Tuesday, January 22, 2019

Monitor letsencrypt certificates with Zabbix

Monitor letsencrypt certificates with Zabbix

Letsencrypt is a great free system to automatically provide SSL/TLS certificates for your website(s).
Zabbix is a great free system to monitor your IT infrastructure.

One of the main features of Zabbix is the ability to extend it with any kind of monitoring scripts.
So when you do use letsencrypt certificates, you can also monitor them from Zabbix.

There exists a template you can add to the Zabbix server, and the required config and script files you place on the agents.

These can be found here.

It provides these features:
- Autodiscovery of all active letsencrypt certificates
- Monitor the lifetime of the certificates
- Trigger when the certificates are about to expire (which means your auto-renew does not work correctly)
- Monitor the certbot version
- Trigger when the certbot version is below 0.28

The certbot version is important, since all certbot versions below 0.28 don't support the ACME-2.0 standard, which is required by letsencrypt since 13 February 2019.
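The checks listed above can be sketched as an agent-side script. This is an added example, not the template's own script; it assumes certbot's default /etc/letsencrypt/live layout, GNU date, and a hypothetical {#CERT_NAME} discovery macro.

```shell
#!/bin/sh
# Added example. /etc/letsencrypt/live is certbot's default layout; the
# {#CERT_NAME} macro and the function names are assumptions.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"

# Low-level discovery: one JSON entry per lineage directory holding a cert.pem.
discover_certs() {
    sep=''
    printf '{"data":['
    for dir in "$LIVE_DIR"/*/; do
        [ -f "${dir}cert.pem" ] || continue
        printf '%s{"{#CERT_NAME}":"%s"}' "$sep" "$(basename "$dir")"
        sep=','
    done
    printf ']}\n'
}

# Whole days until notAfter (0 or negative once expired). The name comes from
# the Zabbix server, so anything that could leave LIVE_DIR is rejected.
cert_days_left() {
    case "$1" in ''|*/*|.*) return 1 ;; esac
    end=$(openssl x509 -in "$LIVE_DIR/$1/cert.pem" -noout -enddate) || return 1
    end_s=$(date -d "${end#notAfter=}" +%s) || return 1   # GNU date syntax
    echo $(( (end_s - $(date +%s)) / 86400 ))
}

# Exit 0 when version $1 is lower than $2, comparing up to three numeric fields.
version_below() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# 1 when the installed certbot predates 0.28, else 0 (the trigger fires on 1).
certbot_outdated() {
    command -v certbot >/dev/null || return 1
    ver=$(certbot --version 2>&1 | awk '{print $NF}')
    if version_below "$ver" 0.28; then echo 1; else echo 0; fi
}
```

The agent user only needs read access to cert.pem, never to privkey.pem.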

With this you can relax about your SSL certificates: you won't have customers calling you in the morning because their website(s) have an invalid/expired certificate.

You can even enhance the ssl monitoring with more Zabbix templates from here.
These allow you to monitor also ftps/imaps/smtps/pop3s and other TLS/SSL secured connections.

We use these in our own environment, to make sure everything runs smoothly and that we are warned of potential problems before the customers notice them.

Friday, August 31, 2018

Java ffmpeg wrapper jave

Java ffmpeg wrapper

Over the last months we made some major enhancements to the jave library, which can be used from Java to analyze/convert audio and video files with the use of ffmpeg.

The project homepage can be found here https://github.com/a-schild/jave2

The main changes compared to the original package are:
- Support for Windows 32+64 bit
- Support for Linux 32+64 bit
- Support for OS-X 64bit
- Upgraded to ffmpeg 4.x (From 3.x)
- Enhanced output parsing
- Added options for running the encoding/decoding as a separate thread
- Added to maven central for simpler usage
- Many smaller enhancements

The project was initially started by Carlo Pelliccia at http://www.sauronsoftware.it/projects/jave/

You are welcome to contribute to the project with ideas and code.
You can use the github page for this.

Monday, July 2, 2018

Install Zabbix agent on FreeNAS 11.x

There is no official Zabbix Agent binary for FreeNAS, so it has to be compiled from source on another machine. There are several options to do so; I decided to just spin up a FreeBSD Vagrant VM to build the binary.
This post is based on the post from [1] with some enhancements.


For a more recent howto, see here

Vagrant VM

Setup VM & Build Environment

  1. Create Vagrantfile:
    Vagrant.configure("2") do |config|
      config.vm.box = "freebsd/FreeBSD-11.1-STABLE"
      config.vm.base_mac = "000000123456"
    end
    
  2. Start VM: vagrant up
  3. Enter VM: vagrant ssh
  4. Install dependencies:
    sudo pkg install -y curl autoconf automake gettext gcc pcre
    

Compile Zabbix Agent

  1. Download source: https://www.zabbix.com/download_sources#tab:40LTS
  2. Fetch and unpack one release (3.4.14 or 4.0.3) and change into its directory:
    curl -fsSL "https://sourceforge.net/projects/zabbix/files/ZABBIX%20Latest%20Stable/3.4.14/zabbix-3.4.14.tar.gz/download" | tar zxvf -
    cd zabbix-3.4.14
    # or, for the 4.0 series:
    curl -fsSL "https://sourceforge.net/projects/zabbix/files/ZABBIX%20Latest%20Stable/4.0.3/zabbix-4.0.3.tar.gz/download" | tar zxvf -
    cd zabbix-4.0.3
  3. Build with TLS support for encryption:
    ./configure --enable-agent --with-openssl --enable-ipv6
    sudo make install
    
  4. Transfer compiled binary to FreeNAS system:
    scp /usr/local/sbin/zabbix_agentd root@$FREENAS_IP:/usr/local/sbin/
    
  5. Leave VM: exit
  6. Destroy VM (optional): vagrant destroy

FreeNAS

After the zabbix_agentd binary is transferred to the FreeNAS system, it’s time to SSH into it to configure the agent.

Zabbix Agent Configuration

  1. Add user:
    pw groupadd zabbix
    pw useradd zabbix -c "Daemon user for Zabbix agent" -d /nonexistent -s /usr/sbin/nologin -w no -g zabbix 
    Note: create the zabbix user and group via the WebUI, otherwise they won't survive a reboot.
  2. Create /etc/zabbix_agentd.conf:
    Server=$ZABBIX_SERVER_IP
    ServerActive=$ZABBIX_SERVER_IP
    Hostname=$ZABBIX_AGENT_HOSTNAME
    LogFile=/tmp/zabbix_agentd.log
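
Building with --with-openssl only makes encryption available; with the configuration above the agent still talks to the server unencrypted. One way to switch it to pre-shared-key encryption, as an added example that is not part of the original post (enable_agent_psk and the identity string are hypothetical):

```shell
#!/bin/sh
# Added example. enable_agent_psk is a hypothetical helper; the TLS* keys are
# standard zabbix_agentd.conf parameters for an agent built with OpenSSL.
# usage: enable_agent_psk <conf-file> <psk-file> <psk-identity>
enable_agent_psk() {
    conf=$1 psk=$2 identity=$3
    [ -n "$conf" ] && [ -n "$psk" ] && [ -n "$identity" ] || return 2
    # Do not stack a second TLS block onto an agent that already has one.
    if grep -q '^TLS' "$conf" 2>/dev/null; then
        echo "TLS settings already present in $conf" >&2
        return 1
    fi
    # 32 random bytes = 64 hex digits; umask keeps the key unreadable to others
    # from the moment the file is created.
    ( umask 077 && openssl rand -hex 32 > "$psk" ) || return 1
    printf 'TLSConnect=psk\nTLSAccept=psk\nTLSPSKIdentity=%s\nTLSPSKFile=%s\n' \
        "$identity" "$psk" >> "$conf"
}

# On the FreeNAS host (paths follow the post; the identity is a placeholder):
#   enable_agent_psk /etc/zabbix_agentd.conf /etc/zabbix_agentd.psk "freenas-psk-01"
#   chown zabbix:zabbix /etc/zabbix_agentd.psk
```

The same identity and key have to be entered for the host in the Zabbix frontend. With the key stored as /etc/zabbix_agentd.psk, the cp /etc/zabbix_agentd.* step further down also makes it persistent.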
    

Daemon Configuration

  1. Enable daemon:
    echo 'zabbix_agentd_enable="YES"' >> /etc/rc.conf
    
  2. Create /etc/rc.d/zabbix_agentd:
    #!/bin/sh
    
    # PROVIDE: zabbix_agentd
    # REQUIRE: DAEMON
    # KEYWORD: shutdown
    #
    # Add the following lines to /etc/rc.conf.local or /etc/rc.conf to
    # enable zabbix_agentd:
    #
    # zabbix_agentd_enable (bool): Set to NO by default.  Set it to YES to
    #         enable zabbix_agentd.
    #
    
    . /etc/rc.subr
    
    name="zabbix_agentd"
    rcvar=zabbix_agentd_enable
    start_precmd="zabbix_precmd"
    required_files="/etc/zabbix_agentd.conf"
    
    # read configuration and set defaults
    load_rc_config "$name"
    : ${zabbix_agentd_enable="NO"}
    #: ${zabbix_agentd_pre:=/etc/${name}.pre.sh}
    
    zabbix_agentd_conf="/etc/zabbix_agentd.conf"
    
    if [ ! -z "$zabbix_agentd_conf" ] ; then
      zabbix_agentd_flags="${zabbix_agentd_flags} -c ${zabbix_agentd_conf}"
      required_files=${zabbix_agentd_conf}
    fi
    
    zabbix_precmd()
    {
      if [ ! -z "$zabbix_agentd_pre" ] ; then
        if [ -e $zabbix_agentd_pre ] ; then
          . $zabbix_agentd_pre
        fi
      fi
    }
    
    command="/usr/local/sbin/${name}"
    
    run_rc_command "$1"
    
  3. Make executable:
    chmod +x /etc/rc.d/zabbix_agentd
    
  4. Start daemon:
    /etc/rc.d/zabbix_agentd start
    
  5. Make config files persistent and survive reboots:
    cp /etc/rc.conf /conf/base/etc/
    cp /etc/rc.d/zabbix_agentd /conf/base/etc/rc.d/
    cp /etc/zabbix_agentd.* /conf/base/etc/
     

Exit vagrant

In the ssh session type: exit
vagrant destroy

Zabbix configuration

Use the template from the zabbix wiki for the host monitoring
http://zabbix.org/wiki/File:Template_OS_FreeNAS.xml

  1. https://docs.j7k6.org/freenas-zabbix-agent/
  2. https://blag.nullteilerfrei.de/2016/11/26/zabbix-3-0-agent-on-freebsd/
  3. https://www.haphazard.io/blog/install-nagios-nrpe-on-freenas/

Wednesday, April 11, 2018

Updated LDAP server for Innovaphone

Updated LDAP server for Innovaphone devices


Last year we published our small LDAP server as open source on GitHub.
In the past months we made many enhancements, which added text search capability, more number fields and better support for various DECT platforms.

If you already use it, we strongly suggest that you upgrade to the new 2.2 release.

If you are providing a hosted environment for your clients, then we have a closed source version of the same software, which can handle tenants for your different clients. Just contact info@aarboard.ch for a quote.

Wednesday, March 14, 2018

Monitor Netgear ReadyNAS with Zabbix

Zabbix template for Netgear ReadyNAS

Monitoring devices with Zabbix is a simple thing, at least when you have a matching template for your device.

For Netgear ReadyNAS devices there exist many different templates, but most are outdated and no longer support the current 6.9.x firmware.

We integrated "all" ideas found in the other templates to provide an easy to install/use template for your device.

Features

  • LLD of disks, fans, temperature sensors, volumes, partitions, interfaces and processors
  • Creation of graphs and triggers
  • No need to deploy MIB files to servers/agents, we work with direct OIDs


The template and install instructions can be found here on Github link

Please open an issue on Github if you need more features or have enhancements you can provide.

Monday, October 2, 2017

Small LDAP server for Innovaphone PBX

The innovaphone PBX series are small hardware (or virtual systems) which are very powerful and customizable to almost all user requirements.

They also use Internet standards wherever possible.

For number reverse look up and address books, the preferred method is ldap.

In small installations you usually don't have your LDAP server configured to maintain all your contacts and phone numbers, so you are in fact missing a simple address book for your solution.
Of course there exist large ldap servers, like Estos Metadirectory and others, but for many use cases they are just oversized and too expensive.

This gap is now filled with the open source project "inno-thinyldap" which can be found on github.

It has two main functions:
- Forward and reverse look up of numbers against a built in mysql database
- Reverse look up of phone numbers against the tel.search.ch directory

The local mysql address book can be maintained by uploading/downloading an xlsx file containing your contacts and phone numbers.

Give it a try and tell me what you think about it.

PS: If you need the same thing, but usable for hosting/multiple clients in the same installation, get in touch with a.schild@aarboard.ch

Wednesday, June 21, 2017

JSVC fails with error 11 after latest linux kernel Upgrades on debian/ubuntu

This morning, after doing some apt-get update/upgrades on various debian systems, we noticed that many of our java services no longer worked.
Since we use jsvc to handle all our tomcat instances on many, many servers, the impact is heavy. Not a single tomcat was running this morning...

Looking into the tomcat logs, we did see this message:
Service killed by signal 11

After some more investigations, it looks like the problem is related to the new kernel version installed in the upgrade process.

Google didn't find much about this, but the more important ones are here:
So the solution for now is either to stop using jsvc to start your services, or to use an older or an "unstable" kernel.

The kernel causing the problems is
3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u1 (2017-06-18) x86_64
 
With the older one it does work
3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64
 
To switch back to the older kernel just do this, and reboot your system:
apt install linux-image-3.16.0-4-amd64=3.16.43-2  
 
Reverting back to an older kernel is discouraged, since this does not solve the security problem.

Fortunately there is a very simple workaround for it.
When you start jsvc, just tell it to use a larger stack.
For tomcat you can put this in your startup file, so that daemon.sh picks up the new options for jsvc.
 
export JSVC_OPTS=-Xss1280k

Thanks to https://community.ubnt.com/t5/UniFi-Wireless/IMPORTANT-Debian-Ubuntu-users-MUST-READ-Updated-06-21/td-p/1968252