Ndo 1.4b7 patch : SSL connections

nap naparuba at gmail.com
Thu Nov 6 16:50:21 CET 2008


The new patch with the argument use_ssl in ndomod.cfg and ndo2db.cfg.
It takes 0 or 1. If the argument is missing and USE_SSL was used for the
compilation, SSL is used (so you can still use your current
ndomod.cfg and ndo2db.cfg and have SSL).

In my production server: very low network traffic on lo (10kb/s) and
I've got 6000 services. The eth0 traffic is near 100kb/s if you want to
make the comparison with your environment.
The load average is still the same, I do not see nagios or ndo2db in
high CPU, just 2 or 3% (Xeon 1.6Ghz). So it's ok. I checked that the
traffic is really encrypted with a tcpdump on lo so the patch is really
effective ;)

I'll let the SSL version run for some days and see an average of the load average.


Gabès Jean



On Thu, Nov 6, 2008 at 3:35 PM, nap <naparuba at gmail.com> wrote:
> I compiled it on my prod and I see these errors:
> * #include "../include/io.h" to remove in io.c (beginning)
> * -I/usr/include/openssl to add to all objects (maybe the common file
> is not a good place to put the load of SSL.h).
>
> I put the patch in production, I'll see the impact of SSL.
>
>
> Jean
>
> On Thu, Nov 6, 2008 at 2:36 PM, nap <naparuba at gmail.com> wrote:
>> On Thu, Nov 6, 2008 at 2:24 PM, Hendrik Bäcker <andurin at process-zero.de> wrote:
>>> nap wrote:
>>>> Hi List,
>>>>
>>>>
>>>> I wrote a patch for ndo 1.4b7 (ndomod and ndo2db): the SSL
>>>> connection. The code comes from nrpe. I think this can be useful
>>>> with distributed Nagios, the communications between the secondary
>>>> nagios and ndo2db are in plaintext and we can see the name of the
>>>> host in it.
>>>>
>>> Nice thing.
>>>> The patch just applies the SSL connection to the sock of the
>>>> connection between ndomod and ndo2db (just for a tcp connection, I
>>>> don't think it is useful for unix socket...).
>>> I guess it becomes very useful for the situation of "outside-my-lan"
>>> nagios servers with "internal" db hosts.
>> Even in the LAN, it's easy to make a man in the middle attack with
>> ARP. And my security officer does not want plaintext. Now he is
>> happy and allows me to put distributed nagios in production :)
>>
>>> But do you have ideas about the performance situation?
>>> encryption takes cpu time and ndomod is usually not very quiet on the wire.
>>>>
>>>> In the patch you can see the dh.h file from nrpe. In nrpe it's
>>>> generated by ./configure but I don't know how to modify it. The
>>>> Makefile needs the ssl lib too, but I don't know how to modify the
>>>> autoconf (I leave a Makefile.new in the patch to show what to
>>>> modify), if someone can help me on this ;)
>>> I will have a look at it.
>> Thanks.
>>
>>>>
>>>> For the moment the patch applies SSL to all connections, but
>>>> maybe we can put the use_ssl argument into ndo2db.conf and
>>>> ndomod.conf.
>>>>
>>> That would be the best way.
>> Ok, I'll see how to change it.
>>
>>>> I tested with a small server and 4000 services and I don't see any
>>>> overload of ndo2db or nagios due to the SSL. It can't be null, just
>>>> small.
>>>>
>>> mkay... drop my above question ;)
>> I tested on my small dev server (virtual machine...), I'll put it onto
>> my production server (6000 services) and see if the traffic of lo (ndo
>> connection in tcp localhost) is high or the load average reaches the top
>> :)
>>
>>
>>>
>>> Nice thing, I am on your side for testing and helping hands.
>> Thanks again :)
>>
>>> Hendrik
>> Gabès Jean
>>
>>
>>> _______________________________________________
>>> Nagios-devel mailing list
>>> Nagios-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/nagios-devel
>>>
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ndo14b7_ssl_patch_v2.patch
Type: text/x-patch
Size: 14203 bytes
Desc: not available
URL: <https://www.monitoring-lists.org/archive/developers/attachments/20081106/9b5061ca/attachment.bin>
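
The tcpdump check mentioned in the message (confirming that the ndomod/ndo2db traffic is really encrypted) can be automated by looking at how each captured TCP payload is framed. The following is an added example, not part of the patch or of the original message; the function names and sample bytes are constructed for illustration, and it only verifies SSL/TLS framing, not the strength of the negotiated cipher.

```python
import struct

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}
MAX_RECORD_LEN = 16384 + 2048  # largest ciphertext length a TLS record may declare
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def classify_payload(data: bytes) -> str:
    """Classify the start of a TCP payload: 'tls', 'sslv2-hello', 'plaintext' or 'unknown'."""
    if len(data) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        if (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
                and 0 < length <= MAX_RECORD_LEN):
            return "tls"
        # SSLv2-format ClientHello: length with high bit set, msg type 1, then version
        if data[0] & 0x80 and data[2] == 1 and (data[3:5] == b"\x00\x02" or data[3] == 3):
            return "sslv2-hello"
    # Mostly readable ASCII means the monitoring data is visible on the wire
    if data and sum(b in PRINTABLE for b in data) / len(data) >= 0.95:
        return "plaintext"
    return "unknown"


def stream_looks_encrypted(payloads) -> bool:
    """True only if the first payload opens an SSL/TLS handshake and none is readable text."""
    kinds = [classify_payload(p) for p in payloads if p]
    if not kinds or kinds[0] not in ("tls", "sslv2-hello"):
        return False
    return "plaintext" not in kinds


# Constructed samples (not captured from a real ndomod/ndo2db session).
TLS_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + bytes(range(40))
TLS_APPDATA = b"\x17\x03\x01\x00\x20" + bytes(range(200, 232))
SSLV2_HELLO = b"\x80\x2e\x01\x03\x01\x00\x15\x00\x00\x00\x10" + bytes(36)
CLEARTEXT = b"HOST: web01.example.org\nSERVICE: HTTP\nSTATE: 0\n"

if __name__ == "__main__":
    print("ssl session:", stream_looks_encrypted([TLS_HELLO, TLS_APPDATA]))
    print("cleartext  :", stream_looks_encrypted([CLEARTEXT]))
```

Feed it the per-packet payloads of one connection in capture order; a plaintext first payload means SSL was not negotiated on that socket.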