BigSmoke

Smokes your problems, coughs fresh air.


Configuring nagios checks over SSH

I had to do a lot of fiddling before I got nagios over ssh working. I used this article as source, mostly, even though I did it differently.

First add some commands to commands.cfg:

define command{
        command_name    check_remote_disk
        command_line    /usr/lib/nagios/plugins/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -i /etc/nagios3/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_disk -w $ARG2$ -c $ARG3$ -p $ARG4$'
}
 
define command{
        command_name    check_remote_load
        command_line    /usr/lib/nagios/plugins/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -i /etc/nagios3/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_load -w $ARG2$ -c $ARG3$'
}
 
define command{
        command_name    check_remote_swap
        command_line    /usr/lib/nagios/plugins/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -i /etc/nagios3/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_swap -w $ARG2$ -c $ARG3$'
}

The file referenced by -i is an SSH secret key. You can create this key by running ssh-keygen and giving the right path. You can’t store anything in the nagios home dir, because that is in /var/run, which is cleared after a reboot. So, you can’t use the default key file.

The -t 30 is necessary because sometimes there is network lag, which causes the check to be reported as a failure. The default of 10 seconds is not enough…

Next you need to create a user nagios on the target machine and add the key's .pub file to that user's authorized_keys. Create the user like this:

useradd --system --shell /bin/bash nagios

Then install the nagios plugins on the target host:

aptitude -P install nagios-plugins-basic

The nagios host needs to be able to log in with user nagios. On Debian, the user that runs nagios (also called ‘nagios’) doesn’t have a shell by default. So, give it a shell.

Then you can, for example, create a hostgroup:

define hostgroup {
        hostgroup_name  nagios-enabled
        alias           Nagios enabled
        members         host1, host2
}

Then create services:

define service {
        hostgroup_name                  nagios-enabled
        service_description             Root partition space
        check_command                   check_remote_disk!22!20%!10%!/
        use                             generic-service
        notification_interval           0
}
 
define service {
        hostgroup_name                  nagios-enabled
        service_description             Swap space
        check_command                   check_remote_swap!22!50%!30%
        use                             generic-service
        notification_interval           0
}
 
define service {
        hostgroup_name                  nagios-enabled
        service_description             Load
        check_command                   check_remote_load!22!5.0,4.0,3.0!10.0,6.0,4.0
        use                             generic-service
        notification_interval           0
}

This will check load, swap and root space on all your standard nagios enabled hosts. Next you can define custom services:

define service {
        host_name                       piet
        service_description             Some partition
        check_command                   check_remote_disk!22!40%!30%!/mnt/dinklefat
        use                             generic-service
        notification_interval           0
}
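As an added example (not code from the post or from Nagios itself), this Python snippet parses the command and service definitions above and expands a service's check_command the way Nagios does, so you can see the exact check_by_ssh line, and the remote plugin command inside -C, before you deploy it; the host address 192.0.2.10 is a constructed value. It also refuses to expand a service that passes fewer ! fields than the command has $ARGn$ macros, which would otherwise run a plugin command with missing arguments; the -o StrictHostKeyChecking=no it surfaces is the one option in these commands worth reviewing, since it turns off host key verification.

```python
import re
import shlex

# Constructed sample: the check_remote_disk command and the custom service from the post.
NAGIOS_CFG = """
define command{
        command_name    check_remote_disk
        command_line    /usr/lib/nagios/plugins/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -i /etc/nagios3/id_rsa -H $HOSTADDRESS$ -C '/usr/lib/nagios/plugins/check_disk -w $ARG2$ -c $ARG3$ -p $ARG4$'
}
define service {
        host_name                       piet
        service_description             Some partition
        check_command                   check_remote_disk!22!40%!30%!/mnt/dinklefat
}
"""
BLOCK_RE = re.compile(r"define\s+(\w+)\s*\{(.*?)\}", re.S)

def parse_objects(text):
    """Return [(object_type, {directive: value}), ...] for every define block."""
    objects = []
    for kind, body in BLOCK_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if parts and not parts[0].startswith("#"):
                attrs[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        objects.append((kind, attrs))
    return objects

def expand_check_command(objects, service, hostaddress):
    """Expand check_command the way Nagios does: the first '!'-separated field
    names the command object, the remaining fields fill $ARG1$..$ARGn$."""
    commands = {a["command_name"]: a["command_line"]
                for kind, a in objects if kind == "command"}
    name, *args = service["check_command"].split("!")
    line = commands[name].replace("$HOSTADDRESS$", hostaddress)
    for i, arg in enumerate(args, start=1):
        line = line.replace(f"$ARG{i}$", arg)
    left = re.findall(r"\$ARG\d+\$", line)
    if left:  # too few '!' fields would otherwise run a half-filled plugin command
        raise ValueError(f"unexpanded macros in {name}: {left}")
    return line

def ssh_options(command_line):
    """Split the expanded check_by_ssh line into option/value pairs so the
    remote command handed to -C can be reviewed before it is deployed."""
    argv = shlex.split(command_line)
    return dict(zip(argv[1::2], argv[2::2]))
```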

Apache rewrite rule to rewrite to sub dir

On one particular site, I wanted to rewrite all requests to a sub dir. It took me over an hour, because of some obscure problem I haven’t been able to identify.

# The main site located in the /site dir. The .* after the ^ is weird, but without it, it wouldn't work.
RewriteCond %{REQUEST_URI} !^.*/site/.*
RewriteRule ^(.*)$ site$1 [L,R=permanent]

My guess is it has to do with:

AddHandler php-cgi-script .php
Action php-cgi-script /php5/php5-cgi

Working with a postfix mail queue

Some useful commands when working with a postfix mailqueue:

  • “postsuper -r ALL”. Requeues all messages.
  • “postcat [file]”. Views queue files in /var/spool/bla.
  • “postqueue”. Deals with the queue.

This one is to remove all messages with a certain recipient:

mailq | tail -n +2 | grep -v '^ *(' | awk  'BEGIN { RS = "" }  { if ($8 == "person@example.com" && $9 == "") print $1 } ' | tr -d '*!' | postsuper -d -

I believe there were more, but I can’t remember them. Wish I had blogged earlier…
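The awk pipeline above is compact but easy to get subtly wrong (the $8 and $9 field positions depend on the layout of the Arrival Time column). As an added example, not from the original post, here is the same selection in Python over a constructed sample of mailq output; it returns the bare queue IDs you would pipe to postsuper -d -, and deliberately skips messages that have other recipients besides the one you are targeting.

```python
# Constructed sample of `mailq` (postqueue -p) output: an active message (*) and
# a held message (!) each with one recipient, plus a deferred one with two.
MAILQ_OUTPUT = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     1234 Mon Jan  1 10:00:00  sender@example.com
                                         person@example.com

F6G7H8I9J0!     2345 Mon Jan  1 10:05:00  other@example.com
                                         person@example.com

0123456789      3456 Mon Jan  1 10:07:00  third@example.com
(connect to mx.example.org[192.0.2.1]:25: Connection timed out)
                                         person@example.com
                                         second@example.com

-- 7 Kbytes in 3 Requests.
"""

def parse_mailq(text):
    """Split mailq output into one dict per queued message. Records are the
    blank-line-separated paragraphs the awk 'RS = ""' works on; the header and
    footer lines (tail -n +2) and the '(...)' reason lines (grep -v) are dropped."""
    entries = []
    for block in text.split("\n\n"):
        lines = [l for l in block.splitlines()
                 if l.strip() and not l.lstrip().startswith(("-", "("))]
        if not lines:
            continue
        head = lines[0].split()
        entries.append({
            "id": head[0].rstrip("*!"),  # postsuper wants the bare ID, hence tr -d '*!'
            "active": head[0].endswith("*"),
            "held": head[0].endswith("!"),
            "sender": head[-1],
            "recipients": [l.strip() for l in lines[1:]],
        })
    return entries

def ids_for_sole_recipient(entries, recipient):
    """Queue IDs to feed to 'postsuper -d -': messages whose only recipient is
    `recipient`, the $8 == addr && $9 == "" test of the awk pipeline. Messages
    with more recipients are left alone, since deleting them drops everyone's copy."""
    return [e["id"] for e in entries if e["recipients"] == [recipient]]
```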

Rewrite rules to redirect to a temporary offline page

Sometimes you want to take a site offline for a while. You can put this in .htaccess or the vhost config:

ErrorDocument 503 "We are performing maintenance on the site. Check back in a few minutes."
RewriteCond %{REMOTE_ADDR} !=1.2.3.4
RewriteEngine On
RewriteRule .* - [R=503,L]

When using .htaccess, be sure to have AllowOverride All.

Or when using HTML files and images:

<VirtualHost *>
  ServerAdmin webmaster@ytec.nl
  ServerName www.example.nl
 
  DocumentRoot /var/www/down/
 
  ErrorDocument 503 /maintenance.html
 
  RewriteCond %{REQUEST_URI} =/maintenance.html [OR]
  RewriteCond %{REQUEST_URI} =/logo.jpg
  RewriteRule (.*) $1 [L]
 
  RewriteEngine On
  RewriteRule .* - [R=503,L]
</VirtualHost>

Enabling authentication and SSL for Postfix on Debian

I used this document as main source. This blogpost is also useful.

First install libsasl2 and configure it. Enable it in /etc/default/sasl.

Then make the sasl config file in /etc/postfix/sasl which says:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Then configure the SSL parameters in postfix (the following is deprecated; see the aforementioned official postfix docs for the current way):

# According to official docs, this should be in one pem file.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
# This should be smtpd_tls_security_level = may, because smtpd_use_tls is deprecated.
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
# I don't know if this one is also needed.
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
# When TLS encryption is optional in the Postfix SMTP server, do not announce or accept SASL authentication over unencrypted connections. 
smtpd_tls_auth_only=yes

Then enable the three smtps lines in master.cf:

smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Then you need to do some hacking to get the jailed postfix to access /var/run/saslauthd:

rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd
# Add user postfix to group sasl
adduser postfix sasl

Then you should be good to go. Start all daemons.


© 2024 BigSmoke
