Hardware Requirements
You should meet these minimum hardware requirements for a single-server installation of Zenoss 4 Core (up to 1000 devices):
| Deployment Size | Memory | CPU | Storage |
|---|---|---|---|
| 1 to 250 devices | 4GB | 2 cores | 1 x 300GB (10K RPM or SSD) |
| 250 to 500 devices | 8GB | 4 cores | 1 x 300GB (10K RPM or SSD) |
| 500 to 1000 devices | 16GB | 8 cores | 1 x 300GB (15K RPM or SSD) |
CentOS 6
My solution will be using the CentOS-6.3-x86_64-minimal.iso image. The aim of this image is to install a very basic CentOS 6.3 system with the minimum number of packages needed for a functional system. This post won't document the CentOS 6 install process, since each environment (and its associated requirements) is different. The stages of the OS installation consist of language, storage, hostname, network, timezone, and the root password. Note: All commands are run as the root account unless otherwise specified.
Make sure to update the system after the initial boot post install:
# yum update
I also install the following packages that are not included by default:
# yum install file ntp vim-enhanced man man-pages wget traceroute yum-utils
# hosts file
It is recommended to add the hostname (FQDN and short) and IP address to your local hosts file. My Zenoss server's FQDN is zenoss.test.internal and the IP address is 192.168.36.20. Modify the file with your text editor.
# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.36.20 zenoss.test.internal zenoss
# SELinux
Zenoss documentation states the requirement that SELinux be disabled. We can accomplish this by changing the SELINUX value to disabled in the /etc/sysconfig/selinux file. Modify the file with your text editor.
# vim /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Reboot the computer for the change to take effect.
After logging in after the reboot, verify SELinux is disabled. Run the following command:
# sestatus
SELinux status: disabled
# Network Time Protocol (NTP)
Time synchronization is an often overlooked but essential configuration step for new server deployments. In my configuration, I will have my zenoss server sync with an Active Directory domain controller (which holds the PDC emulator FSMO role) on my private network. We will need to modify the ntp.conf file with a text editor and start the NTP daemon (and also set it for autostart at boot time). Notice that I "comment out" the default public pool.ntp.org virtual cluster servers. You may want to leave these enabled if you don't have a particular time source to sync with.
# vim /etc/ntp.conf
...
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org
#server 1.centos.pool.ntp.org
#server 2.centos.pool.ntp.org
# Use internal NTP Server (AD/DC01)
server 192.168.36.11 iburst
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
...
Start the NTP daemon.
# service ntpd start
Starting ntpd: [ OK ]
Set NTP daemon for autostart at boot time and verify.
# chkconfig ntpd on; chkconfig --list ntpd
ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
We can verify the NTP status by running the following commands:
# ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
*192.168.36.11 50.23.135.154 3 u 50 64 37 0.892 11.750 3.961
# ntpstat
synchronised to NTP server (192.168.36.11) at stratum 4
time correct to within 125 ms
polling server every 512 s
# Firewall
Zenoss requires the following ports to be open on the host firewall:
| Port | Protocol | Direction | Description |
|---|---|---|---|
| 11211 | TCP/UDP | inbound | memcached |
| 8080 | TCP | inbound | Web interface |
| 514 | UDP | inbound | syslog |
| 162 | UDP | inbound | SNMP Traps |
| 25 | TCP | inbound | zenmail |
Add the rules. It is recommended to add each rule with the iptables command, but I prefer to modify the /etc/sysconfig/iptables file directly with a text editor.
# vim /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 11211 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 11211 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 162 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
For tighter security, you can restrict the allowed traffic to a specific source network. The following configuration accepts the Zenoss ports only from the 192.168.36.0/24 network (SSH on port 22 remains open to any source).
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.36.0/24 -m state --state NEW -m tcp -p tcp --dport 11211 -j ACCEPT
-A INPUT -s 192.168.36.0/24 -m state --state NEW -m udp -p udp --dport 11211 -j ACCEPT
-A INPUT -s 192.168.36.0/24 -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -s 192.168.36.0/24 -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
-A INPUT -s 192.168.36.0/24 -m state --state NEW -m udp -p udp --dport 162 -j ACCEPT
-A INPUT -s 192.168.36.0/24 -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Restart the firewall service for the changes to take effect.
# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
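To check a rules file like the ones above against the port table without loading it into the kernel, here is an added audit script (it is not part of the original post and not a Zenoss tool). It reads an iptables-save style file such as /etc/sysconfig/iptables, reports for each required port whether the ACCEPT rule is open to any source, limited to a source network, or missing, and goes one step beyond the post by generating both the unrestricted and the 192.168.36.0/24-limited rule sets itself as constructed samples; the REQUIRED list is the post's port table, and the function and file names are my own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: audit an iptables-save style
# file (e.g. /etc/sysconfig/iptables) against the ports Zenoss needs and report,
# per port, whether the ACCEPT rule is open to any source, limited to a source
# network, or missing. REQUIRED comes from the post's port table; the sample
# rule files written by make_sample_rules are constructed for the demo.

REQUIRED="11211/tcp 11211/udp 8080/tcp 514/udp 162/udp 25/tcp"

# rule_for FILE PORT PROTO: prints the first INPUT ACCEPT rule for PORT/PROTO.
rule_for() {
    grep -E -- "^-A INPUT .*-p $3 .*--dport $2 -j ACCEPT\$" "$1" | head -n 1
}

# audit_rules FILE: one line per required port ("open-to-any", "limited-to
# SRC" or "MISSING"); returns 1 if any required port has no ACCEPT rule.
audit_rules() {
    local file="$1" entry port proto rule src rc=0
    for entry in $REQUIRED; do
        port="${entry%/*}"; proto="${entry#*/}"
        rule="$(rule_for "$file" "$port" "$proto")"
        src="$(printf '%s\n' "$rule" | sed -n 's/.* -s \([^ ]*\) .*/\1/p')"
        if [ -z "$rule" ]; then
            echo "$entry MISSING"; rc=1
        elif [ -n "$src" ]; then
            echo "$entry limited-to $src"
        else
            echo "$entry open-to-any"
        fi
    done
    return $rc
}

# count_open_to_any FILE: how many required ports accept from any source.
count_open_to_any() {
    audit_rules "$1" | grep -c 'open-to-any$' || true
}

# make_sample_rules [SRC]: writes a constructed copy of the post's rule list,
# optionally restricted with "-s SRC", and prints the file's path.
make_sample_rules() {
    local src="" entry f
    if [ -n "${1:-}" ]; then src="-s $1 "; fi
    f="$(mktemp)"
    {
        echo '*filter'
        echo ':INPUT ACCEPT [0:0]'
        echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        echo '-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT'
        for entry in $REQUIRED; do
            echo "-A INPUT ${src}-m state --state NEW -m ${entry#*/} -p ${entry#*/} --dport ${entry%/*} -j ACCEPT"
        done
        echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
        echo 'COMMIT'
    } > "$f"
    echo "$f"
}

# Demo: the post's unrestricted ruleset, then the 192.168.36.0/24-limited one.
for sample in "$(make_sample_rules)" "$(make_sample_rules 192.168.36.0/24)"; do
    audit_rules "$sample" || echo "required port(s) missing in $sample" >&2
    rm -f "$sample"
done
```

On a real host, run `audit_rules /etc/sysconfig/iptables` after editing the file and before `service iptables restart`; a non-zero exit means a port from the table has no ACCEPT rule, and every "open-to-any" line is a port that the tighter, source-limited variant would close to the rest of the network.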
# Oracle Java 6
From a client computer, browse to Oracle's Java Downloads and grab the latest Java Version 6 Linux x64 RPM file.
Transfer the file to the Zenoss server. The command/utility will vary depending on what client OS you're using. I recommend WinSCP, PSCP, PSFTP, or Filezilla if using a Windows client. From a Linux or Mac OS X client, we can use the scp command. The following command will copy the file to the root's home directory on the destination Zenoss server:
$ scp jre-6u38-linux-x64-rpm.bin root@192.168.36.20:
Back on the Zenoss server, we now need to make the binary file executable.
# cd ~
# chmod u+x ./jre-6u38-linux-x64-rpm.bin
Install the Oracle Java Runtime Environment (JRE).
# ./jre-6u38-linux-x64-rpm.bin
Unpacking...
Checksumming...
Extracting...
UnZipSFX 5.50 of 17 February 2002, by Info-ZIP (Zip-Bugs@lists.wku.edu).
inflating: jre-6u38-linux-amd64.rpm
Preparing... ########################################### [100%]
1:jre ########################################### [100%]
Unpacking JAR files...
rt.jar...
jsse.jar...
charsets.jar...
localedata.jar...
plugin.jar...
javaws.jar...
deploy.jar...
Done.
Add the JAVA_HOME variable statement to the end of the system BASH profile file.
# echo 'export JAVA_HOME=/usr/java/default' >> /etc/profile
"Dot" source the system BASH profile file to add the JAVA_HOME variable to the current shell environment.
# . /etc/profile
Verify the variable is set and that Java is installed correctly.
# echo $JAVA_HOME
/usr/java/default
# java -version
java version "1.6.0_38"
Java(TM) SE Runtime Environment (build 1.6.0_38-b05)
Java HotSpot(TM) 64-Bit Server VM (build 20.13-b02, mixed mode)
# RRDtool
We need to enable access to the RepoForge YUM repository for the RRDtool package.
From a client computer, browse to the RepoForge site and grab the latest rpmforge-release package for the EL 6 distribution (x86_64).
Transfer the package to the Zenoss server. The command/utility will vary depending on what client OS you're using. I recommend WinSCP, PSCP, PSFTP, or Filezilla if using a Windows client. From a Linux or Mac OS X client, we can use the scp command. The following command will copy the file to the root's home directory on the destination Zenoss server:
$ scp rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm root@192.168.36.20:
Back on the Zenoss server, we now need to install the rpmforge-release RPM package.
# cd ~
# yum --nogpgcheck localinstall rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
Disable automatic access to the RepoForge YUM repository.
# yum-config-manager --disable rpmforge
List all available versions of the rrdtool package. Zenoss requires version 1.4.7 or later.
# yum --showduplicates --enablerepo=rpmforge-extras list rrdtool
Loaded plugins: fastestmirror, presto
Loading mirror speeds from cached hostfile
* base: mirrors.cat.pdx.edu
* extras: mirror.spro.net
* rpmforge-extras: mirror.hmc.edu
* updates: centos.sonn.com
rpmforge-extras | 1.9 kB 00:00
rpmforge-extras/primary_db | 433 kB 00:00
Available Packages
rrdtool.i686 1.3.8-6.el6 base
rrdtool.x86_64 1.3.8-6.el6 base
rrdtool.x86_64 1.4.5-1.el6.rfx rpmforge-extras
rrdtool.x86_64 1.4.7-1.el6.rfx rpmforge-extras
Download and install the rrdtool package (and dependency packages).
# yum --enablerepo=rpmforge-extras install rrdtool-1.4.7-1.el6.rfx
# MySQL
My solution diverges from the official Zenoss documentation. I prefer to deploy the Percona Server with XtraDB instead of the standard MySQL server. Percona Server is an enhanced drop-in replacement for MySQL. Visit the Percona website for more information.
We first need to enable access to the Percona YUM repository for the Percona packages.
From a client computer, browse to the Percona Software Repositories for MySQL site and read the documentation wiki to see how to enable access to their YUM repo. At the time of this post, the following will perform an automatic installation. This operation will install the RPM and also the Percona GPG key.
# rpm -Uvh http://www.percona.com/redir/downloads/percona-release/percona-release-0.0-1.x86_64.rpm
Retrieving http://www.percona.com/redir/downloads/percona-release/percona-release-0.0-1.x86_64.rpm
Preparing... ########################################### [100%]
1:percona-release ########################################### [100%]
Verify the Percona repository has been added.
# yum repolist
Loaded plugins: fastestmirror, presto
Loading mirror speeds from cached hostfile
* base: mirror.pac-12.org
* extras: ftp.osuosl.org
* updates: mirror.cisp.com
repo id repo name status
base CentOS-6 - Base 6,346
extras CentOS-6 - Extras 17
percona CentOS 6 - Percona 39
updates CentOS-6 - Updates 1,017
repolist: 7,419
Let's now install the required packages.
# yum install Percona-Server-client-55 Percona-Server-server-55
After MySQL has been installed, we need to modify the MySQL my.cnf configuration file with some recommended settings from Zenoss.
# vim /etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
max_allowed_packet=16M
innodb_buffer_pool_size=256M
innodb_additional_mem_pool_size=20M
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
Start the MySQL daemon.
# service mysql start
Verify MySQL is set for autostart at boot.
# chkconfig --list mysql
mysql 0:off 1:off 2:on 3:on 4:on 5:on 6:off
# EPEL
We need to enable access to the EPEL repository for dependency packages of RabbitMQ and Zenoss Core.
Change to root's home directory and download the RPM from the EPEL site.
# cd ~
# wget -r -l1 --no-parent -A 'epel*.rpm' http://dl.fedoraproject.org/pub/epel/6/x86_64/
Install the EPEL RPM.
# yum --nogpgcheck localinstall dl.fedoraproject.org/pub/epel/6/x86_64/epel-*.rpm
Disable automatic access to the EPEL YUM repository.
# yum-config-manager --disable epel
# RabbitMQ
From a client computer, browse to the Download section of the RabbitMQ site and grab the latest 2.x Fedora/RHEL RPM package (version 3.x is not supported by Zenoss at the date of this post).
Transfer the package to the Zenoss server. The command/utility will vary depending on what client OS you're using. I recommend WinSCP, PSCP, PSFTP, or Filezilla if using a Windows client. From a Linux or Mac OS X client, we can use the scp command. The following command will copy the file to the root's home directory on the destination Zenoss server:
$ scp rabbitmq-server-2.8.7-1.noarch.rpm root@192.168.36.20:
Back on the Zenoss server, we now need to install the RabbitMQ package (and dependency packages from the EPEL repo).
# cd ~
# yum --nogpgcheck --enablerepo=epel localinstall rabbitmq-server-2.8.7-1.noarch.rpm
Start the RabbitMQ daemon.
# service rabbitmq-server start
Starting rabbitmq-server: SUCCESS
rabbitmq-server.
Set RabbitMQ for autostart at boot.
# chkconfig rabbitmq-server on
Zenoss Core
From a client computer, browse to the Zenoss Core site and grab the latest Zenoss Core 4 RPM package for RHEL/CentOS 6 64-bit (v4.2.3 at the date of this post).
Transfer the file to the Zenoss server. The command/utility will vary depending on what client OS you're using. I recommend WinSCP, PSCP, PSFTP, or Filezilla if using a Windows client. From a Linux or Mac OS X client, we can use the scp command. The following command will copy files to the root's home directory on the destination Zenoss server:
$ scp zenoss_core-4.2.3.el6.x86_64.rpm root@192.168.36.20:
root@192.168.36.20's password:
zenoss_core-4.2.3.el6.x86_64.rpm 100% 116MB 29.0MB/s 00:04
Back on our Zenoss server, we now need to install the Zenoss Core 4 package (and dependency packages from the EPEL repo).
# cd ~
# yum --nogpgcheck --enablerepo=epel localinstall zenoss_core-4.2.3.el6.x86_64.rpm
# memcached and snmpd
Start the memcached daemon and configure it to start automatically at boot.
# service memcached start
# chkconfig memcached on
Start the snmpd daemon and configure it to start automatically at boot.
# service snmpd start
# chkconfig snmpd on
# Start Zenoss
Run the following command to start Zenoss:
# service zenoss start
At this stage, Zenoss should be ready from a functional perspective. We now need to focus on securing the Zenoss server.
Post-Install
The auto-deploy script offered by Zenoss runs a separate script that secures your Zenoss installation. Since we chose to do a normal install, we will need to grab and run that script now.
We first need to switch to a login shell for the zenoss user.
# su -l zenoss
Verify the zenoss user shell. As a side note, that's an "interesting" UID number for the zenoss user.
$ id
uid=1337(zenoss) gid=500(zenoss) groups=500(zenoss)
Download the secure_zenoss.sh file from GitHub.
$ wget --no-check-certificate https://raw.github.com/osu-sig/zenoss-autodeploy-4.2.3/master/secure_zenoss.sh
Before we run the script, let's get the default passwords for the zenoss user in the global.conf file.
$ egrep 'user|password' $ZENHOME/etc/global.conf | grep -v admin
zodb-user zenoss
zodb-password zenoss
amqpuser zenoss
amqppassword zenoss
zep-user zenoss
zep-password zenoss
Give the secure_zenoss.sh script the execute permission.
$ chmod u+x secure_zenoss.sh
Run the secure_zenoss.sh script. I opted not to change the MySQL root password at this time. We will be performing that task in the next section.
$ ./secure_zenoss.sh
Restricting permissions on /opt/zenoss/etc/*.conf*
Assigning secure password for global.conf:zodb-password
Assigning secure password for global.conf:amqppassword
Assigning secure password for global.conf:zep-password
Assigning secure password for global.conf:hubpassword
Assigning secure password for hubpassword:admin
MySQL is configured with a blank root password.
Configure a secure MySQL root password? [Yn]: n
Forcing zeneventserver to only listen on 127.0.0.1:8084
Let's now verify the passwords have been modified for the zenoss user in the global.conf file.
$ egrep 'user|password' $ZENHOME/etc/global.conf | grep -v admin
zodb-user zenoss
zodb-password 18zmcTgYsA+AjczljwQd
amqpuser zenoss
amqppassword 18zmcTgYsA+AjczljwQd
zep-user zenoss
zep-password 18zmcTgYsA+AjczljwQd
hubpassword 18zmcTgYsA+AjczljwQd
We will also need to modify the password in the zodb_db_main.conf and zodb_db_session.conf files to match the value set for the zodb-password property in the global.conf file.
Let's first get the current configuration of these two files.
$ tail -n +1 $ZENHOME/etc/zodb_db_{main,session}.conf
==> /opt/zenoss/etc/zodb_db_main.conf <==
<mysql>
host localhost
port 3306
user zenoss
passwd zenoss
db zodb
</mysql>
==> /opt/zenoss/etc/zodb_db_session.conf <==
<mysql>
host localhost
port 3306
user zenoss
passwd zenoss
db zodb_session
</mysql>
Run the following commands to perform a substitution of the passwd property for each of the files:
$ zodbpw=$(grep zodb-password $ZENHOME/etc/global.conf | awk '{print $2}')
$ sed -i.orig "5s/zenoss/$zodbpw/" $ZENHOME/etc/zodb_db_{main,session}.conf
$ unset -v zodbpw
Verify the modification was successful.
$ tail -n +1 $ZENHOME/etc/zodb_db_{main,session}.conf
==> /opt/zenoss/etc/zodb_db_main.conf <==
<mysql>
host localhost
port 3306
user zenoss
passwd 18zmcTgYsA+AjczljwQd
db zodb
</mysql>
==> /opt/zenoss/etc/zodb_db_session.conf <==
<mysql>
host localhost
port 3306
user zenoss
passwd 18zmcTgYsA+AjczljwQd
db zodb_session
</mysql>
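The `sed -i.orig "5s/..."` substitution above depends on `passwd` sitting on line 5 of each file and on the generated password containing no sed metacharacters. Below is an added script, not part of the original post or of Zenoss, that does the same update by key instead of line number, and then checks that both zodb_db_*.conf files agree with the zodb-password value in global.conf and that no default password is left. It assumes the post's file layout under $ZENHOME/etc; the function names are my own, and the files the demo writes are constructed (with a deliberately awkward password) so it runs without a Zenoss install.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or of Zenoss: update the passwd
# value in zodb_db_main.conf and zodb_db_session.conf by key rather than by
# line number, then check that both files agree with zodb-password in
# global.conf and that no default password remains. File paths follow the
# post ($ZENHOME/etc); the files written by write_demo_files are constructed.

# global_value GLOBAL_CONF KEY: prints KEY's value from a Zenoss global.conf.
global_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# conf_passwd FILE: prints the passwd value from a zodb_db_*.conf file.
conf_passwd() {
    awk '$1 == "passwd" { print $2; exit }' "$1"
}

# set_conf_passwd FILE NEWPW: rewrites the passwd line, keeps FILE.orig like
# "sed -i.orig", and writes in place so the mode tightened by secure_zenoss.sh
# survives. NEWPW reaches awk through ENVIRON rather than a sed pattern or
# "awk -v", so "/", "&" and "\" in a generated password cannot break it.
set_conf_passwd() {
    local file="$1" tmp
    tmp="$(mktemp)"
    cp -p -- "$file" "$file.orig"
    NEWPW="$2" awk '
        $1 == "passwd" { print "passwd " ENVIRON["NEWPW"]; next }
        { print }
    ' "$file" > "$tmp"
    cat -- "$tmp" > "$file"
    rm -f -- "$tmp"
}

# check_passwords GLOBAL_CONF FILE...: returns 0 only when every FILE's passwd
# equals zodb-password in GLOBAL_CONF and that value is not the default.
check_passwords() {
    local want f got rc=0
    want="$(global_value "$1" zodb-password)"
    shift
    if [ -z "$want" ] || [ "$want" = zenoss ]; then
        echo "global.conf: zodb-password is unset or still the default" >&2
        rc=1
    fi
    for f in "$@"; do
        got="$(conf_passwd "$f")"
        if [ "$got" != "$want" ]; then
            echo "$f: passwd does not match global.conf" >&2
            rc=1
        fi
    done
    return $rc
}

# write_demo_files DIR: constructed global.conf and zodb_db_*.conf copies,
# using a password full of sed/awk metacharacters to exercise the safe path.
write_demo_files() {
    cat > "$1/global.conf" <<'EOF'
zodb-user zenoss
zodb-password pw/with&sed\meta
EOF
    for pair in main:zodb session:zodb_session; do
        cat > "$1/zodb_db_${pair%%:*}.conf" <<EOF
<mysql>
host localhost
port 3306
user zenoss
passwd zenoss
db ${pair#*:}
</mysql>
EOF
    done
}

# Demo on constructed copies; on a real host point these at $ZENHOME/etc.
demo="$(mktemp -d)"
write_demo_files "$demo"
newpw="$(global_value "$demo/global.conf" zodb-password)"
for f in "$demo/zodb_db_main.conf" "$demo/zodb_db_session.conf"; do
    set_conf_passwd "$f" "$newpw"
done
check_passwords "$demo/global.conf" "$demo/zodb_db_main.conf" "$demo/zodb_db_session.conf" \
    && echo "zodb passwords consistent"
rm -rf "$demo"
```

Like the post's `sed -i.orig`, this leaves a `.orig` copy that still holds the old password; remove those backups once the change is verified, since they sit next to the files secure_zenoss.sh just locked down.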
Exit out of the shell for the zenoss user to return to the root user shell.
$ exit
# MySQL (Percona Server)
The interactive mysql_secure_installation command improves the security of your MySQL installation. It lets you set the MySQL root password and perform other security-related hardening steps.
# mysql_secure_installation
The password for the MySQL database zenoss user will also need to be set to "sync up" with the previous password modifications. We will use the value set for the passwd property in the zodb_db_* config files.
# mysql -u root -p
Enter password: <your_mysql_root_password>
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 472
Server version: 5.5.31-30.3 Percona Server (GPL), Release rel30.3, Revision 520
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> SET PASSWORD FOR 'zenoss'@'localhost' = PASSWORD('18zmcTgYsA+AjczljwQd');
Query OK, 0 rows affected (0.00 sec)
mysql> \q
Bye
Restart the MySQL daemon.
# service mysql restart
# RabbitMQ
The following script will ensure the proper Zenoss credentials/permissions are set for the AMQP entities.
Create the set-rabbitmq-perms.sh script:
# vim set-rabbitmq-perms.sh
Enter the following text into your script then save it.
#!/usr/bin/env bash
set -e

VHOSTS="/zenoss"
USER="zenoss"
PASS="grep amqppassword \$ZENHOME/etc/global.conf | awk '{print \$2}'"

if [ $(id -u) -eq 0 ]
then
    RABBITMQCTL=$(which rabbitmqctl)
    $RABBITMQCTL stop_app
    $RABBITMQCTL reset
    $RABBITMQCTL start_app
    $RABBITMQCTL add_user "$USER" "$(su -l zenoss -c "$PASS")"
    for vhost in $VHOSTS; do
        $RABBITMQCTL add_vhost "$vhost"
        $RABBITMQCTL set_permissions -p "$vhost" "$USER" '.*' '.*' '.*'
    done
    exit 0
else
    echo "Error: Run this script as the root user." >&2
    exit 1
fi
Give the script file the execute permission.
# chmod u+x set-rabbitmq-perms.sh
Run the script.
# ./set-rabbitmq-perms.sh
Stopping node rabbit@zenoss ...
...done.
Resetting node rabbit@zenoss ...
...done.
Starting node rabbit@zenoss ...
...done.
Creating user "zenoss" ...
...done.
Creating vhost "/zenoss" ...
...done.
Setting permissions for user "zenoss" in vhost "/zenoss" ...
...done.
Restart the rabbitmq-server daemon.
# service rabbitmq-server restart
Restart Zenoss.
# service zenoss restart
# Verification
Verify all Zenoss daemons are running.
# su -l zenoss -c 'zenoss status'
Daemon: zeneventserver program running; pid=10258
Daemon: zopectl program running; pid=10350
Daemon: zenhub program running; pid=10408
Daemon: zenjobs program running; pid=10449
Daemon: zeneventd program running; pid=10495
Daemon: zenping program running; pid=10540
Daemon: zensyslog program running; pid=10827
Daemon: zenstatus program running; pid=10625
Daemon: zenactiond program running; pid=10661
Daemon: zentrap program running; pid=10829
Daemon: zenmodeler program running; pid=10788
Daemon: zenperfsnmp program running; pid=10845
Daemon: zencommand program running; pid=10877
Daemon: zenprocess program running; pid=10903
Daemon: zenrrdcached program running; pid=10902
Daemon: zenjmx program running; pid=10948
Daemon: zenwinperf program running; pid=11023
Daemon: zeneventlog program running; pid=11061
Daemon: zenwin program running; pid=11093
If the proper permissions have been set for the RabbitMQ zenoss vhost(s), then the following queues should be listed:
# rabbitmqctl -p /zenoss list_queues
Listing queues ...
celery 0
zenoss.queues.zep.migrated.summary 0
zenoss.queues.zep.migrated.archive 0
zenoss.queues.zep.rawevents 0
zenoss.queues.zep.heartbeats 0
zenoss.queues.zep.zenevents 0
zenoss.test.internal.celeryd.pidbox 0
zenoss.queues.zep.signal 0
zenoss.queues.zep.modelchange 0
...done.
# Web Interface Setup Wizard
After the preceding steps have been completed, it is time to start the Setup Wizard, which performs the initial configuration of Zenoss for your environment. On your client computer, open a web browser and type http://192.168.32.20:8080 in the address field.