voxpupuli / puppet-zabbix

Puppet module for creating and maintaining zabbix components with puppet.
https://forge.puppet.com/puppet/zabbix
Apache License 2.0

ListenIP to accept $::fqdn as a value #212

Open pvl7 opened 8 years ago

pvl7 commented 8 years ago

Hello

I have multitenant systems where Zabbix agent binds to the wrong interfaces. Using '*' isn't a solution because, for example, on DMZ systems it may create a security hole. Can't rely on interface naming either as it is not consistent across systems and might not pick up the right nic with default module parameters.

The easy solution that works is to pass the $::fqdn or other fully qualified name to the listenip parameter for the agent, but the Puppet module must translate it to the IP address as Zabbix agent doesn't accept an FQDN as a value. I've made that change in my local fork and it works perfectly. Wondering if you are OK to merge it to the original repo? :)

[11:14]:git diff manifests/agent.pp
diff --git a/manifests/agent.pp b/manifests/agent.pp
index 701dd15..b501021 100644
--- a/manifests/agent.pp
+++ b/manifests/agent.pp
@@ -263,12 +263,19 @@ class zabbix::agent (
   # to network name. If more than 1 interfaces are available, we
   # can find the ipaddress of this specific interface if listenip
   # is set to for example "eth1" or "bond0.73".
+  #
+  # On multitenant systems sometimes useful to feed listenip
+  # with the host's FQDN record to bind on the proper interface.
+  #
   if ($listenip != undef) {
     if ($listenip =~ /^(eth|bond|lxc|eno|tap|tun).*/) {
       $int_name  = "ipaddress_${listenip}"
       $listen_ip = inline_template('<%= scope.lookupvar(int_name) %>')
     } elsif is_ip_address($listenip) or $listenip == '*' {
       $listen_ip = $listenip
+    } elsif is_domain_name($listenip) {
+      $domain_name = $listenip
+      $listen_ip = inline_template('<%= Resolv.getaddress(domain_name) %>')
     } else {
       $listen_ip = $::ipaddress
     }
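
Review bot: the new `elsif is_domain_name($listenip)` branch calls `Resolv.getaddress(domain_name)` with no handling for a failed lookup and takes whichever address comes back first. `Resolv.getaddress` raises `Resolv::ResolvError` when the name has no address, which aborts catalog compilation, and `inline_template` is evaluated where the catalog is compiled, so the answer depends on that host's resolver and hosts file; for a name with several records the first address may be IPv6 or one the node does not own. Suggest `Resolv.getaddresses`, a clear failure on an empty result, and a check of the result against the node's `ipaddress_*` facts before it becomes `$listen_ip`. The branch also sits after the `/^(eth|bond|lxc|eno|tap|tun).*/` test, so an FQDN beginning with one of those prefixes is treated as an interface name and never reaches it. Minor: the added comment reads better as "it is sometimes useful to set listenip to the host's FQDN".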

Thanks, Pavel

bastelfreak commented 8 years ago

Hi,

Are you interested in turning the block into a function, including your changes? We discussed that in https://github.com/voxpupuli/puppet-zabbix/pull/217#discussion_r62984382
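
An added example, not code from puppet-zabbix or from anyone in this thread: one way the listenip selection in the diff could look as a standalone Ruby function. The names `zabbix_listen_ip` and `StubResolver` and the sample facts and DNS table are hypothetical; unlike the diff, it fails instead of falling back to `$::ipaddress` and accepts a resolved address only if the node's own facts report it.

```ruby
require 'resolv'
require 'ipaddr'

# Interface prefixes copied from the regex in the diff above.
IFACE_RE = /\A(eth|bond|lxc|eno|tap|tun)/
# Hostname syntax check; an assumption standing in for stdlib's is_domain_name.
HOST_RE = /\A(?=.{1,253}\z)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.?\z/i

def ip_literal?(value)
  return false if value.include?('/') # IPAddr accepts CIDR; ListenIP wants a plain address
  IPAddr.new(value)
  true
rescue IPAddr::Error
  false
end

# Hypothetical helper, not part of puppet-zabbix.
# listenip: non-empty String (the caller handles undef, as the manifest does)
# facts:    Hash of the node's facts (ipaddress, ipaddress_eth1, ...)
# resolver: anything responding to getaddresses(name); defaults to Ruby's Resolv
def zabbix_listen_ip(listenip, facts, resolver = Resolv)
  return listenip if listenip == '*' || ip_literal?(listenip)

  # Treat the value as an interface only if the node really has that fact,
  # so a hostname such as "ethel.example.com" still reaches the DNS branch.
  iface_ip = facts["ipaddress_#{listenip}"]
  return iface_ip if listenip =~ IFACE_RE && iface_ip

  raise ArgumentError, "invalid listenip #{listenip.inspect}" unless listenip =~ HOST_RE

  # getaddresses returns [] on a failed lookup instead of raising like getaddress.
  addrs = resolver.getaddresses(listenip).map(&:to_s)
  raise ArgumentError, "#{listenip} did not resolve" if addrs.empty?

  # Fail closed: accept only an address the node itself reports.
  local = facts.select { |k, _| k.start_with?('ipaddress') }.values
  addrs.find { |a| local.include?(a) } ||
    raise(ArgumentError, "#{listenip} resolves to #{addrs.join(', ')}, none local to the node")
end

# Constructed sample data: documentation-range addresses and a stub resolver.
SAMPLE_FACTS = { 'ipaddress' => '10.0.0.5', 'ipaddress_eth1' => '192.0.2.10' }.freeze
SAMPLE_DNS = { 'dmz1.example.com' => ['2001:db8::1', '192.0.2.10'],
               'ethel.example.com' => ['10.0.0.5'],
               'other.example.com' => ['198.51.100.7'] }.freeze
StubResolver = Struct.new(:table) { def getaddresses(name); table.fetch(name, []); end }

if __FILE__ == $PROGRAM_NAME
  r = StubResolver.new(SAMPLE_DNS)
  %w[eth1 dmz1.example.com ethel.example.com].each { |v| puts "#{v} -> #{zabbix_listen_ip(v, SAMPLE_FACTS, r)}" }
end
```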

pvl7 commented 8 years ago

Hi

Yes, I thought about it as there are too many inline templates in the block.

bastelfreak commented 8 years ago

That would be cool. Please use our master branch as a base. I removed the inline templates already.

jyaworski commented 8 years ago

There's not a better way to do DNS resolution? That's hideous that we need to call inline_template like that. Would it be better to do the resolution in the template itself rather than in the DSL?

bastelfreak commented 8 years ago

I played a bit with https://forge.puppet.com/dalen/dnsquery which works really great.