Monday, October 31, 2011

Software I have installed on Mac

// on 2011-02-20.
VLC Player (highly recommended) - play lots of different video formats, including avi, mpeg, rm, rmvb, wmv, dvd, vob, and more!

// on 2011-02-20.
Adium - a free instant messaging application for Mac OS X that can connect to AIM, MSN, Jabber, Yahoo, and more.

// on 2011-02-20.
Google Chrome - Google Chrome is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.

// on 2011-03-26
witch - Command-Tab is great…if you only ever have one window open in each of your applications. With more than one window, though, it's a hassle to find the one you want. Witch solves that problem by taking you directly to the window you want to reach.

// on 2011-03-26
Navicat - Navicat for MySQL is a powerful Database administration and development tool for MySQL. It works with any MySQL Database Server from version 3.21 or above, and supports most of the latest MySQL features including Trigger, Stored Procedure, Function, Event, View, and Manage User, etc.

//
teamviewer - is our solution for easy and friendly desktop sharing. You can remote control a partner’s desktop to give online assistance, or you can show your screen to a customer - all without worrying about firewalls, IP addresses and NAT.

//
Chicken of the VNC - is a VNC client for Mac OS X. A VNC client allows one to display and interact with a remote computer screen.

//
JollysFastVNC - is a secure ARD and VNC client. Its aim is to be the best and most secure VNC client on the Mac. TaoofMac actually thinks it already has reached this goal.

Separate your users from each other using FreeBSD MAC (Mandatory Access Control)

Imagine you have thousands of users on your FreeBSD server and for some reason you don’t want them to see each other’s files under any circumstances.
Normally you’d use complicated ACLs and/or nested groups to solve this problem but there’s a much simpler approach to all of this.
Using the MAC security framework you can initialize the BSDEXTENDED module, which will give you access to a very handy tool called ugidfw. This software module is basically a file system firewall: the system iterates through the rule list whenever a certain subject is trying to access an object.
Firstly, you have to compile MAC support into the kernel by adding the
option MAC
option to your kernel config file, after recompiling and rebooting you should be able to load the mac_bsdextended module using the
kldload mac_bsdextended
command.
Let’s add ugidfw_enable="YES" to /etc/rc.conf
After that we can load firewall rules by starting up the /etc/rc.d/ugidfw script, which is going to read the default rules set in /etc/rc.bsdextended.
Let’s assume that users which need complete separation from the rest of the bunch are between uid 3000 and 4000 with the sole exception of the www user, which is going to access all the files as their owners define it in the other permission field. To spice it up a little, I wanna handle group permissions as well, 2 different users in the same primary group should be able to practice their group rights on a shared file.
And the winner is:
sysctl -w security.mac.bsdextended.firstmatch_enabled=1
${CMD} set 99 subject uid 3000:4000 object gid_of_subject mode arswx
${CMD} set 100 subject not uid www object uid 3000:4000 mode n
The first rule says everyone with a uid in 3000..4000 shall only access group-owned files without further restrictions. If you don’t want to allow group access, replace gid_of_subject with uid_of_subject.
Since we enabled first match, subjects between 3000 and 4000 are not staying for the second rule, which is set for everyone except the www user.
This rule says that they have no access on objects owned by users between 3000 and 4000. Fortunately we set up the firstmatch directive, and users between 3000 and 4000 will not be punished with this rule as they exit from the chain at their first match, rule 99.
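The rule walk described above, as an added Python model (an illustration written for this page, not FreeBSD code and not from the original article). It assumes a rule applies only when both its subject part and its object part match, and that the www user has uid 80; the users, groups and files are constructed samples.

```python
# Added illustration (not FreeBSD source): a small model of how
# mac_bsdextended walks the ugidfw rule list for the two rules above.
from dataclasses import dataclass
from typing import Callable, FrozenSet

WWW_UID = 80  # assumption: uid of the www user on the modelled host


@dataclass(frozen=True)
class Cred:
    """The subject: a process credential."""
    uid: int
    gids: FrozenSet[int]


@dataclass(frozen=True)
class Obj:
    """The object: owner and group of a file."""
    uid: int
    gid: int


@dataclass(frozen=True)
class Rule:
    number: int
    subject: Callable[[Cred], bool]
    obj: Callable[[Cred, Obj], bool]
    mode: str  # permitted access letters out of "arswx"; "" models mode n


RULES = (
    # set 99 subject uid 3000:4000 object gid_of_subject mode arswx
    Rule(99, lambda c: 3000 <= c.uid <= 4000,
         lambda c, o: o.gid in c.gids, "arswx"),
    # set 100 subject not uid www object uid 3000:4000 mode n
    Rule(100, lambda c: c.uid != WWW_UID,
         lambda c, o: 3000 <= o.uid <= 4000, ""),
)


def check(cred, obj, access, firstmatch=True, rules=RULES):
    """Return (allowed, number of the deciding rule or None)."""
    for rule in sorted(rules, key=lambda r: r.number):
        # Assumption of this model: a rule applies only if BOTH parts match.
        if not (rule.subject(cred) and rule.obj(cred, obj)):
            continue
        if access not in rule.mode:
            return False, rule.number      # this rule denies the access
        if firstmatch:
            return True, rule.number       # firstmatch_enabled=1: stop here
    # No rule objected. The ordinary Unix permission bits still apply.
    return True, None


# Constructed sample users and files.
ALICE = Cred(3500, frozenset({3500, 5000}))
OUTSIDER = Cred(1001, frozenset({1001}))
WWW = Cred(WWW_UID, frozenset({80}))
ALICE_FILE = Obj(uid=3500, gid=3500)
BOB_SHARED = Obj(uid=3600, gid=5000)    # group 5000 is shared with ALICE
BOB_PRIVATE = Obj(uid=3600, gid=3600)


def demo():
    """Evaluate a read request for each constructed case."""
    return {
        "alice -> own file": check(ALICE, ALICE_FILE, "r"),
        "alice -> bob shared": check(ALICE, BOB_SHARED, "r"),
        "alice -> bob private": check(ALICE, BOB_PRIVATE, "r"),
        "outsider -> bob shared": check(OUTSIDER, BOB_SHARED, "r"),
        "www -> bob private": check(WWW, BOB_PRIVATE, "r"),
        "alice -> own file, firstmatch off":
            check(ALICE, ALICE_FILE, "r", firstmatch=False),
    }


if __name__ == "__main__":
    for case, (allowed, rule) in demo().items():
        print(f"{case:36} allowed={allowed} rule={rule}")
```

In this model a user in 3000..4000 leaves the chain at rule 99 only when the file's group is one of their own; for any other file owned by a uid in the range they continue to rule 100 and are denied. With firstmatch disabled, rule 100 also denies them their own files.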

Reference:
http://bsdbased.com/2009/11/06/separate-your-users-from-each-other-using-freebsd-mac

FreeBSD 8 VIMAGE + epair howto

The following text shows you how to use the new feature of FreeBSD 8, VIMAGE, in a multi-jail environment.
  • Compile VIMAGE support into your kernel
    Add the “option VIMAGE” to your kernel config and make sure to remove the SCTP support. Lack of SCTP support is one of the reasons VIMAGE is still considered to be experimental.
If you don’t know how to build your own custom kernel image, follow the detailed instructions of the corresponding FreeBSD Handbook chapter.
  • Reboot with your new kernel
  • First let’s create a pair of epair interfaces, then quickly start two VIMAGE jails. I’m using the same fs root to make it simple, but you should create your jails as you always do; you can even use ezjail for it. The only difference is the “vnet” jailparam, which is passed as a command line argument to the jail binary.
    If you use rc.conf you could try adding the “vnet” parameter to your jail__flags variable for automatic startup.
test# ifconfig epair create
epair0a
test# jail -c vnet name=tibi1 host.hostname=tibi1 path=/ persist
test# jls
   JID  IP Address      Hostname                      Path
     1  -               tibi1                         /
test# jail -c vnet name=tibi2 host.hostname=tibi2 path=/ persist
test# jls
   JID  IP Address      Hostname                      Path
     1  -               tibi1                         /
     2  -               tibi2                         /
So we have two instances and an epair device. Let’s see the interface list on the host.
lo0: flags=8049 metric 0 mtu 16384
        options=3
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
epair0a: flags=8842 metric 0 mtu 1500
        ether 02:c0:64:00:04:0a
epair0b: flags=8842 metric 0 mtu 1500
        ether 02:c0:64:00:05:0b
Both sides of the pair are in the host system. Put one end into one of your jails with the ifconfig vnet command and verify the results by running ifconfig inside your jail.
test# ifconfig epair0b vnet 1
test# jexec 1 ifconfig
lo0: flags=8008 metric 0 mtu 16384
        options=3
epair0b: flags=8842 metric 0 mtu 1500
        ether 02:c0:64:00:05:0b

OK, we have a layer 2 connection. Let’s add some IPs and run a ping test
test# jexec 1 ifconfig epair0b 192.168.11.2
test# ifconfig epair0a 192.168.11.1
test# ping 192.168.11.2
PING 192.168.11.2 (192.168.11.2): 56 data bytes
64 bytes from 192.168.11.2: icmp_seq=0 ttl=64 time=0.576 ms
64 bytes from 192.168.11.2: icmp_seq=1 ttl=64 time=0.081 ms
^C
--- 192.168.11.2 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.081/0.328/0.576/0.247 ms

It works!
Let’s do the same with your other jail

test# ifconfig epair1b vnet 2
test# jexec 2 ifconfig epair1b 192.168.11.3

Oh wait, these are a completely different set of epair interfaces; you can’t use the same IP subnet on them. In order to mash them together on the host side, you have to make a bridge.
test# ifconfig bridge create
bridge0
test# ifconfig bridge0 addm epair0a addm epair1a up
test#

The commands above will create a new bridge interface, and add the host side of both epair interfaces to the bridge.
You can see it with ifconfig as well:
lo0: flags=8049 metric 0 mtu 16384
        options=3
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
epair0a: flags=8943 metric 0 mtu 1500
        ether 02:c0:64:00:04:0a
        inet 192.168.11.1 netmask 0xffffff00 broadcast 192.168.11.255
epair1a: flags=8942 metric 0 mtu 1500
        ether 02:c0:64:00:05:0a
bridge0: flags=8843 metric 0 mtu 1500
        ether a6:4b:75:2d:2b:9b
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair1a flags=143
                ifmaxaddr 0 port 5 priority 128 path cost 14183
        member: epair0a flags=143
                ifmaxaddr 0 port 4 priority 128 path cost 14183
Let’s put the host IP we set for epair0a earlier on the bridge interface instead and bring UP the host side of epair1. (Note: If you assign an IP to an interface, its state should automatically change to UP)
test# ifconfig epair0a -alias
test# ifconfig bridge0 192.168.11.1
test# ifconfig epair1a up
test# ifconfig bridge0
bridge0: flags=8843 metric 0 mtu 1500
        ether a6:4b:75:2d:2b:9b
        inet 192.168.11.1 netmask 0xffffff00 broadcast 192.168.11.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair1a flags=143
                ifmaxaddr 0 port 5 priority 128 path cost 14183
        member: epair0a flags=143
                ifmaxaddr 0 port 4 priority 128 path cost 14183
Running ping tests from the second jail, you can now ping your host and your other jail(s) too. 
test# jexec 2 ping 192.168.11.1
PING 192.168.11.1 (192.168.11.1): 56 data bytes
64 bytes from 192.168.11.1: icmp_seq=0 ttl=64 time=0.193 ms
^C
--- 192.168.11.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.193/0.193/0.193/0.000 ms
test# jexec 2 ping 192.168.11.2
PING 192.168.11.2 (192.168.11.2): 56 data bytes
64 bytes from 192.168.11.2: icmp_seq=0 ttl=64 time=0.410 ms
64 bytes from 192.168.11.2: icmp_seq=1 ttl=64 time=0.089 ms
^C
--- 192.168.11.2 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.089/0.249/0.410/0.160 ms

Remember, now that you have separate networking stacks for each of your jails, the choice of topology is yours.

Reference:
http://bsdbased.com/2009/12/06/freebsd-8-vimage-epair-howto

VIMAGE - Better virtualization in FreeBSD 8

Now that FreeBSD 8 is out, among many changes we can find enhancements in the field of virtualization as well. A newly developed virtualization container called VIMAGE has been implemented to enable virtualization of the FreeBSD network stack.
As you may know previous releases of FreeBSD had support only for jails with IP addresses of the main network stack; meaning once you configured IP/IPv6 addresses on your host system, a subset of those addresses could be associated to each one of your jails. As simple as it sounds, it actually doesn’t let you perform several networking related tasks inside of a jail, and you couldn’t separate your jails from each other with a firewall as there were no real interfaces present in your system.
With VIMAGE you have a jail with full instance of the host’s networking stack, including loopback interface, routing tables, etc. Network interfaces created on the host system can be moved to any VIMAGE jail to enable its connection to the outside world with a new option of ifconfig called “vnet”.
vnet jail
Move the interface to the jail, specified by name or JID. If the jail has a virtual network stack, the interface will disappear from the current environment and become visible to the jail.

Note: Option “-vnet” does the opposite.
As you might not have as many network interfaces as jails, you might need some workarounds to tunnel network traffic between two interfaces of your system.
Forget TUN/TAP and VPNs. FreeBSD 8 has a special network device called epair, which lets you create a pair of interconnected ethernet interfaces. If you move one of them to a VIMAGE jail you are basically done. Feel free to bridge them or use VLANs, they will still work. I don’t know about the overhead of epair, but if all you care about is security, this might be the best choice for you on FreeBSD.
To enable VIMAGE you have to add “option VIMAGE” to your kernel configuration file and recompile/reinstall it.

Reference:
http://bsdbased.com/2009/11/27/vimage-better-virtualization-in-freebsd-8

Installing Nagios on FreeBSD 8.1

Nagios is a powerful monitoring system that enables organizations to identify and resolve IT infrastructure problems before they affect critical business processes.

The fork of Nagios to Icinga is a good thing, much in the same way as Quagga was a great fork of Zebra.

FreeBSD 8.1-STABLE-201011

Install Apache2.2

Install PHP5.2.17

Install MySQL5.5

Install Nagios:
# cd /usr/ports/net-mgmt/nagios
# make install

Enable nagios to start on boot:
# echo 'nagios_enable="YES"' >> /etc/rc.conf

Now copy the sample files to the config files:
# cd /usr/local/etc/nagios/
# cp cgi.cfg-sample cgi.cfg
# cp nagios.cfg-sample nagios.cfg
# cp resource.cfg-sample resource.cfg

Move sample files to a sample folder:
# mkdir -p /usr/local/etc/nagios/sample
# mv /usr/local/etc/nagios/*-sample /usr/local/etc/nagios/sample

Navigate to /usr/local/etc/nagios/objects and do the same:
# cd /usr/local/etc/nagios/objects
# cp commands.cfg-sample commands.cfg
# cp contacts.cfg-sample contacts.cfg
# cp localhost.cfg-sample localhost.cfg
# cp printer.cfg-sample printer.cfg
# cp switch.cfg-sample switch.cfg
# cp templates.cfg-sample templates.cfg
# cp timeperiods.cfg-sample timeperiods.cfg

Move sample files to a sample folder:
# mkdir -p /usr/local/etc/nagios/objects/sample
# mv /usr/local/etc/nagios/objects/*-sample /usr/local/etc/nagios/objects/sample

Note: A sample configuration file for monitoring windows servers can be found at /usr/ports/net-mgmt/nagios/work/nagios-3.2.3/sample-config/template-object/windows.cfg

Now check your Nagios configuration for errors:
# nagios -v /usr/local/etc/nagios/nagios.cfg

Create a Nagios Admin called "nagiosadmin":
# htpasswd -c /usr/local/etc/nagios/htpasswd.users nagiosadmin

Note: the -c parameter creates the htpasswd file. If htpasswd file already exists, it is rewritten and truncated.

Note: you must call the admin name "nagiosadmin", because it is the default admin name in these configuration files (see "grep -i 'admin' /usr/local/etc/nagios/*.cfg").

Create a Nagios user called "nagiosuser":
# htpasswd /usr/local/etc/nagios/htpasswd.users nagiosuser

Note: you do not need the -c parameter this time since the htpasswd file already exists.

Now add Nagios Setting to your apache configuration:
# vi /usr/local/etc/apache22/httpd.conf

and add following lines to the end of the httpd.conf file:

### [START] nagios
ScriptAlias /nagios/cgi-bin/ /usr/local/www/nagios/cgi-bin/

Alias /nagios /usr/local/www/nagios/

<Directory /usr/local/www/nagios>
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/etc/nagios/htpasswd.users
Require valid-user
</Directory>

<Directory /usr/local/www/nagios/cgi-bin>
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/etc/nagios/htpasswd.users
Require valid-user
</Directory>
### [END] nagios

Restart Apache
# /usr/local/etc/rc.d/apache22 restart

Start Nagios
# /usr/local/etc/rc.d/nagios start

===========================================================
===========================================================

On the Nagios Client, install nrpe2:
# cd /usr/ports/net-mgmt/nrpe2
# make install

Create the NRPE configuration file:
# cp /usr/local/etc/nrpe.cfg-sample /usr/local/etc/nrpe.cfg

Change Permission
# chmod 440 /usr/local/etc/nrpe.cfg

On the Nagios Client, add the Nagios Server's IP Address to allowed hosts:
# vi /usr/local/etc/nrpe.cfg
allowed_hosts=127.0.0.1,192.168.13.3

Note: comma separated. No Space in between!

On the Nagios Client, enable nrpe2 to start on boot:
# echo 'nrpe2_enable="YES"' >> /etc/rc.conf

On the Nagios Client, start nrpe2:
# /usr/local/etc/rc.d/nrpe2 start

On the Nagios Client, make sure nrpe2 is running:
# ps ax | grep nrpe

On the Nagios Client, make sure the nrpe2 daemon is listening on port 5666:
# netstat -at|grep 5666
tcp4 0 0 *.5666

On the Nagios Client, run check_nrpe2 check. You should see the version number on success.
# /usr/local/libexec/nagios/check_nrpe2 -H localhost
NRPE v2.12

On the Nagios Client, you can test some of these by running the following commands:
# /usr/local/libexec/nagios/check_nrpe2 -H localhost -c check_users
# /usr/local/libexec/nagios/check_nrpe2 -H localhost -c check_load
# /usr/local/libexec/nagios/check_nrpe2 -H localhost -c check_hda1
# /usr/local/libexec/nagios/check_nrpe2 -H localhost -c check_sda1
# /usr/local/libexec/nagios/check_nrpe2 -H localhost -c check_total_procs
# /usr/local/libexec/nagios/check_nrpe2 -H localhost -c check_zombie_procs

Note: plugins are stored in /usr/local/libexec/nagios.

At this point, you are done installing and configuring NRPE on the remote host (Nagios Client). Now it's time to install a component and make some configuration entries on your monitoring server.

===========================================================
===========================================================

On the Nagios Server, install nrpe2:
# cd /usr/ports/net-mgmt/nrpe2
# make install

Make sure the check_nrpe2 plugin can talk to the NRPE daemon on the remote host. Replace "192.168.13.156" in the command below with the IP address of the remote host that has NRPE installed. Run following command on the Nagios Server:
# /usr/local/libexec/nagios/check_nrpe2 -H 192.168.13.156
NRPE v2.12

On the Nagios Server, run following command for testing:
# /usr/local/libexec/nagios/check_nrpe2 -H 192.168.13.156 -c check_total_procs

===========================================================
===========================================================

We will create a new configuration file for all FreeBSD servers on the LAN.
# vi /usr/local/etc/nagios/objects/lan-freebsd-servers.cfg

###############################################################################
# LOCALHOST.CFG - SAMPLE OBJECT CONFIG FILE FOR MONITORING THIS MACHINE
#
# Last Modified: 03-03-2011
#
# NOTE: This config file is intended to serve as an *extremely* simple
#       example of how you can create configuration entries to monitor
#       the local (FreeBSD) machine.
#
###############################################################################


###############################################################################
###############################################################################
#
# HOST DEFINITION
#
###############################################################################
###############################################################################

# Define a host for the local machine
define host{
        use             freebsd-server  ; Inherit default values from a template
        host_name       test-bsd        ; The name we're giving to this host
        alias           My TEST BSD     ; A longer name associated with the host
        address         192.168.13.156 ; IP address of the host
        }

define host{
        use             freebsd-server  ; Inherit default values from a template
        host_name       dev01           ; The name we're giving to this host
        alias           dev01     ; A longer name associated with the host
        address         192.168.13.157 ; IP address of the host
        }

define host{
        use             freebsd-server  ; Inherit default values from a template
        host_name       web1           ; The name we're giving to this host
        alias           Online Web     ; A longer name associated with the host
        address         192.168.13.242 ; IP address of the host
        }

define host{
        use             freebsd-server  ; Inherit default values from a template
        host_name       bsd-sql        ; The name we're giving to this host
        alias           Online SQL     ; A longer name associated with the host
        address         192.168.13.108 ; IP address of the host
        }

define host{
        use             freebsd-server  ; Inherit default values from a template
        host_name       fw1        ; The name we're giving to this host
        alias           Firewall Server  ; A longer name associated with the host
        address         192.168.13.2 ; IP address of the host
        }

###############################################################################
###############################################################################
#
# SERVICE DEFINITIONS
#
###############################################################################
###############################################################################

# Define a service to "ping" the local machine

define service{
        use                             generic-service         ; Name of service template to use
        host_name                       test-bsd,web1,bsd-sql,fw1,dev01
        service_description             PING
        check_command                   check_ping!100.0,20%!500.0,60%
        }

# Define a service to check SSH on the local machine.
# Disable notifications for this service by default, as not all users may have SSH enabled.

define service{
        use                             generic-service         ; Name of service template to use
        host_name                       test-bsd,web1,bsd-sql
        service_description             SSH
        check_command                   check_ssh
        notifications_enabled           0
        }

# Define a service to check HTTP.
# Disable notifications for this service by default, as not all users may have HTTP enabled.

define service{
        use                             generic-service         ; Name of service template to use
        host_name                       web1
        service_description             HTTP
        check_command                   check_http
        notifications_enabled           0
        }

# Define a service to check the number of currently logged in users.

define service{
        use                             generic-service         ; Name of service template to use
        host_name                       test-bsd,web1,bsd-sql,fw1,dev01
        service_description             Current Users
        check_command                   check_nrpe2!check_users
        }

# Define a service to check the root partition of the disk.

define service{
        use                             generic-service         ; Name of service template to use
        host_name                       localhost,test-bsd,web1,bsd-sql,fw1,dev01
        service_description             / partition
        check_command                   check_nrpe2!check_root
        }

# Define a service to check the /usr partition of the disk.

define service{
        use                             generic-service         ; Name of service template to use
        host_name                       localhost,test-bsd,web1,bsd-sql,fw1,dev01
        service_description             /usr partition
        check_command                   check_nrpe2!check_usr
        }

# Define a service to check the /var partition of the disk.

define service{
        use                             generic-service         ; Name of service template to use
        host_name                       localhost,test-bsd,web1,bsd-sql,fw1,dev01
        service_description             /var partition
        check_command                   check_nrpe2!check_var
        }

# Define a service to check the /tmp partition of the disk.

define service{
        use                             generic-service         ; Name of service template to use
        host_name                       localhost,test-bsd,web1,bsd-sql,fw1,dev01
        service_description             /tmp partition
        check_command                   check_nrpe2!check_tmp
        }

# Define a service to check the load.

define service{
        use                             generic-service         ; Name of service template to use
        host_name                       test-bsd,web1,bsd-sql,fw1,dev01
        service_description             Current Load
        check_command                   check_nrpe2!check_load
        }

# Define a service to check zombie processes.

define service{
        use                             generic-service         ; Name of service template to use
        host_name                       test-bsd,web1,bsd-sql,fw1,dev01
        service_description             Zombie Processes
        check_command                   check_nrpe2!check_zombie_procs
        }

# Define a service to check total processes.

define service{
        use                             generic-service         ; Name of service template to use
        host_name                       test-bsd,web1,bsd-sql,fw1,dev01
        service_description             total Processes
        check_command                   check_nrpe2!check_total_procs
        }

# Define a service to check mysql uptime.

define service{
        use                             generic-service         ; Name of service template to use
        host_name                       bsd-sql
        service_description             MySQL Uptime
        check_command                   check_nrpe2!check_mysql_health_uptime
        }

# Define a service to check mysql slave io running.

define service{
        use                             generic-service         ; Name of service template to use
        host_name                       bsd-sql
        service_description             MySQL Slave IO
        check_command                   check_nrpe2!check_mysql_health_slave-io-running
        }

# Define a service to check mysql slave sql running.

define service{
        use                             generic-service         ; Name of service template to use
        host_name                       bsd-sql
        service_description             MySQL Slave SQL
        check_command                   check_nrpe2!check_mysql_health_slave-sql-running
        }

Note: comma separated. No Space in between!

Add other FreeBSD hosts on the LAN to the host group member list.
# vi /usr/local/etc/nagios/objects/localhost.cfg

define hostgroup{
        hostgroup_name  freebsd-servers ; The name of the hostgroup
        alias           FreeBSD Servers ; Long name of the group
        members         localhost,test-bsd,web1,bsd-sql,fw1 ; Comma separated list of hosts that belong to this group
        }

Remember to add host name to /etc/hosts:
# vi /etc/hosts
192.168.13.156 test-bsd
192.168.13.242 web1
192.168.13.108 bsd-sql
192.168.13.2 fw1

Define check_nrpe2 command in order to allow Nagios Server to run the check_nrpe2 command. Add following lines to commands.cfg:
# vi /usr/local/etc/nagios/objects/commands.cfg

# 'check_nrpe2' command definition
define command{
        command_name check_nrpe2
        command_line $USER1$/check_nrpe2 -H $HOSTADDRESS$ -c $ARG1$
        }

Note: $USERn$ macros are defined in /usr/local/etc/nagios/resource.cfg.

Note: Standard macros that are available in Nagios are listed here http://nagios.sourceforge.net/docs/3_0/macrolist.html .

Add following line to nagios.cfg:
# vi /usr/local/etc/nagios/nagios.cfg
# Definitions for monitoring the freebsd servers on the lan.
cfg_file=/usr/local/etc/nagios/objects/lan-freebsd-servers.cfg

Now check your Nagios configuration for errors:
# /usr/local/bin/nagios -v /usr/local/etc/nagios/nagios.cfg

Restart nagios if everything was okay:
# /usr/local/etc/rc.d/nagios restart

===========================================================
===========================================================

On the Nagios Client, install check_mysql_health plugin:
# cd /usr/ports/net-mgmt/check_mysql_health
# make install

Note: there is a plugin called "check_mysql" in nagios-plugins-1.4.15_1,1. However, check_mysql_health seems better.

Go to your MySQL server, and grant "no privileges" for a nagios user.
# mysql -u root -p
mysql> GRANT USAGE ON *.* TO 'nagios'@'localhost' IDENTIFIED BY 'nagios';
mysql> FLUSH PRIVILEGES;
mysql> exit

If you want to monitor mysql replication status as well, grant "REPLICATION CLIENT" privileges for a nagios user.
# mysql -u root -p
mysql> GRANT REPLICATION CLIENT ON *.* TO 'nagios'@'localhost' IDENTIFIED BY 'nagios';
mysql> FLUSH PRIVILEGES;
mysql> exit

# mysql -u nagios -p
mysql> show grants;

View check_mysql_health options
# /usr/local/libexec/nagios/check_mysql_health -h

You can test some of these by running the following commands on Nagios Client:
# /usr/local/libexec/nagios/check_mysql_health --hostname localhost --username nagios --password nagios --mode uptime --warning 2 --critical 5

Note: this command above will trigger a WARNING if mysql uptime is greater than 2 minutes; will trigger a CRITICAL if mysql uptime is greater than 5 minutes.

Please note that the thresholds must be specified according to the Nagios plug-in development guidelines.

10 // means "Alarm, if > 10" (without colon).
90: // means "Alarm, if < 90" (with colon).

On Nagios Client, edit nrpe.cfg:
# vi /usr/local/etc/nrpe.cfg
### MySQL - hardcoded command arguments.
command[check_mysql_health_uptime]=/usr/local/libexec/nagios/check_mysql_health --hostname localhost --username nagios --password nagios --mode uptime
command[check_mysql_health_slave-io-running]=/usr/local/libexec/nagios/check_mysql_health --hostname localhost --username nagios --password nagios --mode slave-io-running
command[check_mysql_health_slave-sql-running]=/usr/local/libexec/nagios/check_mysql_health --hostname localhost --username nagios --password nagios --mode slave-sql-running

On Nagios Client, restart nrpe2:
# /usr/local/etc/rc.d/nrpe2 restart

You can test some of these by running the following commands on Nagios Client:
# /usr/local/libexec/nagios/check_nrpe2 -H localhost -c check_mysql_health_uptime

You can test some of these by running the following commands on Nagios Server:
# /usr/local/libexec/nagios/check_nrpe2 -H 192.168.13.108 -c check_mysql_health_uptime
# /usr/local/libexec/nagios/check_nrpe2 -H 192.168.13.108 -c check_mysql_health_slave-io-running
# /usr/local/libexec/nagios/check_nrpe2 -H 192.168.13.108 -c check_mysql_health_slave-sql-running

Check the system messages if it did not work.
# tail /var/log/messages
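
A static check of the nrpe.cfg settings used in this guide (allowed_hosts format, file mode, credentials hardcoded in command lines), as an added Python example that is not part of the original guide or of NRPE. The sample configurations are constructed; dont_blame_nrpe (the nrpe.cfg option that lets the server pass command arguments) and the $ARGn$ check_disk line do not appear in the guide and are included here as assumptions for contrast.

```python
# Added example (not from the original guide): audit nrpe.cfg content for the
# settings this guide touches. It reads text only and changes nothing.
import re
import stat

# Constructed sample, modelled on the nrpe.cfg lines shown in this guide.
SAMPLE_CFG = """\
allowed_hosts=127.0.0.1,192.168.13.3
dont_blame_nrpe=0
command[check_users]=/usr/local/libexec/nagios/check_users -w 5 -c 10
command[check_mysql_health_uptime]=/usr/local/libexec/nagios/check_mysql_health --hostname localhost --username nagios --password nagios --mode uptime
"""

# Constructed counter-example containing the problems the checks look for.
WEAK_CFG = """\
allowed_hosts=127.0.0.1, 192.168.13.3
dont_blame_nrpe=1
command[check_disk]=/usr/local/libexec/nagios/check_disk -w $ARG1$ -c $ARG2$
"""

COMMAND_RE = re.compile(r"^command\[([^\]]+)\]\s*=\s*(.*)$")
PASSWORD_RE = re.compile(r"(--password[ =])\S+")


def parse_nrpe_cfg(text):
    """Split nrpe.cfg text into plain settings and command[...] definitions."""
    settings, commands = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = COMMAND_RE.match(line)
        if match:
            commands[match.group(1)] = match.group(2)
        elif "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings, commands


def redact(cmdline):
    """Mask the value after --password so reports never echo the secret."""
    return PASSWORD_RE.sub(r"\1***", cmdline)


def audit(text, mode):
    """Return a list of (finding_id, setting_or_command_name) tuples.

    mode is the permission bits of nrpe.cfg, e.g. 0o440 after the chmod above.
    """
    findings = []
    settings, commands = parse_nrpe_cfg(text)

    # The file holds the MySQL password, so it must not be readable by
    # "other" or writable by group or other.
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IWGRP):
        findings.append(("file-mode", format(mode, "o")))

    hosts = settings.get("allowed_hosts", "")
    if not hosts:
        findings.append(("allowed-hosts-missing", "allowed_hosts"))
    elif any(not h or h != h.strip() for h in hosts.split(",")):
        # "comma separated, no space in between"
        findings.append(("allowed-hosts-format", "allowed_hosts"))

    if settings.get("dont_blame_nrpe", "0") != "0":
        findings.append(("remote-arguments", "dont_blame_nrpe"))

    for name, cmdline in commands.items():
        if PASSWORD_RE.search(cmdline):
            # Anyone who can read the file, or list process arguments while
            # the check runs, sees this password.
            findings.append(("inline-credential", name))
        if "$ARG" in cmdline:
            findings.append(("argument-macro", name))
    return findings


if __name__ == "__main__":
    for label, cfg, mode in (("sample", SAMPLE_CFG, 0o440),
                             ("weak", WEAK_CFG, 0o644)):
        for finding, name in audit(cfg, mode):
            print(f"{label}: {finding}: {name}")
```

The inline-credential finding on the guide's own MySQL commands is expected; the account behind it only holds the USAGE and REPLICATION CLIENT grants given above.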

Reference:
http://www.wonkity.com/~wblock/docs/nagios.pdf

http://www.weithenn.org/cgi-bin/wiki.pl?Nagios-%E7%B6%B2%E8%B7%AF%E7%9B%A3%E6%8E%A7%E5%8F%8A%E5%91%8A%E8%AD%A6%E7%B3%BB%E7%B5%B1

http://nagios.sourceforge.net/docs/nrpe/NRPE.pdf

http://nagios.sourceforge.net/docs/3_0/macros.html

What's cooking for FreeBSD 9?

This page will document changes that will be included in FreeBSD 9, including those that might end up being committed to earlier branches. In other words, it describes differences between 8.0 and 9.0, no matter what happens to the versions in between.
For information on the currently released 8-STABLE branch see the What's cooking for FreeBSD 8 page.
Some of the more important low-level changes can be seen in the future release's UPDATING file.
Also useful are the quarterly Status Reports:
Everyone is encouraged to download a snapshot CD image and try all the new features (as well as the old ones). Developers are very interested in bug reports. Note that FreeBSD 9.0 is not released yet and both the snapshots and the default source trees have debugging enabled by default (which results in dramatic slowdowns so don't benchmark them without removing the debugging options).
If you're interested in how FreeBSD gets developed, you're encouraged to read the mailing lists and developer blogs.

Overall system / architectural changes

Userland DTrace

Status: committed to -CURRENT.
Will appear in 9.0: sure
Author: Rui Paulo
Web: announcement, commit message
The kernel parts of the DTrace system diagnostic framework were imported some time ago, but they are now completed with the support for userland tracing, making it usable in general userland software development and system administration. Userland DTrace is already used in some large well known software packages such as PostgreSQL and X.Org.

CLANG / LLVM compiler

Status: Committed to -CURRENT.
Will appear in 9.0: yes
Authors: Roman Divacky, Pawel Worach, Ed Schouten and many others
Web: LLVM, CLANG, FreeBSD wiki, mailing list announcement
As the GCC compiler suite was relicensed under GPLv3 after the 4.2 release, and the GPLv3 is a big disappointment for some users of BSD systems (mostly commercial users who have a no-GPLv3-beyond-company-doors policy), having an alternative, non-GPLv3 compiler for the base system has become highly desirable. Currently, the overall consensus is that GCC 4.3 will not be imported into the base system (the same goes for other GPLv3 code).
The LLVM and CLANG projects together offer a full BSD-licensed C/C++ compiler infrastructure that is, performance- and feature-wise, close to or better than GCC. LLVM is the back-end and CLANG is the front-end part of the infrastructure.
Recent development has shown that not only is it possible to start using LLVM+CLANG right away, it is also very stable. The probability of replacing GCC for the base system in the near future is high. LLVM/CLANG will also add benefits to the overall system such as better error reporting, Apple's Grand Central Dispatch system for developing multithreaded applications and possibly JIT compiling some internal structures like firewall rules.
Note that this mostly affects the base system. There is too much third party software (e.g. ports) that depends on GCC to completely replace it.
Update: To make this happen, PathScale has developed and donated the C++ runtime library under the BSD license. PathScale has some other tools and libraries which may in the future help the transition to a BSD-licensed toolkit: the assembler (pathas) and the debugger (pathDB).

Kernel & low level improvements

Large-scale SMP support

Status: Committed to -CURRENT
Will appear in 9.0: sure
Author: Attilio Rao and others
Web: commit message
This work brings in support for large SMP systems, with more than 32 CPUs. Previously, the kernel structures were unable to account for such a large number of CPUs so the newest method implements extensible CPU accounting. This is not an improvement in scalability in itself but is a prerequisite for large-scale SMP work.

USB 3.0 support

Status: Committed to -CURRENT
Will appear in 9.0: sure
Author: Hans Petter Selasky
Web: commit message
The new wave of USB changes improves on the hugely successful USB development released in FreeBSD 8 and brings in support for USB 3.0.

Network kernel core dumps (netdump)

Status: In development
Will appear in 9.0: probably
Author: Attilio Rao and others
Web: announcement
Netdump is a framework for sending kernel core dumps over TCP/IP, so that the dump is written to a machine other than the one that is running. It may be used in an interesting number of cases involving diskless workstations, disk driver debugging or embedded devices.

Initial NUMA support

Status: Committed to -CURRENT
Will appear in 9.0: sure
Author: John Baldwin
Web: Commit message, discussion
As NUMA-like architectures have become almost ubiquitous, even in i386 / amd64 architectures, there are potentially big performance gains to be had by enabling support for them within operating systems. New development aims to adapt the physical page allocator to be NUMA-aware.

Modern event timer infrastructure

Status: Committed to -CURRENT
Will appear in 9.0: sure
Authors: Alexander Motin
Web: Commit message 1, Commit message 2
To better support the many sources of timer ticks present in today's systems and to build the foundation for a tickless kernel, a new unifying timer infrastructure was created. It currently supports LAPIC, HPETs, i8254 and RTC.

Tickless kernel

Status: Under development
Will appear in 9.0: probably
Authors: Tsuyoshi Ozawa, Alexander Motin
Web: idea, new timer infrastructure
To improve performance in virtual machines and power usage in laptops, the "dynamic tick mode" (also called, a bit inappropriately, "tickless mode") can replace the classic, strictly periodic hardware timer interrupt ticking with one-shot variable-time ticks. This will save some CPU time which would otherwise be spent handling timer interrupts which have no work assigned to them.

Networking improvements

More SMP-scalable TCP/IP

Status: Committed to -CURRENT
Will appear in 9.0: sure
Author: Robert Watson
Web: commit message, announcement
Improvements to the networking stack introduce better scalability strategies based on the work by Alan Cox and others. With these changes, it is expected that connections will have clearer CPU affinity, less cache line contention and better use of modern hardware flow detection and handling.

New NFS client and server

Status: Committed to -CURRENT
Will appear in 9.0: sure
Author: Rick Macklem
Web: commit message
The new NFS client and server introduce support for NFSv4 as their biggest feature, with ACL support, byte range locking and delegation support. They should also be easier to maintain and to upgrade later to NFSv4.1.

Five new TCP congestion algorithms

Status: Partially committed to -CURRENT
Will appear in 9.0: sure
Author: Lawrence Stewart
Web: Commit message
This commit marks the first formal contribution of the "Five New TCP Congestion Control Algorithms for FreeBSD" FreeBSD Foundation funded project. More details about the project are available at: http://caia.swin.edu.au/freebsd/5cc/.

SIFTR - Statistical Information for TCP Research

Status: Committed to -CURRENT
Will appear in 9.0: sure
Author: Lawrence Stewart
Web: commit message
SIFTR logs a range of statistics on active TCP connections to a log file, providing the ability to make highly granular measurements of TCP connection state. The tool is aimed at system administrators, developers and researchers.

Storage subsystems' improvements

A move to support 4K drives

Status: committed
Will appear in 9.0: sure
Authors: Kirk McKusick, Alexander Motin, Andrey V. Elsukov and others
FreeBSD's GEOM and file systems have intrinsically supported large (or even arbitrary) sector sizes for a long time, but there is still the issue of detecting them and communicating this information across the layers. Some new development introduced SATA quirks to detect known 4K drives (with the ability for users to set their own quirks on non-detected drives), the gpart(8) utility will calculate the correct alignment or warn on misalignment, and the default fragment / block size for UFS was changed to 4K / 32K.

Generic GEOM IO schedulers

Status: Committed to -CURRENT
Will appear in 9.0: sure
Authors: Luigi Rizzo, Fabio Checconi
Web: commit message
The new framework, integrated with GEOM, allows for multiple disk IO schedulers to be used, if necessary, on different IO providers (e.g. drives). The usage of some IO schedulers can increase responsiveness in certain kinds of IO workloads, for example a mix of sequential and random IO.

HAST - High Availability Storage

Status: Committed to -CURRENT, planned MFC
Will appear in 9.0: sure
Author: Pawel Jakub Dawidek
Web: FreeBSD wiki page
HAST is a userland-based (ggate) implementation of a distributed storage device concept, similar to Linux's DRBD. It allows over-the-network mirroring of any GEOM storage devices in a semi-synchronous way (writes succeed when the data is sent over the wire).

UFS SoftUpdates+Journal (SU+J)

Status: Pending commit to -CURRENT
Will appear in 9.0: sure
Author: Jeff Roberson
Web: discussion
A new feature added to the existing UFS SoftUpdates code makes use of a small journal, technically an intent log, to keep track of metadata garbage collection, which has up to now been left as a job for (background) fsck after an unclean shutdown. The intent behind this is to eliminate the requirement for fsck or background fsck on file systems with SoftUpdates enabled after an unclean shutdown.
In effect, this feature combines the best of both worlds - the very fast operation of SoftUpdates with the removal of the need for fsck that is characteristic of journalling file systems. This is not a radical change - the well known SoftUpdates mechanism is still in its original form - but it completes the garbage collection step in a different way.

New driver for AHCI SATA drives

Status: Committed to -CURRENT, MFC-ed
Will appear in 9.0: sure
Author: Alexander Motin & others
Web: commit message
The new driver supports native AHCI via the CAM (common access method for storage) subsystem. AHCI drives are manipulated by camcontrol, and support for new features like NCQ and port multipliers has been integrated. In addition, performance has been significantly increased, and port multiplier and hot-plugging support is greatly improved.

ATA CAM implementation

Status: Committed to -CURRENT
Will appear in 9.0: sure
Author: Alexander Motin
Web: commit message
The ATA disk drivers have all been moved to the CAM system, improving some of their features along the way. This makes CAM a very real central point and foundation of disk interfaces and management of (S)ATA, SCSI, USB and Firewire drives. Some SCSI controllers still have drivers outside CAM.
Improvements include: transfer size increase, better support for port multipliers.

Security

Capsicum

Status: Basic functions committed to -CURRENT
Will appear in 9.0: sure
Author: Robert Watson and others
Web: commit message
Capsicum is a framework for security isolation of sensitive processes, which may prove useful in strengthening the security of the operating system.

AES-XTS encryption mode in kernel

Status: Committed to -CURRENT
Will appear in 9.0: sure
Author: Pawel Jakub Dawidek
Web: AES-XTS in kernel, AES-XTS in GELI, AES-XTS via AESNI
The XTS block cipher mode is specially suited for encrypting disk drives and other block devices. It avoids some security problems that arise when plain CBC chaining is used for addressable-sector encryption.
AES with XTS mode is used in GELI and is also supported when implemented via AES-NI.
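
One of the CBC problems mentioned above is malleability: a one-bit change to a ciphertext block on disk produces the same one-bit change in the next plaintext block, while under XTS the damage is confined to the modified block and is unpredictable. The following is an added example, not code from the original page or from FreeBSD/GELI; a SHA-256 Feistel network stands in for AES so that it runs with the standard library only, and the keys, sector number and record contents are constructed.

```python
import hashlib

BLOCK = 16  # block size in bytes, same as AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Feistel round function built from SHA-256 (stand-in only, NOT AES)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):
    left, right = blk[:8], blk[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def dec_block(key, blk):
    left, right = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def cbc(key, sector, data, decrypt=False):
    prev, out = sector.to_bytes(BLOCK, "little"), b""  # plain CBC: IV = sector number
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        cur = _xor(dec_block(key, blk), prev) if decrypt else enc_block(key, _xor(blk, prev))
        out, prev = out + cur, (blk if decrypt else cur)
    return out

def xts(k1, k2, sector, data, cipher):
    # XTS without ciphertext stealing: C_j = E_k1(P_j ^ T_j) ^ T_j, with
    # T_0 = E_k2(sector) and T_{j+1} = T_j * x in GF(2^128)
    t, out = int.from_bytes(enc_block(k2, sector.to_bytes(BLOCK, "little")), "little"), b""
    for i in range(0, len(data), BLOCK):
        tb = t.to_bytes(BLOCK, "little")
        out += _xor(cipher(k1, _xor(data[i:i + BLOCK], tb)), tb)
        t = ((t << 1) & ((1 << 128) - 1)) ^ (0x87 if t >> 127 else 0)
    return out

def tamper_one_bit(sector=7):
    k1, k2 = b"constructed-key1", b"constructed-key2"   # constructed keys
    pt = b"flag=0 quota=050" * 3                        # constructed 48-byte "sector"
    flip = lambda c: c[:5] + bytes([c[5] ^ 1]) + c[6:]  # change one bit in block 0
    cbc_pt = cbc(k1, sector, flip(cbc(k1, sector, pt)), decrypt=True)
    xts_pt = xts(k1, k2, sector, flip(xts(k1, k2, sector, pt, enc_block)), dec_block)
    return pt, cbc_pt, xts_pt
```

Neither mode detects the modification, since XTS is not an authenticated mode; the difference is that CBC turns it into a controlled change in the following block.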

NFSv4 ACLs for UFS

Status: Committed to -CURRENT, MFCed
Will appear in 9.0: sure
Author: Edward Tomasz Napierala
Web: commit message
The well known and loved UFS file system has for some time implemented POSIX.1e ACLs (access control lists) in addition to the classic Unix file permissions model. This file permission model greatly enhances the way files can be managed and allows new security models to be implemented. It is also a standard part of the FreeBSD kernel, ready to be used at any time.
However, the POSIX.1e standard apparently never became truly widespread in practice. Through market share domination (but not completely without technical merit) the NTFS (Microsoft Windows file system) ACL security model has become widely popular and implemented, so much so that it directly inspired the ACL model in NFS (Network File System) version 4. The POSIX model is simpler and more Unix-like but the NTFS/NFSv4 model is more expressive.
The two ACL models are incompatible - security parameters set in the NFSv4 model cannot always be directly translated to the POSIX model. Due to this, and considering that NFSv4 ACLs are already directly implemented in ZFS, the introduction of NFSv4 ACLs in UFS is simply a feature-completeness step which makes both file systems similarly usable from NFSv4 clients.
The POSIX model still remains in the implementation, but is mutually exclusive (at the mount-point level) with the NFSv4 model.

Other changes

The following is a list of smaller and / or more obscure changes that nevertheless deserve a special mention since they will be of interest to certain users:
As always, all features described here are, or will be, a part of the FreeBSD "base" system, available in every FreeBSD installation without patching or out-of-the-ordinary configuration.
For more information about development of FreeBSD (among other topics), see my blog with daily and miscellaneous information.

Reference:
http://ivoras.net/freebsd/freebsd9.html