
Saturday, October 6, 2018

Pandora FMS and eHorus - a great integrated network monitoring and SaaS cloud-based remote management system

Supratim Sanyal's Blog: eHorus integration with Pandora FMS at SANYALnet Labs
eHorus integration in Pandora FMS web interface (Processes view)

After playing around with the usual network monitoring tools, all of them impressive (Nagios, PRTG, Zabbix, Zenoss), I have settled down on Pandora FMS for a few years to monitor hobbyist servers in SANYALnet Labs. With solid agent-based real-time performance monitoring and alarming capabilities and an impressive "recon" task with automatic network hierarchy discovery and visual network mapping features, Pandora FMS has been serving me very well.

After a recent upgrade to the latest Pandora FMS distribution, I discovered it supports seamless integration with the eHorus cloud-based remote management system (SaaS) for total command and control of my network nodes right from inside the Pandora FMS web interface as well as the eHorus portal internet web-site.

The steps to deploy eHorus and the required registration form and agent downloads are described pretty well at the eHorus web-site. The free tier allows up to 10 nodes and one concurrent user - quite enough for a hobbyist environment like mine.

I started off by registering an account at the eHorus portal and installing the CentOS 7 64-bit eHorus agent on my Dell PowerEdge R710 virtualization host that runs a bunch of SANYALnet Labs hobbyist nodes.

I downloaded and installed the eHorus agent for 64-bit CentOS 7 following these instructions. The only change I made to the /etc/ehorus/ehorus_agent.conf file was to substitute my real eHorus userid in the "#eh_user USER" parameter in the config file.




I then enabled and started the ehorus_agent_daemon using the systemctl command.

# systemctl enable  ehorus_agent_daemon
# systemctl start ehorus_agent_daemon
# systemctl status  ehorus_agent_daemon
● ehorus_agent_daemon.service - LSB: eHorus Agent startup script
   Loaded: loaded (/etc/rc.d/init.d/ehorus_agent_daemon; bad; vendor preset: disabled)
   Active: active (running) since Fri 2018-10-05 23:55:20 UTC; 2h 13min ago
     Docs: man:systemd-sysv-generator(8)
   CGroup: /system.slice/ehorus_agent_daemon.service
           └─20940 /usr/bin/ehorus_agent -f /etc/ehorus/ehorus_agent.conf

Oct 05 23:55:18 dell-poweredge-r710.sanyalnet.lan systemd[1]: Starting LSB: eHorus Agent startup script...
Oct 05 23:55:19 dell-poweredge-r710.sanyalnet.lan ehorus_agent_daemon[20908]: 2018-10-05 23:55:19 [log][2] WARNING: no pas...t!
Oct 05 23:55:20 dell-poweredge-r710.sanyalnet.lan ehorus_agent_daemon[20908]: eHorus Agent is now running with PID 20940
Oct 05 23:55:20 dell-poweredge-r710.sanyalnet.lan systemd[1]: Started LSB: eHorus Agent startup script.
Hint: Some lines were ellipsized, use -l to show in full.


Checking the eHorus web portal, I could now see my server:

Supratim Sanyal's Blog: eHorus Portal (SANYALnet Labs)
eHorus Portal (internet web site) with one server

eHorus provides the following options for command and control of configured servers:

  • Terminal
  • Desktop
  • Processes
  • Services
  • Files


Supratim Sanyal's Blog: eHorus Details Screen (SANYALnet Labs)
eHorus Node Details Screen at Web Portal

eHorus integrates with Pandora FMS, enabling seamless monitoring and control facilities for nodes from right inside the Pandora FMS web UI. Here is an example of an eHorus terminal window inside a Pandora FMS web session:

Supratim Sanyal's Blog: eHorus Details Screen (SANYALnet Labs)
eHorus terminal inside Pandora FMS

I will gradually deploy eHorus remote management agents on some of my other nodes. Unfortunately, the eHorus agent is not available for OpenVMS VAX or Alpha, Solaris, AIX, NetBSD and similar unusual operating systems that I play around with.

Wednesday, September 26, 2018

Establish SSH connection to OpenVMS Alpha 8.3 + TCP/IP Services 5.6 on DEC AlphaServer | Getting Past diffie-hellman-group1-sha1 and ssh-dss for Legacy Operating Systems

1.558 (RAPTOR) - OpenVMS Alpha: MONITOR SYSTEM

This post falls in the "don't reinvent the wheel" category.

One of my toys is RAPTOR, an emulated AlphaServer ES40 running OpenVMS Alpha 8.3 operating system. It connects to HECnet over DECnet Phase IV, and to the internet using Digital TCP/IP Services for OpenVMS. It runs an internet-facing web-server (OSU DECthreads HTTP Server for OpenVMS), effortlessly handling legitimate and spam traffic serving http://sanyal.duckdns.org.

Digital/Compaq/HP TCP/IP Services for OpenVMS Alpha 5.6 includes an SSH server allowing network access using SSL from SSH clients.

$ TCPIP SHOW VERSION

  HP TCP/IP Services for OpenVMS Alpha Version V5.6
  on an AlphaServer ES40 833 MHz running OpenVMS V8.3

Due to the age of TCP/IP Services for OpenVMS Alpha Version V5.6, modern implementations of SSH clients do not directly establish a secure communications channel with RAPTOR. Ubuntu 17 Linux, for example, provides the following contemporary SSH client:

someuser@moksha:~$ ssh -V
OpenSSH_7.5p1 Ubuntu-10ubuntu0.1, OpenSSL 1.0.2g  1 Mar 2016

and attempting to ssh directly to RAPTOR produces the following error:

someuser@moksha:~$ ssh vmsuser@10.42.2.12
Unable to negotiate with 10.42.2.12 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Looking at the OpenSSH Legacy Options page, I created a ~/.ssh/config file with the following contents:

Host 10.42.2.12
        KexAlgorithms +diffie-hellman-group1-sha1

I set the file permissions for ~/.ssh/config to owner-read/write only (not sure if it is needed), and tried again. But this time, a different error showed up:

someuser@moksha:~$ chmod 600 ~/.ssh/config
someuser@moksha:~$ ls -l ~/.ssh/config
-rw------- 1 someuser somegroup 88 Sep 26 02:17 /home/someuser/.ssh/config

someuser@moksha:~$ ssh vmsuser@10.42.2.12
Unable to negotiate with 10.42.2.12 port 22: no matching host key type found. Their offer: ssh-dss

Looking more at the OpenSSH Legacy Options page, I added another line to ~/.ssh/config file so that the ~/.ssh/config now has a total of three lines in it:

Host 10.42.2.12
        KexAlgorithms +diffie-hellman-group1-sha1
        HostKeyAlgorithms +ssh-dss

And presto, I am able to ssh from Ubuntu 17 into OpenVMS Alpha!

someuser@moksha:~$ ssh vmsuser@10.42.2.12
The authenticity of host '10.42.2.12 (10.42.2.12)' can't be established.
DSA key fingerprint is SHA256:somestring/somestring.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.42.2.12' (DSA) to the list of known hosts.
vmsuser@10.42.2.12's password:

Welcome to OpenVMS (TM) Alpha Operating System, Version V8.3

System: RAPTOR, AlphaServer ES40 833 MHz
CPU 0    State: RUN                CPUDB: 81C16000     Handle: * None *
       Process: VMSUSER              PID: 000000B9

Product:  DECNET        Node:  RAPTOR               Address(es):  1.558
Product:  TCP/IP        Node:  raptor.sanyalnet.lan Address(es):  10.42.2.12

  26-SEP-2018 02:07:25

$
$
$ lo

Connection to 10.42.2.12 closed.SEP-2018 02:09:35.51

someuser@moksha:~$
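
The override above re-enables algorithms that the client in the post refuses by default, so it matters that it stays inside the `Host 10.42.2.12` block. As an added example (not from the original post), this Python script flags the same two options when they are enabled globally or under a wildcard Host pattern; the `*.sanyalnet.lan` and `Host *` blocks in the sample are constructed for illustration.

```python
# Added example: audit an OpenSSH client config for legacy algorithms
# that are enabled for more hosts than intended.

# The two legacy algorithms from the post; the OpenSSH 7.5 client there
# refused both until they were enabled explicitly.
LEGACY = {
    "kexalgorithms": {"diffie-hellman-group1-sha1"},
    "hostkeyalgorithms": {"ssh-dss"},
}

# Constructed sample: the post's Host block plus two hypothetical blocks.
SAMPLE_CONFIG = """\
# legacy OpenVMS box
Host 10.42.2.12
        KexAlgorithms +diffie-hellman-group1-sha1
        HostKeyAlgorithms +ssh-dss

Host *.sanyalnet.lan
        KexAlgorithms +diffie-hellman-group1-sha1

Host *
        HostKeyAlgorithms -ssh-dss
"""


def is_broad(patterns):
    """True when a Host pattern list can match hosts that are not named explicitly."""
    return any(not p.startswith("!") and ("*" in p or "?" in p) for p in patterns)


def audit_ssh_config(text):
    """Return (line_no, scope, keyword, algorithm, verdict) per legacy algorithm enabled."""
    findings = []
    patterns = ["*"]  # options before the first Host line apply to every host
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts "Keyword value" and "Keyword=value"
        parts = line.replace("=", " ", 1).split()
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "host":
            patterns = args
            continue
        if keyword == "match":
            patterns = ["*"]  # conservative simplification: treat Match blocks as broad
            continue
        if keyword not in LEGACY or not args:
            continue
        spec = args[0]
        if spec.startswith("-"):
            continue  # a leading '-' removes algorithms, it does not enable them
        for alg in spec.lstrip("+^").split(","):
            if alg in LEGACY[keyword]:
                verdict = "BROAD" if is_broad(patterns) else "scoped"
                findings.append((line_no, " ".join(patterns), parts[0], alg, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG):
        print(finding)
```

A "scoped" verdict means the weak algorithm is only offered to the named host; a "BROAD" verdict means it is offered to every host the pattern matches.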


Saturday, September 22, 2018

Running AIX x86 on Laptop | IBM AIX PS/2 1.3 for Intel i386 in Virtual Box

Supratim Sanyal's Blog: IBM AIX PS/2 1.3 for Intel i386 running X11 X Windows Motif Desktop in Virtual Box


AIX 1.3 for PS/2 is unique in that it is the only AIX release that runs on the Intel i386 processor architecture. IBM's announcement letter is still available online and starts off by describing AIX 1.3 for PS/2 as "AIX PS/2 Operating System Version 1.3 and its associated Conditions of Use Products (COUs) provide full hardware support and exploitation for all models of IBM PS/2 system units based on the 32-bit INTEL 386sx-16MHz up through the INTEL 486DX2-66MHz, utilizing both IBM Microchannel or IBM AT-Bus architectures."

As a DEC alumnus, the only IBM operating system I had ever used was PC DOS. This was by choice at the very beginning of my tryst with computing. DEC hardware and operating systems were being used in all sorts of interesting factory shop floor real-time systems, SCADAs, Nuclear Power Plants, Space technologies, Telecommunications etc. while IBM mainframes and minicomputers were more popular in (boring!) banking and financial systems.

I have since come to regret that unfounded bias, and when my favorite blogger posted an article on running AIX 1.3 inside VirtualBox I jumped on it and got it to work on my Lenovo Legion Y720 gaming laptop.

And, I also learned "AIX" actually stands for "Advanced Interactive Executive".


Supratim Sanyal's Blog: Running IBM AIX Operating System on PC Virtual Box - Graphical Desktop X11 X-Windows Motif

AIX for PS/2 supports an X Windows Motif based graphical desktop. A quick way to check the X11 desktop is to type in "xinit", which launches an X11/Motif graphical interface with a terminal, and then type in "xdt" to launch the IBM Graphical Desktop. The complete AIX for PS/2 X Windows Users' Guide is still available online.

The virtual machine boots up from floppy disks. Two boot floppy disks are needed. Booting from the first floppy disk loads the boot loader (IBM AIX PS/2 Bootstrap) itself:

SANYALnet Labs | IBM AIX boot sequence in VirtualBox

SANYALnet Labs | IBM AIX PS/2 PC Intel i386 Boot

On the next "LOAD A SYSTEM FROM THE DISKETTE" screen, the correct operating system choices need to be made:


Supratim Sanyal's Blog: IBM AIX PS/2 Intel i386 PC Boot


Module to be loaded: unix.gen
System mode: Multi User
Run system from hard disk: Yes

Proceeding from here, the Bootstrap will ask for the 2nd floppy disk to be inserted and continue booting AIX from there.

Supratim Sanyal's Blog: IBM AIX PS/2 PC Virtual Box Boot

Soon, an IBM AIX PS/2 Operating System login prompt is presented.

Supratim Sanyal's Blog: IBM AIX PS/2 PC i386 Intel Operating System Login

The X Windows/Motif graphical desktop can be launched using the "xinit" command after logging in. This launches the GUI desktop with a shell command prompt window. Issuing "xdt" launches the IBM AIX PS/2 AIXwindows Desktop.

In addition to the X Windows programs in /usr/bin/X11, additional AIXwindows software applications like "aixterm" are included. 

Unfortunately I have not been able to get networking to work yet. The AIX PS/2 announcement lists the following communication adapters as supported:

IBM PS/2 Adapter/A for Ethernet Networks (#0789)(6451233)
IBM Token Ring Network 16/4 Adapter/A (#1049)(74F9410)
IBM Token Ring Network 16/4 Adapter II
IBM Token Ring Network 16/4 Busmaster Server Adapter/A (#4041)(74F4140)

I have been unable to present any of this to AIX PS/2 in the VirtualBox hypervisor and will gladly welcome ideas to put AIX on the network in comments you can leave below.

Download

You can download the Oracle VirtualBox appliance for hobbyist use only from my google drive.

Friday, May 4, 2018

A Free Public VDE (Virtual Distributed Ethernet) Switch: Connect anything to anything anywhere over layer-2 ethernet

The Public VDE Networking server at Università di Bologna does not seem to be up, so I deployed my own in the spirit of that original effort. It is open-access, public, available to everybody.

It allows any Virtual Distributed Ethernet (VDE) Switches anywhere to be connected securely over the internet.

To connect to my free open access VDE public ethernet network, just virtually "wire" your switch to my public one using this command:

dpipe vde_plug = ssh vde0@sanyalnet-cloud-vps3.freeddns.org vde_plug

I am using this VDE switch to connect a VAX-11/780 in Kitchener, Ontario, Canada to a bunch of DECnet nodes in the Washington DC metro area. The exact commands I am using to set up the local VDE switches and connect them via the public VDE switch are:

/usr/local/bin/vde_switch -t vde-decnet-tap0 -s /tmp/vde-decnet.ctl -m 666 --mgmt /tmp/vde-decnet.mgmt --mgmtmode 666 --daemon --fstp

/usr/local/bin/dpipe /usr/local/bin/vde_plug /tmp/vde-decnet.ctl = /usr/bin/ssh vde0@sanyalnet-cloud-vps3.freeddns.org vde_plug

The second command line runs in the foreground in the terminal unless you force it background using screen or nohup etc.

Also, the above command lines work on CentOS 7 on which I built VDE from sources. On Ubuntu, you can simply install vde2 from the repos which puts the tools in /usr/bin instead of /usr/local/bin.

If possible, please enable FSTP when you create your local VDE switches (use the --fstp parameter in the vde_switch command line) to try to control ethernet loopbacks and floods so that I don't have to keep rebooting my server.

Tuesday, May 1, 2018

How to create a Linux account with empty password (no password) with SSH access

I had a very good reason to want a password-less account for users to login over SSH: make a publicly available Virtual Distributed Ethernet (vde) tunnel broker for anyone to connect anything from anywhere over a free public globally available layer-2 virtual ethernet switch requiring no password (details in next post).

It turned out to be pretty tricky, but I finally have what I wanted - an account on an Ubuntu 14.04 server that accepts ssh connections from anywhere to a user without prompting for a password. This has nothing to do with exporting rsa/dsa keys and manipulating .ssh/authorized_keys etc. Neither has this anything to do with passwordless logon to Linux graphical desktops.

Here is a summary of what worked for me.

  • adduser someuser
  • passwd -d someuser    #delete password
  • vi /etc/ssh/sshd_config
    • Change PermitEmptyPasswords from no to yes, i.e.
      # PermitEmptyPasswords no
      PermitEmptyPasswords yes
    • If AllowUsers is enabled, don't forget to add the new username to the list of allowed users. I always configure the AllowUsers line to limit usernames that can log in to my internet-facing servers.
  • service ssh restart
  • vi /etc/pam.d/common-auth
    • change nullok_secure to nullok as in:
      # auth    [success=1 default=ignore]      pam_unix.so nullok_secure
      auth    [success=1 default=ignore]      pam_unix.so nullok
  • vi /etc/securetty
    • add the following line (I put it under "console" at the very top):
      ssh
  • suppress the big Ubuntu login banner by creating an empty file called .hushlogin in the new user's home directory
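
An added example, not part of the original post: a Python check that reports where an sshd_config enables PermitEmptyPasswords and whether that scope is confined. It assumes the account only needs to run vde_plug; the `admin` user, the `Match User` block and the list of restrictions are illustrative assumptions, and both sample configs are constructed.

```python
# Added example: where does sshd_config allow empty passwords, and how
# tightly is that scope confined?

# Options that confine an empty-password account (an assumed policy);
# None means "any value set", otherwise the value that must be present.
RESTRICTIONS = {
    "forcecommand": None,
    "permittty": "no",
    "allowtcpforwarding": "no",
    "x11forwarding": "no",
}

# Constructed sample: the post's change, applied to the whole server.
WEAK = """\
PermitEmptyPasswords yes
AllowUsers admin someuser
"""

# Constructed sample: empty password limited to the one account.
SCOPED = """\
PermitEmptyPasswords no
AllowUsers admin someuser
Match User someuser
    PermitEmptyPasswords yes
    ForceCommand vde_plug
    PermitTTY no
    AllowTcpForwarding no
    X11Forwarding no
"""


def parse_scopes(text):
    """Split sshd_config text into the global section and its Match blocks."""
    scopes = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = "Match " + value
            scopes.setdefault(current, {})
        else:
            scopes[current].setdefault(keyword, value)  # first value wins
    return scopes


def empty_password_exposure(text):
    """Return (scope, missing_restrictions) for each scope that sets PermitEmptyPasswords yes."""
    scopes = parse_scopes(text)
    findings = []
    for scope, opts in scopes.items():
        if opts.get("permitemptypasswords", "no").lower() != "yes":
            continue
        # A Match block overrides the global section and inherits the rest.
        effective = dict(scopes["global"])
        effective.update(opts)
        missing = [k for k, want in RESTRICTIONS.items()
                   if k not in effective or (want and effective[k].lower() != want)]
        findings.append((scope, missing))
    return findings


if __name__ == "__main__":
    print(empty_password_exposure(WEAK))
    print(empty_password_exposure(SCOPED))
```

A finding with scope "global" means any account whose password has been deleted can log in (subject to AllowUsers); a `Match User` scope with an empty missing list is the confined form.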

--


Saturday, April 21, 2018

Fixing LED Turn Indicator Hyperflashing (Rapid Flashing with LED Replacement Bulbs): Ford F-150 SVT Raptor



I picked up LED 4057 turn indicator bulbs (white for parking/indicator front, red for tail/brake/indicator rear) for my 2012 Ford F-150 SVT Raptor. On putting them in, the turn signals started flashing too rapidly, like they do when a bulb is blown.

On researching this on the F-150 forums, I found this phenomenon is very well-known, and actually has a name: "hyperflashing". My Raptor apparently also does not have a real flasher; the flashing function is managed by one of the computers in the truck, the Body Control Module (BCM). The sound of the flasher from the dashboard is artificially generated.

The problem is with the extremely low power that LED lamps draw compared to incandescent lamps that the BCM is designed for. This makes the BCM think the bulbs are blown, and it switches to rapid flashing as a way to warn the driver that indicator lights are not working.

There are two solutions. The first solution is adding a resistor in parallel to the wiring to the LED bulbs, thus increasing the power load to fool the BCM into thinking it has working incandescent bulbs. The second solution is to reprogram the BCM to turn off the "failed bulb" feature so that the BCM does not hyperflash even though it thinks the bulbs are blown.

Being a software nerd, reprogramming the BCM obviously was my choice for the fix. Fortunately, thanks to a very enthusiastic Ford community, the configuration addresses and data values/parameters are available for the BCM and other computers in my Raptor in a fantastic spreadsheet available free online: "2011-2014 F-150 limited 4wd As-Built Options".

I first ordered an OHP Ford ELMconfig USB device 500kbit/s ELM327 compatible interface with MS-CAN switch for Forscan FoCCCus Mazda OBD2 diagnostics adapter. When it arrived, I plugged the USB connector to my Windows 10 laptop. Windows 10 was able to find a driver online which it installed automatically. The Windows 10 Device Manager then showed a new "USB Serial Port (COM3)" and a "USB Serial Converter" device.

Supratim Sanyal's Blog: Ford F-150 OBD-II (OBD2) USB Converter OHP HS-CAN MS-CAN Adapter Device Driver Windows 10
OHP OBD-II USB Adapter Device Driver on Windows 10

Supratim Sanyal's Blog: OHP ELMConfig OBD2 OBD-II USB Scanner Adapter Connected to PC
ohp ELMconfig OBD2 adapter connected to laptop

Supratim Sanyal's Blog: ohp ELMconfig OBD2 scanner USB adapter information card
OHP ELMconfig OBD2 USB adapter information card

Supratim Sanyal's Blog: OHP ELMconfig OBD-II Scanner USB Adapter connection to Windows 10 PC
OHP ELMconfig OBD-2 USB Adapter

With the OHP OBD-II-USB converter ready, I then went ahead to download FORScan - the free software that allows reconfiguration of the computers on-board the Ford F-150 (and other Ford vehicles) via reading and writing configurable register addresses documented in the "As-Built Options" spreadsheet.

I also downloaded the FORScan tutorial that has excellent step-by-step instructions on using FORScan.

Getting a "trial license" for FORScan turned out to be surprisingly easy. I signed up at the FORScan forum, and my account was approved within half an hour. Once approved, I obtained a trial license from http://forscan.org/forum/extlic.php using the Hardware ID available in FORScan application itself from the steering wheel icon with the yellow question mark at bottom left. This is exactly as described in the FORScan tutorial.

Supratim Sanyal's Blog: FORScan License Keygen generator
FORScan Trial License Generator


Supratim Sanyal's Blog: How to get FORScan Hardware ID Screen
FORScan Hardware ID Screen

Once the FORScan license file was loaded, I was all set to connect the OBD-II adapter to my truck and tweak the configuration of the Body Control Module computer.

Looking at the BCM tab of the "As-Built Options" spreadsheet, to fix hyperflashing of the front LED turn signal indicators, I needed to change the first value at address 726-13-01 from 0101 (Front lamp outage on (hyperflash)) to 0000 (Front Lamp Outage off). Similarly, to fix hyperflashing of the rear LED turn signal indicators, I needed to change the first value at address 726-14-01 from 0101 (stop/rear lamp outage on (hyperflash)) to 0000 (Stop/rear lamp outage off). This effectively disabled the hyperflash-if-bulb-blown logic, thus addressing the problem. Of course, this means that if any of the LED bulbs really blows, I wouldn't know about it without physically looking at those LED bulbs - but I can do that check manually once in a while and live with it.

Supratim Sanyal's Blog: 2011-2014 Ford F-150 Front and Rear Turn Indicator Hyperflashing Control Addresses on BCM (Body Control Module)


Following the FORScan tutorial, I connected the OHP ELMconfig adapter to the OBD2 port under the steering wheel, connected the USB end to my laptop running FORScan, turned the key to ignition-on position (one step before starting the engine), and took a backup of the BCM configuration first.

Supratim Sanyal's Blog: OBD2 port on 2012 Ford F-150 SVT Raptor
OBD2 port on 2012 Ford F-150 SVT Raptor

Supratim Sanyal's Blog: OHP OBD2 USB Adapter connected to OBD2 port on Ford F-150 SVT Raptor
OHP OBD2 USB adapter connected to my 2012 Ford F-150 SVT Raptor

Then I went ahead and wrote 0000 to the two addresses, following on-screen instructions to turn my truck completely off and on each time.

And presto, the LED turn signal indicators do not hyperflash any more!

A backup of the files mentioned in this post is available at my google drive.






Friday, April 6, 2018

Tru64 Unix Tiny Web Server: nweb

Once I had Tru64 Unix 5.0 running on a FreeAXP AlphaServer 400, I went on a search for a very small but safe web server that would deliver one static html page to http clients.

My environment is Compaq C V6.1-011 on Digital UNIX V5.0 (Rev. 910) C compiler running on Tru64 Unix 5.0 (OSF1 V5.0 910 alpha).

The heavyweight Apache httpd was not in consideration - too much bloat for a single static page server.

I next attempted thttpd - tiny/turbo/throttling HTTP server. I had to comment out "typedef long long int64_t;" in mmc.c, thttpd.c and libhttpd.c because the compiler complained of a prior declaration in /usr/include/sys/bitypes.h, after which it built successfully. But on attempting to execute it, I got:

/usr/local/sbin/thttpd: getaddrinfo (null) - servname not supported for ai_socktype

Unfortunately my emails to the subscription address for the thttpd mailing list as well as directly to the mailing list did not produce any response. It is very quiet in the thttpd world.

Finally, I struck gold with Nigel Griffiths' nweb: a tiny, safe Web server (static pages only) - a masterpiece in 200 lines of posix-compatible classic Unix-style C code. The only tweaks I made to version 23 of the C program are:

  • changed setpgrp() to setpgrp(0,0) for it to compile
  • changed the logger() function to log to Tru64's syslog facility instead of an ever-growing nweb.log log file
  • added a couple of mime types to the extensions array (ttf, css) for a downloadable font and CSS that my static page uses
  • brought inclusion of <sys/types.h> before <unistd.h> as recommended by Tru64 Unix man page for the setpgrp function

A simple "cc -o nweb23 nweb23.c" produced a working nweb23 executable (with just one warning about a usual signed vs unsigned int used as a reference) which I moved to /usr/local/sbin. I added a /sbin/init.d/nweb23 script:


#!/sbin/sh
#
# start nweb23 httpd web server daemon
#
PATH=/sbin:/usr/sbin:/usr/bin:/usr/local/sbin
PORT=80
WEBROOT=/usr/users/decnet/webroot
#
export PATH PORT WEBROOT
#
case "$1" in
'start')
        echo "Starting nweb23 httpd web server daemon"
        /usr/local/sbin/nweb23 $PORT $WEBROOT
        ;;
*)
        echo "Usage:  $0 {start}"
        ;;
esac


and created a link under /sbin/rc3.d to the init script, i.e. S99nweb23 -> ../init.d/nweb23, to start nweb up at boot.

That is all it took. nweb is happily serving http requests from the Tru64 server at http://sanyal.duckdns.org:89/.

A tarball containing the modified nweb version 23 source code along with the Tru64 Unix binary can be downloaded from my google drive.
