[PATCH] Ndo 1.4b7 patch : SSL connexions

nap naparuba at gmail.com
Thu Nov 13 10:38:37 CET 2008


Hi,

After 7 days of tests, I do not see any high utilisation of CPU or
load average. I use only one ndo connection, but with 6000 services on
it. So the SSL is quite OK with the CPU.

I attach the CPU graph of the last two weeks of my Nagios server (with
ndomod and ndo2db on it). I put the patch in production 1 week ago.


Jean

On Thu, Nov 6, 2008 at 4:50 PM, nap <naparuba at gmail.com> wrote:
> The new patch with the argument use_ssl in ndomod.cfg and ndo2db.cfg.
> It takes 0 or 1. If the argument is missing and USE_SSL was used for the
> compilation, SSL is used (so you can still use your current
> ndomod.cfg and ndo2db.cfg and have SSL).
>
> In my production server: very low network traffic on lo (10kb/s) and
> I've got 6000 services. The eth0 traffic is near 100kb/s if you want to
> make the comparison with your environment.
> The load average is still the same, I do not see nagios or ndo2db in
> high CPU, just 2 or 3% (Xeon 1.6 GHz). So it's OK. I checked with a
> tcpdump on lo that the traffic is really encrypted, so the patch is
> really effective ;)
>
> I'll let the SSL version run for some days and see an average of the load average.
>
>
> Gabès Jean
>
>
>
> On Thu, Nov 6, 2008 at 3:35 PM, nap <naparuba at gmail.com> wrote:
>> I compiled it on my prod and I see these errors:
>> * #include "../include/io.h" to remove in io.c (beginning)
>> * -I/usr/include/openssl to add to all objects (maybe the common file
>> is not a good place to put the load of SSL.h).
>>
>> I put the patch in production, I'll see the impact of SSL.
>>
>>
>> Jean
>>
>> On Thu, Nov 6, 2008 at 2:36 PM, nap <naparuba at gmail.com> wrote:
>>> On Thu, Nov 6, 2008 at 2:24 PM, Hendrik Bäcker <andurin at process-zero.de> wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> nap wrote:
>>>>> Hi List,
>>>>>
>>>>>
>>>>> I wrote a patch for ndo 1.4b7 (ndomod and ndo2db): the SSL
>>>>> connection. The code comes from nrpe. I think this can be useful
>>>>> with distributed Nagios: the communications between the secondary
>>>>> nagios and ndo2db are in plaintext and we can see the name of the
>>>>> host in it.
>>>>>
>>>> Nice thing.
>>>>> The patch just applies the SSL connection to the sock of the
>>>>> connection between ndomod and ndo2db (just for a TCP connection, I
>>>>> don't think it is useful for a unix socket...).
>>>> I guess it becomes very useful for the situation of "outside-my-lan"
>>>> nagios servers with "internal" db hosts.
>>> Even in the LAN, it's easy to make a man-in-the-middle attack with
>>> ARP. And my security manager does not want plaintext. Now he is
>>> happy and allows me to put distributed nagios in production :)
>>>
>>>> But do you have ideas about the performance situation?
>>>> Encryption takes CPU time and ndomod is usually not very quiet on the wire.
>>>>>
>>>>> In the patch you can see the dh.h file from nrpe. In nrpe it's
>>>>> generated by ./configure but I don't know how to modify it. The
>>>>> Makefile needs the ssl lib too, but I don't know how to modify the
>>>>> autoconf (I leave a Makefile.new in the patch to show what to
>>>>> modify), if someone can help me on this ;)
>>>> I will have a look at it.
>>> Thanks.
>>>
>>>>>
>>>>> For the moment the patch applies the SSL for all connections, but
>>>>> maybe we can put the use_ssl argument into ndo2db.conf and
>>>>> ndomod.conf.
>>>>>
>>>> That would be the best way.
>>> Ok, I'll see how to change it.
>>>
>>>>> I tested with a small server and 4000 services and I don't see any
>>>>> overload of ndo2db or nagios due to the SSL. It can't be null, just
>>>>> small.
>>>>>
>>>> mkay... drop my above question ;)
>>> I tested on my small dev server (virtual machine...), I'll put it onto
>>> my production server (6000 services) and see if the traffic of lo (ndo
>>> connection in tcp localhost) is high or the load average reaches the top
>>> :)
>>>
>>>
>>>>
>>>> Nice thing, I am on your side for testing and helping hands.
>>> Thanks again :)
>>>
>>>> Hendrik
>>> Gabès Jean
>>>
>>>
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.4.7 (MingW32)
>>>>
>>>> iD8DBQFJEu/9lI0PwfxLQjkRAkUsAJ0T4PmN5cmtJjQ+SuDr6PEEXhzzswCZAQDx
>>>> h/Zbezr0h0P0ujl4yPJxZ1E=
>>>> =3D9L
>>>> -----END PGP SIGNATURE-----
>>>>
>>>>
>>>> -------------------------------------------------------------------------
>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>>>> Grand prize is a trip for two to an Open Source event anywhere in the world
>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>>>> _______________________________________________
>>>> Nagios-devel mailing list
>>>> Nagios-devel at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/nagios-devel
>>>>
>>>
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cpu.png
Type: image/png
Size: 36453 bytes
Desc: not available
URL: <https://www.monitoring-lists.org/archive/developers/attachments/20081113/5979af8a/attachment.png>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ndo14b7_ssl_patch_v2.patch.txt
URL: <https://www.monitoring-lists.org/archive/developers/attachments/20081113/5979af8a/attachment.txt>
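
An added example (not part of the thread or of the patch) of the capture check mentioned above, confirming that the ndomod to ndo2db stream is really encrypted: it walks the bytes of one TCP direction and accepts them only if they consist entirely of SSL/TLS record framing. The function names and sample byte strings are constructed for illustration, and the payload is assumed to be already extracted from a tcpdump capture.

```python
import struct

TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}
MAX_RECORD = 2**14 + 2048  # largest ciphertext fragment a TLS record may carry


def walk_records(payload: bytes):
    """Return the record type names, or None if any byte is outside SSL/TLS framing."""
    records, pos = [], 0
    # Older OpenSSL clients may open with an SSLv2-format ClientHello:
    # 2-byte length with the high bit set, followed by message type 1.
    if len(payload) >= 3 and payload[0] & 0x80 and payload[2] == 1:
        pos = 2 + (((payload[0] & 0x7F) << 8) | payload[1])
        records.append("sslv2_client_hello")
    while pos < len(payload):
        if len(payload) - pos < 5:
            return None  # leftover bytes too short to be a record header
        ctype, major, _minor, length = struct.unpack_from("!BBBH", payload, pos)
        if ctype not in TLS_TYPES or major != 3 or length > MAX_RECORD:
            return None  # not a record header: plaintext or another protocol
        records.append(TLS_TYPES[ctype])
        pos += 5 + length  # a capture cut mid-record simply ends the walk
    return records


def looks_encrypted(payload: bytes) -> bool:
    """True only for a non-empty stream made up entirely of SSL/TLS records."""
    return bool(walk_records(payload))


def record(ctype: int, body: bytes) -> bytes:
    """Build a constructed TLS 1.0 record (version 3.1) for the samples below."""
    return struct.pack("!BBBH", ctype, 3, 1, len(body)) + body


# Constructed samples: opaque filler bodies, and a made-up plaintext message
# that exposes a host name the way the thread describes.
TLS_SAMPLE = record(22, b"\x00" * 40) + record(20, b"\x01") + record(23, b"\xaa" * 32)
SSLV2_SAMPLE = bytes([0x80, 0x03, 0x01, 0x03, 0x01]) + record(22, b"\x00" * 4)
PLAINTEXT_SAMPLE = b"HOST: srv-web-01\nSERVICE: HTTP\nSTATE: OK\n"

if __name__ == "__main__":
    for name in ("TLS_SAMPLE", "SSLV2_SAMPLE", "PLAINTEXT_SAMPLE"):
        print(name, "encrypted" if looks_encrypted(globals()[name]) else "PLAINTEXT")
```

A stream that starts with valid records and then falls back to readable text is rejected as a whole, which catches a connection where only the handshake was wrapped.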