cytopia / check_git
Nagios plugin to verify a git repository.
README
Nagios plugin to verify a git directory. Checks include: git status (with or without submodules), whether HEAD is on a branch or on a tag (any one or a specified one), differences against a remote (with or without submodules), and whether HEAD (tag, branch or commit) is GPG signed with a valid signature.
1. Nagios / Icinga integration
There are two ways to integrate with nagios or icinga.
1.1 Direct approach (not recommended)
Use check_git directly from nagios and test the repository whenever the check fires. To make the output usable for Nagios / Icinga you must use -n <NAME>, which strips shell colours from the output, among other things. By default the proper exit codes for success, warning, error and unknown are returned.
Example
$ check_git -d <PATH_TO_GIT_DIR> -s -n <PROJECT_NAME>
1.2 Log-file parsing approach (recommended)
This approach removes the overhead of nagios checking the repository every 5 minutes; instead it checks a log file that check_git creates. A full check (status, gpg, remote comparison etc.) can sometimes take a few seconds, and you do not want to put that load on the system every 5 minutes.
To do so, simply add check_git to the crontab and, for example, check your repository only every 4 hours. Nagios / Icinga can still check the log file every 5 minutes.
crontab
0 0,4,8,12,16,20 * * * /full/path/to/check_git -d <GIT_DIR> -n <PROJECT_NAME> -l /var/log/git/<project-name>.log
This updates the log file under /var/log/git/<project-name>.log every 4 hours, and nagios/icinga can check it at any time.
Actual check
$ check_git_log -f /var/log/git/<project-name>.log
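The parsing step of this approach, as an added example that is not check_git's own code (check_git_log itself is not shown on this page): it maps the [SUCCESS]/[WARNING]/[CRITICAL] lines of the log to a Nagios exit code, and it also treats a log file that has not been rewritten for longer than MAX_AGE_SEC as UNKNOWN, which is the check a practitioner wants once the repository test only runs from cron. The sample log, the [WARNING] tag and MAX_AGE_SEC are constructed here.

```shell
#!/bin/sh
# Added example, not check_git's own code: a minimal stand-in for the
# check_git_log step. It reads the log written by
# "check_git -n <NAME> -l <logfile>" and maps it to a Nagios exit code
# (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). A log older than MAX_AGE_SEC
# is reported as UNKNOWN, so a cron job that silently stopped running
# cannot leave the check green forever.
# Assumption: result lines start with [SUCCESS], [WARNING] or [CRITICAL]
# (the README shows the first and last; the [WARNING] tag is assumed).

MAX_AGE_SEC=21600   # 6 hours: a margin above the 4-hour cron interval

# Modification time of a file in epoch seconds (GNU stat, then BSD stat).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# nagios_code_for_log <logfile> [max_age_seconds]; returns the Nagios code.
nagios_code_for_log() {
    logfile="$1"
    max_age="${2:-$MAX_AGE_SEC}"
    [ -r "$logfile" ] || return 3                     # missing log -> UNKNOWN
    now=$(date +%s)
    mtime=$(file_mtime "$logfile")
    [ $((now - mtime)) -le "$max_age" ] || return 3   # stale log -> UNKNOWN
    if grep -q '^\[CRITICAL\]' "$logfile"; then
        return 2
    elif grep -q '^\[WARNING\]' "$logfile"; then
        return 1
    elif grep -q '^\[SUCCESS\]' "$logfile"; then
        return 0
    fi
    return 3                                           # nothing recognisable
}

# Constructed sample log, copied from the submodule example in this README.
sample_log=$(mktemp)
printf '%s\n' \
    '[CRITICAL] My-Project git repo has errors.' \
    '[SUCCESS] Git status: clean' \
    '[CRITICAL] Git status: submodule(s) unclean' > "$sample_log"
rc=0
nagios_code_for_log "$sample_log" || rc=$?
echo "Nagios exit code for sample log: $rc"           # 2 = CRITICAL
rm -f "$sample_log"
```

Point a Nagios command at nagios_code_for_log with the same log path the crontab entry writes; the max-age argument should exceed the cron interval by a comfortable margin.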
2. Examples
The following examples show each option separately; of course you can also combine most of the checks.
2.1 Check git status
Without submodules (-s)
$ check_git -d /shared/httpd/my-project/ -s -n My-Project
[SUCCESS] My-Project git repo is healthy.
[SUCCESS] Git status: clean
With submodules (-S)
$ check_git -d /shared/httpd/my-project/ -S -n My-Project
[CRITICAL] My-Project git repo has errors.
[SUCCESS] Git status: clean
[CRITICAL] Git status: submodule(s) unclean
2.2 Check the state of HEAD (branch or tag)
HEAD must be on a branch (any branch, -b)
$ check_git -d /shared/httpd/my-project/ -b -n My-Project
[SUCCESS] My-Project git repo is healthy.
[SUCCESS] Git Branch: on branch 'develop'
HEAD must be on branch develop (-B)
$ check_git -d /shared/httpd/my-project/ -B develop -n My-Project
[SUCCESS] My-Project git repo is healthy.
[SUCCESS] Git Branch: on branch 'develop'
HEAD must be on a tag (any tag, -t)
$ check_git -d /shared/httpd/my-project/ -t -n My-Project
[CRITICAL] My-Project git repo has errors.
[CRITICAL] Git Tag: not on any tag
HEAD must be on tag 0.3 (-T)
$ check_git -d /shared/httpd/my-project/ -T 0.3 -n My-Project
[CRITICAL] My-Project git repo has errors.
[CRITICAL] Git Tag: on tag '0.2', but should be on: '0.3'
2.3 Check the GPG signature of the commit/tag
Check whether the current commit (or the current tag, if HEAD is on a tag) is gpg signed and the signature is valid (-g).
$ check_git -d /shared/httpd/my-project/ -g -n My-Project
[SUCCESS] My-Project git repo is healthy.
[SUCCESS] GPG Signed: Yes with key: 695128A2
[SUCCESS] GPG Pubkey: available
[SUCCESS] GPG Signer: cytopia
[SUCCESS] GPG Trust: ULTIMATE
Check whether the current commit (or the current tag, if HEAD is on a tag) is gpg signed, the signature is valid, and it matches one of the specified key ids (-G).
$ check_git -d /shared/httpd/my-project/ -G 695128A2,00000000,11111111,22222222 -n My-Project
[SUCCESS] My-Project git repo is healthy.
[SUCCESS] GPG Signed: Yes with expected key: 695128A2
[SUCCESS] GPG Pubkey: available
[SUCCESS] GPG Signer: cytopia
[SUCCESS] GPG Trust: ULTIMATE
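The signature states that the -g and -G options distinguish (not signed, pubkey missing, pubkey untrusted, wrong key, OK), carried out as an added shell example that is not check_git's own code. It works on the status letter and key id that git itself reports through its %G? and %GK log placeholders; the key id in the sample call is constructed, and the tag case (git verify-tag when HEAD is on a tag) is left out.

```shell
#!/bin/sh
# Added example, not check_git's own code: classify a commit's GPG signature
# the way the -g / -G checks are described in the usage text. The status
# letter and key id come from git's own placeholders (%G? and %GK).
# Returns Nagios codes: 0 OK, 1 WARNING, 2 CRITICAL (3 if git fails).

# classify_signature <%G? letter> <%GK key id> [<expected ids, comma separated>]
# Expected ids follow check_git's convention: last 8 hex characters, uppercase.
classify_signature() {
    status="$1"; keyid="$2"; expected="$3"
    case "$status" in
        N) echo "CRITICAL: not signed"; return 2 ;;
        E) echo "WARNING: signed with $keyid, but pubkey is not available"; return 1 ;;
        U) echo "WARNING: signed with $keyid, but pubkey is not trusted"; return 1 ;;
        G) ;;   # good signature: continue with the key-id comparison
        *) echo "CRITICAL: bad, expired or revoked signature ($status)"; return 2 ;;
    esac
    if [ -z "$expected" ]; then
        echo "OK: signed with $keyid"; return 0
    fi
    # Compare on the last 8 characters, as -G expects; uppercase both sides.
    short=$(printf '%s' "$keyid" | tail -c 8 | tr 'a-f' 'A-F')
    for id in $(printf '%s' "$expected" | tr ',' ' '); do
        if [ "$(printf '%s' "$id" | tr 'a-f' 'A-F')" = "$short" ]; then
            echo "OK: signed with expected key $short"; return 0
        fi
    done
    echo "CRITICAL: signed with $short, expected one of: $expected"; return 2
}

# Run the classifier against a real repository's HEAD commit.
check_head_commit() {   # check_head_commit <git dir> [<expected ids>]
    line=$(git -C "$1" log -1 --format='%G? %GK' HEAD) || return 3
    classify_signature "${line% *}" "${line#* }" "$2"
}

# Constructed sample (not a real key): a good signature by a key ending in
# 11111111, checked against the key list used in the -G example above.
classify_signature G ABCDEF0011111111 695128A2,00000000,11111111,22222222
```

Matching on the last 8 characters is what -G expects; where you control both sides, compare the full fingerprint instead, since 32-bit key ids are not unique.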
2.4 Check differences against the remote
Check whether there is new code to pull (only makes sense when you are on a branch). Exclude submodules from the check (-R)
$ check_git -d /shared/httpd/my-project/ -R origin -n My-Project
[SUCCESS] My-Project git repo is healthy.
[SUCCESS] Git remote: equals with 'origin'
Check whether there is new code to pull (only makes sense when you are on a branch). Include submodules in the check (-r)
$ check_git -d /shared/httpd/my-project/ -r origin -n My-Project
[CRITICAL] My-Project git repo has errors.
[SUCCESS] Git remote: equals with 'origin'
[CRITICAL] Git remote: submodule(s) differs from 'origin'
2.5 Show additional verbose output
Show some verbose output (also shown in the nagios extended output)
$ check_git -d /shared/httpd/my-project/ -v -n My-Project
[SUCCESS] My-Project git repo is healthy.
[INFO] Bin: git version 2.10.2
[INFO] Path: /shared/httpd/my-project/
[INFO] Submodules: 2
[INFO] HEAD: on branch 'develop'
[INFO] GPG: signed 695128A2
3. Usage
Usage: check_git -d <git dir> [-s|-S] [-r|-R <remote>] [-b] [-B <branch>] [-t] [-T <tag>]] [-g] [-G <hash>[,<hash>]] [-v]
OR     -d <git dir> [-n <name>] [-l logfile] [-s|-S] [-r|-R <remote>] [-b] [-B <branch>] [-t] [-T <tag>]] [-g] [-G <hash>[,<hash>]] [-v]
OR     -h
OR     -V

check_git can validate a git repository by different requirements
You can have normal output or nagios (-n) compatible output to integrate this into your monitoring system.

Required arguments:
  -d <git dir>          Specify path to git repository.

Optional arguments (output):
  -v                    Be more verbose.
  -n <name>             Create nagios style check outout.
                        Removes colors and adds a project name to the first line.
  -l <logfile>          Log to file instead of stdout.
                        This is especially useful if you want to integrate this check via nagios.
                        You can then add a cronjob which periodically logs to file (as your deploy user)
                        and the nagios check simply parses the logfile via 'check_git_log'.
                        Requires '-n'.

Optional arguments (checks):
  -s                    Check if git directory is clean.
                        This also take any submodules into account.
                        To prevent checking submodules use '-S'.
                        '-s' and '-S' are mutually exclusive.
  -S                    Check if git directory is clean (ignore submodules).
                        This ignores any submodules.
                        To also check against submodules use '-s'.
                        '-s' and '-S' are mutually exclusive.
  -r <remote>           Check if git repository is in sync with remote.
                        This option makes only sense, if your repository is checked out
                        on a branch that can be compared with remote.
                        This also take any submodules into account.
                        To prevent checking submodules use '-R'.
                        '-r' and '-R' are mutually exclusive.
  -R <remote>           Check if git repository is in sync with remote (ignore submodules).
                        This option makes only sense, if your repository is checked out
                        on a branch that can be compared with remote.
                        This ignores any submodules.
                        To also check submodules use '-r'.
                        '-r' and '-R' are mutually exclusive.
  -b                    Check if repository is checkout out on a branch.
                        No detached HEAD or tag.
                        '-b', '-B', '-t' and '-T' are mutually exclusive.
  -B [<branch>]         Check if repository is checkout out on the specified branch.
                        '-b', '-B', '-t' and '-T' are mutually exclusive.
  -t                    Check if repository is checkout out on a tag.
                        No detached HEAD or branch.
                        '-b', '-B', '-t' and '-T' are mutually exclusive.
  -T [<tag>]            Check if repository is checkout out on the specified tag.
                        No detached HEAD or branch.
                        '-b', '-B', '-t' and '-T' are mutually exclusive.
  -g                    Check if current HEAD is signed and has a valid GPG signature.
                        If current HEAD is a tag, the GPG signature of the tag is checked,
                        instead of the signature of the current commit.
                        For this to pass, you will also have to add your trusted GPG public keys locally.
                        Returns:
                          Error, if not signed.
                          Warning, if signed, but pubkey is not available.
                          Warning, if signed, but pubkey is not trusted.
                          OK, if signed, pubkey is available and trusted.
                        '-g', and '-G' are mutually exclusive.
  -G <hash>[,<hash>]    Check if current HEAD is signed by the given key id (hash) and has a valid GPG signature.
                        You can separate multiple key-id's via comma without space.
                        key-id (hash) must be the last 8 characters (all uppercase) of the key.
                        If current HEAD is a tag, the GPG signature of the tag is checked,
                        instead of the signature of the current commit.
                        For this to pass, you will also have to add your trusted GPG public keys locally.
                        Returns:
                          Error, if not signed.
                          Error, if signed with a different key-id.
                          Warning, if signed, but pubkey is not available.
                          Warning, if signed, but pubkey is not trusted.
                          OK, if signed, pubkey is available and trusted.
                        '-g', and '-G' are mutually exclusive.

Version and Help:
  -V                    Show version information
  -h                    Show this help screen