Cacti: traffic analysis and monitoring network: Difference between revisions

From Alpine Linux
(Category:PHP)
(property set the cacti documentations and added to my production wiki pages)
Line 1: Line 1:
{{Tip|This document has been tested on Alpine Linux 2.2.2 with cacti from the edge repository}}
Cacti is a complete network monitoring and data analising solution using RRDTool's data storage and graphing functionality. It is the most widely used monitoring tool by ISPs to see graphically the network.


Install needed packages:
== Dedicated host preconfiguration ==
{{Cmd|apk add lighttpd php cacti net-snmp-tools fcgi}}
Add php support to lighttpd (uncomment this line in /etc/lighttpd/lighttpd.conf):
include "mod_fastcgi.conf"


Save and exit editor.
'''Cacti have very special and fixed requirements''' from the host, so for productino systems must be installed on a dedicated host machine.


Create a softlink for the cacti web files:
=== hostname setup ===
 
<pre><nowiki>
hostname monitor
 
echo 'hostname="monitor"' > /etc/conf.d/hostname
 
echo "monitor" > /etc/hostname
 
cat > /etc/hosts << EOF
127.0.0.1 monitor.venenux.net monitor localhost.localdomain localhost
151.101.128.249 dl-cdn.alpinelinux.org
::1 localhost localhost.localdomain
EOF
</nowiki></pre>
 
We added as plus the ip address of cdn alpine linux to avoid more packeds from a DNS server.
 
=== repositories and need packages ===
 
Unfortunatelly some commands are more complex, we must take in consideration that common commands are just busybox minimalist versions, so we must change it to normal ones:
 
<pre><nowiki>
cat > /etc/apk/repositories << EOF
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/main
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/community
EOF
 
apk update
 
apk add attr dialog binutils findutils readline lsof less nano curl
 
export PAGER=less
 
cat > /etc/apk/repositories << EOF
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/main
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/community
http://uk.alpinelinux.org/alpine/edge/main
http://uk.alpinelinux.org/alpine/edge/community
EOF
 
apk update
 
apk add utmps
 
cat > /etc/apk/repositories << EOF
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/main
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/community
EOF
 
apk update
</nowiki></pre>
 
== Requirements ==
 
* A web server like lighttpd
* The PHP scripting support
* A database engine like mariadb
* To retreive data the net-snmp tools
* To graphics the data the rrtool package
 
{{Warning|These complex configurations '''will be necessary''', as Cacti is demanding in its requirements once installed to right functionality.}}
 
=== The web server: lighttpd installation and configuration ===
 
Cacti runs as a web program, so we need the web server configured, due apache2 are so famous we only will document the lighttpd, becose for more used options there's already so much info:
 
<pre><nowiki>
apk add lighttpd gamin
 
mkdir -p /var/www/localhost/htdocs
sed -i -r 's#\#.*server.port.*=.*#server.port          = 80#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#.*server.stat-cache-engine.*=.*# server.stat-cache-engine = "fam"#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#\#.*server.event-handler = "linux-sysepoll".*#server.event-handler = "linux-sysepoll"#g' /etc/lighttpd/lighttpd.conf
 
mkdir -p /var/www/localhost/htdocs/serverinfo
sed -i -r 's#\#.*mod_status.*,.*#    "mod_status",#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#.*status.status-url.*=.*#status.status-url  = "/serverinfo/server-status"#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#.*status.config-url.*=.*#status.config-url  = "/serverinfo/server-config"#g' /etc/lighttpd/lighttpd.conf
 
mkdir -p /var/www/localhost/cgi-bin
sed -i -r 's#\#.*mod_alias.*,.*#    "mod_alias",#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#.*include "mod_cgi.conf".*#  include "mod_cgi.conf"#g' /etc/lighttpd/lighttpd.conf
 
mkdir -p /var/lib/lighttpd
chown -R lighttpd:lighttpd /var/www/localhost/
chown -R lighttpd:lighttpd /var/lib/lighttpd
chown -R lighttpd:lighttpd /var/log/lighttpd
 
rc-update add lighttpd default
 
rc-service lighttpd restart
 
checkset="";checkset=$(grep 'noatime' /etc/lighttpd/lighttpd.conf);[[ "$checkset" != "" ]] && echo listo || sed -i -r 's#server settings.*#server settings"\nserver.use-noatime = "enable"\n#g' /etc/lighttpd/lighttpd.conf
 
checkset="";checkset=$(grep 'network-backend' /etc/lighttpd/lighttpd.conf);[[ "$checkset" != "" ]] && echo listo || sed -i -r 's#server settings.*#server settings"\nserver.network-backend = "linux-sendfile"\n#g' /etc/lighttpd/lighttpd.conf
 
checkset="";checkset=$(grep 'max-fds' /etc/lighttpd/lighttpd.conf);[[ "$checkset" != "" ]] && echo listo || sed -i -r 's#server settings.*#server settings\nserver.max-fds = 2048\n#g' /etc/lighttpd/lighttpd.conf
 
rc-service lighttpd restart
</nowiki></pre>
 
{{Note|Next steps are purelly optional, just made to able to use only https to all the traffic between the host monitor of cacti and the rest of monitoring devices!}}
 
<pre><nowiki>
apk add openssl
 
mkdir -p /etc/ssl/certs/
 
openssl req -x509 -days 1460 -nodes -newkey rsa:4096 \
  -subj "/C=VE/ST=Bolivar/L=Upata/O=VenenuX/OU=Systemas:hozYmartillo/CN=localhost" \
  -keyout /etc/ssl/certs/localhost.pem -out /etc/ssl/certs/localhost.pem
 
chmod 755 /etc/ssl/certs/localhost.pem
 
cat > /etc/lighttpd/mod_ssl.conf << EOF
server.modules += ("mod_openssl")
\$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/ssl/certs/localhost.pem"
    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    ssl.honor-cipher-order = "enable"
}
\$HTTP["scheme"] == "http" {
    \$HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0\$0")
    }
}
EOF
sed -i -r 's#\#.*mod_redirect.*,.*#    "mod_redirect",#g' /etc/lighttpd/lighttpd.conf
itawxrc="";itawxrc=$(grep 'include "mod_ssl.conf' /etc/lighttpd/lighttpd.conf);[[ "$itawxrc" != "" ]] && echo listo || sed -i -r 's#.*include "mime-types.conf".*#include "mime-types.conf"\ninclude "mod_ssl.conf"#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#ssl.pemfile.*=.*#ssl.pemfile  = "/etc/ssl/certs/localhost.pem"#g' /etc/lighttpd/lighttpd.conf
rc-service lighttpd restart
</nowiki></pre>
 
=== The PHP: installation and configurations ===
 
Next requirement are the PHP scripting lang, becose Cacti are build with PHP, and has support for LDAP also.
 
{{Note|Cacti supports PHP5 and PHP7, in next section we will only cover PHP7 becose are the only availabe at recent Alpine versions, but if you use any older Alpine host for testing, you can use this command to detect what to install <code><nowiki>export phpmax=$(debver=$(cat /etc/alpine-release|cut -d '.' -f1);[ $debver -ge 6 ] && echo  7|| echo 5)</nowiki></code>, the shel var <code>phpmax</code> indicates based on Alpine version if 5 or 7 php will be used in command lines as: <code>apk add php$phpmax</code>.}}
 
<pre><nowiki>
 
apk add php7-fpm php7-bcmath php7-bz2 php7-ctype php7-curl php7-dom \
php7-enchant php7-exif php7-gd php7-gettext php7-gmp php7-iconv \
php7-imap php7-intl php7-json php7-mbstring php7-opcache php7-openssl \
php7-phar php7-posix php7-pspell php7-recode php7-session php7-simplexml \
php7-sockets php7-sysvmsg php7-sysvsem php7-sysvshm php7-tidy php7-tokenizer \
php7-xml php7-xmlreader php7-xmlrpc php7-xmlwriter php7-xsl php7-zip php7-sqlite3 \
php7-gd php7-gmp php7-ldap php7-openssl php7-pdo_mysql php7-posix php7-sockets php7-xml
 
apk add php7-pdo php7-pdo_mysql php7-mysqli php7-pdo_sqlite php7-sqlite3 \
php7-odbc php7-pdo_odbc php7-dba
</nowiki></pre>
 
The following configurations are for high or huge loads on a 2G RAM server, for more information about configuring PHP on Alpine linux see [[Production LAMP system: Lighttpd + PHP + MySQL]] wiki page.
 
<pre><nowiki>
sed -i -r 's|.*cgi.fix_pathinfo=.*|cgi.fix_pathinfo=1|g' /etc/php*/php.ini
sed -i -r 's#.*safe_mode =.*#safe_mode = Off#g' /etc/php*/php.ini
sed -i -r 's#.*expose_php =.*#expose_php = Off#g' /etc/php*/php.ini
sed -i -r 's#memory_limit =.*#memory_limit = 512M#g' /etc/php*/php.ini
sed -i -r 's#upload_max_filesize =.*#upload_max_filesize = 56M#g' /etc/php*/php.ini
sed -i -r 's#post_max_size =.*#post_max_size = 128M#g' /etc/php*/php.ini
sed -i -r 's#^file_uploads =.*#file_uploads = On#g' /etc/php*/php.ini
sed -i -r 's#^max_file_uploads =.*#max_file_uploads = 12#g' /etc/php*/php.ini
sed -i -r 's#^allow_url_fopen = .*#allow_url_fopen = On#g' /etc/php*/php.ini
sed -i -r 's#^.default_charset =.*#default_charset = "UTF-8"#g' /etc/php*/php.ini
sed -i -r 's#^.max_execution_time =.*#max_execution_time = 90#g' /etc/php*/php.ini
sed -i -r 's#^max_input_time =.*#max_input_time = 90#g' /etc/php*/php.ini
sed -i -r 's#.*date.timezone =.*#date.timezone = America/Panama#g' /etc/php*/php.ini
 
sed -i -r 's|.*events.mechanism =.*|events.mechanism = epoll|g' /etc/php*/php-fpm.conf
sed -i -r 's|.*emergency_restart_threshold =.*|emergency_restart_threshold = 12|g' /etc/php*/php-fpm.conf
sed -i -r 's|.*emergency_restart_interval =.*|emergency_restart_interval = 1m|g' /etc/php*/php-fpm.conf
sed -i -r 's|.*process_control_timeout =.*|process_control_timeout = 8s|g' /etc/php*/php-fpm.conf
 
sed -i -r 's|^.*pm.max_requests =.*|pm.max_requests = 10000|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*pm.max_children =.*|pm.max_children = 12|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*pm.start_servers =.*|pm.start_servers = 4|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*pm.min_spare_servers =.*|pm.min_spare_servers = 4|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*pm.max_spare_servers =.*|pm.max_spare_servers = 8|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*pm.process_idle_timeout =.*|pm.process_idle_timeout = 8s|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*pm =.*|pm = ondemand|g' /etc/php*/php-fpm.d/www.conf
 
mkdir -p /var/run/php-fpm7/
 
chown lighttpd:root /var/run/php-fpm7
 
sed -i -r 's|^.*listen =.*|listen = /run/php-fpm7/php7-fpm.sock|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^pid =.*|pid = /run/php-fpm7/php7-fpm.pid|g' /etc/php*/php-fpm.conf
sed -i -r 's#^user =.*#user = lighttpd#g' /etc/php*/php.ini
sed -i -r 's#^group =.*#group = lighttpd#g' /etc/php*/php.ini
sed -i -r 's|^.*listen.owner =.*|listen.owner = lighttpd|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*listen.group =.*|listen.group = lighttpd|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*listen.mode =.*|listen.mode = 0660|g' /etc/php*/php-fpm.d/www.conf
 
rc-update add php-fpm7 default
 
service php-fpm7 restart
</nowiki></pre>
 
After have php ready, lest integrate into the current preinstalled web server, we already choose lighttpd so:
 
<pre><nowiki>
mkdir -p /var/www/localhost/cgi-bin
 
sed -i -r 's#\#.*mod_alias.*,.*#    "mod_alias",#g' /etc/lighttpd/lighttpd.conf
 
sed -i -r 's#.*include "mod_cgi.conf".*#  include "mod_cgi.conf"#g' /etc/lighttpd/lighttpd.conf
 
sed -i -r 's#.*include "mod_fastcgi.conf".*#\#  include "mod_fastcgi.conf"#g' /etc/lighttpd/lighttpd.conf
 
sed -i -r 's#.*include "mod_fastcgi_fpm.conf".*#  include "mod_fastcgi_fpm.conf"#g' /etc/lighttpd/lighttpd.conf
 
cat > /etc/lighttpd/mod_fastcgi_fpm.conf << EOF
server.modules += ( "mod_fastcgi" )
index-file.names += ( "index.php" )
fastcgi.server = (
    ".php" => (
      "localhost" => (
        "socket"                => "/var/run/php-fpm7/php7-fpm.sock",
        "broken-scriptfilename" => "enable"
      ))
)
EOF
 
sed -i -r 's|^.*listen =.*|listen = /var/run/php-fpm7/php7-fpm.sock|g' /etc/php*/php-fpm.d/www.conf
 
sed -i -r 'php-fpm7 restart
 
rc-service lighttpd restart
 
echo "<?php echo phpinfo(); ?>" > /var/www/localhost/htdocs/info.php
</nowiki></pre>
 
To test PHP are woring correctly, browse the web server with <code>http://ipaddress/info.php</code> of course change "ipaddrs" with the ip of the web server.
 
=== the Database: mariadb installation and configuration ===
 
{{Warning|Cacti also can run with PostgreSQL, inclusivelly are a better choice for high production and huge data systems, but we documented here mysql only due postgresql need more complex tunning parameters}}
 
{{Note|Also can install '''adminer to manage the database''' using web browsing, see [[Production LAMP system: Lighttpd + PHP + MySQL#adminer:_Web_Frontend_administration|Adminer in production LAMP systems]] that can manage any kind of database graphically}}
 
<pre><nowiki>
apk add mysql mysql-client tzdata
 
mysql_install_db --user=mysql --datadir=/var/lib/mysql
 
rc-service mariadb start
 
mysql_tzinfo_to_sql /usr/share/zoneinfo/ | mysql -u root mysql
 
sed -i "s|.*max_allowed_packet\s*=.*|max_allowed_packet = 100M|g" /etc/my.cnf.d/mariadb-server.cnf
 
sed -i "s|.*bind-address\s*=.*|bind-address=127.0.0.1|g" /etc/mysql/my.cnf
sed -i "s|.*bind-address\s*=.*|bind-address=127.0.0.1|g" /etc/my.cnf.d/mariadb-server.cnf
 
cat > /etc/my.cnf.d/mariadb-server-default-charset.cnf << EOF
[client]
default-character-set = utf8mb4
 
[mysql]
default-character-set = utf8mb4
EOF
 
cat > /etc/my.cnf.d/mariadb-server-default-highload.cnf << EOF
[mysqld]
collation_server = utf8mb4_unicode_ci
character_set_server = utf8mb4
max_heap_table_size = 32M
tmp_table_size      = 32M
join_buffer_size    = 62M
innodb_file_format  = Barracuda
innodb_large_prefix = 1
innodb_buffer_pool_size = 512M
innodb_flush_log_at_timeout = 3
innodb_read_io_threads  = 32
innodb_buffer_pool_instances = 1
innodb_io_capacity    = 5000
innodb_io_capacity_max = 10000
EOF
 
rc-service mariadb restart
 
rc-update add mariadb default
</nowiki></pre>
 
After those commands runs the <code>mysql_secure_installation</code> script and answer as follows:
 
# '''Enter current password for root (enter for none):''' must be provided due we already set previously. correct respond are <code>OK, successfully used password, moving on...</code>
#  '''Switch to unix_socket authentication [Y/n]''' this are not the case and must be disabled, '''so answer NO''', and response will be <code>... skipping.</code>
# '''Change the root password? [Y/n]''' Just press "n" only if you provided a good password, otherwise just change it!
# '''Remove anonymous users? [Y/n]''' In any case, '''production system must remove it, so answer Y''' and proper respond mus be  <code>... Success!</code>.
# '''Disallow root login remotely? [Y/n]''' For sure answer Y''' and proper respond mus be  <code>... Success!</code>.
# '''Remove test database and access to it? [Y/n]''' Should be removed, so answer Y''' and proper respond mus be  <code>... Success!</code>.
# '''Reload privilege tables now? [Y/n]''' Aanswer Y''' and proper respond mus be  <code>... Success!</code>.
 
After reponse all the questions.. restart the service with <code>rs-service mariadb restart</code>
 
=== The tools: net-snmp and rrtool ===
 
WIP
 
<pre><nowiki>apk add net-snmp net-snmp-tools rrtool</nowiki></pre>
 
== Cacti Installation ==
 
As of Alpine 3.12, Cacti still are in edge branch, so we first pre-install the depends packages and later only from edge the cacti alone.
 
=== Depends Package requirements ===
 
{{Warning|As of Alpine 3.12, Cacti still are in edge branch so '''we need to separate stable package depends from cacti package it selft at install them''', if not, any security fix will be bypass if you will run production stable release (due that package was installed from edge and are more up to date rather than the stable ones).}}
 
<pre><nowiki>
cat > /etc/apk/repositories << EOF
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/main
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/community
EOF
 
apk update
 
apk add bash busybox coreutils net-snmp-tools perl rrdtool ttf-dejavu php7-snmp
</nowiki></pre>
 
=== Cacti packages install ===
 
{{Warning|As of Alpine 3.12, Cacti still are in edge branch so '''we need to separate stable package depends from cacti package it selft at install them''', if not, any security fix will be bypass if you will run production stable release (due that package was installed from edge and are more up to date rather than the stable ones).}}
 
<pre><nowiki>
cat > /etc/apk/repositories << EOF
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/main
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/community
http://dl-cdn.alpinelinux.org/alpine/edge/main
http://dl-cdn.alpinelinux.org/alpine/edge/community
http://dl-cdn.alpinelinux.org/alpine/edge/testing
EOF
 
apk update
 
apk add cacti cacti-setup cacti-php7 cacti-lang
 
cat > /etc/apk/repositories << EOF
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/main
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/community
EOF
 
apk update
</nowiki></pre>
 
=== Pre configurations ===
 
Cacti are run under cacti user, but lighttpd user also needs access durint install setup, so we temporally set all world write permissions to the files and later fix the permissions access:


{{Cmd|ln -s /usr/share/webapps/cacti /var/www/localhost/htdocs/cacti}}
{{Cmd|ln -s /usr/share/webapps/cacti /var/www/localhost/htdocs/cacti}}
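Review bot: The optional HTTPS block leaves the TLS private key world-readable: `-keyout` and `-out` both write to /etc/ssl/certs/localhost.pem and the next command is `chmod 755` on that file, so give it an owner-only mode such as 400 instead. The `ssl.cipher-list` in the same block enables RC4 and excludes AESGCM; drop RC4 and keep the GCM suites. In the lighttpd/PHP integration block, `sed -i -r 'php-fpm7 restart` has an unterminated quote and no sed script, and looks like it was meant to restart the php-fpm7 service.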
Line 18: Line 367:
In case you are using other web server than lighttpd have to assign permits to that user.
In case you are using other web server than lighttpd have to assign permits to that user.
If it hasn't already been done, setup MySQL:
If it hasn't already been done, setup MySQL:
{{Cmd|apk add mysql-client}}
{{Cmd|<nowiki>mysql_install_db --user=mysql</nowiki>}}
{{Cmd|/etc/init.d/mysql start}}
{{Cmd|mysql_secure_installation}}
Create the cacti database and populate it
Create the cacti database and populate it
Grant Cacti MySQL user access (give it a more secure password):
Quit from Mysql command prompt:
Import the initial Cacti MySQL database


{{Cmd| mysql -u root -p}}
{{Cmd| mysql -u root -p}}
{{Cmd| mysql> create database cacti;}}
{{Cmd| mysql> create database cacti;}}
Grant Cacti MySQL user access (give it a more secure password):
{{Cmd| mysql> grant all on cacti.* to 'cactiuser'@'localhost' identified by 'MostSecurePassword'; flush privileges;}}
{{Cmd| mysql> grant all on cacti.* to 'cactiuser'@'localhost' identified by 'MostSecurePassword'; flush privileges;}}
Quit from Mysql command prompt:
{{Cmd| mysql> \q }}
{{Cmd| mysql> \q }}
{{Cmd|<nowiki>mysql --user=cacti -p cacti < /usr/share/webapps/cacti/cacti.sql</nowiki>}}


Edit and put in the password you used in the above step for the mysql user.  
Edit and put in the password you used in the above step for the mysql user.  
Line 41: Line 382:
{{Cmd|vi /var/www/localhost/htdocs/cacti/include/config.php}}
{{Cmd|vi /var/www/localhost/htdocs/cacti/include/config.php}}


Import the initial Cacti MySQL config:
=== Cacti web setup install ===
 
{{Cmd|<nowiki>mysql --user=cacti -p cacti < /usr/share/webapps/cacti/cacti.sql</nowiki>}}
 
Set lighttpd to autostart and start the daemon.
 
{{Cmd|rc-update add lighttpd && rc-service lighttpd start}}
 
Browse to http://localhost/cacti/<br />


In the web page click:
In the web page click:
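Review bot: Under "Cacti web setup install" the import runs as `mysql --user=cacti -p cacti`, while the grant shown earlier on the page is for 'cactiuser'@'localhost'. The two account names should match, and the same name and password belong in include/config.php, otherwise the reader cannot tell which account the web setup is expected to use.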
Line 72: Line 405:
Add your devices and you're ready to start monitoring!
Add your devices and you're ready to start monitoring!


= See Also =
* [[Production LAMP system: Lighttpd + PHP + MySQL]]
* [[Production Lets Encrypt: dehydrated]]
* [[Alpine newbie developer]]
* [[Alpine newbie lammers]]
[[Category:Newbie]]
[[Category:Server]]
[[Category:Web_Server]]
[[Category:PHP]]
[[Category:Monitoring]]
[[Category:Monitoring]]
[[Category:PHP]]
[[Category:Development]]
[[Category:Security]]
[[Category:Production]]

Revision as of 15:34, 12 March 2020

Cacti is a complete network monitoring and data analysis solution using RRDTool's data storage and graphing functionality. It is the monitoring tool most widely used by ISPs to view their networks graphically.

Dedicated host preconfiguration

Cacti has very specific, fixed requirements of its host, so on production systems it must be installed on a dedicated host machine.

hostname setup

hostname monitor

echo 'hostname="monitor"' > /etc/conf.d/hostname 

echo "monitor" > /etc/hostname

cat > /etc/hosts << EOF
127.0.0.1 monitor.venenux.net monitor localhost.localdomain localhost
151.101.128.249 dl-cdn.alpinelinux.org
::1 localhost localhost.localdomain
EOF

As an extra, we added the IP address of the Alpine Linux CDN to avoid sending more packets to a DNS server.

repositories and needed packages

Unfortunately, some of the commands used later are more complex. The common commands on Alpine are just minimalist BusyBox versions, so we must replace them with the full ones:

cat > /etc/apk/repositories << EOF
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/main
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/community
EOF

apk update

apk add attr dialog binutils findutils readline lsof less nano curl

export PAGER=less

cat > /etc/apk/repositories << EOF
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/main
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/community
http://uk.alpinelinux.org/alpine/edge/main
http://uk.alpinelinux.org/alpine/edge/community
EOF

apk update

apk add utmps

cat > /etc/apk/repositories << EOF
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/main
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/community
EOF

apk update

Requirements

  • A web server like lighttpd
  • PHP scripting support
  • A database engine like mariadb
  • The net-snmp tools, to retrieve the data
  • The rrdtool package, to graph the data

Warning: These complex configurations will be necessary, as Cacti is demanding in its requirements to function correctly once installed.


The web server: lighttpd installation and configuration

Cacti runs as a web application, so we need a configured web server. Because apache2 is so well known, we document only lighttpd here; for the more widely used options there is already plenty of information:

apk add lighttpd gamin

mkdir -p /var/www/localhost/htdocs
sed -i -r 's#\#.*server.port.*=.*#server.port          = 80#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#.*server.stat-cache-engine.*=.*# server.stat-cache-engine = "fam"#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#\#.*server.event-handler = "linux-sysepoll".*#server.event-handler = "linux-sysepoll"#g' /etc/lighttpd/lighttpd.conf

mkdir -p /var/www/localhost/htdocs/serverinfo
sed -i -r 's#\#.*mod_status.*,.*#    "mod_status",#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#.*status.status-url.*=.*#status.status-url  = "/serverinfo/server-status"#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#.*status.config-url.*=.*#status.config-url  = "/serverinfo/server-config"#g' /etc/lighttpd/lighttpd.conf

mkdir -p /var/www/localhost/cgi-bin
sed -i -r 's#\#.*mod_alias.*,.*#    "mod_alias",#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#.*include "mod_cgi.conf".*#   include "mod_cgi.conf"#g' /etc/lighttpd/lighttpd.conf

mkdir -p /var/lib/lighttpd
chown -R lighttpd:lighttpd /var/www/localhost/
chown -R lighttpd:lighttpd /var/lib/lighttpd
chown -R lighttpd:lighttpd /var/log/lighttpd

rc-update add lighttpd default

rc-service lighttpd restart

checkset="";checkset=$(grep 'noatime' /etc/lighttpd/lighttpd.conf);[[ "$checkset" != "" ]] && echo listo || sed -i -r 's#server settings.*#server settings\nserver.use-noatime = "enable"\n#g' /etc/lighttpd/lighttpd.conf

checkset="";checkset=$(grep 'network-backend' /etc/lighttpd/lighttpd.conf);[[ "$checkset" != "" ]] && echo listo || sed -i -r 's#server settings.*#server settings\nserver.network-backend = "linux-sendfile"\n#g' /etc/lighttpd/lighttpd.conf

checkset="";checkset=$(grep 'max-fds' /etc/lighttpd/lighttpd.conf);[[ "$checkset" != "" ]] && echo listo || sed -i -r 's#server settings.*#server settings\nserver.max-fds = 2048\n#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart

Note: The next steps are purely optional. They are only there so that all traffic between the Cacti monitor host and the rest of the monitoring devices uses HTTPS only.

apk add openssl

mkdir -p /etc/ssl/certs/

openssl req -x509 -days 1460 -nodes -newkey rsa:4096 \
   -subj "/C=VE/ST=Bolivar/L=Upata/O=VenenuX/OU=Systemas:hozYmartillo/CN=localhost" \
   -keyout /etc/ssl/certs/localhost.pem -out /etc/ssl/certs/localhost.pem

chmod 755 /etc/ssl/certs/localhost.pem

cat > /etc/lighttpd/mod_ssl.conf << EOF
server.modules += ("mod_openssl")
\$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/ssl/certs/localhost.pem"
    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    ssl.honor-cipher-order = "enable"
}
\$HTTP["scheme"] == "http" {
    \$HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0\$0")
    }
}
EOF
sed -i -r 's#\#.*mod_redirect.*,.*#    "mod_redirect",#g' /etc/lighttpd/lighttpd.conf
itawxrc="";itawxrc=$(grep 'include "mod_ssl.conf' /etc/lighttpd/lighttpd.conf);[[ "$itawxrc" != "" ]] && echo listo || sed -i -r 's#.*include "mime-types.conf".*#include "mime-types.conf"\ninclude "mod_ssl.conf"#g' /etc/lighttpd/lighttpd.conf
sed -i -r 's#ssl.pemfile.*=.*#ssl.pemfile   = "/etc/ssl/certs/localhost.pem"#g' /etc/lighttpd/lighttpd.conf
rc-service lighttpd restart
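
Two settings in the HTTPS block above weaken it: the PEM file holds the private key and is made world-readable by chmod 755, and the cipher list enables RC4 while excluding the AES-GCM suites. The check below is an added example, not part of the original wiki page; the function names are hypothetical, the sample files are constructed in a scratch directory, and mode 400 assumes lighttpd is started as root and reads ssl.pemfile before dropping privileges.

```shell
#!/bin/sh
# Added example, not from the wiki page. Function names are hypothetical.

# Print every token of an OpenSSL cipher string that enables a weak cipher
# family or excludes the AES-GCM (AEAD) suites.
weak_cipher_tokens() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r tok; do
        case "$tok" in
            '!'*AESGCM*|-*AESGCM*) echo "$tok" ;;   # removes the AEAD suites
            '!'*|-*) ;;                              # other exclusions are fine
            *RC4*|*DES*|*MD5*|*NULL*|*EXP*|LOW) echo "$tok" ;;
        esac
    done
}

# Succeed only if FILE exists and grants nothing to group or other.
key_file_private() {
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Audit CONF (a lighttpd config holding ssl.cipher-list) and PEM (the file
# named by ssl.pemfile). Prints one line per finding; the exit status is the
# number of findings, so 0 means clean.
audit_tls() {
    conf=$1 pem=$2 findings=0
    list=$(sed -n 's/^[[:space:]]*ssl\.cipher-list[[:space:]]*=[[:space:]]*"\(.*\)".*/\1/p' "$conf" | head -n 1)
    for tok in $(weak_cipher_tokens "$list"); do
        echo "ssl.cipher-list: weak token '$tok'"
        findings=$((findings + 1))
    done
    if ! key_file_private "$pem"; then
        echo "ssl.pemfile: $pem is missing or accessible to group/other"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample that reproduces the page's settings.
demo_dir=$(mktemp -d)
cat > "$demo_dir/mod_ssl.conf" << 'EOF'
ssl.engine  = "enable"
ssl.pemfile = "/etc/ssl/certs/localhost.pem"
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
EOF
: > "$demo_dir/localhost.pem"            # stand-in for the key+certificate file
chmod 755 "$demo_dir/localhost.pem"
audit_tls "$demo_dir/mod_ssl.conf" "$demo_dir/localhost.pem" || echo "findings: $?"

# Corrected: owner-only key file, AEAD suites only, no RC4.
chmod 400 "$demo_dir/localhost.pem"
cat > "$demo_dir/mod_ssl.conf" << 'EOF'
ssl.engine  = "enable"
ssl.pemfile = "/etc/ssl/certs/localhost.pem"
ssl.cipher-list = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305"
EOF
audit_tls "$demo_dir/mod_ssl.conf" "$demo_dir/localhost.pem" && echo "no findings"
rm -rf "$demo_dir"
```

On the host, the same check is run as audit_tls /etc/lighttpd/mod_ssl.conf /etc/ssl/certs/localhost.pem.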

The PHP: installation and configurations

The next requirement is the PHP scripting language, because Cacti is built with PHP; it also has support for LDAP.

Note: Cacti supports PHP5 and PHP7. The next section covers only PHP7 because it is the only one available in recent Alpine versions, but if you use an older Alpine host for testing, you can use this command to detect what to install: export phpmax=$(debver=$(cat /etc/alpine-release|cut -d '.' -f1);[ $debver -ge 6 ] && echo 7|| echo 5). The shell variable phpmax indicates, based on the Alpine version, whether PHP 5 or 7 will be used in command lines such as: apk add php$phpmax.

apk add php7-fpm php7-bcmath php7-bz2 php7-ctype php7-curl php7-dom \
 php7-enchant php7-exif php7-gd php7-gettext php7-gmp php7-iconv \
 php7-imap php7-intl php7-json php7-mbstring php7-opcache php7-openssl \
 php7-phar php7-posix php7-pspell php7-recode php7-session php7-simplexml \
 php7-sockets php7-sysvmsg php7-sysvsem php7-sysvshm php7-tidy php7-tokenizer \
 php7-xml php7-xmlreader php7-xmlrpc php7-xmlwriter php7-xsl php7-zip php7-sqlite3 \
 php7-gd php7-gmp php7-ldap php7-openssl php7-pdo_mysql php7-posix php7-sockets php7-xml

apk add php7-pdo php7-pdo_mysql php7-mysqli php7-pdo_sqlite php7-sqlite3 \
 php7-odbc php7-pdo_odbc php7-dba

The following configuration is for high or huge loads on a server with 2G of RAM; for more information about configuring PHP on Alpine Linux, see the Production LAMP system: Lighttpd + PHP + MySQL wiki page.

sed -i -r 's|.*cgi.fix_pathinfo=.*|cgi.fix_pathinfo=1|g' /etc/php*/php.ini
sed -i -r 's#.*safe_mode =.*#safe_mode = Off#g' /etc/php*/php.ini
sed -i -r 's#.*expose_php =.*#expose_php = Off#g' /etc/php*/php.ini
sed -i -r 's#memory_limit =.*#memory_limit = 512M#g' /etc/php*/php.ini
sed -i -r 's#upload_max_filesize =.*#upload_max_filesize = 56M#g' /etc/php*/php.ini
sed -i -r 's#post_max_size =.*#post_max_size = 128M#g' /etc/php*/php.ini
sed -i -r 's#^file_uploads =.*#file_uploads = On#g' /etc/php*/php.ini
sed -i -r 's#^max_file_uploads =.*#max_file_uploads = 12#g' /etc/php*/php.ini
sed -i -r 's#^allow_url_fopen = .*#allow_url_fopen = On#g' /etc/php*/php.ini
sed -i -r 's#^.default_charset =.*#default_charset = "UTF-8"#g' /etc/php*/php.ini
sed -i -r 's#^.max_execution_time =.*#max_execution_time = 90#g' /etc/php*/php.ini
sed -i -r 's#^max_input_time =.*#max_input_time = 90#g' /etc/php*/php.ini
sed -i -r 's#.*date.timezone =.*#date.timezone = America/Panama#g' /etc/php*/php.ini

sed -i -r 's|.*events.mechanism =.*|events.mechanism = epoll|g' /etc/php*/php-fpm.conf
sed -i -r 's|.*emergency_restart_threshold =.*|emergency_restart_threshold = 12|g' /etc/php*/php-fpm.conf
sed -i -r 's|.*emergency_restart_interval =.*|emergency_restart_interval = 1m|g' /etc/php*/php-fpm.conf
sed -i -r 's|.*process_control_timeout =.*|process_control_timeout = 8s|g' /etc/php*/php-fpm.conf

sed -i -r 's|^.*pm.max_requests =.*|pm.max_requests = 10000|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*pm.max_children =.*|pm.max_children = 12|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*pm.start_servers =.*|pm.start_servers = 4|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*pm.min_spare_servers =.*|pm.min_spare_servers = 4|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*pm.max_spare_servers =.*|pm.max_spare_servers = 8|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*pm.process_idle_timeout =.*|pm.process_idle_timeout = 8s|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*pm =.*|pm = ondemand|g' /etc/php*/php-fpm.d/www.conf

mkdir -p /var/run/php-fpm7/

chown lighttpd:root /var/run/php-fpm7

sed -i -r 's|^.*listen =.*|listen = /run/php-fpm7/php7-fpm.sock|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^pid =.*|pid = /run/php-fpm7/php7-fpm.pid|g' /etc/php*/php-fpm.conf
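# user and group are php-fpm pool settings, so they are changed in www.conf, not php.ini
sed -i -r 's#^user =.*#user = lighttpd#g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's#^group =.*#group = lighttpd#g' /etc/php*/php-fpm.d/www.conf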
sed -i -r 's|^.*listen.owner =.*|listen.owner = lighttpd|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*listen.group =.*|listen.group = lighttpd|g' /etc/php*/php-fpm.d/www.conf
sed -i -r 's|^.*listen.mode =.*|listen.mode = 0660|g' /etc/php*/php-fpm.d/www.conf

rc-update add php-fpm7 default

service php-fpm7 restart

Once PHP is ready, let's integrate it into the web server installed earlier; we already chose lighttpd, so:

mkdir -p /var/www/localhost/cgi-bin

sed -i -r 's#\#.*mod_alias.*,.*#    "mod_alias",#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*include "mod_cgi.conf".*#   include "mod_cgi.conf"#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*include "mod_fastcgi.conf".*#\#   include "mod_fastcgi.conf"#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*include "mod_fastcgi_fpm.conf".*#   include "mod_fastcgi_fpm.conf"#g' /etc/lighttpd/lighttpd.conf

cat > /etc/lighttpd/mod_fastcgi_fpm.conf << EOF
server.modules += ( "mod_fastcgi" )
index-file.names += ( "index.php" )
fastcgi.server = (
    ".php" => (
      "localhost" => (
        "socket"                => "/var/run/php-fpm7/php7-fpm.sock",
        "broken-scriptfilename" => "enable"
      ))
)
EOF

sed -i -r 's|^.*listen =.*|listen = /var/run/php-fpm7/php7-fpm.sock|g' /etc/php*/php-fpm.d/www.conf

rc-service php-fpm7 restart

rc-service lighttpd restart

echo "<?php echo phpinfo(); ?>" > /var/www/localhost/htdocs/info.php

To test that PHP is working correctly, browse to http://ipaddress/info.php, replacing "ipaddress" with the IP of the web server. Remove info.php once the test is done, since the phpinfo() output discloses the server's configuration.

the Database: mariadb installation and configuration

Warning: Cacti can also run with PostgreSQL, which is even a better choice for high-production and huge-data systems, but we document only MySQL here because PostgreSQL needs more complex tuning parameters.


Note: You can also install adminer to manage the database from a web browser; see Adminer in production LAMP systems. It can manage any kind of database graphically.

apk add mysql mysql-client tzdata

mysql_install_db --user=mysql --datadir=/var/lib/mysql

rc-service mariadb start

mysql_tzinfo_to_sql /usr/share/zoneinfo/ | mysql -u root mysql

sed -i "s|.*max_allowed_packet\s*=.*|max_allowed_packet = 100M|g" /etc/my.cnf.d/mariadb-server.cnf

sed -i "s|.*bind-address\s*=.*|bind-address=127.0.0.1|g" /etc/mysql/my.cnf
sed -i "s|.*bind-address\s*=.*|bind-address=127.0.0.1|g" /etc/my.cnf.d/mariadb-server.cnf

cat > /etc/my.cnf.d/mariadb-server-default-charset.cnf << EOF
[client]
default-character-set = utf8mb4

[mysql]
default-character-set = utf8mb4
EOF

cat > /etc/my.cnf.d/mariadb-server-default-highload.cnf << EOF
[mysqld]
collation_server = utf8mb4_unicode_ci
character_set_server = utf8mb4
max_heap_table_size = 32M
tmp_table_size      = 32M
join_buffer_size    = 62M
innodb_file_format  = Barracuda
innodb_large_prefix = 1
innodb_buffer_pool_size = 512M
innodb_flush_log_at_timeout = 3
innodb_read_io_threads  = 32
innodb_buffer_pool_instances = 1
innodb_io_capacity     = 5000
innodb_io_capacity_max = 10000
EOF

rc-service mariadb restart

rc-update add mariadb default

After those commands, run the mysql_secure_installation script and answer as follows:

  1. Enter current password for root (enter for none): it must be provided, since we already set it previously. The correct response is OK, successfully used password, moving on...
  2. Switch to unix_socket authentication [Y/n] This is not our case and must be disabled, so answer NO; the response will be ... skipping.
  3. Change the root password? [Y/n] Press "n" only if you already provided a good password; otherwise change it!
  4. Remove anonymous users? [Y/n] In any case, a production system must remove them, so answer Y; the proper response must be ... Success!.
  5. Disallow root login remotely? [Y/n] Answer Y for sure; the proper response must be ... Success!.
  6. Remove test database and access to it? [Y/n] It should be removed, so answer Y; the proper response must be ... Success!.
  7. Reload privilege tables now? [Y/n] Answer Y; the proper response must be ... Success!.

After answering all the questions, restart the service with rc-service mariadb restart

The tools: net-snmp and rrdtool

WIP

apk add net-snmp net-snmp-tools rrdtool

Cacti Installation

As of Alpine 3.12, Cacti is still only in the edge branch, so we first install the dependency packages from the stable release and then install only Cacti itself from edge.

Dependency package requirements

Warning: As of Alpine 3.12, Cacti is still only in the edge branch, so the stable dependency packages must be installed separately from the cacti package itself. Otherwise, on a production stable release, security fixes will be bypassed, because the dependencies would have been installed from edge and would be newer than the stable ones.


cat > /etc/apk/repositories << EOF
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/main
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/community
EOF

apk update

apk add bash busybox coreutils net-snmp-tools perl rrdtool ttf-dejavu php7-snmp

Cacti packages install

Warning: As of Alpine 3.12, Cacti is still only in the edge branch, so the stable dependency packages must be installed separately from the cacti package itself. Otherwise, on a production stable release, security fixes will be bypassed, because the dependencies would have been installed from edge and would be newer than the stable ones.


cat > /etc/apk/repositories << EOF
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/main
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/community
http://dl-cdn.alpinelinux.org/alpine/edge/main
http://dl-cdn.alpinelinux.org/alpine/edge/community
http://dl-cdn.alpinelinux.org/alpine/edge/testing
EOF

apk update

apk add cacti cacti-setup cacti-php7 cacti-lang

cat > /etc/apk/repositories << EOF
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/main
http://dl-cdn.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/community
EOF

apk update

Pre configurations

Cacti runs under the cacti user, but the lighttpd user also needs access during the install setup, so we temporarily set world-write permissions on the files and fix the access permissions later:

ln -s /usr/share/webapps/cacti /var/www/localhost/htdocs/cacti

Assign permissions to the lighttpd user:

chown -R lighttpd:lighttpd /var/www/localhost/htdocs/cacti/

If you are using a web server other than lighttpd, assign the permissions to that server's user instead.

If it hasn't already been done, set up MySQL:

mysql -u root -p

Create the cacti database and populate it:

mysql> create database cacti;

Grant the Cacti MySQL user access (give it a more secure password):

mysql> grant all on cacti.* to 'cactiuser'@'localhost' identified by 'MostSecurePassword'; flush privileges;

Quit from the MySQL command prompt:

mysql> \q

Import the initial Cacti MySQL database:

mysql --user=cactiuser -p cacti < /usr/share/webapps/cacti/cacti.sql

Edit config.php and put in the password you used in the step above for the MySQL user.

vi /var/www/localhost/htdocs/cacti/include/config.php

Cacti web setup install

In the web page click:

-> Next

Then select New install if it is not already selected:

-> New install, Next

Then finish

-> Finish

Login using:

Password = admin, user = admin

Next you will be prompted to change the password:

change password.

Add to crontab:

cd /etc/crontabs
vi root

Copy this to the end of the file:

*/5 * * * * lighttpd php /var/www/localhost/htdocs/cacti/poller.php > /dev/null 2>&1

If you are using another web server, replace "lighttpd" with that server's user.

*/5 * * * * "web server user" php /var/www/localhost/htdocs/cacti/poller.php > /dev/null 2>&1

Add your devices and you're ready to start monitoring!
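
A post-install check for the host built above, as an added example that is not part of the original page or of the Cacti or Alpine projects. It reports edge repositories left active, phpinfo() test pages left in the docroot, world-writable files under the Cacti tree, and a config.php readable by every local user. The function names are made up for this example; the default paths are the ones used on this page.

```shell
#!/bin/sh
# Added example: post-install audit for the setup on this page.
# Function names are made up here; default paths are the ones the page uses.

# Active (non-comment) repository lines that still point at an edge branch.
edge_repos() {
    grep -v '^[[:space:]]*#' "${1:-/etc/apk/repositories}" 2>/dev/null |
        grep '/edge/' || true
}

# PHP files in the docroot that call phpinfo(), such as the info.php test page.
phpinfo_pages() {
    find "${1:-/var/www/localhost/htdocs}" -type f -name '*.php' \
        -exec grep -l 'phpinfo[[:space:]]*(' {} + 2>/dev/null || true
}

# Files and directories under the Cacti tree that any local user can write to.
world_writable() {
    find -L "${1:-/usr/share/webapps/cacti}" \( -type f -o -type d \) \
        -perm -0002 2>/dev/null || true
}

# config.php holds the database password: report it if "other" can read it.
exposed_config() {
    find -L "${1:-/usr/share/webapps/cacti/include/config.php}" -type f \
        -perm -0004 2>/dev/null || true
}

# audit REPOS_FILE DOCROOT CACTI_DIR
# Prints one labelled line per finding; returns 0 only when there are none.
audit() {
    findings=$(
        edge_repos "$1" | sed 's/^/edge-repo: /'
        phpinfo_pages "$2" | sed 's/^/phpinfo-page: /'
        world_writable "$3" | sed 's/^/world-writable: /'
        exposed_config "$3/include/config.php" | sed 's/^/config-readable: /'
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Usage on the host built above:
#   audit /etc/apk/repositories /var/www/localhost/htdocs /usr/share/webapps/cacti
```

A non-zero return from audit means at least one item needs attention; for example, delete info.php once the PHP test is done and tighten ownership and mode on config.php so that only the web server's user or group can read it.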

See Also