salt['pillar.get']('apache:sites:prometheus-alertmanager:servername') %}
 --web.external-url https://{{ pillar.apache.sites['prometheus-alertmanager'].servername }}/ \
diff --git a/salt/prometheus/files/conf-prometheus.yml b/salt/prometheus/files/conf-prometheus.yml
index a6c21c82..c1837d46 100644
--- a/salt/prometheus/files/conf-prometheus.yml
+++ b/salt/prometheus/files/conf-prometheus.yml
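Review bot: In salt/core/systemd/files/prometheus-alertmanager.service, the added `--cluster.listen-address ""\` line has no space before the continuation backslash, unlike the other flag lines of this `ExecStart`, and it relies on the unit-file parser turning `""` into an empty argument. Writing it as `--cluster.listen-address= \` states the empty value without depending on quoting. The intent is also undocumented: a comment above `ExecStart`, such as `# Empty cluster.listen-address disables the HA cluster listener; this Alertmanager runs single-node`, would record why the flag is there. The `ExecStart` command continues past the end of the hunk.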
@@ -16,7 +16,7 @@ scrape_configs:
 'ocds-kingfisher-replica': 'ocp05.open-contracting.org',
 'ocds-kingfisher2': 'ocp04.open-contracting.org',
 'ocds-live.docs': 'ocp07.open-contracting.org',
- 'prometheus-server-node': 'ocp03.open-contracting.org',
+ 'prometheus-server-node': 'ocp20.open-contracting.org',
 'data-registry': 'ocp13.open-contracting.org',
 'redash': 'ocp14.open-contracting.org',
 'redmine': 'ocp16.open-contracting.org',