Hi Mathieu,
On Friday 27 April 2007 21:14:34 Mathieu Grzybek wrote:
> This is a company with a HQ and several independent sites. The
> monitoring database is hosted in the HQ. The servers running
> Nagios+ndomod in the other sites are behind a firewall and the only way
> to communicate with the world is a web proxy server. This case is very
> common. Everyone can't rent a wide intranet connection and/or a VPN.
> In most cases there is a website hosting by the HQ. No new port needed,
> just mod_soap and ndo2db.
Yup. Sorry, I now see where you're coming from here.
(more for the humour value, here's a Heath Robinson solution. You set up an
ssh-over-http tunnel:
http://dag.wieers.com/howto/ssh-http-tunneling/
This would allow you to establish an ssh connection from the firewalled remote
machine to HQ via the remote-site's local http proxy. You can then either
configure a normal/static local-port-forwarding rule (with something like
"-L 5668:my-ndodb-box.hq.example.org:5668") or use a dynamic (SOCKS) port
forwarding using something like tsocks to make Nagios/ndomod SOCKS-aware.
No soap necessary
[...]
> > If you do want to implement a webservice, I'd do it as a translation
> > service rather than replacing the existing TCP communication.
>
> Do you mean encapsulating the actual protocol ?
Well, I was thinking of "somehow" (in a very abstract way) interfacing to the
existing NDOutils code, rather than rewriting anything.
For example, one way would be to have a single (very simple) method in the
WSDL that accepts the NDO status string. The mod_soap implementation would
dump this to a file and run an unmodified file2sock on the file. You'd also
need a simple client to send the line to mod_soap, but I guess that should be
straightforward.
One could even make file2sock more funky by adding a staging directory option
(e.g. "--staging-dir=/var/spool/file2sock"). Given this option, file2sock
would daemonise itself and watch for files being created in that directory
(via inotify or FAM). Any files created would be uploaded automatically.
An alternative would be to use WebDAV (via mod_dav) with either the standard
filesystem provider (mod_dav_fs) or with a custom fs provider that acts as a
sink, sending data to NDOdb.
... just a thought.
[passing config information]
> > However, do you really want someone to be able to download a new config
> > that defines the "check_pw" command as "cat /etc/passwd /etc/shadow" or a
> > "check_rm" command as "rm -rf /"?
>
> NRPE can be run with limited privileges and use sudo for some event
> handlers. In large structures I think it's more convenient than creating a
> new deployment process with OCS Inventory.
I'm not familiar with OCS Inventory (although, as usual, Google was
forthcoming), so can't really say; but, I think the idea of copying across
config files over HTTP would give me the willies. Mutually authenticated
X509-based security, maybe; but I guess I'm too used to being able to ssh
into a machine as necessary.
> The IT boss doesn't want to control the servers but wants to know if it
> runs.
Well, best of luck!
Cheers,
Paul.
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
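
The staging-directory idea for file2sock described in the message above, sketched in Python as an added example; it is not code from the original post or from NDOutils. Assumptions: `drain_staging_dir` and `watch` are hypothetical names, polling stands in for inotify/FAM, writers create files as `*.tmp` and rename them when complete, and file bytes are forwarded unchanged to a TCP sink.

```python
import os
import socket
import stat
import time


def drain_staging_dir(staging_dir, host, port, timeout=10.0):
    """Forward each completed regular file to host:port, oldest first.

    Returns the names that were sent and removed; stops at the first
    network error so unsent files stay queued for the next pass.
    """
    queue = []
    for name in os.listdir(staging_dir):
        if name.startswith(".") or name.endswith(".tmp"):
            continue  # assumed convention: writers create *.tmp, then rename()
        path = os.path.join(staging_dir, name)
        st = os.lstat(path)  # lstat: do not follow symlinks
        if stat.S_ISREG(st.st_mode):
            queue.append((st.st_mtime_ns, name, path))

    sent = []
    for _, name, path in sorted(queue):
        try:
            # O_NOFOLLOW covers a swap to a symlink after the lstat above
            fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
        except OSError:
            continue
        with os.fdopen(fd, "rb") as fh:
            data = fh.read()
        try:
            with socket.create_connection((host, port), timeout=timeout) as conn:
                conn.sendall(data)
        except OSError:
            break  # sink unreachable: leave this and later files in place
        os.unlink(path)  # delete only after a complete send
        sent.append(name)
    return sent


def watch(staging_dir, host, port, interval=2.0):
    """Polling stand-in for the inotify/FAM watcher (runs until killed)."""
    while True:
        drain_staging_dir(staging_dir, host, port)
        time.sleep(interval)
```

Because the spool directory is writable by whatever produces the status files, the symlink and partial-file checks keep the uploader from forwarding anything other than files that were deliberately staged there.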