Actually, I'm thinking that since I already have the PKI stuff in place, the server just puts a private-key encrypted https URL to a script in client-local.cfg, and the client decrypts and retrieves it.
One thing I've learned in 30 years in this business is that you never give the auditors everything you can do at the outset. Let them make a finding, then wrap something else around it.
On 2013-07-04 17:44, Ralph Mitchell wrote:
You should be very careful about how you validate this kind of automation. The client should probably do some kind of verification, and use canned scripts rather than just running any command handed to it. For example:
xymon adds to client-local.cfg for server1: restartapache:
date+%sserver1 xymon client saves that in $HOME/etc/local.cfg server1 cron job sees "restartapache", extracts the timestamp, checks that it didn't already do that, then posts that timestamp back to the xymon server, asking what it means; xymon server replies: restartapache As long as the reply matches, the client kicks apache Everybody writes log entries
The client call-back to verify the command could be done with curl over https with a client-side SSL certificate to validate each party to the other. That may seem like overkill, but when auditors are involved, maybe not... :-)
Ralph Mitchell
On Thu, Jul 4, 2013 at 3:21
PM, Another Xymon User <xymon at epperson.homelinux.net> wrote:
Thanks, Ralph! I had case 1 working with a PKI trust relationship for root between the Xymon servers and the clients, but when the auditors made us set "NoRootLogin yes" in sshd_config everywhere, it broke and I had not had a chance to figure out how to do it with sudo. Case 2 will let me work up an alternative.
On 2013-07-04 12:07, Ralph
Mitchell wrote:
It could be done, but it's a bit more
complicated than that. Your browser is talking to the Xymon server, not the server where the downed service should be running. Here's a couple of ways it could be done, using your tomcat example:
- you
would need a cgi script on the Xymon server capable of logging in to the remote tomcat server with enough privilege to be able to restart tomcat or to dump memory, then send back to your browser any restart messages or the memory dump as a file download;
or 2) a cgi script on the xymon server that could add a variable to the client-local.cfg for the tomcat server. Next time the remote checks in with xymon it would pick up that flag and store it in $HOME/etc/local.cfg. A cron job could examine that file occasionally and if the flag shows up, restart or dump memory as appropriate. This cycle could take 10 - 15 minutes to complete.
I don't know if anyone has such automation currently running.
Ralph Mitchell
On Thu, Jul 4, 2013 at 7:24 AM, deepak deore <deepakdeore2004 at gmail.com> wrote:
Is it possible to execute a command on client from xymon browser?
eg.
1.If a service is in RED state, just select that service
and fire restart command from browser.
- If tomcat not
responding then take thread dump from browser by selecting that particular tomcat.
I can write html for gui.
Xymon mailing list Xymon at xymon.com
Xymon mailing list Xymon at xymon.com
Xymon mailing list
Xymon at xymon.com
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon [1]