Thursday, December 6, 2012

A picture worth 1000 MB

So many things about this picture make me happy, thanks to http://spot.fedorapeople.org/steam/ for the repo to make steam client installation painless.

Tuesday, November 6, 2012

Monitoring apache-status on aegir servers with nagios / check_mk

Apache server-status can produce interesting performance information that can be useful for server and application tuning. Getting access to this information and graphing it with nagios is not terribly hard, but add in check_mk and the Aegir platform and things get a little bit more complicated.

In the following steps I will demonstrate how to install the check_mk agent, install the check_apachestatus_auto.pl script and dependencies, add the proper stanza for server-status to aegir and finally add the check into mrpe (check_mk replacement for nrpe).

Assumptions: RedHat/CentOS/Scientific Linux, 64-bit, EPEL, Aegir, root access.

# Install check_mk agent:
*First install the check_mk agent rpm:
yum install http://mathias-kettner.de/download/check_mk-agent-1.2.0p3-1.noarch.rpm --nogpg
*We don't want just anyone to poll the data from check_mk, so modify /etc/xinetd.d/check_mk by adding the IP of your nagios server to the 'only_from' line:
only_from     = 127.0.0.1 nagios_server_ip
*The check_mk agent operates through xinetd on port 6556, verify that xinetd will start at boot, and make sure it is currently running:
chkconfig xinetd on ; service xinetd start
*Hopefully you are running a firewall. To poke a hole in an iptables-based firewall, add a rule similar to:
-A INPUT -s nagios_server_ip -p tcp -m tcp --dport 6556 -j ACCEPT 
to /etc/sysconfig/iptables, then restart iptables with the service command:
service iptables restart
# Install the check_apachestatus_auto.pl plugin
* Install the nagios-plugins-perl rpm from EPEL, this will provide the /usr/lib64/nagios/plugins/utils.pm file, as well as creating a directory structure:
yum install nagios-plugins-perl
* Download plugin from http://blog.spreendigital.de/nagios/?#check_apachestatus_auto to /usr/lib64/nagios/plugins, modify it to find utils.pm in /usr/lib64/nagios/plugins:
wget -O /tmp/check_apachestatus_auto.tgz http://blog.spreendigital.de/wp-content/uploads/2009/07/check_apachestatus_auto.tgz
tar zxvf /tmp/check_apachestatus_auto.tgz -C /usr/lib64/nagios/plugins/
sed -i 's/\/usr\/local\/nagios\/libexec/\/usr\/lib64\/nagios\/plugins/g' /usr/lib64/nagios/plugins/check_apachestatus_auto.pl
# Modify apache to display server-status
* Typically you could enable server-status by un-commenting the correct stanza in /etc/httpd/conf/httpd.conf, but with an aegir system any GET request for http://localhost/server-status will be fulfilled by aegir. If you do some digging you will find the /var/aegir/config/server_master/apache/pre.d directory, which is included before any virtual hosts; this is where you need to put a config file for server-status.
cat << EOF >> /var/aegir/config/server_master/apache/pre.d/nagios.conf
<VirtualHost *:80>
ServerName localhost
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
</VirtualHost>
EOF
* Reload apache to read your new config file:
service httpd reload
* Verify it's working using curl, this should dump the raw html from the server-status page to your screen:
curl localhost/server-status
# Setup mrpe to execute the plugin
* This is one of the easier steps, simply create /etc/check_mk/mrpe.cfg, and add a line with the check alias and location:
mkdir /etc/check_mk
echo "Apache_Status /usr/lib64/nagios/plugins/check_apachestatus_auto.pl -H localhost" >> /etc/check_mk/mrpe.cfg
# Now that we have installed the check_mk agent, the check_apachestatus_auto.pl script and the mrpe.cfg file you can re-inventory the node from your check_mk server, note the mrpe line in the following output:
cpu.loads         1 new checks
cpu.threads       1 new checks
df                7 new checks
diskstat          1 new checks
kernel            3 new checks
kernel.util       1 new checks
lnx_if            1 new checks
mem.used          1 new checks
mounts            7 new checks
mrpe              1 new checks
ntp.time          1 new checks
postfix_mailq     1 new checks
tcp_conn_stats    1 new checks
uptime            1 new checks
# Once you have reloaded nagios, check_mk will watch the server-status page and produce nice graphs like this:
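
The script below is an added example, not part of the original post. It audits the three access decisions made in the steps above: the xinetd 'only_from' list, the loopback-only /server-status block, and the commands listed in mrpe.cfg. The function names are made up for illustration, and it assumes the agent runs mrpe commands as root under xinetd.

```shell
#!/bin/sh
# Added example (not from the original post): audit the files this
# procedure creates. Function names are illustrative.

# Pass when an active only_from line exists and lists no match-all address.
# A missing or commented-out only_from leaves the agent open to any client.
only_from_ok() {
    val=$(sed -n 's/^[[:space:]]*only_from[[:space:]]*[+]\{0,1\}=//p' "$1")
    [ -n "$val" ] || return 1
    for addr in $val; do
        case $addr in
            0.0.0.0|0.0.0.0/0|::/0) return 1 ;;
        esac
    done
}

# Pass when the /server-status block has "Deny from all" and every
# "Allow from" address is loopback.
status_local_only() {
    awk '
        tolower($0) ~ /<location[ \t]+"?\/server-status"?>/ { inblk = 1; next }
        tolower($0) ~ /<\/location>/ { inblk = 0 }
        inblk && tolower($1 " " $2 " " $3) == "deny from all" { deny = 1 }
        inblk && tolower($1 " " $2) == "allow from" {
            for (i = 3; i <= NF; i++)
                if ($i != "127.0.0.1" && $i != "::1" && $i != "localhost") bad = 1
        }
        END { exit !(deny && !bad) }
    ' "$1"
}

# Pass when every command named in mrpe.cfg exists and is not writable by
# group or other. Assumption: the agent runs these commands as root.
mrpe_cmds_safe() {
    [ -r "$1" ] || return 1
    awk '$1 !~ /^#/ && NF >= 2 { print $2 }' "$1" | while read -r cmd; do
        [ -f "$cmd" ] || exit 1
        [ -z "$(find "$cmd" -perm -020 -o -perm -002)" ] || exit 1
    done
}

# Report against the paths used in this post.
for check in "only_from_ok /etc/xinetd.d/check_mk" \
    "status_local_only /var/aegir/config/server_master/apache/pre.d/nagios.conf" \
    "mrpe_cmds_safe /etc/check_mk/mrpe.cfg"; do
    if $check 2>/dev/null; then echo "PASS $check"; else echo "FAIL $check"; fi
done
```

Each function takes the file path as its argument, so the checks can also be run against a copy of the config before it is deployed.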

Friday, April 13, 2012

Installing Dwarf Fortress and Dwarf Therapist on 64-bit fedora 16/17

Because losing is fun.

Dwarf Fortress:
 sudo yum install -y SDL{,_image}.i686 gtk2.i686 mesa-libGLU.i686 SDL_ttf.i686
Grab the latest linux pack for Phoebus with DF pre-installed from http://dffd.wimbli.com/file.php?id=2944, untar and you should be good to go.


Dwarf Therapist:
sudo yum install -y mercurial qt-devel gcc-c++
Checkout a copy of the Dwarf Therapist code:
 cd ~/Downloads ; hg clone https://code.google.com/p/dwarftherapist/
Build with qmake/c++
 cd ~/Downloads/dwarftherapist/ ; qmake-qt4 && make && sudo make install
Therapist should now be in your path, and runnable from any directory with the 'dwarftherapist' command.
The only way I have been able to get this to run lately is from the directory it was built in, and not using the wrapper script (which is 'dwarftherapist' in all lower case):
 cd ~/Downloads/dwarftherapist ; DwarfTherapist

Monday, November 8, 2010

AIX BoF

Home Directories
I have not been able to have home directories automagically created when logging in with LDAP. I have added many of the user home dirs to the default AIX build, but you may run into some that don't exist; you can easily make your home directory using sudo.
If you are adding LDAP to an AIX box with local accounts already established, it is best practice to remove the local account for LDAP users. Before you run this command you must MAKE SURE THAT SECLDAPCLNTD IS NOT RUNNING; if it is still running you will remove all of the admin accounts from LDAP!
stop-secldapclntd && for i in ; do rmuser -p $i ; done

Here are two one liners to create all the current Unix, App, and DB admins home folders:




start-secldapclntd
for i in ; do
 mkdir /home/$i;
 chown -R $i. /home/$i;
done

for i in ; do
 mkdir /home/$i;
 chown -R $i.IRM /home/$i;
done



AIX 5.3 and 6.1

# Installing and configuring LDAP client service on AIX 5.3/6.1
Installation
All packages are available on the /media/software nfs share, instructions reference that location for installation.

# Install Java
If java is not currently installed you can install Java5 64 bit, this version is for AIX 5.3 AND 6.1:


 installp -acgXYd /media/software/AIX/java/ Java5_64.sdk

Once java is installed you may need to add it to your path, the following command will do this temporarily:

 export PATH=/usr/java5_64/bin:$PATH


# Install gskit
Source: https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=gskitupdt&S_PKG


 installp -acgXd /media/software/AIX/GSKIT/ gsksa.rte gskta.rte


# Install ITDS packages
Remove any previous versions of ldap that are installed. If the following command returns filesets, they need to be removed through smit:


  lslpp -aL *ldap* # will list installed ldap packages


Source http://www-01.ibm.com/support/docview.wss?rs=767&context=SSPREK&uid=swg27009778#ver62
6.2 packages


 installp -acgXd /media/software/AIX/ITDS/6.2.0.2-TIV-ITDS-AIX-IF0002/images/ idsldap.clt32bit62 \
 idsldap.clt64bit62 idsldap.cltbase62 idsldap.msg62.en_US idsldap.clt_max_crypto32bit62 \
 idsldap.clt_max_crypto64bit62

Once those filesets are installed run 'lslpp -aL idsldap.*' to verify, output should be similar to this:

 lslpp -aL idsldap.*
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  idsldap.clt32bit62.rte     6.2.0.n    C     F    Directory Server - 32 bit
                                                   Client
  idsldap.clt64bit62.rte     6.2.0.n    C     F    Directory Server - 64 bit
                                                   Client
  idsldap.clt_max_crypto32bit62.rte
                             6.2.0.n    C     F    Directory Server - 32 bit
                                                   Client (SSL)
  idsldap.clt_max_crypto64bit62.rte
                             6.2.0.n    C     F    Directory Server - 64 bit
                                                   Client (SSL)
  idsldap.cltbase62.adt      6.2.0.n    C     F    Directory Server - Base Client
  idsldap.cltbase62.rte      6.2.0.n    C     F    Directory Server - Base Client
  idsldap.msg62.en_US        6.2.0.n    C     F    Directory Server - Messages -
                                                   U.S. English (en)




# Configuration
methods.cfg
Paste the following into a root cli: (this assumes that you use TSM for backups and that the client is configured)


 if [ $(grep -c LDAP /usr/lib/security/methods.cfg) -eq "0" ];
  then
   echo "Backing up current methods.cfg, please wait"
   dsmc i /usr/lib/security/methods.cfg
   cat <<EOF >>/usr/lib/security/methods.cfg

LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64
EOF
 else
   echo "Found LDAP stanza in /usr/lib/security/methods.cfg, assuming that it is correct."
 fi


CA Certs
Get certs from the repos


 cd /etc/security/ldap/ && wget .crt && wget .crt


Create and list key database for ssl, if you run into java errors check that your version of java is at least 1.4.2

 gsk7cmd -keydb -create -db /etc/security/ldap/key.kdb -pw -type cms
 gsk7cmd -cert -list CA -db /etc/security/ldap/key.kdb -pw

Add CA cert from to key database

gsk7cmd -cert -add -db /etc/security/ldap/key.kdb -file /etc/security/ldap/.crt -format ascii -label " CA cert" -pw -trust enable


# mksecldap command / ldap.cfg file
Run the mksecldap command to tie the system into LDAP, this may take a minute or more.
The mksecldap command cannot be used to set up anonymous bind configurations; instead of using that command, create /etc/security/ldap/ldap.cfg using the following command:

cat <<EOF >/etc/security/ldap/ldap.cfg
ldapservers:,
authtype:ldap_auth
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:
groupbasedn:
useSSL:yes
ldapsslkeyf:/etc/security/ldap/key.kdb
ldapsslkeypwd:
EOF


# IDS links
IDS needs certain libraries and binaries linked from /opt/IBM/ldap//... to /usr/lib, etc.
First step is to remove any current links

 /opt/IBM/ldap/V6.2/bin/idsrmlink -i -l 64 -s fullsrv
 /opt/IBM/ldap/V6.2/bin/idsrmlink -i -l 32 -s fullsrv

Second step is to create new links to the 32 bit binaries

 /opt/IBM/ldap/V6.2/bin/idslink -i -l 32 -s base


# Start secldap at reboot
Remove existing inittab entries

rmitab ldapclntd

Create new inittab entry

 mkitab 'ldapclntd:23456789:wait:/usr/sbin/start-secldapclntd > /dev/console 2>&1'


# /etc/security/user
Add ldap compatibility to /etc/security/user; without this, ldap login will not work


 chsec -f /etc/security/user -s default -a "SYSTEM=LDAP or compat"


# sudo
Add your sudo config, I haven't had success with the AIX Linux Toolbox sudo rpm, try the sudo-noldap package (also on AIX Linux Toolbox)

# Start secldap client
Run the following command to start the ldap client

start-secldapclntd
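
The script below is an added example, not part of the original post. It checks the hand-written /etc/security/ldap/ldap.cfg from the mksecldap step for SSL being enabled, a readable key database, fields left unfilled, and file permissions (the file holds ldapsslkeypwd). The function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check a hand-written ldap.cfg.
# Function names are illustrative.

# cfg_get FILE KEY: print the value of the last uncommented "KEY:value" line.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | tail -n 1
}

# ldap_cfg_check FILE: print each problem found, return non-zero if any.
ldap_cfg_check() {
    rc=0
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }
    # The page sets useSSL:yes; anything else means LDAP traffic is not encrypted.
    [ "$(cfg_get "$1" useSSL)" = "yes" ] || { echo "useSSL is not yes"; rc=1; }
    # With SSL on, the client needs the key database that holds the CA cert.
    kdb=$(cfg_get "$1" ldapsslkeyf)
    [ -n "$kdb" ] && [ -r "$kdb" ] || { echo "key database unreadable: $kdb"; rc=1; }
    # An empty server list or base DN means the template was pasted unfilled.
    for key in ldapservers userbasedn groupbasedn; do
        [ -n "$(cfg_get "$1" "$key" | tr -d ', ')" ] || { echo "$key is empty"; rc=1; }
    done
    # The file carries ldapsslkeypwd; "cat >" creates it with the umask mode.
    if [ -n "$(find "$1" -perm -040 -o -perm -004)" ]; then
        echo "$1 is readable by group or other"; rc=1
    fi
    return $rc
}

ldap_cfg_check "${1:-/etc/security/ldap/ldap.cfg}" || echo "ldap.cfg needs attention"
```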








# Syslog

AIX pulls its logging configuration from /etc/syslog.conf. The standard AIX build as of May 2009 writes most messages to /var/adm/SYSLOG and does not include rotation. I like the logging to be more Linux-like, so I append this to the end of the /etc/syslog.conf file; consider commenting out the existing logging if you don't want to write to /var/adm/SYSLOG:

 # Linux-ify the AIX logging setup and enable automagic rotation
 # Everything but mail and auth to messages
 *.info;mail.none;auth.none      /var/log/messages       rotate size 10m files 10 compress
 # Auth to secure
 auth.debug                      /var/log/secure         rotate size 10m files 10 compress
 # Mail to maillog
 mail.debug                      /var/log/maillog        rotate size 10m files 10 compress
 # Emergency messages to all users
 *.emerg         *ss
 *.info;mail.none                @

This will send:
All messages except mail and authentication to /var/log/messages.
All authentication messages to /var/log/secure.
All mail messages to /var/log/maillog.
All emergency messages to all users.
All messages except mail to

If you don't like seeing the "Message forwarded from hostname:" message all over splunk you need to run the following command line as root:
 chssys -s syslogd -a "-n"
All the files need to exist prior to syslog writing to them, it will not create them on its own:
 sudo touch /var/log/messages /var/log/secure /var/log/maillog
You must then restart syslog
 stopsrc -s syslogd && startsrc -s syslogd

Wednesday, May 26, 2010

Enabling console access on fully virt guests (virsh/virt-manager)

Using virsh or virt-manager you can gain access to the console by editing grub.conf, this allows you to watch the machine boot from a terminal.

Add the following to the kernel line in /etc/grub.conf and reboot:
console=tty0 console=ttyS0

Friday, May 21, 2010

Converting kvm guests from lvm to qcow2, base images and snapshots

lvm based kvm guests are fast but you lose some flexibility, playing with fedora/kvm on my laptop I prefer to use file based images. Converting from lvm images to qcow2 isn't hard but the documentation is sparse.

1. use qemu-img to convert from an lvm to qcow2 format:
qemu-img convert -O qcow2 /dev/vg_name/lv_name /var/lib/libvirt/images/image_name.qcow2
If you want the image compressed add '-c' right after the word convert.

2. edit the xml for the image
virsh edit image_name
modify the disk stanza, adding a type to the driver line; on the source line change 'dev' to 'file' and modify the path:
driver name='qemu' type='qcow2'
source file='/var/lib/libvirt/images/image_name.qcow2'

Creating images from a base image allows quick rollouts of many boxes based on a single install. For example, I have a 'golden image' of centos; I can stop that VM and create 2 servers using the original VM disk as a base file and writing changes to different files.
qemu-img create -b original_image.qcow2 -f qcow2 clone_image01.qcow2
qemu-img create -b original_image.qcow2 -f qcow2 clone_image02.qcow2

Taking this further I can then snapshot both images so once I start making changes, rolling back to a point in time prior to the changes is very easy:
qemu-img snapshot -c snapshot_name vm_image_name.qcow2

references:
http://www.linux-kvm.com/content/how-you-can-use-qemukvm-base-images-be-more-productive-part-1

Thursday, November 12, 2009

DHCP hostnames

On my home LAN Windows and Ubuntu boxes push their hostnames into local DNS which makes them easily resolvable - my router lists the names associated with MACs in its web interface, this is one of those small things that is really convenient. For some reason my fedora boxes have not been doing this lately and I finally got annoyed enough to look it up, turns out the fix is very simple.

First off, figure out which interface you are using; if you are using more than one, I will assume you know which one you want the hostname pushed from. You can run 'ifconfig' or 'ip addr show' and note the interface name. In most cases this will be eth0 for copper and something like wlan0 for a wireless connection. Once you have the interface name, substitute it into the following command:
echo "DHCP_HOSTNAME=$HOSTNAME" >> /etc/sysconfig/network-scripts/ifcfg-

Then restart networking:
sudo service network restart

In the above example I am using '$HOSTNAME' which is the system hostname variable but you could set this to a static name if you desired.