Merge remote-tracking branch 'adsb/fordsa'

* adsb/fordsa:
  dsa-check-soas: fix error when 0 (or more than 1) records returned

diff --git a/config/nagios-master.cfg b/config/nagios-master.cfg
index 6f65a23..b659622 100644 (file)
--- a/config/nagios-master.cfg
+++ b/config/nagios-master.cfg
@@ -20,145 +20,140 @@ servers:
     pingable: false
     check_command: dsa_check_always_ok
   gw-1und1-sec:
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: notacomputer
     pingable: false
     check_command: dsa_check_always_ok
   gw-accumu:
     address: 130.239.18.97
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-accumu2:
     address: 130.242.6.198
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-aql:
     address: 141.170.2.19
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-bytemark:
     address: 89.16.160.116
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-c3sl:
     address: 200.17.202.254
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-cecsit:
     address: 150.203.164.1
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-arm:
     address: 213.104.121.213
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-brown:
     address: 138.16.160.1
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-conova:
     address: 217.196.149.238
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-csail:
     address: 128.31.0.1
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-dgi:
     address: 93.94.130.190
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-freenet:
     address: 62.104.23.249
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-gatech:
     address: 128.61.240.1
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-grnet:
     address: 194.177.211.193
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-isc:
     # really henet, because of something weird
     address: 72.52.94.70
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-leaseweb:
     address: 185.17.185.190
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-manda:
     address: 82.195.78.118
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-marist:
     address: 148.100.88.1
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-osuosl:
     address: 140.211.166.1
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-sakura:
     address: 133.242.99.65
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-sanger:
-    address: 193.62.202.20
-    parents: gw-ubcece
+    address: 193.62.202.25
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
     contacts: tjrc1, dave
   gw-scanplus-lobos:
     address: 212.211.132.249
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-scanplus-villa:
     address: 212.211.132.1
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-sil:
     address: 86.59.118.145
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-skroutz1:
     address: 154.57.0.249
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-skroutz2:
     address: 154.57.0.250
-    parents: gw-ubcece
-    hostgroups: layer3-infrastructure
-  gw-ubcece:
-    address: 206.12.19.254
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
-    contacts: lfilipoz
   gw-umn:
     address: 128.101.240.222
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-unicamp:
     address: 143.106.167.113
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-utwente:
     address: 130.89.149.1
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-ynic:
     # really janet, because ynic is stupid about firewalling
-    address: 146.97.71.46
-    parents: gw-ubcece
+    address: 144.32.255.227
+    parents: ubc-gateway
     hostgroups: layer3-infrastructure
   gw-zivit:
-    parents: gw-ubcece
+    parents: ubc-gateway
     hostgroups: notacomputer
     pingable: false
     check_command: dsa_check_always_ok
   ubc-gateway:
     address: 209.87.16.254
-    parents: gw-ubcece
     hostgroups: layer3-infrastructure
   # }}}
   # {{{ servers
@@ -166,105 +161,105 @@ servers:
   schumann:
     address: 212.227.126.54
     parents: gw-1und1-sec
-    hostgroups: computers, service, apache2-hosts, rsyncd-hosts, stretch, security_mirror, hassrvfs, pe1950
+    hostgroups: computers, service, apache2-hosts, rsyncd-hosts, buster, security_mirror, hassrvfs, pe1950, physical_x86_intel
   wieck:
     address: 195.20.242.89
     parents: gw-1und1-sec
-    hostgroups: computers, service, apache2-hosts, rsyncd-hosts, stretch, security_mirror, hasvarlogfs, no-bacula, pe1950
+    hostgroups: computers, service, apache2-hosts, rsyncd-hosts, stretch, security_mirror, hasvarlogfs, no-bacula, pe1950, physical_x86_intel
   # }}}
   # {{{ gw-accumu
   pettersson:
     address: 130.239.18.123
     parents: gw-accumu
-    hostgroups: computers, hasbootfs, aacraid, nfs-client, service, apache2-hosts, stretch, autofs, sw-raid
+    hostgroups: computers, hasbootfs, aacraid, nfs-client, service, buster, autofs, sw-raid, physical_x86_intel
     contacts: zobel, tfheen, lfilipoz, zumbi, jcristau, pabs, aurel32, dsa-nsa
     contact_groups: ""
   mirror-accumu:
     address: 130.242.6.199
     parents: gw-accumu2
-    hostgroups: computers, service, stretch, apache2-hosts, hassrvfs, rsyncd-hosts
+    hostgroups: computers, service, stretch, apache2-hosts, hassrvfs, rsyncd-hosts, physical_x86_intel
   # }}}
   # {{{ gw-aql
   eller:
     address: 141.170.6.156
     parents: gw-aql
-    hostgroups: computers, porterbox, stretch, hassrvfs
+    hostgroups: computers, porterbox, buster, hassrvfs
   mips-aql-01:
     address: 141.170.6.149
     parents: gw-aql
-    hostgroups: computers, buildd, stretch, nfs-client
+    hostgroups: computers, buildd, buster, nfs-client
   mips-aql-02:
     address: 141.170.6.150
     parents: gw-aql
-    hostgroups: computers, buildd, stretch, nfs-client
+    hostgroups: computers, buildd, buster, nfs-client
   mips-aql-04:
     address: 141.170.6.154
     parents: gw-aql
-    hostgroups: computers, buildd, stretch, nfs-client
+    hostgroups: computers, buildd, buster, nfs-client
   mips-aql-05:
     address: 141.170.6.155
     parents: gw-aql
-    hostgroups: computers, buildd, stretch, nfs-client
+    hostgroups: computers, buildd, buster, nfs-client
   mips-aql-06:
     address: 141.170.6.157
     parents: gw-aql
-    hostgroups: computers, buildd, stretch, hassrvfs
+    hostgroups: computers, buildd, buster, hassrvfs
   minkus:
     address: 141.170.6.151
     parents: gw-aql
-    hostgroups: computers, porterbox, stretch, nfs-client
+    hostgroups: computers, porterbox, buster, nfs-client
   mipsel-aql-01:
     address: 141.170.6.152
     parents: gw-aql
-    hostgroups: computers, buildd, stretch, hassrvfs, hasbootfs, sw-raid
+    hostgroups: computers, buildd, buster, hassrvfs, hasbootfs, sw-raid
   mipsel-aql-02:
     address: 141.170.6.153
     parents: gw-aql
-    hostgroups: computers, buildd, stretch, hassrvfs, hasbootfs, sw-raid
+    hostgroups: computers, buildd, buster, hassrvfs, hasbootfs, sw-raid
   mipsel-aql-03:
     address: 141.170.6.158
     parents: gw-aql
-    hostgroups: computers, buildd, stretch, hassrvfs
+    hostgroups: computers, buildd, buster, hassrvfs
   # }}}
   # {{{ gw-arm
   abel:
     address: 217.140.96.56
     parents: gw-arm
-    hostgroups: computers, hasbootfs, hassrvfs, porterbox, stretch, broken_mq
+    hostgroups: computers, hasbootfs, hassrvfs, porterbox, buster, broken_mq
   arnold:
     address: 217.140.96.57
     parents: gw-arm
-    hostgroups: computers, hasbootfs, hassrvfs, buildd, stretch, broken_mq
+    hostgroups: computers, hasbootfs, hassrvfs, buildd, buster, broken_mq
   arm-arm-01:
     address: 217.140.96.58
     parents: gw-arm
-    hostgroups: computers, hassrvfs, buildd, stretch, broken_mq, sw-raid
+    hostgroups: computers, hassrvfs, buildd, buster, broken_mq, sw-raid
   arm-arm-03:
     address: 217.140.96.60
     parents: gw-arm
-    hostgroups: computers, hassrvfs, buildd, stretch, broken_mq, sw-raid
+    hostgroups: computers, hassrvfs, buildd, buster, broken_mq, sw-raid
   arm-arm-04:
     address: 217.140.96.61
     parents: gw-arm
-    hostgroups: computers, hassrvfs, buildd, stretch, broken_mq, sw-raid
+    hostgroups: computers, hassrvfs, buildd, buster, broken_mq, sw-raid
   harris:
     address: 217.140.96.66
     parents: gw-arm
-    hostgroups: computers, hasbootfs, hassrvfs, stretch, armhf, porterbox, broken_mq
+    hostgroups: computers, hasbootfs, hassrvfs, buster, armhf, porterbox, broken_mq
   hartmann:
     address: 217.140.96.67
     parents: gw-arm
-    hostgroups: computers, hasbootfs, hassrvfs, stretch, armhf, buildd, broken_mq
+    hostgroups: computers, hasbootfs, hassrvfs, buster, armhf, buildd, broken_mq
   hoiby:
     address: 217.140.96.71
     parents: gw-arm
-    hostgroups: computers, hasbootfs, hassrvfs, armhf, stretch, buildd, broken_mq
+    hostgroups: computers, hasbootfs, hassrvfs, armhf, buster, buildd, broken_mq
   # }}}
   # {{{ gw-brown
   fasolo:
     address: 138.16.160.17
     parents: gw-brown
-    hostgroups: computers, service, apache2-hosts, apache-https, dl380, rsyncd-hosts, stretch, hassrvfs, postgres96-hosts, manyprocesses
+    hostgroups: computers, service, apache2-hosts, apache-https, dl380, rsyncd-hosts, stretch, hassrvfs, postgres96-hosts, manyprocesses, physical_x86_intel
   # }}}
   # {{{ gw-bytemark
   bm-bl1:
@@ -340,24 +335,16 @@ servers:
     address: 5.153.231.4
     parents: gw-bytemark
     hostgroups: computers, service, kvmdomains, stretch, apache2-hosts, no-bacula, apache-https, nfs-server, systemd-timesyncd
-  adayevskaya:
-    address: 5.153.231.5
-    parents: gw-bytemark
-    hostgroups: computers, service, kvmdomains, stretch, systemd-timesyncd
   pejacevic:
     address: 5.153.231.6
     parents: gw-bytemark
-    hostgroups: computers, service, kvmdomains, stretch, apache2-hosts, nfs-client, autofs, apache-https, systemd-timesyncd
+    hostgroups: computers, service, kvmdomains, buster, apache2-hosts, nfs-client, autofs, apache-https, systemd-timesyncd
     contacts: holger
   piu-slave-bm-a:
     address: 5.153.231.7
     parents: gw-bytemark
-    hostgroups: computers, service, kvmdomains, stretch, nfs-client, autofs, systemd-timesyncd
+    hostgroups: computers, service, kvmdomains, buster, nfs-client, autofs, systemd-timesyncd
     contacts: holger
-  binet:
-    address: 5.153.231.8
-    parents: gw-bytemark
-    hostgroups: computers, buildd, hassrvfs, kvmdomains, stretch, systemd-timesyncd
   bmdb1:
     address: 5.153.231.10
     parents: gw-bytemark
@@ -373,55 +360,15 @@ servers:
   backuphost:
     address: 5.153.231.12
     parents: ganeti-bytemark
-    hostgroups: computers, hassrvfs, kvmdomains, stretch, systemd-timesyncd
-  philp:
-    address: 5.153.231.13
-    parents: ganeti-bytemark
-    hostgroups: computers, hassrvfs, kvmdomains, stretch, apache2-hosts, apache-https, systemd-timesyncd, broken_https_default_vhost
-  rainier:
-    address: 5.153.231.16
-    parents: ganeti-bytemark
-    hostgroups: computers, kvmdomains, stretch, systemd-timesyncd
-  rapoport:
-    address: 5.153.231.15
-    parents: ganeti-bytemark
-    hostgroups: computers, kvmdomains, stretch, systemd-timesyncd
+    hostgroups: computers, hassrvfs, kvmdomains, buster, systemd-timesyncd
   delfin:
     address: 5.153.231.17
     parents: ganeti-bytemark
-    hostgroups: computers, hassrvfs, kvmdomains, stretch, apache2-hosts, apache-https, nfs-client, autofs, systemd-timesyncd
-  wuiet:
-    address: 5.153.231.18
-    parents: ganeti-bytemark
-    hostgroups: computers, general, kvmdomains, stretch, service, apache-https, apache2-hosts, heavy-exim, systemd-timesyncd
-  dinis:
-    address: 5.153.231.19
-    parents: ganeti-bytemark
-    hostgroups: computers, general, kvmdomains, stretch, hassrvfs, systemd-timesyncd
-  donizetti:
-    address: 5.153.231.20
-    parents: ganeti-bytemark
-    hostgroups: computers, general, kvmdomains, stretch, nfs-client, autofs, systemd-timesyncd
+    hostgroups: computers, hassrvfs, kvmdomains, buster, apache2-hosts, apache-https, nfs-client, autofs, systemd-timesyncd
   dillon:
     address: 5.153.231.22
     parents: ganeti-bytemark
     hostgroups: computers, general, kvmdomains, stretch, nfs-client, autofs, hassrvfs, systemd-timesyncd
-  ticharich:
-    address: 5.153.231.23
-    parents: ganeti-bytemark
-    hostgroups: computers, general, kvmdomains, stretch, nfs-client, autofs, apache2-hosts, apache-https, service, broken_https_default_vhost, systemd-timesyncd
-  petrova:
-    address: 5.153.231.25
-    parents: ganeti-bytemark
-    hostgroups: computers, kvmdomains, stretch, apache2-hosts, apache-https, systemd-timesyncd
-  olin:
-    address: 5.153.231.26
-    parents: ganeti-bytemark
-    hostgroups: computers, kvmdomains, stretch, systemd-timesyncd
-  barriere:
-    address: 5.153.231.27
-    parents: ganeti-bytemark
-    hostgroups: computers, service, kvmdomains, stretch, hassrvfs, porterbox, systemd-timesyncd
   quantz:
     address: 5.153.231.28
     parents: ganeti-bytemark
@@ -430,55 +377,19 @@ servers:
     address: 5.153.231.29
     parents: ganeti-bytemark
     hostgroups: computers, service, kvmdomains, stretch, hassrvfs, nfs-client, autofs, systemd-timesyncd
-  paradis:
-    address: 5.153.231.30
-    parents: ganeti-bytemark
-    hostgroups: computers, service, kvmdomains, stretch, hassrvfs, apache2-hosts, apache-https, systemd-timesyncd
-  x86-bm-01:
-    address: 5.153.231.32
-    parents: ganeti-bytemark
-    hostgroups: computers, pybuildd, hassrvfs, kvmdomains, stretch, systemd-timesyncd
   tate:
     address: 5.153.231.33
     parents: ganeti-bytemark
     hostgroups: computers, service, kvmdomains, stretch, autofs, nfs-client, apache2-hosts, apache-https, systemd-timesyncd
-  gideon:
-    address: 5.153.231.34
-    parents: ganeti-bytemark
-    hostgroups: computers, service, kvmdomains, stretch, hassrvfs, systemd-timesyncd
-  lindsay:
-    address: 5.153.231.36
-    parents: ganeti-bytemark
-    hostgroups: computers, service, kvmdomains, stretch, autofs, nfs-client, systemd-timesyncd
   sor:
     address: 5.153.231.38
     parents: ganeti-bytemark
     hostgroups: computers, service, kvmdomains, stretch, hassrvfs, apache2-hosts, apache-https, autofs, nfs-client, systemd-timesyncd
-  jerea:
-    address: 5.153.231.39
-    parents: ganeti-bytemark
-    hostgroups: computers, service, kvmdomains, stretch, hassrvfs, apache2-hosts, apache-https, systemd-timesyncd
-  mekeel:
-    address: 5.153.231.40
-    parents: ganeti-bytemark
-    hostgroups: computers, service, kvmdomains, stretch, hassrvfs, nfs-client, autofs, systemd-timesyncd
-  pinel:
-    address: 5.153.231.42
-    parents: ganeti-bytemark
-    hostgroups: computers, service, kvmdomains, stretch, hassrvfs, apache2-hosts, apache-https, nfs-client, autofs, heavy-exim, systemd-timesyncd
-  rusca:
-    address: 5.153.231.43
-    parents: ganeti-bytemark
-    hostgroups: computers, service, kvmdomains, stretch, hassrvfs, systemd-timesyncd
-  manziarly:
-    address: 5.153.231.44
-    parents: ganeti-bytemark
-    hostgroups: computers, service, kvmdomains, stretch, autofs, nfs-client, apache2-hosts, apache-https, systemd-timesyncd
 
   casulana:
     address: 5.153.231.41
     parents: gw-bytemark
-    hostgroups: computers, service, stretch, hassrvfs, dl380, manyprocesses, apache2-hosts
+    hostgroups: computers, service, buster, hassrvfs, dl380, manyprocesses, apache2-hosts, physical_x86_intel
     contacts: zobel, tfheen, lfilipoz, zumbi, jcristau, pabs, aurel32, dsa-nsa
     contact_groups: ""
   # }}}
@@ -486,14 +397,14 @@ servers:
   santoro:
     address: 200.17.202.197
     parents: gw-c3sl
-    hostgroups: computers, service, apache2-hosts, rsyncd-hosts, hassrvfs, stretch, high-RTT, security_mirror, no-bacula, apache-https
+    hostgroups: computers, service, apache2-hosts, rsyncd-hosts, hassrvfs, stretch, high-RTT, security_mirror, no-bacula, apache-https, physical_x86_intel
     contacts: faw
   # }}}
   # {{{ gw-cecsit
   mirror-anu:
     address: 150.203.164.39
     parents: gw-cecsit
-    hostgroups: computers, service, apache2-hosts, dl360, hassrvfs, stretch, apache-https
+    hostgroups: computers, service, apache2-hosts, dl360, hassrvfs, stretch, apache-https, physical_x86_intel
   mirror-anu2:
     address: 150.203.164.60
     parents: mirror-anu
@@ -520,49 +431,50 @@ servers:
     address: 217.196.149.235
     parents: gw-conova
     hostgroups: notacomputer
-  mirror-conova:
-    address: 217.196.149.229
-    parents: gw-conova
-    hostgroups: computers, stretch, service, apache2-hosts
-  mirror-conova-debian:
-    address: 217.196.149.232
-    hostgroups: secondary-IPs
-    parents: mirror-conova
-  mirror-conova-security:
-    address: 217.196.149.233
-    hostgroups: secondary-IPs, rsyncd-hosts, security_mirror
-    parents: mirror-conova
-  mirror-conova-archive:
-    address: 217.196.149.234
-    hostgroups: secondary-IPs, rsyncd-hosts
-    parents: mirror-conova
-  mirror-conova-syncproxy4-eu:
-    address: 217.196.149.237
-    hostgroups: secondary-IPs, rsyncd-hosts, https-service
-    parents: mirror-conova
 
   arm-conova-01:
     address: 217.196.149.230
     parents: ganeti-conova
-    hostgroups: computers, hassrvfs, buildd, stretch
+    hostgroups: computers, hassrvfs, buildd, buster
   arm-conova-02:
     address: 217.196.149.231
     parents: ganeti-conova
-    hostgroups: computers, hassrvfs, buildd, stretch
+    hostgroups: computers, hassrvfs, buildd, buster
   amdahl:
     address: 217.196.149.236
     parents: ganeti-conova
-    hostgroups: computers, hassrvfs, porterbox, stretch
+    hostgroups: computers, hassrvfs, porterbox, buster
+
+  schmelzer:
+    address: 185.69.161.161
+    parents: gw-conova
+    hostgroups: computers, service, stretch, r540, manyprocesses, apache2-hosts, apache-https, systemd-timesyncd, physical_x86_intel
+  schmelzer-debian:
+    address: 217.196.149.232
+    hostgroups: secondary-IPs
+    parents: schmelzer
+  schmelzer-security:
+    address: 217.196.149.233
+    hostgroups: secondary-IPs, rsyncd-hosts, security_mirror
+    parents: schmelzer
+  schmelzer-archive:
+    address: 217.196.149.234
+    hostgroups: secondary-IPs, rsyncd-hosts
+    parents: schmelzer
+  schmelzer-syncproxy4-eu:
+    address: 217.196.149.237
+    hostgroups: secondary-IPs, rsyncd-hosts, https-service
+    parents: schmelzer
   # }}}
   # {{{ gw-csail
   csail-node01:
     address: 128.31.0.16
     parents: gw-csail
-    hostgroups: computers, service, dl360, stretch, drbd-hosts
+    hostgroups: computers, service, dl360, stretch, drbd-hosts, physical_x86_intel
   csail-node02:
     address: 128.31.0.46
     parents: gw-csail
-    hostgroups: computers, service, dl360, stretch, drbd-hosts
+    hostgroups: computers, service, dl360, stretch, drbd-hosts, physical_x86_intel
   ganeti-csail:
     address: 128.31.0.49
     parents: gw-csail
@@ -575,11 +487,11 @@ servers:
   x86-csail-01:
     address: 128.31.0.50
     parents: ganeti-csail
-    hostgroups: computers, buildd, hassrvfs, kvmdomains, stretch, systemd-timesyncd
+    hostgroups: computers, buildd, hassrvfs, kvmdomains, buster, systemd-timesyncd
   x86-csail-02:
     address: 128.31.0.68
     parents: ganeti-csail
-    hostgroups: computers, buildd, hassrvfs, kvmdomains, stretch, systemd-timesyncd
+    hostgroups: computers, buildd, hassrvfs, kvmdomains, buster, systemd-timesyncd
   soriano:
     address: 128.31.0.67
     parents: ganeti-csail
@@ -592,18 +504,26 @@ servers:
     address: 128.31.0.69
     parents: ganeti-csail
     hostgroups: computers, service, kvmdomains, stretch, hassrvfs, uploadqueue, queued, systemd-timesyncd
+  barriere:
+    address: 128.31.0.66
+    parents: ganeti-csail
+    hostgroups: computers, service, kvmdomains, buster, hassrvfs, porterbox, systemd-timesyncd
+  olin:
+    address: 128.31.0.65
+    parents: ganeti-csail
+    hostgroups: computers, kvmdomains, stretch, systemd-timesyncd
   # }}}
   # {{{ gw-dgi
   storace:
     address: 93.94.130.161
     parents: gw-dgi
-    hostgroups: computers, stretch, dl380, nfs-client, hassrvfs
+    hostgroups: computers, buster, dl380, nfs-client, hassrvfs, physical_x86_intel
   # }}}
   # {{{ gw-gatech
   sechter:
     address: 128.61.240.73
     parents: gw-gatech
-    hostgroups: computers, service, apache2-hosts, rsyncd-hosts, sw-raid, hasbootfs, hassrvfs, stretch, security_mirror
+    hostgroups: computers, service, apache2-hosts, rsyncd-hosts, sw-raid, hasbootfs, hassrvfs, stretch, security_mirror, physical_x86_intel
   # }}}
   # {{{ gw-grnet
   ganeti-grnet:
@@ -613,15 +533,15 @@ servers:
   grnet-node01:
     address: 194.177.211.195
     parents: gw-grnet
-    hostgroups: computers, service, dl380, stretch, drbd-hosts
+    hostgroups: computers, service, dl380, stretch, drbd-hosts, physical_x86_intel
   grnet-node02:
     address: 194.177.211.196
     parents: gw-grnet
-    hostgroups: computers, service, dl380, stretch, drbd-hosts
+    hostgroups: computers, service, dl380, stretch, drbd-hosts, physical_x86_intel
   loghost-grnet-01:
     address: 194.177.211.200
     parents: gw-grnet
-    hostgroups: computers, service, kvmdomains, stretch, hassrvfs, systemd-timesyncd
+    hostgroups: computers, service, kvmdomains, buster, hassrvfs, systemd-timesyncd
   geo3:
     address: 194.177.211.201
     parents: gw-grnet
@@ -633,7 +553,11 @@ servers:
   x86-grnet-01:
     address: 194.177.211.203
     parents: ganeti-grnet
-    hostgroups: computers, pybuildd, hassrvfs, kvmdomains, stretch, systemd-timesyncd
+    hostgroups: computers, pybuildd, hassrvfs, kvmdomains, buster, systemd-timesyncd
+  x86-grnet-02:
+    address: 194.177.211.204
+    parents: ganeti-grnet
+    hostgroups: computers, pybuildd, hassrvfs, kvmdomains, buster, systemd-timesyncd
   vittoria:
     address: 194.177.211.205
     parents: ganeti-grnet
@@ -641,7 +565,7 @@ servers:
   boott:
     address: 194.177.211.206
     parents: ganeti-grnet
-    hostgroups: computers, service, hassrvfs, kvmdomains, stretch, systemd-timesyncd
+    hostgroups: computers, service, hassrvfs, kvmdomains, buster, systemd-timesyncd
   porta:
     address: 194.177.211.207
     parents: ganeti-grnet
@@ -659,7 +583,7 @@ servers:
   mirror-isc:
     address: 149.20.4.13
     parents: gw-isc
-    hostgroups: computers, service, apache2-hosts, apache-https, dl360, hassrvfs, xinetd-hosts, stretch
+    hostgroups: computers, service, apache2-hosts, apache-https, dl360, hassrvfs, xinetd-hosts, stretch, physical_x86_intel
   mirror-isc2:
     address: 149.20.4.14
     parents: mirror-isc
@@ -677,23 +601,23 @@ servers:
   lw01:
     address: 185.17.185.177
     parents: gw-leaseweb
-    hostgroups: computers, service, stretch, dl180, nfs-server, rsyncd-hosts
+    hostgroups: computers, service, stretch, dl180, nfs-server, physical_x86_intel
   lw02:
     address: 185.17.185.178
     parents: gw-leaseweb
-    hostgroups: computers, service, stretch, dl180, nfs-server, rsyncd-hosts
+    hostgroups: computers, service, stretch, dl180, nfs-server, physical_x86_intel
   lw03:
     address: 185.17.185.179
     parents: gw-leaseweb
-    hostgroups: computers, service, stretch, dl180, nfs-server, rsyncd-hosts
+    hostgroups: computers, service, stretch, dl180, nfs-server, physical_x86_intel
   lw04:
     address: 185.17.185.180
     parents: gw-leaseweb
-    hostgroups: computers, service, stretch, dl180, nfs-server, rsyncd-hosts
+    hostgroups: computers, service, stretch, dl180, nfs-server, physical_x86_intel
   lw07:
     address: 185.17.185.187
     parents: gw-leaseweb
-    hostgroups: computers, service, stretch, dl180, nfs-client, autofs, hassrvfs, postgres96-hosts, apache2-hosts, haproxy-hosts, haproxy-https-host, varnish-hosts
+    hostgroups: computers, service, stretch, dl180, nfs-client, autofs, hassrvfs, postgres96-hosts, apache2-hosts, haproxy-hosts, haproxy-https-host, varnish-hosts, physical_x86_intel
   lw07-2:
     address: 185.17.185.185
     parents: lw07
@@ -702,148 +626,191 @@ servers:
   lw08:
     address: 185.17.185.189
     parents: gw-leaseweb
-    hostgroups: computers, service, stretch, dl180, nfs-client, autofs, hassrvfs, apache2-hosts
+    hostgroups: computers, service, stretch, dl180, nfs-client, autofs, hassrvfs, apache2-hosts, physical_x86_intel
   lw09:
     address: 185.17.185.181
     parents: gw-leaseweb
-    hostgroups: computers, service, stretch, dl180
+    hostgroups: computers, service, stretch, dl180, physical_x86_intel
   lw10:
     address: 185.17.185.182
     parents: gw-leaseweb
-    hostgroups: computers, service, stretch, dl180
+    hostgroups: computers, service, stretch, dl180, physical_x86_intel
   # }}}
   # {{{ gw-manda
   czerny:
     address: 82.195.75.109
     parents: gw-manda
-    hostgroups: computers, service, dl380, acpid-hosts, stretch, drbd-hosts, manyprocesses
+    hostgroups: computers, service, dl380, acpid-hosts, buster, manyprocesses, physical_x86_intel
   clementi:
     address: 82.195.75.103
     parents: gw-manda
-    hostgroups: computers, service, dl380, acpid-hosts, stretch, drbd-hosts, manyprocesses
+    hostgroups: computers, service, dl380, acpid-hosts, stretch, manyprocesses, physical_x86_intel
   manda-node03:
     address: 82.195.75.69
     parents: gw-manda
-    hostgroups: computers, service, stretch, r540, drbd-hosts, manyprocesses
+    hostgroups: computers, service, stretch, r540, drbd-hosts, manyprocesses, physical_x86_intel
   manda-node04:
     address: 82.195.75.70
     parents: gw-manda
-    hostgroups: computers, service, stretch, r540, drbd-hosts, manyprocesses
+    hostgroups: computers, service, stretch, r540, drbd-hosts, manyprocesses, physical_x86_intel
   bendel:
     address: 82.195.75.100
-    parents: ganeti3
-    hostgroups: computers, service, hasbootfs, kvmdomains, hassrvfs, apache2-hosts, stretch, postfix-hosts, heavy-postfix, apache-https, amavis-hosts, hasvarlogfs
+    parents: ganeti-manda
+    hostgroups: computers, service, hasbootfs, kvmdomains, hassrvfs, apache2-hosts, stretch, postfix-hosts, heavy-postfix, apache-https, amavis-hosts, hasvarlogfs, systemd-timesyncd
   master:
     address: 82.195.75.110
-    parents: ganeti3
-    hostgroups: computers, service, kvmdomains, stretch, hassrvfs, spamd, heavy-exim, highload
+    parents: ganeti-manda
+    hostgroups: computers, service, kvmdomains, stretch, hassrvfs, spamd, heavy-exim, highload, systemd-timesyncd
   vento:
     address: 82.195.75.98
-    parents: ganeti3
-    hostgroups: computers, service, kvmdomains, stretch, hassrvfs, apache2-hosts, apache-https, heavy-exim
-  lully:
-    address: 82.195.75.99
-    parents: ganeti3
-    hostgroups: computers, service, hasbootfs, kvmdomains, stretch, hasvarlogfs
+    parents: ganeti-manda
+    hostgroups: computers, service, kvmdomains, stretch, hassrvfs, apache2-hosts, apache-https, heavy-exim, systemd-timesyncd
   draghi:
     address: 82.195.75.106
-    parents: ganeti3
-    hostgroups: computers, service, hassrvfs, apache2-hosts, spamd, heavy-exim, kvmdomains, xinetd-hosts, apache-https, stretch
+    parents: ganeti-manda
+    hostgroups: computers, service, hassrvfs, apache2-hosts, spamd, heavy-exim, kvmdomains, xinetd-hosts, apache-https, stretch, systemd-timesyncd
   geo1:
     address: 82.195.75.105
-    parents: ganeti3
-    hostgroups: computers, service, bind9-hosts, kvmdomains, stretch
+    parents: ganeti-manda
+    hostgroups: computers, service, bind9-hosts, kvmdomains, buster, systemd-timesyncd
   handel:
     address: 82.195.75.104
-    parents: ganeti3
-    hostgroups: computers, service, kvmdomains, apache2-hosts, stretch, postgres96-hosts, hassrvfs
+    parents: ganeti-manda
+    hostgroups: computers, service, kvmdomains, apache2-hosts, buster, postgres11-hosts, hassrvfs, systemd-timesyncd
   kaufmann:
     address: 82.195.75.107
-    parents: ganeti3
-    hostgroups: computers, service, apache2-hosts, rsyncd-hosts, kvmdomains, stretch, apache-https
-  ganeti3:
-    address: 82.195.75.111
+    parents: ganeti-manda
+    hostgroups: computers, service, apache2-hosts, rsyncd-hosts, kvmdomains, buster, apache-https, systemd-timesyncd, bind9-hosts
+  ganeti-manda:
+    address: 82.195.75.71
     parents: gw-manda
     hostgroups: notacomputer
   wilder:
     address: 82.195.75.112
-    parents: ganeti3
-    hostgroups: computers, service, hassrvfs, apache2-hosts, kvmdomains, stretch, apache-https, rsyncd-hosts
+    parents: ganeti-manda
+    hostgroups: computers, service, hassrvfs, apache2-hosts, kvmdomains, stretch, apache-https, rsyncd-hosts, systemd-timesyncd
   mailly:
     address: 82.195.75.114
-    parents: ganeti3
-    hostgroups: computers, service, kvmdomains, stretch, spamd, heavy-exim, mail-relay
+    parents: ganeti-manda
+    hostgroups: computers, service, kvmdomains, stretch, spamd, heavy-exim, mail-relay, systemd-timesyncd
   denis:
     address: 82.195.75.91
-    parents: ganeti3
-    hostgroups: computers, service, kvmdomains, stretch, bind9-hosts
+    parents: ganeti-manda
+    hostgroups: computers, service, kvmdomains, stretch, bind9-hosts, systemd-timesyncd
   vogler:
     address: 82.195.75.92
-    parents: ganeti3
-    hostgroups: computers, service, kvmdomains, stretch
+    parents: ganeti-manda
+    hostgroups: computers, service, kvmdomains, stretch, systemd-timesyncd
   wolkenstein:
     address: 82.195.75.65
-    parents: ganeti3
-    hostgroups: computers, hasbootfs, hassrvfs, kvmdomains, service, xinetd-hosts, apache2-hosts, stretch, apache-https
+    parents: ganeti-manda
+    hostgroups: computers, hasbootfs, hassrvfs, kvmdomains, service, xinetd-hosts, apache2-hosts, stretch, apache-https, systemd-timesyncd
   mips-manda-01:
     address: 82.195.75.66
     parents: gw-manda
-    hostgroups: computers, buildd, stretch, hassrvfs
+    hostgroups: computers, buildd, buster, hassrvfs
   mipsel-manda-01:
     address: 82.195.75.72
     parents: gw-manda
-    hostgroups: computers, buildd, stretch, hassrvfs, sw-raid, hasbootfs
+    hostgroups: computers, buildd, buster, hassrvfs, sw-raid, hasbootfs
+  snapshotdb-manda-01:
+    address: 82.195.75.73
+    parents: gw-manda
+    hostgroups: computers, hassrvfs, kvmdomains, buster, postgres96-hosts, systemd-timesyncd
   mipsel-manda-02:
     address: 82.195.75.74
     parents: gw-manda
-    hostgroups: computers, buildd, stretch, hassrvfs, sw-raid, hasbootfs
+    hostgroups: computers, buildd, buster, hassrvfs, sw-raid, hasbootfs
   mipsel-manda-03:
     address: 82.195.75.67
     parents: gw-manda
-    hostgroups: computers, buildd, stretch, hassrvfs
+    hostgroups: computers, buildd, buster, hassrvfs
   seger:
     address: 82.195.75.93
-    parents: ganeti3
-    hostgroups: computers, service, apache2-hosts, hassrvfs, rsyncd-hosts, kvmdomains, apache-https, postgres96-hosts, stretch
+    parents: ganeti-manda
+    hostgroups: computers, service, apache2-hosts, hassrvfs, rsyncd-hosts, kvmdomains, apache-https, postgres96-hosts, stretch, systemd-timesyncd
   suchon:
     address: 82.195.75.68
-    parents: ganeti3
-    hostgroups: computers, service, kvmdomains, stretch, uploadqueue, queued, systemd-timesyncd
+    parents: ganeti-manda
+    hostgroups: computers, service, kvmdomains, hassrvfs, stretch, uploadqueue, queued, systemd-timesyncd
+  adayevskaya:
+    address: 82.195.75.75
+    parents: ganeti-manda
+    hostgroups: computers, service, kvmdomains, buster, systemd-timesyncd
+  postgresql-manda-01:
+    address: 82.195.75.76
+    parents: ganeti-manda
+    hostgroups: computers, service, kvmdomains, hassrvfs, buster, systemd-timesyncd, postgres11-hosts
+  dinis:
+    address: 82.195.75.77
+    parents: ganeti-manda
+    hostgroups: computers, general, kvmdomains, buster, hassrvfs, systemd-timesyncd
+  gideon:
+    address: 82.195.75.78
+    parents: ganeti-manda
+    hostgroups: computers, service, kvmdomains, stretch, hassrvfs, systemd-timesyncd
+  rainier:
+    address: 82.195.75.94
+    parents: ganeti-manda
+    hostgroups: computers, kvmdomains, stretch, systemd-timesyncd
+  rapoport:
+    address: 82.195.75.95
+    parents: ganeti-manda
+    hostgroups: computers, kvmdomains, stretch, systemd-timesyncd
+  petrova:
+    address: 82.195.75.96
+    parents: ganeti-manda
+    hostgroups: computers, kvmdomains, stretch, apache2-hosts, apache-https, systemd-timesyncd
   # }}}
   # {{{ gw-marist
   zani:
     address: 148.100.88.22
     parents: gw-marist
-    hostgroups: computers, pybuildd, hassrvfs, stretch, incomingmailrelayed
+    hostgroups: computers, pybuildd, hassrvfs, buster, incomingmailrelayed587
   # }}}
   # {{{ gw-osuosl
   byrd:
     address: 140.211.166.200
     parents: gw-osuosl
-    hostgroups: computers, service, dl380, stretch
+    hostgroups: computers, service, dl380, stretch, physical_x86_intel
   beach:
     address: 140.211.166.201
     parents: byrd
-    hostgroups: computers, service, kvmdomains, stretch, apache2-hosts, hassrvfs, rsyncd-hosts, apache-https
+    hostgroups: computers, service, kvmdomains, buster, apache2-hosts, hassrvfs, rsyncd-hosts, apache-https
+
+  mipsel-osuosl-01:
+    address: 140.211.166.210
+    parents: gw-osuosl
+    hostgroups: computers, buildd, buster, hassrvfs
+
+  mipsel-osuosl-02:
+    address: 140.211.166.211
+    parents: gw-osuosl
+    hostgroups: computers, buildd, buster, hassrvfs
 
   pijper:
     address: 140.211.166.194
     parents: gw-osuosl
     hostgroups: computers, stretch, service, manyprocesses
+  loghost-osuosl-01:
+    address: 140.211.166.202
+    parents: pijper
+    hostgroups: computers, service, kvmdomains, buster, hassrvfs, systemd-timesyncd
+
   pieta:
     address: 140.211.166.195
     parents: gw-osuosl
-    hostgroups: computers, stretch, service, manyprocesses
+    hostgroups: computers, buster, service, manyprocesses
   ppc64el-osuosl-01:
     address: 140.211.166.196
-    parents: pieta
-    hostgroups: computers, hassrvfs, buildd, stretch
+    parents: pijper
+    hostgroups: computers, hassrvfs, buildd, buster
   # }}}
   # {{{ gw-sanger
   sallinen:
     address: 193.62.202.26
     parents: gw-sanger
-    hostgroups: computers, service, stretch, dl380, nfs-client, autofs, postgres96-hosts, apache2-hosts, haproxy-hosts, haproxy-https-host, varnish-hosts
+    hostgroups: computers, service, stretch, dl380, nfs-client, autofs, postgres96-hosts, apache2-hosts, haproxy-hosts, haproxy-https-host, varnish-hosts, physical_x86_intel
   sallinen-2:
     address: 193.62.202.27
     parents: sallinen
@@ -851,154 +818,257 @@ servers:
   sibelius:
     address: 193.62.202.28
     parents: gw-sanger
-    hostgroups: computers, service, apache2-hosts, sw-raid, jessie, rsyncd-hosts, hasvarlogfs, multipath-hosts, nfs-server, varnish-hosts
+    hostgroups: computers, service, apache2-hosts, sw-raid, buster, rsyncd-hosts, hasvarlogfs, multipath-hosts, nfs-server
     contacts: tjrc1, dave
   # }}}
   # {{{ gw-scanplus
   lobos:
     address: 212.211.132.250
     parents: gw-scanplus-lobos
-    hostgroups: computers, service, apache2-hosts, rsyncd-hosts, dl380, hassrvfs, stretch, security_mirror
+    hostgroups: computers, service, apache2-hosts, rsyncd-hosts, dl380, hassrvfs, stretch, security_mirror, physical_x86_intel
   villa:
     address: 212.211.132.32
     parents: gw-scanplus-villa
-    hostgroups: computers, service, apache2-hosts, rsyncd-hosts, dl360, hassrvfs, stretch, security_mirror
+    hostgroups: computers, service, apache2-hosts, rsyncd-hosts, dl360, hassrvfs, stretch, security_mirror, physical_x86_intel
   # }}}
   # {{{ gw-sil
   eberlin:
     address: 86.59.118.155
     parents: gw-sil
-    hostgroups: computers, buildd, stretch, sw-raid
+    hostgroups: computers, buildd, buster, sw-raid
   mips-sil-01:
     address: 86.59.118.146
     parents: gw-sil
-    hostgroups: computers, buildd, stretch, hassrvfs
+    hostgroups: computers, buildd, buster, hassrvfs
   mipsel-sil-01:
     address: 86.59.118.147
     parents: gw-sil
-    hostgroups: computers, buildd, stretch, hassrvfs
+    hostgroups: computers, buildd, buster, hassrvfs
   # }}}
   # {{{ gw-skroutz
   mirror-skroutz:
     address: 154.57.0.251
     parents: gw-skroutz1, gw-skroutz2
-    hostgroups: computers, stretch, service, sw-raid, hassrvfs, apache2-hosts
+    hostgroups: computers, stretch, service, sw-raid, hassrvfs, apache2-hosts, physical_x86_intel
   # }}}
   # {{{ ubc-gateway
   ubc-enc2bl01:
     address: 209.87.16.1
     parents: ubc-gateway
-    hostgroups: computers, bl460g8, service, stretch, multipath-hosts, manyprocesses
+    hostgroups: computers, bl460g8, service, stretch, multipath-hosts, manyprocesses, physical_x86_intel
   ubc-enc2bl02:
     address: 209.87.16.2
     parents: ubc-gateway
-    hostgroups: computers, bl460g8, service, stretch, multipath-hosts, manyprocesses
+    hostgroups: computers, bl460g8, service, stretch, multipath-hosts, manyprocesses, physical_x86_intel
   ubc-enc2bl09:
     address: 209.87.16.9
     parents: ubc-gateway
-    hostgroups: computers, bl460g8, service, stretch, multipath-hosts, manyprocesses
+    hostgroups: computers, bl460g8, service, stretch, multipath-hosts, manyprocesses, physical_x86_intel
   ubc-enc2bl10:
     address: 209.87.16.10
     parents: ubc-gateway
-    hostgroups: computers, bl460g8, service, stretch, multipath-hosts, manyprocesses
+    hostgroups: computers, bl460g8, service, stretch, multipath-hosts, manyprocesses, physical_x86_intel
+  ganeti2-ubc:
+    address: 209.87.16.17
+    parents: ubc-gateway
+    hostgroups: notacomputer
 
   rachmaninoff:
     address: 209.87.16.20
-    parents: ubc-gateway
-    hostgroups: computers, service, kvmdomains, stretch, systemd-timesyncd
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, buster, systemd-timesyncd
   x86-ubc-01:
     address: 209.87.16.21
-    parents: ubc-gateway
-    hostgroups: computers, buildd, hassrvfs, kvmdomains, stretch, systemd-timesyncd
+    parents: ganeti2-ubc
+    hostgroups: computers, buildd, hassrvfs, kvmdomains, buster, systemd-timesyncd
+  x86-ubc-02:
+    address: 209.87.16.22
+    parents: ganeti2-ubc
+    hostgroups: computers, buildd, hassrvfs, kvmdomains, buster, systemd-timesyncd
+  manziarly:
+    address: 209.87.16.23
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, buster, autofs, nfs-client, apache2-hosts, apache-https, systemd-timesyncd, hassrvfs
   elgar:
     address: 209.87.16.24
-    parents: ubc-gateway
-    hostgroups: computers, service, kvmdomains, stretch, systemd-timesyncd
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, buster, systemd-timesyncd
   gombert:
     address: 209.87.16.25
-    parents: ubc-gateway
-    hostgroups: computers, service, kvmdomains, stretch, apache2-hosts, apache-https, systemd-timesyncd
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, buster, apache2-hosts, apache-https, systemd-timesyncd
   nono:
     address: 209.87.16.26
-    parents: ubc-gateway
-    hostgroups: computers, service, kvmdomains, stretch, heavy-exim, apache2-hosts, apache-https, broken_https_default_vhost, hassrvfs, systemd-timesyncd
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, buster, heavy-exim, apache2-hosts, apache-https, broken_https_default_vhost, hassrvfs, systemd-timesyncd
   reger:
     address: 209.87.16.27
-    parents: ubc-gateway
+    parents: ganeti2-ubc
     hostgroups: computers, service, kvmdomains, stretch, apache2-hosts, apache-https, heavy-exim, systemd-timesyncd
   diabelli:
     address: 209.87.16.28
-    parents: ubc-gateway
-    hostgroups: computers, service, kvmdomains, stretch, apache2-hosts, apache-https, broken_https_default_vhost, systemd-timesyncd
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, buster, apache2-hosts, apache-https, broken_https_default_vhost, systemd-timesyncd
   menotti:
     address: 209.87.16.29
-    parents: ubc-gateway
+    parents: ganeti2-ubc
     hostgroups: computers, service, kvmdomains, stretch, hassrvfs, apache2-hosts, apache-https, systemd-timesyncd
   danzi:
     address: 209.87.16.30
-    parents: ubc-gateway
+    parents: ganeti2-ubc
     hostgroups: computers, service, kvmdomains, stretch, postgres96-hosts, systemd-timesyncd
   geo2:
     address: 209.87.16.31
-    parents: ubc-gateway
+    parents: ganeti2-ubc
     hostgroups: computers, service, bind9-hosts, kvmdomains, stretch, systemd-timesyncd
   lotti:
     address: 209.87.16.32
-    parents: ubc-gateway
-    hostgroups: computers, service, kvmdomains, stretch, hassrvfs, systemd-timesyncd
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, buster, hassrvfs, systemd-timesyncd
   muffat:
     address: 209.87.16.33
-    parents: ubc-gateway
+    parents: ganeti2-ubc
     hostgroups: computers, service, kvmdomains, stretch, spamd, heavy-exim, mail-relay, systemd-timesyncd
   sonntag:
     address: 209.87.16.34
-    parents: ubc-gateway
+    parents: ganeti2-ubc
     hostgroups: computers, service, kvmdomains, stretch, nfs-client, autofs, systemd-timesyncd
   tchaikovsky:
     address: 209.87.16.35
-    parents: ubc-gateway
+    parents: ganeti2-ubc
     hostgroups: computers, general, apache2-hosts, kvmdomains, apache-https, stretch, systemd-timesyncd
   gretchaninov:
     address: 209.87.16.36
-    parents: ubc-gateway
-    hostgroups: computers, general, kvmdomains, stretch, hassrvfs, nfs-server, apache2-hosts, xinetd-hosts, apache-https, systemd-timesyncd
+    parents: ganeti2-ubc
+    hostgroups: computers, general, kvmdomains, buster, hassrvfs, nfs-server, apache2-hosts, xinetd-hosts, apache-https, systemd-timesyncd
   tye:
     address: 209.87.16.37
-    parents: ubc-gateway
-    hostgroups: computers, service, kvmdomains, stretch, heavy-exim, apache2-hosts, apache-https, nfs-client, autofs, hassrvfs, systemd-timesyncd
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, stretch, apache2-hosts, apache-https, nfs-client, autofs, hassrvfs, systemd-timesyncd
   ullmann:
     address: 209.87.16.38
-    parents: ubc-gateway
+    parents: ganeti2-ubc
     hostgroups: computers, service, kvmdomains, stretch, postgres96-hosts, nfs-client, apache2-hosts, autofs, apache-https, systemd-timesyncd
   buxtehude:
     address: 209.87.16.39
-    parents: ubc-gateway
-    hostgroups: computers, service, kvmdomains, stretch, hassrvfs, apache2-hosts, heavy-exim, postgres96-hosts, hasvarlogfs, apache-https, spamd, nfs-server, systemd-timesyncd
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, buster, hassrvfs, apache2-hosts, heavy-exim, postgres11-hosts, hasvarlogfs, apache-https, spamd, nfs-server, systemd-timesyncd
   piu-slave-ubc-01:
     address: 209.87.16.42
-    parents: ubc-gateway
-    hostgroups: computers, service, kvmdomains, stretch, nfs-client, autofs, systemd-timesyncd
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, buster, nfs-client, autofs, systemd-timesyncd
     contacts: holger
   hier:
     address: 209.87.16.43
-    parents: ubc-gateway
-    hostgroups: computers, service, kvmdomains, stretch, hassrvfs, apache2-hosts, apache-https, nfs-client, autofs, systemd-timesyncd
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, buster, hassrvfs, apache2-hosts, apache-https, nfs-client, autofs, systemd-timesyncd
   godard:
     address: 209.87.16.44
-    parents: ubc-gateway
+    parents: ganeti2-ubc
     hostgroups: computers, service, kvmdomains, stretch, hassrvfs, apache2-hosts, apache-https, systemd-timesyncd, postfix-hosts, postgres96-hosts, crazymanyprocesses
+  godard-pages:
+    address: 209.87.16.45
+    parents: godard
+    hostgroups: notacomputer
   debussy:
     address: 209.87.16.46
-    parents: ubc-gateway
+    parents: ganeti2-ubc
     hostgroups: computers, service, kvmdomains, stretch, systemd-timesyncd, apache2-hosts, apache-https, broken_https_default_vhost
-  kantuser:
+  static-master-ubc-01:
     address: 209.87.16.47
-    parents: ubc-gateway
-    hostgroups: computers, service, kvmdomains, stretch, systemd-timesyncd, apache2-hosts
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, buster, systemd-timesyncd, hassrvfs
   grabbe:
     address: 209.87.16.48
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, buster, systemd-timesyncd, apache2-hosts, apache-https
+  trabaci:
+    address: 209.87.16.49
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, stretch, hassrvfs, systemd-timesyncd
+  wuiet:
+    address: 209.87.16.60
+    parents: ganeti2-ubc
+    hostgroups: computers, general, kvmdomains, stretch, service, apache-https, apache2-hosts, heavy-exim, systemd-timesyncd
+  philp:
+    address: 209.87.16.61
+    parents: ganeti2-ubc
+    hostgroups: computers, hassrvfs, kvmdomains, stretch, apache2-hosts, apache-https, systemd-timesyncd, broken_https_default_vhost
+  lindsay:
+    address: 209.87.16.62
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, buster, autofs, nfs-client, systemd-timesyncd
+  pinel:
+    address: 209.87.16.63
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, stretch, hassrvfs, apache2-hosts, apache-https, nfs-client, autofs, heavy-exim, systemd-timesyncd
+  ticharich:
+    address: 209.87.16.64
+    parents: ganeti2-ubc
+    hostgroups: computers, general, kvmdomains, buster, nfs-client, autofs, apache2-hosts, apache-https, service, broken_https_default_vhost, systemd-timesyncd
+  donizetti:
+    address: 209.87.16.65
+    parents: ganeti2-ubc
+    hostgroups: computers, general, kvmdomains, stretch, nfs-client, autofs, systemd-timesyncd
+  jerea:
+    address: 209.87.16.66
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, buster, hassrvfs, apache2-hosts, apache-https, systemd-timesyncd
+  paradis:
+    address: 209.87.16.67
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, buster, hassrvfs, apache2-hosts, apache-https, systemd-timesyncd
+  paradis2:
+    address: 209.87.16.68
+    parents: paradis
+    hostgroups: secondary-IPs
+  mekeel:
+    address: 209.87.16.69
+    parents: ganeti2-ubc
+    hostgroups: computers, service, kvmdomains, buster, hassrvfs, nfs-client, autofs, systemd-timesyncd
+
+  ganeti3-ubc:
+    address: 209.87.16.50
+    parents: ubc-gateway
+    hostgroups: notacomputer
+  ubc-node-arm01:
+    address: 209.87.16.51
+    parents: ubc-gateway
+    hostgroups: computers, buster, service, sw-raid, drbd-hosts
+  ubc-node-arm02:
+    address: 209.87.16.52
     parents: ubc-gateway
-    hostgroups: computers, service, kvmdomains, stretch, systemd-timesyncd, apache2-hosts, apache-https
+    hostgroups: computers, buster, service, sw-raid, drbd-hosts
+  ubc-node-arm03:
+    address: 209.87.16.53
+    parents: ubc-gateway
+    hostgroups: computers, buster, service, sw-raid, drbd-hosts
+
+  arm-ubc-01:
+    address: 209.87.16.54
+    parents: ganeti3-ubc
+    hostgroups: computers, hassrvfs, buildd, buster, systemd-timesyncd
+  arm-ubc-02:
+    address: 209.87.16.55
+    parents: ganeti3-ubc
+    hostgroups: computers, hassrvfs, buildd, buster, systemd-timesyncd
+  arm-ubc-03:
+    address: 209.87.16.56
+    parents: ganeti3-ubc
+    hostgroups: computers, hassrvfs, buildd, buster, systemd-timesyncd
+  arm-ubc-04:
+    address: 209.87.16.57
+    parents: ganeti3-ubc
+    hostgroups: computers, hassrvfs, buildd, buster, systemd-timesyncd
+  arm-ubc-05:
+    address: 209.87.16.58
+    parents: ganeti3-ubc
+    hostgroups: computers, hassrvfs, buildd, buster, systemd-timesyncd
+  arm-ubc-06:
+    address: 209.87.16.59
+    parents: ganeti3-ubc
+    hostgroups: computers, hassrvfs, buildd, buster, systemd-timesyncd
+
   # }}}
   # {{{ gw-umn
   #saens:
@@ -1008,7 +1078,7 @@ servers:
   mirror-umn:
     address: 128.101.240.212
     parents: gw-umn
-    hostgroups: computers, service, apache2-hosts, apache-https, dl360, hassrvfs, stretch
+    hostgroups: computers, service, apache2-hosts, apache-https, dl360, hassrvfs, stretch, physical_x86_intel
   mirror-umn2:
     address: 128.101.240.215
     parents: mirror-umn
@@ -1030,59 +1100,67 @@ servers:
   ppc64el-unicamp-01:
     address: 143.106.167.121
     parents: prokofiev
-    hostgroups: computers, hassrvfs, buildd, stretch
+    hostgroups: computers, hassrvfs, buildd, buster
   plummer:
     address: 143.106.167.122
     parents: prokofiev
-    hostgroups: computers, porterbox, hassrvfs, stretch
+    hostgroups: computers, porterbox, hassrvfs, buster
   # }}}
   # {{{ gw-utwente
   klecker:
     address: 130.89.148.10
     parents: gw-utwente
-    hostgroups: computers, service, apache2-hosts, apache-https, rsyncd-hosts, dl380, stretch, incomingmailrelayed2025, hassrvfs
+    hostgroups: computers, service, dl380, stretch, incomingmailrelayed2025, hassrvfs, physical_x86_intel
   klecker-ftp:
     address: 130.89.148.12
-    parents: klecker
+    parents: new-klecker
     hostgroups: secondary-IPs
   klecker-archive:
     address: 130.89.148.13
-    parents: klecker
-    hostgroups: secondary-IPs
-  klecker-static:
-    address: 130.89.148.14
-    parents: klecker
+    parents: new-klecker
     hostgroups: secondary-IPs
+  new-klecker:
+    address: 130.89.148.77
+    parents: gw-utwente
+    hostgroups: computers, service, buster, r540, manyprocesses, incomingmailrelayed2025, physical_x86_intel, hassrvfs, apache2-hosts, apache-https
+  smit:
+    address: 130.89.148.78
+    parents: gw-utwente
+    hostgroups: computers, service, buster, r540, manyprocesses, incomingmailrelayed2025, physical_x86_intel, apache2-hosts, apache-https, hassrvfs, rsyncd-hosts
+  mikrotik-utwente:
+    address: 130.89.148.79
+    parents: gw-utwente
+    hostgroups: notacomputer
   # }}}
   # {{{ gw-ynic
   henze:
     address: 144.32.168.74
     parents: gw-ynic
-    hostgroups: computers, hasbootfs, hassrvfs, armhf, stretch, buildd
+    hostgroups: computers, hasbootfs, hassrvfs, armhf, buster, buildd
   hasse:
     address: 144.32.168.75
     parents: gw-ynic
-    hostgroups: computers, hasbootfs, hassrvfs, armhf, stretch, buildd
+    hostgroups: computers, hasbootfs, hassrvfs, armhf, buster, buildd
   antheil:
     address: 144.32.168.76
     parents: gw-ynic
-    hostgroups: computers, hasbootfs, hassrvfs, armhf, stretch, buildd
+    hostgroups: computers, hasbootfs, hassrvfs, armhf, buster, buildd
   # }}}
   # {{{ gw-zivit
   zandonai:
     address: 80.245.147.46
     parents: gw-zivit
-    hostgroups: computers, buildd, hassrvfs, stretch
+    hostgroups: computers, buildd, hassrvfs, buster
   zelenka:
     address: 80.245.147.40
     parents: gw-zivit
-    hostgroups: computers, porterbox, hassrvfs, stretch
+    hostgroups: computers, porterbox, hassrvfs, buster
   # }}}
   # {{{ gw-sakura
   setoguchi:
     address: 133.242.99.74
     parents: gw-sakura
-    hostgroups: computers, service, stretch, no-bacula, hassrvfs, apache2-hosts, rsyncd-hosts, security_mirror
+    hostgroups: computers, service, stretch, no-bacula, hassrvfs, apache2-hosts, rsyncd-hosts, security_mirror, physical_x86_intel
   # }}}
 
 # {{{ ############################# host groups #############################
@@ -1144,10 +1222,14 @@ hostgroups:
     alias: Dell PowerEdge R540 hosts
     private: 1
 
-  jessie:
-    alias: Hosts running jessie
+  physical_x86_intel:
+    alias: Physical machines with Intel CPUs
+    private: 1
+
   stretch:
     alias: Hosts running stretch
+  buster:
+    alias: Hosts running buster
 
   kvmdomains:
     alias: Hosts that are KVM domains
@@ -1187,6 +1269,9 @@ hostgroups:
   xinetd-hosts:
     alias: hosts providing services via xinetd
     private: 1
+  postgres11-hosts:
+    alias: hosts running postgres11
+    private: 1
   postgres96-hosts:
     alias: hosts running postgres96
     private: 1
@@ -1263,7 +1348,7 @@ hostgroups:
     alias: hosts with a /var/log filesystem
     private: 1
 
-  incomingmailrelayed:
+  incomingmailrelayed587:
     alias: incoming mail needs to go through a mail relay
     # i.e. no port 25
     private: 1
@@ -1469,7 +1554,7 @@ services:
     nrpe: "/usr/lib/nagios/plugins/check_disk 95 97 /storage/snapshot-farm-4"
     hosts: lw04
   -
-    name: disk usage on /storage/snapshot-farm-90
+    name: disk usage on /storage/snapshot-farm-09
     servicegroups: diskspace
     nrpe: "/usr/lib/nagios/plugins/check_disk 95 97 /storage/snapshot-farm-09"
     hosts: lw09
@@ -1639,13 +1724,14 @@ services:
   -
     name: process - bacula-dir
     servicegroups: backup
-    nrpe: "/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1: -u bacula -C bacula-dir -a '/usr/sbin/bacula-dir -f -c /etc/bacula/bacula-dir.conf'"
+    nrpe: "/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1: -u bacula -C bacula-dir -a '/usr/sbin/bacula-dir -fP -c /etc/bacula/bacula-dir.conf'"
     hosts: dinis
   -
     name: process - bacula-fd
     servicegroups: backup
     nrpe: "/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1: -u bacula -C bacula-fd -a '/usr/sbin/bacula-fd -c /etc/bacula/bacula-fd.conf'"
     hostgroups: computers
+    excludehostgroups: buildd, pybuildd, porterbox, no-bacula
 
   -
     name: network backup status - draghi
@@ -1733,14 +1819,14 @@ services:
     runfrom: lotti
     hostgroups: computers
   -
-    name: remote logging on lully
+    name: remote logging on loghost-grnet-01
     remotecheck: "/usr/lib/nagios/plugins/dsa-check-log-age-loghost $HOSTNAME$"
-    runfrom: lully
+    runfrom: loghost-grnet-01
     hostgroups: computers
   -
-    name: remote logging on loghost-grnet-01
+    name: remote logging on loghost-osuosl-01
     remotecheck: "/usr/lib/nagios/plugins/dsa-check-log-age-loghost $HOSTNAME$"
-    runfrom: loghost-grnet-01
+    runfrom: loghost-osuosl-01
     hostgroups: computers
   # }}}
   # {{{ base service
@@ -1762,17 +1848,10 @@ services:
     hostgroups: computers
     max_check_attempts: -2
     notification_interval: 1440
-  -
-    name: process - nrpe
-    nrpe: "/usr/lib/nagios/plugins/check_procs -w 1:25 -c 1: -u nagios -C nrpe -a '/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d'"
-    hostgroups: computers
-    excludehostgroups: stretch
-    max_check_attempts: -1
-    depends: network service - nrpe
   -
     name: process - nrpe
     nrpe: "/usr/lib/nagios/plugins/check_procs -w 1:25 -c 1: -u nagios -C nrpe -a '/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -f'"
-    hostgroups: stretch
+    hostgroups: stretch, buster
     max_check_attempts: -1
     depends: network service - nrpe
   ###
@@ -1782,7 +1861,7 @@ services:
     hostgroups: computers
   -
     name: network service - munin-node
-    check: check_tcp!4949
+    nrpe: "/usr/lib/nagios/plugins/check_tcp -H localhost -p 4949"
     hostgroups: computers
     depends: process - munin-node
   ###
@@ -1819,8 +1898,12 @@ services:
   -
     name: process - irqbalance
     nrpe: "/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1: -u root -C irqbalance -a '/usr/sbin/irqbalance'"
+    hostgroups: stretch
+  -
+    name: unexpected process - irqbalance
+    nrpe: "/usr/lib/nagios/plugins/check_procs -w 0:0 -C irqbalance"
     hostgroups: computers
-    excludehosts: harris
+    excludehostgroups: stretch
   ###
   -
     name: process - cron
@@ -1899,7 +1982,7 @@ services:
     name: process - stunnel4 - puppet-ekeyd is crazy
     nrpe: "sudo /usr/lib/nagios/plugins/dsa-check-stunnel-sanity"
     hostgroups: computers
-    excludehosts: czerny, grnet-node01, storace
+    excludehosts: manda-node04, grnet-node01, storace
   # }}}
   # {{{ anti-services
   -
@@ -1923,7 +2006,7 @@ services:
   -
     name: unwanted process - rpc.statd
     nrpe: "/usr/lib/nagios/plugins/check_procs -w 0:0 -C rpc.statd"
-    hostgroups: stretch
+    hostgroups: stretch, buster
     excludehosts: storace
   -
     name: unwanted process - inetd
@@ -1948,6 +2031,10 @@ services:
     name: "host SSL cert - debian client"
     nrpe: "if [ -e /etc/ssl/debian/certs/thishost.crt ]; then /usr/lib/nagios/plugins/dsa-check-cert-expire /etc/ssl/debian/certs/thishost.crt; else echo 'No thishost.crt on this host.'; fi"
     hostgroups: computers
+  -
+    name: "host SSL cert - CA"
+    nrpe: "sudo -u puppet /usr/lib/nagios/plugins/dsa-check-cert-expire /srv/puppet.debian.org/ca/ca.crt"
+    hosts: handel
   -
     name: "sso CRL"
     nrpe: "if [ -e /var/lib/dsa/sso/ca.crl ]; then /usr/lib/nagios/plugins/dsa-check-crl-expire -w 129600 -c 86400 /var/lib/dsa/sso/ca.crl; else echo 'No sso/ca.crl on this host.'; fi"
@@ -1959,6 +2046,13 @@ services:
     runfrom: handel
   # }}}
   # {{{ HW health/raid
+  -
+    name: Intel - CPU microcode
+    servicegroups: raid
+    nrpe: "/usr/bin/sudo /usr/lib/nagios/plugins/dsa-check-ucode-intel"
+    check_interval: 120
+    hostgroups: physical_x86_intel
+  ###
   -
     name: process - mdadm monitor
     servicegroups: raid
@@ -2254,7 +2348,7 @@ services:
     name: network service - smtp
     check: dsa_check_smtp
     hostgroups: computers
-    excludehostgroups: postfix-hosts, incomingmailrelayed, incomingmailrelayed2025
+    excludehostgroups: postfix-hosts, incomingmailrelayed587, incomingmailrelayed2025
     depends: process - exim
 
   -
@@ -2265,7 +2359,7 @@ services:
   -
     name: network service - submission
     check: dsa_check_smtp_port!587
-    hostgroups: incomingmailrelayed
+    hostgroups: incomingmailrelayed587
     depends: process - exim
   -
     name: network service - smtp 2025
@@ -2285,11 +2379,11 @@ services:
     nrpe: "/usr/lib/nagios/plugins/check_procs -w 1:50 -c 1:100 -u www-data -a /usr/sbin/apache2"
     hostgroups: apache2-hosts
     depends: process - apache2 - master
-    excludehosts: klecker
+    excludehosts: new-klecker
   -
     name: process - apache2 - worker
     nrpe: "/usr/lib/nagios/plugins/check_procs -w 1:80 -c 1:150 -u www-data -a /usr/sbin/apache2"
-    hosts: klecker
+    hosts: new-klecker
     depends: process - apache2 - master
   -
     name: unwanted process - apache2
@@ -2301,12 +2395,17 @@ services:
     name: network service - http
     check: check_http
     hostgroups: apache2-hosts
-    excludehosts: klecker, casulana
+    excludehosts: casulana
     depends: process - apache2 - master
   -
     name: network service - http
     check: check_http
-    depends: klecker:process - apache2 - master
+    depends: new-klecker:process - apache2 - master
+    hosts: klecker-archive
+  -
+    name: network service - http
+    check: check_http
+    depends: new-klecker:process - apache2 - master
     hosts: klecker-ftp
 
   # keyserver on kaufmann
@@ -2384,7 +2483,6 @@ services:
     name: process - varnish
     nrpe: "/usr/lib/nagios/plugins/check_procs -w 1:2 -c 1:15 -u vcache -a '/usr/sbin/varnishd -j unix,user=vcache -F -a '"
     hostgroups: varnish-hosts
-    excludehostgroups: jessie
   -
     name: unwanted process - varnish
     nrpe: "/usr/lib/nagios/plugins/check_procs -w 0 -C varnishd"
@@ -2404,11 +2502,15 @@ services:
     name: unwanted process - postgresql
     nrpe: "/usr/lib/nagios/plugins/check_procs -w 0 -C postgres"
     hostgroups: computers
-    excludehostgroups: postgres96-hosts
+    excludehostgroups: postgres96-hosts, postgres11-hosts
   -
     name: unwanted process - postgresql 9.0
     nrpe: "/usr/lib/nagios/plugins/check_procs -w 0 -C postgres -a '9.0/bin/postgres'"
     hostgroups: computers
+  -
+    name: process - postgresql11 - master
+    nrpe: "/usr/lib/nagios/plugins/check_procs -w 1:10 -c 1: -u postgres -C postgres -a '/usr/lib/postgresql/11/bin/postgres'"
+    hostgroups: postgres11-hosts
   -
     name: process - postgresql96 - master
     nrpe: "/usr/lib/nagios/plugins/check_procs -w 1:10 -c 1: -u postgres -C postgres -a '/usr/lib/postgresql/9.6/bin/postgres'"
@@ -2441,11 +2543,6 @@ services:
     retry_interval: 5
   # }}}
   # {{{ NFS Stuff
-  -
-    name: process - statd
-    nrpe: "/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1: -u statd -C rpc.statd -a '/sbin/rpc.statd'"
-    hostgroups: nfs-client, nfs-server
-    excludehostgroups: stretch
   -
     name: process - nfsd
     nrpe: "/usr/lib/nagios/plugins/check_procs -w 1:10 -c 1: -u root -C nfsd -a '[nfsd]'"
@@ -2709,8 +2806,18 @@ services:
     hostgroups: bind9-hosts
   -
     name: network service - dns
-    check: check_dns
-    hostgroups: bind9-hosts
+    check: check_dig!www.debian.org!
+    hosts: geo1, geo2, geo3
+    depends: process - named
+  -
+    name: network service - dns
+    check: check_dig!_openpgpkey.debian.org!-A -t SOA
+    hosts: kaufmann
+    depends: process - named
+  -
+    name: network service - dns
+    check: check_dig!debian.org!-A -t SOA
+    hosts: denis
     depends: process - named
   -
     name: unwanted process - named
@@ -2910,6 +3017,18 @@ services:
     hostgroups: computers
     check_interval:  60
     retry_interval: 15
+
+  -
+    name: puppet - catalog run
+    remotecheck: "/usr/lib/nagios/plugins/check_puppetdb_nodes -a 4 --node $HOSTNAME$.debian.org -w 720 -c 1440"
+    hostgroups: computers
+    runfrom: handel
+
+  -
+    name: puppet - all catalog runs
+    nrpe: "/usr/lib/nagios/plugins/check_puppetdb_nodes -a 4 -w 720 -c 1440"
+    hosts: handel
+
   ####
   -
     name: ping peer on mgmt network

diff --git a/dsa-nagios-checks/checks/check_puppetdb_nodes b/dsa-nagios-checks/checks/check_puppetdb_nodes
new file mode 100644 (file)
index 0000000..f76674e
--- /dev/null
+++ b/dsa-nagios-checks/checks/check_puppetdb_nodes
@@ -0,0 +1,253 @@
+#!/usr/bin/perl
+
+# Copyright (c) 2014, Evgeni Golov
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice, this
+#   list of conditions and the following disclaimer in the documentation and/or
+#   other materials provided with the distribution.
+#
+# * Neither the name of the {organization} nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+use strict;
+use warnings;
+use JSON;
+use LWP;
+use Monitoring::Plugin;
+use Date::Parse;
+
+my $np = Monitoring::Plugin->new(
+    usage => "Usage: %s [ -H|--hostname=<hostname>] "
+      . "[ -p|--port=<port> ] [-s] [ -w|--warning=<minutes> ] "
+      . "[ -c|--critical=<minutes> ] [ -W|--warnfails=<num> ] "
+      . "[ -C|--critfails=<num> ] [ -n|--node=<node> ]"
+      . "[ -a|--apiversion=<num> ]"
+      . "[ -i|--ignore=<list> ]",
+    shortname => 'Check last node runs from PuppetDB',
+    url       => 'https://github.com/evgeni/check_puppetdb_nodes',
+    version   => '1.0',
+    license   => 'This plugin is free software, and comes with ABSOLUTELY
+NO WARRANTY. It may be used, redistributed and/or modified under
+the terms of the BSD 3-clause license.',
+);
+
+$np->add_arg(
+    spec => 'warning|w=i',
+    help => "Exit with WARNING status if nodes did not update for "
+      . "more than INTEGER minutes (default: %s)",
+    default => 120,
+);
+
+$np->add_arg(
+    spec => 'critical|c=i',
+    help => "Exit with CRITICAL status if nodes did not update for "
+      . "more than INTEGER minutes (default: %s)",
+    default => 1440,
+);
+
+$np->add_arg(
+    spec => 'warnfails|W=i',
+    help => "Exit with WARNING status if nodes had at least INTEGER "
+      . "failures in the last run (default: %s)",
+    default => 1,
+);
+
+$np->add_arg(
+    spec => 'critfails|C=i',
+    help => "Exit with CRITICAL status if nodes had at least INTEGER "
+      . "failures in the last run (default: %s)",
+    default => 1,
+);
+
+$np->add_arg(
+    spec    => 'hostname|H=s',
+    help    => 'Hostname of the PuppetDB (default: %s)',
+    default => 'localhost',
+);
+
+$np->add_arg(
+    spec    => 'port|p=i',
+    help    => 'Port PuppetDB is running on (default: %s)',
+    default => 8080,
+);
+
+$np->add_arg(
+    spec => 'node|n=s',
+    help => 'Node name to check, if not given, all nodes will be checked',
+);
+
+$np->add_arg(
+    spec => 'ssl|s',
+    help => "Use HTTPS instead of HTTP",
+);
+
+$np->add_arg(
+    spec => 'insecure|k',
+    help => "Allow connections via HTTPS without checking certificates",
+);
+
+$np->add_arg(
+    spec    => 'apiversion|a=n',
+    help    => 'Specify PupppetDB API version (default: %s)',
+    default => 3,
+);
+
+$np->add_arg(
+    spec    => 'ignore|i=s',
+    help    => 'Node names to ignore (comma-separated list) (default: %s)',
+    default => '',
+);
+
+$np->getopts;
+
+my %apiurls = (
+    3 => { 'nodes' => 'v3/nodes', 'event-counts' => 'v3/event-counts' },
+    4 => { 'nodes' => 'pdb/query/v4/nodes', 'event-counts' => 'pdb/query/v4/event-counts', 'logs' => 'pdb/query/v4/reports/{hash}/logs' },
+);
+if ( !exists $apiurls{$np->opts->apiversion} ) {
+    $np->nagios_exit( 'UNKNOWN', 'Unsupported PuppetDB API version ' . $np->opts->apiversion );
+}
+
+my @ignore_list = split( ',', $np->opts->ignore );
+
+my $url = sprintf( 'http%s://%s:%d/',
+    defined( $np->opts->ssl ) ? 's' : '',
+    $np->opts->hostname, $np->opts->port );
+
+my $ua = new LWP::UserAgent;
+$ua->default_header( 'Accept' => 'application/json' );
+if ( defined( $np->opts->insecure ) ) {
+    $ua->ssl_opts( verify_hostname => 0 ,SSL_verify_mode => 0x00);
+}
+
+my %parameters = ();
+if ( defined( $np->opts->node ) ) {
+    %parameters = ( 'query' => '["=","certname","' . $np->opts->node . '"]' );
+}
+my $uri = URI->new( $url . $apiurls{$np->opts->apiversion}{'nodes'} );
+$uri->query_form(%parameters);
+my $response = $ua->get($uri);
+
+if ( !$response->is_success ) {
+    $np->nagios_exit( 'UNKNOWN',
+        $response->code . ": " . $response->status_line );
+}
+
+my $data = decode_json( $response->decoded_content );
+
+my $now = time();
+
+if ( defined( $np->opts->node ) and !@$data ) {
+    $np->add_message( CRITICAL,
+        $np->opts->node . " not found in puppetdb\n" );
+}
+
+foreach my $node (@$data) {
+    my $certname          = defined($node->{'certname'}) ? $node->{'certname'} : $node->{'name'} ;
+    my $deactivated       = $node->{'deactivated'};
+    my $catalog_timestamp = $node->{'catalog_timestamp'};
+    my $report_hash       = $node->{'latest_report_hash'};
+    my $ts                = str2time($catalog_timestamp);
+
+    next if grep { $certname eq $_ } @ignore_list;
+
+    if ( !defined $deactivated and !length $catalog_timestamp ) {
+           $np->add_message( CRITICAL, 
+                   "$certname last run UNAVAILABLE\n" );
+    }
+    if ( !defined $deactivated and length $catalog_timestamp ) {
+        my $delta = ( $now - $ts );
+        if ( $delta > ( $np->opts->critical * 60 ) ) {
+            $np->add_message( CRITICAL,
+                "$certname did not update since $catalog_timestamp\n" );
+        }
+        elsif ( $delta > ( $np->opts->warning * 60 ) ) {
+            $np->add_message( WARNING,
+                "$certname did not update since $catalog_timestamp\n" );
+        }
+
+        my %apiparameters = (
+            3 => {
+                  'query' => '["and",["=","certname","'
+                    . $certname
+                    . '"],["=","latest-report?",true]]',
+                  'summarize-by' => 'certname',
+                  'count-by'     => 'resource',
+                 },
+            4 => {
+                'query' => '["and",["=","certname","'
+                    . $certname
+                    . '"],["=","latest_report?",true]]',
+                'summarize_by' => 'certname',
+                'count_by'     => 'resource',
+                  }
+        );
+        my $uri = URI->new( $url . $apiurls{$np->opts->apiversion}{'event-counts'} );
+        $uri->query_form($apiparameters{$np->opts->apiversion});
+        $response = $ua->get($uri);
+
+        if ( $response->is_success ) {
+            my $node_data = decode_json( $response->decoded_content );
+
+            my $failures = 0;
+            if (    defined( @$node_data[0] )
+                and defined( @$node_data[0]->{'failures'} ) )
+            {
+                $failures = @$node_data[0]->{'failures'};
+            }
+
+            if ( $failures >= $np->opts->critfails ) {
+                $np->add_message( CRITICAL,
+                    "$certname had $failures failures in the last run\n" );
+            }
+            elsif ( $failures >= $np->opts->warnfails ) {
+                $np->add_message( WARNING,
+                    "$certname had $failures failures in the last run\n" );
+            }
+            elsif ( exists $apiurls{$np->opts->apiversion}{'logs'} and $report_hash) {
+                my $apiurl = $apiurls{$np->opts->apiversion}{'logs'};
+                $apiurl =~ s/{hash}/$report_hash/;
+                $uri = URI->new( $url . $apiurl );
+                $response = $ua->get($uri);
+                if ( $response->is_success ) {
+                    my $logs = decode_json( $response->decoded_content );
+                    foreach my $log (@$logs) {
+                        my $tags = $log->{'tags'};
+                        if ( grep(/^err$/, @$tags) ) { 
+                            $np->add_message( WARNING, "$certname, $log->{'message'}" );
+                        }
+                    }
+                }
+            }
+
+        } else {
+                $np->nagios_exit( 'UNKNOWN', 'Unsupported query ' . $response->decoded_content);
+        }
+
+    }
+}
+
+my $code;
+my $message;
+( $code, $message ) = $np->check_messages;
+
+$np->nagios_exit( $code, $message );

diff --git a/dsa-nagios-checks/checks/dsa-check-backuppg b/dsa-nagios-checks/checks/dsa-check-backuppg
index 13e935e..0784348 100755 (executable)
--- a/dsa-nagios-checks/checks/dsa-check-backuppg
+++ b/dsa-nagios-checks/checks/dsa-check-backuppg
@@ -102,10 +102,7 @@ def wal_pre(w, host, db):
     (w1,w2) = w
     if w2 == 0:
         w1 -= 1
-        if (host,db) in ( ('main'), ):
-            w2 = 0xFE
-        else:
-            w2 = 0xFF
+        w2 = 0xFF
     else:
         w2 -= 1
 
@@ -162,7 +159,7 @@ config = load_conf(options.conffile)
 
 os.chdir(config['rootdir'])
 for dir in os.listdir('.'):
-    if dir.startswith('.') or dir.endswith('.old'):
+    if dir.startswith('.') or dir.endswith('.old') or dir == 'lost+found':
         note_info('IGNORED', dir)
         continue
 

diff --git a/dsa-nagios-checks/checks/dsa-check-hpssacli b/dsa-nagios-checks/checks/dsa-check-hpssacli
index 2982600..c59aa73 100755 (executable)
--- a/dsa-nagios-checks/checks/dsa-check-hpssacli
+++ b/dsa-nagios-checks/checks/dsa-check-hpssacli
@@ -1,7 +1,7 @@
 #!/usr/bin/perl -w
 
-# check _physical_ disk status of disks on HP smart array controllers
-# requires hpssacli
+# check _physical_ disk status of disks on Smart Array controllers
+# requires hpssacli or ssacli
 #
 # does _not_ check raid status.  use arrayprobe for that.
 
@@ -45,9 +45,17 @@ $SIG{'__DIE__'} = sub {
        exit $CODE{'UNKNOWN'};
 };
 
+# support both the older hpssacli and the newer ssacli
+my $BIN;
+if ($0 =~ /hpssacli/) {
+       $BIN = "hpssacli";
+} else {
+       $BIN = "ssacli";
+}
+
 sub runcmd($) {
        my ($cmd) = @_;
-       $cmd = "sudo hpssacli $cmd";
+       $cmd = "sudo $BIN $cmd";
        open(FH, $cmd."|") or die ("Cannot run $cmd: $!");
        my @lines = <FH>;
        close FH;
@@ -83,81 +91,95 @@ if ($params->{'help'}) {
 };
 die ($usage) unless (scalar @ARGV == 0);
 
-my $ctrlallshow = runcmd("controller all show");
-my @controllers;
+my $ctrlallshow = runcmd("controller all show detail");
+my $slot;
+my %controllers;
 for (@$ctrlallshow) {
        chomp;
        next if /^$/;
        next if ($params->{'ignore-controller'} && /$params->{'ignore-controller'}/);
        if (/in Slot ([0-9a-z]+)/) {
-               push @controllers, $1;
-               next;
+               $slot = $1;
+               $controllers{$slot} = ();
+       } elsif (/^ *(Controller|Cache|Battery\/Capacitor) Status: (.*)$/) {
+               my $system = $1;
+               my $status = $2;
+
+               if ($system eq 'Cache') {
+                       # Can be:
+                       # - 'OK'
+                       # - 'Not Configured' (for e.g. HP SSD Smart Path)
+                       # - 'Permanently Disabled'
+                       # - ...?
+                       next if $status =~ /^(OK|Not Configured)$/;
+                       if ($params->{'ignore-cache'}) {
+                               push @{$controllers{$slot}}, "$system: $status (ignored)";
+                               next;
+                       }
+               }
+
+               push @{$controllers{$slot}}, "$system: $status";
+               if ($status ne 'OK') {
+                       next if ($params->{'no-battery'} && $system eq 'Battery/Capacitor');
+                       record('WARNING');
+               };
+       } elsif (/^ *(Cache Status Details): (Cable Error)/) {
+               push @{$controllers{$slot}}, $2;
+               record('CRITICAL');
+       } elsif (/^ *(Battery\/Capacitor Count): (.*)/) {
+               next if $params->{'no-battery'} || int($2) > 0;
+               push @{$controllers{$slot}}, "Battery count: $2";
+               record('CRITICAL');
        };
-       die ("Cannot read line '$_' gotten from hpssacli controller all show\n");
 };
 
-if (scalar @controllers == 0) {
+if (scalar keys %controllers == 0) {
        if ($params->{'no-controller-ok'}) {
-               print "No smartarray controllers found with hpssacli\n";
+               print "No Smart Array controllers found with $BIN\n";
                exit $CODE{'OK'}
        } else {
-               print "UNKNOWN: No smartarray controllers found with hpssacli\n";
+               print "UNKNOWN: No Smart Array controllers found with $BIN\n";
                exit $CODE{'UNKNOWN'}
        }
 };
 
 my @resultstr;
 
-for my $slot (sort @controllers) {
-       my @drives;
+for my $slot (sort keys %controllers) {
        my $nodrives = 0;
        my %status;
-       my @freetext;
 
-       my $ldallshow = runcmd("controller slot=$slot ld all show");
+       # check logicaldrives
+       my $logicaldrive;
        my @logicaldrives;
-       for (@$ldallshow) {
+       my $lds = runcmd("controller slot=$slot ld all show detail");
+       for (@$lds) {
                chomp;
                next if /^$/;
-               next if (/^\S.*in Slot $slot/);
-               next if /^ *array [A-Z]$/;
-               if (/logicaldrive ([0-9a-z]+)/) {
-                       push @logicaldrives, $1;
-                       next;
+               if (/Logical Drive: ([0-9a-z]+)/) {
+                       $logicaldrive = $1;
+                       push @logicaldrives, $logicaldrive;
                } elsif (/^Error: The specified device does not have any logical drives.$/) {
                        $nodrives = 1;
-               } else {
-                       die ("Cannot read line '$_' gotten from hpssacli controller slot = $slot logicaldrive all show\n");
-               }
-       };
-
-       # check logicaldrives
-       for my $logicaldrive (sort @logicaldrives) {
-               my $lds = runcmd("controller slot=$slot ld $logicaldrive show");
-               for (@$lds) {
-                       chomp;
-                       next if /^$/;
-                       if (/^ *Parity Initialization Status: (Initialization Completed|Initialization Failed|Rebuilding)$/) {
-                               my $status = $1;
-                               if ($status eq 'Initialization Completed') {
-                                       push @{$status{'OK'}}, "Parity LD$logicaldrive";
-                               } elsif ($status eq 'Rebuilding') {
-                                       push @{$status{'Failed'}}, "Parity LD$logicaldrive";
-                                       record('WARNING');
-                               } elsif ($status eq 'Initialization Failed') {
-                                       push @{$status{'Failed'}}, "Parity LD$logicaldrive";
-                                       record('CRITICAL');
-                               } else {
-                                       record('UNKNOWN');
-                               }
+               } elsif (/^ *Parity Initialization Status: (Initialization Completed|Initialization Failed|Rebuilding)$/) {
+                       my $status = $1;
+                       if ($status eq 'Initialization Completed') {
+                               push @{$status{'OK'}}, "Parity LD$logicaldrive";
+                       } elsif ($status eq 'Rebuilding') {
+                               push @{$status{'Failed'}}, "Parity LD$logicaldrive";
+                               record('WARNING');
+                       } elsif ($status eq 'Initialization Failed') {
+                               push @{$status{'Failed'}}, "Parity LD$logicaldrive";
+                               record('CRITICAL');
+                       } else {
+                               record('UNKNOWN');
                        }
-                       if (/^ *LD Acceleration Method: (.*)$/) {
-                               my $status = $1;
-                               # can at least be "Controller Cache" or HP SSD Smart Path", both OK
-                               if ($status eq 'All disabled') {
-                                       push @{$status{'Acceleration method'}}, "LD$logicaldrive disabled";
-                                       record('WARNING');
-                               }
+               } elsif (/^ *LD Acceleration Method: (.*)$/) {
+                       my $status = $1;
+                       # can at least be "Controller Cache" or HP SSD Smart Path", both OK
+                       if ($status eq 'All disabled') {
+                               push @{$status{'Acceleration method'}}, "LD$logicaldrive disabled";
+                               record('WARNING');
                        }
                }
        }
@@ -173,13 +195,14 @@ for my $slot (sort @controllers) {
                push @resultstr, "Slot $slot: no logical drives";
        };
 
-
-       my $pds = runcmd("controller slot=$slot pd all show");
+       my $pds = runcmd("controller slot=$slot pd all show detail");
+       my $drive;
+       my %drives;
        for (@$pds) {
                chomp;
                next if /^$/;
                next if (/^\S.*in Slot $slot/);
-               next if /^ *array [A-Z]$/;
+               next if /^ *Array [A-Z]$/i;
                next if /^ *unassigned/;
                if (/^ *HBA Drives/) {
                        # HBA mode implies no logical drives, thus reset the "drives found" check and proceed with
@@ -187,35 +210,39 @@ for my $slot (sort @controllers) {
                        $nodrives = 0;
                        next;
                }
-               if (/^ *(array [A-Z]) \(Failed\)$/) {
+               if (/^ *(Array [A-Z]) \(Failed\)$/i) {
                        record('CRITICAL');
                        push @{$status{'Failed'}}, $1;
                } elsif (/^Error: The specified controller does not have any physical drives on it.$/) {
                        $nodrives = 1;
-               } elsif (/^ *physicaldrive (\S+) .* (OK|Predictive Failure|Failed|Rebuilding)(?:, (?:active )?spare.*)?\)$/) {
-                       my $drive = $1;
-                       my $status = $2;
-                       push @{$status{$status}}, $drive;
-                       if ($status eq 'OK') {
-                       } elsif ($status eq 'Predictive Failure' ||
-                                $status eq 'Rebuilding') {
-                               record('WARNING');
-                       } elsif ($status eq 'Failed') {
-                               record('CRITICAL');
-                       } else {
-                               record('UNKNOWN');
-                       };      
-                       push @drives, $drive;
+               } elsif (/^ *physicaldrive (\S+)/) {
+                       $drive = $1;
+                       $drives{$drive} = {};
+               } elsif (defined $drive && m/^\s*(.*?):\s*(.*?)\s*$/) {
+                       $drives{$drive}{$1} = $2;
                } else {
-                       die ("Cannot read line '$_' gotten from hpssacli controller slot=$slot pd all show\n");
-               };
+                       die ("Cannot read line '$_' gotten from $BIN controller slot=$slot pd all show\n");
+               }
        };
 
        # Check that all drives have the proper transfer speed.
        # sometimes stuff breaks and they fall back to 10mb/sec.
-       for my $drive (@drives) {
-               # skip drives that are known to have failed
-               next if (exists $status{'Failed'} && grep {$drive eq $_} @{$status{'Failed'}});
+       for my $drive (sort keys %drives) {
+               my $value = $drives{$drive};
+               my $status = $value->{'Status'};
+               push @{$status{$status}}, $drive;
+               if ($status eq 'OK') {
+               } elsif ($status eq 'Predictive Failure' ||
+                        $status eq 'Rebuilding') {
+                       record('WARNING');
+               } elsif ($status eq 'Failed') {
+                       record('CRITICAL');
+                       # skip drives that are known to have failed
+                       next;
+               } else {
+                       record('UNKNOWN');
+               }
+
                my $type;
                if ($drive =~ /^[0-9]+:[0-9]+$/) { # scsi drives
                        $type = 'SCSI';
@@ -224,46 +251,33 @@ for my $slot (sort @controllers) {
                } elsif ($drive =~ /^[0-9]+[C]:[0-9]+:[0-9]+$/) { # New 6GBPS SAS
                        $type = 'SAS+';
                } else {
-                       # I'm not going to run pass arguments of unknown form to the shell..
                        warn ("Unknown diskdrive ID $drive\n");
                        next;
                }
 
-               my $pd = runcmd("controller slot=$slot pd $drive show");
-               while (defined $pd->[0] && !($pd->[0] =~ /physicaldrive/)) {
-                       shift @$pd;
-               };
-               shift @$pd;
-               my %value;
-               for (@$pd) {
-                       if (m/^\s*(.*?):\s*(.*?)\s*$/) {
-                               $value{$1} = $2;
-                       }
-               }
-
                my $key;
                my $expected;
                if ($type eq 'SCSI') {
                        $key = 'Transfer Speed';
-                       if (!defined $value{'Transfer Mode'}) {
+                       if (!defined $value->{'Transfer Mode'}) {
                                record('WARNING');
                                push @{$status{'unknown transfer mode'}}, $drive;
                                next;
-                       } elsif ($value{'Transfer Mode'} eq 'Ultra 3 Wide') {
+                       } elsif ($value->{'Transfer Mode'} eq 'Ultra 3 Wide') {
                                $expected = '160 MB/Sec';
-                       } elsif ($value{'Transfer Mode'} eq 'Ultra 320 Wide') {
+                       } elsif ($value->{'Transfer Mode'} eq 'Ultra 320 Wide') {
                                $expected = '320 MB/Sec';
                        } else {
                                record('WARNING');
-                               push @{$status{'unknown transfer mode'}}, $drive."(".$value{'Transfer Mode'}.")";
+                               push @{$status{'unknown transfer mode'}}, $drive."(".$value->{'Transfer Mode'}.")";
                                next;
                        };
                } elsif ($type eq 'SAS' || $type eq 'SAS+') {
                        $key = 'PHY Transfer Rate';
-                       if ($value{'Interface Type'} eq 'SATA') {
+                       if ($value->{'Interface Type'} eq 'SATA') {
                                $expected = [ '1.5Gbps', '3.0Gbps', '6.0Gbps' ];
-                       } elsif ($value{'PHY Count'} eq '2') {
-                               if (defined($value{'Redundant Path(s)'})) {
+                       } elsif ($value->{'PHY Count'} eq '2') {
+                               if (defined($value->{'Redundant Path(s)'})) {
                                        $expected = [ '3.0GBPS, 3.0GBPS', '6.0GBPS, 6.0GBPS',
                                                      '12.0GBPS, 12.0GBPS' ];
                                } else {
@@ -281,21 +295,21 @@ for my $slot (sort @controllers) {
 
                if ($params->{'ignore-transfer-speed'}) {
                        if (grep { $drive eq $_ } @{$params->{'ignore-transfer-speed'}}) {
-                               push @{$status{'ignored transfer speed'}}, $drive."(".$value{$key}.")";
+                               push @{$status{'ignored transfer speed'}}, $drive."(".$value->{$key}.")";
                                next;
                        };
                };
-               if (!defined $value{$key}) {
+               if (!defined $value->{$key}) {
                        record('WARNING');
                        push @{$status{'unknown transfer speed'}}, $drive;
                } elsif (ref($expected) eq 'ARRAY') {
-                       if (scalar(grep { uc($value{$key}) eq uc($_) } @$expected) == 0) {
+                       if (scalar(grep { uc($value->{$key}) eq uc($_) } @$expected) == 0) {
                                record('WARNING');
-                               push @{$status{'bad transfer speed'}}, $drive."(".$value{$key}.")";
+                               push @{$status{'bad transfer speed'}}, $drive."(".$value->{$key}.")";
                        };
-               } elsif (uc($value{$key}) ne uc($expected)) {
+               } elsif (uc($value->{$key}) ne uc($expected)) {
                        record('WARNING');
-                       push @{$status{'bad transfer speed'}}, $drive."(".$value{$key}.")";
+                       push @{$status{'bad transfer speed'}}, $drive."(".$value->{$key}.")";
                };
        };
 
@@ -308,44 +322,7 @@ for my $slot (sort @controllers) {
                next;
        };
 
-       my $cst = runcmd("controller slot=$slot show detail");
-       for (@$cst) {
-               chomp;
-               next if /^$/;
-               next if (/^\S.*in Slot $slot/);
-               if (/^ *(Controller|Cache|Battery\/Capacitor) Status: (.*)$/) {
-                       my $system = $1;
-                       my $status = $2;
-
-                       if ($system eq 'Cache') {
-                               # Can be:
-                               # - 'OK'
-                               # - 'Not Configured' (for e.g. HP SSD Smart Path)
-                               # - 'Permanently Disabled'
-                               # - ...?
-                               next if $status =~ /^(OK|Not Configured)$/;
-                               if ($params->{'ignore-cache'}) {
-                                       push @freetext, "$system: $status (ignored)";
-                                       next;
-                               }
-                       }
-
-                       push @freetext, "$system: $status";
-                       if ($status ne 'OK') {
-                               next if ($params->{'no-battery'} && $system eq 'Battery/Capacitor');
-                               record('WARNING');
-                       };
-               } elsif (/^ *(Cache Status Details): (Cable Error)/) {
-                       push @freetext, $2;
-                       record('CRITICAL');
-               } elsif (/^ *(Battery\/Capacitor Count): (.*)/) {
-                       next if $params->{'no-battery'} || int($2) > 0;
-                       push @freetext, "Battery count: $2";
-                       record('CRITICAL');
-               };
-       };
-
-       my $status = join(" - ", ((map { $_.": ".join(", ", @{$status{$_}}) } keys %status), @freetext));
+       my $status = join(" - ", ((map { $_.": ".join(", ", @{$status{$_}}) } keys %status), @{$controllers{$slot}}));
 
        push @resultstr, "Slot $slot: $status";
 };

diff --git a/dsa-nagios-checks/checks/dsa-check-packages b/dsa-nagios-checks/checks/dsa-check-packages
index 28844e5..03af4ec 100755 (executable)
--- a/dsa-nagios-checks/checks/dsa-check-packages
+++ b/dsa-nagios-checks/checks/dsa-check-packages
@@ -101,7 +101,7 @@ sub get_packages {
                        # apt-cache policy output is in the same order as its
                        # arguments.
                        #
-                       # We needs thi, because the output block in apt-cache
+                       # We need this, because the output block in apt-cache
                        # policy does not show the arch:
                        #
                        # | weasel@stanley:~$ apt-cache policy libedit2:amd64

diff --git a/dsa-nagios-checks/checks/dsa-check-raid-sw b/dsa-nagios-checks/checks/dsa-check-raid-sw
index 0297036..7707348 100755 (executable)
--- a/dsa-nagios-checks/checks/dsa-check-raid-sw
+++ b/dsa-nagios-checks/checks/dsa-check-raid-sw
@@ -99,7 +99,7 @@ while (<FH>) {
        }
        elsif ( $line =~ / resync /) {
                #       [==>..................]  resync = 10.3% (15216320/146994624) finish=2153.2min speed=1018K/sec
-               my ($percent) = ($line =~ m# resync = ([0-9.]+%)#);
+               my ($percent) = ($line =~ m# resync *= *([0-9.]+%)#);
                my ($finish)  = ($line =~ m# finish=([0-9.]+min)#);
                my ($speed)   = ($line =~ m# speed=([0-9.]+K/sec)#);
                push @resyncing, "$device ($percent done, finish in $finish at $speed)";

diff --git a/dsa-nagios-checks/checks/dsa-check-statusfile b/dsa-nagios-checks/checks/dsa-check-statusfile
index 4654731..841cd01 100755 (executable)
--- a/dsa-nagios-checks/checks/dsa-check-statusfile
+++ b/dsa-nagios-checks/checks/dsa-check-statusfile
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 
 # Relay the status of a check that was previously run and which stored
 # its result in a file to nagios.
@@ -49,7 +49,7 @@ statusfile = args[0]
 # find out what the max age is that we accept
 m = re.match('([0-9]+)([smhd])?$', options.age)
 if not m:
-    print >> sys.stderr, "Invalid age %s"%(options.age)
+    print("Invalid age %s" % options.age, file=sys.stderr)
     parser.print_help(file=sys.stderr)
     sys.exit(1)
 (count, unit) = m.groups()
@@ -58,29 +58,29 @@ max_age = int(count) * UNITS_TO_SECONDS[unit]
 
 # let's see if it exists
 if not os.path.exists(statusfile):
-    print "UNKNOWN: %s does not exist."%(statusfile)
+    print("UNKNOWN: %s does not exist." % statusfile)
     sys.exit(NAGIOS_STATUS['UNKNOWN'])
 
 
 mtime = os.path.getmtime(statusfile)
 if mtime + max_age < time.time():
-    print "WARNING: %s is old: %.1f hours."%(statusfile, (time.time() - mtime)/3600)
+    print("WARNING: %s is old: %.1f hours." % (statusfile, (time.time() - mtime)/3600))
     sys.exit(NAGIOS_STATUS['WARNING'])
 
 status = open(statusfile, "r")
 returnvalue = status.readline().strip()
 
-if not returnvalue in NAGIOS_STATUS:
-    print "UNKNOWN: %s has invalid return value: %s."%(statusfile, returnvalue)
+if returnvalue not in NAGIOS_STATUS:
+    print("UNKNOWN: %s has invalid return value: %s." % (statusfile, returnvalue))
     sys.exit(NAGIOS_STATUS['UNKNOWN'])
 
 linecnt = 0
 for line in status:
-    print line,
+    print(line, end='')
     linecnt += 1
 
 if linecnt == 0:
-    print "Found no output.  Something is probably wrong"
+    print("Found no output.  Something is probably wrong")
     sys.exit(NAGIOS_STATUS['UNKNOWN'])
 
 sys.exit(NAGIOS_STATUS[returnvalue])

diff --git a/dsa-nagios-checks/checks/dsa-check-timedatectl b/dsa-nagios-checks/checks/dsa-check-timedatectl
index 1c61cf3..bc97862 100755 (executable)
--- a/dsa-nagios-checks/checks/dsa-check-timedatectl
+++ b/dsa-nagios-checks/checks/dsa-check-timedatectl
@@ -61,11 +61,32 @@ fi
 temp="$(mktemp)"
 trap "rm -f '$temp'" EXIT
 
-LC_ALL=C timedatectl > "$temp"
-ut=$(sed '/Universal time:/ { s/^[^:]*: *//; p}; d' "$temp")
-rtc=$(sed '/RTC time:/ { s/^[^:]*: *//; p}; d' "$temp")
-ntpenabled=$(sed '/\(NTP enabled\|Network time on\):/ { s/^[^:]*: *//; p}; d' "$temp")
-ntpsynced=$(sed '/NTP synchronized:/ { s/^[^:]*: *//; p}; d' "$temp")
+systemdversion="$(timedatectl --version | head -n1 | awk '{print $2}')"
+if [ -z "$systemdversion" ]; then
+       echo "Unknown: Cannot get systemd version"
+       exit 3
+fi
+if [ "$systemdversion" -lt 241 ] ; then # before buster (Debian 10)
+       LC_ALL=C timedatectl > "$temp"
+       ut=$(sed '/Universal time:/ { s/^[^:]*: *//; p}; d' "$temp")
+       rtc=$(sed '/RTC time:/ { s/^[^:]*: *//; p}; d' "$temp")
+       ntpenabled=$(sed '/\(NTP enabled\|Network time on\|NTP service\):/ { s/^[^:]*: *//; p}; d' "$temp")
+       ntpsynced=$(sed '/\(NTP synchronized\|System clock synchronized\):/ { s/^[^:]*: *//; p}; d' "$temp")
+else
+       LC_ALL=C timedatectl show > "$temp"
+       ut=$(sed '/^TimeUSec=/ { s/^[^=]*=//; p}; d' "$temp")
+       rtc=$(sed '/^RTCTimeUSec=/ { s/^[^=]*=//; p}; d' "$temp")
+       ntpenabled=$(sed '/^NTP=/ { s/^[^=]*=//; p}; d' "$temp")
+       ntpsynced=$(sed '/^NTPSynchronized=/ { s/^[^=]*=//; p}; d' "$temp")
+       if [ "$ntpenabled" = "no" ]; then # in buster (Debian 10) ntpenabled no longer also considers the ntp service
+               ntp_status=$(systemctl is-enabled 'ntp.service' 2>/dev/null) && rc=$? || rc=$?
+               if [ "$rc" = 0 ] && [ "$ntp_status" = "enabled" ] ; then
+                       if systemctl --quiet is-active ntp.service; then
+                               ntpenabled=yes
+                       fi
+               fi
+       fi
+fi
 
 uts=$(TZ=UTC date -d "$ut" +%s)
 rtcs=$(TZ=UTC date -d "$rtc" +%s 2>/dev/null || echo "N/A")
@@ -90,7 +111,7 @@ else
                exit 1
        fi
 
-       if [ "$ntpenabled" != "yes" ]; then
+       if [ "$ntpenabled" != "yes" -a "$ntpenabled" != "active"  ]; then
                echo "Warning: NTP not enabled!"
                exit 1
        fi

diff --git a/dsa-nagios-checks/checks/dsa-check-ucode-intel b/dsa-nagios-checks/checks/dsa-check-ucode-intel
new file mode 100755 (executable)
index 0000000..5d03b52
--- /dev/null
+++ b/dsa-nagios-checks/checks/dsa-check-ucode-intel
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Copyright 2019 Peter Palfrader
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
+cpu_sig="$(iucode_tool --scan-system 2>&1 | sed -e 's/.*with signature //')"
+cpu_flags="$(cat /sys/devices/system/cpu/cpu0/microcode/processor_flags)"
+avail_line="$(iucode_tool -l -s "$cpu_sig,$cpu_flags" -tb /lib/firmware/intel-ucode 2>&1 | grep "sig[[:space:]]*$cpu_sig")"
+avail="$(echo "$avail_line" | sed -e 's/.*rev[[:space:]]*//; s/[,[:space:]].*//')"
+
+if [ -z "$avail" ]; then
+  echo "UNKNOWN: did not find available ucode"
+  exit 3
+fi
+
+current=$(awk '$1 == "microcode" {print $3; exit}' < /proc/cpuinfo)
+
+if [ -z "$current" ]; then
+  echo "UNKNOWN: did not learn current ucode"
+  exit 3
+fi
+
+if [ "$(printf "%d" "$avail")" != "$(printf "%d" "$current")" ]; then
+  echo "WARN: current ucode is $current while $avail is available"
+  exit 1
+else
+  echo "OK: current ucode $current matches available $avail"
+  exit 0
+fi

diff --git a/dsa-nagios-checks/debian/changelog b/dsa-nagios-checks/debian/changelog
index 8aff0ec..664e04b 100644 (file)
--- a/dsa-nagios-checks/debian/changelog
+++ b/dsa-nagios-checks/debian/changelog
@@ -1,4 +1,22 @@
-dsa-nagios-checks (117) UNRELEASED; urgency=medium
+dsa-nagios-checks (119) UNRELEASED; urgency=medium
+
+  * dsa-check-raid-sw: correctly parse resync percentages under 10%.
+  * Add check_puppetdb_nodes.
+
+ -- Peter Palfrader <weasel@debian.org>  Mon, 20 May 2019 12:52:00 +0200
+
+dsa-nagios-checks (118) unstable; urgency=medium
+
+  [ Peter Palfrader ]
+  * dsa-check-timedatectl:
+    - in buster, timedatectl no longer considers the ntp status of
+      the ntp.service.  So we manually do that now.
+    - also switch to parsing the machine readable output in buster.
+  * dsa-check-ucode-intel: add.
+
+ -- Peter Palfrader <weasel@debian.org>  Mon, 20 May 2019 12:50:51 +0200
+
+dsa-nagios-checks (117) unstable; urgency=medium
 
   [ Peter Palfrader ]
   * dsa-check-hpssacli: add --ignore-cache
@@ -6,12 +24,16 @@ dsa-nagios-checks (117) UNRELEASED; urgency=medium
   * dsa-check-zone-rrsig-expiration-many: fix use of uninitialized value
     with unsigned zones.
   * dsa-check-running-kernel: handle -unsigned packages
+  * dsa-check-backuppg: Ignore lost+found directory
 
   [ Jan Wagner ]
   * update-apt-statusdir, dsa-update-unowned-file-status:
     Create status directory if not existing.
 
- -- Peter Palfrader <weasel@debian.org>  Sun, 11 Mar 2018 09:06:13 +0100
+  [ Moritz Muehlenhoff ]
+  * dsa-check-timedatectl: Adapt check for buster.
+
+ -- Aurelien Jarno <aurel32@debian.org>  Mon, 01 Apr 2019 09:59:09 +0200
 
 dsa-nagios-checks (116) unstable; urgency=medium