
Tag: centos 5

Monitoring MySQL with Munin on a DirectAdmin platform

Today I’ll be showing you how to monitor MySQL with Munin on a DirectAdmin platform. I’ve tested this setup for a customer on a CentOS box. It should be fairly easy to adapt this to Debian. You probably won’t even need to change credentials at all on a Debian box given the fact that it has an /etc/mysql/debian.cnf file by default. Although I’m not sure DirectAdmin puts it to good use. Any Debian/DirectAdmin users out there? Feel free to comment.

Let’s start off by checking the proper MySQL login credentials on our CentOS/RHEL box:

# cat /usr/local/directadmin/conf/mysql.conf
user=da_admin
passwd=removed

Easy enough. Let’s move on to installing munin and applying the credentials to the MySQL monitoring plugin. Munin isn’t available in the default repository. Not to worry, it’s in the Fedora Project’s EPEL repository for CentOS/RHEL. If you don’t have EPEL enabled yet be sure to check the excellent FAQ on the subject.

Or you could just move on to installing the repository.
For i386/i686:

 
# rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm

For x86_64:

# rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-3.noarch.rpm

Now we can go on installing munin:

# yum install munin munin-node

Sadly this doesn’t pull in all the necessary dependencies. Not sure why the package maintainer missed out on this but it’s rather easy to fix:

# yum install perl-Cache perl-Cache-Cache 
# yum install perl-IPC-ShareLite perl-DBD-MySQL

On to the credentials part. Edit the mysql plugin on line 132:

# vim +132 /usr/share/munin/plugins/mysql_

You should see something like this with the credentials left blank:

my %config = (
    'dsn'        => $ENV{'mysqlconnection'} || 'DBI:mysql:mysql',
    'user'       => $ENV{'mysqluser'}       || 'da_admin',
    'password'   => $ENV{'mysqlpassword'}   || 'removed',
);

As you can see I’ve already filled in the blanks.
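
Because the plugin reads mysqluser and mysqlpassword from its environment before falling back to the hard-coded values, the credentials can also be supplied through munin-node's plugin configuration directory, which leaves the packaged plugin untouched and keeps the password in a root-only file. The script below is an added example, not part of the original post; the function name and the directadmin-mysql file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build a munin-node plugin
# config for the mysql_* graphs from DirectAdmin's mysql.conf, so the
# da_admin password stays out of the world-readable plugin script.
# write_munin_mysql_conf and "directadmin-mysql" are hypothetical names.

write_munin_mysql_conf() {
    da_conf=$1      # e.g. /usr/local/directadmin/conf/mysql.conf
    conf_dir=$2     # e.g. /etc/munin/plugin-conf.d
    out="$conf_dir/directadmin-mysql"

    [ -r "$da_conf" ] || { echo "cannot read $da_conf" >&2; return 1; }

    # mysql.conf holds key=value lines; cut -f2- keeps any '=' in the password
    user=$(grep '^user=' "$da_conf" | head -n 1 | cut -d= -f2-)
    pass=$(grep '^passwd=' "$da_conf" | head -n 1 | cut -d= -f2-)
    [ -n "$user" ] && [ -n "$pass" ] || { echo "user/passwd missing" >&2; return 1; }

    # Write to a temp file created with mode 600, then move it into place so
    # an older, more permissive copy is replaced rather than reused.
    (
        umask 077
        tmp="$out.tmp.$$"
        {
            printf '%s\n' '[mysql_*]'
            printf 'env.mysqluser %s\n' "$user"
            printf 'env.mysqlpassword %s\n' "$pass"
        } > "$tmp" && mv "$tmp" "$out"
    )
}

# Typical call on the box from this guide (run as root):
#   write_munin_mysql_conf /usr/local/directadmin/conf/mysql.conf /etc/munin/plugin-conf.d
#   /etc/init.d/munin-node restart
```

With this file in place the two fallback strings in the plugin can stay empty, and a package update that replaces /usr/share/munin/plugins/mysql_ no longer wipes the credentials.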

Once the plugin has been configured we’re able to apply it. Before applying I’d suggest you take a look at what graphs are available:

# /usr/share/munin/plugins/mysql_ suggest
mysql_bin_relay_log
mysql_commands
mysql_connections
mysql_files_tables
mysql_innodb_bpool
mysql_innodb_bpool_act
mysql_innodb_insert_buf
mysql_innodb_io
mysql_innodb_io_pend
mysql_innodb_log
mysql_innodb_rows
mysql_innodb_semaphores
mysql_innodb_tnx
mysql_myisam_indexes
mysql_network_traffic
mysql_qcache
mysql_qcache_mem
mysql_replication
mysql_select_types
mysql_slow
mysql_sorts
mysql_table_locks
mysql_tmp_tables

To apply all of them simply run the following:

# cd /etc/munin/plugins
# ln -sf /usr/share/munin/plugins/mysql_ mysql_
# for i in `./mysql_ suggest`; \
do ln -sf /usr/share/munin/plugins/mysql_ $i; done

If you only need a few of them you can apply them this way:

# cd /etc/munin/plugins
# ln -sf /usr/share/munin/plugins/mysql_ mysql_
# ln -sf /usr/share/munin/plugins/mysql_ mysql_bin_relay_log
# ln -sf /usr/share/munin/plugins/mysql_ mysql_commands
# ln -sf /usr/share/munin/plugins/mysql_ mysql_connections
# ln -sf /usr/share/munin/plugins/mysql_ $any_other_graph

Be sure to reload munin-node:

# /etc/init.d/munin-node restart

And that’s it. Enjoy your graphs at http://127.0.0.1/munin. 🙂

Munin MySQL InnoDB graph

Looking for open source projects that need help with packaging

In follow up to a friend’s recent blogpost “Bored Java Dev looking for Open Source project” I’m also looking for an open source project to contribute to. I’m not that much of a developer but I’d like to get more familiar with Linux distribution packaging. I have basic experience creating Gentoo ebuilds, Debian DEB and CentOS RPM packages, but I want to learn and to get more involved.

Anyone with a promising new open source project feel free to send me a request at tom [at] penumbra.be. I do however have some prerequisites:

  • Free and Open Source Software only, no exceptions
  • Non-commercial projects only
  • Preferably not limited to one (Linux) distribution
  • No Qt (KDE) applications due to personal preferences

What I can offer:

  • Spare time
  • Dedication
  • Build farm on x86, x86-64 and UltraSparc64

What I can’t offer:

Zabbix 1.8 on CentOS 5

For those who want or need to build Zabbix 1.8 on CentOS 5: there is an excellent RPM Spec file available at Andrew Farley’s blog. He’s also been kind enough to host a series of precompiled RPM packages.

If you look at the changelog you might find yours truly. I’ve contributed a patch to add a couple of dependencies and to fix a couple of bugs. So I thought I should share.

First of all the RPM Spec file:

http://repo.andrewfarley.com/centos/specs/zabbix.spec

If you’d like to compile your own packages you might follow this guide:

# yum groupinstall "Development Tools"
# yum install rpmdevtools
# rpmdev-setuptree

To compile for your running architecture:

# rpmbuild -bb --clean zabbix.spec

Or if you’d like to build for a specific architecture:

# rpmbuild -bb --clean --target i686 zabbix.spec

After the compile process you’ll find the RPM files in the following directory:

~/rpmbuild/RPMS/zabbix*.rpm

NTFS-3G on CentOS 5

Lately I’ve seen some customers struggle with their external USB drives formatted in NTFS on CentOS servers. Because it’s such a common problem I decided to make a very quick howto on the subject.

The Fuse packages found in the default CentOS repository haven’t been compiled with NTFS-3G support. Even though there are fuse-ntfs3g packages available! To get around this I prefer to enable the RPM Forge repository. It’s very easy to do so.

On 32bit platforms:

# wget http://apt.sw.be/redhat/el5/en/i386/RPMS.dag/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
# rpm -i rpmforge*i386.rpm

On 64bit platforms:

# wget http://apt.sw.be/redhat/el5/en/x86_64/RPMS.dag/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
# rpm -i rpmforge*x86_64.rpm

Moving on:

# rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
# yum update

Installing RPM Forge’s Fuse packages and dependencies:

# yum install -y kernel-devel kernel-headers
# yum install -y --enablerepo=rpmforge dkms dkms-fuse fuse
# yum install -y --enablerepo=rpmforge fuse-ntfs-3g-devel fuse-devel

For some strange reason, the Fuse module in the package isn’t compiled yet. Lucky for us the package maintainer has provided the source code for us:

# cd /usr/src/fuse-2.7.4-1.nodist.rf/
# ./configure
# make
# make install

And now the part most people seem to forget, insert the Fuse module into the kernel:

# insmod /lib/modules/2.6.18-164.9.1.el5/kernel/fs/fuse/fuse.ko

Mount the external disk:

# mount -t ntfs-3g /dev/sdc1 /mnt/usb/
# df -h
Filesystem            Size  Used Avail Use% Mounted on
...
/dev/sdc5             466G   79M  466G   1% /mnt/usb

That’s all there is to it!

Apache mod_evasive DDoS prevention on a CentOS 5.x Plesk environment

A couple weeks ago I was asked to implement a DDoS prevention system in Apache for a customer who had obviously been suffering some gnarly DDoS events. Shouldn’t be too hard. The only catch was that the box was running a Plesk 9 LAMP stack.

I chose to go with mod_evasive, a GPL2 licensed module for Apache[1-2]. It can be downloaded at http://www.zdziarski.com/projects/mod_evasive/ either using the CVS repository or as a tarball. I ended up using the latter. The current stable version at this point is 1.10.1.

This guide has been assembled using CentOS 5.4 with a Plesk 9 LAMP stack. I haven’t tested it on anything else, but it should work just the same way it does in this guide.

Install

First things first. Let’s check out which versions of apxs are installed:

# updatedb; locate apxs | grep bin
/usr/local/psa/admin/bin/apxs

This version is Parallels’ default version, which comes with Plesk.

If this is the only version you have available you will need to install the generic httpd-devel package. Parallels’ version of apxs is a bit limited and won’t compile the module.

# yum install httpd-devel

Give it another go and you should end up with something like this:

# updatedb; locate apxs | grep bin
/usr/local/psa/admin/bin/apxs
/usr/sbin/apxs

Onto downloading and extracting the mod_evasive module:

# cd /usr/src
# wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
# tar xvzf mod_evasive_1.10.1.tar.gz
mod_evasive/
mod_evasive/.cvsignore
mod_evasive/LICENSE
mod_evasive/Makefile.tmpl
mod_evasive/README
mod_evasive/mod_evasive.c
mod_evasive/mod_evasive20.c
mod_evasive/mod_evasiveNSAPI.c
mod_evasive/test.pl
mod_evasive/CHANGELOG

Be sure to check out the CHANGELOG and README files!

Even though people tend to forget this step… those files are included for a reason.
Let’s move on to compiling and actually installing the module inside the Plesk chroot:

# /usr/sbin/apxs -cia /usr/src/mod_evasive/mod_evasive20.c
/usr/lib/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions \
-fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -fno-strict-aliasing \
-DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -pthread -I/usr/include/httpd  -I/usr/include/apr-1   -I/usr/include/apr-1 \
-c -o mod_evasive20.lo mod_evasive20.c && touch mod_evasive20.slo
mod_evasive20.c: In function 'access_checker':
mod_evasive20.c:212: warning: implicit declaration of function 'getpid'
mod_evasive20.c:212: warning: format '%ld' expects type 'long int', but argument 4 has type 'int'
mod_evasive20.c:229: warning: ignoring return value of 'system', declared with attribute warn_unused_result
mod_evasive20.c: In function 'destroy_hit_list':
mod_evasive20.c:301: warning: control reaches end of non-void function
mod_evasive20.c: In function 'create_hit_list':
mod_evasive20.c:118: warning: control reaches end of non-void function
/usr/lib/apr-1/build/libtool --silent --mode=link gcc -o mod_evasive20.la  -rpath /usr/lib/httpd/modules -module -avoid-version    mod_evasive20.lo
/usr/lib/httpd/build/instdso.sh SH_LIBTOOL='/usr/lib/apr-1/build/libtool' mod_evasive20.la /usr/lib/httpd/modules
/usr/lib/apr-1/build/libtool --mode=install cp mod_evasive20.la /usr/lib/httpd/modules/
cp .libs/mod_evasive20.so /usr/lib/httpd/modules/mod_evasive20.so
cp .libs/mod_evasive20.lai /usr/lib/httpd/modules/mod_evasive20.la
cp .libs/mod_evasive20.a /usr/lib/httpd/modules/mod_evasive20.a
chmod 644 /usr/lib/httpd/modules/mod_evasive20.a
ranlib /usr/lib/httpd/modules/mod_evasive20.a
PATH="$PATH:/sbin" ldconfig -n /usr/lib/httpd/modules
----------------------------------------------------------------------
Libraries have been installed in:
/usr/lib/httpd/modules
If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,--rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 755 /usr/lib/httpd/modules/mod_evasive20.so
[activating module `evasive20' in /etc/httpd/conf/httpd.conf]

Next up we need to restart apache to load the module:

# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Verify

Verify if the module is in the apache config:

# grep -i evasive /etc/httpd/conf/httpd.conf
LoadModule evasive20_module   /usr/lib/httpd/modules/mod_evasive20.so

Check whether the module is actually loaded:

# php -r 'phpinfo();' | grep -i evasive
^ Loaded Modules | core prefork http_core mod_so mod_auth_basic
mod_auth_digest mod_authn_file mod_authn_alias mod_authn_anon
mod_authn_dbm mod_authn_default mod_authz_host mod_authz_user
mod_authz_owner mod_authz_groupfile mod_authz_dbm mod_authz_default
util_ldap mod_authnz_ldap mod_include mod_log_config mod_logio
mod_env mod_ext_filter mod_mime_magic mod_expires mod_deflate
mod_headers mod_usertrack mod_setenvif mod_mime mod_dav mod_status
mod_autoindex mod_info mod_dav_fs mod_vhost_alias mod_negotiation
mod_dir mod_actions mod_speling mod_userdir mod_alias mod_rewrite
mod_proxy mod_proxy_balancer mod_proxy_ftp mod_proxy_http mod_proxy_connect
mod_cache mod_suexec mod_disk_cache mod_file_cache mod_mem_cache mod_cgi
mod_version **mod_evasive20** mod_perl mod_php5 mod_proxy_ajp mod_python mod_ssl |

Seems it’s loaded just fine.

Configure

Now let’s get started with the configuration. I couldn’t find any default config, but this one seems to run just fine. Even on a heavily visited shared hosting server.

Add the following rules at the end of /etc/httpd/conf/httpd.conf:

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 6
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
</IfModule>

And let’s kick apache one last time:

# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

NOTE

Be sure to keep an eye on your webstats!

There might be a sudden drop in the number of unique visitors. This might be a result of an attack that’s been evaded. However if you’ve used different configuration parameters you might have restricted it too much and you’ll end up restricting valid customers too. I haven’t received any negative comments about this setup (yet?)

Use with caution!
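
To judge whether a given DOSPageCount / DOSPageInterval pair would hit valid customers, the thresholds can be replayed against an existing access log before they go live. The script below is an added example, not part of the original post or of mod_evasive; it uses a simplified counting model (an assumption), and the function names and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: replay an Apache access log (common/combined format) against
# DOSPageCount / DOSPageInterval to list the clients those values would flag.
# Simplified model (assumption, not the module's code): one counter per
# client IP + URI that restarts once the gap since the previous hit reaches
# the interval; a client is flagged when the counter exceeds the page count.

evasive_page_offenders() {      # usage: evasive_page_offenders COUNT INTERVAL < log
    awk -v max="$1" -v win="$2" '
    {
        # $4 looks like [12/Jan/2010:10:00:01 ; turn it into seconds.
        # Day-of-month is enough for a log that stays within one month.
        split(substr($4, 2), t, "[/:]")
        now = t[1] * 86400 + t[4] * 3600 + t[5] * 60 + t[6]
        key = $1 " " $7                       # client IP + requested URI
        if (key in last && now - last[key] >= win) hits[key] = 0
        last[key] = now
        if (++hits[key] > max && !(key in flagged)) {
            flagged[key] = 1
            print key
        }
    }' | sort
}

sample_log() {                  # constructed log lines, not from the post
    # 8 requests for one page inside two seconds
    for s in 00 00 00 00 01 01 01 01; do
        printf '203.0.113.5 - - [12/Jan/2010:10:00:%s +0100] "GET /login.php HTTP/1.1" 200 512\n' "$s"
    done
    # 7 requests for one page, three seconds apart
    for s in 00 03 06 09 12 15 18; do
        printf '198.51.100.7 - - [12/Jan/2010:10:00:%s +0100] "GET /index.php HTTP/1.1" 200 2048\n' "$s"
    done
}

# Values from the config above: DOSPageCount 6, DOSPageInterval 2
sample_log | evasive_page_offenders 6 2     # prints: 203.0.113.5 /login.php
```

Raising the interval to 4 seconds also flags the slower client in the sample, which is the kind of over-restriction the note above warns about.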