From mark.saad at ymail.com Thu May 5 12:18:56 2011
From: mark.saad at ymail.com (Mark Saad)
Date: Thu, 5 May 2011 12:18:56 -0400
Subject: [nycbug-talk] Cacti Sucks, So what do I replace it with.
Message-ID:

Talk
I have a good question for you. I started to hate cacti for a few
reasons I don't want to get into.

I know that a few other trending / monitoring projects have reached
critical mass and have a good number of people using them.
What do you recommend I move to? Here are my requirements.

1. SNMP Polling
2. RRD, SQLite, or BerkeleyDB data storage
3. I don't want it to lower my TCO or bake me a cake.
4. Flexible trend management. (If I want to trend nfs read operations
for 100 servers into one graph I should not have to jump through hoops)

So people have pointed me to

1. zabbix.com
2. munin-monitoring.org
3. ganglia.sourceforge.net

What are you using?

From pete at nomadlogic.org Thu May 5 13:57:35 2011
From: pete at nomadlogic.org (Pete Wright)
Date: Thu, 5 May 2011 17:57:35 +0000
Subject: [nycbug-talk] Cacti Sucks, So what do I replace it with.
In-Reply-To:
References:
Message-ID: <20110505175731.GQ88315@pv.nomadlogic.org>

On Thu, May 05, 2011 at 12:18:56PM -0400, Mark Saad wrote:
> Talk
> I have a good question for you. I started to hate cacti for a few
> reasons I don't want to get into.
>
> I know that a few other trending / monitoring projects have reached
> critical mass and have a good number of people using them.
> What do you recommend I move to? Here are my requirements.
>
> 1. SNMP Polling
> 2. RRD, SQLite, or BerkeleyDB data storage
> 3. I don't want it to lower my TCO or bake me a cake.
> 4. Flexible trend management. (If I want to trend nfs read operations
> for 100 servers into one graph I should not have to jump through hoops)
>
> So people have pointed me to
>
> 1. zabbix.com
> 2. munin-monitoring.org
> 3. ganglia.sourceforge.net
>
> What are you using?

i've found that ganglia can be pretty helpful for clusters of systems,
although it is agent based.
regarding your requirements i'd like to throw something out there that
violates #'s 1 and 2, although i think it will provide you with a system
that is more scalable and flexible moving forward.

http://graphite.wikidot.com/

I've used graphite on very large clusters, and have used it to plot all
sorts of data at very high rates. We found that while it does not support
snmp out of the box, it is trivial to get it set up to poll data via snmp.
the flip-side is that since it does not rely on snmp you can gather a
wider array of metrics w/ less work required to get it versus snmp. for
example, you could write a script that executes a SQL statement that
outputs interesting data from your RDBMS (how long has a given query run,
what's the status of my VACUUM metrics, etc..). while i initially found
that this unstructured approach made my sys-admin senses tingle it did
provide us with some interesting opportunities i would not have been able
to easily do purely via SNMP.

I've also found that the "whisper" file format that graphite data is
stored in is quite a bit more flexible, and more efficient, than rrd -
and most def faster and more scalable than sqlite or BDB.

-pete

-- 
Pete Wright
pete at nomadlogic.org

From jason at dixongroup.net Thu May 5 13:37:10 2011
From: jason at dixongroup.net (Jason Dixon)
Date: Thu, 5 May 2011 13:37:10 -0400
Subject: [nycbug-talk] Cacti Sucks, So what do I replace it with.
In-Reply-To:
References:
Message-ID: <20110505173710.GD2770@dixongroup.net>

On Thu, May 05, 2011 at 12:18:56PM -0400, Mark Saad wrote:
> Talk
> I have a good question for you. I started to hate cacti for a few
> reasons I don't want to get into.
>
> I know that a few other trending / monitoring projects have reached
> critical mass and have a good number of people using them.
> What do you recommend I move to? Here are my requirements.
>
> 1. SNMP Polling
> 2. RRD, SQLite, or BerkeleyDB data storage
> 3. I don't want it to lower my TCO or bake me a cake.
> 4. Flexible trend management. (If I want to trend nfs read operations
> for 100 servers into one graph I should not have to jump through hoops)
>
> So people have pointed me to
>
> 1. zabbix.com
> 2. munin-monitoring.org
> 3. ganglia.sourceforge.net

I'm a big fan of Graphite (http://graphite.wikidot.com/). There are a
lot of agents (Munin, collectd, gmond) that already support it. It will
also read in any existing RRD files you have, which is really nice. It's
less of a dashboard than Cacti; currently it excels at metrics storage
and complex graph creation. But it does server-side rendering and
supports all creation options as HTTP parameters, so it's easy to adjust
graphs on the fly, embed them in your own HTML dashboards, etc.

I gave a recent talk at PICC on using Graphite in conjunction with Nagios
and PNP4Nagios to get more ROI on your existing Nagios installation.

http://www.slideshare.net/obfuscurity/trending-with-purpose

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/

From bonsaime at gmail.com Thu May 5 16:20:33 2011
From: bonsaime at gmail.com (Jesse Callaway)
Date: Thu, 5 May 2011 16:20:33 -0400
Subject: [nycbug-talk] Cacti Sucks, So what do I replace it with.
In-Reply-To: <20110505173710.GD2770@dixongroup.net>
References: <20110505173710.GD2770@dixongroup.net>
Message-ID:

On Thu, May 5, 2011 at 1:37 PM, Jason Dixon wrote:
> On Thu, May 05, 2011 at 12:18:56PM -0400, Mark Saad wrote:
>> Talk
>> I have a good question for you. I started to hate cacti for a few
>> reasons I don't want to get into.
>>
>> I know that a few other trending / monitoring projects have reached
>> critical mass and have a good number of people using them.
>> What do you recommend I move to? Here are my requirements.
>>
>> 1. SNMP Polling
>> 2. RRD, SQLite, or BerkeleyDB data storage
>> 3. I don't want it to lower my TCO or bake me a cake.
>> 4. Flexible trend management.
>> (If I want to trend nfs read operations
>> for 100 servers into one graph I should not have to jump through hoops)
>>
>> So people have pointed me to
>>
>> 1. zabbix.com
>> 2. munin-monitoring.org
>> 3. ganglia.sourceforge.net
>
> I'm a big fan of Graphite (http://graphite.wikidot.com/). There are a
> lot of agents (Munin, collectd, gmond) that already support it. It will
> also read in any existing RRD files you have, which is really nice. It's
> less of a dashboard than Cacti; currently it excels at metrics storage
> and complex graph creation. But it does server-side rendering and
> supports all creation options as HTTP parameters, so it's easy to adjust
> graphs on the fly, embed them in your own HTML dashboards, etc.
>
> I gave a recent talk at PICC on using Graphite in conjunction with Nagios
> and PNP4Nagios to get more ROI on your existing Nagios installation.
>
> http://www.slideshare.net/obfuscurity/trending-with-purpose
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net/
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

Much appreciated, all. Cacti has it all there, it just needs to be
rewritten from scratch... which isn't going to happen.

Did not know that munin, collectd, and gmond have stuff that spews to
graphite... nice!

There is a lot of interest out there in getting a good replacement
going, and many projects. It's good to see all of these efforts come
out at once. Some projects are looking at what others are doing, and
it's making a great feedback cycle... the Bazaar!!!

-jesse

From bonsaime at gmail.com Thu May 5 17:43:55 2011
From: bonsaime at gmail.com (Jesse Callaway)
Date: Thu, 5 May 2011 17:43:55 -0400
Subject: [nycbug-talk] Cacti Sucks, So what do I replace it with.
In-Reply-To:
References: <20110505173710.GD2770@dixongroup.net>
Message-ID:

On Thu, May 5, 2011 at 5:07 PM, Edward Capriolo wrote:
> On Thu, May 5, 2011 at 4:20 PM, Jesse Callaway wrote:
>> On Thu, May 5, 2011 at 1:37 PM, Jason Dixon wrote:
>>> On Thu, May 05, 2011 at 12:18:56PM -0400, Mark Saad wrote:
>>>> Talk
>>>> I have a good question for you. I started to hate cacti for a few
>>>> reasons I don't want to get into.
>>>>
>>>> I know that a few other trending / monitoring projects have reached
>>>> critical mass and have a good number of people using them.
>>>> What do you recommend I move to? Here are my requirements.
>>>>
>>>> 1. SNMP Polling
>>>> 2. RRD, SQLite, or BerkeleyDB data storage
>>>> 3. I don't want it to lower my TCO or bake me a cake.
>>>> 4. Flexible trend management. (If I want to trend nfs read operations
>>>> for 100 servers into one graph I should not have to jump through hoops)
>>>>
>>>> So people have pointed me to
>>>>
>>>> 1. zabbix.com
>>>> 2. munin-monitoring.org
>>>> 3. ganglia.sourceforge.net
>>>
>>> I'm a big fan of Graphite (http://graphite.wikidot.com/). There are a
>>> lot of agents (Munin, collectd, gmond) that already support it. It will
>>> also read in any existing RRD files you have, which is really nice. It's
>>> less of a dashboard than Cacti; currently it excels at metrics storage
>>> and complex graph creation. But it does server-side rendering and
>>> supports all creation options as HTTP parameters, so it's easy to adjust
>>> graphs on the fly, embed them in your own HTML dashboards, etc.
>>>
>>> I gave a recent talk at PICC on using Graphite in conjunction with Nagios
>>> and PNP4Nagios to get more ROI on your existing Nagios installation.
>>>
>>> http://www.slideshare.net/obfuscurity/trending-with-purpose
>>>
>>> --
>>> Jason Dixon
>>> DixonGroup Consulting
>>> http://www.dixongroup.net/
>>>
>>
>> Much appreciated, all. Cacti has it all there, it just needs to be
>> rewritten from scratch... which isn't going to happen.
>>
>> Did not know that munin, collectd, and gmond have stuff that spews to
>> graphite... nice!
>>
>> There is a lot of interest out there in getting a good replacement
>> going, and many projects. It's good to see all of these efforts come
>> out at once. Some projects are looking at what others are doing, and
>> it's making a great feedback cycle... the Bazaar!!!
>>
>> -jesse
>>
>
> Being a big cacti/snmp guy I have to chime in.
>
> First let me start by saying I do not like push based systems like
> ganglia. (BTW I met one of the original ganglia authors. Really cool guy)
> Why? Counters are supposed to go up. The reason it is done like this
> is so N independent systems can sample the value at different
> intervals. For example, if I get an alert from my NMS saying "CPU is
> high" but I have to wait "5" or "10" minutes to see if it clears or
> actually SSH on the system, and run top my NMS is NOT useful. In this
> case cacti has an awesome "Real time" plugin that allows me to look at
> something in 5,10,20,30...second intervals. Game changer.

Ganglia and Graphite only send the data when it's necessary... You can
stick with a regular interval or you can send when it's appropriate.
This is flexibility. Most stuff I'm trending is not appropriate to
view on a 15 second polling interval. I just don't find the realtime
graphs entirely useful for trending.
I would like to be able to poll and push, ideally. There are benefits
to both... However the real win with graphite is that you could get
some alert in the middle of the night, and think... geez time to trend
this stat. Write a script to throw the data to the collector and then
go to bed without worrying about polluting OID space with a poorly
structured table. Write the graphs later when you think more clearly.

>
> Most users do not learn or understand the features built into SNMP
> 1) It is trivial to use extend or exec in snmp and pass a request for
> an OID directly to a script
> 2) You can use SNMP AGENT or AGENTX technology to link SNMP directly
> to counters/method in a running process
> 3) It is widely understood by a wide variety of tools.

SNMP is useful. Good tool. Agentx is not so easy. I don't see what the
data source has to do with this.

>
> This fundamental lack in understanding results in much wheel
> reinvention and clunky solutions for passing data around. Take for
> example how most people do apache stats. Typically they try to write
> some wonky script that acquires information using wget from the
> server_status page. Each time this page changes or adds something new
> the scripts usually break.
>
> On the other side of the pond, look at IIS. Windows performance
> counters and IIS are implemented !!beautifully!! You open a MMC
> console, connect to a remote server, get a list of objects, i.e. IIS, get
> a list of counters, i.e. requests/sec, choose an instance like
> mywebsite.org, and bam real time counters, rendered on screen, built
> in support to save this information to a file or SQL database.
>
> The open source world has just completely missed the boat in most
> cases. Rather than look at the simple elegant way windows does this
> and leverage SNMP agents and already existing SNMP tools, each project
> takes a different wheel reinventing approach to accomplish the same
> thing.
>

Is it the responsibility of every application to maintain an SNMP
agent, compatible with whatever flavor (okay... ucd-snmp) of snmpd is
running on whatever OS?

> I am back to old school, every machine gets 4 graphs CPU, Disk
> activity, network, and memory. Maybe I build a custom graph with
> requests/second if applicable when I am in the mood, but that is it.
> This stuff jumped the shark a long time ago.
>

-- 
-jesse

From edlinuxguru at gmail.com Thu May 5 17:07:47 2011
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Thu, 5 May 2011 17:07:47 -0400
Subject: [nycbug-talk] Cacti Sucks, So what do I replace it with.
In-Reply-To:
References: <20110505173710.GD2770@dixongroup.net>
Message-ID:

On Thu, May 5, 2011 at 4:20 PM, Jesse Callaway wrote:
> On Thu, May 5, 2011 at 1:37 PM, Jason Dixon wrote:
>> On Thu, May 05, 2011 at 12:18:56PM -0400, Mark Saad wrote:
>>> Talk
>>> I have a good question for you. I started to hate cacti for a few
>>> reasons I don't want to get into.
>>>
>>> I know that a few other trending / monitoring projects have reached
>>> critical mass and have a good number of people using them.
>>> What do you recommend I move to? Here are my requirements.
>>>
>>> 1. SNMP Polling
>>> 2. RRD, SQLite, or BerkeleyDB data storage
>>> 3. I don't want it to lower my TCO or bake me a cake.
>>> 4. Flexible trend management. (If I want to trend nfs read operations
>>> for 100 servers into one graph I should not have to jump through hoops)
>>>
>>> So people have pointed me to
>>>
>>> 1. zabbix.com
>>> 2. munin-monitoring.org
>>> 3. ganglia.sourceforge.net
>>
>> I'm a big fan of Graphite (http://graphite.wikidot.com/). There are a
>> lot of agents (Munin, collectd, gmond) that already support it. It will
>> also read in any existing RRD files you have, which is really nice. It's
>> less of a dashboard than Cacti; currently it excels at metrics storage
>> and complex graph creation.
>> But it does server-side rendering and
>> supports all creation options as HTTP parameters, so it's easy to adjust
>> graphs on the fly, embed them in your own HTML dashboards, etc.
>>
>> I gave a recent talk at PICC on using Graphite in conjunction with Nagios
>> and PNP4Nagios to get more ROI on your existing Nagios installation.
>>
>> http://www.slideshare.net/obfuscurity/trending-with-purpose
>>
>> --
>> Jason Dixon
>> DixonGroup Consulting
>> http://www.dixongroup.net/
>>
>
> Much appreciated, all. Cacti has it all there, it just needs to be
> rewritten from scratch... which isn't going to happen.
>
> Did not know that munin, collectd, and gmond have stuff that spews to
> graphite... nice!
>
> There is a lot of interest out there in getting a good replacement
> going, and many projects. It's good to see all of these efforts come
> out at once. Some projects are looking at what others are doing, and
> it's making a great feedback cycle... the Bazaar!!!
>
> -jesse
>

Being a big cacti/snmp guy I have to chime in.

First let me start by saying I do not like push based systems like
ganglia. (BTW I met one of the original ganglia authors. Really cool guy)
Why? Counters are supposed to go up. The reason it is done like this
is so N independent systems can sample the value at different
intervals. For example, if I get an alert from my NMS saying "CPU is
high" but I have to wait "5" or "10" minutes to see if it clears or
actually SSH on the system, and run top my NMS is NOT useful. In this
case cacti has an awesome "Real time" plugin that allows me to look at
something in 5,10,20,30...second intervals. Game changer.
Most users do not learn or understand the features built into SNMP
1) It is trivial to use extend or exec in snmp and pass a request for
an OID directly to a script
2) You can use SNMP AGENT or AGENTX technology to link SNMP directly
to counters/method in a running process
3) It is widely understood by a wide variety of tools.

This fundamental lack in understanding results in much wheel
reinvention and clunky solutions for passing data around. Take for
example how most people do apache stats. Typically they try to write
some wonky script that acquires information using wget from the
server_status page. Each time this page changes or adds something new
the scripts usually break.

On the other side of the pond, look at IIS. Windows performance
counters and IIS are implemented !!beautifully!! You open a MMC
console, connect to a remote server, get a list of objects, i.e. IIS, get
a list of counters, i.e. requests/sec, choose an instance like
mywebsite.org, and bam real time counters, rendered on screen, built
in support to save this information to a file or SQL database.

The open source world has just completely missed the boat in most
cases. Rather than look at the simple elegant way windows does this
and leverage SNMP agents and already existing SNMP tools, each project
takes a different wheel reinventing approach to accomplish the same
thing.

I am back to old school, every machine gets 4 graphs CPU, Disk
activity, network, and memory. Maybe I build a custom graph with
requests/second if applicable when I am in the mood, but that is it.
This stuff jumped the shark a long time ago.

From chsnyder at gmail.com Thu May 5 17:17:21 2011
From: chsnyder at gmail.com (Chris Snyder)
Date: Thu, 5 May 2011 17:17:21 -0400
Subject: [nycbug-talk] Cacti Sucks, So what do I replace it with.
In-Reply-To:
References: <20110505173710.GD2770@dixongroup.net>
Message-ID:

On Thu, May 5, 2011 at 4:20 PM, Jesse Callaway wrote:
> There is a lot of interest out there in getting a good replacement
> going, and many projects. It's good to see all of these efforts come
> out at once. Some projects are looking at what others are doing, and
> it's making a great feedback cycle... the Bazaar!!!
>

I think the graphite guys nailed it when they wrote that this is a niche
product. I struggled with cacti, munin, and others until I realized that
it would be better to just roll my own with RRD and PHP so that I got
exactly what I wanted. Outside of small-office situations, there is no
one-size-fits-all to monitoring.

Graphite is a valid upgrade path from RRD, rather than a framework around
it. Great suggestion.

Chris Snyder
http://chxor.chxo.com/

From edlinuxguru at gmail.com Thu May 5 18:19:33 2011
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Thu, 5 May 2011 18:19:33 -0400
Subject: [nycbug-talk] Cacti Sucks, So what do I replace it with.
In-Reply-To:
References: <20110505173710.GD2770@dixongroup.net>
Message-ID:

Gmail is probably going to destroy in line replies but here goes nothing.

On Thu, May 5, 2011 at 5:43 PM, Jesse Callaway wrote:
> On Thu, May 5, 2011 at 5:07 PM, Edward Capriolo wrote:
>> On Thu, May 5, 2011 at 4:20 PM, Jesse Callaway wrote:
>>> On Thu, May 5, 2011 at 1:37 PM, Jason Dixon wrote:
>>>> On Thu, May 05, 2011 at 12:18:56PM -0400, Mark Saad wrote:
>>>>> Talk
>>>>> I have a good question for you. I started to hate cacti for a few
>>>>> reasons I don't want to get into.
>>>>>
>>>>> I know that a few other trending / monitoring projects have reached
>>>>> critical mass and have a good number of people using them.
>>>>> What do you recommend I move to? Here are my requirements.
>>>>>
>>>>> 1. SNMP Polling
>>>>> 2. RRD, SQLite, or BerkeleyDB data storage
>>>>> 3. I don't want it to lower my TCO or bake me a cake.
>>>>> 4. Flexible trend management. (If I want to trend nfs read operations
>>>>> for 100 servers into one graph I should not have to jump through hoops)
>>>>>
>>>>> So people have pointed me to
>>>>>
>>>>> 1. zabbix.com
>>>>> 2. munin-monitoring.org
>>>>> 3. ganglia.sourceforge.net
>>>>
>>>> I'm a big fan of Graphite (http://graphite.wikidot.com/). There are a
>>>> lot of agents (Munin, collectd, gmond) that already support it. It will
>>>> also read in any existing RRD files you have, which is really nice. It's
>>>> less of a dashboard than Cacti; currently it excels at metrics storage
>>>> and complex graph creation. But it does server-side rendering and
>>>> supports all creation options as HTTP parameters, so it's easy to adjust
>>>> graphs on the fly, embed them in your own HTML dashboards, etc.
>>>>
>>>> I gave a recent talk at PICC on using Graphite in conjunction with Nagios
>>>> and PNP4Nagios to get more ROI on your existing Nagios installation.
>>>>
>>>> http://www.slideshare.net/obfuscurity/trending-with-purpose
>>>>
>>>> --
>>>> Jason Dixon
>>>> DixonGroup Consulting
>>>> http://www.dixongroup.net/
>>>>
>>>
>>> Much appreciated, all. Cacti has it all there, it just needs to be
>>> rewritten from scratch... which isn't going to happen.
>>>
>>> Did not know that munin, collectd, and gmond have stuff that spews to
>>> graphite... nice!
>>>
>>> There is a lot of interest out there in getting a good replacement
>>> going, and many projects. It's good to see all of these efforts come
>>> out at once. Some projects are looking at what others are doing, and
>>> it's making a great feedback cycle... the Bazaar!!!
>>>
>>> -jesse
>>>
>>
>> Being a big cacti/snmp guy I have to chime in.
>>
>> First let me start by saying I do not like push based systems like
>> ganglia. (BTW I met one of the original ganglia authors. Really cool guy)
>> Why? Counters are supposed to go up. The reason it is done like this
>> is so N independent systems can sample the value at different
>> intervals. For example, if I get an alert from my NMS saying "CPU is
>> high" but I have to wait "5" or "10" minutes to see if it clears or
>> actually SSH on the system, and run top my NMS is NOT useful. In this
>> case cacti has an awesome "Real time" plugin that allows me to look at
>> something in 5,10,20,30...second intervals. Game changer.
>
> Ganglia and Graphite only send the data when it's necessary... You can
> stick with a regular interval or you can send when it's appropriate.
> This is flexibility. Most stuff I'm trending is not appropriate to
> view on a 15 second polling interval. I just don't find the realtime
> graphs entirely useful for trending.
>

15 second intervals are not useful for trending. But they are useful when
things go wrong. I do not want to have to leave my NMS when monitoring my
network.

> I would like to be able to poll and push, ideally. There are benefits
> to both... However the real win with graphite is that you could get
> some alert in the middle of the night, and think... geez time to trend
> this stat. Write a script to throw the data to the collector and then
> go to bed without worrying about polluting OID space with a poorly
> structured table. Write the graphs later when you think more clearly.
>
>>
>> Most users do not learn or understand the features built into SNMP
>> 1) It is trivial to use extend or exec in snmp and pass a request for
>> an OID directly to a script
>> 2) You can use SNMP AGENT or AGENTX technology to link SNMP directly
>> to counters/method in a running process
>> 3) It is widely understood by a wide variety of tools.
>
> SNMP is useful. Good tool. Agentx is not so easy. I don't see what the
> data source has to do with this.
>
>>
>> This fundamental lack in understanding results in much wheel
>> reinvention and clunky solutions for passing data around. Take for
>> example how most people do apache stats. Typically they try to write
>> some wonky script that acquires information using wget from the
>> server_status page. Each time this page changes or adds something new
>> the scripts usually break.
>>
>> On the other side of the pond, look at IIS. Windows performance
>> counters and IIS are implemented !!beautifully!! You open a MMC
>> console, connect to a remote server, get a list of objects, i.e. IIS, get
>> a list of counters, i.e. requests/sec, choose an instance like
>> mywebsite.org, and bam real time counters, rendered on screen, built
>> in support to save this information to a file or SQL database.
>>
>> The open source world has just completely missed the boat in most
>> cases. Rather than look at the simple elegant way windows does this
>> and leverage SNMP agents and already existing SNMP tools, each project
>> takes a different wheel reinventing approach to accomplish the same
>> thing.
>>
>
> Is it the responsibility of every application to maintain an SNMP
> agent, compatible with whatever flavor (okay... ucd-snmp) of snmpd is
> running on whatever OS?
>

Yes. I believe it should be. Programs ./configure themselves for
different thread libraries, pointer size, etc. Configuring your agent is
no different.
It is a better alternative than relying on a cobbled collection of shell
scripts that hopefully extract the information you need correctly. Your
odds of finding a good template for the thing you are looking to monitor
are low at best. I also hate seeing all the duplication of effort:

http://codeinthehole.com/archives/8-Monitoring-MySQL-with-Ganglia-and-gmetric.html
http://code.google.com/p/mysql-cacti-templates/
http://www.masterzen.fr/software-contributions/mysql-snmp-monitor-mysql-with-snmp/
http://github.com/kjellm/munin-mysql/tree/master
http://code.google.com/p/appaloosa-zabbix-templates/

Just knock it out once, write an SNMP agent for mysql, produce a nice
well documented MIB file, done deal.

To beat a dead horse look at how our m$ friends do it.
http://www.brentozar.com/archive/2006/12/dba-101-using-perfmon-for-sql-performance-tuning/
They have time to make videos and show off while we spend time debugging
and reinventing data collection over and over again.

>> I am back to old school, every machine gets 4 graphs CPU, Disk
>> activity, network, and memory. Maybe I build a custom graph with
>> requests/second if applicable when I am in the mood, but that is it.
>> This stuff jumped the shark a long time ago.
>>
>
>
>
> --
> -jesse
>

From dave at donnerjack.com Thu May 5 20:22:43 2011
From: dave at donnerjack.com (David Lawson)
Date: Thu, 5 May 2011 20:22:43 -0400
Subject: [nycbug-talk] Cacti Sucks, So what do I replace it with.
In-Reply-To:
References:
Message-ID:

On May 5, 2011, at 12:18 PM, Mark Saad wrote:

> Talk
> I have a good question for you. I started to hate cacti for a few
> reasons I don't want to get into.
>
> I know that a few other trending / monitoring projects have reached
> critical mass and have a good number of people using them.
> What do you recommend I move to? Here are my requirements.
>
> 1. SNMP Polling
> 2. RRD, SQLite, or BerkeleyDB data storage
> 3. I don't want it to lower my TCO or bake me a cake.
> 4. Flexible trend management. (If I want to trend nfs read operations
> for 100 servers into one graph I should not have to jump through hoops)
>
> So people have pointed me to
>
> 1. zabbix.com
> 2. munin-monitoring.org
> 3. ganglia.sourceforge.net

I have some experience with both Zabbix and Munin and wouldn't recommend
either of them.

The Zabbix interface is horrific, there's no on disk config so you have
to configure it through the web interface and it tries to do far, far
too much and doesn't accomplish very much of it well. It has some
upsides but they're few and far between. I've got it for
monitoring/trending at work at the moment and am trying hard to replace
it with Nagios and anything else.

Munin works, but from what I've seen of the plugins and plugin
configuration, it's needlessly complicated when compared to something
like Cacti even. I haven't had any problems with it, but it's not as
flexible, nor as simple as I'd like it to be.

I'd chime in with all the other recommendations for Graphite, I'm hoping
to get that set up sometime soon and get some hands on time with it, but
I think it's a nice framework to build on and doesn't seem to suffer
from the problems I've seen in other trending/reporting tools.

--Dave

From spork at bway.net Thu May 5 20:33:29 2011
From: spork at bway.net (Charles Sprickman)
Date: Thu, 5 May 2011 20:33:29 -0400 (EDT)
Subject: [nycbug-talk] Cacti Sucks, So what do I replace it with.
In-Reply-To:
References:
Message-ID:

On Thu, 5 May 2011, David Lawson wrote:

> On May 5, 2011, at 12:18 PM, Mark Saad wrote:
>
>> Talk
>> I have a good question for you. I started to hate cacti for a few
>> reasons I don't want to get into.
>>
>> I know that a few other trending / monitoring projects have reached
>> critical mass and have a good number of people using them.
>> What do you recommend I move to? Here are my requirements.
>>
>> 1. SNMP Polling
>> 2. RRD, SQLite, or BerkeleyDB data storage
>> 3. I don't want it to lower my TCO or bake me a cake.
>> 4. Flexible trend management. (If I want to trend nfs read operations
>> for 100 servers into one graph I should not have to jump through hoops)
>>
>> So people have pointed me to
>>
>> 1. zabbix.com
>> 2. munin-monitoring.org
>> 3. ganglia.sourceforge.net
>
> I have some experience with both Zabbix and Munin and wouldn't recommend
> either of them.
>
> The Zabbix interface is horrific, there's no on disk config so you have
> to configure it through the web interface and it tries to do far, far
> too much and doesn't accomplish very much of it well. It has some
> upsides but they're few and far between. I've got it for
> monitoring/trending at work at the moment and am trying hard to replace
> it with Nagios and anything else.

Regarding Nagios, it sounds like the OP is probably working with a much
larger environment, but I've been moving to just letting Nagios be my
single point of data collection. I figure it's already going out and
polling stuff for monitoring, so why have something else like Cacti
mirror it? Why add devices/services in two places? I'm using pnp4nagios
for graphing everything that's monitored. It works, not sure how it
scales, but it gives us the info we need. It uses rrd for storage and
the graphs are generated on demand. You can browse graphs either through
nagios or directly. The limitation here is of course that you're stuck
with nagios' polling interval. But pretty much any plugin you download
(or make yourself) should work with pnp4nagios - if it spits out
performance data, you're all set.

I tried Zabbix once and as you noted, found it very difficult to
configure - I'd set one thing up and want to edit a config file to
duplicate it a zillion times, but no such luck - db or nothing.

Charles

> Munin works, but from what I've seen of the plugins and plugin configuration, it's needlessly complicated when compared to something like Cacti even. I haven't had any problems with it, but it's not as flexible, nor as simple as I'd like it to be.
> > I'd chime in with all the other recommendations for Graphite, I'm hoping to get that set up sometime soon and get some hands on time with it, but I think it's a nice framework to build on and doesn't seem to suffer from the problems I've seen in other trending/reporting tools. > > --Dave > > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > From jason at dixongroup.net Thu May 5 20:42:42 2011 From: jason at dixongroup.net (Jason Dixon) Date: Thu, 5 May 2011 20:42:42 -0400 Subject: [nycbug-talk] Cacti Sucks, So what do I replace it with. In-Reply-To: References: Message-ID: <20110506004242.GF2770@dixongroup.net> On Thu, May 05, 2011 at 08:33:29PM -0400, Charles Sprickman wrote: > > Regarding Nagios, it sounds like the OP is probably working with a much > larger environment, but I've been moving to just letting Nagios be my > single point of data collection. I figure it's already going out and > polling stuff for monitoring, so why have something else like Cacti > mirror it? Why add devices/services in two places? I'm using pnp4nagios > for graphing everything that's monitored. It works, not sure how it > scales, but it gives us the info we need. It uses rrd for storage and > the graphs are generated on demand. You can browse graphs either through > nagios or directly. The limitation here is of course that you're stuck > with nagios' polling interval. But pretty much any plugin you download > (or make yourself) should work with pnp4nagios - if it spits out > performance data, you're all set. The limitation with PNP4Nagios (and those like it) is that it only lets you visualize a single data point. Very often it's invaluable to correlate disparate datapoints in a single graph. Tools like Graphite (and Reconnoiter) let you do this easily. 
The talk and slides I mentioned recently demonstrated how you can get more use out of your existing Nagios installation by using PNP4Nagios (to extract perfdata into RRD) and Graphite (to do more advanced graph composition). So I agree that PNP4Nagios has some usefulness, but I wouldn't be satisfied with it as your sole trending utility. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/ From o_sleep at belovedarctos.com Fri May 6 21:47:49 2011 From: o_sleep at belovedarctos.com (Bjorn Nelson) Date: Fri, 06 May 2011 21:47:49 -0400 Subject: [nycbug-talk] Cacti Sucks, So what do I replace it with. In-Reply-To: <20110505173710.GD2770@dixongroup.net> References: <20110505173710.GD2770@dixongroup.net> Message-ID: <4DC4A4C5.9080703@belovedarctos.com> On 5/5/2011 1:37 PM, Jason Dixon wrote: > On Thu, May 05, 2011 at 12:18:56PM -0400, Mark Saad wrote: > >> 2. RRD , SQLite, or Berklydb data storage >> One little known but powerful feature of using sqlite as a data store is the "attach" function. If you have other sqlite files, such as a sqlite file containing the applications you have on your hosts you can do join the tables from the two separate sqlite files and create a result that tells you something like the total memory usage for a given application instead of just the hosts themselves. Alternatively, if you have a database of host categories such as location or sla, you can see uptimes per sla or network throughput per location, or failures per model. 
-Bjorn

From nikolai at fetissov.org Sun May 8 18:04:21 2011
From: nikolai at fetissov.org (Nikolai Fetissov)
Date: Sun, 8 May 2011 18:04:21 -0400
Subject: [nycbug-talk] May 2011 meeting audio
Message-ID: <2c98293e9c1d48018b0f71386f9462dc.squirrel@geekisp.com>

Folks,

Audio recording of William Baxter's presentation is online at http://www.fetissov.org/public/nycbug/nycbug-05-04-11.mp3

Cheers,
--
Nikolai

From george at galis.org Thu May 12 00:45:36 2011
From: george at galis.org (George Georgalis)
Date: Wed, 11 May 2011 21:45:36 -0700
Subject: [nycbug-talk] coming to NYC for some weeks...
Message-ID: <20110512044536.GM3001@bonnie.galis.org>

Hello NYCBUG!

I hope many of you will remember me from my time in NYC and when I was more active in this group. :) Well, I'm coming this weekend (14 May) for 4 weeks and looking for a place to sleep. If you have a day or three (or more) I can use your couch, that would be excellent! Will be very busy working 8 or 10 hour days but would like to get away from that for evenings and weekends. :)

Most important that I find hosts for the earlier part of my stay as I've been pretty (extremely) broke past months, but I'll be able to sublet or use a hotel after two weeks (28 May). I'll be working near Queensboro Plaza, subway lines N, 7, E, G, R, F. So if you are near one of them and can host me you are golden! But I don't mind transfers :}

I have basic bedding and know the ins and outs of being a quality guest. :) I'm also good about replying to email, so if there is ever any question, feel free to message me directly.

If you can host me for some nights that would be great. If not but know someone who may, please pass on my contact. Either way, I hope to make the monthly meeting and look forward to some pub (read quality) time with my old friends there. As for newer members, I look forward to meeting you!

-George

From george at ceetonetechnology.com Fri May 13 15:14:10 2011
From: george at ceetonetechnology.com (George Rosamond)
Date: Fri, 13 May 2011 15:14:10 -0400
Subject: [nycbug-talk] BSDCan
Message-ID: <4DCD8302.5000606@ceetonetechnology.com>

I know a bunch of people on talk@ are at BSDCan. . .

Feel free to provide any interesting comments or updates.

And we're definitely looking for a short report at the next meeting if someone wants to volunteer.

g

From george at galis.org Sat May 14 06:02:14 2011
From: george at galis.org (George Georgalis)
Date: Sat, 14 May 2011 03:02:14 -0700
Subject: [nycbug-talk] coming to NYC for some weeks...
In-Reply-To: <20110512044536.GM3001@bonnie.galis.org>
References: <20110512044536.GM3001@bonnie.galis.org>
Message-ID: <20110514100214.GA21405@bonnie.galis.org>

Just a quick update... I'm mostly covered for housing now but I still need a place (couch) to sleep for Memorial Day weekend. Anyone need a house sitter :) I water plants and feed pets too :)

-George

On Wed 11 May 2011 at 09:45:36 PM -0700, George Georgalis wrote:
> Hello NYCBUG!
>
> I hope many of you will remember me from my time in NYC and when I was more active in this group. :) Well, I'm coming this weekend (14 May) for 4 weeks and looking for a place to sleep. If you have a day or three (or more) I can use your couch, that would be excellent! Will be very busy working 8 or 10 hour days but would like to get away from that for evenings and weekends. :)
>
> Most important that I find hosts for the earlier part of my stay as I've been pretty (extremely) broke past months, but I'll be able to sublet or use a hotel after two weeks (28 May). I'll be working near Queensboro Plaza, subway lines N, 7, E, G, R, F. So if you are near one of them and can host me you are golden! But I don't mind transfers :}
>
> I have basic bedding and know the ins and outs of being a quality guest. :) I'm also good about replying to email, so if there is ever any question, feel free to message me directly.
>
> If you can host me for some nights that would be great. If not but know someone who may, please pass on my contact. Either way, I hope to make the monthly meeting and look forward to some pub (read quality) time with my old friends there. As for newer members, I look forward to meeting you!
>
> -George
>

From mspitzer at gmail.com Wed May 18 16:21:46 2011
From: mspitzer at gmail.com (Marc Spitzer)
Date: Wed, 18 May 2011 16:21:46 -0400
Subject: [nycbug-talk] ipad remote storage question
Message-ID:

Hi all,

I have a roll out at work for 200+ ipads in the fall, 400 in 2 years, and we need to provide remote file storage/access. I have spoken to apple about it and they are recommending webdav. I was wondering if anyone else had any different ideas or product recommendations? Currently we are testing with apache/webdav and each user gets his own stanza in apache config, it's fine for 5-10 but will become a bit unwieldy when it grows.

thanks,

marc

--
Freedom is nothing but a chance to be better.
--Albert Camus

The problem with socialism is that eventually you run out of other people's money.
--Margaret Thatcher

From pete at nomadlogic.org Wed May 18 17:00:06 2011
From: pete at nomadlogic.org (Pete Wright)
Date: Wed, 18 May 2011 21:00:06 +0000
Subject: [nycbug-talk] ipad remote storage question
In-Reply-To:
References:
Message-ID: <20110518210002.GC42416@pv.nomadlogic.org>

On Wed, May 18, 2011 at 04:21:46PM -0400, Marc Spitzer wrote:
> Hi all,
>
> I have a roll out at work for 200+ ipads in the fall, 400 in 2 years, and we need to provide remote file storage/access. I have spoken to apple about it and they are recommending webdav. I was wondering if anyone else had any different ideas or product recommendations?
> Currently we are testing with apache/webdav and each user gets his own stanza in apache config, it's fine for 5-10 but will become a bit unwieldy when it grows.
>

just thinking off the top of my head, but perhaps you could use webdav+ldap to help scale this out? haven't looked at docs too closely, but i'm thinking something along the lines of pulling user auth along with some webdav attributes from ldap...

-pete

--
Pete Wright
pete at nomadlogic.org

From mspitzer at gmail.com Wed May 18 17:40:19 2011
From: mspitzer at gmail.com (Marc Spitzer)
Date: Wed, 18 May 2011 17:40:19 -0400
Subject: [nycbug-talk] ipad remote storage question
In-Reply-To: <20110518210002.GC42416@pv.nomadlogic.org>
References: <20110518210002.GC42416@pv.nomadlogic.org>
Message-ID:

On Wed, May 18, 2011 at 5:00 PM, Pete Wright wrote:
> On Wed, May 18, 2011 at 04:21:46PM -0400, Marc Spitzer wrote:
>> Hi all,
>>
>> I have a roll out at work for 200+ ipads in the fall, 400 in 2 years, and we need to provide remote file storage/access. I have spoken to apple about it and they are recommending webdav. I was wondering if anyone else had any different ideas or product recommendations? Currently we are testing with apache/webdav and each user gets his own stanza in apache config, it's fine for 5-10 but will become a bit unwieldy when it grows.
>>
>
> just thinking off the top of my head, but perhaps you could use webdav+ldap to help scale this out? haven't looked at docs too closely, but i'm thinking something along the lines of pulling user auth along with some webdav attributes from ldap...
>
>

Perhaps I just don't know enough about apache presently and need to read some, but here is a sanitized webdav directory config:

#AllowOverride None
Options -Includes +Indexes
#Order allow,deny
#Allow from all
Order Deny,Allow
Deny from all
AuthBasicProvider ldap
AuthName "pilot project"
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://url_here
AuthType Basic
Require user usrid
satisfy any

Dav on

While this does work, maintaining 2-400 of these chunks is something I would like to dodge if possible.

thanks,

marc

--
Freedom is nothing but a chance to be better.
--Albert Camus

The problem with socialism is that eventually you run out of other people's money.
--Margaret Thatcher

From chsnyder at gmail.com Wed May 18 17:51:47 2011
From: chsnyder at gmail.com (Chris Snyder)
Date: Wed, 18 May 2011 17:51:47 -0400
Subject: [nycbug-talk] ipad remote storage question
In-Reply-To:
References: <20110518210002.GC42416@pv.nomadlogic.org>
Message-ID:

On Wed, May 18, 2011 at 5:40 PM, Marc Spitzer wrote:
> Perhaps I just don't know enough about apache presently and need to read some, but here is a sanitized webdav directory config:
>
>
> #AllowOverride None
> Options -Includes +Indexes
> #Order allow,deny
> #Allow from all
> Order Deny,Allow
> Deny from all
> AuthBasicProvider ldap
> AuthName "pilot project"
> AuthzLDAPAuthoritative off
> AuthLDAPURL ldap://url_here
> AuthType Basic
> Require user usrid
> satisfy any
>
> Dav on
>
>
>
> While this does work, maintaining 2-400 of these chunks is something I would like to dodge if possible.
>
> thanks,
>
> marc
>

I don't know of any drop-in ways to do this, although it would be a great open source project.

When I had to do something similar a couple years ago, I used a script to dynamically create the directories and write an .htaccess file to each of them. It seemed better than having a monolithic config, if for no other reason than I didn't want to have to restart the server with each change. Same script modified an .htpasswd file, adding the username and password for the user. I like the LDAP approach better, though, since you probably already have a directory of users.

From edlinuxguru at gmail.com Wed May 18 17:57:44 2011
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Wed, 18 May 2011 17:57:44 -0400
Subject: [nycbug-talk] ipad remote storage question
In-Reply-To:
References: <20110518210002.GC42416@pv.nomadlogic.org>
Message-ID:

I was going to suggest just moving the chunks to /etc/http/conf.d/.conf

I have a script that takes one argument 'repo name' and generates an entire SVN repo. (If you want I will share) You can do a similar thing to build a config file for a specific user and then apachectl graceful to reload.

On Wed, May 18, 2011 at 5:40 PM, Marc Spitzer wrote:
> On Wed, May 18, 2011 at 5:00 PM, Pete Wright wrote:
> > On Wed, May 18, 2011 at 04:21:46PM -0400, Marc Spitzer wrote:
> >> Hi all,
> >>
> >> I have a roll out at work for 200+ ipads in the fall, 400 in 2 years, and we need to provide remote file storage/access. I have spoken to apple about it and they are recommending webdav. I was wondering if anyone else had any different ideas or product recommendations? Currently we are testing with apache/webdav and each user gets his own stanza in apache config, it's fine for 5-10 but will become a bit unwieldy when it grows.
> >>
> >
> > just thinking off the top of my head, but perhaps you could use webdav+ldap to help scale this out? haven't looked at docs too closely, but i'm thinking something along the lines of pulling user auth along with some webdav attributes from ldap...
> >
> >
>
> Perhaps I just don't know enough about apache presently and need to read some, but here is a sanitized webdav directory config:
>
>
> #AllowOverride None
> Options -Includes +Indexes
> #Order allow,deny
> #Allow from all
> Order Deny,Allow
> Deny from all
> AuthBasicProvider ldap
> AuthName "pilot project"
> AuthzLDAPAuthoritative off
> AuthLDAPURL ldap://url_here
> AuthType Basic
> Require user usrid
> satisfy any
>
> Dav on
>
>
>
> While this does work, maintaining 2-400 of these chunks is something I would like to dodge if possible.
>
> thanks,
>
> marc
>
> --
> Freedom is nothing but a chance to be better.
> --Albert Camus
>
> The problem with socialism is that eventually you run out of other people's money.
> --Margaret Thatcher
>

From mspitzer at gmail.com Wed May 18 18:06:05 2011
From: mspitzer at gmail.com (Marc Spitzer)
Date: Wed, 18 May 2011 18:06:05 -0400
Subject: [nycbug-talk] ipad remote storage question
In-Reply-To:
References: <20110518210002.GC42416@pv.nomadlogic.org>
Message-ID:

On Wed, May 18, 2011 at 5:51 PM, Chris Snyder wrote:
>
> I don't know of any drop-in ways to do this, although it would be a great open source project.
> When I had to do something similar a couple years ago, I used a script to dynamically create the directories and write an .htaccess file to each of them. It seemed better than having a monolithic config, if for no other reason than I didn't want to have to restart the server with each change. Same script modified an .htpasswd file, adding the username and password for the user. I like the LDAP approach better, though, since you probably already have a directory of users.
>

unfortunately the .htaccess idea won't work, it would go in their home dirs and they would muck with it.
thanks,

marc

--
Freedom is nothing but a chance to be better.
--Albert Camus

The problem with socialism is that eventually you run out of other people's money.
--Margaret Thatcher

From mspitzer at gmail.com Wed May 18 18:16:16 2011
From: mspitzer at gmail.com (Marc Spitzer)
Date: Wed, 18 May 2011 18:16:16 -0400
Subject: [nycbug-talk] ipad remote storage question
In-Reply-To:
References: <20110518210002.GC42416@pv.nomadlogic.org>
Message-ID:

On Wed, May 18, 2011 at 5:57 PM, Edward Capriolo wrote:
> I was going to suggest just moving the chunks to /etc/http/conf.d/.conf

while that does look enticing I fear it would tempt us from the one true way of always running the script (that is yet to be written) to fix things, it would be too easy to make just one fix.

>
> I have a script that takes one argument 'repo name' and generates an entire SVN repo. (If you want I will share) You can do a similar thing to build a config file for a specific user and then apachectl graceful to reload.
>

That is a generous offer even though I will not partake. The reason is that I do not want to have a large number of config files to manage, think deleted users for example, if I always start at the beginning and go to the end things are always consistent. And I expect to run this job < 10 times a year so consistency and ease of understanding trumps incremental convenience. So it will be one big file with 400 users in it.

thanks,

marc

--
Freedom is nothing but a chance to be better.
--Albert Camus

The problem with socialism is that eventually you run out of other people's money.
--Margaret Thatcher

From mspitzer at gmail.com Wed May 18 18:20:54 2011
From: mspitzer at gmail.com (Marc Spitzer)
Date: Wed, 18 May 2011 18:20:54 -0400
Subject: [nycbug-talk] ipad remote storage question
In-Reply-To:
References: <20110518210002.GC42416@pv.nomadlogic.org>
Message-ID:

On Wed, May 18, 2011 at 6:16 PM, Marc Spitzer wrote:
> On Wed, May 18, 2011 at 5:57 PM, Edward Capriolo wrote:
>> I was going to suggest just moving the chunks to /etc/http/conf.d/.conf
>
> while that does look enticing I fear it would tempt us from the one true way of always running the script (that is yet to be written) to fix things, it would be too easy to make just one fix.

http://www.youtube.com/watch?v=pUbaGfbm9Io , it's oddly topical

marc

>
>>
>> I have a script that takes one argument 'repo name' and generates an entire SVN repo. (If you want I will share) You can do a similar thing to build a config file for a specific user and then apachectl graceful to reload.
>>
>
> That is a generous offer even though I will not partake. The reason is that I do not want to have a large number of config files to manage, think deleted users for example, if I always start at the beginning and go to the end things are always consistent. And I expect to run this job < 10 times a year so consistency and ease of understanding trumps incremental convenience. So it will be one big file with 400 users in it.
>
> thanks,
>
> marc
> --
> Freedom is nothing but a chance to be better.
> --Albert Camus
>
> The problem with socialism is that eventually you run out of other people's money.
> --Margaret Thatcher
>

--
Freedom is nothing but a chance to be better.
--Albert Camus

The problem with socialism is that eventually you run out of other people's money.
--Margaret Thatcher

From pete at nomadlogic.org Wed May 18 19:31:56 2011
From: pete at nomadlogic.org (Pete Wright)
Date: Wed, 18 May 2011 23:31:56 +0000
Subject: [nycbug-talk] ipad remote storage question
In-Reply-To:
References: <20110518210002.GC42416@pv.nomadlogic.org>
Message-ID: <20110518233152.GD42416@pv.nomadlogic.org>

On Wed, May 18, 2011 at 05:40:19PM -0400, Marc Spitzer wrote:
> On Wed, May 18, 2011 at 5:00 PM, Pete Wright wrote:
> > On Wed, May 18, 2011 at 04:21:46PM -0400, Marc Spitzer wrote:
> >> Hi all,
> >>
> >> I have a roll out at work for 200+ ipads in the fall, 400 in 2 years, and we need to provide remote file storage/access. I have spoken to apple about it and they are recommending webdav. I was wondering if anyone else had any different ideas or product recommendations? Currently we are testing with apache/webdav and each user gets his own stanza in apache config, it's fine for 5-10 but will become a bit unwieldy when it grows.
> >>
> >
> > just thinking off the top of my head, but perhaps you could use webdav+ldap to help scale this out? haven't looked at docs too closely, but i'm thinking something along the lines of pulling user auth along with some webdav attributes from ldap...
> >
> >
>
> Perhaps I just don't know enough about apache presently and need to read some, but here is a sanitized webdav directory config:
>
>
> #AllowOverride None
> Options -Includes +Indexes
> #Order allow,deny
> #Allow from all
> Order Deny,Allow
> Deny from all
> AuthBasicProvider ldap
> AuthName "pilot project"
> AuthzLDAPAuthoritative off
> AuthLDAPURL ldap://url_here
> AuthType Basic
> Require user usrid
> satisfy any
>
> Dav on
>
>
>
> While this does work, maintaining 2-400 of these chunks is something I would like to dodge if possible.
>

yea i see what you mean, that would suck :)

how about "Per-User Web directories" and mod_userdir:
http://httpd.apache.org/docs/2.2/howto/public_html.html

i wonder if that would play with DAV - might require some regex's somewhere though...

-p

--
Pete Wright
pete at nomadlogic.org

From mspitzer at gmail.com Wed May 18 19:38:48 2011
From: mspitzer at gmail.com (Marc Spitzer)
Date: Wed, 18 May 2011 19:38:48 -0400
Subject: [nycbug-talk] ipad remote storage question
In-Reply-To: <20110518233152.GD42416@pv.nomadlogic.org>
References: <20110518210002.GC42416@pv.nomadlogic.org> <20110518233152.GD42416@pv.nomadlogic.org>
Message-ID:

On Wed, May 18, 2011 at 7:31 PM, Pete Wright wrote:
> yea i see what you mean, that would suck :)
>
> how about "Per-User Web directories" and mod_userdir:
> http://httpd.apache.org/docs/2.2/howto/public_html.html
>
> i wonder if that would play with DAV - might require some regex's somewhere though...

I do not think it would be a good fit :-/ the students will be reading and writing private files, homework and such.

hi-ho, hi-ho, it's off to script I go ...

marc

--
Freedom is nothing but a chance to be better.
--Albert Camus

The problem with socialism is that eventually you run out of other people's money.
--Margaret Thatcher

From pete at nomadlogic.org Wed May 18 19:41:22 2011
From: pete at nomadlogic.org (Pete Wright)
Date: Wed, 18 May 2011 23:41:22 +0000
Subject: [nycbug-talk] ipad remote storage question
In-Reply-To:
References: <20110518210002.GC42416@pv.nomadlogic.org> <20110518233152.GD42416@pv.nomadlogic.org>
Message-ID: <20110518234118.GE42416@pv.nomadlogic.org>

On Wed, May 18, 2011 at 07:38:48PM -0400, Marc Spitzer wrote:
> On Wed, May 18, 2011 at 7:31 PM, Pete Wright wrote:
> > yea i see what you mean, that would suck :)
> >
> > how about "Per-User Web directories" and mod_userdir:
> > http://httpd.apache.org/docs/2.2/howto/public_html.html
> >
> > i wonder if that would play with DAV - might require some regex's somewhere though...
>
> I do not think it would be a good fit :-/ the students will be reading and writing private files, homework and such.
>
> hi-ho, hi-ho, it's off to script I go ...
>

d'oh! sounds like you def may have to write some cgi type thingy for this. fwiw - i* did something similar a little while ago. we basically re-created the amazon S3 api to allow access to personal filestores from gaming devices. so it's do-able! :)

-pete

*using the royal "i" there, it was a team effort

--
Pete Wright
pete at nomadlogic.org

From me at joedunn.com Wed May 18 19:47:41 2011
From: me at joedunn.com (Joe Dunn)
Date: Wed, 18 May 2011 19:47:41 -0400
Subject: [nycbug-talk] ipad remote storage question
In-Reply-To:
References: <20110518210002.GC42416@pv.nomadlogic.org>
Message-ID:

I'm not sure but wouldn't this be a good use for cfengine?

have an ipad_users (array of users) in a slist and then have that dump into an ipad_users.conf which is included in apache.

When you have the next batch of users just add them to that list and it will generate automagically.

There is probably a better, cleaner way but this comes to mind as a solution.

Joe

On Wed, May 18, 2011 at 5:57 PM, Edward Capriolo wrote:
> I was going to suggest just moving the chunks to /etc/http/conf.d/.conf
>
> I have a script that takes one argument 'repo name' and generates an entire SVN repo. (If you want I will share) You can do a similar thing to build a config file for a specific user and then apachectl graceful to reload.
>
>
> On Wed, May 18, 2011 at 5:40 PM, Marc Spitzer wrote:
>
>> On Wed, May 18, 2011 at 5:00 PM, Pete Wright wrote:
>> > On Wed, May 18, 2011 at 04:21:46PM -0400, Marc Spitzer wrote:
>> >> Hi all,
>> >>
>> >> I have a roll out at work for 200+ ipads in the fall, 400 in 2 years, and we need to provide remote file storage/access. I have spoken to apple about it and they are recommending webdav. I was wondering if anyone else had any different ideas or product recommendations? Currently we are testing with apache/webdav and each user gets his own stanza in apache config, it's fine for 5-10 but will become a bit unwieldy when it grows.
>> >>
>> >
>> > just thinking off the top of my head, but perhaps you could use webdav+ldap to help scale this out? haven't looked at docs too closely, but i'm thinking something along the lines of pulling user auth along with some webdav attributes from ldap...
>> >
>> >
>>
>> Perhaps I just don't know enough about apache presently and need to read some, but here is a sanitized webdav directory config:
>>
>>
>> #AllowOverride None
>> Options -Includes +Indexes
>> #Order allow,deny
>> #Allow from all
>> Order Deny,Allow
>> Deny from all
>> AuthBasicProvider ldap
>> AuthName "pilot project"
>> AuthzLDAPAuthoritative off
>> AuthLDAPURL ldap://url_here
>> AuthType Basic
>> Require user usrid
>> satisfy any
>>
>> Dav on
>>
>>
>>
>> While this does work, maintaining 2-400 of these chunks is something I would like to dodge if possible.
>>
>> thanks,
>>
>> marc
>>
>> --
>> Freedom is nothing but a chance to be better.
>> --Albert Camus
>>
>> The problem with socialism is that eventually you run out of other people's money.
>> --Margaret Thatcher
>>
>
>

From mspitzer at gmail.com Wed May 18 19:48:42 2011
From: mspitzer at gmail.com (Marc Spitzer)
Date: Wed, 18 May 2011 19:48:42 -0400
Subject: [nycbug-talk] ipad remote storage question
In-Reply-To: <20110518234118.GE42416@pv.nomadlogic.org>
References: <20110518210002.GC42416@pv.nomadlogic.org> <20110518233152.GD42416@pv.nomadlogic.org> <20110518234118.GE42416@pv.nomadlogic.org>
Message-ID:

On Wed, May 18, 2011 at 7:41 PM, Pete Wright wrote:
>
> d'oh! sounds like you def may have to write some cgi type thingy for this. fwiw - i* did something similar a little while ago. we basically re-created the amazon S3 api to allow access to personal filestores from gaming devices. so it's do-able! :)
>

no you are looking at it from the wrong end, where the light at the end of the tunnel is an oncoming freight train. I need to write a script that generates the chunk of apache config I need to get dav working properly and securely, and do a little user management as well, basically add and delete is it and it be done.

marc

--
Freedom is nothing but a chance to be better.
--Albert Camus

The problem with socialism is that eventually you run out of other people's money.
--Margaret Thatcher

From mspitzer at gmail.com Wed May 18 19:50:22 2011
From: mspitzer at gmail.com (Marc Spitzer)
Date: Wed, 18 May 2011 19:50:22 -0400
Subject: [nycbug-talk] ipad remote storage question
In-Reply-To:
References: <20110518210002.GC42416@pv.nomadlogic.org>
Message-ID:

On Wed, May 18, 2011 at 7:47 PM, Joe Dunn wrote:
> I'm not sure but wouldn't this be a good use for cfengine?
>
> have an ipad_users (array of users) in a slist and then have that dump into an ipad_users.conf which is included in apache.
>
> When you have the next batch of users just add them to that list and it will generate automagically.
>
> There is probably a better, cleaner way but this comes to mind as a solution.
>
> Joe

hmm had not thought of that, will look into it.

marc

--
Freedom is nothing but a chance to be better.
--Albert Camus

The problem with socialism is that eventually you run out of other people's money.
--Margaret Thatcher

From george at ceetonetechnology.com Wed May 18 19:56:08 2011
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 18 May 2011 19:56:08 -0400
Subject: [nycbug-talk] ipad remote storage question
In-Reply-To:
References:
Message-ID: <4DD45C98.4000703@ceetonetechnology.com>

On 05/18/11 16:21, Marc Spitzer wrote:
> Hi all,
>
> I have a roll out at work for 200+ ipads in the fall, 400 in 2 years, and we need to provide remote file storage/access. I have spoken to apple about it and they are recommending webdav. I was wondering if anyone else had any different ideas or product recommendations? Currently we are testing with apache/webdav and each user gets his own stanza in apache config, it's fine for 5-10 but will become a bit unwieldy when it grows.
>

You might consider looking at SSHFS.

When you say "file storage/access", do you mean ftp-style or more synchronous? SSHFS is better for the former, not the latter, AFAIK.

I haven't looked at it in a while, but the OSX version was decently maintained. . . no idea if it runs on the iPad.

g

From o_sleep at belovedarctos.com Wed May 18 22:21:53 2011
From: o_sleep at belovedarctos.com (Bjorn Nelson)
Date: Wed, 18 May 2011 22:21:53 -0400
Subject: [nycbug-talk] ipad remote storage question
In-Reply-To: <20110518210002.GC42416@pv.nomadlogic.org>
References: <20110518210002.GC42416@pv.nomadlogic.org>
Message-ID: <4DD47EC1.7060608@belovedarctos.com>

On 5/18/2011 5:00 PM, Pete Wright wrote:
> On Wed, May 18, 2011 at 04:21:46PM -0400, Marc Spitzer wrote:
>
>> Hi all,
>>
>> I have a roll out at work for 200+ ipads in the fall, 400 in 2 years, and we need to provide remote file storage/access. I have spoken to apple about it and they are recommending webdav. I was wondering if anyone else had any different ideas or product recommendations? Currently we are testing with apache/webdav and each user gets his own stanza in apache config, it's fine for 5-10 but will become a bit unwieldy when it grows.
>>
>>
> just thinking off the top of my head, but perhaps you could use webdav+ldap to help scale this out? haven't looked at docs too closely, but i'm thinking something along the lines of pulling user auth along with some webdav attributes from ldap...
>

I would think this sort of thing would be the best way, especially if you can hang it off of an existing ldap. Something that you won't have to re-implement things like password management or account disabling or enabling if the students transfer in or out mid semester.

-Bjorn

From edlinuxguru at gmail.com Thu May 19 09:16:15 2011
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Thu, 19 May 2011 09:16:15 -0400
Subject: [nycbug-talk] ipad remote storage question
In-Reply-To: <4DD47EC1.7060608@belovedarctos.com>
References: <20110518210002.GC42416@pv.nomadlogic.org> <4DD47EC1.7060608@belovedarctos.com>
Message-ID:

That is a good point, you can layer mod-auth-ldap and mod-dav. Then you can use the require-user param. You will still have to bake one config file per user. Again scripting can solve that.

On Wednesday, May 18, 2011, Bjorn Nelson wrote:
> On 5/18/2011 5:00 PM, Pete Wright wrote:
>
> On Wed, May 18, 2011 at 04:21:46PM -0400, Marc Spitzer wrote:
>
>
> Hi all,
>
> I have a roll out at work for 200+ ipads in the fall, 400 in 2 years, and we need to provide remote file storage/access. I have spoken to apple about it and they are recommending webdav. I was wondering if anyone else had any different ideas or product recommendations? Currently we are testing with apache/webdav and each user gets his own stanza in apache config, it's fine for 5-10 but will become a bit unwieldy when it grows.
>
>
>
> just thinking off the top of my head, but perhaps you could use webdav+ldap to help scale this out? haven't looked at docs too closely, but i'm thinking something along the lines of pulling user auth along with some webdav attributes from ldap...
>
>
>
> I would think this sort of thing would be the best way, especially if you can hang it off of an existing ldap. Something that you won't have to re-implement things like password management or account disabling or enabling if the students transfer in or out mid semester.
>
> -Bjorn
>

From ike at blackskyresearch.net Thu May 19 09:39:24 2011
From: ike at blackskyresearch.net (Isaac Levy)
Date: Thu, 19 May 2011 09:39:24 -0400
Subject: [nycbug-talk] ipad remote storage question
In-Reply-To:
References: <20110518210002.GC42416@pv.nomadlogic.org>
Message-ID: <201105191340.p4JDe3LS007957@rs75.luxsci.com>

On May 18, 2011, at 7:50 PM, Marc Spitzer wrote:
> On Wed, May 18, 2011 at 7:47 PM, Joe Dunn wrote:
>> I'm not sure but wouldn't this be a good use for cfengine?
>>
>> have an ipad_users (array of users) in a slist and then have that dump into an ipad_users.conf which is included in apache.
>>
>> When you have the next batch of users just add them to that list and it will generate automagically.
>>
>> There is probably a better, cleaner way but this comes to mind as a solution.
>>
>> Joe
>
> hmm had not thought of that, will look into it.
>
> marc

Thinking out loud, in 2 parts:

Part 1:
--
htpasswd will create files with lines like the following:

marc:$11111blahblahhash0000000000
joe:$11111blahblahhash0000000000

A single file, 400+ users, no big deal. I like standalone files- they work even when distributed auth does not, (and can be generated from LDAP via script/cron/trigger even.) Could be tied to some other mgmt tool- whatever can pass the textual data. htpasswd has a man page, which you can point the next guy at, etc...

Part 2:
--
Then, the htpasswd file can be used to generate the stanzas, htpasswd util can be used to remove user logins, etc...
htpasswd files are easy to parse from a shell script/template, when a new user is added/removed:

(stole confs from a google hit, dunno if they work, but the shell script should)

http://www.serverwatch.com/tutorials/article.php/10825_2176771_2/Enabling-WebDAV-on-Apache.htm

--
#!/bin/sh

# one could use sed and a template config to be cleaner,
# but this is a simple email thought for Marc so I'll
# be silly and just do inline junk.

# placeholder paths: the include file Apache reads, and the htpasswd file
DAVUSERCONF='/path/to/apache_includes'
HTPASS='/path/to/htpass_file'

: > "$DAVUSERCONF"
# clears the file lazy style, then,

# one stanza per user name, the first colon-separated field of each htpasswd line
for i in $(awk -F: '{print $1}' "$HTPASS"); do
    echo "<Location \"/dav/$i\">" >> "$DAVUSERCONF"   # per-user URL path, placeholder layout
    echo '    DAV On' >> "$DAVUSERCONF"
    echo '    AuthType Basic' >> "$DAVUSERCONF"
    echo '    AuthName "WebDAV Restricted"' >> "$DAVUSERCONF"
    echo "    AuthUserFile $HTPASS" >> "$DAVUSERCONF"
    echo "    Require user $i" >> "$DAVUSERCONF"      # only this user, for every method
    echo '</Location>' >> "$DAVUSERCONF"
done

/path/to/apachectl graceful
--

Run that however you want- only when adding/removing users, from some periodic job or straight cron, whatever floats your boat.

Hope the gist is conveyed- not sure if this appeals to you, but it does keep the user management tied to a single file- the htpass. Perhaps a few 15 line shell scripts to maintain...

Best,
.ike

PS, a version I'd run from cron, (assuming cron failures email someone useful or log/notify), which will exit neatly on failure, using my favorite 3 lines:
--
#!/bin/sh

shout() { echo "$0: $*" >&2; }
barf() { shout "$*"; exit 100; }
safe() { "$@" || barf "cannot $*"; }

# one could use sed and a template config to be cleaner,
# but this is a simple email thought for Marc so I'll
# be silly and just do inline junk.

DAVUSERCONF='/path/to/apache_includes'
HTPASS='/path/to/htpass_file'
safe mkdir -p "$(dirname "$DAVUSERCONF")"   # the include's directory, not the file itself
safe test -r "$HTPASS"                       # bail out before truncating the config

: > "$DAVUSERCONF" || barf "cannot truncate $DAVUSERCONF"
# clears the file lazy style, then,

for i in $(awk -F: '{print $1}' "$HTPASS"); do
    echo "<Location \"/dav/$i\">" >> "$DAVUSERCONF"
    echo '    DAV On' >> "$DAVUSERCONF"
    echo '    AuthType Basic' >> "$DAVUSERCONF"
    echo '    AuthName "WebDAV Restricted"' >> "$DAVUSERCONF"
    echo "    AuthUserFile $HTPASS" >> "$DAVUSERCONF"
    echo "    Require user $i" >> "$DAVUSERCONF"
    echo '</Location>' >> "$DAVUSERCONF"
done

safe /path/to/apachectl graceful

exit 0
--

From mark.saad at ymail.com Thu May 19 11:03:53 2011
From: mark.saad at ymail.com (Mark Saad)
Date: Thu, 19 May 2011 11:03:53 -0400
Subject: [nycbug-talk] FreeIPA
Message-ID:

Hey Talk
I was wondering if anyone has looked into FreeIPA http://freeipa.org/page/About on either Linux or a BSD.
I would like to unify some of the services we are using and FreeIPA looks like a good fit. I don't know anyone who has used it and if it's worth it or not.

From pete at nomadlogic.org Thu May 19 13:37:16 2011
From: pete at nomadlogic.org (Pete Wright)
Date: Thu, 19 May 2011 17:37:16 +0000
Subject: [nycbug-talk] FreeIPA
In-Reply-To:
References:
Message-ID: <20110519173712.GF42416@pv.nomadlogic.org>

On Thu, May 19, 2011 at 11:03:53AM -0400, Mark Saad wrote:
> Hey Talk
> I was wondering if anyone has looked into FreeIPA
> http://freeipa.org/page/About on either Linux or a BSD.
> I would like to unify some of the services we are using and FreeIPA
> looks like a good fit. I don't know anyone who has used it and if it's
> worth
> it or not.

i remember hearing about openipa a little while ago. it looks pretty interesting to me :) cobbler/koan was(is?) a RedHat ET project and I found that it was well managed and the development was pretty wide open so that was great. Can't speak for OpenIPA though, i'd love to hear if anyone else has used it too!
-pete

--
Pete Wright
pete at nomadlogic.org

From edlinuxguru at gmail.com Thu May 19 14:03:43 2011
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Thu, 19 May 2011 14:03:43 -0400
Subject: [nycbug-talk] FreeIPA
In-Reply-To: <20110519173712.GF42416@pv.nomadlogic.org>
References: <20110519173712.GF42416@pv.nomadlogic.org>
Message-ID:

The last time I was looking at this stuff.. wink wink... I found myself pretty confused as to what (if any?) software worked with IPA. I mean it is Kerberos so I am guessing you can secure telnet and all the other mostly useless protocols Kerberos was designed to protect. I guess you can secure web browsing with kerberos tickets, but again, is that really common?

I ended up with the ssh-public keys in LDAP. http://code.google.com/p/openssh-lpk/. The reason I chose this was
1) I know LDAP
2) People were comfortable with SSH-KEYS

I still like it as a system actually. As to the IPA stuff, i could not figure out IF/HOW I could make it work with SSH, and the software stack needing its own DNS server to control was a detraction.

Edward

On Thu, May 19, 2011 at 1:37 PM, Pete Wright wrote:
> On Thu, May 19, 2011 at 11:03:53AM -0400, Mark Saad wrote:
> > Hey Talk
> > I was wondering if anyone has looked into FreeIPA
> > http://freeipa.org/page/About on either Linux or a BSD.
> > I would like to unify some of the services we are using and FreeIPA
> > looks like a good fit. I don't know anyone who has used it and if it's
> > worth
> > it or not.
>
> i remember hearing about openipa a little while ago. it looks pretty
> interesting to me :) cobbler/koan was(is?) a RedHat ET project and I
> found that it was well managed and the development was pretty wide open
> so that was great. Can't speak for OpenIPA though, i'd love to hear if
> anyone else has used it too!
>
> -pete
>
>
> --
> Pete Wright
> pete at nomadlogic.org
>

From pete at nomadlogic.org Thu May 19 14:13:34 2011
From: pete at nomadlogic.org (Pete Wright)
Date: Thu, 19 May 2011 18:13:34 +0000
Subject: [nycbug-talk] FreeIPA
In-Reply-To:
References: <20110519173712.GF42416@pv.nomadlogic.org>
Message-ID: <20110519181330.GG42416@pv.nomadlogic.org>

On Thu, May 19, 2011 at 02:03:43PM -0400, Edward Capriolo wrote:
> The last time I was looking at this stuff.. wink wink... I found myself
> pretty confused as to what (if any?) software worked with IPA. I mean it is
> Kerberos so I am guessing you can secure telnet and all the other mostly
> useless protocols Kerberos was designed to protect. I guess you can secure
> web browsing with kerberos tickets, but again, is that really common?
>
> I ended up with the ssh-public keys in LDAP.
> http://code.google.com/p/openssh-lpk/. The reason I chose this was
> 1) I know LDAP
> 2) People were comfortable with SSH-KEYS
>
> I still like it as a system actually. As to the IPA stuff, i could not
> figure out IF/HOW I could make it work with SSH, and the software stack
> needing its own DNS server to control was a detraction.
>

hrm, i've used kerb-auth with ssh and i *know* that works...

(sshd.conf)
# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no

my understanding of the role of OpenIPA is to centralize the management and auditing of ID management and authentication for heterogeneous environments.

regarding the DNS requirements - that actually sorta makes sense, esp if you need to support an AD forest and are using BIND for name services.

-pete

--
Pete Wright
pete at nomadlogic.org

From bonsaime at gmail.com Thu May 19 14:25:14 2011
From: bonsaime at gmail.com (Jesse Callaway)
Date: Thu, 19 May 2011 14:25:14 -0400
Subject: [nycbug-talk] FreeIPA
In-Reply-To: <20110519181330.GG42416@pv.nomadlogic.org>
References: <20110519173712.GF42416@pv.nomadlogic.org> <20110519181330.GG42416@pv.nomadlogic.org>
Message-ID:

On Thu, May 19, 2011 at 2:13 PM, Pete Wright wrote:
> On Thu, May 19, 2011 at 02:03:43PM -0400, Edward Capriolo wrote:
>> The last time I was looking at this stuff.. wink wink... I found myself
>> pretty confused as to what (if any?) software worked with IPA. I mean it is
>> Kerberos so I am guessing you can secure telnet and all the other mostly
>> useless protocols Kerberos was designed to protect. I guess you can secure
>> web browsing with kerberos tickets, but again, is that really common?
>>
>> I ended up with the ssh-public keys in LDAP.
>> http://code.google.com/p/openssh-lpk/. The reason I chose this was
>> 1) I know LDAP
>> 2) People were comfortable with SSH-KEYS
>>
>> I still like it as a system actually. As to the IPA stuff, i could not
>> figure out IF/HOW I could make it work with SSH, and the software stack
>> needing its own DNS server to control was a detraction.
>>
>
> hrm, i've used kerb-auth with ssh and i *know* that works...
>
> (sshd.conf)
> # Kerberos options
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> #KerberosGetAFSToken no
>
>
> my understanding of the role of OpenIPA is to centralize the
> management and auditing of ID management and authentication for
> heterogeneous environments.
>
> regarding the DNS requirements - that actually sorta makes sense, esp if
> you need to support an AD forest and are using BIND for name services.
>
>
> -pete
>
> --
> Pete Wright
> pete at nomadlogic.org
>

Word, kerberos is good for some things... but how can you AAA your jabber and AIM and well, anything that doesn't have gssapi built into it?

Most software which has auth has some support for LDAP auth(entication). Kerberos support is less prevalent.

An approach by some guys at my last job was to have LDAP authorization (password checking) via sasl on the backend. SASL was then talking to Kerberos. Once you get into hacking stuff like this it's almost not even worth it to have Kerberos, since you're sidestepping all of the nice features it provides like mitm protection, mutual-authentication, single-sign on.

--
-jesse

From edlinuxguru at gmail.com Thu May 19 14:57:31 2011
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Thu, 19 May 2011 14:57:31 -0400
Subject: [nycbug-talk] FreeIPA
In-Reply-To: <20110519181330.GG42416@pv.nomadlogic.org>
References: <20110519173712.GF42416@pv.nomadlogic.org> <20110519181330.GG42416@pv.nomadlogic.org>
Message-ID:

Pete,

I was under the impression that the Kerberos + SSH setup you describe above requires a kerberos capable SSH Client. Is that correct? If so do all SSH tools like putty support this? That was the problem I was getting at, that in the environment I was in I was not able to control the SSH client, or the web browser in use, so even though technically SSH and HTTP support this, you cannot count on a tool like putty, or someone's favourite FTP client, to have Kerberos.

Edward

On Thu, May 19, 2011 at 2:13 PM, Pete Wright wrote:
> On Thu, May 19, 2011 at 02:03:43PM -0400, Edward Capriolo wrote:
> > The last time I was looking at this stuff.. wink wink... I found myself
> > pretty confused as to what (if any?) software worked with IPA. I mean it is
> > Kerberos so I am guessing you can secure telnet and all the other mostly
> > useless protocols Kerberos was designed to protect. I guess you can secure
> > web browsing with kerberos tickets, but again, is that really common?
> >
> > I ended up with the ssh-public keys in LDAP.
> > http://code.google.com/p/openssh-lpk/. The reason I chose this was
> > 1) I know LDAP
> > 2) People were comfortable with SSH-KEYS
> >
> > I still like it as a system actually. As to the IPA stuff, i could not
> > figure out IF/HOW I could make it work with SSH, and the software stack
> > needing its own DNS server to control was a detraction.
> >
>
> hrm, i've used kerb-auth with ssh and i *know* that works...
>
> (sshd.conf)
> # Kerberos options
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> #KerberosGetAFSToken no
>
>
> my understanding of the role of OpenIPA is to centralize the
> management and auditing of ID management and authentication for
> heterogeneous environments.
>
> regarding the DNS requirements - that actually sorta makes sense, esp if
> you need to support an AD forest and are using BIND for name services.
>
>
> -pete
>
> --
> Pete Wright
> pete at nomadlogic.org
>

From pete at nomadlogic.org Thu May 19 16:39:53 2011
From: pete at nomadlogic.org (Pete Wright)
Date: Thu, 19 May 2011 20:39:53 +0000
Subject: [nycbug-talk] FreeIPA
In-Reply-To:
References: <20110519173712.GF42416@pv.nomadlogic.org> <20110519181330.GG42416@pv.nomadlogic.org>
Message-ID: <20110519203949.GH42416@pv.nomadlogic.org>

On Thu, May 19, 2011 at 02:57:31PM -0400, Edward Capriolo wrote:
> Pete,
>
> I was under the impression that the Kerberos + SSH setup you describe above
> requires a kerberos capable SSH Client. Is that correct? If so do all SSH
> tools like putty support this? That was the problem I was getting at, that
> in the environment I was in I was not able to control the SSH client, or the
> web browser in use, so even though technically SSH and HTTP support this,
> you cannot count on a tool like putty, or someone's favourite FTP client, to
> have Kerberos.
>

i know on FreeBSD (and iirc OpenBSD), as well as RHEL/CentOS linux krb auth is enabled by default for openssh. i can not speak for non-openssh implementations though.

-pete

--
Pete Wright
pete at nomadlogic.org

From okan at demirmen.com Thu May 19 17:12:00 2011
From: okan at demirmen.com (Okan Demirmen)
Date: Thu, 19 May 2011 17:12:00 -0400
Subject: [nycbug-talk] FreeIPA
In-Reply-To: <20110519203949.GH42416@pv.nomadlogic.org>
References: <20110519173712.GF42416@pv.nomadlogic.org> <20110519181330.GG42416@pv.nomadlogic.org> <20110519203949.GH42416@pv.nomadlogic.org>
Message-ID: <20110519211200.GC27939@clam.khaoz.org>

On Thu 2011.05.19 at 20:39 +0000, Pete Wright wrote:
> On Thu, May 19, 2011 at 02:57:31PM -0400, Edward Capriolo wrote:
> > Pete,
> >
> > I was under the impression that the Kerberos + SSH setup you describe above
> > requires a kerberos capable SSH Client. Is that correct? If so do all SSH
> > tools like putty support this? That was the problem I was getting at, that
> > in the environment I was in I was not able to control the SSH client, or the
> > web browser in use, so even though technically SSH and HTTP support this,
> > you cannot count on a tool like putty, or someone's favourite FTP client, to
> > have Kerberos.
> >
>
> i know on FreeBSD (and iirc OpenBSD), as well as RHEL/CentOS linux krb
> auth is enabled by default for openssh. i can not speak for non-openssh
> implementations though.

Right. Also note there are *two* ways:

- do the kinit dance on your local machine and pass the ticket along.
- have sshd use kerberos for authentication.

The latter is what most people will want to do.
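Okan's two ways correspond to two separate sshd_config keywords: GSSAPIAuthentication (the client forwards a ticket it already holds from kinit) and KerberosAuthentication (sshd takes a typed password and validates it against the KDC itself, which is what Pete's fragment turns on). The shell below is an added example, not code from the thread or from OpenSSH or FreeIPA: it reads an sshd_config and reports which of the two modes is enabled and whether KerberosOrLocalPasswd still lets a failed KDC check fall back to the local password file, so you can tell at a glance which mode a host is actually in. The sample configuration inside it is constructed to match the fragment Pete posted, with a Match block appended to show that conditional sections are left out of the global answer; the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread). Reports how an sshd_config handles
# Kerberos. OpenSSH has two independent mechanisms, matching the two ways
# Okan lists:
#   GSSAPIAuthentication   - the client presents a ticket it got from kinit
#   KerberosAuthentication - sshd validates a typed password against the KDC
# KerberosOrLocalPasswd decides whether a Kerberos password failure may fall
# back to the local password database (sshd_config(5) defaults it to yes).
# Keywords are case-insensitive and the first occurrence wins, as in sshd;
# only the "keyword value" form is handled, and a Match block ends the scan.

# sshd_opt FILE KEYWORD -> prints the first value set for KEYWORD (lower-cased),
# or nothing if the keyword is not set before any Match block.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }             # comments and blank lines
        tolower($1) == "match" { exit }           # conditional section: stop
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# krb_mode FILE -> ticket | password | both | none
krb_mode() {
    _gss=$(sshd_opt "$1" GSSAPIAuthentication)
    _krb=$(sshd_opt "$1" KerberosAuthentication)
    case "${_gss:-no}/${_krb:-no}" in
        yes/yes) echo both ;;
        yes/*)   echo ticket ;;
        */yes)   echo password ;;
        *)       echo none ;;
    esac
}

# krb_fallback FILE -> yes if a failed KDC check may fall back to local
# passwords (only meaningful when krb_mode reports password or both).
krb_fallback() {
    _v=$(sshd_opt "$1" KerberosOrLocalPasswd)
    echo "${_v:-yes}"
}

# Constructed sample: the fragment posted in the thread, plus a trailing
# Match block that must not influence the global result.
sample_config() {
    _f=$(mktemp) || exit 1
    cat > "$_f" <<'EOF'
# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no

Match User backup
    GSSAPIAuthentication yes
EOF
    printf '%s' "$_f"
}

main() {
    _cfg=$(sample_config)
    echo "krb_mode=$(krb_mode "$_cfg") local_fallback=$(krb_fallback "$_cfg")"
    rm -f "$_cfg"
}

main
```

Run it against a real file with `krb_mode /etc/ssh/sshd_config` after sourcing the script; the "password" mode with fallback "yes" is the combination worth noticing in an audit, because a host that cannot reach the KDC will quietly accept local passwords instead.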
From izaac at setec.org Thu May 19 22:26:06 2011
From: izaac at setec.org (Izaac)
Date: Thu, 19 May 2011 22:26:06 -0400
Subject: [nycbug-talk] FreeIPA
In-Reply-To:
References:
Message-ID: <20110520T022311Z@localhost>

On Thu, May 19, 2011 at 11:03:53AM -0400, Mark Saad wrote:
> I was wondering if anyone has looked into FreeIPA

IPA to me is beer. So the more and the freer the better.

> I would like to unify some of the services we are using and FreeIPA
> looks like a good fit. I don't know anyone who has used it and if it's
> worth it or not.

Why do I get a queasy NetInfo feeling by squinting at it from a distance?

--
. ___ ___ . . ___ . \ / |\ |\ \ . _\_ /__ |-\ |-\ \__

From edlinuxguru at gmail.com Fri May 20 17:12:25 2011
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Fri, 20 May 2011 17:12:25 -0400
Subject: [nycbug-talk] ipad remote storage question
In-Reply-To: <201105191340.p4JDe3LS007957@rs75.luxsci.com>
References: <20110518210002.GC42416@pv.nomadlogic.org> <201105191340.p4JDe3LS007957@rs75.luxsci.com>
Message-ID:

On Thu, May 19, 2011 at 9:39 AM, Isaac Levy wrote:
> On May 18, 2011, at 7:50 PM, Marc Spitzer wrote:
>
> > On Wed, May 18, 2011 at 7:47 PM, Joe Dunn wrote:
> >> I'm not sure but wouldn't this be a good use for cfengine
> >>
> >> have an ipad_users (array of users) in a slist and then have that dump
> >> into an ipad_users.conf which is included in apache.
> >>
> >> When you have the next batch of users just add them to that list and it
> >> will generate automagically.
> >>
> >> There is probably a better, cleaner way but this comes to mind as a
> >> solution.
> >>
> >> Joe
> >
> > hmm had not thought of that, will look into it.
> >
> > marc
>
>
> Thinking out loud, in 2 parts:
>
> Part 1:
> --
> htpasswd will create files with lines like the following:
>
> marc:$11111blahblahhash0000000000
> joe:$11111blahblahhash0000000000
>
> A single file, 400+ users no big deal.
> I like standalone files- they work even when distributed auth does not,
> (and can be generated from LDAP via script/cron/trigger even.)
>
> Could be tied to some other mgmt tool- whatever can pass the textual data.
> htpasswd has a man page, which you can point the next guy at, etc...
>
>
>
> Part 2:
> --
> Then, the htpasswd file can be used to generate the
> stanzas, htpasswd util can be used to remove user logins, etc...
>
> htpasswd files are easy to parse from a shell script/template, when a new
> user is added/removed:
>
> (stole confs from a google hit, dunno if they work, but the shell script
> should)
>
> http://www.serverwatch.com/tutorials/article.php/10825_2176771_2/Enabling-WebDAV-on-Apache.htm
>
> --
> #!/bin/sh
>
> # one could use sed and a template config to be cleaner,
> # but this is a simple email thought for Marc so I'll
> # be silly and just do inline junk.
>
> # placeholder paths: the include file Apache reads, and the htpasswd file
> DAVUSERCONF='/path/to/apache_includes'
> HTPASS='/path/to/htpass_file'
>
> : > "$DAVUSERCONF"
> # clears the file lazy style, then,
>
> # one stanza per user name, the first colon-separated field of each htpasswd line
> for i in $(awk -F: '{print $1}' "$HTPASS"); do
>     echo "<Location \"/dav/$i\">" >> "$DAVUSERCONF"   # per-user URL path, placeholder layout
>     echo '    DAV On' >> "$DAVUSERCONF"
>     echo '    AuthType Basic' >> "$DAVUSERCONF"
>     echo '    AuthName "WebDAV Restricted"' >> "$DAVUSERCONF"
>     echo "    AuthUserFile $HTPASS" >> "$DAVUSERCONF"
>     echo "    Require user $i" >> "$DAVUSERCONF"      # only this user, for every method
>     echo '</Location>' >> "$DAVUSERCONF"
> done
>
> /path/to/apachectl graceful
>
> --
>
> Run that however you want- only when adding/removing users, from some
> periodic job or straight cron, whatever floats your boat.
>
> Hope the gist is conveyed- not sure if this appeals to you, but it does
> keep the user management tied to a single file- the htpass. Perhaps a few
> 15 line shell scripts to maintain...
>
> Best,
> .ike
>
>
>
>
>
>
> PS, a version I'd run from cron, (assuming cron failures email someone
> useful or log/notify), which will exit neatly on failure, using my favorite
> 3 lines:
> --
> #!/bin/sh
>
> shout() { echo "$0: $*" >&2; }
> barf() { shout "$*"; exit 100; }
> safe() { "$@" || barf "cannot $*"; }
>
> # one could use sed and a template config to be cleaner,
> # but this is a simple email thought for Marc so I'll
> # be silly and just do inline junk.
>
> DAVUSERCONF='/path/to/apache_includes'
> HTPASS='/path/to/htpass_file'
> safe mkdir -p "$(dirname "$DAVUSERCONF")"   # the include's directory, not the file itself
> safe test -r "$HTPASS"                       # bail out before truncating the config
>
> : > "$DAVUSERCONF" || barf "cannot truncate $DAVUSERCONF"
> # clears the file lazy style, then,
>
> for i in $(awk -F: '{print $1}' "$HTPASS"); do
>     echo "<Location \"/dav/$i\">" >> "$DAVUSERCONF"
>     echo '    DAV On' >> "$DAVUSERCONF"
>     echo '    AuthType Basic' >> "$DAVUSERCONF"
>     echo '    AuthName "WebDAV Restricted"' >> "$DAVUSERCONF"
>     echo "    AuthUserFile $HTPASS" >> "$DAVUSERCONF"
>     echo "    Require user $i" >> "$DAVUSERCONF"
>     echo '</Location>' >> "$DAVUSERCONF"
> done
>
> safe /path/to/apachectl graceful
>
> exit 0
>
> --
>

I have a similar script for when I want to create SVN repos for each smaller project I run at www.jointhegrid.com. Not exactly what you want but neat anyway.

http://www.edwardcapriolo.com/roller/edwardcapriolo/entry/svn_creation_script

Edward

From jpb at jimby.name Sun May 22 13:18:37 2011
From: jpb at jimby.name (Jim B.)
Date: Sun, 22 May 2011 13:18:37 -0400
Subject: [nycbug-talk] Email address change for Jim B.
Message-ID: <20110522171837.GA50481@jimby.name>

Hi All,

FYI, my email address is now jpb at jimby.name

Best Regards,
Jim Brown

From mspitzer at gmail.com Tue May 31 20:31:53 2011
From: mspitzer at gmail.com (Marc Spitzer)
Date: Tue, 31 May 2011 20:31:53 -0400
Subject: [nycbug-talk] interesting article on getting the best bang for your buck on hosting websites
Message-ID:

http://markmaunder.com/2009/how-to-handle-1000s-of-concurrent-users-on-a-360mb-vps/

--
Freedom is nothing but a chance to be better. --Albert Camus
"The problem with socialism is that eventually you run out of other people's money." --Margaret Thatcher
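Back to the htpasswd-driven stanza generator Isaac posted in the iPad thread above: whichever tool regenerates the include, the htpasswd file becomes an input to the Apache configuration, so a user name that is not a plain token (a quote, a space, a leading dot, anything that looks like a directive) breaks out of its own stanza when interpolated. The script below is an added example, not code from the thread or from Apache: it rejects such names before writing anything, builds the include in a temporary file and renames it into place only when every entry checked out, so a bad line never leaves Apache with a half-written include. The paths, the /dav/<user> URL layout and the function names are assumptions of the example, and the htpasswd lines inside it are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Regenerates per-user WebDAV stanzas
# from an htpasswd file, but treats that file as untrusted configuration input:
# a user name is only interpolated if it is a plain token, and the include is
# written to a temporary file and renamed into place only when every entry
# passed. Paths and the /dav/<user> layout are placeholders.

# valid_user NAME -> 0 if NAME may be interpolated into Apache config
valid_user() {
    case "$1" in
        '' | .* | *[!A-Za-z0-9._-]*) return 1 ;;   # empty, leading dot, odd chars
        *) return 0 ;;
    esac
}

# stanza NAME HTPASSWD -> one Location block; Require applies to every method,
# so nothing under /dav/NAME is readable without NAME's credentials
stanza() {
    cat <<EOF
<Location "/dav/$1">
    DAV On
    AuthType Basic
    AuthName "WebDAV Restricted"
    AuthUserFile "$2"
    Require user $1
</Location>
EOF
}

# gen_dav_conf HTPASSWD OUT -> writes OUT atomically and prints the number of
# stanzas; returns 1 and leaves OUT untouched if any entry is malformed
gen_dav_conf() {
    _htpasswd=$1
    _out=$2
    _tmp=$(mktemp "$_out.XXXXXX") || return 1
    _n=0
    # htpasswd lines are user:hash; '#' lines are comments
    while IFS=: read -r _user _rest; do
        case "$_user" in '' | \#*) continue ;; esac
        if ! valid_user "$_user"; then
            echo "gen_dav_conf: rejecting malformed user name in $_htpasswd" >&2
            rm -f "$_tmp"
            return 1
        fi
        stanza "$_user" "$_htpasswd" >> "$_tmp" || { rm -f "$_tmp"; return 1; }
        _n=$((_n + 1))
    done < "$_htpasswd"
    mv "$_tmp" "$_out" && echo "$_n"
}

# reload_apache -> syntax-check the whole config before the graceful restart;
# APACHECTL is a placeholder path
reload_apache() {
    "${APACHECTL:-/path/to/apachectl}" configtest && "${APACHECTL:-/path/to/apachectl}" graceful
}

demo() {
    _dir=$(mktemp -d) || exit 1
    # constructed samples: two clean entries, then one crafted to close the stanza early
    printf 'marc:$apr1$examplehash1\njoe:$apr1$examplehash2\n' > "$_dir/users.htpasswd"
    printf 'marc:$apr1$x\nevil</Location>:$apr1$x\n' > "$_dir/crafted.htpasswd"
    gen_dav_conf "$_dir/users.htpasswd" "$_dir/dav_users.conf" >/dev/null &&
        echo "wrote $(grep -c '^<Location' "$_dir/dav_users.conf") stanzas"
    gen_dav_conf "$_dir/crafted.htpasswd" "$_dir/crafted.conf" 2>/dev/null ||
        echo "crafted file rejected, nothing written"
    rm -rf "$_dir"
}

demo
```

In a cron job the sequence would be `gen_dav_conf /path/to/htpass_file /path/to/apache_includes && reload_apache`; because the rename is atomic and `configtest` runs before `graceful`, a rejected entry leaves the previous include and the running server untouched, and the message on stderr is what cron mails out.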