Category Archives: Nagios

Nagios with Hiawatha and PHP-FPM 5.6

Hola ardillas!

This week we’ll look at systems administration gone off the beaten path. We’re all Hiawatha fanatics here at Squirrel5, so when the time came to setup Nagios we were faced with a scary prospect:

“Nagios on CentOS has Apache (httpd) and php as a dependency.”

It’s sad but true – here’s how to confirm what the Nagios dependencies are on CentOS:

yum -y install epel-release
repoquery --requires nagios | egrep -i "httpd|php"
httpd
php

So yes, our life would be much easier if we went with Apache since Apache is mostly preconfigured for it via the CentOS packages, but where’s the fun in that? We want Nagios to work with Hiawatha!

Here’s how we did it:

  1. Make sure the EPEL repo is installed:
yum -y install epel-release

2. Install Nagios and plugins:

yum -y install nagios nagios-plugins nagios-plugins-all

3. Install the REMI repository so we can get PHP-FPM 5.6:

yum -y install http://rpms.remirepo.net/enterprise/remi-release-6.rpm

4. Install the Squirrel5 RPM repository to get Hiawatha:

yum -y install http://rpm.squirrel5.com/squirrel5-repo-1.0-1.x86_64.rpm

5. Install Hiawatha 10:

yum -y install hiawatha

6. Add a Hiawatha user:

useradd hiawatha -s /sbin/nologin

Very important note: Nagios does not like changing the user it runs under, this is by default ‘nagios’ but we are going to change it anyway 🙂

7. Fix permissions so that Nagios runs under the ‘hiawatha‘ user:

mkdir -pv /var/run/nagios
sed -i -- 's/NagiosUser=nagios/NagiosUser=hiawatha/g' /etc/init.d/nagios
sed -i -- 's/NagiosGroup=nagios/NagiosGroup=hiawatha/g' /etc/init.d/nagios
sed -i -- 's#NagiosRunFile=/var/run/nagios.pid#NagiosRunFile=/var/run/nagios/nagios.pid#g' /etc/init.d/nagios
sed -i -- 's/nagios_user=nagios/nagios_user=hiawatha/g' /etc/nagios/nagios.cfg
sed -i -- 's/nagios_group=nagios/nagios_group=hiawatha/g' /etc/nagios/nagios.cfg
sed -i -- 's#lock_file=/var/run/nagios.pid#lock_file=/var/run/nagios/nagios.pid#g' /etc/nagios/nagios.cfg
chown -R hiawatha:hiawatha /usr/lib64/nagios 
chown -R hiawatha:hiawatha /var/lib/php
chown -R hiawatha:hiawatha /var/log/nagios  
chown -R hiawatha:hiawatha /var/spool/nagios
chown -R hiawatha:hiawatha /var/run/nagios
chown -R hiawatha:hiawatha /etc/nagios
chown -R hiawatha:hiawatha /usr/share/nagios

8. Create a directory for the Hiawatha VirtualHost configurations:

mkdir /etc/hiawatha/conf.d

9. Tell Hiawatha to run under the ‘hiawatha‘ user, recognize the ‘.cgi‘ extension and include files under the /etc/hiawatha/conf.d directory:

echo "ServerId = hiawatha:hiawatha" >> /etc/hiawatha/hiawatha.conf
echo "CGIextension = cgi" >> /etc/hiawatha/hiawatha.conf
echo "Include /etc/hiawatha/conf.d" >>  /etc/hiawatha/hiawatha.conf

10. Now let’s add a VirtualHost for Nagios – we’ll call the file /etc/hiawatha/conf.d/nagios.conf

VirtualHost {
Hostname = $your_ip
WebsiteRoot = /usr/share/nagios/html
StartFile = index.php

AccessLogfile = /var/log/hiawatha/nagios-access.log
ErrorLogfile = /var/log/hiawatha/nagios-error.log
ExecuteCGI = yes
TimeForCGI = 5
UseFastCGI = PHP5
PasswordFile = basic:/etc/hiawatha/users
Alias = /nagios:/usr/share/nagios/html
Alias = /nagios/cgi-bin:/usr/lib64/nagios/cgi-bin

RequireTLS = yes
}

11. Now let’s install PHP-FPM 5.6 from the Remi repo along with a bunch of PHP extensions:

yum -y install php56 php56-php-gd php56-php-pecl-dom-varimport php56-php-pecl-jsonc php56-php-xml php56-php-pecl-zip php56-php-pecl-crypto php56-php-mcrypt php56-php-intl php56-php-mysqlnd php56-php-fpm

12. Add a PHP-FPM configuration – this needs to go under /opt/remi/php56/root/etc/php-fpm.d/nagios.conf:


; Start a new pool named 'nagios'.
[nagios]
listen = /var/lib/hiawatha/php-fcgi-nagios.sock
user = hiawatha
group = hiawatha

pm = static
pm.max_children = 2
pm.start_servers = 2
pm.min_spare_servers = 3
pm.max_spare_servers = 5
slowlog = /var/log/php-fpm/nagios-slow.log
php_admin_value[error_log] = /var/log/php-fpm/nagios-error.log
php_admin_flag[log_errors] = on

; Set session path to a directory owned by process user
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php

13. Move the example PHP-FPM configuration out of the way:

mv /opt/remi/php56/root/etc/php-fpm.d/www.conf /opt/remi/php56/root/etc/php-fpm.d/www.conf-backup

14. Cool – now tell Hiawatha, how to talk to PHP-FPM – add the file /etc/hiawatha/conf.d/php.conf:


FastCGIserver {
FastCGIid = PHP5
ConnectTo = /var/lib/hiawatha/php-fcgi-nagios.sock
Extension = php
}

15. Add an SSL configuration for Hiawatha /etc/hiawatha/conf.d/ssl.conf:


Binding {
Port = 443
TLScertFile = /etc/ssl/serverkey.pem
}

16. Create an SSL self signed certificate:

cd /etc/ssl/
openssl req -subj '/CN=$replace_with_your_ip$/C=US' -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout serverkey.pem -out server.crt
cat server.crt >> serverkey.pem
rm -f server.crt
chmod 400 serverkey.pem

17. Let’s start verifying configurations to make sure everything’s good to go – start with Hiawatha – type:

service hiawatha check

Sample output:

service hiawatha check
Configuration check via Wigwam...
Using /etc/hiawatha
Reading hiawatha.conf
Reading /etc/hiawatha/conf.d/nagios.conf
Reading /etc/hiawatha/conf.d/php.conf
Reading /etc/hiawatha/conf.d/ssl.conf
No non-fatal errors found in the Hiawatha configuration.

Configuration check via Hiawatha...
Using /etc/hiawatha
Reading hiawatha.conf
Reading /etc/hiawatha/conf.d/nagios.conf
Reading /etc/hiawatha/conf.d/php.conf
Reading /etc/hiawatha/conf.d/ssl.conf
Reading mimetype.conf
Configuration OK.

18. Let’s check PHP-FPM next, type:

service php56-php-fpm configtest

Sample output:

service php56-php-fpm configtest
[30-Aug-2016 04:29:30] NOTICE: configuration file /opt/remi/php56/root/etc/php-fpm.conf test is successful

19. Now let’s test Nagios – type:

service nagios checkconfig

Sample output:

service nagios checkconfig
Running configuration check... OK.

20. Let’s add an authorized user for Hiawatha – this is going to be the username and password you’ll need to use to access the web-based interface:

htpasswd -cb /etc/hiawatha/users nagiosadmin obey_the_acorn

Where ‘nagiosadmin‘ is the username and ‘obey_the_acorn‘ is the password.

You should get output like this:

Adding password for user squirrel_supreme

NOTE: If you change the username from ‘nagiosadmin‘ to anything else, make sure to also make this change in the /etc/nagios/cgi.cfg and to restart nagios after making the change.

21. Now start the services:

Nagios:

service nagios start

Sample output:

service nagios start
Starting nagios: done.

Hiawatha:

service hiawatha start

Sample output:

service hiawatha start
Starting webserver: Hiawatha

PHP-FPM:

service php56-php-fpm start

service php56-php-fpm start
Starting php-fpm: [ OK ]

Now you should be able to access the Nagios web-based interface at the IP of your host – for example: https://69.87.218.196/. You’ll get a warning for using a self-signed certificate (this is of course normal) and then you’ll be prompted for your username and password.

This is what you should be looking at now:

Nagios home screen
Nagios home screen

 

Sources:

Sending notifications to Jabber through Ruby – a simple example

Hello Squirrels,

We were recently investigating possible solutions to notify our team members when an alert from our monitoring system comes in.

Most of our team was already using Skype so that seemed like the most natural solution. Unfortunately it turns out, that the most “robust” way of sending messages programmatically to Skype in 2016 is via Sevabot but it requires quite an indirect approach to send those messages. We ended up not even testing this solution as having a dependency to software that requires a graphical environment running seems like overkill for us.

We then looked into using Jabber. A disadvantage with Jabber is of course that we’d need to setup our own Jabber server and maintain it, but this turned out to be trivial in comparison to making Skype work for us (We’ll discuss the Jabber setup in a future post).

The next problem was actually sending the messages. We sure found a lot of ready scripts out there claiming of being able to do the job, but once we tested them they simply would not work.

This prompted us to write our own script to get this done using Ruby. The script uses the xmpp4r gem to interface with Jabber.

Here’s what the script looks like:

#!/bin/env ruby
# Install the gem with:
# gem install xmpp4r --no-ri --no-rdoc

require 'timeout'
require 'xmpp4r'
include Jabber

Timeout::timeout(3) {
 username="username@your-server.com"
 password = "the_supa_password"
 message = (STDIN.read).strip
 destination = ARGV[0]
 Jabber::debug = true

 client = Client.new(JID::new(username))
 client.connect
 client.auth(password)

 msg = Message::new(destination, message)
 msg.type=:chat
 client.send(msg)
}

The above will send a notification from “username@your-server.com” to whoever you specify on the terminal. Example:

echo "hey did you see those squirrels across the street?!?" | /usr/local/bin/jabber_send.rb somebody@some-server.com

The above example will send the message “hey did you see those squirrels across the street?!?” to the user somebody@some-server.com.

Voila!

Sources: