
Network Device Monitoring Using Prometheus and Grafana Part1

I use Prometheus and Grafana to monitor network devices. Prometheus is an extremely powerful tool for monitoring any kind of metric, and it is lightweight and scalable.

My environment mostly contains Cisco and Juniper devices. Monitoring other vendors is also easy, but you need to understand how Prometheus works first.

Below are the metrics I monitor on my Cisco and Juniper devices.

Cisco:

  • Hardware status
    • Fan Status
    • Power supply status
    • Temperature status
    • Processor and other hardware status
  • Interface Bandwidth Utilisation
  • Interface Error and Discards
  • Interface Packets per second Utilisation
  • IPsla Latency and Packet loss
  • BGP Neighbour Status
  • BGP Received Prefix status

Juniper:

  • Hardware Status
    • Fan Status
    • Power supply status
    • Temperature status
    • Processor and other hardware status
  • Interface Bandwidth Utilisation
  • Interface Error and Discards
  • Interface packets per second Utilisation
  • RPM latency and Packet loss
  • BGP Neighbour status
  • BGP Received Prefix Status

I will explain, part by part, how to configure everything.

Several steps need to be followed to make this work.

We need to install five different components to have a complete monitoring design:

  • SNMP_generator
  • SNMP_exporter
  • Prometheus
  • Alert Manager
  • Grafana

Of these, SNMP_generator is used only to create the configuration file for snmp_exporter.

Don't worry: all the components talk to each other over HTTP APIs, so maintaining all of the components listed above is not a burden.

In my next tutorial I will explain how to install and configure SNMP_generator and SNMP_exporter.


How to Install WordPress on CentOS 7 with NGINX!

WordPress is a PHP and MySQL based open-source blogging platform. Around 25% of the websites on the internet use WordPress. Follow the instructions below to install a WordPress website on CentOS 7.

Prerequisites

  • Have a working domain name pointing to your server's public IP, for example: example.net

Enable EPEL Repository:

Enabling the EPEL repository is easy, as the EPEL repository RPM package is included in the CentOS repository.

Run the command below to install and enable the EPEL repository.

sudo yum install epel-release

Run the command below to verify whether the EPEL repository is enabled.

sudo yum repolist

Installing NGINX:

Run the command below to install NGINX.

sudo yum install nginx

Once the installation is complete, enable and start the NGINX service with the commands below.

sudo systemctl enable nginx
sudo systemctl start nginx

Check the status of the Nginx service with the following command.

sudo systemctl status nginx

Open ports 80 and 443 in the firewall configuration. If your server is not protected by the CentOS firewall, skip this step. Most cloud servers are protected by a firewall by default.

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

To verify the Nginx installation, open http://YOUR_SERVER_IP in your browser; you should see the default Nginx welcome page shown in the image below:

To stop, start, restart or reload the Nginx service, use the commands below.

sudo systemctl stop nginx
sudo systemctl start nginx
sudo systemctl restart nginx
sudo systemctl reload nginx

Secure Nginx with Let’s Encrypt

Let’s Encrypt is a free and open certificate authority developed by the Internet Security Research Group (ISRG). Certificates issued by Let’s Encrypt are trusted by almost all browsers today.

Install Certbot

Run the command below to install certbot.

sudo yum install certbot

Generate a Strong DH (Diffie-Hellman) Group

Diffie-Hellman (DH) key exchange is a method for securely agreeing on cryptographic keys over an insecure communication channel such as the internet; the DH group is the set of parameters (a large prime and a generator) that the exchange uses.

To generate a new set of 2048-bit DH parameters, run the command below.

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Obtain a Let’s Encrypt SSL certificate for your domain

To obtain an SSL certificate for your domain, we use the webroot plugin. It works by creating a temporary file for validating the requested domain in the ${webroot-path}/.well-known/ directory; the Let’s Encrypt server then makes HTTP requests to that temporary file to validate that the requested domain resolves to the server where certbot runs.

The following commands create the directory and make it writable for the Nginx server.

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp nginx /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

Create a directory for the Nginx snippets.

sudo mkdir /etc/nginx/snippets

Create the /etc/nginx/snippets/letsencrypt.conf file with the configuration below.

location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /var/lib/letsencrypt/;
  default_type "text/plain";
  try_files $uri =404;
}

Create the /etc/nginx/snippets/ssl.conf file with the configuration below.

ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
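A quick review check over the snippet above, added here as an example and not part of the original post: the function parses the directives (the ssl.conf content is embedded as a constructed sample with the cipher list shortened) and reports the settings a reviewer would flag, such as protocol versions below TLS 1.2, 3DES ciphers and suites without forward secrecy.

```python
# ssl.conf from the post, embedded here as a constructed sample (cipher list shortened).
SAMPLE_SSL_CONF = """
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("DES-CBC3", "RC4", "NULL", "EXPORT", "MD5")


def parse_directives(text):
    """Map each directive name to its list of values; only flat snippets are handled."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        directives.setdefault(name, []).append(value.strip().strip("'\""))
    return directives


def audit_ssl_snippet(text):
    """Return a sorted list of findings a reviewer would raise about the TLS settings."""
    d = parse_directives(text)
    findings = []
    for proto in " ".join(d.get("ssl_protocols", [])).split():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append("deprecated protocol enabled: " + proto)
    for cipher in ":".join(d.get("ssl_ciphers", [])).split(":"):
        if not cipher or cipher.startswith("!"):
            continue  # exclusions such as !DSS are fine
        if any(m in cipher for m in WEAK_CIPHER_MARKERS):
            findings.append("weak cipher enabled: " + cipher)
        elif not cipher.startswith(("ECDHE-", "DHE-")):
            findings.append("no forward secrecy: " + cipher)
    if d.get("ssl_session_tickets", ["on"]) != ["off"]:
        findings.append("ssl_session_tickets not disabled")
    if not any(h.startswith("Strict-Transport-Security") for h in d.get("add_header", [])):
        findings.append("HSTS header missing")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_ssl_snippet(SAMPLE_SSL_CONF):
        print(finding)
```

Run against the full snippet on a CentOS 7 host, the same check also flags the other DES-CBC3 and non-ECDHE/DHE suites in the long cipher string; whether TLSv1 and TLSv1.1 can actually be dropped depends on the clients you must support.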

Once the snippets are created, open the /etc/nginx/conf.d/example.net.conf file and add the configuration below.

server {
  listen 80;
  server_name example.net www.example.net;

  include snippets/letsencrypt.conf;
}

Reload the Nginx configuration.

sudo systemctl reload nginx

Now run certbot to obtain the SSL certificate for your domain.

sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.net -d www.example.net

Once you have received the certificate, update the Nginx configuration as shown below.

server {
    listen 80;
    server_name www.example.net example.net;

    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.example.net;

    ssl_certificate /etc/letsencrypt/live/example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.net/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://example.net$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.net;

    ssl_certificate /etc/letsencrypt/live/example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.net/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # . . . other code
}

Reload the Nginx Service for the changes to take effect.

sudo systemctl reload nginx

Auto-renew the Let’s Encrypt SSL certificate with a cron job. Open the root crontab:

sudo crontab -e

A user crontab has no user column, so add the line below as-is. Twice a day it checks that certbot is installed, sleeps for a random interval of up to an hour to spread load on the Let’s Encrypt servers, then renews any certificate that is due and reloads Nginx.

0 */12 * * * test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"

Save and close the file.

Install MariaDB (MySQL)

MariaDB is an open-source relational database management system and a backward-compatible, binary drop-in replacement for MySQL.

Install the MariaDB package with the command below.

sudo yum install mariadb-server

Once the installation is complete, start the MariaDB service and enable it to start on boot with the commands below.

sudo systemctl start mariadb
sudo systemctl enable mariadb

Run the mysql_secure_installation script below, which performs several security tasks: it sets the root password, removes anonymous users, disables remote root login and removes the test database.

sudo mysql_secure_installation

Configure MySQL

Log in to MySQL as root; enter the root password when prompted.

mysql -u root -p

Within the MySQL shell, run the following commands to create the database for WordPress and a user with access to it (replace the placeholder with a strong password).

mysql> CREATE DATABASE wordpress CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
mysql> GRANT ALL ON wordpress.* TO 'wordpressuser'@'localhost' IDENTIFIED BY 'change-with-strong-password';
mysql> FLUSH PRIVILEGES;
mysql> EXIT;

Install PHP 7.2

The recommended PHP version for WordPress is PHP 7.2.

If you have an older PHP version on the server, uninstall it first.

To install PHP and all required PHP extensions, run the commands below:

sudo yum install epel-release yum-utils
sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
sudo yum-config-manager --enable remi-php72
sudo yum install php-cli php-fpm php-mysql php-json php-opcache php-mbstring php-xml php-gd php-curl

We install php-fpm because we will be using Nginx as the web server.

PHP FastCGI Process Manager (PHP-FPM) is an alternative FastCGI daemon for PHP that allows a website to handle high loads.

By default PHP-FPM runs as the user apache on TCP port 9000. We will change the user to nginx and switch from a TCP socket to a Unix socket. To do that, open /etc/php-fpm.d/www.conf and edit the lines mentioned below.

vi /etc/php-fpm.d/www.conf 
...
user = nginx
...
group = nginx
...
listen = /run/php-fpm/www.sock
...
listen.owner = nginx
listen.group = nginx

Set the correct ownership on the /var/lib/php directory.

sudo chown -R root:nginx /var/lib/php

Enable and start the php-fpm service:

sudo systemctl enable php-fpm
sudo systemctl start php-fpm

Download WordPress

First, create the directory that will hold the WordPress files.

sudo mkdir -p /var/www/html/example.net

Download the latest version of WordPress from the WordPress download page using wget, extract it and move the files to the folder created above.

cd /tmp
wget https://wordpress.org/latest.tar.gz
tar xf latest.tar.gz
sudo mv /tmp/wordpress/* /var/www/html/example.net/

Now change the ownership of the example.net directory so that Nginx and PHP-FPM, which run as nginx, can read it.

sudo chown -R nginx: /var/www/html/example.net

To set up the WordPress configuration file we need to generate unique security keys and salts for it. Run the command below to generate them.

curl -s https://api.wordpress.org/secret-key/1.1/salt/

The generated keys should look like the ones below.

define('AUTH_KEY',         'm=w)!7{-EEc&JYU~$wd@jTrqFseaZ0D-4Vd/?!>_hcF*BmQ+S2Do!QP>>O-|OI21');
define('SECURE_AUTH_KEY',  'S?lk-{RG 5K~sd*1$N<aZ18jy|^0n#-@eGqBhk3#dJy2M-|jUruu[T+ cYfJ^@2-'); 
define('LOGGED_IN_KEY', '>i*8?IA#h/.@?6MezjmoBWm&&b+h1YP?T.]Y=&*^h9[Bm`ThdbJ5zepb824LUd;-');
define('NONCE_KEY',        'cPim1L6}H1rQLtLj|FrN1DO:LZVsh`rr}5 `}k,f~%u)papX4|_J^Q%PKJ44uF[l');
define('AUTH_SALT',        ',+Aa_iZ/%yj5?-0F.O>Ogd6jCLU+2_2M$+1Zo-hUog70lLa$)YI@wbzkN<~v!Acd');
define('SECURE_AUTH_SALT', '-9sQ8iLS}1-iEX)b<A6(JNuPIGv2SV5ZiHV])4i+@oi6FG76$4{A@c*fj8[ *Uc-'); 
define('LOGGED_IN_SALT', 'K$i5b^g?TK4M|w;mqlh>m9ZJ5eVAq0X;we}jvw:JNkKm-O|-=GdH-{I><`J(ZgKB'); 
define('NONCE_SALT', 'c_VY?z=E}2r0A&r!F/qk*rtM3>K-Id+z*qG*^2g#4/-sR2%GP>b|{<97nL4uP8K/');

Now open the /var/www/html/example.net/wp-config.php file (if it does not exist yet, copy wp-config-sample.php from the same directory to wp-config.php), find the corresponding lines and replace them with the generated ones.

Also update DB_NAME, DB_USER and DB_PASSWORD in /var/www/html/example.net/wp-config.php with the credentials you created in the MariaDB section.
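As an added example that is not part of the original post, the script below produces the same eight define() lines locally with the operating system's CSPRNG instead of fetching them from api.wordpress.org, and substitutes them into wp-config.php text. The 64-character length follows the output shown above; the alphabet is my own choice, and SAMPLE_WP_CONFIG is a constructed stand-in for the real file.

```python
import re
import secrets

# The eight constants WordPress expects, in the order api.wordpress.org prints them.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII without space, single quote and backslash, so a value can never
# break out of the PHP single-quoted string it is placed in (alphabet is my choice).
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")
SALT_LENGTH = 64  # same length as the values the curl command returns

# Constructed stand-in for the salt section of wp-config.php; WordPress ships these
# placeholder values in wp-config-sample.php.
SAMPLE_WP_CONFIG = "".join(
    "define('%s', 'put your unique phrase here');\n" % k for k in SALT_KEYS)


def generate_salts():
    """Return {constant: 64-char random value} drawn from the OS CSPRNG."""
    return {k: "".join(secrets.choice(ALPHABET) for _ in range(SALT_LENGTH))
            for k in SALT_KEYS}


def render_defines(salts):
    """Format the salts like the define() lines shown in the post."""
    width = max(len(k) for k in salts) + 3
    return "".join("define(%s '%s');\n" % (("'%s'," % k).ljust(width), v)
                   for k, v in salts.items())


def replace_salts(config_text, salts):
    """Swap every define('KEY', '...') line for a fresh one; fail if a key is absent."""
    for key, value in salts.items():
        pattern = r"define\(\s*'%s'\s*,\s*'[^']*'\s*\);" % re.escape(key)
        config_text, count = re.subn(
            pattern, lambda m: "define('%s', '%s');" % (key, value), config_text)
        if count != 1:
            raise ValueError("expected one %s definition, found %d" % (key, count))
    return config_text


def salts_look_valid(config_text):
    """True when all eight constants exist, are 64 chars long and pairwise distinct."""
    pairs = re.findall(r"define\('(%s)',\s*'([^']*)'\);" % "|".join(SALT_KEYS), config_text)
    found = dict(pairs)
    return (set(found) == set(SALT_KEYS)
            and all(len(v) == SALT_LENGTH for v in found.values())
            and len(set(found.values())) == len(SALT_KEYS))


if __name__ == "__main__":
    print(render_defines(generate_salts()), end="")
```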

define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'wordpressuser');

/** MySQL database password */
define('DB_PASSWORD', 'password-you-provided');

define('FS_METHOD', 'direct');

Now edit the /etc/nginx/conf.d/example.net.conf file and update it with the configuration below.

# Redirect HTTP -> HTTPS
server {
    listen 80;
    server_name www.example.net example.net;

    include snippets/letsencrypt.conf;
    return 301 https://example.net$request_uri;
}

# Redirect WWW -> NON WWW
server {
    listen 443 ssl http2;
    server_name www.example.net;

    ssl_certificate /etc/letsencrypt/live/example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.net/chain.pem;
    include snippets/ssl.conf;

    return 301 https://example.net$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.net;

    root /var/www/html/example.net;
    index index.php;

    # SSL parameters
    ssl_certificate /etc/letsencrypt/live/example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.net/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # log files
    access_log /var/log/nginx/example.net.access.log;
    error_log /var/log/nginx/example.net.error.log;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php-fpm/www.sock;
        fastcgi_index   index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        expires max;
        log_not_found off;
    }

}

Restart Nginx for the changes to take effect.

sudo systemctl restart nginx

Now open your browser and go to http://example.net to access the WordPress instance and start blogging. Happy blogging!!

© 2019 Networking Blog
