[Nagios-devel] [PATCH] Ndo 1.4b7 patch : SSL connexions
Posted: Thu Nov 13, 2008 9:38 am
Hi,

After 7 days of tests, I do not see any high utilisation of CPU or
load average. I use only one ndo connection, but with 6000 services on
it. So the SSL is quite OK with the CPU.

I attach the CPU graph of the last two weeks of my Nagios server (with
ndomod and ndo2db on it). I put the patch in production 1 week ago.

Jean

On Thu, Nov 6, 2008 at 4:50 PM, nap wrote:
> The new patch with the argument use_ssl in ndomod.cfg and ndo2db.cfg.
> It takes 0 or 1. If the argument is missing and USE_SSL was used for the
> compilation, the ssl is used (so you can still use your current
> ndomod.cfg and ndo2db.cfg and have SSL).
>
> In my production server: very low network traffic on lo (10kb/s) and
> I've got 6000 services. The eth0 traffic is near 100kb/s if you want to
> make the comparison with your environment.
> The load average is still the same, I do not see nagios or ndo2db in
> high CPU, just 2 or 3% (Xeon 1.6Ghz). So it's ok. I checked that the
> traffic is really encrypted by a tcpdump on lo so the patch is really
> effective
>
> I'll let the ssl version run for some days and see an average of load
> average.
>
>
> Gabès Jean
>
>
>
> On Thu, Nov 6, 2008 at 3:35 PM, nap wrote:
>> I compile it on my prod and I see these errors:
>> * #include "../include/io.h" to remove in io.c (beginning)
>> * -I/usr/include/openssl to add to all objects (maybe the common file
>> is not a good place to put the load of SSL.h).
>>
>> I put the patch in production, I'll see the impact of SSL.
>>
>>
>> Jean
>>
>> On Thu, Nov 6, 2008 at 2:36 PM, nap wrote:
>>> On Thu, Nov 6, 2008 at 2:24 PM, Hendrik Bäcker wrote:
>>>> nap wrote:
>>>>> Hi List,
>>>>>
>>>>>
>>>>> I wrote a patch for ndo 1.4b7 (ndomod and ndo2db) : the SSL
>>>>> connection. The code comes from nrpe. I think this can be useful
>>>>> with distributed Nagios, the communications between the secondary
>>>>> nagios and ndo2db are in plaintext and we can see the name of the
>>>>> host in it.
>>>>>
>>>> Nice thing.
>>>>> The patch just applies the SSL connection to the sock of the
>>>>> connection between ndomod and ndo2db (just for a tcp connection, I
>>>>> don't think it is useful for unix socket...).
>>>> I guess it becomes very useful for the situation of "outside-my-lan"
>>>> nagios servers with "internal" db hosts.
>>> Even in the LAN, it's easy to make a man in the middle attack with
>>> ARP. And my security officer does not want plaintext. Now he is
>>> happy and allows me to put distributed nagios in production
>>>
>>>> But do you have ideas about the performance situation?
>>>> encryption takes cpu time and ndomod is usually not very quiet on wire.
>>>>>
>>>>> In the patch you can see the dh.h file from nrpe. In nrpe it's
>>>>> generated by ./configure but I don't know how to modify it. The
>>>>> Makefile needs the ssl lib too, but I don't know how to modify the
>>>>> autoconf (I leave a Makefile.new in the patch to show what to
>>>>> modify), if someone can help me on this
>>>> I will have a look at it.
>>> Thanks.
>>>
>>>>>
>>>>> For the moment the patch applies the SSL for all connections, but
>>>>> maybe we can put the use_ssl argument into ndo2db.conf and
>>>>> ndomod.conf.
>>>>>
>>>> That would be the best way.
>>> Ok, I'll see how to change it.
>>>
>>>>> I test with a small server and 4000 services and I don't see any
>>>>> overload of ndo2db or nagios due to the SSL. It can't be null, just
>>>>> small.
>>>>>
>>>> mkay... drop my above question
>>> I test on my small dev server (virtual machine...), I'll put it onto
>>> my production server (6000 services) and see if the traffic of lo (ndo
>>> connection in tcp localhost) is high or the load average reaches the top
>>>
>>>
>>>
>>>>
>>>> Nice thing, I am on your side for testing and helping hands.
>>> Thanks
...[email truncated]...
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
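
Added example, not part of the original thread or of the ndoutils patch: one way to automate the check described in the Nov 6 message (confirming from a capture that the ndomod to ndo2db stream is encrypted), by testing whether one direction of the reassembled TCP payload parses as SSL/TLS records. The function names and the sample byte strings are constructed for illustration and were not captured from a real ndomod/ndo2db session.

```python
import struct

TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}
MAX_RECORD = 2**14 + 2048  # largest fragment an SSL/TLS record may carry


def parse_records(stream: bytes):
    """Walk the stream as SSL/TLS records; return (records, bytes_consumed)."""
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        if ctype not in TLS_TYPES or major != 3 or minor > 4 or length > MAX_RECORD:
            break  # not a valid record header: stop parsing
        if pos + 5 + length > len(stream):
            break  # truncated capture: stop at the last complete record
        records.append((TLS_TYPES[ctype], length))
        pos += 5 + length
    return records, pos


def classify(stream: bytes) -> str:
    """Return 'tls', 'plaintext' or 'unknown' for one direction of a TCP stream."""
    if not stream:
        return "unknown"
    records, _ = parse_records(stream)
    if records and records[0][0] == "handshake":
        return "tls"
    # SSLv2-compatible ClientHello: length with high bit set, msg type 1, version 3.x
    if len(stream) >= 5 and stream[0] & 0x80 and stream[2] == 1 and stream[3] == 3:
        return "tls"
    # Mostly printable bytes means hostnames and check output are readable on the wire.
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in stream)
    return "plaintext" if printable / len(stream) > 0.95 else "unknown"


# Constructed samples: a handshake record followed by an application-data record,
# and a made-up cleartext payload that exposes a host name.
SAMPLE_TLS = (bytes([22, 3, 1]) + struct.pack("!H", 64) + bytes(range(64))
              + bytes([23, 3, 1]) + struct.pack("!H", 32) + bytes(range(100, 132)))
SAMPLE_PLAIN = b"host=web01.example.org;service=HTTP;state=0\n" * 3

if __name__ == "__main__":
    for name, data in (("tls sample", SAMPLE_TLS), ("plain sample", SAMPLE_PLAIN)):
        print(name, "->", classify(data))
```

Run it on the payload bytes of each direction of the connection; a result of `plaintext` on a link where use_ssl is expected to be active means the two ends are not actually negotiating SSL.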