How to: gkrellm for multiple servers auto. and securely
timfreeman
Tux's lil' helper
Joined: 19 May 2003
Posts: 142
Location: Chicago

PostPosted: Tue Oct 28, 2003 8:10 pm    Post subject: How to: gkrellm for multiple servers auto. and securely

How to set up gkrellm to monitor multiple servers automatically and securely.

Synopsis

I found this thread and this thread here explaining how to set up a server not running X to serve the gkrellmd daemon and how to connect and listen to it. This is a great feature of gkrellm2 and I naturally wanted to find a secure solution. On the web, I found this article explaining how the author implemented his solution.

In this howto, I basically use that solution. However, I modify it to apply to gentoo setups, use a user besides root, set up a keypair, get rid of the open ssh terminals, and wrap it all in a shell script.

Install gkrellm

gkrellm installs just fine with USE="-gtk -gtk2", eliminating any need for X to be on your server.

Confirm you can listen without security:
Code:

#on gentoo server:
/etc/init.d/gkrellmd start

#on display machine:
gkrellm2 -s somehost

(adding -w will put it in the slit in fluxbox)


Their secure solution

The solution from NetAdminTools.com is to launch the daemons with command line flags that limit the connection to the gkrellm server to localhost and then forward the port to the display computer via ssh. This is very handy and eliminates most security problems especially for servers that don't have shell accounts (in which case really no one but the admins can see the status info being served only to localhost).

Besides the problem of letting anyone be able to view status information, there were some security problems associated with the daemon itself that I think have been solved (anybody know for sure?).

Gentoo

Basically, instead of their command line options, change /etc/gkrellmd.conf and add the daemon to default.

These are my changes, yours may differ. The port change just follows their change and is not necessary.

On each machine (not the display machine) edit /etc/gkrellmd.conf
Code:

# Limit number of simultaneous clients allowed to connect.
#
max-clients 1

# Specify the port to listen on for connections.
#
port 3000

# List of hosts allowed to connect.  If no hosts are specified in a
# gkrellmd.conf file or on the command line, all hosts will be allowed.
#
allow-host   127.0.0.1
allow-host   localhost


The last part is basically how to get security. By restricting gkrellmd to serve only local connections, joe schmoe can't monitor your server. With this setup, you just port forward ssh to get to it.

The other options you might pay attention to are the inet-interval for SMP machines and the drop privileges. Well, you should look at them all, heh.

Now, on each machine (not the display machine) run
Code:

rc-update add gkrellmd default
/etc/init.d/gkrellmd start


Make a krellm user


This step is unnecessary but I wanted to create a non-root user with less privileges than a normal user and make a keypair for automatic logins to forward the port. If you wind up using the script below and don't like this, just change the username variables for each server. If you have a better method, speak up!

Quick steps as root on each server:
Code:

useradd krellm -m -G users -s /bin/bash
passwd krellm
cd /home/krellm
mkdir .ssh
chown krellm .ssh
chmod 700 .ssh


Now on the display computer (assuming openSSH):
Code:

#as the user who will run the X server on the display computer
#don't make password blank, we'll use ssh-agent later
#(ssh-keygen refuses "-b 4096" for dsa: DSA keys are fixed at 1024 bits, so use rsa)
ssh-keygen -t rsa -b 4096

#repeat this for each server (note: this overwrites the server's existing authorized_keys2)
scp .ssh/id_rsa.pub krellm@EACHSERVER:.ssh/authorized_keys2


Now you should be able to ssh to the servers. You should see a line asking for your private key password. Try it out to make sure it works.

Also try out ssh-agent if you feel like it.
Code:

ssh-agent bash
ssh-add
#Now if you do "ssh -l krellm SERVER" you should be logged right in.


(ssh-agent allows you to use an unlocked private key for your current session only; see more: drobbins' 3-part article on using ssh)

Testing gkrellmd

So, if it works then try out gkrellm:

EDIT: changed to -N per ang's suggestion
Code:

# the forward target is localhost as seen from SERVER: that is the only source
# address "allow-host 127.0.0.1" in gkrellmd.conf lets through
ssh -N -l krellm -L 3000:localhost:3000 SERVER &
gkrellm2 -s localhost -P 3000 &

(again, add -w to the last line to put it in the slit in fluxbox)

EDIT:
The -N sets up ssh with no login shell. (I don't know how well this works with authentication, 'cause I'm just using keys. It might background before you have a chance to bg... the old -f way waited.)

So that's it. You listen on your local port 3000 for a gkrellm server which happens to really be your 3000 port on your server and there it is.

For each additional server, note the local port on your display computer must be different. So something like this:

Code:

# each forward targets localhost on its own server, on a distinct local port
ssh -N -l krellm -L 3000:localhost:3000 SERVER &
ssh -N -l krellm -L 3001:localhost:3000 SERVER2 &
ssh -N -l krellm -L 3002:localhost:3000 SERVER3 &
gkrellm2 -s localhost -P 3000 &
gkrellm2 -s localhost -P 3001 &
gkrellm2 -s localhost -P 3002 &



Automate:

I wrote a little script to drive the process.
For convenience mode, start ssh-agent before running the script.


I did the kill function with ps ax and cut because creating a file with the PIDs seemed too tedious.. same for new environment vars. But that may be a better idea for some reason?

Code:


#!/bin/bash

# gkr -- v.0.1 -- 10/28/03 -- forums.gentoo.org

# Script to log in to multiple servers running the gkrellmd daemon
# restricted to localhost.  This logs in and forwards that local
# server port to the local port of the display computer and then
# displays gkrellm for each server

# change this to number of servers
numhosts=4



# if you are not using the user "krellm" you'll have to change
# the second grep to zero in on the port forwarding processes.
 
# tweak this::

killgkrellm() {

# "grep -v grep" keeps the grep process itself out of the list, and awk
# takes the PID column, which "cut -c 1-5" gets wrong once PIDs reach 6 digits
ps ax | grep "gkrellm2 -s" | grep -v grep | awk '{print $1}' | xargs kill
ps ax | grep "krellm -L" | grep -v grep | awk '{print $1}' | xargs kill

}


# check for kill command

if [ "$1" = "kill" ]; then
  killgkrellm
  exit 0
fi


# establish forwarding connections and start monitoring
# you could easily put an options variable in there for each server.. and put $options down below

x=0
while [ $x -ne $numhosts ]; do

  case $x in

    0)  host="192.168.1.100";username=krellm; remoteport=3000; localport=3000;;
    1)  host="192.168.1.101";username=krellm; remoteport=3000; localport=3001;;
    2)  host="192.168.1.102";username=krellm; remoteport=3000; localport=3002;;
    3)  host="192.168.1.103";username=krellm; remoteport=3000; localport=3003;;
  esac
 
  ssh -N -l $username -L $localport:localhost:$remoteport $host &
  gkrellm2 -s localhost -P $localport -w &
  x=`expr $x + 1`

done




Anyone try it out? Any suggestions? Any suggestions for making it more universally usable or better?


Last edited by timfreeman on Wed Jan 28, 2004 8:33 pm; edited 4 times in total
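The same forward-and-monitor loop as the gkr script above, written as an added example (not the thread's own script) that records the PIDs it starts in a pid file so "kill" signals exactly those processes rather than whatever "ps ax | grep" matches. The host table and pid-file path are constructed assumptions.

```shell
#!/bin/bash
# Added example, not the thread's own "gkr" script.  Same idea: one ssh
# forward plus one gkrellm2 per server, but every PID this script starts
# is written to a pid file, so "gkr kill" signals exactly those processes
# instead of whatever "ps ax | grep" happens to match.
# The host table is constructed for illustration: host user remoteport localport
HOSTS="192.168.1.100 krellm 3000 3000
192.168.1.101 krellm 3000 3001
192.168.1.102 krellm 3000 3002"
PIDFILE="${GKR_PIDFILE:-$HOME/.gkr.pids}"

# The forward target is localhost *as seen from the server*: the only source
# address that "allow-host 127.0.0.1" in gkrellmd.conf accepts.
# ExitOnForwardFailure makes ssh exit instead of idling if the local port is taken.
ssh_cmd() {   # host user remoteport localport
  echo "ssh -N -o ExitOnForwardFailure=yes -l $2 -L $4:localhost:$3 $1"
}
gkrellm_cmd() {   # localport
  echo "gkrellm2 -s localhost -P $1 -w"
}

# Print every command "start" would run, one per line (usable as a dry run).
list_cmds() {
  printf '%s\n' "$HOSTS" | while read -r host user rport lport; do
    [ -n "$host" ] || continue
    ssh_cmd "$host" "$user" "$rport" "$lport"
    gkrellm_cmd "$lport"
  done
}

start_all() {
  : > "$PIDFILE"
  list_cmds | while read -r cmd; do
    # arguments contain no whitespace, so plain word splitting is safe here
    $cmd &
    echo $! >> "$PIDFILE"
  done
}

kill_all() {
  [ -f "$PIDFILE" ] || return 0
  while read -r pid; do kill "$pid" 2>/dev/null || true; done < "$PIDFILE"
  rm -f "$PIDFILE"
}

case "${1:-}" in
  start) start_all ;;
  kill)  kill_all ;;
  list)  list_cmds ;;
esac
```

Run it as "gkr list" to see the commands before "gkr start", and start ssh-agent first as the howto says so the key is unlocked once.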
meowsqueak
Veteran
Joined: 26 Aug 2003
Posts: 1549
Location: New Zealand

PostPosted: Tue Oct 28, 2003 10:09 pm

Gosh, that looks like a lot of work. I just use X forwarding over SSH and open a single gkrellm for each machine. On a fast LAN, it works well.
jingo
Tux's lil' helper
Joined: 04 Dec 2002
Posts: 134
Location: Denmark

PostPosted: Tue Oct 28, 2003 10:27 pm

Thanks, this was exactly what I was looking for!

Jingo
timfreeman
Tux's lil' helper
Joined: 19 May 2003
Posts: 142
Location: Chicago

PostPosted: Wed Oct 29, 2003 12:04 am

meowsqueak wrote:
Gosh, that looks like a lot of work. I just use X forwarding over SSH and open a single gkrellm for each machine. On a fast LAN, it works well.


Yeah, I know it looks like a lot, but this way I type one thing and there they all are. And no need for X to be on the servers.

It's a quick setup:

change gkrellmd.conf
add gkrellmd to default and start on each server

start ssh-agent on laptop

start:
gkr

kill:
gkr kill


Yeah, I guess it's just one of those things that would annoy me if I had to go through and type a password in for each one..

Hope someone likes it, it's my first gentoo howto.
meowsqueak
Veteran
Joined: 26 Aug 2003
Posts: 1549
Location: New Zealand

PostPosted: Wed Oct 29, 2003 12:58 am

You don't need X on the servers - you only need the X client libs. But thanks for the howto anyway - it's always good to see alternatives (and I do realise your method is subtly different too).
timfreeman
Tux's lil' helper
Joined: 19 May 2003
Posts: 142
Location: Chicago

PostPosted: Wed Oct 29, 2003 3:49 am

Oh, cool, I've never heard that. Well, you should modify the script to log in to each server and forward X then, cool. Then it would be automatic.

The "method" is just setting up ssh-agent and running a shell script. But because it is the -f option (which will work with X forwarding too) you can use it with the agent, with regular key, or with passwords and it will just wait for the authentication before putting it in the background. This would complement and enhance your method.

Anyhow, it was fun and only took an hour or two and I hopefully helped someone just starting with ssh too. If you don't make a new user and use root or an existing user, this would only take about 10 minutes to get up and running.

I couldn't imagine doing it manually if I had 10 servers instead of two!
ang
n00b
Joined: 30 Jan 2003
Posts: 29

PostPosted: Sat Jan 10, 2004 1:29 pm    Post subject: gkrellmd and ssh timeout

As I see it, the ssh command is called with a timeout (sleep 1d); that means the connection will be broken in the background.

I rather use

Code:
/etc/init.d/gkrellmd start


for starting the daemon on a host, having assigned all those variables in the /etc/gkrellmd.conf:
Code:

# /etc/gkrellmd.conf:
allow-host localhost
allow-host 127.0.0.1
allow-host ${HOST}
port ${PORT}
detach
user nobody
group proc

All for security... edit ${HOST} and ${PORT} as needed (could be your IP).

The script I use for linking up to a ${HOST} from monitoring machine:

Code:
ssh -N -L ${PORT}:${HOST}:${PORT} ${ADMIN}@${HOST} &


The -N option for ssh creates the forwarding only, without the need to execute a command like sleep.

And finally, on the monitoring machine:

Code:
gkrellm2 -s localhost -P ${PORT} &
timfreeman
Tux's lil' helper
Joined: 19 May 2003
Posts: 142
Location: Chicago

PostPosted: Sat Jan 10, 2004 1:37 pm

Very cool, thank you, I'll give that a shot.
timfreeman
Tux's lil' helper
Joined: 19 May 2003
Posts: 142
Location: Chicago

PostPosted: Wed Jan 28, 2004 12:03 am

Implementing the -N change here. You don't really want to list the allow-hosts in your conf file if you're moving around. I can't do it by IP etc. because I use DHCP servers and public networks a lot.

Because you're allowing hosts, why do you need to forward ports in the first place? Those allowhosts are irrelevant.

(I edited the script; it works much better here, thank you.)
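The point made above, that an allow-host entry for a real address makes the forward pointless, can be checked mechanically. This is an added example, not from the thread: a small shell check that reads a gkrellmd.conf and reports whether the daemon is restricted to loopback; the three sample config files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: check that a gkrellmd.conf keeps the
# property the howto relies on, that gkrellmd accepts only loopback clients,
# so the ssh forward is the only way in.  Exit status: 0 = loopback only,
# 1 = some allow-host is not loopback, 2 = no allow-host at all (gkrellmd
# then allows every host, as the comment in the shipped conf says).
# Only the conf file is inspected; -a/--allow-host on the command line is not.
check_gkrellmd_conf() {   # path to gkrellmd.conf
  awk '
    /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
    $1 == "allow-host" {
      seen++
      if ($2 != "127.0.0.1" && $2 != "localhost" && $2 != "::1") {
        print "non-loopback allow-host: " $2
        bad++
      }
    }
    END {
      if (seen == 0) { print "no allow-host: every host may connect"; exit 2 }
      exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample configs so the check can be run offline.
SAFE_CONF=$(mktemp)
cat > "$SAFE_CONF" <<'EOF'
# gkrellmd.conf as in the howto: serve localhost only
max-clients 1
port 3000
allow-host   127.0.0.1
allow-host   localhost
EOF

OPEN_CONF=$(mktemp)
cat > "$OPEN_CONF" <<'EOF'
port 3000
allow-host 127.0.0.1
allow-host 192.168.1.50
EOF

NONE_CONF=$(mktemp)
cat > "$NONE_CONF" <<'EOF'
port 3000
max-clients 1
EOF
```

Run check_gkrellmd_conf /etc/gkrellmd.conf on each server after editing; anything other than exit 0 means gkrellmd is reachable without the ssh forward.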
jesterspet
Apprentice
Joined: 05 Feb 2003
Posts: 215
Location: Atlanta

PostPosted: Thu Jan 29, 2004 3:25 am

timfreeman wrote:
I can't do it by IP etc. because I use DHCP servers and public networks a lot.


For this situation might I suggest you forgo the ssh method & use stunnel instead? That way you can start the tunnel from the monitoring host, secure your communications, & authenticate using Certificates of Authority, while ensuring that you can connect from any IP address (or just your ISP's range)

This method should also work well in large networks, as you wouldn't have to add all the public keys to each host, only the CA.
timfreeman
Tux's lil' helper
Joined: 19 May 2003
Posts: 142
Location: Chicago

PostPosted: Fri Mar 19, 2004 8:24 pm

Sweet, thanks, I'm on vacation here finally and didn't realize there was a reply. I only heard vague things about that. Stunnel looks really cool for this, most especially because it wouldn't need a user account. I had only ever seen that pre-packaged, didn't realize you can do it for arbitrary tcp connections, dope.
All times are GMT