Monitoring with Nagios 3
Because the release of Nagios 3.0 is comming closer, I wanted to have a look at it. I've found some nice packages on the blog of Sven Velt. Those packages are for i386 only and I needed amd64 packages. I just took the sources and recompiled them for the amd64 architecture. You can get them here. I take no credit for the packages because I merely compiled it.
Nagios 3 looks good. It has some nice new features like the multi line output for plugins. This wil likely make it possible to run more checks with less stress on the Nagios server. I'll post more when I find more nice features :-)
Creating shared mailboxes with Microsoft Exchange 2007
We've got Microsoft Exchange server.... *sigh*... I'm very Linux minded, but now I administer 4 Microsoft Windows 2003 servers. One of then runs Exchange 2007.
Today I needed group mailboxes. Simple... A mailbox to which multiple users have access. So I just open the Exchange 2007 Management Console, create a new mailbox, add a group as the owner, put the right people in the group and we're done... Not quite. It's not possible to add a group as owner to a mailbox from the management console.
Google is your friend. So I shifted to the pages google gave me but none of the had the real answer I needed. Until I finally hit this page written by Tyson Kopczynski. It explained that it isn't possible to do it from the management console, but you have to use the Microsoft Exchange 2007 Management Shell.
Just to save you (and myself) a click I copied it here:
1. Create a Domain Group named MBX-<mailboxname>-Full.
2. Next, run the following command to grant MBX-<mailboxname>-Full full access to the shared mailbox: get-mailbox -identity "<mailboxname>" | add-mailboxpermission -user "MBX-<mailboxname>-Full" -accessrights 'FullAccess'
3. Finally, run the following command to grant MBX-<mailboxname>-Full modify access to the mailbox’s “Personal Information” attributes: get-mailbox -identity "<mailboxname>" | add-adpermission -user "MBX-<mailboxname>-Full" -accessrights:ReadProperty, WriteProperty -properties 'Personal Information' -extendedrights 'Send-As'
Of course you need to replace <mailboxname> with the name of you mailbox... Duh...
Perl
Finaly I took the hurdle... I ordered two Perl books. Now lets read them and drop the shell scripts :-)
Microsoft’s Ballmer Reportedly Threatens Red Hat
I just read groklaw. It seems like Microsoft is out to try to destroy FOSS again. Just read this and go figure why you shouldn't be using it. I myself have 4 M$ servers at work but this kind of stuff makes me think if I just could somehow ditch them...
Microsoft doesn't mind FOSS software as long as it runs on top of windows and doesn't compete with any of their products.
3ware_temp plugin for munin
After having my Nagios installation mostly set-up (I still want it to sms though) I figured I also wanted some performance graphs. Performance graphs are useful to predict problems, you can see the performance of your server (d0h), figure out strange problems and the most important thing: they look cool to people who don't understand them. :-)
At first I figured because I use Nagios, I should also use Nagios to provide me with the performance data. Nagios does all the checks and I could use the output of the checks to feed it to rrd and let it make the graphs.
After searching the internet and looking at NagiosExchange I decided to use n2rrd. This tool uses the performance output from the nagios plugins and makes the graphs from there.
I have to say, it really is a great tool. I would recommend looking at it. But still, after some testing, I didn't use it. The problem I had was that most of the plugins I'm using do not give the right performance output or it was pretty much unclear what the output meant. This was a bad thing because now I had to modify the plugins which is something I definitely do not want because I'm using prepackaged plugins and it takes a lot of work.
So I got munin up and running. Munin is packaged for debian and comes with a *lot* of ready to use plugins. After configuring everything I needed I looked at the hdd_temp plugin. The hdd_temp plugin takes some configuration on 3ware controllers. You have to specify all the drives you want monitored and provide some mapping between drive names and 3ware controller possitions. In my case this is totally useless. I want to monitor all drives in my server. Do configuring every single drive is just too much work.
So, I wrote my own munin plugin which uses the tw_cli utility to detect the available drives and smartctl to query the drive temperatures accordingly. The plugin is available here. And here's some example output:
(This is actually a nice example of why you should do these kind of graphs. Above you can see the difference when the doors of the 19" racks are open and when they are closed. There seems to be a bit of an airflow problem. Nothing problematic though.)
check_3ware.sh update
I actually forgot to post this. The check_3ware.sh script has been updated. Right now it will also monitor any BBU it detects. Currently it will not tell you what exactly is wrong with your BBU, but it will return 'critical' when something is wrong. It's more than nothing huh?
Well, you can get it here.
Why I do NOT use OpenDNS
Currently I'm not an OpenDNS user and I just figured out I will never be...
OpenDNS provides 2 DNS servers which (they claim) are safer, faster and smarter. They are safer because they protect you from phishing sites. If you do a DNS request for a site which is know for phishing you will be redirected to another site. They are faster because they got this huuuuuuuge cache so they can server DNS requests from their cache and don't need to ask other DNS servers. And, finaly, they are smarter because the correct spelling mistakes. If you are like me and sometimes type the wrong top level domain OpenDNS will correct it for you. For example typing www.linux.ogr will be corrected to www.linux.org. Great huh?
Well, not quite... They say it's faster. I've used it a while and I can't say it's faster. It actually seemed to be slower than using my providers DNS servers. Maybe my provider (multikabel) has fscking fast DNS servers, but somehow I don't believe that. I just think OpenDNS servers are not as fast as they claim.
The 'safer' and 'smarter' bit are actually the same. When an OpenDNS server receives your request for a domain it evaluates the request. They look if it's a phishing site and if so, they redirect you. If your input is wrong they look for matches with the domain and either present you with a search engine like page with close hits, or redirect you to the page you most likely mean at their opinion. So, in both cases they tamper with your original DNS request.
The problem with this is that DNS should not be used to protect anyone from phishing sites. Don't get me wrong, phishing is a crime but basically phishing relies on people being stupid and not verifying the pages they are on or just blindly give information that the original site would never ever ask.
The second bad thing is that they actually rewrite your DNS request. When you make a typo you will land on a totally different site which you didn't request. When you do a wrong DNS request the behavior is to get an error that the domain doesn't exist. Imagine you make the same typo again and again, you type www.opendns.cmo without noticing it. OpenDNS will make sure you will get to the right site because they are so kind to modify the request. After that you get to use a computer that doesn't use OpenDNS and now you are going to have a hard time reaching the site. Yes, of course we ALL know it should be .com, but if it's always corrected for people, there will be idiots that don't understand DNS anymore and will be totally confused by the "Server not found". I can already see my users complaining. "The internet is broken, because when I type www.opendns.cmo I don't reach their site. At home it works so there's something wrong with your network. FIX IT!". We all know how users are...
Moreover, OpenDNS decided that when you request www.google.com you actually request google.navigation.opendns.com. Yes, did read it correctly. They decided you actually didn't want to reach www.google.com, instead you get redirected to one of their own sites which looks remarkably much like googles own site. But hey, isn't this what phishers do? Well, yeah, but since you voluntarily decided to use OpenDNS it's not really phishing anymore because they didn't force you to use it, and it's probably somewhere in their Terms but I didn't read them completely. Yes, they are open about doing it. But when asked on the forum about this they took one month to respond. Now, that's strange isn't it?
When asked on their forums why OpenDNS did this they replied that Dell and Google are the guilty parties. Dell installs the google toolbar with another tool on the computers they sell. This software redirects DNS requests to unknown domains to their own site with similar pages and some adds. The OpenDNS people responded furiously. How the HELL could Dell and Google do this!!! You should not be allowed to redirect unknown requests to other pages with adds!!! Well, guess what, they are furious because this one of the things OpenDNS makes money with. With the google software installed OpenDNS will miss profit. So, they made sure that requests from the google program gets filtered through their own google site so they can redirect is themselves.
Yes, Google and Dell did go too far with this tool. They shouldn't have installed it on they hardware that Dell sold. But then again, OpenDNS did go too far too... It's something like "The Pot Calling The Kettle Black". In my opinion DNS is something that shouldn't be tampered with. You of course are totally free to use whatever DNS system you want. But I just think it modifies the 'reality' of the internet. The next step will be censorship (which OpenDNS currently doesn't do) through DNS... and then it really gets scary...
Unix suprise
Note to self: If a file has read only rights, and you are the owner, you can still delete it. It cought me by suprise...
More 3ware and Nagios
I've extended the check_3ware.sh script a bit more.
Now the script returns OK if all your units are okay, WARNING when a unit is rebuilding, CRITICAL when an array has failed and UNKNOWN when tw_cli returns something I didn't catch. I don't know all states tw_cli can return so right now the solution is to return unknown. I'll probably extend it in the future.
You can still look at the script here.
Check 3ware controllers using Nagios
When implementing Nagios to monitor my servers I also wanted to check the RAID arrays. Our servers have 3ware controllers so I searched for a script that would do this for me. I found some perl scripts but somehow they just didn't do the trick.
Luckily 3ware provides a (closed source) admin tool called tw_cli. So, I decided to write my own check_3ware.sh script using the tw_cli tool. It's a very dumb script which outputs CRITICAL whenever one of your arrays does not return OK as state. You can get it here