Always being one to enjoy a technological challenge, I was presented with the task of building out a new management network. I firmly believe that management of all devices on a network needs to be out of band from the rest of the network operation, so I was quite happy to take on this task. After installing the new switches, and getting all of the monitor ports cabled up, I stopped to contemplate how I would set up my network monitoring suite, and how I would access this OOB network remotely.
Being a project that requires security (someone finding their way onto this network could be catastrophic), I decided that the best course of action was to set up a machine with a NIC in both my internal and my management networks, and run OpenBSD 5.3 on it. A few months ago, the friendly folks over at #juniper on freenode recommended Observium as a network monitoring suite, and I have found it to be a fantastic project so far. The Observium installation documentation is very clear that it supports Ubuntu/Debian only. There is a second set of installation instructions for RHEL/CentOS.
So off I went with my OpenBSD installation, knowing full well that the Observium installation was probably going to be a painful one, but the machine that spans the gap between the two networks is a prime location for my monitoring utilities, so I decided to do it anyway. Starting off with the OS installation, I accepted the defaults for the most part, configured my NICs for my network, and allowed OBSD to work its own disklabel magic (use the whole disk, autopartition). When it came time to choose installation sets, I simply issued a -x* -games*, and went along my merry way (not fully appreciating the implications of my actions at the time). Once the install was done, and I was presented with a prompt, the first order of business was to get the package mirror set up so I could begin installing the prerequisite software for Observium. I chose to use the mirror in Denver, CO, USA. This involved adding one line, and changing one line in .profile (changes in bold):
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/sbin:/usr/local/bin
PKG_PATH=ftp://ftp3.usa.openbsd.org/pub/OpenBSD/5.3/packages/amd64/
export PATH PKG_PATH
Next, we need to get a proper editor, and a few tools:
# pkg_add -vi vim nmap subversion
After everything is done installing, I picked up the prereqs for Observium from their install documentation:
# pkg_add -vi fping mysql-server net-snmp rrdtool graphviz php
This will chug along for a while, and occasionally ask a question. When prompted for a php version, I chose the latest 5.3 release (per the prereqs), in the non ap2 build (this is for Apache 2, but Apache 1.3 ships with OBSD out of the box). But... the damn thing breaks on rrdtool... After a bit of Googling, I discovered that the required libraries are part of xcore53... one of the packages that I opted to not install earlier. SOOOOO, off to the closest mirror to grab xcore53.tgz, and run a cd / && tar -zxvpf ~/xcore53.tgz, start the pkg_add over, and we're done.
I brought up the mysql database with /usr/local/bin/mysql_install_db, then set the root password, and created a database for Observium according to the installation instructions. I set the database credentials in /var/www/observium/config.php.
Next, I decided to install observium into /usr/local/observium, as I didn't like the idea of using /opt. I pulled the code down via SVN per the instructions on the site, and dropped the config snippet from the RHEL instructions into /var/www/conf/httpd.conf, with some minor modifications:
ServerAdmin webmaster@localhost
DocumentRoot /usr/local/observium/html
Options FollowSymLinks
AllowOverride None
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
ErrorLog /usr/local/observium/logs/error.log
LogLevel warn
CustomLog /usr/local/observium/logs/access.log combined
I wound up chasing my tail for an hour or two messing with the httpd configs, before I realized that httpd had chrooted itself into /var/www (hence the funny config location). I quickly moved the Observium install over to /var/www/observium, and changed the httpd config again:
ServerAdmin webmaster@localhost
DocumentRoot /var/www/observium/html
Options FollowSymLinks
AllowOverride None
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
ErrorLog /var/www/observium/logs/error.log
LogLevel warn
CustomLog /var/www/observium/logs/access.log combined
Much better! Now we get an error about the database.
# pkg_add -vi php-mysql
Now getting an error about not being able to bind to the MySQL socket. Wow, wonderful. More Googling revealed that, yet again, the chroot was biting me:
# mkdir -p /var/www/var/run/mysql
# ln /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
Now that we're past that, OH LOOK, it's a 500 error! After a few hours of sticking die()'s into the code, I figured out that since I was in a chroot, the install_dir variable would be relative to /var/www. Once this variable was set from /var/www/observium to /observium, the web UI loaded right up. When I attempted to add a user, I found that adduser.php was now throwing errors about not being able to find functions that should have been included with common.php. Turns out that even though Apache is chrooted, the php cli is not. DOH!
# ln -s /var/www/observium /observium
It's a hack, but hey, it works now... Kind of... In reality, it just fails differently. Turns out I missed a step in the install documentation, and didn't initialize the database...
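The DocumentRoot, the MySQL socket and install_dir all failed for the same reason: a path that is valid on the host means something else, or nothing, inside the httpd chroot. The script below is an added example, not part of the original post or of Observium; it classifies host paths against the chroot, and its function names and the CHROOT variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. CHROOT defaults to /var/www,
# the httpd chroot named in the post; the function names are illustrative.
CHROOT="${CHROOT:-/var/www}"

# Print a host path as the chrooted httpd sees it; return 1 when the path
# lies outside the chroot and is therefore invisible to httpd and mod_php.
inside_view() {
    case "$1" in
        "$CHROOT")   printf '/\n' ;;
        "$CHROOT"/*) printf '%s\n' "${1#"$CHROOT"}" ;;
        *)           return 1 ;;
    esac
}

# Classify one absolute host path that the web application refers to:
#   inside   - under the chroot; configure the shortened path instead
#   mirrored - outside, but a copy or link exists at the same path under
#              the chroot (what the post does for mysql.sock)
#   missing  - outside, and nothing stands in for it under the chroot
audit_path() {
    if seen=$(inside_view "$1"); then
        printf 'inside %s seen-as %s\n' "$1" "$seen"
    elif [ -e "$CHROOT$1" ]; then
        printf 'mirrored %s at %s\n' "$1" "$CHROOT$1"
    else
        printf 'missing %s expected-at %s\n' "$1" "$CHROOT$1"
    fi
}

# Paths taken from the post: the final install directory, the MySQL socket,
# and the first install location that httpd could not see.
for path in /var/www/observium /var/run/mysql/mysql.sock \
            /usr/local/observium; do
    audit_path "$path"
done
```

Anything run through the php cli is not chrooted, so it still needs the host-side path; that is the gap the /observium symlink papers over.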
After I got the DB initialized, and a user created, I realized that addhost.php wasn't working. After more tinkering, I realized that all of the default paths for the utilities were wrong, because the software was designed to run in Linux. I grabbed the whole block of utility path define()'s out of the defaults file, and gave them the correct paths, and lo and behold! OBSERVIUM IN OBSD.
I will most likely be revisiting this topic in the not-too-distant future, as I find more things that I need to hack around, but for the time being, it looks like I have monitoring running on the machine I wanted it on. Now it's time for pf!