Varnish Configuration

Varnish startup configuration is contained in the file /etc/sysconfig/varnish.

– this file is read by the Linux service (init) script, which turns its variables into varnishd command-line options

The main items it contains:

port number to listen upon – by default this is port 80.

address and port for the admin (management) interface – security warning here! This is a telnet-style CLI: anyone who can reach the port and knows the shared secret has full control of the running cache (load new VCL, change parameters, stop the daemon). Bind it to 127.0.0.1 unless you have a reason not to, and keep the secret file readable by root only.

location of the main configuration file

VARNISH_VCL_CONF=/etc/varnish/default.vcl

location of the secret file

size and storage of the Varnish cache

#
# Cache file size: in bytes, optionally using k / M / G / T suffix,
# or in percentage of available disk space using the % suffix.
VARNISH_STORAGE_SIZE=6G
#
# Main configuration file
VARNISH_VCL_CONF=/etc/varnish/default.vcl
#
# Default address and port to bind to
# Blank address means all IPv4 and IPv6 interfaces, otherwise specify
# a host name, an IPv4 dotted quad, or an IPv6 address in brackets.
# VARNISH_LISTEN_ADDRESS=
VARNISH_LISTEN_PORT=80
#
# Telnet admin interface listen address and port
VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
VARNISH_ADMIN_LISTEN_PORT=6082
#
# Shared secret file for admin interface
VARNISH_SECRET_FILE=/etc/varnish/secret
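As an added example (not part of the original post), the following shell script checks a sysconfig file for the two points made above: an admin interface that would listen off loopback, and a secret file readable by group or others. The file contents, the paths and the temp directory are constructed for the demonstration; it relies on GNU stat as found on CentOS.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Varnish sysconfig
# file for the admin-interface risks described in the text. Sample file
# contents, paths and the temp directory are constructed for the demo.

# sysconfig_get FILE KEY -> last uncommented KEY=value, quotes stripped
sysconfig_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'"'"
}

# varnish_admin_exposed FILE: exit 0 if the admin port would listen on a
# non-loopback address (unset or blank means all interfaces), 1 if loopback.
varnish_admin_exposed() {
    case "$(sysconfig_get "$1" VARNISH_ADMIN_LISTEN_ADDRESS)" in
        127.0.0.1|localhost|'[::1]') return 1 ;;
        *) return 0 ;;
    esac
}

# varnish_secret_ok FILE: exit 0 if VARNISH_SECRET_FILE names an existing
# regular file with no group/other permission bits (0600, 0400, ...).
varnish_secret_ok() {
    secret=$(sysconfig_get "$1" VARNISH_SECRET_FILE)
    [ -n "$secret" ] && [ -f "$secret" ] || return 1
    case "$(stat -c '%a' "$secret")" in   # GNU stat (CentOS); prints e.g. 600
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# write_sample DIR ADDR MODE: constructed sysconfig file plus a dummy secret
# file with permission MODE; prints the path of the sysconfig file.
write_sample() {
    printf 'not-a-real-secret\n' > "$1/secret"
    chmod "$3" "$1/secret"
    cat > "$1/varnish" <<EOF
VARNISH_LISTEN_PORT=80
VARNISH_ADMIN_LISTEN_ADDRESS=$2
VARNISH_ADMIN_LISTEN_PORT=6082
VARNISH_SECRET_FILE=$1/secret
EOF
    printf '%s\n' "$1/varnish"
}

# Demo run: one safe configuration, one exposed one.
tmp=$(mktemp -d)
mkdir "$tmp/good" "$tmp/bad"
good=$(write_sample "$tmp/good" 127.0.0.1 600)
bad=$(write_sample "$tmp/bad" 0.0.0.0 644)
for f in "$good" "$bad"; do
    if varnish_admin_exposed "$f"; then
        echo "$f: WARN admin interface reachable from the network"
    else
        echo "$f: admin interface on loopback"
    fi
    if varnish_secret_ok "$f"; then
        echo "$f: secret file permissions ok"
    else
        echo "$f: WARN secret file missing or readable by others"
    fi
done
rm -rf "$tmp"
```

Run it against the real file with the two functions and /etc/sysconfig/varnish as the argument; a blank VARNISH_ADMIN_LISTEN_ADDRESS is flagged because, as the file's own comment says, blank means every interface.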

VSFTP – enable logging

Running Very Secure FTP (vsftpd), I needed to make sure that every connection, successful or failed, was being logged.

Parameters (in /etc/vsftpd/vsftpd.conf):

xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
log_ftp_protocol=YES
xferlog_std_format=NO

– xferlog_std_format=NO selects vsftpd's own log format rather than the wu-ftpd style transfer log, and log_ftp_protocol=YES (which only takes effect in that format) adds every command and response to it (the full parameter list is in vsftpd.conf(5))

Looking at the connection log file then gives sample output like this:

Mon Jun 10 18:27:32 2013 [pid 12652] [xxx] FTP command: Client "123.456.789", "PASV" 
Mon Jun 10 18:27:32 2013 [pid 12652] [xxx] FTP response: Client "123.456.789", "227 Entering Passive Mode (195,254,221,106,91,145) 
Mon Jun 10 18:27:32 2013 [pid 12652] [xxx] FTP command: Client "123.456.789", "LIST" 
Mon Jun 10 18:27:32 2013 [pid 12652] [xxx] FTP response: Client "123.456.789", "150 Here comes the directory listing." 
Mon Jun 10 18:27:32 2013 [pid 12652] [xxx] FTP response: Client "123.456.789", "226 Directory send OK."

Example of a file upload:

Mon Jun 10 18:31:28 2013 [pid 12790] [xxx] OK UPLOAD: Client "123.456.789", "/error.jpg", 374332 bytes, 104.94Kbyte/sec
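Added example, not from the original post: with the log format above, failed logins appear as FAIL LOGIN records, so a few lines of shell give a per-client count of failures and the usernames tried from /var/log/vsftpd.log. The log lines here are constructed to match vsftpd's own format; the usernames and addresses are made up.

```shell
#!/bin/sh
# Added example (not from the original post): summarise failed FTP logins
# from a vsftpd.log written with xferlog_std_format=NO. The sample log
# below is constructed; real entries have the same shape.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mon Jun 10 18:20:01 2013 [pid 12600] CONNECT: Client "203.0.113.7"
Mon Jun 10 18:20:02 2013 [pid 12599] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Jun 10 18:20:04 2013 [pid 12599] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Jun 10 18:20:06 2013 [pid 12599] [root] FAIL LOGIN: Client "203.0.113.7"
Mon Jun 10 18:21:11 2013 [pid 12610] CONNECT: Client "198.51.100.22"
Mon Jun 10 18:21:13 2013 [pid 12609] [bob] OK LOGIN: Client "198.51.100.22"
Mon Jun 10 18:21:20 2013 [pid 12609] [bob] OK UPLOAD: Client "198.51.100.22", "/error.jpg", 374332 bytes, 104.94Kbyte/sec
Mon Jun 10 18:22:30 2013 [pid 12620] [bob] FAIL LOGIN: Client "198.51.100.22"
EOF

# fail_logins_by_client LOGFILE -> "count client" lines, most failures first
fail_logins_by_client() {
    grep 'FAIL LOGIN: Client' "$1" |
        sed 's/.*Client "\([^"]*\)".*/\1/' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# clients_over_threshold LOGFILE N -> clients with more than N failed logins
clients_over_threshold() {
    fail_logins_by_client "$1" | awk -v n="$2" '$1 > n { print $2 }'
}

# failed_usernames LOGFILE -> distinct usernames that failed to log in
failed_usernames() {
    grep 'FAIL LOGIN: Client' "$1" |
        sed 's/.*\] \[\([^]]*\)\] FAIL LOGIN.*/\1/' |
        sort -u
}

# Demo run over the constructed log.
echo "failed logins per client:"
fail_logins_by_client "$SAMPLE_LOG"
echo "clients with more than 2 failures:"
clients_over_threshold "$SAMPLE_LOG" 2
echo "usernames tried:"
failed_usernames "$SAMPLE_LOG" | tr '\n' ' '; echo
rm -f "$SAMPLE_LOG"
```

Point the functions at /var/log/vsftpd.log for the real thing; a client well over the threshold with root or admin among the usernames is the brute-force pattern worth alerting on.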
 

As a side note, to check that vsftpd is running and listening for connections, use netstat (assuming FTP is on the default port 21). Lines with - in the PID column are sockets in LAST_ACK or TIME_WAIT that no longer belong to a process:

netstat --proto=inet,inet6 -avpnl | grep ":21"

tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 12641/vsftpd
tcp 0 0 123.254.221.106:21 134.128.72.178:56219 ESTABLISHED 2020/vsftpd
tcp 1 75 123.254.221.106:21 192.168.224.12:56345 LAST_ACK -
tcp 1 65 123.254.221.106:21 192.168.224.12:56343 LAST_ACK -
tcp 0 0 123.254.221.106:21 134.128.72.178:56220 ESTABLISHED 2018/vsftpd
tcp 0 0 123.254.221.106:21 134.128.72.28:53954 TIME_WAIT -
 

Process information

Today we had a system which kicked all users out due to memory being flushed, or so it seems. Whilst yes, we have monitoring and can see memory and CPU usage, we don't actually have post-event visibility of the processes that caused this.

Both top and ps provide this information, but only if we capture it. Thus the following grabs the process information, aggregated per command name, covering CPU and overall memory consumption as a total percentage followed by the actual values for RSS and VSZ (kernel thread names such as kworker/0:1 are folded into one entry, the per-name figures are summed, and the result is sorted on %cpu then %mem):

ps -A -o comm,%cpu,%mem,rss,vsz | sed 's#^\([^ /]*\)/[^ ]*#\1#' | awk 'NR==1 {next} {cpu[$1]+=$2; mem[$1]+=$3; rss[$1]+=$4; vsz[$1]+=$5} END {for (i in cpu) print i, cpu[i], mem[i], rss[i], vsz[i]}' | sort -k2,2nr -k3,3nr | head -5

example output

mysqld 8.6 83.8 27557052 29039096
puppetd 0 0.1 64416 174908
zabbix_agentd 0 0.0 412 52292
watchdog 0 0.0 0 0
vmw_pvscsi_wq_2 0 0.0 0 0

Note that it reports both RSS (Resident Set Size) and VSZ (virtual memory size). VSZ is the size of the whole virtual address space the process has mapped, including pages it has never touched and file-backed mappings that may not be loaded into physical RAM, whilst RSS is the approximate amount of physical memory currently resident.

RSS is only approximate as a per-process figure because it counts resident shared-library pages in every process that maps them, so summing RSS across processes (as the aggregation above does) overstates real usage. If an exact figure is needed, PSS in /proc/PID/smaps splits each shared page between the processes sharing it.
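Added example (not from the original post): the aggregation from the one-liner above as a function that reads ps output from stdin, so it can be run over a saved snapshot as well as live, plus a routine to append a timestamped snapshot to a log from cron, which is what gives the post-event visibility the text asks for. The sample ps output is constructed and the log path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): per-command aggregation of
# `ps -A -o comm,%cpu,%mem,rss,vsz` output plus a snapshot routine. The
# sample ps output is constructed; /var/log/procsnap.log is an assumption.

# aggregate_procs [N]: read ps output on stdin, fold kernel-thread suffixes
# (kworker/0:1 -> kworker), sum %cpu %mem rss vsz per command name and print
# the top N (default 5) ordered by %cpu, then %mem.
aggregate_procs() {
    sed 's#^\([^ /]*\)/[^ ]*#\1#' |
    awk 'NR == 1 { next }                      # skip the ps header row
         { cpu[$1] += $2; mem[$1] += $3; rss[$1] += $4; vsz[$1] += $5 }
         END { for (c in cpu)
                   printf "%s %.1f %.1f %d %d\n", c, cpu[c], mem[c], rss[c], vsz[c] }' |
    sort -k2,2nr -k3,3nr | head -n "${1:-5}"
}

# snapshot_procs LOGFILE: append a timestamped top-5 to LOGFILE. Run from
# cron every minute; the log survives the event that kills the sessions.
snapshot_procs() {
    {
        date '+%Y-%m-%dT%H:%M:%S%z snapshot'
        ps -A -o comm,%cpu,%mem,rss,vsz | aggregate_procs 5
    } >> "$1"
}

# Constructed ps output: two kworker threads and two httpd workers to show
# the folding and the summing.
SAMPLE_PS='COMMAND %CPU %MEM RSS VSZ
init 0.0 0.0 1412 19232
kworker/0:1 0.0 0.0 0 0
kworker/1:2 0.0 0.0 0 0
mysqld 8.6 83.8 27557052 29039096
httpd 0.3 0.4 12100 310000
httpd 0.4 0.5 13300 311000
puppetd 0.0 0.1 64416 174908'

# Demo run over the constructed sample; live use is:
#   snapshot_procs /var/log/procsnap.log
printf '%s\n' "$SAMPLE_PS" | aggregate_procs 3
```

Because RSS is summed per name here, the httpd total double-counts shared pages exactly as described above; it is still the right number for spotting which service grew before the box fell over.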

Zabbix Quick Start

Just recently I wanted to test out the Zabbix frontend. Zabbix helpfully produce a neat appliance which, once installed as a VM, allows you to connect up clients.

I wanted to test the new Zabbix EPEL packages (zabbix20).

  1. first step, a dedicated VM was needed. Heading over to the Fedora site, downloaded a CentOS live ISO.
  2. once the ISO was downloaded, fired up a VM and had a virgin VM waiting for me within a few minutes.

Being old-school I prefer to work via a terminal prompt and leave the GUI on the hypervisor (I'm using XenServer as my hypervisor, mainly because it is very easy to install and simple to use).

So after changing the keyboard layout to suit my needs, the first step is to enable ssh:
service sshd start
Next, reference the EPEL repository:
wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -ivh epel-release-6-8.noarch.rpm

Installing the Zabbix agent is the next easy step:
yum install zabbix20-agent
followed by installing the web frontend:

yum install zabbix20-web-mysql

Next, it is necessary to change some entries in the PHP config, /etc/php.ini:

  • uncomment the date.timezone line and set your current zone (the list of supported timezones is in the PHP manual)
  • max_execution_time = 300
  • max_input_time = 300
  • post_max_size = 16M

Save the file, restart the web server (service httpd restart) so PHP picks up the changes, then connect to the Zabbix URL http://localhost/zabbix/. The next step is to configure the connection to the Zabbix server database.

Test the connection and, if all is well, Zabbix will then ask you to complete the fields for the Zabbix backend server.

The above configuration is written to the file
/etc/zabbix/web/zabbix.conf.php

  • so if easier, modify that file directly; it may be necessary to restart the web server to reflect the changes. The file holds the database password in clear text, so keep it readable only by root and the web server user (apache).

If the URL fails to connect, then it is possible that:
1. the firewall is precluding access, so configure iptables. The method I use is below. The order matters: INPUT is set to ACCEPT before the flush so an ssh session is not cut off half way, and DROP only becomes the default once the allow rules are in place.

iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -L -v

/sbin/service iptables save

This executes the iptables init script, which runs /sbin/iptables-save and writes the current iptables configuration to /etc/sysconfig/iptables.

  • When you reboot, the iptables service will apply the rules saved in this file by using the iptables-restore command.
  • These rules only admit ssh and http. If the Zabbix server is to poll the agent installed above, also allow the agent's port (tcp/10050 by default), ideally only from the server's address.

2. SELinux is giving a problem. Run the following to see if SELinux is denying anything:
tail -f /var/log/audit/audit.log | grep -i avc

Example of an access denial (httpd trying to open a TCP connection to the MySQL port, 3306):

type=AVC msg=audit(1358942792.307:56): avc: denied { name_connect } for pid=2735 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket

If so, then turn off SELinux or add a policy to allow it. I think it's a bad idea to turn it off, especially when SELinux is easy to configure. To do this, use the commands getsebool & setsebool. To see a list of available booleans:
getsebool -a

The one we wish to use here is
httpd_can_network_connect

(httpd_can_network_connect_db is the narrower choice if the web server only needs to reach database ports; audit2why, from policycoreutils-python, will name the boolean for a given denial.)

thus
[root@local]# getsebool httpd_can_network_connect
httpd_can_network_connect --> off
[root@local]# setsebool -P httpd_can_network_connect on
[root@local]# getsebool httpd_can_network_connect
httpd_can_network_connect --> on

Without -P the change is lost at the next reboot.

So simple – start to finish, took less than 20 minutes!
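Added example (not the original post's or Zabbix's code): pulling the source type, permission, target type and object class out of an AVC record like the one above, and mapping the one case this page covers (httpd_t connecting to mysqld_port_t) to the boolean that allows it. The sample record is constructed from the denial shown in the text; for any other denial it prints nothing, and audit2why is the tool to use.

```shell
#!/bin/sh
# Added example (not from the original post): parse an SELinux AVC denial
# and name the boolean for the httpd -> MySQL port case. SAMPLE_AVC is
# constructed from the denial quoted in the text.

# avc_field RECORD KEY -> value of KEY=... in the audit record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_summary RECORD -> "SOURCE_TYPE PERMISSION TARGET_TYPE TCLASS"
# (only the first permission in the { ... } set is taken)
avc_summary() {
    s=$(avc_field "$1" scontext | awk -F: '{ print $3 }')
    t=$(avc_field "$1" tcontext | awk -F: '{ print $3 }')
    p=$(printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^ }]*\).*/\1/p')
    c=$(avc_field "$1" tclass)
    printf '%s %s %s %s\n' "$s" "$p" "$t" "$c"
}

# avc_boolean RECORD -> the boolean covering the case in the text, narrowest
# first; exit 1 with no output for anything else (hand it to audit2why).
avc_boolean() {
    case "$(avc_summary "$1")" in
        "httpd_t name_connect mysqld_port_t tcp_socket")
            # httpd_can_network_connect_db opens database ports only;
            # httpd_can_network_connect would let httpd reach any port.
            echo httpd_can_network_connect_db ;;
        *) return 1 ;;
    esac
}

SAMPLE_AVC='type=AVC msg=audit(1358942792.307:56): avc:  denied  { name_connect } for  pid=2735 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# Demo run; live use is e.g.
#   grep -i 'avc: *denied' /var/log/audit/audit.log | while read -r l; do avc_boolean "$l"; done | sort -u
echo "summary: $(avc_summary "$SAMPLE_AVC")"
echo "dest port: $(avc_field "$SAMPLE_AVC" dest)"
if b=$(avc_boolean "$SAMPLE_AVC"); then
    echo "fix: setsebool -P $b on"
else
    echo "no mapping here; run: audit2why < record"
fi
```

Whatever the boolean, check it with getsebool first and set it with -P, otherwise the fix evaporates on reboot.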

Zabbix Netstat

Required to get netstat data back from the Linux clients.

To achieve this, added this line to the agent configuration file (zabbix_agentd.conf):

UserParameter=netstat.stat[*],(netstat -$1 | grep -i -- "$2" | wc -l)

and then restarted the agent.

Then just added items to the respective template, with the netstat flags and the filter string as the two key parameters:
netstat.stat[ntp,active]

e.g. (screenshot: netstat_established)

which then can be put into a graph:
(graph: netstat_graph_example)

So by using the above key parameters it allows me to use any flag set of netstat and filter on the result set. Note that $1 and $2 are substituted straight into a shell command line; the agent refuses shell metacharacters in them unless UnsafeUserParameters=1 is set, so leave that at its default of 0. In theory it should also work on Windows, which has netstat, but grep and wc would need replacing (for example with find /c).

Easy way to Install Tomcat in CentOS

Installing Tomcat just takes a few minutes.

Tomcat requires Java, so install that followed by Tomcat.

Method: open a terminal, become root (sudo -i) and type the following commands:

yum -y install java
yum -y install tomcat6 tomcat6-webapps tomcat6-admin-webapps

then start Tomcat

/etc/init.d/tomcat6 start

to make it start automatically at run levels 2, 3 and 5

chkconfig --add tomcat6
chkconfig --level 235 tomcat6 on
chkconfig --list tomcat6
tomcat6 0:off 1:off 2:on 3:on 4:on 5:on 6:off

To connect to Tomcat, browse to port 8080 on the server:

http://[serverip]:8080

The admin webapps (manager and host-manager) cannot be used until a user with the manager role is added to /etc/tomcat6/tomcat-users.xml; when you do, give it a strong password and restrict who can reach the manager URL, since it can deploy arbitrary WAR files.

 

Centos – change server name

Changing the name on the CentOS VM is easy as pie.

Two methods, and they are not alternatives: the first changes the running system only, the second makes the change survive a reboot, so do both.
1. from a command line enter
hostname [newhostname]

Upon entering the above command, the server hostname is changed immediately, but only until the next reboot.

and

2.

make the change permanent by editing the network file:

from a command line:

vi /etc/sysconfig/network

By default the file looks like this.

NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=livedvd.centos

Simply change "livedvd.centos" to your chosen value and you are done. If the old name is listed in /etc/hosts, update it there too so the new name still resolves locally.