DevOps: Using Ansible to deploy Cacti for network monitoring
Limited Time Offer!
For Less Than the Cost of a Starbucks Coffee, Access All DevOpsSchool Videos on YouTube Unlimitedly.
Master DevOps, SRE, DevSecOps Skills!
Source –Ā opensourceforu.com
Cacti is written in PHP and uses the MySQL database as a backend. It uses the RRDtool (Round-Robin Database tool) to handle time series data and has built-in SNMP support. Cacti has been released under the GNU General Public License.
Setting up Cacti
We will use a CentOS 6.8 virtual machine (VM) running on KVM to set up Cacti. Just for this demonstration, we will disable SELinux. You will need to set the following in /etc/selinux/config and reboot the VM:
SELINUX=disabled |
When used in production, it is essential that you enable SELinux. You should then test for Internet connectivity from within the VM.
The Ansible version used on the host Parabola GNU/Linux-libre x86_64 is 2.2.1.0. The ansible/inventory/kvm/ directory structure is shown below:
ansible /inventory/kvm/inventory ansible /inventory/kvm/group_vars/all/all .yml |
The IP address of the guest CentOS 6.8 VM is provided in the inventory file as shown below:
centos ansible_host=192.168.122.98 ansible_connection= ssh ansible_user=root ansible_password=password |
Add an entry for ācentosā in the /etc/hosts file as indicated below:
192.168.122.98 centos |
The contents of the all.yml for use with the playbook are as follows:
--- mysql_cacti_password_hash: "{{ vault_mysql_cacti_password_hash }}" mysql_username: "{{ vault_mysql_user }}" mysql_password: "{{ vault_mysql_password }}" |
The Cacti.yml playbook is located in the ansible/playbooks/configuration folder.
Vault
Ansible provides the Vault feature, which allows you to store sensitive information like passwords in encrypted files. You can set the EDITOR environment variable to the text editor of your choice, as shown below:
$ export EDITOR=nano |
In order to store our MySQL database credentials, we will create a vault.yml file as indicated below:
$ ansible-vault create inventory /kvm/group_vars/all/vault .yml |
Provide a password when prompted, following which, the Nano text editor will open. You can enter the following credentials and save the file:
--- vault_mysql_cacti_password_hash: "*528573A4E6FE4F3E8B455F2F060EB6F63ECBECAA" vault_mysql_user: "cacti" vault_mysql_password: "cacti123" |
You can edit the same file, if you wish, using the following command:
$ ansible-vault edit inventory /kvm/group_vars/all/vault .yml |
It will prompt you for a password, and on successful authentication, your text editor will open with the decrypted file contents for editing.
Apache
Cacti has many dependency packages, and the first software that we will install is the Apache HTTP server.
--- - name: Install web server hosts: centos gather_facts: true tags: [httpd] tasks: - name: Update the software package repository yum: name: '*' update_cache: yes - name: Install HTTP packages package: name: "{{ item }}" state: latest with_items: - wget - nano - httpd - httpd-devel - name: Start the httpd server service: name: httpd state: started - wait_for: port: 80 |
A āyum updateā is first performed to sync with the package repositories. The httpd Web server and a few other packages are then installed. The server is started, and the Ansible playbook waits for the server to listen on port 80.
MySQL and PHP
The MySQL, PHP and RRDTool packages are then installed, following which the SNMP and MySQL servers are started as shown below:
- name: Install MySQL, PHP packages hosts: centos become: yes become_method: sudo gather_facts: true tags: [database-web] tasks: - name: Install database /web packages package: name: "{{ item }}" state: latest with_items: - mysql - mysql-server - MySQL-python - php-mysql - php-pear - php-common - php-gd - php-devel - php - php-mbstring - php-cli - php-process - php-snmp - net-snmp-utils - net-snmp-libs - rrdtool - name: Start snmpd server service: name: snmpd state: started - name: Start mysqld server service: name: mysqld state: started - wait_for: port: 3306 |
Cacti
Cacti is available in the EPEL repository for CentOS. The GPG key for the CentOS repositories is enabled before installing the EPEL repository. Aāyum updateā is performed and the Cacti package is installed. A Cacti user is then created in the MySQL database.
- name: Install Cacti hosts: centos become: yes become_method: sudo gather_facts: true tags: [cacti] tasks: - name: Import EPEL GPG key rpm_key: key: http: //dl .fedoraproject.org /pub/epel/RPM-GPG-KEY-EPEL-6 state: present - name: Add YUM repo yum_repository: name: epel description: EPEL YUM repo baseurl: https: //dl .fedoraproject.org /pub/epel/ $releasever/$basearch/ gpgcheck: yes - name: Update the software package repository yum: name: '*' update_cache: yes - name: Install cacti package: name: "{{ item }}" state: latest with_items: - cacti - name: Create cacti database user mysql_user: name: cacti password: "{{ mysql_cacti_password_hash }}" encrypted: yes priv: '*.*:ALL,GRANT' state: present |
Fixing a bug
The time zone data is missing in this MySQL version (5.1.73-8). In order to resolve this bug, the mysql_test_data_timezone.sql file needs to be imported and the ācactiā user needs to be given the SELECT privilege to do this.
- name: For bug https: //github .com /Cacti/cacti/issues/242 hosts: centos become: yes become_method: sudo gather_facts: true tags: [bug] tasks: - name: Import mysql_test_data_timezone.sql mysql_db: state: import name: mysql target: /usr/share/mysql/mysql_test_data_timezone .sql - name: Grant privileges mysql_user: name: cacti append_privs: true priv: 'mysql.time_zone_name:SELECT' state: present |
It is a good practice to have a separate playbook for such exceptional cases. In future, when you upgrade to newer versions that have bug fixes, you can simply skip this step.
Configuration
The last step involves configuring Cacti.
- name: Configuration hosts: centos become: yes become_method: sudo gather_facts: true tags: [config] tasks: - name: Create a database for cacti mysql_db: name: cacti state: present - name: Import cacti.sql mysql_db: state: import name: cacti target: /usr/share/doc/cacti-1 .0.4 /cacti .sql - name: Update database credentials in config file lineinfile: dest: /etc/cacti/db .php regexp: ā{{ item.regexp }}ā line: ā{{ item.line }}ā with_items: - { regexp: ā^\$database_usernameā, line: ā$database_username = ā{{ mysql_username }}ā;ā } - { regexp: ā^\$database_passwordā, line: ā$database_password = ā{{ mysql_password }}ā;ā } - name: Allow port 80 shell: iptables -I INPUT 5 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT - name: Update access in cacti.conf for httpd replace: dest: /etc/httpd/conf .d /cacti .conf regexp: ā{{ item.regexp }}ā replace: ā{{ item.replace }}ā with_items: - { regexp: āRequire host localhostā, replace: āRequire all grantedā } - { regexp: āAllow from localhostā, replace: āAllow from allā } - lineinfile: dest: /etc/cron .d /cacti regexp: ā^ #(.*)$ā line: ā\1ā backrefs: yes - name: Start mysqld server service: name: mysqld state: restarted - wait_for: port: 3306 - name: Start the httpd server service: name: httpd state: restarted - wait_for: port: 80 |
A database called ācactiā is created for the application, and the cacti.sql file is imported into it. The database credentials are updated for the Cacti application. The firewall rules are then updated to allow incoming HTTP requests for port 80. The periodic cron poller is then enabled in /etc/cron.d/cacti:
* /5 * * * * cacti /usr/bin/php /usr/share/cacti/poller .php > /dev/null 2>&1 |
The MySQL and HTTP servers are then restarted.
The result
The entire playbook can now be invoked as follows:
$ ansible-playbook -i inventory /kvm/inventory playbooks /configuration/cacti .yml --ask-vault-pass |