Diffstat (limited to 'INSTALLING.rst')
-rw-r--r-- | INSTALLING.rst | 41 |
1 files changed, 33 insertions, 8 deletions
diff --git a/INSTALLING.rst b/INSTALLING.rst index c645ff9..2a4bcb8 100644 --- a/INSTALLING.rst +++ b/INSTALLING.rst @@ -21,11 +21,11 @@ Quick-install As root: -:: +:: ### Set to your regular username, obviously # YOURUSER=kly - # apt-get install sudo + # apt-get install sudo git # echo ${YOURUSER} ALL=NOPASSWD: ALL >> /etc/sudoers # echo deb http://http.debian.net/debian jessie-backports main non-free contrib > /etc/apt/sources.list.d/bp.list # apt-get update @@ -39,9 +39,35 @@ As ``$YOURUSER``:: Then visit http://ip-your-boxen/ -Manualy import the database for now:: +Securing InfluxDB +................. - psql -h localhost -d nms -U nms -f /opt/gondul/build/schema.sql +Default InfluxDB is wide open, to limit this a little we need to configure a few users + +Create the users needed: + +1. Admin + ``CREATE USER gondulAdmin WITH PASSWORD 'FancyPassword' WITH ALL PRIVILEGES;`` +2. Write only user + ``CREATE USER gondulWrite WITH PASSWORD 'funfunfunWrite';`` + ``GRANT WRITE ON gondul to gondulWrite;`` +3. Read only user + ``CREATE USER gondulRead WITH PASSWORD 'funfunfun';`` + ``GRANT READ ON gondul to gondulRead;`` + +Enable authentication by setting the ``auth-enabled`` option to true in the [http] section of the configuration file for influxDB (/etc/influxdb/influxdb.conf) + +Set the influxdb write user and password in /includes/config.pm + +| Add the read only user to varnish so all read requests are authenticated +| Example varnish config: + +| if (req.url ~ "^/query") { +| set req.backend_hint = influx; +| set req.http.Authorization = "Basic Z29uZHVsUmVhZDpmdW5mdW5mdW4="; +| } + +Generate the base64 string using ``echo -n "gondulRead:funfunfun" | base64`` Setting up your network... -------------------------- 
@@ -79,6 +105,8 @@ Each collector establishes a service on your system, found in gondul-services with regular systemd-commands. Apache is installed and set to listen to port 8080. +Varnish is installed and listens to port 80 +InfluxDB is installed and listens to port 8086 SNMP mibs are downloaded to ``/opt/gondul/data/mibs``. Both for Cisco and Juniper. If either vendor changes their FTP servers or whatever, this might @@ -112,9 +140,6 @@ broken: - DHCP log tailer (this is easy to fix, just need to copy ping/snmp basically) -- Varnish -- Bootstrapping the database - Distribution of configuration (config is being re-implemented) - Various test-cases (They are already there, just need to be fiddled with) -- Graphite / Grafana. Most likely, this will be an external "optional dependency" - +- Grafana. Most likely, this will be an external "optional dependency" |
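Review bot: In the "Securing InfluxDB" hunk (@@ -39,9 +39,35 @@), the Varnish example hard-codes `Basic Z29uZHVsUmVhZDpmdW5mdW4=`, which is the base64 of the sample `gondulRead:funfunfun` pair, and the CREATE USER lines carry literal sample passwords, so an install copied verbatim from this section runs with credentials that are published in the repository. Suggest obvious placeholders in all four places and a sentence saying they must be replaced, with the `echo -n ... | base64` step shown before the Varnish snippet so the reader generates their own header value. Because Varnish adds the Authorization header to every request matching `^/query`, any client that can reach Varnish gets the read user's access; the text "so all read requests are authenticated" should say that this restricts writes and admin access rather than reads. Two smaller points: the Varnish snippet is written as a line block (`|`), which loses its indentation and does not render as code, where the `::` literal block used elsewhere in this file would; and `/includes/config.pm` reads as an absolute path, so spell out where that file lives relative to the install.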
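Review bot: In the @@ -79,6 +105,8 @@ hunk, the added lines "Varnish is installed and listens to port 80" and "InfluxDB is installed and listens to port 8086" have no terminating period and no blank line around them, so in reStructuredText they flow into the neighbouring sentences as one run-on paragraph; end each with a period. Since the section added earlier in this patch states that default InfluxDB is wide open and routes reads through Varnish, this paragraph is also the natural place to say whether port 8086 is meant to be reachable from other hosts or only from Varnish and the collectors on the same machine.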