TheRosiek.com Random tech notes and tutorials

3 Mar 2011

NIC Teaming on Debian Squeeze

NIC teaming (bonding) on Debian Squeeze is incredibly easy. First decide what type of team you'd like to create; the modes are those of the kernel bonding driver:

  • mode=0 (balance-rr) Round-robin policy: Transmit packets in sequential order from the first available slave through the last. This mode provides load balancing and fault tolerance.
  • mode=1 (active-backup) Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond’s MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option affects the behavior of this mode.
  • mode=2 (balance-xor) XOR policy: Transmit based on source MAC address XOR'd with destination MAC address. This selects the same slave for each destination MAC address. This mode provides load balancing and fault tolerance.
  • mode=3 (broadcast) Broadcast policy: Transmits everything on all slave interfaces. This mode provides fault tolerance.
  • mode=4 (802.3ad) IEEE 802.3ad Dynamic link aggregation: Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification. Requires ethtool support in the base drivers for retrieving the speed and duplex of each slave, and a switch that supports IEEE 802.3ad Dynamic link aggregation. Most switches will require some type of configuration to enable 802.3ad mode.
  • mode=5 (balance-tlb) Adaptive transmit load balancing: Channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave. Requires ethtool support in the base drivers for retrieving the speed of each slave.
  • mode=6 (balance-alb) Adaptive load balancing: Includes balance-tlb plus receive load balancing (rlb) for IPV4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond such that different peers use different hardware addresses for the server.

Once you have chosen your teaming mode, install the ifenslave package:

apt-get install ifenslave-2.6

Now open the file /etc/network/interfaces and add the bonded interface:

# The primary network interface
auto bond0
iface bond0 inet static
        address 192.168.20.20
        netmask 255.255.255.0
        broadcast 192.168.20.255
        network 192.168.20.0
        gateway 192.168.20.1
        bond_mode active-backup
        bond_miimon 100
        bond_downdelay 200
        bond_updelay 200
        slaves eth0 eth1

Note that bond_mode is the teaming mode you selected above. Restart the networking service, or just reboot the server to make sure the team also comes up cleanly after a reboot. The kernel reports the state of the team in /proc/net/bonding/bond0; check there that the mode is the one you configured and that every slave shows MII Status: up before you rely on the failover.
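As an added check (example code, not from the original post): the kernel exposes the team's state in /proc/net/bonding/bond0, and the functions below parse that file to report the mode, the active slave and how many slaves actually have link. The status text is a constructed sample shaped like the output for the active-backup bond configured above, with eth1 down; on a real host pass the /proc file instead of the sample.

```sh
#!/bin/sh
# Added example, not part of the original post: read the kernel's bonding
# status file and report whether the team is actually healthy. The sample
# text written by write_sample is constructed to look like
# /proc/net/bonding/bond0 for the active-backup bond above.
set -eu

# write_sample FILE -> constructed status text (eth0 up and active, eth1 down)
write_sample() {
    cat > "$1" <<'EOF'
Ethernet Channel Bonding Driver: v3.6.0 (September 26, 2009)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 200
Down Delay (ms): 200

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:55

Slave Interface: eth1
MII Status: down
Link Failure Count: 3
Permanent HW addr: 00:11:22:33:44:66
EOF
}

# bond_mode FILE   -> e.g. "fault-tolerance (active-backup)"
bond_mode() { sed -n 's/^Bonding Mode: //p' "$1"; }

# bond_active FILE -> name of the currently active slave (empty if none)
bond_active() { sed -n 's/^Currently Active Slave: //p' "$1"; }

# bond_slaves_up FILE -> number of slaves whose own MII status is "up".
# The first "MII Status:" line in the file belongs to the bond itself, so
# only count MII lines seen after a "Slave Interface:" header.
bond_slaves_up() {
    awk '/^Slave Interface:/ { inslave = 1; next }
         inslave && /^MII Status: up/ { up++ }
         END { print up + 0 }' "$1"
}

# bond_check FILE -> 0 when a slave is active AND at least two slaves have
# link, 1 otherwise. A bond with a single live slave still forwards traffic,
# which is exactly why it needs an alert: the redundancy is already gone.
bond_check() {
    [ -n "$(bond_active "$1")" ] && [ "$(bond_slaves_up "$1")" -ge 2 ]
}
```

On the server itself the call is simply `bond_check /proc/net/bonding/bond0 || echo "bond0 degraded"`, which is the kind of check you would hand to Nagios as a plugin.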

6 Oct 2010

Nagios Setup on Debian Lenny

Below are instructions on building Nagios from scratch on Debian Lenny. These instructions also make it very easy to update the build when new ones come out.


Apache Configuration

First install the essential packages needed to compile and use Nagios.

apt-get install apache2 php5 openssl xfsprogs build-essential autoconf libgd2-xpm-dev libssl-dev ntpdate libperl-dev libnet-snmp-perl libdbd-sybase-perl libxml2-dev libmysqlclient15-dev mailx

Modify the file /etc/apache2/apache2.conf so that it's a bit cleaner.

ServerRoot "/etc/apache2"

LockFile /var/lock/apache2/accept.lock
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 25
KeepAliveTimeout 15

<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>

<IfModule mpm_worker_module>
    StartServers          2
    MaxClients          150
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadsPerChild      25
    MaxRequestsPerChild   0
</IfModule>

User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

AccessFileName .htaccess
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

DefaultType text/plain
HostnameLookups Off

ErrorLog /var/log/apache2/error.log
LogLevel warn

# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

# Include all the user configurations:
Include /etc/apache2/httpd.conf

# Include ports listing
Include /etc/apache2/ports.conf

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined

# Include generic snippets of statements
Include /etc/apache2/conf.d/

# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/

Now create the Apache configuration file for Nagios so it can load the web interface. Create the file /etc/apache2/conf.d/nagios.conf with the following:

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /etc/nagios/htpasswd.users
   Require valid-user
   SetEnv TZ "US/Eastern"
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
   Options None
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /etc/nagios/htpasswd.users
   Require valid-user
</Directory>

Modify /etc/apache2/ports.conf so that it contains just one line, making Apache listen on 443 only. Since no plain-HTTP port is open at all, the Basic-auth credentials used below never cross the wire in the clear:

Listen 443

Modify /etc/apache2/mods-available/ssl.conf to clean up the SSL configuration; we'll enable the module later. The last two lines are the defaults of that era: on anything current you would also disable SSLv3 (SSLProtocol all -SSLv2 -SSLv3) and drop MEDIUM from the cipher list, since it admits RC4.

<IfModule mod_ssl.c>

SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache        shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCacheTimeout  300
SSLMutex  file:/var/run/apache2/ssl_mutex
SSLCipherSuite HIGH:MEDIUM:!ADH
SSLProtocol all -SSLv2

</IfModule>

Create the file /etc/apache2/sites-available/nagios-ssl for the virtual directory routing information.

NameVirtualHost *
<VirtualHost *>
        ServerAdmin webmaster@localhost

        CustomLog /var/log/apache2/access.log combined

        SSLEngine on
        SSLCertificateFile    /etc/ssl/private/apache-self-signed.crt
        SSLCertificateKeyFile /etc/ssl/private/apache-priv.key

</VirtualHost>

Modify the file /etc/apache2/httpd.conf so it has just one line:

ServerName server.domain.com

Now we can enable our modules and sites in Apache.

a2enmod ssl
a2dissite default
a2ensite nagios-ssl

Now create a self-signed certificate and key at the paths the virtual host references (/etc/ssl/private/apache-self-signed.crt and /etc/ssl/private/apache-priv.key), or install one from a third-party CA if necessary. Keep the key readable by root only; Apache reads it as root at startup.
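The post does not show the certificate step, so here is an added example (not code from the original page) that generates the pair with openssl, with the key created mode 0600, and two checks worth running before restarting Apache: that the subject carries the hostname clients will use, and that the key really belongs to the certificate. The output directory, the CN and the 10-year lifetime are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: create the self-signed certificate
# and key that the nagios-ssl virtual host expects, key readable by root only,
# plus two sanity checks. Directory, CN and lifetime are assumptions.
set -eu

# make_self_signed DIR HOSTNAME [DAYS]
# Writes DIR/apache-priv.key (0600) and DIR/apache-self-signed.crt (0644),
# the two paths used by SSLCertificateKeyFile / SSLCertificateFile above.
make_self_signed() {
    dir=$1; cn=$2; days=${3:-3650}
    # umask 077 inside a subshell: the key file is never world-readable,
    # not even for the instant between creation and chmod.
    (umask 077; openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
        -subj "/CN=$cn" \
        -keyout "$dir/apache-priv.key" \
        -out "$dir/apache-self-signed.crt" >/dev/null 2>&1)
    chmod 600 "$dir/apache-priv.key"
    chmod 644 "$dir/apache-self-signed.crt"
}

# cert_subject CERT -> the subject line, so you can confirm the CN is the
# name browsers will connect to (otherwise they warn on every visit)
cert_subject() { openssl x509 -in "$1" -noout -subject; }

# key_matches_cert CERT KEY -> 0 if the public keys agree. A mismatch is the
# usual reason "SSLEngine on" makes Apache refuse to start.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```

On the Nagios host: `make_self_signed /etc/ssl/private server.domain.com`, then `key_matches_cert /etc/ssl/private/apache-self-signed.crt /etc/ssl/private/apache-priv.key && /etc/init.d/apache2 restart`. Since the certificate is self-signed, browsers will warn until you import it; with a third-party certificate only the file paths change.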

Nagios Install

Prerequisites

Set up the users and groups that will run Nagios. Note that www-data is the Debian name for the user the Apache worker processes run as; it is added to the nagcmd group so the CGIs can write to the command file (use -a so its existing groups are kept rather than replaced):

groupadd -g 9000 nagios
groupadd -g 9001 nagcmd
usermod -a -G nagcmd www-data
useradd -u 9000 -g nagios -G nagcmd -d /usr/local/nagios -c "Nagios Admin" nagios

Now setup the initial directories and permissions where we'll keep the files. I chose to create /var/nagios because that's where I'll store the data files since it's the largest partition and meant for variable data.

mkdir /usr/local/nagios/ /etc/nagios/ /var/nagios
chown nagios:nagios /usr/local/nagios /etc/nagios /var/nagios

Download the Nagios source and unpack.

cd /usr/src
wget http://superb-east.dl.sourceforge.net/sourceforge/nagios/nagios-3.x.x.tar.gz
tar zxvf nagios-3.x.x.tar.gz
cd nagios-3.x.x

Install

Configure and build Nagios for the proper directories and options.

./configure --sysconfdir=/etc/nagios --localstatedir=/var/nagios --with-command-group=nagcmd --with-perlcache --enable-embedded-perl
make all
make install
make install-init
make install-commandmode
make install-config

Set Nagios to start on boot and create the Apache password file used to authenticate users. The file is owned by www-data and mode 600, so only the web server (and root) can read the password hashes:

update-rc.d nagios defaults 99
cd /etc/nagios/
htpasswd -c htpasswd.users nagios
chown www-data htpasswd.users
chmod 600 htpasswd.users

To add more users to the htpasswd.users file just type

htpasswd htpasswd.users username

since the -c is only for file creation.

Configuration

Edit the file /etc/nagios/cgi.cfg and modify the "authorized_for_*" lines to include the users you created in the htpasswd.users file, for example:

authorized_for_system_information=nagios,user1,user2

Create a folder in /etc/nagios to contain all the configuration files. Typically the site name is a good choice. Once the folder is created, modify the file /etc/nagios/nagios.cfg and remove all the "cfg_file" entries and add the line:

cfg_dir=/etc/nagios/site1

Or whatever folder you created for your config files, site1 in this example.

Now add some images for the icon view to the base install. Logo packs can usually be downloaded from the Nagios Exchange; drop the tarball into the logos directory and unpack it there:

cd /usr/local/nagios/share/images/logos
tar zxvf image_logos.tar.gz

Third Party Tools

Plugins

The Nagios plugins are necessary to run checks on server processes and health. In the configure statement, be sure to use the same folder locations as when Nagios itself was configured. Plugins will be installed in the /usr/local/nagios/libexec directory.

cd /usr/src
wget http://superb-east.dl.sourceforge.net/sourceforge/nagios-plugins/nagios-plugins-1.4.xx.tar.gz
tar zxvf nagios-plugins-1.4.xx.tar.gz
cd nagios-plugins-1.4.xx
./configure --sysconfdir=/etc/nagios --localstatedir=/var/nagios --enable-perl-modules
make
make check
make install

NRPE

This install adds the check_nrpe plugin so that checks can be run on other servers remotely. The NRPE daemon itself does not need to run on the Nagios server; the server only needs the plugin, while each remote host runs the NRPE daemon. Again, take note of the configure directories and that --enable-ssl=yes is set, so the plugin and daemon talk over SSL. Be aware that NRPE 2.x's SSL uses anonymous Diffie-Hellman: it encrypts the session but authenticates neither end, so restrict each daemon with allowed_hosts in its nrpe.cfg and firewall port 5666 to the Nagios server.

cd /usr/src
wget http://superb-east.dl.sourceforge.net/sourceforge/nrpe/nrpe-2.xx.tar.gz
tar zxvf nrpe-2.xx.tar.gz
cd nrpe-2.xx
./configure --sysconfdir=/etc/nagios --localstatedir=/var/nagios --enable-ssl=yes
make all
make install

PNP Graphing

A couple packages are needed first as well as mod_rewrite for Apache:

apt-get install rrdtool librrds-perl php5-gd
a2enmod rewrite

Open /etc/php5/apache2/php.ini and make sure the following is set to Off:

magic_quotes_gpc = Off

Then restart Apache to have the setting take effect:

/etc/init.d/apache2 restart

Download, configure and install PNP. Note directory locations in configure.

cd /usr/src
wget http://voxel.dl.sourceforge.net/project/pnp4nagios/PNP-0.6/pnp4nagios-0.6.x.tar.gz
tar zxvf pnp4nagios-0.6.x.tar.gz
cd pnp4nagios-0.6.x
./configure --sysconfdir=/etc/pnp --localstatedir=/var/pnp4nagios
make all
make install
make install-webconf
make install-config

Setup the base configuration:

cd /etc/pnp
cp process_perfdata.cfg-sample process_perfdata.cfg
cp rra.cfg-sample rra.cfg
cd /etc/nagios

Edit /etc/nagios/nagios.cfg to turn on some switches and make performance data go to PNP. Typically these are commented out to start.

service_perfdata_command=service-perfdata-pnp
process_performance_data=1

Add the new command to commands.cfg in /etc/nagios/site1 or wherever your commands for the site are stored:

define command {
     command_name    service-perfdata-pnp
     command_line    /usr/bin/perl /usr/local/pnp4nagios/libexec/process_perfdata.pl
}

Modify /etc/apache2/conf.d/pnp4nagios.conf to include the same password file that Nagios uses. This file is created by the install scripts.

AuthUserFile /etc/nagios/htpasswd.users

Restart Apache for the changes to take effect. You can now navigate to https://hostname/pnp4nagios and see the install checklist. If all is complete, remove the /usr/local/pnp4nagios/share/install.php file.

General Use

For Nagios to function, it first needs to be started with this command:

/etc/init.d/nagios start

If a configuration or syntax error in your configuration occurs, you can test the output and find out where it is by running this command:

/usr/local/nagios/bin/nagios -v /etc/nagios/nagios.cfg

Now you can try starting Nagios again. If you make configuration changes, the configuration must be reloaded. To do this, use:

/etc/init.d/nagios reload

To access Nagios through the web, Apache must be started, or restarted if it already was running. This will also accept the new web configurations that may have been made:

/etc/init.d/apache2 start
/etc/init.d/apache2 restart
15 Jul 2010

Latest and greatest Subversion on Debian Lenny

Debian has its own package for Subversion, but most of the time you want to use the latest Subversion package that's out there. This explains how to build and use that over Apache and HTTPS.


Installation

This particular install does not use the Berkeley DB method of repository storage but the flat-file method (FSFS). Both have their advantages, but FSFS is generally considered faster and is Subversion's default back-end.

First setup Apache and get all the Subversion dependencies.

apt-get install apache2
apt-get build-dep subversion
cd /usr/src
wget http://subversion.tigris.org/downloads/subversion-1.6.13.tar.gz
tar zxvf subversion-1.6.13.tar.gz
cd subversion-1.6.13
./configure --prefix=/usr/local

Then we get this warning, but FSFS is fine to use instead of Berkeley.

configure: WARNING: we have configured without BDB filesystem support

You don't seem to have Berkeley DB version 4.0.14 or newer
installed and linked to APR-UTIL.  We have created Makefiles which
will build without the Berkeley DB back-end; your repositories will
use FSFS as the default back-end.  You can find the latest version of
Berkeley DB here:

http://www.oracle.com/technology/software/products/berkeley-db/index.html

Continue with the build:

make
make install

After install, this error comes up, but it can be ignored; the next few steps fix it.

apxs:Error: Activation failed for custom /etc/apache2/httpd.conf file..
apxs:Error: At least one `LoadModule' directive already has to exist..
make: *** [install-mods-shared] Error 1

Create the file /etc/apache2/mods-available/dav_svn.load with the following:

# Depends: dav
LoadModule dav_svn_module /usr/lib/apache2/modules/mod_dav_svn.so
LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so

Copy the modules from the source tree you just built (1.6.13, the version downloaded above) into the Apache module directory; also enable SSL since we want to push this over a secure channel:

cp /usr/src/subversion-1.6.13/subversion/mod_dav_svn/.libs/mod_dav_svn.so /usr/lib/apache2/modules/
cp /usr/src/subversion-1.6.13/subversion/mod_authz_svn/.libs/mod_authz_svn.so /usr/lib/apache2/modules/
a2enmod dav_svn
a2enmod ssl

Configuration

Create the file /etc/apache2/sites-available/svn so that Apache knows about the SVN repository. Do not point DocumentRoot at the repository parent: anything under DocumentRoot that is not covered by the <Location /svn> block is served by Apache as ordinary static files with no authentication, so with DocumentRoot /var/svn the raw repository directories (db/, conf/ and so on) would be readable by anyone asking for https://svn.mysite.com/myproject/db/. Use a directory with nothing sensitive in it, such as Debian's /var/www:

NameVirtualHost svn.mysite.com:443

<VirtualHost svn.mysite.com:443>

# Not /var/svn: the repository parent must only be reachable through mod_dav_svn
DocumentRoot /var/www

# SSL Definitions
SSLEngine on
SSLCertificateFile /etc/ssl/private/myserver_svn.crt
SSLCertificateKeyFile /etc/ssl/private/myserver_svn.key

# Subversion
<Location /svn>
    DAV svn
    SVNListParentPath on
    SVNParentPath /var/svn
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile /etc/svn/dav_svn.passwd
    AuthzSVNAccessFile /etc/svn/dav_svn.control
    Require valid-user
</Location>
</VirtualHost>

Now enable the site and start/restart Apache:

a2ensite svn
/etc/init.d/apache2 restart

Set up the initial repository with svnadmin create and make the user running the web service its owner, since that is the user that will actually modify the repository files.

mkdir /var/svn
svnadmin create /var/svn/myproject
chown -R www-data:www-data /var/svn/myproject

Now we can create the username/password file along with the access file. Let htpasswd prompt for the password: the -b form puts it on the command line, where it lands in the shell history and is visible to every local user in ps output. Keep the file readable only by root and www-data (chown root:www-data, chmod 640), since it holds the password hashes.

mkdir /etc/svn
touch /etc/svn/dav_svn.passwd
htpasswd -m /etc/svn/dav_svn.passwd myuser

Create the access file to your repositories.

touch /etc/svn/dav_svn.control

Now edit the file. Users get r (read) or rw (read-write) access rights. First you list the repository, then the path within it after the colon for more fine-grained permissions; a user with no matching rule gets no access at all.

[myproject:/]
myuser = r

[myproject:/trunk/base/code]
myuser = rw

Now reboot the server and test access; it should start up automatically.

Maintenance and Use

The best way to use SVN over HTTPS is with Tortoise for Windows or some other tool if using Linux, like RapidSVN.

Adding Additional Users

To add more users, just run htpasswd against your dav_svn.passwd file, same as in the initial configuration (again without -b, so the password is prompted for rather than put on the command line).

htpasswd -m /etc/svn/dav_svn.passwd newuser

Now edit the access file that holds the other users and is referenced in the Apache configuration. Users get r (read) or rw (read-write) access rights. First you list the repository, then the path within it after the colon for more fine-grained permissions.

[myproject:/]
myuser = r
newuser = r

[myproject:/trunk/base/code]
myuser = rw
newuser = rw

Backing Up the Repositories

To back up a repository, use the svnadmin dump command, which exports the entire database with all revisions. You can then tar and gzip the dump file for compression and back it up to tape or disk somewhere else. Incremental dumps (svnadmin dump --incremental -r N:M) are also possible if disk/tape space is an issue.

svnadmin dump /var/svn/myproject > /home/backups/myproject_dumpfile

Restoring the Repositories

Restoring the SVN database simply replays all the revisions from the dump into a fresh repository. The restore process also works well for moving an older repository to a newer Subversion version, since loading the dump into a repository created by the new version brings it up to that version's format.

svnadmin create /var/svn/restoredproject
svnadmin load /var/svn/restoredproject < /home/backups/myproject_dumpfile
chown -R www-data:www-data /var/svn/restoredproject
chmod -R 770 /var/svn/restoredproject
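The backup and restore steps above, as an added example (not code from the original post) that does what the incremental remark hints at: the first run dumps the whole repository, later runs dump only the revisions newer than the last recorded one, and the restore replays the dumps in order into a fresh repository. It assumes svnadmin, svnlook and gzip are installed; the file naming and the .last state file are my own conventions.

```sh
#!/bin/sh
# Added example, not from the original post: incremental FSFS backups with
# svnadmin dump/load. Naming scheme and the ".last" state file are assumptions.
set -eu

# svn_backup REPO BACKUP_DIR
# Writes BACKUP_DIR/<name>.r<from>-<to>.dump.gz and records <to> in
# BACKUP_DIR/<name>.last. Prints the range dumped, or "up-to-date".
svn_backup() {
    repo=$1; out=$2
    name=$(basename "$repo")
    state="$out/$name.last"
    mkdir -p "$out"
    youngest=$(svnlook youngest "$repo")
    if [ -f "$state" ]; then
        last=$(cat "$state")
    else
        last=-1                      # nothing backed up yet: full dump from r0
    fi
    if [ "$youngest" -le "$last" ]; then
        echo up-to-date
        return 0
    fi
    from=$((last + 1))
    # --incremental records only what changed in each revision, so later
    # dumps apply cleanly on top of earlier ones with "svnadmin load";
    # -q keeps the per-revision progress off stderr.
    svnadmin dump -q --incremental -r "$from:$youngest" "$repo" \
        | gzip -c > "$out/$name.r$from-$youngest.dump.gz"
    echo "$youngest" > "$state"
    echo "r$from-$youngest"
}

# svn_restore NEW_REPO BACKUP_DIR NAME
# Recreates a repository by loading every dump for NAME, lowest start
# revision first (sorted numerically on the <from> part of the file name).
svn_restore() {
    newrepo=$1; out=$2; name=$3
    svnadmin create "$newrepo"
    ls "$out"/"$name".r*.dump.gz \
        | sed 's/^\(.*\.r\([0-9][0-9]*\)-[0-9][0-9]*\.dump\.gz\)$/\2 \1/' \
        | sort -n | cut -d' ' -f2- \
        | while read -r f; do
              gunzip -c "$f" | svnadmin load -q "$newrepo"
          done
}
```

Run `svn_backup /var/svn/myproject /home/backups` from cron; each run after the first only produces the new revisions. Restore with `svn_restore /var/svn/restoredproject /home/backups myproject`, then apply the chown/chmod from the section above so Apache can use it.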
29 Dec 2009

QuickBooks Enterprise Install on Debian

Operating System: Debian Lenny 5.0

This server needs an /opt directory for the package install, so the partitioning is a little bit different than a typical Linux setup. This is what mine ended up looking like:

Filesystem   Size    Mounted on
/dev/sda1    2G      /
/dev/sda5    3G      /usr
/dev/sda6    2G      /opt
/dev/sda7    1G      /tmp
/dev/sda8    2G      /var
/dev/sda9    (rest)  /home
swap         X       (swap partition)

Setup a few packages necessary for the server first.

apt-get install samba gamin alien

Now users and groups need to be added for permissions and the Samba folder share access.

groupadd quickbooks
useradd -d /home/user1 -g quickbooks user1
useradd -d /home/user2 -g quickbooks user2
useradd -d /home/user3 -g quickbooks user3
useradd -d /home/user4 -g quickbooks user4
smbpasswd -a user1
smbpasswd -a user2
smbpasswd -a user3
smbpasswd -a user4

Create the folder where the QuickBooks data files will be stored and set the appropriate permissions.

mkdir /home/qbdata
chown user1:quickbooks /home/qbdata/
chmod 775 /home/qbdata/

Now configure Samba by moving the built in configuration and writing your own.

cd /etc/samba
mv smb.conf smb.conf.orig
cp smb.conf.orig smb.conf
vi smb.conf

The configuration file should read:

[global]
   workgroup = WORKGROUP
   server string = %h server
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes

[qbdata]
   path = /home/qbdata
   comment = Quickbooks Enterprise database share
   valid users = user1,user2,user3,user4
   public = no
   writeable = yes
   printable = no
   create mask = 0765

Now restart Samba and test the permissions using a Windows client. You should be able to see the logs created by each client and who was accessing the share.

/etc/init.d/samba restart
tail /var/log/samba/log.smbd
tail /var/log/samba/log.rst-win-utl3

Using Alien, we'll create a deb package from an rpm so it can be installed. Some other directories and files need to be created for logging purposes since Debian uses rsyslog and QuickBooks won't create them on its own.

cd /usr/src
wget http://http-download.intuit.com/http.intuit/CMO/qbes/resources/qbdbm-20.0-5.i386.rpm
alien qbdbm-20.0-5.i386.rpm
mkdir /var/lock/subsys
dpkg -i qbdbm_20.0-6_i386.deb
touch /var/log/qbdbfilemon.log
touch /var/log/qbdbmgrn_20.log
touch /var/lock/subsys/qbdbfilemon
touch /var/lock/subsys/qbdbmgrn_20

We need to add a line to the syslog configuration in /etc/rsyslog.conf, just put it at the end.

daemon.*                        -/var/log/qbdbfilemon.log

Setup the QuickBooks binaries to startup automatically.

update-rc.d qbdbfilemon defaults
update-rc.d qbdbmgrn_20 defaults

Modify the file /opt/qb/util/qbmonitord.conf to include the directory where the QuickBooks data will live:

/home/qbdata

Restart the server and you should be able to run a ps -e and see the following processes running indicating the server is up. There also should be a /home/qbdata/qbdir.dat file created automatically.

 1987 ?        00:00:01 qbmonitord
 1994 ?        00:00:02 gam_server
 1995 ?        00:25:40 QBDBMgrN_20
14 Oct 2009

OpenVPN – Installation and Configuration

Operating System: Debian Etch 4.0


Install and Key Generation

First we just need to grab the primary packages from the repos and install. Make sure you're root.

apt-get install openvpn openssl

Next find the easy-rsa directory and copy it into the OpenVPN configuration directory as /etc/openvpn/easy-rsa (the path the rest of these notes assume) so we can set up a certificate authority.

cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa

Now in the /etc/openvpn/easy-rsa directory open up the vars file and make some edits that suit you. I only made changes to the very end of the file.

export KEY_SIZE=2048
export KEY_COUNTRY=US
export KEY_PROVINCE=NA
export KEY_CITY=mycity
export KEY_ORG="My Company"
export KEY_OU="Operations"
export KEY_CN="CommonName"
export KEY_EMAIL="sysadmin@test.com"

Save this file. Then run:

. ./vars

Yeah, there's a dot, a space, and then another dot in there: that sources the file into the current shell so the KEY_* variables are set for the scripts that follow. Then run these commands:

./clean-all
./build-ca

You'll be asked the cert questions, but most of the defaults should be filled in for you since you manually entered them in the vars file. Now build the server key:

./build-key-server myserver

You'll be asked the same type of questions, but for common name you need to enter something. "Server" is the default. Run this next command, which will take awhile.

./build-dh

Then generate your TLS-AUTH keys:

cd keys
openvpn --genkey --secret ta.key

Now create a key directory closer to the root folder to stay organized and copy the necessary keys there (you are still in /etc/openvpn/easy-rsa/keys, so ../../keys is /etc/openvpn/keys):

mkdir -m 0700 /etc/openvpn/keys
cp ca.crt ../../keys
mv dh2048.pem ta.key myserver.crt myserver.key ../../keys

Server Config File

My server configuration is located in /etc/openvpn/server.conf. It's what worked for me. The 172.21.0.0 subnet is the virtual one used by the VPN. The 10.10.0.0 subnet is the LAN I'm trying to connect to. One caveat on duplicate-cn: it lets several clients connect with the same certificate at once, which means a single leaked user key serves any number of machines, and it defeats ifconfig-pool-persist, which hands out addresses by common name. Leave it out unless you need it.

dev tun
port 1194
proto udp
server 172.21.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route 10.10.0.0 255.255.255.0"
max-clients 10
user nobody
group nogroup
duplicate-cn

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/myserver.crt
key /etc/openvpn/keys/myserver.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0

keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 4

More info on configuration options is here: http://openvpn.net/howto.html. You'll also have to enable packet forwarding so packets can flow from the VPN interface to the ethernet interface. Open the file /etc/sysctl.conf and uncomment this line:

net.ipv4.conf.default.forwarding=1

Restart the server (or run sysctl -p to apply the setting immediately).


Setup the Revocation List

Now set up a certificate revocation list (CRL) so you can block certificates and users you have issued. Source your variables again.

cd /etc/openvpn/easy-rsa
. ./vars

openssl ca needs the easy-rsa openssl.cnf rather than the system-wide one. vars already exports its path as KEY_CONFIG, so you can pass -config "$KEY_CONFIG" to openssl instead of touching the system file. I repointed the system configuration at the easy-rsa one:

cd /usr/lib/ssl
mv openssl.cnf openssl.cnf.old
ln -s /etc/openvpn/easy-rsa/openssl.cnf openssl.cnf

Edit openssl.cnf and comment out the pkcs11 section at the end if you're not using it, otherwise it will throw errors. Then create your CRL in the easy-rsa keys directory:

cd /etc/openvpn/easy-rsa/keys
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out crl.pem

The server only honours the list if it is told where it is, so add a crl-verify line to /etc/openvpn/server.conf; without it a revoked certificate keeps working. Because the server drops to user nobody and re-reads the CRL at every client connection, the file must be readable by that user, which the 0700 keys directory is not. The simplest arrangement is to copy crl.pem to /etc/openvpn/crl.pem (mode 644) after each revocation and point crl-verify there:

crl-verify /etc/openvpn/crl.pem

User Configuration

Now create your first user:

./build-key-pass user1

Answer the same prompts and give it a password. If you don't want to use a password, just use build-key instead. Restart the OpenVPN server for it to read the config:

/etc/init.d/openvpn restart

Now, on the client machine run the same install commands (assuming you're using an Ubuntu or Debian box) and create a keys directory:

apt-get install openvpn openssl
mkdir /etc/openvpn/keys

Copy the keys ca.crt, user1.crt, user1.key, and ta.key into the keys directory and then create a file called client.conf in the /etc/openvpn directory. Be sure you restrict access and lock down the keys directory, since compromise of these files will give someone else access.

Here's my config:

client
dev tun
proto udp
remote myserver.site.com 1194
nobind
user nobody
group nogroup

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/user1.crt
key /etc/openvpn/keys/user1.key
tls-auth /etc/openvpn/keys/ta.key 1

comp-lzo
persist-key
persist-tun
log /var/log/openvpn/openvpn.log
verb 4
ns-cert-type server

You can get more info on the configuration here: http://openvpn.net/howto.html. Now start up the VPN:

openvpn /etc/openvpn/client.conf

You can check the logs for errors, but in a few seconds, if you run an ifconfig, you can see a tun0 device has been created and has one of the virtual IP addresses. You can then ping the remote VPN server's inside address for testing.


Routing Issues

In my situation, my VPN server was not the default gateway on my LAN, so I had to add permanent routes on the LAN hosts so that replies to the 172.21.0.0 network go back to the VPN server (10.10.0.5 here) and into the tunnel. On Linux boxes use the command below; to keep it across reboots, put the same command on an "up" line of the interface stanza in /etc/network/interfaces:

route add -net 172.21.0.0 netmask 255.255.255.0 gw 10.10.0.5

And on Windows (-p makes the route persistent):

route -p add 172.21.0.0 mask 255.255.255.0 10.10.0.5 metric 10

Adding and Removing Other Users

When you need to add new users or client certificates, simply run:

cd /etc/openvpn/easy-rsa
. ./vars
./pkitool client2

This will generate the keys for the new client to copy down to their machine, just the same as the initial client. Hand the .key over a secure channel and remove it from the CA host once the client has it; the CA only needs the .crt to revoke it later.

Removing users is easy as well.

cd /etc/openvpn/easy-rsa
. ./vars
./revoke-full client2

You may see "error 23" at the end; that's normal. revoke-full finishes by running openssl verify against the fresh CRL, and error 23 is X509_V_ERR_CERT_REVOKED, the check confirming that the certificate is now rejected. Copy the regenerated keys/crl.pem to wherever crl-verify in server.conf points so the running server picks it up.
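To make the CRL machinery concrete, here is an added example (not code from the post and not easy-rsa) that builds a throwaway CA with plain openssl commands, issues a client certificate, revokes it the way revoke-full does, regenerates the CRL and verifies the certificate against it, which is the check an OpenVPN server performs when crl-verify is set. It serves both the Setup the Revocation List section and the revoke step above; the directory layout, file names and lifetimes are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post or from easy-rsa: a minimal OpenSSL
# CA that issues a client certificate, revokes it, regenerates the CRL and then
# checks the certificate the way an OpenVPN server given "crl-verify" does.
# Directory layout, file names and lifetimes are assumptions for the demo.
set -eu

ca_init() {   # ca_init DIR "CA common name"
    dir=$1
    mkdir -p "$dir/issued"
    : > "$dir/index.txt"          # the database "openssl ca" maintains
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    # Private config for both "openssl req" and "openssl ca", so nothing in
    # /usr/lib/ssl has to be replaced (the post symlinked the system file).
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca         = CA_default
[ CA_default ]
dir                = $dir
database           = \$dir/index.txt
new_certs_dir      = \$dir/issued
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
certificate        = \$dir/ca.crt
private_key        = \$dir/ca.key
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = policy_any
[ policy_any ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName         = Common Name
[ v3_ca ]
basicConstraints   = critical,CA:TRUE
keyUsage           = critical,keyCertSign,cRLSign
EOF
    (umask 077; openssl req -config "$dir/openssl.cnf" -x509 -nodes -newkey rsa:2048 \
        -days 3650 -subj "/CN=$2" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null)
    ca_gencrl "$dir"               # start with an (empty) CRL so crl-verify has a file
}

# ca_gencrl DIR -> rewrites DIR/crl.pem from the database (what -gencrl above does)
ca_gencrl() { openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null; }

ca_issue() {  # ca_issue DIR NAME -> DIR/NAME.key and DIR/NAME.crt (like build-key)
    dir=$1; name=$2
    (umask 077; openssl req -config "$dir/openssl.cnf" -new -nodes -newkey rsa:2048 \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null)
    openssl ca -config "$dir/openssl.cnf" -batch -notext \
        -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null
}

ca_revoke() { # ca_revoke DIR NAME: mark revoked in the database, then refresh the CRL
    openssl ca -config "$1/openssl.cnf" -revoke "$1/$2.crt" 2>/dev/null
    ca_gencrl "$1"
}

# ca_check DIR NAME -> 0 if the cert chains to the CA and is not on the CRL.
# Once revoked it fails with "error 23 ... certificate revoked", the error
# number revoke-full shows at the end.
ca_check() {
    openssl verify -CAfile "$1/ca.crt" -crl_check -CRLfile "$1/crl.pem" \
        "$1/$2.crt" >/dev/null 2>&1
}
```

Run `ca_init /tmp/democa "Demo CA"; ca_issue /tmp/democa user1; ca_check /tmp/democa user1` (succeeds), then `ca_revoke /tmp/democa user1; ca_check /tmp/democa user1` (fails). The point of the exercise is the last call: a CRL nobody checks revokes nothing, which is why crl-verify must be in server.conf and the file must be readable after the privilege drop.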

1 Oct 2009

Nagios – Installation, Configuration, and Use

Operating System: Debian Etch 4.0

An excellent resource for deploying Nagios is the book by Wolfgang Barth called "Nagios: System and Network Monitoring" from No Starch Press. It goes into nice detail on how to get the basics running or write your own plugins if you wish, plus many 3rd party tools to assist in monitoring.


Installation

First install the essential packages needed to compile and use Nagios as root.

apt-get install libgd-dev libssl-dev
apt-get install build-essential
apt-get install openssl
apt-get install apache2 mysql-server libmysqlclient-dev
apt-get install gcc make autoconf automake libgd ntpdate libperl-dev libnet-snmp-perl libdbd-sybase-perl

Create the users and groups that will be used to run Nagios.

groupadd -g 9000 nagios
groupadd -g 9001 nagcmd
useradd -u 9000 -g nagios -G nagcmd -d /usr/local/nagios -c "Nagios Admin" nagios

Add the Apache daemon user, which by default on Debian is www-data, to the nagcmd group (with -a so its existing groups are kept):

usermod -a -G nagcmd www-data

Now setup the initial directories and permissions where we'll keep the files. I chose to create /home/nagios because that's where I'll store the data files since the home partition is the largest on the server.

mkdir /usr/local/nagios/ /etc/nagios/ /home/nagios
chown nagios:nagios /usr/local/nagios /etc/nagios /home/nagios

Download the Nagios source, unpack it and change into the source directory.

cd /usr/local/src
wget http://superb-east.dl.sourceforge.net/sourceforge/nagios/nagios-3.x.x.tar.gz
tar zxvf nagios-3.x.x.tar.gz
cd nagios-3.x.x

Build the source, including the location of the directories created previously. The sysconfdir is pretty standard, but localstatedir needs a bit more space if you have it.

./configure --sysconfdir=/etc/nagios --localstatedir=/home/nagios --with-command-group=nagcmd --with-perlcache --enable-embedded-perl

Observe configuration summary and make sure everything is OK.

*** Configuration summary for nagios 3.0.6 12-01-2008 ***:

General Options:
-------------------------
Nagios executable:  nagios
Nagios user/group:  nagios,nagios
Command user/group:  nagios,nagcmd
Embedded Perl:  yes, with caching
Event Broker:  yes
Install ${prefix}:  /usr/local/nagios
Lock file:  /home/nagios/nagios.lock
Check result directory:  /home/nagios/spool/checkresults
Init directory:  /etc/init.d
Apache conf.d directory:  /etc/apache2/conf.d
Mail program:  /usr/bin/mail
Host OS:  linux-gnu

Web Interface Options:
------------------------
HTML URL:  http://localhost/nagios/
CGI URL:  http://localhost/nagios/cgi-bin/
Traceroute (used by WAP):  /usr/sbin/traceroute

If the config looks OK, compile all:

make all
make install
make install-init
make install-commandmode
make install-config

This will allow Nagios to be started upon boot.

update-rc.d nagios defaults 99

Now download and install the latest batch of plugins so Nagios has something to run. Again, pay close attention to the configure statement so that the directories are the same as those specified for compiling Nagios itself.

cd /usr/local/src
wget http://superb-west.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.x.tar.gz
tar zxvf nagios-plugins-1.4.x.tar.gz
cd nagios-plugins-1.4.x
./configure --sysconfdir=/etc/nagios --localstatedir=/home/nagios --enable-perl-modules
make
make check
make install

Test the ICMP plugin since it is a necessary component.

/usr/local/nagios/libexec/check_icmp 10.10.0.1

Configuration

Configure the Nagios web interface (Apache):

cd /usr/local/src/nagios-3.x.x
make install-webconf
/etc/init.d/apache2 reload

Create an htpasswd file for simple authentication to the Nagios monitoring site. The file is owned by www-data and mode 600 so only the web server (and root) can read the password hashes.

cd /etc/nagios
htpasswd -c htpasswd.users nagios
chown www-data htpasswd.users
chmod 600 htpasswd.users

Be sure, when you add other users that can log in, that you also add them to the authorized_for_* lines in cgi.cfg; otherwise they only see the hosts and services they are a contact for.

htpasswd htpasswd.users otheruser
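Both Nagios posts make the same point (the Lenny post's Configuration section and the sentence above): a login has to exist in htpasswd.users and be named on the authorized_for_* lines of cgi.cfg. This added example (not code from either post) cross-checks the two files and lists the discrepancies; it runs on any pair of such files, and the files in the usage note are constructed samples.

```sh
#!/bin/sh
# Added example, not from either Nagios post: cross-check htpasswd.users against
# the authorized_for_* lines in cgi.cfg. A login present in htpasswd.users but
# on no authorized_for_* line only sees objects it is a contact for; a name in
# cgi.cfg with no htpasswd entry is a leftover worth pruning. Paths are arguments.
set -eu

# users_in_htpasswd FILE -> sorted, unique login names (field 1 of each line)
users_in_htpasswd() { cut -d: -f1 "$1" | sort -u; }

# users_in_cgicfg FILE -> sorted, unique names from every authorized_for_* line;
# commented-out lines (leading #) are skipped, spaces around names tolerated
users_in_cgicfg() {
    sed -n 's/^authorized_for_[a-z_]*=//p' "$1" \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -v '^$' | sort -u
}

# nagios_auth_audit HTPASSWD CGICFG -> one line per discrepancy:
#   "htpasswd-only: NAME"  can log in but has no authorized_for_* rights
#   "cgi-only: NAME"       granted rights but cannot log in
nagios_auth_audit() {
    h=$(mktemp); c=$(mktemp)
    users_in_htpasswd "$1" > "$h"
    users_in_cgicfg "$2" > "$c"
    comm -23 "$h" "$c" | sed 's/^/htpasswd-only: /'
    comm -13 "$h" "$c" | sed 's/^/cgi-only: /'
    rm -f "$h" "$c"
}
```

With a constructed htpasswd.users holding nagios, user1 and user3 and a cgi.cfg whose authorized_for_* lines name nagios, user1 and user2, `nagios_auth_audit /etc/nagios/htpasswd.users /etc/nagios/cgi.cfg` reports "htpasswd-only: user3" and "cgi-only: user2"; an empty report means the two files agree.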

For easier readability, give the object configuration directory a unique name per site. This helps if you're monitoring multiple sites and will have many config files. The primary and global config files stay in /etc/nagios, and the object configurations that need editing go in a directory under it. If you rename the directory, replace the cfg_file=.../objects/... entries in nagios.cfg with a single cfg_dir=/etc/nagios/mysite line; Nagios then reads every file in that directory (recursively) that ends in .cfg.

cd /etc/nagios
mv objects mysite

Third-party Utilities

These utilities make it easier to manage and gather information from Nagios, especially for reporting reasons.

NDOUtils

Download and install ndoutils for database storage of performance data.

cd /usr/local/src
wget http://superb-east.dl.sourceforge.net/sourceforge/nagios/ndoutils-1.4.x.tar.gz
tar zxvf ndoutils-1.4.x.tar.gz

Check to make sure you're using the right versions for compatibility.

fgrep CURRENT_OBJECT_STRUCTURE_VERSION nagios-3.x.x/include/objects.h
#define CURRENT_OBJECT_STRUCTURE_VERSION        307     /* increment when changes are made to data structures... */
fgrep CURRENT_OBJECT_STRUCTURE_VERSION ndoutils-1.4.x/include/*/objects.h
include/nagios-2x/objects.h:#define CURRENT_OBJECT_STRUCTURE_VERSION        2
include/nagios-3x/objects.h:#define CURRENT_OBJECT_STRUCTURE_VERSION        307     /* increment when changes are made to data structures... */
cd ndoutils-1.4.x
./configure --sysconfdir=/etc
make
cd src
cp ndo2db-3x ndomod-3x.o log2ndo file2sock /usr/local/nagios/bin/

Prepare MySQL for ndoutils.

mysql> create database nagios_level3;
mysql> grant usage on *.* to 'nagios_dbuser'@'localhost' identified by 'password' with max_queries_per_hour 0 max_connections_per_hour 0 max_updates_per_hour 0;
mysql> grant select, insert, update, delete on nagios_level3.* to 'nagios_dbuser'@'localhost';
mysql> flush privileges;
mysql> quit
cd /usr/local/src/ndoutils-1.4.x/db
mysql -u root -p nagios_level3 < mysql.sql

Configure ndoutils for use.

cd /usr/local/src/ndoutils-1.4.x
cp config/ndo*.cfg /etc/nagios/
cd /etc/nagios

Modify /etc/nagios/ndomod.cfg:

output=/home/nagios/ndo.sock
buffer_file=/home/nagios/ndomod.tmp

Modify /etc/nagios/ndo2db.cfg:

socket_name=/home/nagios/ndo.sock
db_name=nagios_level3
db_user=nagios_dbuser
db_pass=password

Test the ndoutil daemon and see if it runs.

/usr/local/nagios/bin/ndo2db-3x -c /etc/nagios/ndo2db.cfg
ls -l /home/nagios/ndo.sock
srwxr-xr-x 1 nagios nagios 0 2009-01-02 15:02 /home/nagios/ndo.sock
kill -9 [ndo2db-3x pid]
rm /home/nagios/ndo.sock
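
As an added pre-flight check, not from the original post, this script automates two of the comparisons above: that CURRENT_OBJECT_STRUCTURE_VERSION in the Nagios and ndoutils headers agree, and that the socket ndomod writes to (output=) is the one ndo2db listens on (socket_name=). The default paths assume the /usr/local/src and /etc/nagios layout used in this guide and can be overridden through the environment.

```shell
#!/bin/sh
# Added pre-flight checks, not part of the original post. Defaults follow the
# directory layout used in this guide; override them via the environment.
NAGIOS_SRC="${NAGIOS_SRC:-/usr/local/src/nagios-3.x.x}"
NDO_SRC="${NDO_SRC:-/usr/local/src/ndoutils-1.4.x}"
NAGIOS_ETC="${NAGIOS_ETC:-/etc/nagios}"

# Print the numeric CURRENT_OBJECT_STRUCTURE_VERSION from an objects.h.
object_version() {
    sed -n 's/^#define[[:space:]]*CURRENT_OBJECT_STRUCTURE_VERSION[[:space:]]*\([0-9]*\).*/\1/p' "$1"
}

# Return 0 if both headers define the same structure version; an ndomod built
# against a different version will not load into Nagios.
ndo_versions_match() {
    a=$(object_version "$1"); b=$(object_version "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the value of key=value from an ndoutils cfg file (last one wins).
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 if ndomod writes to the socket ndo2db reads from; with a mismatch
# both start without error but nothing ever reaches the database.
ndo_socket_paths_match() {
    out=$(cfg_value "$1" output); sock=$(cfg_value "$2" socket_name)
    [ -n "$out" ] && [ "$out" = "$sock" ]
}

main() {
    h1="$NAGIOS_SRC/include/objects.h"
    h2="$NDO_SRC/include/nagios-3x/objects.h"
    c1="$NAGIOS_ETC/ndomod.cfg"; c2="$NAGIOS_ETC/ndo2db.cfg"
    for f in "$h1" "$h2" "$c1" "$c2"; do
        [ -r "$f" ] || { echo "cannot read $f (set NAGIOS_SRC/NDO_SRC/NAGIOS_ETC)"; return 0; }
    done
    if ndo_versions_match "$h1" "$h2"; then echo "object structure versions match"
    else echo "object structure version mismatch"; fi
    if ndo_socket_paths_match "$c1" "$c2"; then echo "ndomod output and ndo2db socket_name agree"
    else echo "ndomod output and ndo2db socket_name differ"; fi
}
main
```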

Create an init script for the ndo2db daemon.

cd /etc/init.d
cp skeleton ndo2db-3x
chmod 755 ndo2db-3x

Edit the new ndo2db-3x file:

#! /bin/sh
### BEGIN INIT INFO
# Provides:           ndo2db-3x
# Required-Start:   $local_fs $remote_fs
# Required-Stop:   $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Example initscript
# Description:         This file should be used to construct scripts to be
#                          placed in /etc/init.d.
### END INIT INFO

# Author: Ryan Rosiek
#
# Please remove the "Author" lines above and replace them
# with your own name if you copy and modify this script.

# Do NOT "set -e"

# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="ndoutil daemon startup for ndo2db-3x"
NAME=ndo2db-3x
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-c /etc/nagios/ndo2db.cfg"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
...
do_stop() {
   ...
   # Remove sock file
   rm -f /home/nagios/ndo.sock
   ...
}
...

Modify the Nagios config to start event broker module.

vi /etc/nagios/nagios.cfg
...
broker_module=/usr/local/nagios/bin/ndomod-3x.o config_file=/etc/nagios/ndomod.cfg

Start the services.

/etc/init.d/ndo2db-3x start
/etc/init.d/nagios reload

Log into the database and make sure information is being written.

mysql -u nagios_dbuser -p
mysql> use nagios_level3
mysql> select * from nagios_objects where objecttype_id=2;

NRPE

NRPE makes it easier to run service checks on remote clients. First add it to the server.

cd /usr/local/src
wget http://localhost/nrpe-2.x.tar.gz
tar zxvf nrpe-2.x.tar.gz
cd nrpe-2.x
./configure --sysconfdir=/etc/nagios --localstatedir=/home/nagios --enable-ssl=no
make
make install

Note: SSL was not configured in this case because all monitoring traffic is internal and no access to this network is allowed.

NSClient++

NSClient++ is a great utility to run on Windows servers for NRPE to check. Download the latest client and unzip it.

  1. Create folder C:\Program Files\NSClient
  2. Copy unzipped files into this folder
  3. Uncomment these lines in NSC.ini
;NRPEListener.dll
;CheckSystem.dll
;CheckDisk.dll
;CheckEventLog.dll
;allowed_hosts= (under Settings)
;use_file=1
;allow_arguments=1
;port=5666
;use_ssl=0

Comment out:

;check_other=-H 192.168.0.1 -p 5666 -c remote_command -a arguments

In a command prompt:

cd \
cd "Program Files\NSClient"
NSClient++ /install