Adding netdata to pakfire

ClusterSeek
Posts: 1
Joined: August 6th, 2016, 4:12 pm

Post by ClusterSeek » August 6th, 2016, 5:34 pm

I recently discovered this for Linux. Would it be possible to include this in Pakfire? The detailed graphs it generates could be a very useful add-on for IPFire.

https://github.com/firehol/netdata/wiki

ummeegge
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Post by ummeegge » August 7th, 2016, 10:40 am

Hi,
As always, Firehol does some great stuff. I have compiled the netdata sources (only for 32 bit {meanwhile also for 64 bit systems}) and am currently trying them out. Here is a shortened screenshot of netdata on IPFire:

This is fixed with 1.10 --> https://forum.ipfire.org/viewtopic.php? ... 15#p118982
Do not use Virtualbox and Netdata --> https://forum.ipfire.org/viewtopic.php? ... 00#p100382
Image

I'm not sure if this will bring a big response from the core developers to add this feature to IPFire as an add-on, but what I can offer you is a possibility for some checks and testing of netdata for IPFire.

If you want to build it yourself, you will need an IPFire dev environment --> http://wiki.ipfire.org/devel/start . I tried point 2 from here --> https://github.com/firehol/netdata/wiki/Installation in the IPFire dev environment and at first it worked out of the box. Nevertheless there are some other things to do (especially permissions), and there are currently also a lot of errors to be found under /var/log/netdata/error.log which need to be fixed, but they do not prevent it from working. I think most of those can be eliminated by an appropriate configuration...

I have uploaded the compiled sources to my home folder --> http://people.ipfire.org/~ummeegge/netdata/ but I also wrote a little in-/uninstaller script for the already compiled sources. If you want to go through some testing/debugging/configuring scenarios, let me know; I will then provide a howto for using this stuff here, but in that case I will also postpone this thread to the development section.

If there should be some positive results (fixes for the already appearing errors, concrete configuration, other enhancements, initscript {logrotate is already integrated} and even more), it's then up to you to bring this potential development, with a good implementation in IPFire, to the mailing list to ask for a release.

As a first idea...

Greetings,

UE

Post by ummeegge » August 9th, 2016, 12:33 pm

Added some new things to it in the meantime.

- Added Nginx as an upstream proxy for the already integrated lightweight netdata webserver, so it was possible to use HTTPS with PFS and authentication. A howto can be found here --> https://github.com/firehol/netdata/wiki ... hind-nginx which I followed pretty much as described there, but with some additions.

Fast howto:
1) Loaded nginx via Pakfire --> http://wiki.ipfire.org/nginx/start .

2) Create a directory for your self-signed CA (e.g. --> http://manual.seafile.com/deploy/https_with_nginx.html) and DH parameters (takes a long time)

Code: Select all

mkdir /etc/nginx/ca

Code: Select all

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/nginx/ca/nginx.key -out /etc/nginx/ca/nginx.crt

Code: Select all

openssl dhparam -out /etc/nginx/ca/dh.pem 3072
for Nginx under /etc/nginx/ca .

3) nginx config looks now like this:

Code: Select all

worker_processes  1;

events {
  worker_connections  1024;
}


http {
  upstream backend {
    # the netdata server
    server 127.0.0.1:19999;
    keepalive 64;
  }

  server {
    listen       1234 ssl http2;
    server_name  192.168.123.234;  # green0 IP

    # Authentication
    auth_basic            "Protected";
    auth_basic_user_file  .htpasswd;

    # TLS settings
    ssl_certificate       /etc/nginx/ca/nginx.crt;
    ssl_certificate_key   /etc/nginx/ca/nginx.key;
    ssl_protocols         TLSv1.3;
    ssl_ciphers           TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ARIA256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ARIA128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-ARIA256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-ARIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384;
    ssl_prefer_server_ciphers   on;

    ssl_dhparam           /etc/nginx/ca/dh.pem;
    ssl_ecdh_curve        X25519:secp521r1:secp384r1;

    ssl_session_cache     shared:SSL:1m;
    ssl_session_timeout   5m;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
    location / {
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass http://backend;
      proxy_http_version 1.1;
      proxy_pass_request_headers on;
      proxy_set_header Connection "keep-alive";
      proxy_store off;
      
      auth_basic            "Protected";
      auth_basic_user_file  .htpasswd;
    }

    # make sure there is a trailing slash at the browser
    # or the URLs will be wrong
    location ~ /netdata/(?<behost>.*) {
      return 301 /netdata/$behost/;
    }
  }
}

In this configuration Nginx uses TCP port '1234' for HTTPS and redirects the traffic to netdata's webserver, which operates as an upstream backend on '127.0.0.1:19999' TCP.

4) Added password file with credentials with a

Code: Select all

htpasswd -c /etc/nginx/.htpasswd ummeegge

New password: 
Re-type new password: 
Adding password for user ummeegge
5) Created an initscript for netdata under /etc/rc.d/init.d/netdata:

Code: Select all

#!/bin/sh
# Begin $rc_base/init.d/netdata
#
# $LastChangedBy: ummeegge $
# $Date: 2016-08-07 13:45:22 -0500 (Sun, 07 Aug 2016) $
######################################################
#

# Locations
NAME="netdata"
BIN=$(which netdata);
CONF="/etc/netdata/netdata.conf";
LOG="/var/log/netdata/";
PID="/var/run/netdata.pid";
#LANIP=$(awk -F"=" '/GREEN_ADDRESS/ { print $2 }' /var/ipfire/ethernet/settings);
LANIP="127.0.0.1";
PORT="19999";
USER="netdata";
DAEMONARGS="-c ${CONF} -P ${PID} -i ${LANIP} -p ${PORT} -u ${USER}";

. /etc/sysconfig/rc
. $rc_functions

# Quoted so that an empty ${BIN} (netdata not in PATH) fails the test
[ -x "${BIN}" ] || exit 1

case "$1" in
	start)
		boot_mesg "Starting ${NAME} daemon... ";
		loadproc ${BIN} ${DAEMONARGS};
		evaluate_retval;
		;;

	stop)
		boot_mesg "Stopping ${NAME} daemon... ";
		killproc -p ${PID} ${BIN};
		# Report the result of killproc, not of the rm below
		evaluate_retval;
		rm -f ${PID};
		;;

	reload)
		boot_mesg "Reloading ${NAME} daemon...";
		reloadproc ${BIN};
		evaluate_retval;
		;;

	restart)
		$0 stop
		sleep 1
		$0 start
		;;

	status)
		statusproc ${BIN};
		;;

	*)
		echo "Usage: $0 {start|stop|reload|restart|status}"
		exit 1
		;;
esac

# End $rc_base/init.d/netdata

whereby netdata still listens on 'TCP 19999', but on the localhost interface defined with '127.0.0.1'. For now I left the symlinks out because Netdata is still in the testing phase. The netdata initscript needs appropriate permissions:

Code: Select all

chmod 754 /etc/rc.d/init.d/netdata
chown root:root /etc/rc.d/init.d/netdata
5) Disabled netdata's access.log under /etc/netdata/netdata.conf in the [global] section with a

Code: Select all

access log = none
because Nginx does this from now on.

6) Added some other (in netdata terms) apps, for IDS/IPSs like Snort, Guardian, Ossec and Portspoof which was done very easily under /etc/netdata/apps_groups.conf (formatting examples are in there).

7) Disabled cgroups and node.d in netdata.conf to reduce the error.log.

--> Now both services can be restarted

Code: Select all

/etc/init.d/nginx restart
/etc/init.d/netdata restart
8) Currently trying a netdata build for IPFire.

Until now netdata works smoothly and looks nice .-)

UE

P.S. Postponed thread to development section
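
The setup in this post relies on netdata's own webserver being bound to loopback, so that Nginx on port 1234 is the only path and TLS plus the password always apply. The following check is an added example, not part of the original post: it reads `ss -ltn` output and reports every non-loopback address on which the backend port listens. The function names and sample listings are constructed, and having `ss` on the box is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread): flag a netdata backend that can be
# reached without going through the Nginx proxy.

# exposed_backend PORT
#   stdin : output of `ss -ltn` (column 4 = local address:port)
#   stdout: one line per non-loopback address listening on PORT
exposed_backend() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4
            if (!match(la, /:[0-9]+$/)) next        # split at the last ":port"
            addr = substr(la, 1, RSTART - 1)
            if (substr(la, RSTART + 1) != port) next
            # 127.0.0.0/8 and ::1 are reachable only from the box itself
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            print addr                              # also 0.0.0.0, * and [::]
        }'
}

# Constructed sample: the layout from the howto (backend on loopback only).
SAMPLE_PROXIED='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    127.0.0.1:19999      0.0.0.0:*
LISTEN 0      128    192.168.123.234:1234 0.0.0.0:*'

# Constructed sample: backend bound to the green IP and to the IPv6 wildcard.
SAMPLE_DIRECT='State  Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN 0      128    192.168.123.234:19999 0.0.0.0:*
LISTEN 0      128    [::]:19999            [::]:*
LISTEN 0      128    192.168.123.234:1234  0.0.0.0:*'

# report LABEL LISTING: print a one-line verdict for a listing
report() {
    found=$(printf '%s\n' "$2" | exposed_backend 19999 | tr '\n' ' ')
    if [ -n "$found" ]; then
        echo "$1: backend reachable without the proxy on: $found"
    else
        echo "$1: backend is loopback-only"
    fi
}

report proxied "$SAMPLE_PROXIED"
report direct  "$SAMPLE_DIRECT"
# On a live system: ss -ltn | exposed_backend 19999
```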

Post by ummeegge » August 12th, 2016, 4:36 pm

Possibly there is no interest in this topic anymore, but I wanted to announce nevertheless an IPFire package for Netdata, which can be found here --> http://people.ipfire.org/~ummeegge/netdata/ .
What is in there:
1) An initscript starts Netdata on port 19999, listening only on the green interface. Symlinks for the runlevels aren't added in this version, so a

Code: Select all

/etc/init.d/netdata start
needs to be done after every reboot, or after a start of the system in general.
2) Logrotate script for /var/log/netdata which rotates currently one time a week.
3) The installer adds the group and user 'netdata' (because Netdata runs with group and user 'netdata' <- same as 'nobody'), and also sets some needed permissions after installation.
4) uninstall.sh removes them also.

Maybe enough for now.

Greetings,

UE

Garp
Posts: 127
Joined: July 8th, 2014, 7:38 am
Location: The Netherlands

Post by Garp » August 13th, 2016, 9:27 am

Thx, it looks interesting. Will try it. Few questions:

1. How do I install this on my IPFire box? Downloading the file and then running pakfire install filename doesn't do the trick
2. Will the package interfere with my current nginx setup on my IPFire box?
Provide some additional protection for the clients on your network in a few easy steps: viewtopic.php?f=27&t=12122&p=78219#p78219

Post by ummeegge » August 13th, 2016, 10:21 am

You're welcome,
Garp wrote: 1. How do I install this on my IPFire box? Downloading the file and then running pakfire install filename doesn't do the trick
a) Navigate to

Code: Select all

cd /opt/pakfire/tmp
b) download the package from here --> http://people.ipfire.org/~ummeegge/netd ... r-1.ipfire with a

Code: Select all

wget http://people.ipfire.org/~ummeegge/netdata/netdata-master-1.ipfire
c) Check the sha256 sum

Code: Select all

sha256sum netdata-master-1.ipfire
which should be

Code: Select all

eb096c7626d98e85519b9d27d8cdf5e4c1dcadc67c096b3178967a3bd9a12972
d) if it´s correct unpack it

Code: Select all

tar xvf netdata-master-1.ipfire
e) and install it

Code: Select all

./install.sh
The package also provides an uninstaller which deletes, besides the netdata directories, the newly added user and group 'netdata', so you can download it again for uninstallation or keep the package for this case.
Garp wrote:2. Will the package interfere with my current nginx setup on my IPFire box?
No, because Netdata delivers its own webserver (a lightweight one; the whole installation currently needs 20 MB RAM in my configuration) and the IPFire package does not provide the above mentioned Nginx installation (configuration); this needs to be done manually and in an extra step.
After installation Netdata will be started via its initscript (under /etc/rc.d/init.d/netdata) and listens only on the green interface on port 19999 TCP.

UE
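
Steps c) and d) of this post compare the checksum by eye. As an added example (not part of the original post), the script below turns that comparison into a hard gate, so the archive is only unpacked when its SHA-256 equals the published value. The function names are hypothetical and the demo runs on a constructed archive rather than the real package.

```sh
#!/bin/sh
# Added example (not from the thread): unpack a downloaded package only if
# its SHA-256 equals the value published in the post.

sha256_of() { sha256sum "$1" | awk '{ print $1 }'; }

# verify_pkg FILE EXPECTED_SHA256
#   0 = match, 1 = mismatch, 2 = unusable input (no file / malformed hash)
verify_pkg() {
    want=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    [ -f "$1" ] || { echo "verify_pkg: no such file: $1" >&2; return 2; }
    case $want in
        *[!0-9a-f]*) echo "verify_pkg: hash is not hex" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "verify_pkg: need 64 hex digits" >&2; return 2; }
    got=$(sha256_of "$1")
    [ "$got" = "$want" ] && return 0
    echo "verify_pkg: MISMATCH for $1" >&2
    echo "  expected $want" >&2
    echo "  actual   $got" >&2
    return 1
}

# unpack_verified FILE EXPECTED_SHA256 DESTDIR (nothing is extracted on failure)
unpack_verified() {
    verify_pkg "$1" "$2" || return $?
    tar xf "$1" -C "$3"
}

# With the values from the post, run from /opt/pakfire/tmp:
#   PKG=netdata-master-1.ipfire
#   SUM=eb096c7626d98e85519b9d27d8cdf5e4c1dcadc67c096b3178967a3bd9a12972
#   unpack_verified "$PKG" "$SUM" . && ./install.sh

# Demo on a constructed archive that stands in for the real package.
demo() {
    d=$(mktemp -d) && mkdir "$d/out" && echo 'echo constructed' > "$d/install.sh"
    tar cf "$d/pkg.tar" -C "$d" install.sh
    sum=$(sha256_of "$d/pkg.tar")
    unpack_verified "$d/pkg.tar" "$sum" "$d/out" && echo "intact: unpacked"
    printf 'x' >> "$d/pkg.tar"                     # simulate a modified download
    unpack_verified "$d/pkg.tar" "$sum" "$d/out" 2>/dev/null || echo "modified: refused"
    rm -rf "$d"
}
demo
```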

Post by Garp » August 13th, 2016, 10:41 am

Thx. It installed OK and runs flawlessly.

This is a really useful tool!

Post by ummeegge » August 13th, 2016, 11:10 am

Yes, I like it too.
Some optimization still needs to be done for IPFire, even if it works out of the box. If you check the error log from Netdata you will get some hints on that.
Another great thing is that it is not that hard to give your own plugins and charts a try --> https://github.com/firehol/netdata/wiki/Writing-Plugins . You can use Bash or even Python for it; Java seems to be the fastest way, but I left it out because IPFire does not serve node.js.

Also to collect different IPFires in one webinterface or even to customize the dashboard to individual needs seems not to be that hard --> http://netdata.rocks/ --> https://github.com/firehol/netdata/wiki ... Dashboards .

A lot more is possible; the wiki is well documented --> https://github.com/firehol/netdata/wiki and the development community is active --> https://github.com/firehol/netdata .

The development community of netdata also develops firehol. Costa was already here in the forum to help us out with the integration of their firehol blacklists for IPset --> viewtopic.php?t=15124 . I have seen that the firehol binary can also be used for netdata; I built it at that time, but compiled only the 'update-ipset' binary and the 'iprange' sources into it --> http://people.ipfire.org/~ummeegge/ipset/ .

Maybe there is more? If you find/develop/fix some things, let me know ;) .

Greetings,

UE

Post by ummeegge » August 25th, 2016, 3:13 pm

Some fixes --> https://github.com/firehol/netdata/commits/master and features are out incl. health monitoring --> https://github.com/firehol/netdata/wiki ... monitoring . Have made a new build which is available under the above mentioned address.

Netdata alert example over a WI and Nginx as upstream proxy:
Image

UE

Post by ummeegge » August 29th, 2016, 7:28 am

Netdata has released a new version 1.3.0 --> https://github.com/firehol/netdata which includes, besides the health monitoring --> https://github.com/firehol/netdata/wiki ... monitoring , also so-called badges --> https://github.com/firehol/netdata/wiki ... ing-Badges.
I have now compiled this version and left the master build behind.
This version now includes all existing files from netdata (also node.d) for further testing and further extended systems.

Please use testing systems for this.
Do not use Virtualbox and Netdata --> https://forum.ipfire.org/viewtopic.php? ... 00#p100382

I have also written an installer, uninstaller and updater for Netdata on IPFire, which you can get and start with the following commands:

Code: Select all

cd /tmp \
&& wget http://people.ipfire.org/~ummeegge/netdata/netdata_installer.sh \
&& chmod +x netdata_installer.sh \
&& ./netdata_installer.sh
the script is then located under /tmp .

All files can be found here --> http://people.ipfire.org/~ummeegge/netdata/ . If you find bugs or have problems with this script, let me know.
Feedback might be nice ;) .

Greetings,

UE

the-mk
Posts: 28
Joined: February 19th, 2016, 2:23 pm

Post by the-mk » September 3rd, 2016, 10:55 am

Hi,
just wanted to test netdata on an IPFire installed on a VirtualBox (not the one in the signature) and installed it as described in the latest post.
As soon as it tries to start the service, it looks like it is breaking something.
Then I rebooted (the hard way) and did a "/etc/init.d/netdata start" - also not working.
Messages I get:
VirtualBox_IPfire_03_09_2016_12_44_44.jpg
VirtualBox_IPfire_03_09_2016_12_44_55.jpg
VirtualBox_IPfire_03_09_2016_12_45_12.jpg
VirtualBox_IPfire_03_09_2016_12_45_21.jpg
is there a way to get around it?

ummeegge
Community Developer
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Re: Adding netdata to pakfire

Post by ummeegge » September 4th, 2016, 6:27 am

Hi and thanks for the reply,
I can reproduce this error on VirtualBox, but I'm currently not sure how to prevent or get around this; I will need a deeper look there.

UE

Post by the-mk » September 4th, 2016, 7:03 am

Thanks!
so on physical hardware and/or other virtualizations than virtualbox this is not happening?

Post by ummeegge » September 4th, 2016, 7:33 am

Netdata works here on 2 different machines (signature) without problems, but it won't work on 64 bit or ARM platforms.

UE

billybob
Posts: 14
Joined: February 2nd, 2015, 7:02 pm

Post by billybob » September 4th, 2016, 3:33 pm

First a big thank you for this. I had seen the project in action a few months ago and would love to see it supported by the IPFire team. Your installer is very nice and clean and I tried installing on an old laptop that does my backup routing. I ran into some trouble, probably because the hardware is too old. (I didn't want to try on my main IPFire box >:D )
Apparently grsec didn't like the kernel crash.

Code: Select all

09:56:41	kernel:	grsec: banning user with uid 1001 until system restart for suspicious kernel crash
09:56:41	kernel:	---[ end trace 4bb4159930523318 ]---
09:56:41	kernel:	EIP: [<c045bd62>] copy_process.part.42+0x11f2/0x15a0 SS:ESP 0068:c8c15ed4
09:56:41	kernel:	Code: 20 75 28 8b 48 5c 85 c9 74 19 81 78 04 00 00 00 60 0f 87 9e 03 00 00 3b 41 5c 0f 85 93 03 00 00 89 50 5c 8b 40 08 8b 52 08 eb bd <0f> 0b 85 d2 75 79 8b 45 d0 8b 55 dc 8d b6 00 00 00 00 8b 45 c0
09:56:41	kernel:	[<c09ff4e4>] syscall_call+0x7/0x7
09:56:41	kernel:	[<c045c615>] SyS_clone+0x25/0x30
09:56:41	kernel:	[<c045c29d>] do_fork+0xad/0x360
09:56:41	kernel:	Call Trace:
09:56:41	kernel:	00000000 01200011 fffffff4 c81c6180 01200011 00000001 c8c15f6c c045c29d
09:56:41	kernel:	c81c3a80 00000000 c9c621e0 c81c3d7c 00000000 c9c623c0 00000000 00000000
09:56:41	kernel:	c832bc70 c832bc10 c832bc14 c832bc08 00000000 c832bc00 c9c623f8 c9c62218
09:56:41	kernel:	Stack:
09:56:41	kernel:	CR0: 8005003b CR2: 4fc5beb0 CR3: 0bb76000 CR4: 000007f0
09:56:41	kernel:	DS: 0068 ES: 0068 FS: 00d8 GS: 00e0 SS: 0068
09:56:41	kernel:	ESI: c9c623c0 EDI: c9c621e0 EBP: c8c15f2c ESP: c8c15ed4
09:56:41	kernel:	EAX: c8bfc6c0 EBX: c81c3a80 ECX: c8f68ae0 EDX: 00000000
09:56:41	kernel:	EIP: 0060:[<c045bd62>] EFLAGS: 00010246 CPU: 0
09:56:41	kernel:	task: c81c6180 ti: c81c65e0 task.ti: c81c65e0
Will test on other hardware soon. Thanks again for this.
Regards
Bill
IPFire 2.19 (i586) - Core Update 102
