Implement NConf for use with icinga on CentOS6 with SELinux

WOAH! Nconf doesn’t allow you to assign a check command to a service template! This is a show stopper for me, and it’s truly unfortunate that it took me this long to figure out.

I suggest LConf over NConf, but they are totally different.
Tested twice. Good to go.
To do: SELinux stuff, LDAP integration
Updated July 25th, 2012

Someone involved in Icinga recommends NConf and NagiosQL. There are several other nagios/icinga “configurators,” but after comparing a few, and coming from using Centreon for several years, I wanted a newer system that was easy to understand. Both NConf and NagiosQL feature interactive demo web sites that you can check out.

Looks like a dude is in the middle of doing the same exact thing I’m doing now. This dude may create a write up on installing NagiosQL shortly.

Note that I write this up as if you had followed Part 1: Implement icinga and icinga-web on CentOS6 with SELinux

NConf prerequisites:

setenforce permissive #temporarily set selinux to permissive
sed s/short_open_tag\ =\ Off/short_open_tag\ =\ On/ -i /etc/php.ini

Set up the latest NConf package to be served with httpd (the commands assume the nconf-*.tgz archive is already in /usr/local/):

cd /usr/local/
tar zxvf ./nconf-*.tgz
chown apache:apache /usr/local/nconf/config
chown apache:apache /usr/local/nconf/output
chown apache:apache /usr/local/nconf/static_cfg
chown apache:apache /usr/local/nconf/temp

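Set up the NConf database
Note the DB password nconf_DBUSER_PASSWORD, which will be used by the nconf web app to access the database.

mysql -p
mysql> CREATE DATABASE nconf;
mysql> -- create the nconf user with the password noted above, limited to the nconf database
mysql> GRANT ALL PRIVILEGES ON nconf.* TO 'nconf'@'localhost' IDENTIFIED BY 'nconf_DBUSER_PASSWORD';
mysql> quit
mysql -u nconf -p nconf < /usr/local/nconf/INSTALL/create_database.sql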

Configure nconf to be served with httpd

echo "Alias /nconf /usr/local/nconf/" > /etc/httpd/conf.d/nconf.conf
echo "<Directory /usr/local/nconf/>" >> /etc/httpd/conf.d/nconf.conf
echo "        DirectoryIndex index.php" >> /etc/httpd/conf.d/nconf.conf
echo "        Options FollowSymLinks" >> /etc/httpd/conf.d/nconf.conf
echo "        AllowOverride all" >> /etc/httpd/conf.d/nconf.conf
echo "        Order allow,deny" >> /etc/httpd/conf.d/nconf.conf
echo "        Allow from all" >> /etc/httpd/conf.d/nconf.conf
echo "</Directory>" >> /etc/httpd/conf.d/nconf.conf
#make sure that SELinux is set to permissive with 'setenforce permissive'
service httpd restart

Follow the web install
1) Hit the following URL in a browser: https://SERVER/nconf/INSTALL.php
2) MySQL database configuration:

DBHOST: localhost
DBNAME: nconf
DBUSER: nconf

Note the DB password nconf_DBUSER_PASSWORD, which will be used by the nconf web app to access the database.

3) General configuration:

NCONFDIR: /usr/local/nconf
NAGIOS_BIN: /usr/bin/icinga
TEMPLATE_DIR: nconf_fresh

4) Authentication configuration:

file_admin_password: [a TEMPORARY password to access nconf; do NOT use a real password here, because it is stored in clear text until the storage method is changed in a later step]

5) Delete some files:
Back on the console:

rm -rf /usr/local/nconf/INSTALL /usr/local/nconf/INSTALL.php /usr/local/nconf/UPDATE /usr/local/nconf/UPDATE.php

Download the logo images:

cd /usr/local/nconf
tar zxvfC imagepak-base.tar.tar /usr/local/nconf/img/logos/

Configure NConf conf to deploy the NConf-generated configuration for use with icinga (config the conf config):

echo "" >> /usr/local/nconf/config/deployment.ini
echo "" >> /usr/local/nconf/config/deployment.ini
echo "[Deploy to localhost]" >> /usr/local/nconf/config/deployment.ini
echo "type        = local" >> /usr/local/nconf/config/deployment.ini
echo "source_file = \"/usr/local/nconf/output/NagiosConfig.tgz\"" >> /usr/local/nconf/config/deployment.ini
echo "target_file = \"/etc/icinga/nconf/\"" >> /usr/local/nconf/config/deployment.ini
echo "action      = extract" >> /usr/local/nconf/config/deployment.ini
echo "reload_command = \"sudo /etc/init.d/icinga reload\"" >> /usr/local/nconf/config/deployment.ini
setfacl -m user:apache:rx /usr/bin/icinga
yum -y install sudo
echo "" >> /etc/sudoers
echo "" >> /etc/sudoers
echo "## BEGIN: NCONF SUDO" >> /etc/sudoers
echo "User_Alias      NCONF=apache,icinga" >> /etc/sudoers
echo 'Defaults:NCONF !requiretty' >> /etc/sudoers
echo "# icinga Restart" >> /etc/sudoers
echo "NCONF   ALL = NOPASSWD: /etc/init.d/icinga* restart" >> /etc/sudoers
echo "NCONF   ALL = NOPASSWD: /etc/init.d/icinga restart" >> /etc/sudoers
echo "# icinga reload" >> /etc/sudoers
echo "NCONF   ALL = NOPASSWD: /etc/init.d/icinga* reload" >> /etc/sudoers
echo "NCONF   ALL = NOPASSWD: /etc/init.d/icinga reload" >> /etc/sudoers
echo "# icinga test config" >> /etc/sudoers
echo "NCONF   ALL = NOPASSWD: /usr/bin/icinga* -v *" >> /etc/sudoers
echo "NCONF   ALL = NOPASSWD: /usr/bin/icinga -v *" >> /etc/sudoers
echo "# icinga test for optim config" >> /etc/sudoers
echo "NCONF   ALL = NOPASSWD: /usr/bin/icinga* -s *" >> /etc/sudoers
echo "NCONF   ALL = NOPASSWD: /usr/bin/icinga -s *" >> /etc/sudoers
echo "## END: NCONFSUDO" >> /etc/sudoers
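
The rules above pair each exact command with an `icinga*` variant and end the `-v`/`-s` rules in `*`; sudoers wildcards match more than the one intended command line. The audit below is an added example, not part of the original post or of NConf: the function names are hypothetical and the sample input is constructed from the rules above.

```shell
#!/bin/sh
# Added example (not from the original post): flag over-broad NOPASSWD rules.
# Function names are hypothetical; the sample input repeats the rules above.

# Reads sudoers text on stdin and prints one finding per risky rule:
#   glob-in-path   wildcard in the command path (matches other binaries/scripts)
#   wildcard-args  wildcard in the arguments (matches any argument string)
audit_sudo_rules() {
    awk '
    /^[ \t]*#/ { next }                         # skip comment lines
    /NOPASSWD:/ {
        cmd = $0
        sub(/^.*NOPASSWD:[ \t]*/, "", cmd)      # keep "path args"
        split(cmd, part, " ")
        path = part[1]
        args = substr(cmd, length(path) + 1)
        if (index(path, "*") || index(path, "?"))
            print "glob-in-path: " cmd
        else if (index(args, "*") || index(args, "?"))
            print "wildcard-args: " cmd
    }'
}

# Constructed sample: the NOPASSWD rules this guide appends to /etc/sudoers.
page_rules() {
    cat <<'EOF'
## BEGIN: NCONF SUDO
User_Alias      NCONF=apache,icinga
Defaults:NCONF !requiretty
NCONF   ALL = NOPASSWD: /etc/init.d/icinga* restart
NCONF   ALL = NOPASSWD: /etc/init.d/icinga restart
NCONF   ALL = NOPASSWD: /etc/init.d/icinga* reload
NCONF   ALL = NOPASSWD: /etc/init.d/icinga reload
NCONF   ALL = NOPASSWD: /usr/bin/icinga* -v *
NCONF   ALL = NOPASSWD: /usr/bin/icinga -v *
NCONF   ALL = NOPASSWD: /usr/bin/icinga* -s *
NCONF   ALL = NOPASSWD: /usr/bin/icinga -s *
EOF
}

# Only the two exact init-script rules pass; six lines are reported.
page_rules | audit_sudo_rules
```

`visudo -cf FILE` checks a rules file for syntax errors before it is installed, which appending to /etc/sudoers with echo does not.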

Configure icinga to use the NConf-generated configuration:

mkdir /etc/icinga/nconf
chown icinga:apache /etc/icinga/nconf/
chmod 775 /etc/icinga/nconf/
sed s@cfg_file=/etc/icinga/objects/@#cfg_file=/etc/icinga/objects/@ -i /etc/icinga/icinga.cfg #disable all cfg_files
echo "cfg_dir=/etc/icinga/nconf" >> /etc/icinga/icinga.cfg
service icinga restart

Replace all references to http:// with https:// (suggested step)

find /usr/local/nconf/* -type f -print0 | xargs -0 perl -pi -e 's/http:\/\//https:\/\//g' #-print0/-0 keeps file names with spaces intact

Access NConf, generate the configs with NConf and push them to icinga:
It’s quite odd, but I’m having problems having nconf’s deployment method reload the icinga config.

  1. Access the NConf site: https://SERVER/nconf
  2. Logon with the user admin and the password you configured previously under: Authentication configuration/file_admin_password
  3. Modify a host, like a Windows server, changing the IP address (a lot of things will inherit from the host template). This will modify the NConf DB entry.
  4. On the left-side menu, click Generate Nagios config. This will generate the cfg files from the NConf DB and then test the cfg file against /usr/bin/icinga which you configured previously under: General configuration/NAGIOS_BIN.
  5. Click the Deploy button to push the configuration, which really triggers a script that executes the deployment profile detailed in /usr/local/nconf/config/deployment.ini (which we configured in the config the conf config section above).
  6. Since icinga has been restarted, access http://SERVER/ to see that the icinga-web interface has been updated with your new host information!

Change the NConf web UI password storage method and admin’s password

sed -i 's/, "clear"/, "md5"/' /usr/local/nconf/config/nconf.php #switch the storage method from clear to md5
export oldpass=$(grep admin: /usr/local/nconf/config/.file_accounts.php | cut -d ':' -f 3) #the temporary clear-text password
sed -i "s/$oldpass/{MD5}$(echo -n NEW_NConf_PASSWORD | openssl md5 | cut -d ' ' -f 2)/" /usr/local/nconf/config/.file_accounts.php
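
The sed substitution above replaces the first match of the old password anywhere on a line and puts the new password on the command line. As an added example (not from the original post or NConf), the helper below rewrites only the password field of the admin entry and reads the new password from stdin; the helper name and the sample account line are constructed, and the line format is inferred from the `cut -d ':' -f 3` above.

```shell
#!/bin/sh
# Added example (not from the original post): set admin's password entry to
# {MD5}<digest> by rewriting field 3 of the admin line only.
# Assumed line format, inferred from the "cut -d ':' -f 3" above:
#   admin::<password>::<further fields>
# set_nconf_admin_md5 is a hypothetical helper name.

# Usage: set_nconf_admin_md5 ACCOUNTS_FILE   (new password on stdin)
set_nconf_admin_md5() {
    accounts=$1
    # Read from stdin so the password is not in argv or shell history.
    IFS= read -r newpass || [ -n "$newpass" ] || return 1
    # md5sum prints the same hex digest as "openssl md5".
    digest=$(printf '%s' "$newpass" | md5sum | cut -d ' ' -f 1)
    tmp=$(mktemp "${accounts}.XXXXXX") || return 1
    awk -F: -v OFS=: -v new="{MD5}$digest" '
        $1 == "admin" { $3 = new }   # exact user name, password field only
        { print }' "$accounts" > "$tmp" &&
        cat "$tmp" > "$accounts"     # rewrite in place: owner and mode kept
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample file: the temporary password equals the user name, the
# case where a plain "s/$oldpass/.../" would rewrite the user name instead.
demo_dir=$(mktemp -d)
printf '%s\n' 'admin::admin::admin::Administrator::' > "$demo_dir/accounts"
printf '%s\n' 'password' | set_nconf_admin_md5 "$demo_dir/accounts"
cat "$demo_dir/accounts"
rm -rf "$demo_dir"
```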

Configure LDAP integration (suggested step)
I’m generally disappointed in their lack of implementing feature-ful LDAP query logic. I’ve started a thread for a few feature requests.

Right now, I’m leaving the following up with the warning that I could not get it to function…

I will be using NConf’s specific support for LDAP hosted in Windows Active Directory and be using ldaps, as I have this configured on my global catalog/DC. If you wish to not use LDAPS, change ‘ldaps’ to ‘ldap’ and ‘636’ to ‘389’.

  • Open dsa.msc and add two groups: ‘icingaadmins’ and ‘icingausers’.
  • Add users to these groups as you wish.
  • Make changes to authentication.php:
    vim /usr/local/nconf/config/authentication.php
    # define('AUTH_TYPE', 'ad_ldap');
    # define('AD_LDAP_SERVER', "ldaps://globalcatalog.domain.local");
    # define('AD_LDAP_PORT', "636");
    # define('AD_BASE_DN', "DC=domain,DC=local");
    # define('AD_GROUP_ATTRIBUTE', "memberof");
    # define('AD_USERNAME_ATTRIBUTE', "sAMAccountName");
    # define('AD_ADMIN_GROUP', "CN=icingaadmins,OU=Groups,OU=Site,DC=domain,DC=local"); #use adsiedit.msc to find the distinguishedName attribute of the group.
    # define('AD_USER_GROUP', "CN=icingausers");

  • Test authentication.


  • You can set up HTML basic authentication with icinga-web and with Nconf. I chose not to implement it because I would rather keep the two systems completely separate.
  • Any file added to the STATIC_CFG directories is generated and deployed to the target cfg directory. It cannot be an arbitrary file that you simply wish to allow Nconf users to edit through the web UI.
  • In order to modify a service’s check command, you must select the service then use the multi-modify link.
  • There are no check commands applicable to service templates. wat.

Probably gonna have to use httpd_sys_content_t somewhere.
