Tag Archives: centos 5

WTF Nagios Installed?

Nagios is one of those Open Source projects that I’ve had a love-hate relationship with over the years. On one hand, it’s a powerful, popular tool. On the other it’s one where you are supposed to “just” grab the source, compile it, and install.

The complication is the quotation marks around the word “just”. Despite the fact that I’m a reasonably accomplished software engineer, my experience over the years with “just” doing that has been less than stellar… to the point where unless it’s for hobby purposes, I tend to avoid those projects. They bring to mind the Shrek line “The Princess will be up the stairs in the highest room in the tallest tower.” At those points in time, I’m usually not in a position to slay the dragon and climb those stairs by troubleshooting other people’s code.

I ran into a situation where Nagios really would be very beneficial, so I decided to give it another chance. It is a popular active project and as such, is always improving. After perusing the web sites, reading the requirements, and finding a Fedora Quickstart page, I reached for my default tool of CentOS inside a virtual machine.

Quite frankly I was pleasantly surprised that there were zero problems following the instructions. Everything compiled, installed, and ran without complaint save one minor point. I say to the Nagios team, “Thank you.”

The minor point was SELinux. The instructions say to disable it, but give a couple of commands if you wish to keep it active. Those commands didn’t work as-is so I just disabled it for the time being. (Yes, yes, I know, I know… but that’s a discussion for another time.)

How to Install Octave on CentOS 5 Using Yum

I don’t use Octave often, but when it’s needed, nothing else will do.

Octave doesn’t appear to be part of RHEL anymore, so it’s not included in CentOS 5. It is available, however, from the EPEL (Extra Packages for Enterprise Linux) project. To pull Octave from EPEL using yum, you first need to add the EPEL repository to the list of available yum repositories. Then it’s yum install as usual.

To Add EPEL to Yum

The following command installs the needed files so that yum will look in EPEL. (Look at the EPEL documentation for the latest information; the package name and URL were current at the time of writing.) Note that the release RPM is fetched over plain HTTP here. What makes this acceptable is that epel-release drops the EPEL signing key into /etc/pki/rpm-gpg and ships its repo file with gpgcheck=1, so everything subsequently pulled from EPEL is signature-checked; confirm that setting is present in /etc/yum.repos.d/epel.repo before installing anything from it.
[sourcecode lang=”bash” gutter=”false”]$ sudo rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm[/sourcecode]
Next, use yum as expected:
[sourcecode lang=”bash” gutter=”false”]$ sudo yum install octave[/sourcecode]
That’s it!

Remove Extraneous RedHat Services to Help Secure Servers

One of the principles of server security is to run only those services and daemons that are absolutely necessary, and no more. A good, hardened server shouldn’t be having extraneous conversations with other machines.

While this is by no means a comprehensive list, here are some extraneous services that may be running on your server after a fresh CentOS or RedHat install. Obviously, you should look at your server’s purpose and skip those that are needed for your particular machine.

Detecting Running Services

There are various commands that will show what’s listening on what port. I personally like

# lsof -i

Disabling Daemons

If one can’t just remove a daemon, one may disable it. Substitute the name of the init script under /etc/init.d for daemon-name below.

  1. Stop the daemon.
    # service daemon-name stop
    
  2. Disable the daemon from starting automatically in every runlevel.
    # chkconfig --level 0123456 daemon-name off
    

Daemons to Consider Removing

Avahi
My servers aren't doing Zeroconf to talk to new machines that appear on the network. If it says, "Bonjour", my server isn't listening. Avahi is embedded pretty deeply in the system, so you'll probably not be able to remove the avahi package without neutering your server.
CUPS
For some reason the printer subsystem CUPS is embedded pretty deeply in the system, and you may not be able to remove it without erasing administrative tools that you might want to keep.
Exim
For some reason the LSB RPM depends on Exim, so again I simply disable Exim. Cron jobs can still send e-mail without Exim running. If you don't care about LSB compliance, you can remove it outright with sudo yum erase exim.

There are others. Please suggest more!
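The detect-then-disable procedure above is easy to do by hand on one box and tedious on twenty. What follows is an added example, not part of the original post: a small Python script that parses the output of lsof -i -P -n (the -P and -n switches stop lsof resolving port and host names, so the audit makes no DNS queries of its own and the port column stays numeric), compares every daemon holding a bound socket against an allowlist of services the host is supposed to run, and prints the stop/chkconfig-off commands for the rest. It generalises the post's fixed list of Avahi, CUPS and Exim into an allowlist check. The lsof output embedded below is a constructed sample so the script runs offline; the process-name to init-script mapping is an assumption for a stock CentOS 5 install and should be checked against /etc/init.d on the target.

```python
"""Added example (not from the original post): audit the daemons reported by
`lsof -i -P -n` against an allowlist and print stop/disable commands for the
rest. SAMPLE_LSOF is a constructed sample so this runs offline; live_plan()
runs the real lsof. INIT_SCRIPT is an assumption for a stock CentOS 5 box.
"""
import subprocess

SAMPLE_LSOF = """\
COMMAND       PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd         1234  root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
cupsd        1300  root    4u  IPv4  12400      0t0  TCP 127.0.0.1:631 (LISTEN)
avahi-daemon 1350 avahi   13u  IPv4  12500      0t0  UDP *:5353
exim         1400  exim    3u  IPv4  12600      0t0  TCP 127.0.0.1:25 (LISTEN)
sshd         5000  root    3u  IPv4  50000      0t0  TCP 10.0.0.5:22->10.0.0.9:40000 (ESTABLISHED)
"""

# Process name as lsof prints it -> SysV init script name used by service/chkconfig.
# Assumed for CentOS 5; unknown names fall back to the process name itself.
INIT_SCRIPT = {"cupsd": "cups", "avahi-daemon": "avahi-daemon",
               "exim": "exim", "sshd": "sshd"}


def bound_sockets(lsof_text):
    """Return (command, proto, port) for every bound socket in `lsof -i -P -n`
    output, skipping the header line and established connections (their NAME
    column carries a '->' peer address)."""
    found = []
    for line in lsof_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9 or "->" in fields[8]:
            continue
        command, proto, addr = fields[0], fields[7], fields[8]
        found.append((command, proto, addr.rsplit(":", 1)[1]))
    return found


def disable_plan(lsof_text, allowlist):
    """Return the commands that stop and chkconfig-off every daemon holding a
    bound socket whose init script is not in allowlist, one line per service,
    sorted. Nothing is executed: review the plan, then run it as root."""
    offenders = {}
    for command, proto, port in bound_sockets(lsof_text):
        svc = INIT_SCRIPT.get(command, command)
        if svc in allowlist:
            continue
        offenders.setdefault(svc, []).append("%s/%s" % (proto, port))
    return ["service %s stop && chkconfig --level 0123456 %s off  # was on %s"
            % (svc, svc, ", ".join(ports)) for svc, ports in sorted(offenders.items())]


def live_plan(allowlist):
    """The same audit against the running host. Run as root so lsof sees every
    process; +c 0 stops lsof truncating long command names such as avahi-daemon."""
    text = subprocess.check_output(["lsof", "-i", "-P", "-n", "+c", "0"]).decode()
    return disable_plan(text, allowlist)


if __name__ == "__main__":
    # A host whose only intended listener is sshd.
    for line in disable_plan(SAMPLE_LSOF, {"sshd"}):
        print(line)
```

Run it as root with an allowlist that names the services the machine exists to provide (sshd plus, say, httpd), read the three or four lines it prints, and only then paste them into a root shell. Keeping the plan separate from its execution is deliberate: the one daemon you forgot to allowlist is usually the one you need.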

Installing PowerDNS

PowerDNS Logo
These are notes on installing PowerDNS on a CentOS 5 server. They are generic enough that they ought to work on any RPM-based Linux distro with yum installed.

Preliminary Setup

  • Ensure BIND is not installed.
    $ sudo yum erase bind
    
  • Create a user to run as.
    $ sudo useradd -c "PowerDNS" -M -r -s /sbin/nologin pdns
    
  • Install MySQL.
    $ sudo yum install mysql-server
    $ sudo /sbin/service mysqld start
    $ sudo /sbin/chkconfig --level 35 mysqld on
    
  • Set the MySQL root password. Replace 'new password' with a real one, and do not reuse it for the PowerDNS account later. Passwords passed on the command line like this end up in the shell history and are visible to other users in ps while the command runs, so clear them from the history afterwards.
    $ /usr/bin/mysqladmin -u root password 'new password'
    $ /usr/bin/mysqladmin -u root -h localhost password 'new password'
  • Run the following MySQL commands. Please change the passwords in the file first.
    $ mysql --user=root mysql -p
    Enter password:
    mysql> source database-install.sql;

    The database-install.sql is something I created. It has the following:

    ################################################################################
    #
    # Adjust users.
    #
    #  !!! WARNING !!!  Change the two passwords below!
    #
    ################################################################################
    
    # Change the root password here.
    UPDATE mysql.user SET password = PASSWORD('password') WHERE user = 'root';
    
    # Change the PowerDNS password here. The account is local-only: PowerDNS
    # connects over the UNIX socket, so no remote host needs to log in as it.
    CREATE USER 'powerdns'@'localhost' IDENTIFIED BY 'password';
    
    # Remove the anonymous accounts a default install creates (''@'localhost'
    # and ''@'<hostname>'). A bare DROP USER '' would only look for ''@'%'.
    DELETE FROM mysql.user WHERE user = '';
    FLUSH PRIVILEGES;
    
    ################################################################################
    #
    # Create database and tables.
    #
    ################################################################################
    CREATE DATABASE powerdns;
    
    USE powerdns;
    
    CREATE TABLE domains
    (
    id              INT          AUTO_INCREMENT,
    name            VARCHAR(255) NOT NULL,
    master          VARCHAR(128) DEFAULT NULL,
    last_check      INT          DEFAULT NULL,
    type            VARCHAR(6)   NOT NULL,
    notified_serial INT          DEFAULT NULL,
    account         VARCHAR(40)  DEFAULT NULL,
    PRIMARY KEY (id)
    ) ENGINE=InnoDB;
    
    CREATE UNIQUE INDEX name_index ON domains(name);
    
    CREATE TABLE records
    (
    id              INT          AUTO_INCREMENT,
    domain_id       INT          DEFAULT NULL,
    name            VARCHAR(255) DEFAULT NULL,
    type            VARCHAR(6)   DEFAULT NULL,
    content         VARCHAR(255) DEFAULT NULL,
    ttl             INT          DEFAULT NULL,
    prio            INT          DEFAULT NULL,
    change_date     INT          DEFAULT NULL,
    PRIMARY KEY(id)
    ) ENGINE=InnoDB;
    
    CREATE INDEX rec_name_index ON records(name);
    CREATE INDEX nametype_index ON records(name,type);
    CREATE INDEX domain_id ON records(domain_id);
    
    CREATE TABLE supermasters
    (
    ip              VARCHAR(25)  NOT NULL,
    nameserver      VARCHAR(255) NOT NULL,
    account         VARCHAR(40)  DEFAULT NULL
    ) ENGINE=InnoDB;
    
    # Grant to exactly the user@host created above. A bare "TO powerdns" means
    # 'powerdns'@'%' and, on a default MySQL 5.0, silently creates that account
    # with an empty password while leaving 'powerdns'@'localhost' with nothing.
    GRANT ALL ON powerdns.domains TO 'powerdns'@'localhost';
    GRANT ALL ON powerdns.records TO 'powerdns'@'localhost';
    GRANT SELECT ON powerdns.supermasters TO 'powerdns'@'localhost';

PowerDNS Setup

  • Download PowerDNS RPM.
  • Install RPM.
  • Change the permissions on the PowerDNS config file, since it holds the database password in plain text. The daemon reads the file as root before it drops privileges, so root-only access is enough.
    $ sudo chmod 440 /etc/powerdns/pdns.conf
  • Edit the PowerDNS config file.
    $ sudo vim /etc/powerdns/pdns.conf
  • Find the setgid and setuid lines and point them at the pdns user created earlier, so the daemon drops root once port 53 is bound:
    setgid=pdns
    setuid=pdns
  • Find the launch line. Add the gmysql backend and the database details. The password is the one you gave the powerdns user in database-install.sql.
    launch=gmysql
    gmysql-host=localhost
    gmysql-user=powerdns
    gmysql-password=password
    gmysql-dbname=powerdns
    gmysql-socket=/var/lib/mysql/mysql.sock
  • Find the local-address line and set it to the IP address of the publicly-facing NIC; the server binds only to the addresses listed here. See Chapter 15 of the documentation.
    local-address=xxx.xxx.xxx.xxx
  • Find the log-dns-details line and set it to:
    log-dns-details=off

Testing

  • Ensure that your firewall is allowing traffic on port 53 both UDP and TCP. If you do not, you’ll encounter strange errors with the DNS server not being found. (Ahem, yes, I did this recently.)
  • Test the setup by running PowerDNS in monitor mode:
    $ sudo /etc/init.d/pdns monitor
    
    Jan 04 22:46:34 This is a standalone pdns
    Jan 04 22:46:34 UDP server bound to 127.0.0.1:53
    Jan 04 22:46:34 TCP server bound to 127.0.0.1:53
    Jan 04 22:46:34 PowerDNS 2.9.21.2 (C) 2001-2008 PowerDNS.COM BV (Nov 16 2008, 14:07:43, gcc 4.2.3 (Ubuntu 4.2.3-2ubuntu7)) starting up
    Jan 04 22:46:34 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
    Jan 04 22:46:34 Set effective group id to 105
    Jan 04 22:46:34 Set effective user id to 102
    Jan 04 22:46:34 Creating backend connection for TCP
    Jan 04 22:46:34 gmysql Connection succesful
    Jan 04 22:46:34 About to create 3 backend threads for UDP
    Jan 04 22:46:34 gmysql Connection succesful
    Jan 04 22:46:34 gmysql Connection succesful
    Jan 04 22:46:34 gmysql Connection succesful
    Jan 04 22:46:34 Done launching threads, ready to distribute questions
  • If there are problems, see Chapter 4 of the documentation.
  • Test the operation. Leave the monitor (previous item) running. Pull up a new shell. Execute the following host command and look for a similar response.
    $ host www.test.com 127.0.0.1
    Using domain server:
    Name: 127.0.0.1
    Address: 127.0.0.1#53
    Aliases: 
    
    Host www.test.com not found: 2(SERVFAIL)

    In the monitor you should see the following message:

    Not authoritative for 'www.test.com', sending servfail to 127.0.0.1 (recursion was desired)
  • Add some test records to the database:
    $ mysql --user=root -p
    mysql> source database-test.sql;

    That file has the following commands, which I copied from the Internet:

    USE powerdns;
    
    INSERT INTO domains (name, type) values ('test.com', 'NATIVE');
    # Use the id MySQL just assigned instead of assuming it is 1: after a
    # DELETE FROM domains the AUTO_INCREMENT counter keeps counting up.
    SET @d = LAST_INSERT_ID();
    INSERT INTO records (domain_id, name, content, type,ttl,prio) VALUES (@d,'test.com','localhost ahu@ds9a.nl 1','SOA',86400,NULL);
    INSERT INTO records (domain_id, name, content, type,ttl,prio) VALUES (@d,'test.com','dns-us1.powerdns.net','NS',86400,NULL);
    INSERT INTO records (domain_id, name, content, type,ttl,prio) VALUES (@d,'test.com','dns-eu1.powerdns.net','NS',86400,NULL);
    INSERT INTO records (domain_id, name, content, type,ttl,prio) VALUES (@d,'www.test.com','199.198.197.196','A',120,NULL);
    INSERT INTO records (domain_id, name, content, type,ttl,prio) VALUES (@d,'mail.test.com','195.194.193.192','A',120,NULL);
    INSERT INTO records (domain_id, name, content, type,ttl,prio) VALUES (@d,'localhost.test.com','127.0.0.1','A',120,NULL);
    INSERT INTO records (domain_id, name, content, type,ttl,prio) VALUES (@d,'test.com','mail.test.com','MX',120,25);
  • Run the test again:
    $ host www.test.com 127.0.0.1
    Using domain server:
    Name: 127.0.0.1
    Address: 127.0.0.1#53
    Aliases:
    
    www.test.com has address 199.198.197.196
  • Try another test.
    $  host -v -t mx www.test.com 127.0.0.1
    Trying "www.test.com"
    Using domain server:
    Name: 127.0.0.1
    Address: 127.0.0.1#53
    Aliases: 
    
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27585
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;www.test.com.			IN	MX
    
    ;; AUTHORITY SECTION:
    test.com.		86400	IN	SOA	localhost. ahu.ds9a.nl. 1 10800 3600 604800 3600
    
    Received 86 bytes from 127.0.0.1#53 in 21 ms
  • If you are receiving the following in the monitor:
    Authoritative empty NO ERROR to 127.0.0.1 for 'www.test.com' (AAAA), other types do exist.

    Then you did not put the log-dns-details=off in the configuration file. See the documentation, which says

    As the name implies, this is not an error. It tells you there are questions for a domain which exists in your database, but for which no record of the requested type exists. To get rid of this error, add log-dns-details=off to your configuration.

  • Remove the test records.
    $ mysql --user=root -p
    mysql> USE powerdns;
    mysql> DELETE FROM domains;
    mysql> DELETE FROM records;
  • Ensure pdns is set to run at boot time.
    $ sudo /sbin/chkconfig --level 35 pdns on
  • Start the service as a dæmon and you're done.
    $ sudo /etc/init.d/pdns start
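The host(1) runs above show that the server answers, but they do not show the two properties that matter most for a box that is about to face the Internet as an authoritative-only name server: it must mark its own answers authoritative, and it must not offer recursion to the world. The following is an added example, not part of the original post and not PowerDNS code: a small Python client that builds a raw DNS query, parses the reply header and answer section, and reports findings for exactly those properties (AA set for a zone it owns, RA clear, and an error code with no data for a name outside its zones, which is what the SERVFAIL seen above is). The replies embedded in the block are constructed, not captured; check_live() sends the same query over UDP to a real server, for instance check_live("127.0.0.1", "www.test.com", True) once the test records are loaded. www.example.org and 192.0.2.1 are placeholder names and addresses.

```python
"""Added example, not part of the original post: a minimal DNS wire-format
client for checking an authoritative-only server. Sample replies are
constructed here, not captured; check_live() queries a real server.
"""
import socket
import struct

RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """'www.test.com' -> b'\\x03www\\x04test\\x03com\\x00'"""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, qid=0x1234, rd=False):
    """One question, class IN. rd=False: an authoritative server answers from its
    own data. host(1) sets RD, hence "recursion was desired" in the log above."""
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg):
    """Header flags plus the answer section; A rdata is rendered dotted-quad."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                        # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": qid, "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": RCODE.get(flags & 0xF, str(flags & 0xF)), "answers": answers}


def assess(resp, expect_authoritative):
    """Findings for an authoritative-only server; an empty list means it behaves."""
    findings = []
    if resp["ra"]:
        findings.append("RA set: server advertises recursion (open resolver?)")
    if expect_authoritative:
        if not resp["aa"]:
            findings.append("AA clear for a zone this server should own")
        if resp["rcode"] != "NOERROR":
            findings.append("rcode %s for our own zone" % resp["rcode"])
    elif resp["answers"]:
        findings.append("answer data returned for a zone we do not serve")
    return findings


def check_live(server, name, expect_authoritative, port=53, timeout=2.0):
    """Send the query over UDP to a real server and assess its reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    return ["response id mismatch"] if resp["id"] != 0x1234 else assess(resp, expect_authoritative)


def make_response(query, flags, a_records):
    """Constructed reply (not from a real server): echo the question and append
    A RRs whose owner is a compression pointer to the question name (0xC00C)."""
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                   + bytes(int(o) for o in ip.split(".")) for ip, ttl in a_records)
    return query[:2] + struct.pack("!HHHHH", flags, 1, len(a_records), 0, 0) + query[12:] + rrs


if __name__ == "__main__":
    # QR|AA with data for our zone; QR|SERVFAIL for a foreign name (what PowerDNS
    # 2.9 sends, per the log above); QR|RD|RA with data for a foreign name, i.e.
    # an open recursor.
    own = parse_response(make_response(build_query("www.test.com"), 0x8400, [("199.198.197.196", 120)]))
    foreign = parse_response(make_response(build_query("www.example.org"), 0x8002, []))
    leaky = parse_response(make_response(build_query("www.example.org"), 0x8180, [("192.0.2.1", 60)]))
    print(assess(own, True), assess(foreign, False), assess(leaky, False))
```

Run check_live from a host outside the firewall as well as from the server itself: the local-address fix recorded in the updates below is exactly the kind of problem the loopback test cannot see, and a second run with expect_authoritative=False for a name you do not serve confirms the machine is not answering for the whole Internet.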

Updates

2009-01-20
Fixed the section on local-address in the configuration file which prevented outside machines from accessing the name server.
2010-04-21
Fixed error caught by Matt. Thanks, Matt!
2011-01-22
Added a note to remind that port 53 must be opened for both TCP and UDP.

Installing Bernstein’s ucspi-tcp on CentOS 5

This is a companion to installing daemontools on CentOS 5. I ran into trouble when trying to get ucspi-tcp to compile. When I ran

$ make

I would get

/usr/bin/ld: errno: TLS definition in /lib/libc.so.6 section .tbss mismatches non-TLS reference in envdir.o 

and the install process would halt prematurely.

The problem appears to be identical to the problem with compiling daemontools on CentOS 5. Just before the step that says:

Compile the ucspi-tcp programs:

make

Type the following:

$ vim conf-cc

Then append the following to the first line (which starts with “gcc”…):

 -include /usr/include/errno.h

Now you can continue on your merry way and type:

$ make

Installing Bernstein’s daemontools on CentOS 5

Caveat: I haven’t used daemontools for a long time, so this information is probably obsolete.


[2008-11-24 Update: fixed editing oversight]

I was running into trouble trying to get daemontools to compile. When I ran

package/install

I would get

/usr/bin/ld: errno: TLS definition in /lib/libc.so.6 section .tbss mismatches non-TLS reference in envdir.o

and the install process would halt prematurely.

weblocust wrote the answer on this page:

After you have untarred the daemontools file, go to the admin/package/src directory and find the file conf-cc. Edit this and add the following to the parameter line for gcc: -include /usr/include/errno.h

Save it and run the commands as told to in the daemontools installation instructions. It should then work.

In other words, when following the daemontools installation instructions, just before the step that says:

Compile and set up the daemontools programs:

package/install

Type the following:

$ vim src/conf-cc

Then append the following to the first line (which starts with “gcc”…):

 -include /usr/include/errno.h

Now you can continue on your merry way and type:

package/install

After everything compiles and installs cleanly, /etc/inittab will have been modified to start the svscan dæmon at boot time. Verify that the following line was appended to /etc/inittab:

SV:123456:respawn:/command/svscanboot

Start the svscan dæmon, as root, by telling init to re-read /etc/inittab:

init q