Building Smokeping on CentOS and running without root permissions.

I needed smokeping to run some tests, but every guide online alluded to using root for the application user which is really not ideal. I’m still not happy about setuid for fping, but as long as you provide at least basic authentication on the web front end, it shouldn’t be too much of a problem when it comes to audit.

The sections mention swapping between smokeping and root users. This will typically involve a lot of ctrl + D and sudo su - commands. Use common sense in the procedure below for this and use the “id” command to check who you are effectively logged in as. I know you can chown -R but I chose to use the actual user and then lock it down once finished to avoid confusing permission oversights. :p

I have run through this procedure myself and it works on a CentOS minimal install. There was a frustrating issue I had with getting echoping built with ssl support. Running configure and running into library errors usually points to development versions not being installed, NOT the normal, user libraries. In this case, openssl-devel and popt-devel. Thanks to my good friend Cody for pointing this out before I went crazy! :D

smokeping install – CentOS 6
With credit to WeDebugYou.com for the base on which I built this procedure.


# 1) Create smokeping non-privileged user

sudo su -
useradd -m -s /bin/bash smokeping

# 2) Install prerequisite packages

yum install wget
cd /tmp
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm -Uvh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

# Required
yum install mod_fcgid httpd httpd-devel rrdtool fping wget curl bind-utils gcc make  
yum install perl perl-Net-Telnet perl-Net-DNS perl-LDAP perl-libwww-perl perl-RadiusPerl 
yum install perl-IO-Socket-SSL perl-Socket6 perl-CGI-SpeedyCGI perl-FCGI perl-RRD-Simple
yum install perl-CGI-SpeedyCGI perl-ExtUtils-MakeMaker


# 3) Install smokeping

cd /home/smokeping
mkdir smokeping
chown smokeping:apache smokeping	# Allow apache to read the dir later
chmod 750 smokeping			# Allow apache to read the dir later
su - smokeping
wget http://oss.oetiker.ch/smokeping/pub/smokeping-2.6.9.tar.gz

tar -zxvf smokeping-2.6.9.tar.gz -C /home/smokeping
cd smokeping-2.6.9/setup
./build-perl-modules.sh

cp -r ../thirdparty /home/smokeping/smokeping
cd ..
./configure --prefix=/home/smokeping/smokeping
make install


Create missing folders
cd /home/smokeping/smokeping
mkdir data var cache


# 4) Add startup script

[go back to root with ctrl + d ]

# Copy and paste from the line below into /etc/init.d/smokeping

#!/bin/sh
#
# smokeping    This starts and stops the smokeping daemon
# chkconfig: 345 98 11
# description: Start/Stop the smokeping daemon
# processname: smokeping
# Source function library.
. /etc/rc.d/init.d/functions

SMOKEPING=/home/smokeping/smokeping/bin/smokeping
SMOKEPINGUSER=smokeping
LOCKF=/var/lock/subsys/smokeping
CONFIG=/home/smokeping/smokeping/etc/config

[ -f $SMOKEPING ] || exit 0
[ -f $CONFIG ] || exit 0

RETVAL=0

case "$1" in
  start)
        echo -n $"Starting SMOKEPING: "
        daemon --user $SMOKEPINGUSER $SMOKEPING
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch $LOCKF
        ;;
  stop)
        echo -n $"Stopping SMOKEPING: "
        killproc $SMOKEPING
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f $LOCKF
        ;;
  status)
        status smokeping
        RETVAL=$?
        ;;
  reload)
        echo -n $"Reloading SMOKEPING: "
        killproc $SMOKEPING -HUP
        RETVAL=$?
        echo
        ;;
  restart)
        $0 stop
        sleep 3
        $0 start
        RETVAL=$?
        ;;
  condrestart)
        if [ -f $LOCKF ]; then
                $0 stop
                sleep 3
                $0 start
                RETVAL=$?
        fi
        ;;
  *)
        echo $"Usage: $0 {start|stop|status|restart|reload|condrestart}"
        exit 1
esac

exit $RETVAL

# Stop copying!

chmod 755 /etc/init.d/smokeping


# 5) Back to smokeping user to set up config (probably ctrl+D rather than sudo su command)

sudo su - smokeping
cd /home/smokeping/smokeping/etc
for foo in *.dist; do cp $foo `basename $foo .dist`; done
vi config

change the following:

owner    = Jean Debogue
contact  = noc@jeandebogue.com
cgiurl   = http://graph.mydomain.com/smokeping/smokeping.cgi

imgcache = /home/smokeping/smokeping/cache
datadir  = /home/smokeping/smokeping/data
piddir  = /home/smokeping/smokeping/var
smokemail = /home/smokeping/smokeping/etc/smokemail.dist
tmail = /home/smokeping/smokeping/etc/tmail.dist

*** Presentation ***

template = /home/smokeping/smokeping/etc/basepage.html.dist

:wq!


# 6) Configure smokeping for apache

sudo su -

cd /home/smokeping/smokeping
ln -s /home/smokeping/smokeping/cache /home/smokeping/smokeping/htdocs/cache
chown -R apache cache
chown -R apache data

Now edit apache config…

#Add these lines into the file /etc/httpd/conf.d/smokeping.conf (ignore the
#Auth stuff and htpasswd if you don't want to password protect the dir)
#I do this out of paranoia.


ScriptAlias /smokeping/smokeping.cgi /home/smokeping/smokeping/htdocs/smokeping.fcgi.dist
Alias /smokeping /home/smokeping/smokeping/htdocs

<Directory "/home/smokeping/smokeping/htdocs">
        Options FollowSymLinks
        AuthType Basic
        AuthName "Smokeping"
        AuthBasicProvider file
        AuthUserFile /etc/httpd/passwd/passwords
        Require valid-user
</Directory>


#Create Auth password if you need it...
mkdir /etc/httpd/passwd
htpasswd -c /etc/httpd/passwd/passwords webuser

[specify password, eg: smokeping]

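# Apache's worker processes (user apache) read this file on each request,
# so give the apache group read access and keep everyone else out
chown root:apache /etc/httpd/passwd/passwords
chmod 640 /etc/httpd/passwd/passwords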


#################### IF YOU HAVEN'T ALREADY SET APACHE UP PROPERLY DO IT NOW #####################
vi /etc/httpd/conf/httpd.conf

# IP below is an example!

Listen 192.168.1.25:80
DocumentRoot "/var/www/html"

And the rest…


# 7) setuid for fping
chown root:root /usr/sbin/fping
chmod u+s /usr/sbin/fping

edit /home/smokeping/smokeping/etc/config

remove the slaves section as we're not using that.

Replace the following from probes section

============================================================

*** Probes ***

+ FPing
binary = /usr/sbin/fping
packetsize = 750
step = 60

+ DNS
 binary = /usr/bin/dig
 server = 8.8.8.8
 pings = 3
 forks = 5

# Use these after you've compiled echoping
#+ EchoPingHttp
# binary = /usr/bin/echoping
# pings = 5
# forks = 5
# offset = 50%
# ipversion = 4
# url = /
#
#+ EchoPingHttps
# binary = /usr/local/bin/echoping
# pings = 5
# forks = 5
# offset = 50%
# ipversion = 4

+ Curl
 # probe-specific variables
 binary = /usr/bin/curl
 pings = 5

# a default for this target-specific variable
urlformat = http://%host%/


*** Targets ***

probe = FPing

menu = Top
title = Network Latency Grapher
remark = Welcome to the SmokePing website of SubnetZero.org!

 + network
 menu = Net latency
 title = Network latency (ICMP pings)

 ++ www1
 host = www.google.com

 + services
 menu = Service latency
 title = Service latency (DNS, HTTP)

 ++ DNS
 probe = DNS
 menu = DNS latency
 title = Service latency (DNS)

 +++ www1
 host = www.google.com

 + HTTP
 probe = Curl
 menu = http full page
 title = HTTP latency

 ++ www1
 host = www.google.com




==============================================

Double check permissions are ok:

ls -l /home/smokeping
drwxr-x---. 11 smokeping apache      4096 Jul  3 22:52 smokeping

cd /home/smokeping/smokeping
ls -l
drwxrwxr-x. 2 smokeping smokeping 4096 Jul  3 22:41 bin
drwxrwxr-x. 6 apache    smokeping 4096 Jul  3 23:55 cache
drwxrwxr-x. 6 apache    smokeping 4096 Jul  3 23:14 data
drwxrwxr-x. 3 smokeping smokeping 4096 Jul  3 23:13 etc
drwxrwxr-x. 3 smokeping smokeping 4096 Jul  3 23:28 htdocs
drwxrwxr-x. 3 smokeping smokeping 4096 Jul  3 22:42 lib
drwxrwxr-x. 3 smokeping smokeping 4096 Jul  3 22:42 share
drwxrwxr-x. 6 smokeping smokeping 4096 Jul  3 22:40 thirdparty
drwxrwxr-x. 2 smokeping smokeping 4096 Jul  3 23:13 var


If necessary..
chown -R apache cache
chown -R apache data

# 8) Start smokeping and apache
/etc/init.d/smokeping start
/etc/init.d/httpd start


#### TEST AND IF ALL IS OK.... #######

sudo su -

chkconfig --add smokeping
chkconfig httpd on
chkconfig smokeping on

#lock down smokeping user

usermod -s /bin/false smokeping
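
The end state this procedure aims for (daemon not running as root, set-uid fping, a protected password file, no world-writable paths in the install tree) can be checked with a short script. This is an added example, not part of the original post; the function names and the `--run` switch are made up for illustration, and it assumes GNU `stat` and that the daemon's command line contains the path to the smokeping binary.

```shell
#!/bin/sh
# Added example: audits the end state of the procedure on this page.
# Function names are illustrative; the paths are the ones the page uses.

# Octal mode of a file, e.g. 4755 (GNU stat, as shipped with CentOS).
mode_of() { stat -c '%a' "$1"; }

# stdin: "USER ARGS" lines as printed by `ps -eo user=,args=`.
# Prints the lines whose command line contains $1 and whose owner is root,
# which is what happens when the init script calls daemon without --user.
# The awk process running this filter is skipped so it cannot match itself.
root_owned() { awk -v pat="$1" '$1 == "root" && $2 != "awk" && index($0, pat)'; }

# Who may execute a set-uid file with octal mode $1:
# prints none (not set-uid), owner, group or world.
setuid_exposure() {
    m=$((0$1))
    if   [ $((m & 04000)) -eq 0 ]; then echo none
    elif [ $((m & 00001)) -ne 0 ]; then echo world
    elif [ $((m & 00010)) -ne 0 ]; then echo group
    else echo owner
    fi
}

# True if file $1 exists and "others" have no access to it at all.
no_other_access() { m=$(mode_of "$1") && [ $((0$m & 07)) -eq 0 ]; }

# World-writable files and directories under $1 (symlinks skipped).
world_writable() { find "$1" ! -type l -perm -0002 -print; }

audit() {
    prefix=${1:-/home/smokeping/smokeping} rc=0
    if ps -eo user=,args= | root_owned "$prefix/bin/smokeping" | grep -q .
    then echo "FAIL: smokeping daemon is running as root"; rc=1; fi
    fmode=$(mode_of /usr/sbin/fping) &&
        echo "INFO: set-uid fping can be run by: $(setuid_exposure "$fmode")"
    no_other_access /etc/httpd/passwd/passwords ||
        { echo "FAIL: htpasswd file missing or open to other users"; rc=1; }
    if [ -n "$(world_writable "$prefix")" ]
    then echo "FAIL: world-writable paths under $prefix"; rc=1; fi
    return $rc
}

# Run the audit only when asked to:  sh audit.sh --run [prefix]
if [ "${1:-}" = "--run" ]; then audit "${2:-}"; fi
```

A result of `world` for fping means any local account can run the set-uid binary; owning it `root:smokeping` with mode 4750 is one way to narrow that to the smokeping group.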

======================================================

# 9) Optional... build echoping with ssl

# If you locked down smokeping user already then do
usermod -s /bin/bash smokeping

sudo su - 
yum install openssl-devel popt-devel


sudo su - smokeping  
cd /tmp
wget http://downloads.sourceforge.net/project/echoping/echoping/6.0.2/echoping-6.0.2.tar.gz
tar zxvf echoping-6.0.2.tar.gz
cd echoping-6.0.2
./configure --prefix /usr/local/ --enable-icp --with-ssl --without-libidn


sudo su - 
cd /tmp/echoping-6.0.2
make test 
make install

#test echoping

/usr/local/bin/echoping -C -h /dana-na/auth/url_default/welcome.cgi rcseu.rabobank.com


#lock down smokeping user
usermod -s /bin/false smokeping

Note that if you want to use SSL (EchoPingHttps) probes, you MUST refer to the /usr/local/bin/echoping binary now instead of the one that may already be installed.

This is a fantastic tool but it does have some peculiarities. I don’t agree with the default graph scaling, which you’ll soon see clips out the “smoke” peaks. Changing unison_tolerance for targets can work around this to an extent but you have to remember that graphs scale to the median. You will also probably want to review the RRDTool database aggregation if you want high resolution polling.

Here are my changes in the config file for 1 minute resolution… If I’ve done anything wrong, I’ll be happy to correct this post.

# consfn mrhb steps total

AVERAGE  0.5   1  10080 # 7 days of 1 min = 86400 seconds in a day. So 86400 * 7 / (step value 60) = 10080
AVERAGE  0.5   5  8064  # 4 weeks of 5 min =  2016*5 min aggregates in a week = 8064
    MIN  0.5   5  8064
    MAX  0.5   5  8064
AVERAGE  0.5  60  2016 # 3 months of 1 hour = 24*60min aggregates in a day * 7days * 12 weeks = 2016
    MAX  0.5 144  2016
    MIN  0.5 144  2016

5 Responses to Building Smokeping on CentOS and running without root permissions.

  1. Cody says:

    I value our long-long-long (hmm, if long long is 64 bits, is long long long 128 bits? Okay, never mind the idiocy there) time friendship too! (Thanks btw – that meant a lot to me and the day you wrote it was actually not at all a good day so that was a highlight of the day). Still hard to believe how long it’s been. Anyway… as for configure: it’s because it’s looking for header files (function prototypes and declarations as opposed to implementation/definition) to (get this!) configure the build for the system in question. Unfortunately (as I’m sure you’re aware) there’s a real difficulty with establishing a single standard and even POSIX has done some idiotic things (Linus Torvalds mentions one in the man page for accept; it’s quite amusing and he put it quite well) so things differ from system to system (hence autoconf/automake). What you would find is that if you were to somehow have the header files but not the libraries (whether static or shared objects) instead of getting an error during configure you would get a linker error (it might go as far as compiling the source files up until the point it would link all the objects together and then give you an error like the below example I just created albeit by excluding the linker flag):


    $ cat test.c
    #include
    #include
    int main() { printf("%f\n", rint(1.1)); return 0; }
    $ gcc test.c
    /tmp/ccQfbwNR.o: In function `main':
    test.c:(.text+0x1c): undefined reference to `rint'
    collect2: error: ld returned 1 exit status

    And if you want to go the other way around then remove the inclusion of math.h and try compiling: although you would luck out with it being built-in (though not a proper code) you would still – unless you pass -lm to the linker (through gcc) – get the same error from ld.

  2. Cody says:

    Right. I bloody well hate html in posts…I always forget the ampersand codes. The includes (if I can get it right at this hour) should rather be (and if not oh well – it is time to try to get some sleep!):
    #include <stdio.h>
    #include <math.h>

  3. Keith says:

    I follow the procedure here to set up the smokeping application. But when I start the service smokeping, the process is still running as root user. From the /etc/init.d/smokeping script, I don’t see su to smokeping when starting the process as the line shows below:
    daemon $SMOKEPING

  4. Sol says:

    OK, I found what I’d missed and updated the script….

    Basically:

    SMOKEPINGUSER=smokeping
    

    and

    daemon --user=smokeping $SMOKEPING
    

    HTH… if you’ve already run it, chances are you’ll have to fix permissions.

  5. Tijs says:

    many many thanks!!
