[Check_mk (english)] multisite auth.secret

Archive checkmk-en
1

I've had a Nagios then check_mk then omd setup for a few years now. Trying to further migrate to using WATO and the distributed monitoring on one master and seven slave setups. I've run into a glitch that I guess I just haven't wrapped my brain around the correct sequence of steps yet.

Master is setup, two slave set up so far, everything seems to be working except the pnp4nagios hover popups for graphs when I view a host that is monitored on one of the slaves. If I click on the graph icon I see the graphs for that service.

Is this something to do with the auth.secret file? I can't seem to find documentation on what I should be doing with that file on the master or slave servers.

···

--
Stephen Berg
Systems Administrator
NRL Code: 7320
Office: 228-688-5738
stephen.berg.ctr@nrlssc.navy.mil

2

Hi Stephen,

If you want to have the PNP graphs working in a distributed setup, you
need to set up mod_proxy on your master site to connect to your remote
sites.

This is also on the website:
http://mathias-kettner.com/checkmk_multisite_modproxy.html

HTH,

Paul

···

On 11/07/16 17:47, Stephen Berg (Contractor) wrote:

I've had a Nagios then check_mk then omd setup for a few years now.
Trying to further migrate to using WATO and the distributed monitoring
on one master and seven slave setups. I've run into a glitch that I
guess I just haven't wrapped my brain around the correct sequence of
steps yet.

Master is setup, two slave set up so far, everything seems to be
working except the pnp4nagios hover popups for graphs when I view a
host that is monitored on one of the slaves. If I click on the graph
icon I see the graphs for that service.

Is this something to do with the auth.secret file? I can't seem to
find documentation on what I should be doing with that file on the
master or slave servers.

3

I've gone through and checked what the modproxy instructions say and still getting an error on the hover popups.

I'm pretty sure I got all the distributed monitoring set up as it should be. Everything else seems to be working at least.

Sockets are set to:
tcp:site1:6558
tcp:site2:6558

URL prefix:
http://server1/site1/
http://server2/site2/

Multisite URL of remote site:
http://server1/site1/check_mk/
http://server2/site2/check_mk/

In /etc/httpd/conf.d/multisite_proxy.conf:
<Location /site1>
         RewriteEngine On
         RewriteRule ^/.+/site1/(.*) http://server1/site1/$1 [P]
</Location>
<Location /site2>
         RewriteEngine On
         RewriteRule ^/.+/site2/(.*) http://server2/site2/$1 [P]
</Location>

Both sites and the main server have the same /opt/omd/sites/<site>/etc/auth.secret and auth.serials

A filtered list of LDAP users are being pulled from our FreeIPA servers, authentication works using that with no issues. Well one small issue, if I start firefox, pull up the main site and login, then try to go to the services view for a system on one of the slave servers I have to login there also, after that the login is remembered. I think that's the way it normally works but if I can avoid the additional logins to slave systems that would be nice. If I could get check_mk to use a kerberos TGT for login that would really nice.

I've checked the AuthName in /etc/httpd/conf.d/auth.conf and all three systems are the same.

This is the two log entries I see in the slave server apache log when I hover over the graph icon from the master site web UI:
<My IP> - - [12/Jul/2016:09:10:02 -0500] "GET /sit2/pnp4nagios/index.php/popup?host=host1&srv=_HOST_ HTTP/1.1" 302 - "http://master/mainsite/check_mk/view.py?view_name=allhosts&quot; "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0"

<My IP> - - [12/Jul/2016:09:10:02 -0500] "GET /site2/check_mk/login.py?_origtarget=/site2/pnp4nagios/index.php/popup?host=host1&srv=_HOST_ HTTP/1.1" 200 2202 "http://master/mainsite/check_mk/view.py?view_name=allhosts&quot; "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0"

I'm probably missing one little step in the setup but I'm having a heck of a time finding that one step.

···

On 07/11/2016 11:46 AM, Paul Bongers wrote:

Hi Stephen,

If you want to have the PNP graphs working in a distributed setup, you
need to set up mod_proxy on your master site to connect to your remote
sites.

This is also on the website:
http://mathias-kettner.com/checkmk_multisite_modproxy.html

HTH,

Paul

On 11/07/16 17:47, Stephen Berg (Contractor) wrote:

I've had a Nagios then check_mk then omd setup for a few years now.
Trying to further migrate to using WATO and the distributed monitoring
on one master and seven slave setups. I've run into a glitch that I
guess I just haven't wrapped my brain around the correct sequence of
steps yet.

Master is setup, two slave set up so far, everything seems to be
working except the pnp4nagios hover popups for graphs when I view a
host that is monitored on one of the slaves. If I click on the graph
icon I see the graphs for that service.

Is this something to do with the auth.secret file? I can't seem to
find documentation on what I should be doing with that file on the
master or slave servers.

_______________________________________________
checkmk-en mailing list
checkmk-en@lists.mathias-kettner.de
http://lists.mathias-kettner.de/mailman/listinfo/checkmk-en

--
Stephen Berg
Systems Administrator
NRL Code: 7320
Office: 228-688-5738
stephen.berg.ctr@nrlssc.navy.mil

4

This is still not working for me. I can get to performance graphs, but the hover popups still fail.

Interestingly all this is working on my older sites on the same servers. They are not using WATO and moving to a WATO setup is the goal here.

I tried removing the master site and both slave sites and rebuilding from scratch.

Created master site, set a few parameters, set up a few folders to eventually organize my hosts. Changed the omdadmin password, configured LDAP to pull in a half a dozen accounts, just the IT shop folks.

Created a slave site (one on each remote server) and added it to the master's distributed setup. Create a couple hosts so the master server can monitor the slave servers. Then created a couple hosts using the master web UI and they got replicated out to the slave server as expected.

Is there a checklist or something that I can run through to try to find what I'm missing to get this working?

···

On 07/12/2016 09:15 AM, Stephen Berg (Contractor) wrote:

I've gone through and checked what the modproxy instructions say and still getting an error on the hover popups.

I'm pretty sure I got all the distributed monitoring set up as it should be. Everything else seems to be working at least.

Sockets are set to:
tcp:site1:6558
tcp:site2:6558

URL prefix:
http://server1/site1/
http://server2/site2/

Multisite URL of remote site:
http://server1/site1/check_mk/
http://server2/site2/check_mk/

In /etc/httpd/conf.d/multisite_proxy.conf:
<Location /site1>
        RewriteEngine On
        RewriteRule ^/.+/site1/(.*) http://server1/site1/$1 [P]
</Location>
<Location /site2>
        RewriteEngine On
        RewriteRule ^/.+/site2/(.*) http://server2/site2/$1 [P]
</Location>

Both sites and the main server have the same /opt/omd/sites/<site>/etc/auth.secret and auth.serials

A filtered list of LDAP users are being pulled from our FreeIPA servers, authentication works using that with no issues. Well one small issue, if I start firefox, pull up the main site and login, then try to go to the services view for a system on one of the slave servers I have to login there also, after that the login is remembered. I think that's the way it normally works but if I can avoid the additional logins to slave systems that would be nice. If I could get check_mk to use a kerberos TGT for login that would really nice.

I've checked the AuthName in /etc/httpd/conf.d/auth.conf and all three systems are the same.

This is the two log entries I see in the slave server apache log when I hover over the graph icon from the master site web UI:
<My IP> - - [12/Jul/2016:09:10:02 -0500] "GET /sit2/pnp4nagios/index.php/popup?host=host1&srv=_HOST_ HTTP/1.1" 302 - "http://master/mainsite/check_mk/view.py?view_name=allhosts&quot; "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0"

<My IP> - - [12/Jul/2016:09:10:02 -0500] "GET /site2/check_mk/login.py?_origtarget=/site2/pnp4nagios/index.php/popup?host=host1&srv=_HOST_ HTTP/1.1" 200 2202 "http://master/mainsite/check_mk/view.py?view_name=allhosts&quot; "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0"

I'm probably missing one little step in the setup but I'm having a heck of a time finding that one step.

On 07/11/2016 11:46 AM, Paul Bongers wrote:

Hi Stephen,

If you want to have the PNP graphs working in a distributed setup, you
need to set up mod_proxy on your master site to connect to your remote
sites.

This is also on the website:
http://mathias-kettner.com/checkmk_multisite_modproxy.html

HTH,

Paul

On 11/07/16 17:47, Stephen Berg (Contractor) wrote:

I've had a Nagios then check_mk then omd setup for a few years now.
Trying to further migrate to using WATO and the distributed monitoring
on one master and seven slave setups. I've run into a glitch that I
guess I just haven't wrapped my brain around the correct sequence of
steps yet.

Master is setup, two slave set up so far, everything seems to be
working except the pnp4nagios hover popups for graphs when I view a
host that is monitored on one of the slaves. If I click on the graph
icon I see the graphs for that service.

Is this something to do with the auth.secret file? I can't seem to
find documentation on what I should be doing with that file on the
master or slave servers.

_______________________________________________
checkmk-en mailing list
checkmk-en@lists.mathias-kettner.de
http://lists.mathias-kettner.de/mailman/listinfo/checkmk-en

--
Stephen Berg
Systems Administrator
NRL Code: 7320
Office: 228-688-5738
stephen.berg.ctr@nrlssc.navy.mil