View from the geek side


2014-10-27 CentOS7 on Hyper-V Core for Nagios

posted Oct 27, 2014, 1:57 PM by Boyce Crownover   [ updated Oct 27, 2014, 3:19 PM ]

The first thing I learned when attempting to set up a Hyper-V guest virtual server to run Nagios in a CentOS 7 environment was that the NetInstall ISO image doesn't work. I went down many a dark and dusty internet path trying to understand why and what to do about it so you don't have to. Don't use that ISO.

When I switched to trying to use the Everything ISO, it worked without any difficulty. That brings me to the second thing I learned: You can't download some ISOs from some mirrors on some networks. I ended up downloading it with bittorrent, which was faster and easier than trying to pull it in a single piece. This is what bittorrent was designed to be good for.

Once I started the virtual machine wizard with the CentOS Everything ISO, things were mostly smooth sailing, but there are were a couple things that might make your life easier if you didn't have to figure them out:
  • The kernel has the necessary VM support built in, so you will be able to shutdown without having to go to the command line and halt and then power-off from the Hyper-V control
  • The time zone you want may be faster to find than click
  • The installation wizard won't let you install without using swap space


Setting up the environment and basic system:

I do some things with my servers you may not want to do. There are lots of docs to tell you how to do a CentOS installation to meet a certain goal, and many of them may better suit your needs. These are the steps I take, with hopefully enough detail on the motivations for it that you'll know whether it is right for you or not.

  1. yum -y upgrade
    Update - the first thing I typically do is update the system, and you can use the upgrade or the update option with yum. I find that I rarely ever want an obsolete package to stick around, so I nearly always use upgrade.
  2. crontab -e and 0 */4 * * * (yum -y upgrade) & >/dev/null 2>&1
    I edit the crontab to include that line which is a little dangerous. It upgrades everything six times a day, at every hour divisible by four, and doesn't show any output, even errors. I haven't seen CentOS do anything that messed up any of my critical systems and I tend to have good backups so I'm happy knowing that I don't have to do anything for my system to stay current.
  3. yum -y install screen vim wget
    These are improvements to the base system I have a difficult time doing without and they're very limited and well tested so adding them doesn't significantly change the security of the system.
  4. yum -y install epel-release
    There are some things like fail2ban and nagios which only have limited direct support from RHEL, but if you want them, they're just a command away from being included on your system
  5. yum -y install fail2ban
    This is a pretty good system for blocking those irritating brute force scripts. There is a lot more it does and can do and there are things it doesn't protect against, but it does a decent job out of the box of improving your server's security.
  6. su - genericusername and ssh-keygen and exit and as root ssh localhost and exit and cat /home/genericusername/.ssh/id_rsa.pub >> .ssh/authorized_keys and chmod 0600 .ssh/authorized_keys
    I find it tedious to have to use sudo when I'm the only admin and I like to disable password based root login, so this is an example of how you'd go about setting key based login for netadmin
  7. echo 'auth required pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist' >> /etc/pam.d/sshd and echo 'genericusername' >> /etc/ssh_allow.pamlist
    This blocks password based login for anybody but the user you specify with genericusername which is why creating the key based login above was so critical.
  8. You can set the hostname at this point if you didn't already. echo "HOSTNAME=newhostname.full.domain" >> /etc/sysconfig/network and hostname newhostname.full.domain and systemctl restart rsyslog
  9. Restart fail2ban, and the ssh daemon:
    systemctl restart sshd fail2ban

Setting up Nagios

This is definitely not the most secure way to set it up, but I decided that I'd follow a guide and this is what the guide showed:

yum install nagios*

Notice how my other yum commands had the "-y" argument? The -y argument keeps you from having to confirm that you want everything that comes with your request.  If you include it, you're going to agree to everything. With the asterisk there, you're getting a very big list of software and you should be aware of what you're agreeing to, so I don't recommend skipping the prompt for this one. This is what my install included:

Installed:
  nagios.x86_64 0:3.5.1-1.el7                           nagios-common.x86_64 0:3.5.1-1.el7
  nagios-plugins-all.x86_64 0:2.0.1-1.el7               nagios-plugins-apt.x86_64 0:2.0.1-1.el7
  nagios-plugins-breeze.x86_64 0:2.0.1-1.el7            nagios-plugins-by_ssh.x86_64 0:2.0.1-1.el7
  nagios-plugins-dbi.x86_64 0:2.0.1-1.el7               nagios-plugins-dhcp.x86_64 0:2.0.1-1.el7
  nagios-plugins-disk_smb.x86_64 0:2.0.1-1.el7          nagios-plugins-dns.x86_64 0:2.0.1-1.el7
  nagios-plugins-flexlm.x86_64 0:2.0.1-1.el7            nagios-plugins-fping.x86_64 0:2.0.1-1.el7
  nagios-plugins-flexlm.x86_64 0:2.0.1-1.el7            nagios-plugins-fping.x86_64 0:2.0.1-1.el7
  nagios-plugins-http.x86_64 0:2.0.1-1.el7              nagios-plugins-icmp.x86_64 0:2.0.1-1.el7
  nagios-plugins-ifstatus.x86_64 0:2.0.1-1.el7          nagios-plugins-ircd.x86_64 0:2.0.1-1.el7
  nagios-plugins-log.x86_64 0:2.0.1-1.el7               nagios-plugins-mailq.x86_64 0:2.0.1-1.el7
  nagios-plugins-mysql.x86_64 0:2.0.1-1.el7             nagios-plugins-nagios.x86_64 0:2.0.1-1.el7
  nagios-plugins-ntp.x86_64 0:2.0.1-1.el7               nagios-plugins-ntp-perl.x86_64 0:2.0.1-1.el7
  nagios-plugins-oracle.x86_64 0:2.0.1-1.el7            nagios-plugins-overcr.x86_64 0:2.0.1-1.el7
  nagios-plugins-ping.x86_64 0:2.0.1-1.el7              nagios-plugins-procs.x86_64 0:2.0.1-1.el7
  nagios-plugins-rpc.x86_64 0:2.0.1-1.el7               nagios-plugins-sensors.x86_64 0:2.0.1-1.el7
  nagios-plugins-ssh.x86_64 0:2.0.1-1.el7               nagios-plugins-swap.x86_64 0:2.0.1-1.el7
  nagios-plugins-ups.x86_64 0:2.0.1-1.el7               nagios-plugins-uptime.x86_64 0:2.0.1-1.el7
  nagios-devel.x86_64 0:3.5.1-1.el7                     nagios-plugins.x86_64 0:2.0.1-1.el7
  nagios-plugins-bacula.x86_64 0:5.2.13-18.el7          nagios-plugins-bonding.x86_64 0:1.4-3.el7
  nagios-plugins-check-updates.x86_64 0:1.6.7-1.el7     nagios-plugins-cluster.x86_64 0:2.0.1-1.el7
  nagios-plugins-dig.x86_64 0:2.0.1-1.el7               nagios-plugins-disk.x86_64 0:2.0.1-1.el7
  nagios-plugins-dummy.x86_64 0:2.0.1-1.el7             nagios-plugins-file_age.x86_64 0:2.0.1-1.el7
  nagios-plugins-game.x86_64 0:2.0.1-1.el7              nagios-plugins-hpjd.x86_64 0:2.0.1-1.el7
  nagios-plugins-ide_smart.x86_64 0:2.0.1-1.el7         nagios-plugins-ifoperstatus.x86_64 0:2.0.1-1.el7
  nagios-plugins-ldap.x86_64 0:2.0.1-1.el7              nagios-plugins-load.x86_64 0:2.0.1-1.el7
  nagios-plugins-mrtg.x86_64 0:2.0.1-1.el7              nagios-plugins-mrtgtraf.x86_64 0:2.0.1-1.el7
  nagios-plugins-nrpe.x86_64 0:2.15-2.el7               nagios-plugins-nt.x86_64 0:2.0.1-1.el7
  nagios-plugins-nwstat.x86_64 0:2.0.1-1.el7            nagios-plugins-openmanage.x86_64 0:3.7.12-1.el7
  nagios-plugins-perl.x86_64 0:2.0.1-1.el7              nagios-plugins-pgsql.x86_64 0:2.0.1-1.el7
  nagios-plugins-radius.x86_64 0:2.0.1-1.el7            nagios-plugins-real.x86_64 0:2.0.1-1.el7
  nagios-plugins-smtp.x86_64 0:2.0.1-1.el7              nagios-plugins-snmp.x86_64 0:2.0.1-1.el7
  nagios-plugins-tcp.x86_64 0:2.0.1-1.el7               nagios-plugins-time.x86_64 0:2.0.1-1.el7
  nagios-plugins-users.x86_64 0:2.0.1-1.el7             nagios-plugins-wave.x86_64 0:2.0.1-1.el7

Dependency Installed:
  apr.x86_64 0:1.4.8-3.el7                            apr-util.x86_64 0:1.5.2-6.el7
  bind-libs.x86_64 32:9.9.4-14.el7                    bind-utils.x86_64 32:9.9.4-14.el7
  fontpackages-filesystem.noarch 0:1.44-8.el7         fping.x86_64 0:3.5-3.el7
  httpd-tools.x86_64 0:2.4.6-18.el7.centos            libX11.x86_64 0:1.6.0-2.1.el7
  libXpm.x86_64 0:3.5.10-5.1.el7                      libdbi.x86_64 0:0.8.4-6.el7
  libpng.x86_64 2:1.5.13-5.el7                        libsmbclient.x86_64 0:4.1.1-37.el7_0
  libtevent.x86_64 0:0.9.18-6.el7                     libtirpc.x86_64 0:0.2.4-0.3.el7
  libzip.x86_64 0:0.10.1-8.el7                        lm_sensors.x86_64 0:3.3.4-10.el7
  mailx.x86_64 0:12.5-11.el7                          net-snmp-libs.x86_64 1:5.7.2-18.el7
  ntpdate.x86_64 0:4.2.6p5-18.el7.centos              perl-Class-Accessor.noarch 0:0.34-12.el7
  perl-Digest.noarch 0:1.17-245.el7                   perl-Digest-HMAC.noarch 0:1.03-5.el7
  perl-Digest-SHA1.x86_64 0:2.13-9.el7                perl-Math-Calc-Units.noarch 0:1.07-9.el7
  perl-Nagios-Plugin.noarch 0:0.36-7.el7              perl-Net-SNMP.noarch 0:6.0.1-7.el7
  perl-Readonly-XS.x86_64 0:1.05-15.el7               perl-Socket6.x86_64 0:0.23-15.el7
  php.x86_64 0:5.4.16-23.el7_0.1                      php-cli.x86_64 0:5.4.16-23.el7_0.1
  pytalloc.x86_64 0:2.0.8-4.el7                       qstat.x86_64 0:2.11-13.20080912svn311.el7
  samba-client.x86_64 0:4.1.1-37.el7_0                samba-common.x86_64 0:4.1.1-37.el7_0
  autogen-libopts.x86_64 0:5.18-5.el7                 bacula-libs.x86_64 0:5.2.13-18.el7
  cups-libs.x86_64 1:1.6.3-14.el7                     fontconfig.x86_64 0:2.10.95-7.el7
  gd.x86_64 0:2.0.35-26.el7                           httpd.x86_64 0:2.4.6-18.el7.centos
  libX11-common.noarch 0:1.6.0-2.1.el7                libXau.x86_64 0:1.0.8-2.1.el7
  libjpeg-turbo.x86_64 0:1.2.90-5.el7                 libldb.x86_64 0:1.1.16-4.el7
  libtalloc.x86_64 0:2.0.8-4.el7                      libtdb.x86_64 0:1.2.12-3.el7
  libwbclient.x86_64 0:4.1.1-37.el7_0                 libxcb.x86_64 0:1.9-5.el7
  lm_sensors-libs.x86_64 0:3.3.4-10.el7               mailcap.noarch 0:2.1.41-2.el7
  net-snmp-utils.x86_64 1:5.7.2-18.el7                ntp.x86_64 0:4.2.6p5-18.el7.centos
  perl-Config-Tiny.noarch 0:2.14-7.el7                perl-Crypt-DES.x86_64 0:2.05-20.el7
  perl-Digest-MD5.x86_64 0:2.52-3.el7                 perl-Digest-SHA.x86_64 1:5.85-3.el7
  perl-Module-Implementation.noarch 0:0.06-6.el7      perl-Module-Runtime.noarch 0:0.013-4.el7
  perl-Params-Validate.x86_64 0:1.08-4.el7            perl-Readonly.noarch 0:1.03-22.el7
  perl-Sort-Versions.noarch 0:1.5-22.el7              perl-Try-Tiny.noarch 0:0.12-2.el7
  php-common.x86_64 0:5.4.16-23.el7_0.1               postgresql-libs.x86_64 0:9.2.7-1.el7
  radiusclient-ng.x86_64 0:0.5.6-9.el7                rpcbind.x86_64 0:0.2.0-23.el7
  samba-libs.x86_64 0:4.1.1-37.el7_0


And then I added npre:

yum install npre

An I configured httpd and nagios to run and started them:

systemctl start httpd nagios

systemctl enable httpd.service
chkconfig nagios o
n


And let them through the firewall:

firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --zone=public --add-port=80/tcp
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --zone=public --add-port=443/tcp

Now you can browse to your server by IP address and add /nagios at the end, http://192.168.1.254/nagios for example, the defaults are:

username: nagiosadmin
password: nagiosadmin

You'll need to change that password right away, so that's done with the command:

htpasswd -c /etc/nagios/passwd nagiosadmin
(You'll be prompted for the password.)



1-1 of 1