Re: [Nagios-devel] Ndo 1.4b7 patch : SSL connections
Posted: Thu Nov 06, 2008 3:50 pm
The new patch with the argument use_ssl in ndomod.cfg and ndo2db.cfg.
It takes 0 or 1. If the argument is missing and USE_SSL was used for the
compilation, SSL is used (so you can still use your current
ndomod.cfg and ndo2db.cfg and have SSL).

On my production server: very low network traffic on lo (10kb/s) and
I've got 6000 services. The eth0 traffic is near 100kb/s if you want to
make the comparison with your environment.

The load average is still the same, I do not see nagios or ndo2db at
high CPU, just 2 or 3% (Xeon 1.6GHz). So it's ok. I checked that the
traffic is really encrypted with a tcpdump on lo, so the patch is really
effective.

I'll let the ssl version run for some days and see an average of the load average.

Gabès Jean

On Thu, Nov 6, 2008 at 3:35 PM, nap wrote:
> I compiled it on my prod and I see these errors:
> *#include "../include/io.h" to remove in io.c (beginning)
> *-I/usr/include/openssl to add to all objects (maybe the common file
> is not a good place to put the load of SSL.h).
>
> I put the patch in production, I'll see the impact of SSL.
>
>
> Jean
>
> On Thu, Nov 6, 2008 at 2:36 PM, nap wrote:
>> On Thu, Nov 6, 2008 at 2:24 PM, Hendrik Bäcker wrote:
>>> nap wrote:
>>>> Hi List,
>>>>
>>>>
>>>> I wrote a patch for ndo 1.4b7 (ndomod and ndo2db): the SSL
>>>> connection. The code comes from nrpe. I think this can be useful
>>>> with distributed Nagios, the communications between the secondary
>>>> nagios and ndo2db are in plaintext and we can see the name of the
>>>> host in it.
>>>>
>>> Nice thing.
>>>> The patch just applies the SSL connection to the sock of the
>>>> connection between ndomod and ndo2db (just for a tcp connection, I
>>>> don't think it is useful for unix socket...).
>>> I guess it becomes very useful for the situation of "outside-my-lan"
>>> nagios servers with "internal" db hosts.
>> Even in the LAN, it's easy to make a man in the middle attack with
>> ARP. And my security officer does not want plaintext. Now he is
>> happy and allows me to put distributed nagios in production.
>>
>>> But do you have ideas about the performance situation?
>>> Encryption takes cpu time and ndomod is usually not very quiet on the wire.
>>>>
>>>> In the patch you can see the dh.h file from nrpe. In nrpe it's
>>>> generated by ./configure but I don't know how to modify it. The
>>>> Makefile needs the ssl lib too, but I don't know how to modify the
>>>> autoconf (I leave a Makefile.new in the patch to show what to
>>>> modify), if someone can help me on this.
>>> I will have a look at it.
>> Thanks.
>>
>>>>
>>>> For the moment the patch applies SSL to all connections, but
>>>> maybe we can put the use_ssl argument into ndo2db.conf and
>>>> ndomod.conf.
>>>>
>>> That would be the best way.
>> Ok, I'll see how to change it.
>>
>>>> I tested with a small server and 4000 services and I don't see any
>>>> overload of ndo2db or nagios due to the SSL. It can't be null, just
>>>> small.
>>>>
>>> mkay... drop my above question
>> I tested on my small dev server (virtual machine...), I'll put it onto
>> my production server (6000 services) and see if the traffic of lo (ndo
>> connection in tcp localhost) is high or the load average reaches the top.
>>
>>
>>
>>>
>>> Nice thing, I am on your side for testing and helping hands.
>> Thanks again
>>
>>> Hendrik
>> Gabès Jean
>>
>>
...[email truncated]...
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]