Revision as of 05:48, 20 March 2020
Cacti is a complete network monitoring and data analysis solution that uses RRDTool's data storage and graphing functionality. It is the most widely used monitoring tool among ISPs for viewing the network graphically.
As an extra, we added the IP address of the Alpine Linux CDN to avoid additional packets to a DNS server.
Repositories and packages
Unfortunately, some commands are more complex. The common commands are just minimalist BusyBox versions, so we must replace them with the full ones:
Warning: These complex configurations are necessary, because Cacti is demanding in its requirements to function correctly once installed.
The web server: Lighttpd installation and configuration
Cacti runs as a web application, so we need a configured web server. Because apache2 is so well known, we only document lighttpd here; for the more widely used options there is already plenty of information:
Warning: The next steps are recommended but optional; they make all traffic between the Cacti monitoring host and the rest of the monitored devices use HTTPS only! Cacti should only be accessed over TLS (https), otherwise it exposes passwords and user data. These steps generate a self-signed certificate file that requires accepting a custom exception in the web browser, but all traffic will go over TLS/SSL (https).
The next requirement is the PHP scripting language, because Cacti is built with PHP; it also supports LDAP.
Note: Cacti supports PHP5 and PHP7. The next section only covers PHP7 because it is the only one available in recent Alpine versions, but if you use an older Alpine host for testing, you can use this command to detect what to install: export phpmax=$(debver=$(cat /etc/alpine-release|cut -d '.' -f2);[ $debver -ge 6 ] && echo 7|| echo 5). The shell variable phpmax indicates, based on the Alpine version, whether PHP 5 or 7 will be used in command lines such as apk add php$phpmax.
The following configuration is for high or huge loads on a server with 2G of RAM; for more information about configuring PHP on Alpine Linux, see the Production LAMP system: Lighttpd + PHP + MySQL wiki page.
sed -i -r 's|.*cgi.fix_pathinfo=.*|cgi.fix_pathinfo=1|g' /etc/php*/php.ini
sed -i -r 's#.*safe_mode =.*#safe_mode = Off#g' /etc/php*/php.ini
sed -i -r 's#.*expose_php =.*#expose_php = Off#g' /etc/php*/php.ini
sed -i -r 's#memory_limit =.*#memory_limit = 512M#g' /etc/php*/php.ini
sed -i -r 's#upload_max_filesize =.*#upload_max_filesize = 56M#g' /etc/php*/php.ini
sed -i -r 's#post_max_size =.*#post_max_size = 128M#g' /etc/php*/php.ini
sed -i -r 's#^file_uploads =.*#file_uploads = On#g' /etc/php*/php.ini
sed -i -r 's#^max_file_uploads =.*#max_file_uploads = 12#g' /etc/php*/php.ini
sed -i -r 's#^allow_url_fopen = .*#allow_url_fopen = On#g' /etc/php*/php.ini
sed -i -r 's#^.default_charset =.*#default_charset = "UTF-8"#g' /etc/php*/php.ini
sed -i -r 's#^.max_execution_time =.*#max_execution_time = 90#g' /etc/php*/php.ini
sed -i -r 's#^max_input_time =.*#max_input_time = 90#g' /etc/php*/php.ini
sed -i -r 's#.*date.timezone =.*#date.timezone = America/Panama#g' /etc/php*/php.ini
sed -i -r 's|.*events.mechanism =.*|events.mechanism = epoll|g' /etc/php*/php-fpm.conf
sed -i -r 's|.*emergency_restart_threshold =.*|emergency_restart_threshold = 12|g' /etc/php*/php-fpm.conf
sed -i -r 's|.*emergency_restart_interval =.*|emergency_restart_interval = 1m|g' /etc/php*/php-fpm.conf
sed -i -r 's|.*process_control_timeout =.*|process_control_timeout = 8s|g' /etc/php*/php-fpm.conf
sed -i -r 's|^.*pm.max_requests =.*|pm.max_requests = 10000|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*pm.max_children =.*|pm.max_children = 12|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*pm.start_servers =.*|pm.start_servers = 4|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*pm.min_spare_servers =.*|pm.min_spare_servers = 4|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*pm.max_spare_servers =.*|pm.max_spare_servers = 8|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*pm.process_idle_timeout =.*|pm.process_idle_timeout = 8s|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*pm =.*|pm = ondemand|g' /etc/php*/php-fpm.d/www.conf
mkdir -p /var/run/php-fpm7/
chown lighttpd:root /var/run/php-fpm7
sed -i -r 's|^.*listen =.*|listen = /run/php-fpm7/php7-fpm.sock|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^pid =.*|pid = /run/php-fpm7/php7-fpm.pid|g' /etc/php*/php-fpm.conf
# user and group are php-fpm pool directives, so they are set in www.conf
sed -i -r 's#^user =.*#user = lighttpd#g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's#^group =.*#group = lighttpd#g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*listen.owner =.*|listen.owner = lighttpd|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*listen.group =.*|listen.group = lighttpd|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*listen.mode =.*|listen.mode = 0660|g' /etc/php*/php-fpm.d/www.conf
rc-update add php-fpm7 default
service php-fpm7 restart
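Because sed -i exits successfully even when its pattern matches nothing, reading back the effective values catches edits that silently did not apply. The following is an added example, not part of the original page; the function names are hypothetical and the paths in the usage comment assume the php7 package layout.

```shell
#!/bin/sh
# Added example: confirm the php.ini / php-fpm pool edits took effect.
# sed -i exits 0 even when its pattern matched nothing, so check the result.

# effective_value FILE KEY: print the last uncommented "KEY = value" in FILE.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }                # commented-out directive
        {
            eq = index($0, "=")
            if (eq == 0) next                 # section header or blank line
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; seen = 1 }   # last assignment wins
        }
        END { if (seen) print val }
    ' "$1"
}

# check_setting FILE KEY EXPECTED: report the result, return 1 on mismatch.
check_setting() {
    actual=$(effective_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "ok   $2 = $actual ($1)"
    else
        echo "FAIL $2 = '${actual:-unset}', expected '$3' ($1)"
        return 1
    fi
}

# audit_php_config PHP_INI POOL_CONF: expected values are the ones the
# sed commands on this page are meant to write.
audit_php_config() {
    rc=0
    check_setting "$1" expose_php       Off      || rc=1
    check_setting "$1" cgi.fix_pathinfo 1        || rc=1
    for key in user group listen.owner listen.group; do
        check_setting "$2" "$key" lighttpd       || rc=1
    done
    check_setting "$2" listen.mode      0660     || rc=1
    return $rc
}

# Assumed usage: sh check.sh /etc/php7/php.ini /etc/php7/php-fpm.d/www.conf
if [ $# -eq 2 ]; then audit_php_config "$1" "$2"; fi
```

A FAIL line for listen.owner, listen.group or listen.mode means the FastCGI socket is still on the package defaults rather than restricted to the lighttpd user and group.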
Once PHP is ready, let's integrate it into the already installed web server; we have chosen lighttpd, so:
mkdir -p /var/www/localhost/cgi-bin
sed -i -r 's#\#.*mod_alias.*,.*# "mod_alias",#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#.*include "mod_cgi.conf".*# include "mod_cgi.conf"#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#.*include "mod_fastcgi.conf".*#\# include "mod_fastcgi.conf"#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#.*include "mod_fastcgi_fpm.conf".*# include "mod_fastcgi_fpm.conf"#g' /etc/lighttpd/lighttpd.conf
cat > /etc/lighttpd/mod_fastcgi_fpm.conf << EOF
server.modules += ( "mod_fastcgi" )
index-file.names += ( "index.php" )
fastcgi.server = (
    ".php" => (
        "localhost" => (
            "socket" => "/var/run/php-fpm7/php7-fpm.sock",
            "broken-scriptfilename" => "enable"
        ))
)
EOF
sed -i -r 's|^.*listen =.*|listen = /var/run/php-fpm7/php7-fpm.sock|g' /etc/php*/php-fpm.d/www.conf
rc-service php-fpm7 restart
rc-service lighttpd restart
echo "<?php echo phpinfo(); ?>" > /var/www/localhost/htdocs/info.php
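To test that PHP is working correctly, browse to http://ipaddress/info.php on the web server; of course, replace "ipaddress" with the IP of the web server. Delete info.php once the test succeeds, because phpinfo() output discloses the server's configuration.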
The Database: MariaDB installation and configuration
Warning: Cacti can also run with PostgreSQL, which is even a better choice for high-production and huge-data systems, but we only document MySQL here because PostgreSQL needs more complex tuning parameters.
Note: You can also install Adminer to manage the database through a web browser; see Adminer in production LAMP systems, which can manage any kind of database graphically.
After those commands, run the mysql_secure_installation script and answer as follows:
Enter current password for root (enter for none): Must be provided, because we already set it previously. The correct response is OK, successfully used password, moving on...
Switch to unix_socket authentication [Y/n] This is not the case here and must be disabled, so answer NO; the response will be ... skipping.
Change the root password? [Y/n] Press "n" only if you provided a good password; otherwise change it!
Remove anonymous users? [Y/n] A production system must always remove them, so answer Y; the proper response must be ... Success!.
Disallow root login remotely? [Y/n] Definitely answer Y; the proper response must be ... Success!.
Remove test database and access to it? [Y/n] It should be removed, so answer Y; the proper response must be ... Success!.
Reload privilege tables now? [Y/n] Answer Y; the proper response must be ... Success!.
After answering all the questions, restart the service with rc-service mariadb restart
The tools: net-snmp and rrdtool
Warning: Do not set agentAddress tcp:161,tcp6:[::1]:161. The package seems to add the UDP 161 protocol by default, so if you set it, the agent will only listen and show information over IPv6.
As of Alpine 3.12, Cacti is still in the edge branch, so we first pre-install the dependency packages and afterwards install only cacti itself from edge.
Installing Cacti Packages
Warning: As of Alpine 3.5, Cacti was a single package, "cacti"; since Alpine 3.6 the cacti package has been split into several packages. The commit that made a mess of everything is the one where a specific php-fpm pool was created for cacti. It is a mess because it is not documented, so we must avoid and ignore it and properly configure the general pool instead.
Cacti runs under the cacti user, but the web server user (apache2, lighttpd) also needs access, so enable group access and, as we said, temporarily grant world write permissions:
Temporarily grant access to the web server
Create the cacti database and populate it
Grant the Cacti MySQL user access (give it a more secure password):
Quit from the MySQL command prompt:
Import the initial Cacti MySQL database
Set the user, password, and database name in the cacti config file
Temporarily grant world permissions over the log and lib directories of cacti
chown -R cacti:lighttpd /usr/share/webapps/cacti/;chown -R cacti:lighttpd /var/lib/cacti/
mysql -u root -p -e "CREATE DATABASE cacti;"
mysql -u root -p -e "GRANT ALL ON cacti.* TO 'cactiuser'@'localhost' IDENTIFIED BY 'cactipassword';FLUSH PRIVILEGES;"
mysql -u root -p -e "GRANT GRANT OPTION ON cacti.* TO 'cactiuser'@'localhost';FLUSH PRIVILEGES;"
mysql -u root -p -e "GRANT SELECT ON mysql.time_zone_name TO 'cactiuser'@'localhost';"
# -p alone prompts for the password; "cacti" is the database name
mysql --user=cactiuser -p cacti < /usr/share/webapps/cacti/cacti.sql
# '\'' keeps the single quotes around the PHP string values
sed -i -r 's#\$database_default.*=.*;#\$database_default = '\''cacti'\'';#g' /etc/cacti/config.php
sed -i -r 's#\$database_username.*=.*;#\$database_username = '\''cactiuser'\'';#g' /etc/cacti/config.php
sed -i -r 's#\$database_password.*=.*;#\$database_password = '\''cactipassword'\'';#g' /etc/cacti/config.php
chmod 777 /var/log/cacti
chmod 666 /var/log/cacti/*.log
Cacti web setup install
Log in using:
user = admin, password = admin
Next you will be prompted to change the password:
Change the password.
In the web page click:
-> Next
Then select new install in case it is not selected:
-> New install, Next
Warning: Note that since Cacti 1.2.8, and still in Cacti 1.2.10, the installer has several errors with the Cacti_Stats.xml.gz template, so the last "check" has no description; you must uncheck the last one, as pointed out here: https://github.com/Cacti/cacti/issues/3313#issuecomment-594114681 This template can be installed later from the CLI with php -d max_execution_time=90 /usr/share/webapps/cacti/cli/import_package.php --filename=Cacti_Stats.xml.gz under the templates directory of the Cacti install, but currently it hangs and never installs. Reported at https://github.com/Cacti/cacti/issues/3313#issuecomment-601508135
As we said, Cacti needs a crontab for poll collection of data! These steps are not necessary since Alpine 3.7, because the cacti package already installs all the necessary files.
Note: These steps are only for older cacti packages of Alpine up to 3.6; since 3.7 the cacti packages already install the crontab for poll collection of data.