Support #691
Updated by Daniel Curtis over 8 years ago
{{>toc}}
This is a simple guide to setup a Puppet Master server along with Puppet Dashboard and Icinga2 with PostgreSQL as the database backend on FreeBSD 9.2.
This will set up 2 web applications that can be viewed in any modern web browser at:
* *Default blank landing page* - http://puppet.example.com
* *Puppet Dashboard* - http://puppet.example.com:3000
* *Icinga* - http://icinga.example.com:8000
* *Puppet Master* - https://puppet.example.com:8140
h1. Prepare the Server
* Once the server baseline has been installed and root access has been obtained make sure the server is up to date:
<pre>
pkg update && upgrade
portsnap fetch extract
</pre>
* Portmaster will be useful for upgrading packages:
<pre>
pkg install portmaster
pkg2ng
</pre>
---
h1. Install PostgreSQL 9.4
* Install PostgreSQL:
<pre>
pkg install postgresql94-{server,client}
</pre>
* Enable PostgreSQL at boot:
<pre>
echo 'postgresql_enable="YES"' >> /etc/rc.conf
</pre>
* Initialize the database:
<pre>
service postgresql initdb
</pre>
* Start PostgreSQL:
<pre>
service postgresql start
</pre>
* Edit the postgres config file:
<pre>
vi /usr/local/pgsql/data/postgresql.conf
</pre>
#* And modify the following:
<pre>
listen_addresses = '*'
</pre>
* Edit the pg_hba config file:
<pre>
vi /usr/local/etc/pgsql/data/pg_hba.conf
</pre>
#* And modify the following:
# TYPE DATABASE USER CIDR-ADDRESS METHOD only
# Local connections
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
# IPv4 connections:
host all all 192.168.10.0/24 md5
# IPv6 local connections:
host all all 1234::abcd/64 md5
* Restart postgresql:
service postgresql restart
h2. Create a new user and database
* Switch to the pgsql user and enter into the psql prompt:
<pre>
su pgsql
psql -d template1
</pre>
#* Create the *puppetmaster* user and database:
<pre>
CREATE USER puppetmasteruser WITH PASSWORD 'SuperSecretPuppetmasterPassword';
CREATE DATABASE puppetmasterdb OWNER puppetmasteruser;
GRANT ALL PRIVILEGES ON DATABASE "puppetmasterdb" to puppetmasteruser;
</pre>
#* Create the *dashboard* user and database:
<pre>
CREATE USER dashboarduser WITH PASSWORD 'SuperSecretDashboardPassword';
CREATE DATABASE dashboarddb OWNER dashboarduser;
GRANT ALL PRIVILEGES ON DATABASE "dashboarddb" to dashboarduser;
</pre>
#* Create the *icinga* user and database:
<pre>
CREATE USER icingauser WITH PASSWORD 'SuperSecretIcingaPassword';
CREATE DATABASE icingadb OWNER icingauser;
GRANT ALL PRIVILEGES ON DATABASE "icingadb" to icingauser;
</pre>
* Exit from the postgres user
<pre>
\q
exit
</pre>
* Test the connection on a remote host:
<pre>
psql -h pg.example.com -U puppetmasteruser -W puppetmasterdb
</pre>
---
h1. Install Puppet Master
* Install the puppet package
<pre>
pkg install puppet rubygem-rake rubygem-bundler rubygem-activerecord rubygem-sqlite3 rubygem-pg libxslt git node
</pre>
* Create a puppet config from the package sample:
<pre>
cp /usr/local/etc/puppet/puppet.conf-dist /usr/local/etc/puppet/puppet.conf
</pre>
* Configure your @[puppetmasterd]@ section to reflect these settings:
<pre>
vi /usr/local/etc/puppet/puppet.conf
</pre>
#* And add the following to the bottom of the file:
<pre>
[main]
logdir=/var/log/puppet
vardir=/var/puppet
ssldir=/var/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
server=puppetmaster.example.com
server=puppetmaster.altservice.com
report=true
pluginsync=true
environment = production
confdir = /usr/local/etc/puppet
[agent]
report = true
show_diff = true
environment = production
[master]
[puppetmasterd]
storeconfigs = true
dbadapter = postgresql
dbuser = puppetmasteruser
dbpassword = SuperSecretPuppetmasterPassword
dbserver = localhost
dbname = puppetmasterdb
</pre>
* Create folders for node and class definition files:
<pre>
mkdir /usr/local/etc/puppet/manifests/nodes
mkdir /usr/local/etc/puppet/manifests/classes
</pre>
* Then create a default site.pp file:
<pre>
import "nodes/*.pp"
vi /usr/local/etc/puppet/manifests/site.pp
</pre>
#* And add the following:
<pre>
node default {
notify { "Hey ! It works !": }
}
# The filebucket option allows for file backups to the server
filebucket { main: server => 'puppetmaster.altservice.com', path=> false, }
</pre>
* Create a puppet node config for *puppetmaster.example.com*:
<pre>
vi /usr/local/etc/puppet/manifests/nodes/puppetmaster.example.com.pp
</pre>
#* And Add the following:
<pre>
node 'puppetmaster.example.com' {
notify { "Hey ! It works !": }
}
</pre>
* Create a puppet node config for *client.example.com*:
<pre>
vi /usr/local/etc/puppet/manifests/nodes/client.example.com.pp
</pre>
#* And Add the following:
<pre>
node 'client.example.com' {
notify { "Hey ! It works !": }
}
</pre>
* Enable puppet in @/etc/rc.conf@:
<pre>
echo 'puppet_enable="YES"' >> /etc/rc.conf
</pre>
h2. Puppet Initial Testing
* At this point, Puppet needs to be started so that all its SSL keys can be generated. This gives the chance to test that Puppet does work before anything else gets stacked on as well as ensures the SSL keys referenced by Nginx's config file are generated and in place before that step.
<pre>
echo 'puppetmaster_enable="YES"' >> /etc/rc.conf
service puppetmaster start onestart
</pre>
* On *puppetmaster.example.com* - start Puppet on the client system
<pre>
puppet agent -vt
</pre>
* *NOTE*: I encountered a problem while migrating the Admin node, the new server uses a newer version of Puppet, and broke the fileserver feature. To work around this:
*# In *@/usr/local/etc/puppet/fileserver.conf@* put the name of your mount point, the path, and an allow * directive.:
<pre>
[files]
path /usr/local/etc/puppet/files
allow *
</pre>
*# In *@/usr/local/etc/puppet/auth.conf@*:
Use a regular expression path to match both the file_metadata and file_content endpoints followed by the name of your custom mount point. Then, use any combination of allow and allow_ip directives to control access.
<pre>
path ~ ^/file_(metadata|content)/files/
auth yes
allow /^(.+\.)?example.com$/
allow_ip 192.168.100.0/24
</pre>
h2. Install Puppet on Remote Node
* Install puppet:
<pre>
pkg install puppet
</pre>
* Create a basic puppet config:
<pre>
vi /usr/local/etc/puppet/puppet.conf
</pre>
#* And add the following:
<pre>
[main]
logdir=/var/log/puppet
vardir=/var/puppet
ssldir=/var/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
configtimeout=600
runinterval=28800
report=true
pluginsync=true
server=puppetmaster.example.com
</pre>
* Generate a puppet private key and send the CSR to the puppetmaster node for signing:
<pre>
puppet agent -vt --waitforcert 30
</pre>
h3. Sign the Puppet CSR
* On the *puppetmaster.example.com* node run the following to sign the certi
<pre>
puppet cert sign client.example.com
</pre>
---
h1. Install Puppet Dashboard
Now its time to install Puppet Dashboard, a web frontend to display puppet reports.
* Install puppet-dashboard from git
<pre>
cd /usr/local/www
git clone git://github.com/sodabrew/puppet-dashboard.git
</pre>
* Manually create the 'puppet-dashboard' user and group:
<pre>
pw groupadd -n puppet-dashboard -g 800
pw useradd -n puppet-dashboard -c "Puppet Dashboard,,," -u 800 -g puppet-dashboard -s /usr/sbin/nologin
</pre>
* Then provide the required permissions to @/usr/local/www/puppet-dashboard@
<pre>
chown -R puppet-dashboard:puppet-dashboard /usr/local/www/puppet-dashboard
</pre>
h2. Configure Puppet Dashboard
* Copy the example database YAML file and update with database information:
<pre>
cd /usr/local/www/puppet-dashboard/config
cp database.yml.example database.yml
</pre>
* Then edit the database.yml with the corrected information; make sure to replace the +password+ and +host+:
<pre>
vi database.yml
</pre>
#* and modify the following parameter accordingly:
<pre>
production:
database: dashboarddb dashboard_production
username: dashboarduser dashboard
password: SuperSecretDashboardPassword SuperSecretPassword
encoding: utf8
adapter: postgresql
host: localhost mysql2
</pre>
* Change the ownership and harden the permissions:
<pre>
chown puppet-dashboard:puppet-dashboard database.yml
chmod 660 database.yml
</pre>
* Copy the example settings YAML file, no changes needed:
<pre>
cd /usr/local/www/puppet-dashboard/config
cp settings.yml.example settings.yml
chown puppet-dashboard:puppet-dashboard settings.yml
chmod 660 settings.yml
</pre>
* Fix shebang line in External Node Classifier Script.
<pre>
sed -i '' -e 's/#! \/usr\/bin\/ruby/#!\/usr\/local\/bin\/ruby/' /usr/local/www/puppet-dashboard/bin/external_node
</pre>
* Install gems required in the 'Gemfile' via bundler: the Rubygem Bundler. If the postgresql gem bundles is required additional dependencies are needed:
<pre>
cd /usr/local/www/puppet-dashboard
bundle install --path vendor/bundle --without postgresql
</pre>
* Generate secret_token. Cleanup any errors and the default token after generating the new one.
<pre>
echo "secret_token: `bundle exec rake secret`" >> config/settings.yml
vi config/settings.yml
</pre>
h3. Setting up the database for Puppet Dashboard
* At this point the database was already installed with some blank tables. We need to run rake to finish the process with the database structure needed:
<pre>
cd /usr/local/www/puppet-dashboard
env RAILS_ENV=production bundle exec rake db:setup
</pre>
h3. Testing That Dashboard is Working
* Run Dashboard using Ruby's built-in WEBrick server to validate functionality. It will be available at http://puppet.example.com:3000
<pre>
cd /usr/local/www/puppet-dashboard
su -m puppet-dashboard -c 'bundle exec rails server'
</pre>
* Before going into a production environment, Dashboard 2.0 must precompile assets for production:
<pre>
env RAILS_ENV=production bundle exec rake assets:precompile
</pre>
* Chown any files created up until now to the right owner:
<pre>
chown -R puppet-dashboard:puppet-dashboard /usr/local/www/puppet-dashboard
</pre>
* Run Dashboard using Ruby's built-in WEBrick server to validate functionality. It will be available at http://puppet.example.com:3000
<pre>
cd /usr/local/www/puppet-dashboard
su -m puppet-dashboard -c 'env RAILS_ENV=production bundle exec rails server'
</pre> ---
h1. Configuring Puppet
All agent nodes have to be configured to submit reports to the master. The master has to be configured to send reports to Dashboard. If you already have a working Puppet installation you can configure it to distribute the updated puppet.conf to your hosts.
* Edit the *@puppet.conf@* on the Puppetmaster node: (on each agent)
<pre>
vi /usr/local/etc/puppet/puppet.conf [agent]
report = true
</pre>
#* And add
* *@puppet.conf@* (on the following to the [master] section: Puppetmaster)
<pre>
[master]
storeconfigs = true
dbadapter = postgresql
dbuser = puppetmasteruser
dbpassword = SuperSecretPuppetmasterPassword
dbserver = localhost
dbname = puppetmasterdb
reports = store, http
reporturl = http://puppet.example.com:3000/reports/upload
node_terminus = exec
external_nodes = /usr/bin/env PUPPET_DASHBOARD_URL=http://puppet.example.com:3000 /usr/local/www/puppet-dashboard/bin/external_node
</pre>
li
* Testing Puppet's Connection to Dashboard. A new background task should show in the Dashboard UI at http://puppet.example.com:3000
<pre>
puppet agent --test
</pre>
* Dashboard ships a worker process manager under script/delayed_job. It can manually start delayed jobs via the following command:
<pre>
su -m puppet-dashboard -c 'env RAILS_ENV=production bundle exec script/delayed_job -p dashboard -n 2 -m start'
</pre>
h2. Delayed Job Worker Init Script
However, rather than manually triggering background workers, this rc script will accomplish the same thing and ensure the background jobs get started on the next reboot.
* Create puppet dashboard FreeBSD init script:
<pre>
vi /usr/local/etc/rc.d/dashboard_workers
</pre>
#* and add the following
<pre>
#!/bin/sh
# PROVIDE: dashboard_workers
# REQUIRE: LOGIN
# KEYWORD: shutdown
# By default dashboard_workers uses flags '-n 1' for 1 worker. This should be
# adjusted to the number of CPU cores.
dashboard_workers_enable=${dashboard_workers_enable:-"NO"}
dashboard_workers_flags=${dashboard_workers_flags:-"-n 1"}
# The default rails environment is set to production
dashboard_workers_env=${dashboard_workers_env:-"/usr/bin/env PATH=${PATH}:/usr/local/bin RAILS_ENV=production"}
# The default user is set to puppet-dashboard and install location is set to
# /usr/local/share/puppet-dashboard.
dashboard_workers_user=${dashboard_workers_user:-"puppet-dashboard"}
dashboard_workers_chdir=${dashboard_workers_chdir:-"/usr/local/www/puppet-dashboard"}
. /etc/rc.subr
name="dashboard_workers"
rcvar="dashboard_workers_enable"
load_rc_config $name
extra_commands="reload run zap status"
# All commands call the same function and strip the fast|one|quiet prefix
# to deliver to the bundler.
reload_cmd="f_dashboard_workers reload"
restart_cmd="f_dashboard_workers restart"
run_cmd="f_dashboard_workers run"
start_cmd="f_dashboard_workers start"
status_cmd="f_dashboard_workers status"
stop_cmd="f_dashboard_workers stop"
zap_cmd="f_dashboard_workers zap"
# Use the function's ARVG $1 as the bundler program's '-m' flag
f_dashboard_workers() {
cd $dashboard_workers_chdir && \
su -m "$dashboard_workers_user" \
-c "${dashboard_workers_env} bundle exec script/delayed_job ${rc_flags} -p dashboard -m $1" || \
echo "Failed to $1 dashboard_workers"
}
run_rc_command "$1"
</pre>
#* And make it executable:
<pre>
chmod +x /usr/local/etc/rc.d/dashboard_workers
</pre>
* With that in place, we need to override the defaults and enable the script along with setting '-n 4' workers to match the number of processor cores and ensure it's ready for a production workload.
<pre>
echo 'dashboard_workers_enable="YES"' >> /etc/rc.conf
echo 'dashboard_workers_flags="-n 4"' >> /etc/rc.conf
service dashboard_workers start
</pre>
---
h1. Puppet Dashboard on Nginx with Nginx and Passenger
* Install the Nginx with Passenger gem:
<pre>
portmaster www/rubygem-passenger www/nginx
</pre>
*NOTE*: Make sure to enable +(*)NGINX and [X]SYMLINK+ when running @make config@ +[X]PASSENGER+ during the nginx configuration.
* Install Nginx with the Passenger gem:
<pre>
portmaster www/nginx www/rubygem-passenger
</pre>
*NOTE*: Make sure to enable +[X]PASSENGER+ during the nginx configuration. +(*)NGINX+ when running @make config@
* Create a configuration directory to make managing individual server blocks easier
<pre>
mkdir /usr/local/etc/nginx/conf.d
</pre>
* Configuring Nginx with Passenger, edit the *main nginx configuration file*:
<pre>
vi /usr/local/etc/nginx/nginx.conf
</pre>
#* And add/modify the following
<pre>
user www www;
worker_processes 4;
error_log /var/log/nginx_error.log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
passenger_root /usr/local/lib/ruby/gems/2.1/gems/passenger;
/usr/local/lib/ruby/gems/2.1/gems/passenger-5.0.4;
passenger_ruby /usr/local/bin/ruby;
passenger_max_pool_size 15;
passenger_pool_idle_time 300;
#passenger_spawn_method direct; # Uncomment on Ruby 1.8 for ENC to work
include mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
tcp_nodelay on;
# Load config files from the /etc/nginx/conf.d directory
include /usr/local/etc/nginx/conf.d/*.conf;
}
</pre>
* Then add a *default site server block*:
<pre>
vi /usr/local/etc/nginx/conf.d/default.conf
</pre>
#* Add the following:
<pre>
server {
listen 80 default;
server_name _;
index index.html index.php;
root /usr/local/www;
# IP and IP ranges which should get access
allow 10.0.0.0/24;
allow 10.1.0.1;
# all else will be denied
deny all;
# basic HTTP auth
auth_basic "Restricted";
auth_basic_user_file htpasswd;
location ~ \.cgi$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REMOTE_USER $remote_user;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
</pre>
* And create a *puppet master server block*:
<pre>
vi /usr/local/etc/nagios/conf.d/puppetmaster.conf
</pre>
#* And add the following:
<pre>
server {
listen 8140 ssl;
server_name puppet.example.com;
passenger_enabled on;
passenger_set_header HTTP_X_CLIENT_DN $ssl_client_s_dn;
passenger_set_header HTTP_X_CLIENT_VERIFY $ssl_client_verify;
passenger_user puppet;
passenger_group puppet;
access_log /var/log/nginx/puppet_access.log;
root /usr/local/etc/puppet/rack/public;
ssl_certificate /var/puppet/ssl/certs/puppet.example.com.pem;
ssl_certificate_key /var/puppet/ssl/private_keys/puppet.example.com.pem;
ssl_crl /var/puppet/ssl/ca/ca_crl.pem;
ssl_client_certificate /var/puppet/ssl/certs/ca.pem;
ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
ssl_prefer_server_ciphers on;
ssl_verify_client optional;
ssl_verify_depth 1;
ssl_session_cache shared:SSL:128m;
ssl_session_timeout 5m;
}
</pre>
* And create a *puppet dashboard server block*:
<pre>
vi /usr/local/etc/nginx/conf.d/puppet-dashboard.conf /usr/local/etc/nagios/conf.d/puppet-dashboard.conf
</pre>
#* And add the following:
<pre>
server {
listen 3000;
server_name puppet.example.com;
passenger_enabled on;
passenger_user puppet-dashboard;
passenger_group puppet-dashboard;
access_log /var/log/nginx_dashboard_access.log; /var/log/nginx/dashboard_access.log;
root /usr/local/www/puppet-dashboard/public;
}
</pre>
* Create the log directory to prevent issues on startup:
<pre>
mkdir /var/log/nginx
</pre>
* Enable a daily log file rotation via @newsyslog.conf@:
<pre>
printf "/var/log/nginx/*.log\t\t\t644 7\t * @T00 JG /var/run/nginx.pid 30\n" >> /etc/newsyslog.conf
</pre>
* If the puppetmaster service is still running from earlier testing, stop it now:
<pre>
service puppetmaster onestop
</pre>
* With initial setup of the Puppetmaster done, a RACK file that Nginx will use to start the Ruby application will be needed:
<pre>
mkdir -p /usr/local/etc/puppet/rack/public
</pre>
* Create the config.ru file
<pre>
vi /usr/local/etc/puppet/rack/config.ru
</pre>
#* And add the following
<pre>
# Trimmed back FreeBSD Version of https://github.com/puppetlabs/puppet/blob/master/ext/rack/files/config.ru
$0 = "master"
ARGV << "--rack"
ARGV << "--confdir" << "/usr/local/etc/puppet"
ARGV << "--vardir" << "/var/puppet"
require 'puppet/util/command_line'
run Puppet::Util::CommandLine.new.execute
</pre>
* Make the script executable
<pre>
chown -R puppet:puppet /usr/local/etc/puppet/rack
</pre>
* Enable nginx service and start it. At this point basic functionality is online:
<pre>
echo 'nginx_enable="YES"' >> /etc/rc.conf
service nginx start
</pre>
#* *NOTE*: I had a problem connecting to the puppet master, getting 403 errors, after I had setup Nginx/Passenger. The problem was with the @/usr/local/etc/puppet/puppet.conf@ and there being a couple of parameters that needed to be taken out. If the following two lines are present, remove or comment them out. They are are provided in the nginx.conf:
<pre>
#ssl_client_header = SSL_CLIENT_S_DN
#ssl_client_verify_header = SSL_CLIENT_VERIFY
</pre>
h2. Configuring Dashboard - Advanced Features
* Generating Certs and Connecting to the Puppet Master
With separate Puppet/Dashboard systems the puppet cert sign dashboard will be on the Puppetmaster:
<pre>
cd /usr/local/www/puppet-dashboard
su -m puppet-dashboard -c 'bundle exec rake cert:create_key_pair'
su -m puppet-dashboard -c 'bundle exec rake cert:request'
puppet cert sign dashboard
su -m puppet-dashboard -c 'bundle exec rake cert:retrieve'
</pre>
h3. Enabling Inventory Support
* Edit the *@auth.conf@* file on the puppetmaster Puppet master
<pre>
vi /usr/local/etc/puppet/auth.conf
</pre>
#* Add the following:
<pre>
path /facts
auth yes
method find, search
allow dashboard
</pre>
h3. Enabling the Filebucket Viewer
* Edit the *@site.pp@* on the Puppet master:
<pre>
vi /usr/local/etc/puppet/manifests/site.pp
</pre>
#* Add the following:
<pre>
filebucket { "main":
server => "{ main: server => 'puppetmaster.example.com', path=> false, }", "{your puppet master}",
path => false,
}
</pre>
#* In either site.pp, in an individual init.pp, or in a specific manifest.
<pre>
File { backup => "main" }
</pre>
* Go back and add the line for Inventory Support
<pre>
vi /usr/local/www/puppet-dashboard/config/settings.yml
</pre>
#* And change the following parameters:
<pre>
enable_inventory_service: true
use_file_bucket_diffs: true
</pre>
* With all the updates made, restart so that it takes effect:
<pre>
service nginx restart
</pre>
* For future maintenance, periodic jobs to prune old reports and run DB optimization.
<pre>
mkdir -p /usr/local/etc/periodic/monthly
vi /usr/local/etc/periodic/monthly/clean_dashboard_database.sh
</pre>
#* And add the following:
<pre>
#!/bin/sh
cd /usr/local/share/puppet-dashboard && \
echo "Pruning Old Reports from Puppet Dashboard Database" && \
/usr/bin/su -m puppet-dashboard -c '/usr/local/bin/bundle exec rake RAILS_ENV=production reports:prune upto=3 unit=mon' && \
echo "Optimizing Database" && \
/usr/bin/su -m puppet-dashboard -c '/usr/local/bin/bundle exec rake RAILS_ENV=production db:raw:optimize'
</pre>
#* And make it executable:
<pre>
chmod 755 /usr/local/etc/periodic/monthly/clean_dashboard_database.sh
</pre>
* And create a weekly script:
<pre>
mkdir -p /usr/local/etc/periodic/weekly
vi /usr/local/etc/periodic/weekly/clean_puppet_reports.sh
</pre>
</pre>
#* And add the following:
<pre>
#!/bin/sh
echo "Pruning Puppetmaster Reports greater than 7 days old"
echo -n " Reports Removed:"
find /var/puppet/reports -mtime 7 | xargs rm -v | wc -l
</pre>
#* And make it executable:
<pre>
chmod 755 /usr/local/etc/periodic/weekly/clean_puppet_reports.sh
</pre>
---
h1. Install Icinga2 Nagios
* Start by installing icinga2 nagios, php, and fcgiwrap: fcgi:
<pre>
pkg install icinga2 portmaster net-mgmt/nagios net-mgmt/nagios-plugins net-mgmt/nrpe www/spawn-fcgi www/fcgiwrap net/samba-smbclient databases/p5-DBI databases/p5-Class-DBI-mysql
</pre>
*NOTE*: Make sure to uncheck *[ ]MYSQL* during the icinga2 package configuration.
* Start and And then enable the service to start at boot:
<pre>
echo 'icinga2_enable="YES"' 'nagios_enable="YES"' >> /etc/rc.conf
service icinga2 start echo 'spawn_fcgi_enable="YES"' >> /etc/rc.conf
</pre>
* Enable the icinga2 ido-pgsql feature: echo 'fcgiwrap_enable="YES"' >> /etc/rc.conf
<pre> echo 'fcgiwrap_user="www"' >> /etc/rc.conf
ln -s /usr/local/etc/icinga2/features-available/ido-pgsql.conf /usr/local/etc/icinga2/features-enabled/ido-pgsql.conf echo 'nrpe2_enable="YES"' >> /etc/rc.conf
</pre>
h2. Configure Nagios
* Edit Now copy the icinga2 ido-pgsql config: sample config files to real config files
<pre>
vi /usr/local/etc/icinga2/features-enabled/ido-pgsql.conf cd /usr/local/etc/nagios/
</pre> cp cgi.cfg-sample cgi.cfg
#* And modify the following: cp nagios.cfg-sample nagios.cfg
<pre>
object IdoPgsqlConnection "ido-pgsql" {
user = "icingauser"
password = "SuperSecretIcingaPassword"
host = "localhost"
database = "icingadb"
}
</pre> cp resource.cfg-sample resource.cfg
* Load the icinga2 ido-pgsql schema cd /usr/local/etc/nagios/objects/
<pre> cp commands.cfg-sample commands.cfg
psql -h localhost -U icingauser -W -d icingadb < /usr/local/share/icinga2-ido-pgsql/schema/pgsql.sql cp contacts.cfg-sample contacts.cfg
</pre>
* Restart icinga2: cp localhost.cfg-sample localhost.cfg
<pre> cp printer.cfg-sample printer.cfg
service icinga2 restart cp switch.cfg-sample switch.cfg
</pre>
h2. Install Icingaweb2
* Install icingaweb2: cp templates.cfg-sample templates.cfg
<pre>
pkg install icingaweb2 php56-pgsql pecl-imagick
</pre>
* Configure the default PHP settings
<pre>
cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini timeperiods.cfg-sample timeperiods.cfg
</pre>
* Set the local timezone: Now check you nagios configurations errors
<pre>
sed -i '' -e 's/;date.timezone\ =/date.timezone\ =\ America\/Los_Angeles/' /usr/local/etc/php.ini nagios -v /usr/local/etc/nagios/nagios.cfg
</pre>
* Edit /usr/local/etc/php-fpm.conf:
<pre>
vi /usr/local/etc/php-fpm.conf
</pre>
#* Make Now set a password for the following changes: web interface
<pre>
listen = /var/run/php-fpm.sock htpasswd -c /usr/local/etc/nagios/htpasswd.users nagiosadmin
listen.owner = www
listen.group = www
listen.mode = 0660
</pre>
* Start and enable PHP-FPM at boot:
<pre>
echo 'php_fpm_enable="YES"' >> /etc/rc.conf
service php-fpm start
</pre>
* Next, create the *nagios server block*:
<pre>
vi /usr/local/etc/nginx/conf.d/icinga.conf /usr/local/etc/nginx/conf.d/nagios.conf
</pre>
#* And add the following
<pre>
server {
listen 8000 default;
server icinga.example.com; nagios.example.com;
index index.html index.php;
root /usr/local/www;
# IP and IP ranges which should get access
allow 10.0.0.0/24;
allow 10.1.0.1;
# all else will be denied
deny all;
# basic HTTP auth
auth_basic "Restricted";
auth_basic_user_file htpasswd;
location ~ ^/icingaweb2/index\.php(.*)$ \.cgi$ {
fastcgi_pass unix:/var/run/php-fpm.sock; try_files $uri =404;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
fastcgi_param SCRIPT_FILENAME /usr/local/www/icingaweb2/public/index.php; $document_root$fastcgi_script_name;
fastcgi_param ICINGAWEB_CONFIGDIR /usr/local/etc/icingaweb2;
fastcgi_param REMOTE_USER $remote_user;
}
location ~ ^/icingaweb2(.+)? \.php$ {
alias /usr/local/www/icingaweb2/public; try_files $uri =404;
index index.php; include fastcgi_params;
try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args; fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
</pre>
NOTE: It is important that the .cgi location has fastcgi_pass set to @unix:/var/run/fcgiwrap/fcgiwrap.sock@.
* Restart nginx: Load the schema
<pre>
cd /usr/local/share/doc/ndoutils
perl ./installdb -u nagios-p SecretNagiosPassword -h localhost -d nagios
</pre>
#* _Example output_
<pre>
DBD::mysql::db do failed: Table ‘nagios.nagios_dbversion’ doesn’t exist at ./installdb line 51.
** Creating tables for version 1.4b9
Using mysql.sql for installation…
** Updating table nagios_dbversion
Done!
</pre>
* Configure the @/usr/local/etc/nagios/nagios.cfg@ file and change the following parameter:
<pre>
event_broker_options=-1
</pre>
* Add the following in “EVENT BROKER MODULE(S)” section
<pre>
broker_module=/usr/local/bin/ndomod.o config_file=/usr/local/etc/nagios/ndomod.cfg
</pre>
* Configure the @/usr/local/etc/nagios/ndo2db.cfg@ file, and change the below three lines:
<pre>
db_user=nagios
db_pass=SecretNagiosPassword
debug_level=-1
</pre>
* Start ndo2db
<pre>
service nginx ndo2db start
</pre>
* Start Nagios
<pre>
service nagios restart
</pre>
* Now create Start nginx, and check to see if nagios is working by opening a configuration token: web browser and going to http://example.com/nagios:
<pre>
cd /usr/local/www/icingaweb2 && ./bin/icingacli setup token create --config=/usr/local/etc/icingaweb2 service nginx start
</pre>
* Enter this token on Icinga Web 2's setup interface at http://localhost:8000/icingaweb2/setup *NOTE*: I kept getting a permission problem when logging in to the Nagios interface. It turned out I needed to add the correct admin user:
<pre>
vi /usr/local/etc/nagios/cgi.cfg
</pre>
#* Then add/modify the following
<pre>
use_authentication=1
#edit username
authorized_for_all_host_commands=username
authorized_for_all_hosts=username
authorized_for_all_service_commands=username
authorized_for_all_services=username
authorized_for_configuration_information=username
authorized_for_system_commands=username
authorized_for_system_information=username
</pre>
---
h1. Resources
* http://docs.puppetlabs.com/dashboard/manual/1.2/bootstrapping.html#configuring-dashboard
* http://docs.puppetlabs.com/dashboard/manual/1.2/bootstrapping.html#installing-puppet-dashboard
* http://docs.puppetlabs.com/dashboard/manual/1.2/bootstrapping.html#creating-and-configuring-a-mysql-database
* http://docs.puppetlabs.com/dashboard/manual/1.2/bootstrapping.html#testing-that-dashboard-is-working
http://docs.puppetlabs.com/dashboard/manual/1.2/bootstrapping.html#configuring-puppet
* http://docs.puppetlabs.com/dashboard/manual/1.2/bootstrapping.html#starting-and-managing-delayed-job-workers
* http://docs.puppetlabs.com/dashboard/manual/1.2/bootstrapping.html#running-dashboard-in-a-production-quality-server
* http://docs.puppetlabs.com/puppet/latest/reference/config_important_settings.html
* http://z0mbix.github.io/blog/2012/03/01/use-nginx-and-passenger-to-power-your-puppet-master/
* http://www.watters.ws/mediawiki/index.php/Configure_puppet_master_using_nginx_and_mod_passenger
* http://docs.puppetlabs.com/dashboard/manual/1.2/configuring.html
* https://forums.freebsd.org/viewtopic.php?&t=42071
* http://projects.puppetlabs.com/issues/16686
* http://rlaskey.org/words/897/nagios-nginx-freebsd/
* http://www.unixmen.com/it-appears-as-though-you-do-not-have-permission-to-view-information-for-any-of-the-hosts-you-requested/