
Wednesday, 29 August 2012

Nagios: check remote hosts via SSH with command validation


Nagios server: Fedora release 16 (Verne)
Nagios remote node: Debian GNU/Linux testing (wheezy)


Basic SSH Configuration
Let's allow access from the nagios server to the nagios node by creating a passphrase-less SSH key:

zmo@nagiosSer:~$ cd .ssh/
zmo@nagiosSer:~/.ssh$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/zmo/.ssh/id_dsa): nagios
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in nagios.
Your public key has been saved in nagios.pub.
The key fingerprint is:
....

... so that you now have nagios and nagios.pub alongside the other keys:

zmo@nagiosSer:~/.ssh$ ls
id_rsa id_rsa.pub nagios nagios.pub

On the remote node, create the nagios user and the necessary file:

root@nagiosNod:~# adduser nagios
Adding user `nagios' ...
Adding new group `nagios' (1006) ...
Adding new user `nagios' (1006) with group `nagios' ...
...
Enter new UNIX password: xxxxxxxx
Retype new UNIX password: xxxxxxxx
...
root@nagiosNod:~# su - nagios
nagios@nagiosNod:~$ mkdir .ssh
nagios@nagiosNod:~$ touch .ssh/authorized_keys


Append your public key, from the nagios server, to the remote nagios user's authorized_keys file:


zmo@nagiosSer:~/.ssh$ cat nagios.pub | ssh nagios@nagiosNod.remote.com 'cat >> /home/nagios/.ssh/authorized_keys'
nagios@nagiosNod.remote.com's password: xxxxxxxx


Give it a try:

zmo@nagiosSer:~$ ssh -i .ssh/nagios nagios@nagiosNod
Last login: Tue Aug 28 20:44:54 2012 from nagiosSer
nagios@nagiosNod:~$



On the nagios server


root@nagiosSer:~# yum install nagios-plugins-by_ssh.i686


On the nagios remote node
Install the nagios plugins

root@nagiosNod:~# apt-get install nagios-plugins-basic


NOTE: you can find where the plugins have been stored by

root@nagiosNod:~# dpkg -L nagios-plugins-basic
...
/usr/lib/nagios/plugins/check_apt
/usr/lib/nagios/plugins/check_tcp
/usr/lib/nagios/plugins/check_dummy
/usr/lib/nagios/plugins/check_ntp
/usr/lib/nagios/plugins/check_nwstat
/usr/lib/nagios/plugins/check_load
/usr/lib/nagios/plugins/check_procs
...


On the nagios server
Let's write an SSH config file:

root@nagiosSer:~# cd /etc/nagios
root@nagiosSer:/etc/nagios# vim check_by_ssh_config


Host nagiosNod 84.68.x.x
    User nagios
    Hostname nagiosNod.remote.com
    IdentityFile /home/zmo/.ssh/nagios

This file will be passed to check_by_ssh as its SSH configuration. You can of course add other hosts.

Configure the commands.cfg

root@nagiosSer:/etc/nagios# vim objects/commands.cfg


# Check Remote Disk
define command {
    command_name    check_remote_disk
    command_line    $USER1$/check_by_ssh -H $HOSTADDRESS$ -F /etc/nagios/check_by_ssh_config -C "/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$"
}

A little explanation:
* $USER$ - the user that nagios runs as (nagios)
* $HOSTADDRESS$ - the numeric IP address defined in the server configuration file (/etc/nagios/objects/nagiosNod.cfg), mapped to the "address" field
* -F /etc/nagios/check_by_ssh_config - the SSH configuration file written previously
* -C /usr/lib/nagios/.. - the command that will be executed on the remote node

It's better (though not mandatory) to put these services in a separate group. So, open /etc/nagios/objects/templates.cfg (or services.cfg) and append:

# Remote service
define service {
    name                    remote-service
    use                     generic-service
    max_check_attempts      4
    normal_check_interval   5
    retry_check_interval    1
    register                0
}


Now, in the /etc/nagios/objects/nagiosNod.cfg file, we can append:

define service {
    use                     remote-service
    host_name               nagiosNod
    service_description     Home Partition
    check_command           check_remote_disk!20%!10%!/home
}


SSH validation
This step allows only the check_* commands to be executed from the nagios server on the nagios node: no other commands, no login, nothing else.

Create a command validation script:

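root@nagiosNod:~# touch /usr/local/bin/validate-nagios-check
root@nagiosNod:~# chown nagios.nagios /usr/local/bin/validate-nagios-check
root@nagiosNod:~# chmod 755 /usr/local/bin/validate-nagios-check
root@nagiosNod:~# su - nagios
nagios@nagiosNod:~$ vim /usr/local/bin/validate-nagios-check
#!/bin/sh
# Run only Nagios check_* plugins; reject any other request.
case "$SSH_ORIGINAL_COMMAND" in
    *\&*)
        # Reject commands containing "&"
        echo "Rejected"
        ;;
    *\;*)
        # Reject commands containing ";"
        echo "Rejected"
        ;;
    /usr/lib/nagios/plugins/check_*)
        # Replace this script with the requested plugin
        exec $SSH_ORIGINAL_COMMAND
        ;;
    *)
        # Anything else, including a plain login
        echo "Rejected"
        ;;
esac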

A little explanation: $SSH_ORIGINAL_COMMAND holds the command requested by the client, in our case /usr/lib/nagios/plugins/check_*. Using exec here means no shell is opened to run the command; the command itself is simply executed.

Let's go back to our authorized_keys. At the beginning of the key definition (before ssh-dss or ssh-rsa) we have to add the options that run our validate-nagios-check script for connections from the nagios server. The options and the key must be on the same line.

nagios@nagiosNod:~$ vim .ssh/authorized_keys
from="73.224.x.x",command="/usr/local/bin/validate-nagios-check" ssh-dss AAAAB3NzaC1kc3MAAACBAKK3jM9O+cmjPufrn9Ie7q+iJJu+1B0bHH6lhfYC8KandEIWP0gMGz4v...
...


You can test the validation script from the nagios server against the node:

root@nagiosSer:~# ssh -i /home/nagios/.ssh/nagios nagios@nagiosNod.remote.com
Rejected
Connection to nagiosNod.remote.com closed.
root@nagiosSer:~# ssh -i /home/nagios/.ssh/nagios nagios@nagiosNod.remote.com /bin/ls
Rejected
root@nagiosSer:~# ssh -i /home/nagios/.ssh/nagios nagios@nagiosNod.remote.com /usr/lib/nagios/plugins/check_http -h
check_http v1.4.16 (nagios-plugins 1.4.16)
Copyright (c) 1999 Ethan Galstad
Copyright (c) 1999-2011 Nagios Plugin Development Team
...
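
A stricter take on the validation idea above, as an added example that is not part of the original post: rather than rejecting two known-bad characters, it accepts only a conservative character set and requires the first word to be exactly a check_* file directly inside the plugin directory. The function names nagios_cmd_allowed and run_forced_command, the exit code and the sample requests are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example: allowlist check for a Nagios forced command.
# Function names are hypothetical; PLUGIN_DIR is the path used on this page.
PLUGIN_DIR=/usr/lib/nagios/plugins

# Return 0 only for "<PLUGIN_DIR>/check_<name> [args...]" made of safe characters.
nagios_cmd_allowed() {
    cmd=$1
    # A plain login arrives with no requested command at all.
    [ -n "$cmd" ] || return 1
    # Accept only letters, digits, space and a few punctuation characters;
    # this excludes & ; | ` $ ( ) < > quotes, glob characters and newlines.
    case $cmd in
        *[!A-Za-z0-9\ _./%:=,@+-]*) return 1 ;;
    esac
    # The first word is the program, the rest are its arguments.
    prog=${cmd%% *}
    name=${prog#"$PLUGIN_DIR"/check_}
    # If nothing was stripped, the program is not under PLUGIN_DIR/check_.
    [ "$name" != "$prog" ] || return 1
    # The plugin name must be a bare file name with no further path components.
    case $name in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Body of the forced command: run the plugin or refuse.
run_forced_command() {
    if nagios_cmd_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f                      # no globbing when the request is word-split
        exec $SSH_ORIGINAL_COMMAND  # split into words, never re-parsed by a shell
    fi
    echo "Rejected"
    exit 3                          # Nagios plugin convention: 3 = UNKNOWN
}

# Constructed sample requests (not from the original page) and the decision taken.
for sample in \
    "/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /home" \
    "/bin/ls" \
    "/usr/lib/nagios/plugins/check_disk; /bin/ls" \
    "/usr/lib/nagios/plugins/check_dir/other"
do
    if nagios_cmd_allowed "$sample"; then verdict=ALLOW; else verdict=REJECT; fi
    printf '%-7s %s\n' "$verdict" "$sample"
done
```

To use it as the forced command, replace the sample loop with a call to run_forced_command.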

Thursday, 22 December 2011

Upgrade apt-cacher-ng on Fedora 15

Get the latest version of apt-cacher-ng:


cd /usr/src
wget http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/apt-cacher-ng_x.x.x.orig.tar.xz
tar xvf apt-cacher-ng_x.x.x.orig.tar.xz


Compile it:


cd /usr/src/apt-cacher-ng_last_release
make
(if something goes wrong or missing, do a 'make clean' and retype 'make')
cp /usr/local/sbin/apt-cacher-ng /usr/local/sbin/back_apt-cacher-ng
cp build/apt-cacher-ng /usr/local/sbin/
cp build/in.acng /usr/local/sbin



Copy any missing files from the source conf directory into your /etc/apt-cacher-ng (don't overwrite acng.conf):


cp archlx_mirrors backends_debian.default backends_ubuntu.default cygwin_mirrors delconfirm.html epel_mirrors fedora_mirrors maint.html security.conf report.html sfnet_mirrors sl_mirrors style.css ubuntu_mirrors userinfo.html /etc/apt-cacher-ng


Check that everything works by restarting the service:


/etc/init.d/apt-cacher-ng restart


Then check the maintenance page at:

http://your_apt-cacher_server:3142/acng-report.html



CONFIGURE YUM TO RETRIEVE PACKAGES FROM THE CACHER


sudo vim /etc/yum.conf
...
# ZMo: apt-cacher for yum
proxy=http://your_apt-cacher_server:3142
...

Monday, 28 November 2011

OpenERP 6 on Fedora 15

postgresql installation


[fedora@lovelock ~]$ sudo yum install postgresql-server postgresql-libs postgresql



Initialize postgresql db and start the daemon:


[fedora@lovelock ~]$ /etc/init.d/postgresql initdb
Initializing database:                                     [  OK  ]
[fedora@lovelock ~]$ /etc/init.d/postgresql start
Starting postgresql (via systemctl):                       [  OK  ]



postgresql user
Become postgres and create the db user:


[fedora@lovelock]$ su - postgres
-bash-4.2$ createuser openerp
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) y
Shall the new role be allowed to create more new roles? (y/n) n



openerp user and environment
Create the openerp system user and give it a password:


[fedora@lovelock]$ sudo adduser --system openerp
[fedora@lovelock]$ sudo passwd openerp
Changing password for user openerp.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.



Create the OpenERP release directory:


[fedora@lovelock]$ su openerp -c "mkdir /home/openerp/6"



setup and test the server
Download the server tarball and unpack it:


[fedora@lovelock]$ su - openerp
[openerp@lovelock]$ cd 6
[openerp@lovelock]$ wget http://www.openerp.com/download/stable/source/openerp-server-6.0.0.tar.gz
[openerp@lovelock]$ tar xvf openerp-server-6.0.0.tar.gz


Install dependencies for the server:


[fedora@lovelock]$ sudo yum install python-lxml.i686 python-mako python-dateutil python-psycopg2 pychart pydot pytz python-vobject python-reportlab PyYAML python-imaging




NOTE: to test OpenERP releases in general, you don't need to perform a complete installation. Inside the bin directory of the unpacked openerp archive you can run "openerp-server.py". Running openerp-server.py will also notify you of every missing dependency.



[openerp@lovelock]$ cd openerp-server-6.0.0/bin
[openerp@lovelock]$ ./openerp-server.py
...
[2011-11-18 17:07:43,573][?] INFO:server:OpenERP version - 6.0.0
[2011-11-18 17:07:43,574][?] INFO:server:addons_path - /home/openerp/6/openerp-server-6.0.0/bin/addons
[2011-11-18 17:07:43,575][?] INFO:server:database hostname - localhost
[2011-11-18 17:07:43,576][?] INFO:server:database port - 5432
[2011-11-18 17:07:43,577][?] INFO:server:database user - openerp
[2011-11-18 17:07:43,578][?] INFO:server:initialising distributed objects services
[2011-11-18 17:07:43,940][?] INFO:web-services:starting HTTP service at 0.0.0.0 port 8069
[2011-11-18 17:07:43,944][?] INFO:web-services:starting HTTPS service at 0.0.0.0 port 8071
[2011-11-18 17:07:43,946][?] INFO:web-services:Registered XML-RPC over HTTP
[2011-11-18 17:07:43,948][?] INFO:web-services:starting NET-RPC service at 0.0.0.0 port 8070
[2011-11-18 17:07:43,950][?] INFO:server:Starting 3 services
[2011-11-18 17:07:43,952][?] INFO:server:OpenERP server is running, waiting for connections...



... press Ctrl+C to exit the test.

install the server


[fedora@lovelock]$ su - root
[root@lovelock]# yum install python-setuptools
[root@lovelock]# cd /home/openerp/6/openerp-server-6.0.0
[root@lovelock]# python setup.py install
...
copying doc/migrate/3.4.0-4.0.0/post-tiny.py -> /usr/share/doc/openerp-server-6.0.0/migrate/3.4.0-4.0.0
running install_egg_info
Copying openerp_server.egg-info to /usr/lib/python2.7/site-packages/openerp_server-6.0.0-py2.7.egg-info
running install_scripts
copying build/scripts-2.7/openerp-server -> /usr/bin
changing mode of /usr/bin/openerp-server to 755
[root@lovelock]#



Copy the configuration file for the server:


[root@lovelock]# cp doc/openerp-server.conf /etc/openerp-server.cfg
[root@lovelock]# chown openerp.openerp /etc/openerp-server.cfg



setup and test the client
Install client dependencies:


[fedora@lovelock]$ sudo yum install python-lxml.i686 python-mako python-dateutil python-psycopg2 pychart pydot pytz python-vobject python-reportlab PyYAML python-imaging pygtk2 glade2 python-matplotlib python-dateutil pytz pydot hippo-canvas-python mx-devel python-imaging


Download openerp-client tarball and untar it:


[fedora@lovelock]$ su - openerp
[openerp@lovelock]$ cd 6
[openerp@lovelock]$ wget http://www.openerp.com/download/stable/source/openerp-client-6.0.0.tar.gz
[openerp@lovelock]$ tar xvf openerp-client-6.0.0.tar.gz



Test openerp-client:


[openerp@lovelock]$ cd openerp-client-6.0.0/bin
[openerp@lovelock]$ python openerp-client.py



install the client


[fedora@lovelock]$ su - root
[root@lovelock]# cd /home/openerp/6/openerp-client-6.0.0
[root@lovelock]# python setup.py install



setup and test openerp-web
OpenERP-web dependencies:


yum install python-cherrypy python-formencode python-babel



Download OpenERP-web tarball and unpack it:


[fedora@lovelock]$ su - openerp
[openerp@lovelock]$ cd 6
[openerp@lovelock]$ wget http://www.openerp.com/download/stable/source/openerp-web-6.0.0.tar.gz
[openerp@lovelock]$ tar xvf openerp-web-6.0.0.tar.gz



Run OpenERP-web:


[openerp@lovelock]$ cd openerp-web-6.0.0
[openerp@lovelock]$ python openerp-web.py
[21/Nov/2011:05:12:44] ENGINE Bus STARTING
[21/Nov/2011:05:12:44] ENGINE Started monitor thread '_TimeoutMonitor'.
[21/Nov/2011:05:12:44] ENGINE Started monitor thread 'Autoreloader'.
[21/Nov/2011:05:12:44] ENGINE Serving on 0.0.0.0:8080
[21/Nov/2011:05:12:44] ENGINE Bus STARTED



install openerp-web


[openerp@lovelock]$ su - root
[root@lovelock]# cd /home/openerp/6/openerp-web-6.0.0
[root@lovelock]# python setup.py install
...
Using /usr/lib/python2.7/site-packages
Finished processing dependencies for openerp-web==6.0.0



Put the openerp-web configuration file in /etc:


[root@lovelock]# cp doc/openerp-web.cfg /etc
[root@lovelock]# chown openerp.openerp /etc/openerp-web.cfg



Uncomment log section:


[root@lovelock]# vim /etc/openerp-web.cfg
change:
...
#log.access_file = "/var/log/openerp-web/access.log"
#log.error_file = "/var/log/openerp-web/error.log"
...
to:
...
log.access_file = "/var/log/openerp-web/access.log"
log.error_file = "/var/log/openerp-web/error.log"
...



Create openerp log files dir:


[root@lovelock]# mkdir /var/log/openerp-web
[root@lovelock]# chown openerp.openerp /var/log/openerp-web



init scripts
I found these scripts online, optimized for CentOS Linux, so thanks to the author for saving me from rewriting both from scratch. I've made a few modifications, and now they work on Fedora.

Put these files in the /etc/init.d/ directory and give "x" permissions to both.

Download (right mouse click and "Save link as..."):


openerp-server
openerp-web




[root@lovelock]# cd /etc/init.d/
[root@lovelock]# wget http://www.simoneroselli.eu/files/2011/11/openerp-server.txt
[root@lovelock]# wget http://www.simoneroselli.eu/files/2011/11/openerp-web.txt



[root@lovelock]# mv openerp-server.txt openerp-server
[root@lovelock]# mv openerp-web.txt openerp-web



[root@lovelock]# chmod +x openerp-*



Make pid directory for the daemons:


[root@lovelock]# mkdir /var/run/openerp
[root@lovelock]# chown openerp.openerp /var/run/openerp



Start the daemons


[root@lovelock]# /etc/init.d/openerp-server start
[root@lovelock]# /etc/init.d/openerp-web start