Saturday 29 November 2014

Entropy



Checking up on the graphs CGP is giving me, I noticed entropy getting low on 2 of my Pis. - Nice thing I have monitoring ;)

Some googling taught me that the RasPi has a hardware random number generator on board, but it's just not enabled.

Can't explain it much better than this, so here's a link:
http://vk5tu.livejournal.com/43059.html
TL;DR:
  1. add line 'bcm2708-rng' to file /etc/modules
  2. Reboot the machine 
  3. sudo apt-get install rng-tools 

What do we need entropy for? For example, new processes have randomized addresses (ASLR) and network packets need random sequence numbers. Even the filesystem module may remove some entropy.

As the next post should be the first in a series on setting up your own OpenVPN on your Raspberry Pi, I thought it might be wise to read up on some random security ;)

From random.c:
/dev/random is suitable for use when very high
 * quality randomness is desired (for example, for key generation or
 * one-time pads), as it will only return a maximum of the number of
 * bits of randomness (as estimated by the random number generator)
 * contained in the entropy pool.
 
The /dev/urandom device does not have this limit, and will return
 * as many bytes as are requested.  As more and more random bytes are
 * requested without giving time for the entropy pool to recharge,
 * this will result in random numbers that are merely cryptographically
 * strong.  For many applications, however, this is acceptable.
 
So in the end, this probably won't speed things up, but it will improve security in situations where you would otherwise have had no more truly random numbers available.

New output in syslog:

Feb 31 17:01:25 blackpi rngd[2272]: stats: bits received from HRNG source: 4500064

Feb 31 17:01:25 blackpi rngd[2272]: stats: bits sent to kernel pool: 4422560

Feb 31 17:01:25 blackpi rngd[2272]: stats: entropy added to kernel pool: 4422560

Feb 31 17:01:25 blackpi rngd[2272]: stats: FIPS 140-2 successes: 224

Feb 31 17:01:25 blackpi rngd[2272]: stats: FIPS 140-2 failures: 1

Feb 31 17:01:25 blackpi rngd[2272]: stats: FIPS 140-2(2001-10-10) Monobit: 0

Feb 31 17:01:25 blackpi rngd[2272]: stats: FIPS 140-2(2001-10-10) Poker: 0

Feb 31 17:01:25 blackpi rngd[2272]: stats: FIPS 140-2(2001-10-10) Runs: 1

Feb 31 17:01:25 blackpi rngd[2272]: stats: FIPS 140-2(2001-10-10) Long run: 0

Feb 31 17:01:25 blackpi rngd[2272]: stats: FIPS 140-2(2001-10-10) Continuous run: 0

Feb 31 17:01:25 blackpi rngd[2272]: stats: HRNG source speed: (min=367.841; avg=711.006; max=816.319)Kibits/s

Feb 31 17:01:25 blackpi rngd[2272]: stats: FIPS tests speed: (min=1.637; avg=5.827; max=7.937)Mibits/s

Feb 31 17:01:25 blackpi rngd[2272]: stats: Lowest ready-buffers level: 2

Feb 31 17:01:25 blackpi rngd[2272]: stats: Entropy starvations: 0

Feb 31 17:01:25 blackpi rngd[2272]: stats: Time spent starving for entropy: (min=0; avg=0.000; max=0)us
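
A way to check that the three TL;DR steps took effect and to turn the rngd stats into a FIPS failure rate. This is an added example, not part of the original post; the function names, the /dev/hwrng and /var/log/syslog paths and the 1000-bit threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check that the hardware RNG
# setup above took effect. File paths are arguments so the checks can be
# pointed at copies of the files as well as the live system.

# module_configured FILE MODULE: succeeds if MODULE is an active line in FILE
module_configured() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*(#.*)?\$" "$1" 2>/dev/null
}

# entropy_state FILE MIN_BITS: prints "ok N" or "low N" for the pool estimate
entropy_state() {
    avail=$(cat "$1" 2>/dev/null) || { echo "unknown"; return 2; }
    if [ "$avail" -ge "$2" ]; then
        echo "ok $avail"
    else
        echo "low $avail"; return 1
    fi
}

# fips_failure_permille LOG: failed FIPS 140-2 blocks per 1000 tested,
# taken from the most recent rngd "stats:" lines in LOG
fips_failure_permille() {
    awk '/rngd\[[0-9]+\]: stats: FIPS 140-2 successes:/ { s = $NF }
         /rngd\[[0-9]+\]: stats: FIPS 140-2 failures:/  { f = $NF }
         END { if (s + f == 0) { print "n/a"; exit 1 }
               printf "%d\n", (f * 1000) / (s + f) }' "$1"
}

# rng_report: run all checks against the live system (Raspbian paths).
# MIN_BITS=1000 is an assumed alert threshold, not a value from the post.
rng_report() {
    if module_configured /etc/modules bcm2708-rng; then echo "module: listed"
    else echo "module: bcm2708-rng missing from /etc/modules"; fi
    if [ -c /dev/hwrng ]; then echo "hwrng: present"
    else echo "hwrng: /dev/hwrng not found"; fi
    echo "entropy: $(entropy_state /proc/sys/kernel/random/entropy_avail 1000)"
    echo "fips failures per 1000: $(fips_failure_permille /var/log/syslog 2>/dev/null)"
}

if [ "${1:-}" = "report" ]; then rng_report; fi
```

Run it on the Pi as `sh rngcheck.sh report` (the file name is arbitrary). With the stats shown above (224 successes, 1 failure) the failure rate comes out at 4 per 1000 blocks.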

Thursday 20 November 2014

Collectd Graph Panel - CGP - Graphs for the masses !

As a graphing solution we'll use Collectd Graph Panel.
It draws interactive graphs on the client side, which is nice since the Raspberry Pi isn't exactly a powerhouse of processing.

More info about CGP at: https://github.com/pommi/CGP


Let's get crackin':

Install an HTTP server and PHP5 plugin; in this setup we'll go for nginx.
sudo apt-get install nginx php5-fpm

Let's configure nginx:

sudo nano /etc/nginx/sites-enabled/default
## 


server {
        listen 80;
        server_name localhost;

        root /var/www;
        index index.php;

        # This catches requests other than /CGP/rrd/ and PHP (see below)
        location /CGP/ {
                gzip on;
                # MIME types are separate arguments; quoted together they
                # would be read as a single type that never matches
                gzip_types application/javascript text/css;
                # The static files do not change often, cache hint 1 month
                expires 1M;
        }
        # CGP is located at /var/www/CGP/ in this setup; directly serve the RRD data
        # files for use with the canvas graph type. Add compression to reduce data
        # usage by 70% - 80%.
        location /CGP/rrd/ {
                alias /var/lib/collectd/rrd/;
                gzip on;
                gzip_types *;
                # Cache hint: browser can recheck after 10 minutes
                expires 10m;
                #gzip_comp_level 3;
        }

        # Process PHP files through PHP-FPM
        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_pass unix:/run/php5-fpm.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }
        # Disallow access to hidden files and directories (such as .git/)
        location ~ /\. {
                deny all;
        }

}



Yay, that's the server done; let's put some files in there:
cd /var/www
sudo git clone https://github.com/pommi/CGP.git
cd CGP/conf
nano config.php

Make the highlighted changes:

<?php

# collectd version
$CONFIG['version'] = 5;

# collectd's datadir
$CONFIG['datadir'] = '/var/lib/collectd/rrd';

# location of the types.db file
$CONFIG['typesdb'][] = '/usr/share/collectd/types.db';

# rrdtool executable
$CONFIG['rrdtool'] = '/usr/bin/rrdtool';

# rrdtool special command-line options
$CONFIG['rrdtool_opts'] = array();

# category of hosts to show on main page
#$CONFIG['cat']['category1'] = array('host1', 'host2');

# default plugins to show on host page
$CONFIG['overview'] = array('load', 'cpu', 'memory', 'swap');

# example of filter to show only the if_octets of eth0 on host page
# (interface must be enabled in the overview config array)
#$CONFIG['overview_filter']['interface'] = array('ti' => 'eth0', 't' => 'if_octets');

# default plugins time range
$CONFIG['time_range']['default'] = 86400;
$CONFIG['time_range']['uptime']  = 31536000;

# show load averages and used memory on overview page
$CONFIG['showload'] = true;
$CONFIG['showmem'] = false;

$CONFIG['term'] = array(
        '2hour'  => 3600 * 2,
        '8hour'  => 3600 * 8,
        'day'    => 86400,
        'week'   => 86400 * 7,
        'month'  => 86400 * 31,
        'quarter'=> 86400 * 31 * 3,
        'year'   => 86400 * 365,
);

# show graphs in bits or bytes
$CONFIG['network_datasize'] = 'bytes';

# "png", "svg", "canvas" or "hybrid" (canvas on detail page, png on the others) graphs
$CONFIG['graph_type'] = 'canvas';

# For canvas graphs, use 'async' or 'sync' fetch method
$CONFIG['rrd_fetch_method'] = 'sync';

# use the negative X-axis in I/O graphs
$CONFIG['negative_io'] = false;

# add XXth percentile line + legend to network graphs
# false = disabled; 95 = 95th percentile
$CONFIG['percentile'] = false;

# create smooth graphs (rrdtool -E)
$CONFIG['graph_smooth'] = false;

# draw min/max spikes in a lighter color in graphs with type default
$CONFIG['graph_minmax'] = false;

# The URL that provides RRD files for the "canvas" graph type. Examples:
# 'rrd/{file}' is replaced by 'rrd/example.com/load/load.rrd'
# 'rrd.php?path={file_escaped}' becomes 'rrd.php?path=host%3Fload%3Fload.rrd'
$CONFIG['rrd_url'] = 'rrd.php?path={file_escaped}';

# browser cache time for the graphs (in seconds)
$CONFIG['cache'] = 90;

# page refresh (in seconds)
$CONFIG['page_refresh'] = '';

# default width/height of the graphs
$CONFIG['width'] = 400;
$CONFIG['height'] = 175;
# default width/height of detailed graphs
$CONFIG['detail-width'] = 800;
$CONFIG['detail-height'] = 350;
# max width/height of a graph (to prevent from OOM)
$CONFIG['max-width'] = $CONFIG['detail-width'] * 2;
$CONFIG['max-height'] = $CONFIG['detail-height'] * 2;

# collectd's unix socket (unixsock plugin)
# enabled: 'unix:///var/run/collectd-unixsock'
# enabled (rrdcached): 'unix:///var/run/rrdcached.sock'
# disabled: NULL
$CONFIG['socket'] = NULL;

# flush rrd data to disk using "collectd" (unixsock plugin)
# or a "rrdcached" server
$CONFIG['flush_type'] = 'collectd';

# system default timezone when not set
$CONFIG['default_timezone'] = 'UTC';


# load local configuration
if (file_exists(dirname(__FILE__).'/config.local.php'))
        include_once 'config.local.php';


sudo service nginx restart


http://192.168.1.147/CGP/   ==> should now work

Collectd Clients on Raspberry Pi

The collectd config for the clients is basically the same as for the server, with only one line of difference: instead of listening, you punch in a server.
The hostname of this client is SwitchPi; it also has the 1wire filesystem (OWFS) running to capture temperatures with the curl plugin.
There's also one curl test that gets the core temperature of the BCM SoC on a Pi (file:///sys/class/thermal/thermal_zone0/temp).



Installing the collectd client is once again:
sudo apt-get install collectd collectd-utils

The next step is to configure the daemon as a client using network as its output.
sudo nano /etc/collectd/collectd.conf
## /etc/collectd/collectd.conf 
## Config Type: CollectD Client


Hostname SwitchPi
FQDNLookup false
Interval 30
ReadThreads 1
LoadPlugin syslog
<Plugin syslog>
        LogLevel info
</Plugin>

LoadPlugin cpu
LoadPlugin df
LoadPlugin disk
LoadPlugin entropy
LoadPlugin interface
LoadPlugin irq
LoadPlugin load
LoadPlugin memory
LoadPlugin processes
#LoadPlugin rrdtool
LoadPlugin swap
LoadPlugin users
LoadPlugin network

## Extra Plugins
#LoadPlugin nginx
#LoadPlugin iptables
LoadPlugin uptime
#LoadPlugin dns
#LoadPlugin ping
LoadPlugin curl

## CollectD Servers
<Plugin "network">
        Server "192.168.1.147" "25826"
#        Server "$COLLECTD SERVER IP" "25826"
        SecurityLevel None
</Plugin>


#<Plugin rrdtool>
#        DataDir "/var/lib/collectd/rrd"
#</Plugin>

Include "/etc/collectd/filters.conf"
Include "/etc/collectd/plugins.conf"
Include "/etc/collectd/thresholds.conf"

And next, plugins.conf again:
sudo nano /etc/collectd/plugins.conf
## /etc/collectd/plugins.conf 
## Config Type: CollectD Plugins
<Plugin swap>
       ReportByDevice false
</Plugin>

<Plugin curl> #Last one does CPUTemp for raspberry; rest is 1wire-filesystem
  <Page "KamerTemp">
    URL "file:///mnt/1wire/28.XXXXXXXXXX0000/temperature"
      <Match>
        Regex "(^-?[0-9]*\\.[0-9]+)"
        DSType "GaugeLast"
        Type "temperature"
        Instance "Room"
      </Match>
  </Page>


  <Page "Verwarming">
    URL "file:///mnt/1wire/28.XXXXXXXX0000/temperature"
      <Match>
        Regex "(^-?[0-9]*\\.[0-9]+)"
        DSType "GaugeLast"
        Type "temperature"
        Instance "Heater"
      </Match>
  </Page>



  <Page "SwitchPiTemp">
    URL "file:///mnt/1wire/28.XXXXXXXX0000/temperature"
      <Match>
        Regex "(^-?[0-9]*\\.[0-9]+)"
        DSType "GaugeLast"
        Type "temperature"
        Instance "SwitchPi"
      </Match>
  </Page>


  <Page "DcLinksTemp">    
    URL "file:///mnt/1wire/28.XXXXXXXX0000/temperature"
      <Match>
        Regex "(^-?[0-9]*\\.[0-9]+)"
        DSType "GaugeLast"
        Type "temperature"
        Instance "Data Center Left"
      </Match>
  </Page>

  <Page "BuitenVooraan1e">
    URL "file:///mnt/1wire/28.XXXXXXXX0000/temperature"
      <Match>
        Regex "(^-?[0-9]*\\.[0-9]+)"
        DSType "GaugeLast"
        Type "temperature"
        Instance "Outside"
      </Match>
  </Page>

  <Page "CpuTemp">
    URL "file:///sys/class/thermal/thermal_zone0/temp"
      <Match>
        Regex "([0-9]*)"
        DSType "GaugeLast"
        Type "temperature"
        Instance "CPUTemp_switchpi"
      </Match>
  </Page>
</Plugin>


<Plugin df> #excluding some useless filesystems
        MountPoint "/run"
        MountPoint "/run/lock"
        MountPoint "/boot"
        FSType rootfs

        # ignore the usual virtual / temporary file-systems except tmpfs so we do monitor /run/shm
        FSType sysfs
        FSType proc
        FSType devtmpfs
        FSType devpts
        FSType fusectl
        FSType cgroup
        IgnoreSelected true
#       ReportInodes false
</Plugin>


<Plugin disk> #only monitor p2, mmcblk0 is a compound of the two
        Disk "mmcblk0"
        Disk "mmcblk0p1"
        Disk "sda1" #since sda will count traffic on all partitions
        IgnoreSelected true
</Plugin>
 

<Plugin "openvpn">
 StatusFile "/var/log/openvpn-status.log"
 StatusFile "/var/log/openvpntcp-status.log"
 

 # Collect one RRD for each logged in user
 CollectIndividualUsers true

 # Aggregate number of connected users
 CollectUserCount true

 # Store compression statistics
 CollectCompression true

 # Use new NamingSchema
 ImprovedNamingSchema true
</Plugin>




Raspberry Pi Collectd Server and CGP GUI

In this series of posts I'll try to explain how to set up a working Collectd infrastructure. Monitoring data will be sent to a central computer (a Raspberry Pi running Raspbian, called MainPi), and clients will be configured to send their data to the MainPi.


This post is about the Collectd Server ... called mainpi here

MainPi will also be configured to run CGP (Collectd Graph Panel) so we have a nice graphical representation of the data; that will be the 3rd post in the series.

Getting collectd installed on the central server (MainPi) is as easy as typing:
sudo apt-get install collectd collectd-utils

The next step is to configure the daemon as a network server using rrd as its output.
sudo nano /etc/collectd/collectd.conf
## /etc/collectd/collectd.conf 

Hostname MainPi
FQDNLookup false
## This can be higher if you have a more powerful box
Interval 30
## This can be higher if you have a more powerful box
ReadThreads 1
LoadPlugin syslog
<Plugin syslog>
        LogLevel info
</Plugin>

LoadPlugin cpu
LoadPlugin df
LoadPlugin disk
LoadPlugin entropy
LoadPlugin interface
LoadPlugin irq
LoadPlugin load
LoadPlugin memory
LoadPlugin processes
LoadPlugin rrdtool
LoadPlugin swap 
LoadPlugin users
LoadPlugin network
## Server config
<Plugin "network">
   # Can also be "*" "25826" to listen on 0.0.0.0
   Listen "192.168.1.147" "25826" #Local interface
   ReportStats true
   SecurityLevel None
</Plugin>

## Extra Plugins ## remove to disable
#LoadPlugin nginx
LoadPlugin uptime
LoadPlugin ping

<Plugin rrdtool>     
    DataDir "/var/lib/collectd/rrd"
</Plugin>

Include "/etc/collectd/filters.conf"
Include "/etc/collectd/plugins.conf"
Include "/etc/collectd/thresholds.conf"

Since plugins.conf is loaded, we'll need to configure the plugins in that file.
sudo nano /etc/collectd/plugins.conf
## /etc/collectd/plugins.conf
## Static Plugins (every host has them)
<Plugin swap>
       ReportByDevice false
</Plugin>


## Dynamic Plugins (loaded by Ansible based on options)
#<Plugin nginx>
#       URL "http://127.0.0.1/nginx_status"
#</Plugin>

<Plugin ping>
       Host "ntp.belnet.be"
</Plugin>

#</Plugin>
That's the Collectd server set up!
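
Both the client and the server config on this page run the network plugin with SecurityLevel None, so metrics cross the LAN unsigned and unencrypted. The following added example (not part of the original posts; function names, user name and password are placeholders) audits a collectd.conf for such endpoints and shows the client's Server entry beside a block form that encrypts, as documented in collectd.conf(5).

```shell
#!/bin/sh
# Added example (not from the original posts): report every collectd network
# endpoint with its effective SecurityLevel; exit status 1 if any is None.
# Per collectd.conf(5), SecurityLevel is an option of <Server>/<Listen> blocks,
# so the one-line Server/Listen form used on this page is treated as None.

audit_network_security() {
    awk '
    { sub(/#.*/, ""); gsub(/"/, "") }                 # strip comments, quotes
    tolower($0) ~ /^[ \t]*<plugin[ \t]+network>/ { in_net = 1; next }
    tolower($0) ~ /^[ \t]*<\/plugin>/            { in_net = 0; next }
    !in_net { next }
    tolower($1) ~ /^<(server|listen)$/ {              # block form opens
        kind = substr($1, 2); host = $2; sub(/>$/, "", host)
        level = "None"; next
    }
    tolower($1) ~ /^<\/(server|listen)>$/ {           # block form closes
        print kind, host, level
        if (tolower(level) == "none") weak = 1
        kind = ""; next
    }
    kind != "" && tolower($1) == "securitylevel" { level = $2; next }
    kind == "" && tolower($1) ~ /^(server|listen)$/ { # one-line form
        print $1, $2, "None"; weak = 1
    }
    END { exit (weak ? 1 : 0) }' "$1"
}

# Constructed sample: client config in the style shown on this page.
sample_weak() { cat <<'EOF'
<Plugin "network">
        Server "192.168.1.147" "25826"
        SecurityLevel None
</Plugin>
EOF
}

# Constructed sample: same endpoint with encryption; the user name and
# password are placeholders and must match the server AuthFile.
sample_hardened() { cat <<'EOF'
<Plugin "network">
        <Server "192.168.1.147" "25826">
                SecurityLevel Encrypt
                Username "switchpi"
                Password "REPLACE_WITH_SECRET"
        </Server>
</Plugin>
EOF
}
```

On MainPi the matching change is a `<Listen>` block carrying SecurityLevel and an AuthFile that lists the same user and password; run `audit_network_security /etc/collectd/collectd.conf` on each host to confirm.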