Quick HOWTO : Ch22 : Monitoring Server Performance/zh

来自Ubuntu中文
跳到导航跳到搜索

{{#ifexist: :Quick HOWTO : Ch22 : Monitoring Server Performance/zh/zh | | {{#ifexist: Quick HOWTO : Ch22 : Monitoring Server Performance/zh/zh | | {{#ifeq: {{#titleparts:Quick HOWTO : Ch22 : Monitoring Server Performance/zh|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:Quick HOWTO : Ch22 : Monitoring Server Performance/zh|1|-1|}} | zh | | }}


简介

你能够使用Linux的图形化工具来容易地监视系统的网络性能。在下面的章节中,你将会学到怎样使用包括MRTG(基于SNMP的,用来监视网络流量的工具)和Webalizer(分析网站命中率的工具)在内的一些工具。

简单网络管理协议

许多服务器、路由器和防火墙在他们的对象标志符(OIDs)里保记录这他们的操作上的统计数据,你可以通过简单网络管理协议(SNMP)来细心的检索他们。为了方便使用,设备制造商为他们的设备提供了管理信息库文件MIB,该文件定义了设备对象标志符OID的功能。在这两句中有许多新的术语需要被理解,因此让我们花一点时间弄清楚他们。

OIDs 和 MIBs

OIDs 由SNMP标准定义的结构化管理信息树来确定。该树开始于根结点root,通过分支和叶继承下去,每一个子结点添加他们自己的引用值到一个由单独的时间区分的路径。图 22-1显示了OID结构,企业OID分支的路径首先通过org,dod,internet,和private branches,因此相应的OID路径是1.3.6.1.4.1。

图22-1 SNMP OID 结构

管理信息库(MIBs)是用文字定义每个OID分支.表22-1展示了常用的OIDs与它们的MIBs的对应关系.例如,org MIB定义了dod层必需的所有最高层的OIDs。dod下层的internet MIB定义了directory、mgmt、experimental、和private branches中的最高层OIDs。这种MIB信息对SNMP管理程序非常有用,你可以点击某个OID来看它的值、类型和描述。

Table 22-1 OIDs And Their Equivalent MIBs

OID MIB
1.3 org
1.3.6 dod
1.3.6.1 internet
1.3.6.1.1 directory
1.3.6.1.2 mgmt
1.3.6.1.3 experimental
1.3.6.1.4 private
1.3.6.1.4.1 enterprises

You can refer to an OID by substituting the values in a branch with one of these more readable MIB aliases. For example, you can reference the OID 1.3.6.1.4.1.9.9.109.1.1.1.1.5 as enterprises.9.9.109.1.1.1.1.5.1 by substituting the branch name (enterprises) for its OID numbers (1.3.6.1.4.1).

Remember, only the OID value at the very tip of a branch, the leaf, actually has a readable value. Think of OIDs like the directory structure on a hard disk. Each branch is equivalent to a subdirectory, and the very last value at the tip (the leaf) correlates to a file containing data.

The Linux snmpget command outputs the value of a single leaf, and the snmpwalk command provides the values of all leaves under a branch. I'll discuss these commands later; for now, all you need to know is that the command output frequently doesn't list the entire OID, just the MIB file in which it was found and the alias within the MIB. For example

SNMPv2-MIB::sysUpTime.0

Here the OID value was found in the SNMPv2-MIB file and occupies position zero in the sysUpTime alias.

Equipment manufacturers are usually assigned their own dedicated OID branch under the enterprises MIB, and they must also provide information in universally accepted OIDs for ease of manageability. For example, NIC interface data throughput values must always be placed in a predefined location in the general tree, but a memory use value on a customized processor card may be defined in a MIB under the manufacturer's own OID branch.

SNMP Community Strings

As a security measure, you need to know the SNMP password, or community string, to query OIDs. There are a number of types of community strings, the most commonly used ones are the Read Only or "get" community string that only provides access for viewing statistics and system parameters. In many cases the Read Only community string or password is set to the word "public;" you should change it from this easy-to-guess value whenever possible. The Read/Write or "set" community string is for not only viewing statistics and system parameters but also for updating the parameters.

SNMP Versions

There are currently three versions of SNMP.

  1. SNMP Version 1: The first version of SNMP to be implemented, version 1 was designed to be a protocol to provide device statistics and error reporting without consuming a lot of system resources. Security was limited to community strings and access controls based on the IP address of the querying server. Data communication wasn't encrypted.
  2. SNMP Version 2: The second version of SNMP, often referred to as v2c, expanded the number of supported error codes, increased the size of counters used to track data, and had the ability to do bulk queries that more efficiently loaded response packets with data. SNMP v2c is backward compatible with version 1.
  3. SNMP Version 3: This version provides greater security and remote configuration capabilities than its predecessors. Access isn't limited to a single community string for read-only and read/write access, as usernames and passwords have been introduced. Views of OIDs in a MIB can also be limited on a per-user basis. Support for encrypted SNMP data transfer and transfer error detection is also provided.

Remember their differences, because you will need to specify the version number when doing SNMP queries.

Doing SNMP Queries

Configuring SNMP on a server isn't hard, but it does require a number of detailed steps.

Installing SNMP Utilities on a Linux Server

If you intend to use your Linux box to query your network devices, other servers or even itself using MRTG or any other tool, you need to have the SNMP utility tools package net-snmp-utils installed. This package may also require pre-requisite packages, so it is best to use an automated package updater such yum or apt to do this.

When searching for these packages the filenames will start with the package name followed by a version number, as in net-snmp-utils-5.1.1-2.i386.rpm. (If you need an installation refresher, see Chapter 6, "Installing Linux Software").

SNMP Utilities Command Syntax

The SNMP utility tools package installs a number of new commands on your system for doing SNMP queries, most notably snmpget for individual OIDs and snmpwalk for obtaining the contents of an entire MIB. Both commands require you to specify the community string with a -c operator. They also require you to specify the version of the SNMP query to be used with a -v 1, -v 2c, or -v 3 operator for versions 1, 2, and 3, respectively. The first argument is the name or IP address of the target device and all other arguments list the MIBs to be queried.

This example gets all the values in the interface MIB of the local server using SNMP version 1 and the community string of craz33guy.

[root@bigboy tmp]# snmpwalk -v 1 -c craz33guy localhost interface
...
...
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: eth0
IF-MIB::ifDescr.3 = STRING: eth1
...
...
IF-MIB::ifPhysAddress.1 = STRING:
IF-MIB::ifPhysAddress.2 = STRING: 0:9:5b:2f:9e:d5
IF-MIB::ifPhysAddress.3 = STRING: 0:b0:d0:46:32:71
...
...
[root@bigboy tmp]#

Upon inspecting the output of the snmpwalk command, you can see that the second interface seems to have the name eth0 and the MAC address 0:9:5b:2f:9e:d5. You can now retrieve the individual MAC address using the snmpget command.

[root@bigboy tmp]# snmpget -v 1 -c const1payted localhost ifPhysAddress.2
IF-MIB::ifPhysAddress.2 = STRING: 0:9:5b:2f:9e:d5
[root@bigboy tmp]#

You can confirm this information using the ifconfig command for interface eth0; the very first line shows a matching MAC address.

[root@bigboy tmp]# ifconfig -a eth0
eth0 Link encap:Ethernet HWaddr 00:09:5B:2F:9E:D5 
 inet addr:216.10.119.244 Bcast:216.10.119.255 Mask:255.255.255.240
...
...
[root@bigboy tmp]#

You'll now see how you can configure SNMP on your Linux server to achieve these results.

Configuring Simple SNMP on a Linux Server

By default Fedora, installs the net-snmp package as its SNMP server product. This package uses a configuration file named /etc/snmp/snmpd.conf in which the community strings and other parameters may be set. The version of the configuration file that comes with net-snmp is quite complicated. I suggest archiving it and using a much simpler version with only a single line containing the keyword rocommunity followed by the community string. Here is an example.

1) Save the old configuration file

[root@bigboy tmp]# cd /etc/snmp/
[root@bigboy snmp]# mv snmpd.conf snmpd.conf.old
[root@bigboy snmp]# vi snmpd.conf

2) Enter the following line in the new configuration file to set the Read Only community string to craz33guy.

rocommunity craz33guy

3) Configure Linux to start SNMP services on each reboot with the chkconfig command:

[root@bigboy root]# chkconfig snmpd on
[root@bigboy root]#

4) Start SNMP to load the current configuration file.

[root@bigboy root]# service snmpd start
Starting snmpd: [ OK ]
[root@bigboy root]#

5) Test whether SNMP can read the system and interface MIBs using the snmpwalk command.

[root@bigboy snmp]# snmpwalk -v 1 -c craz33guy localhost system
SNMPv2-MIB::sysDescr.0 = STRING: Linux bigboy 2.4.18-14 #1 Wed Sep 4 11:57:57 EDT 2002 i586
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
SNMPv2-MIB::sysUpTime.0 = Timeticks: (425) 0:00:04.25
SNMPv2-MIB::sysContact.0 = STRING: root@localhost
SNMPv2-MIB::sysName.0 = STRING: bigboy
...
...
...
[root@bigboy snmp]# snmpwalk -v 1 -c craz33guy localhost interface
IF-MIB::ifNumber.0 = INTEGER: 3
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.3 = INTEGER: 3
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: wlan0
IF-MIB::ifDescr.3 = STRING: eth0 
...
...
...
[root@bigboy snmp]# 

Now that you know SNMP is working correctly on your Linux server, you can configure SNMP statistics gathering software, such as MRTG, to create online graphs of your traffic flows.

SNMP On Other Devices

In the example, you were polling localhost. You can poll any SNMP-aware network device that has SNMP enabled. All you need is the IP address and SNMP Read Only string and you'll be able to get similar results. Here is an example of a query of a device with an IP address of 192.168.1.1.

[root@bigboy snmp]# snmpwalk -v 1 -c chir1qui 192.168.1.1 interface

Note: When issuing snmpwalk and snmpget commands, remember to use the proper version switch (-v 1, -v 2c, or -v 3) for the version of SNMP you're using.

Basic SNMP Security

The security precautions that need to be taken with SNMP vary depending on the version you are using. This section outlines the basic steps for protecting your MIB data.

SNMP Versions 1 and 2

The most commonly supported versions of SNMP don't encrypt your community string password so you shouldn't do queries over insecure networks, such as the Internet. You should also make sure that you use all reasonable security measures to allow queries only from trusted IP addresses either via a firewall or the SNMP security features available in the snmp.conf file. You can also configure your server to use the TCP wrappers feature outlined in Appendix I, "Miscellaneous Linux Topics," to limit access to specific servers without the need of a firewall.

In case you need it, the snmpd.conf file can support limiting MIB access to trusted hosts and networks.

The snmpd.conf file has two security sections; a section with very restrictive access sits at the top of the file and is immediately followed by a less restrictive section. The example that follows is a modification of the less restrictive section. You will have to comment out the more restrictive statements at the top of the file for it to work correctly.


## sec.name source community
## ======== ====== =========
com2sec local localhost craz33guy
com2sec network_1 172.16.1.0/24 craz33guy
com2sec network_2 192.168.2.0/24 craz33guy

## Access.group.name sec.model sec.name
## ================= ========= ========
group MyROGroup_1 v1 local
group MyROGroup_1 v1 network_1
group MyROGroup_2 v2c network_2

## MIB.view.name incl/excl MIB.subtree mask
## ============== ========= =========== ====
view all-mibs included .1 80

## MIB 
## group.name context sec.model sec.level prefix read write notif
## ========== ======= ========= ========= ====== ==== ===== =====
access MyROGroup_1 "" v1 noauth exact all-mibs none none
access MyROGroup_2 "" v2c noauth exact all-mibs none none

In our example:

  • Only three networks (localhost, 172.16.1.0/24, and 192.168.1.0/24) are allowed to access the server with the craz33guy community string.
  • Each network is matched to a either a group called MyROGroup_1 using SNMP version 1, or group called MyROGroup_2 using SNMP version 2.
  • All the MIBs on the server are defined by the view named all-mibs.
  • An access statement ensures that only the defined networks have read only access to all the MIBs. MyROGroup_1 only has version 1 access with MyROGroup_2 only having version 2 access.
  • Modification of the MIBs via SNMP is denied because the word "none" is in the write section of the access statement.

These precautions are probably unnecessary in a home environment where access is generally limited to devices on the home network by a NAT firewall.

SNMP Version 3

SNMP Version 3 SNMPv3 is a much more secure alternative to earlier versions as it encrypts all its data and uses a username / password combination for client authentication. The username should be located in the /etc/snmp/snmpd.conf file with a corresponding automatically generated password located in the /var/net-snmp/snmpd.conf file. Here is how it's done.

1. Install the net-snmp-devel package as it contains the utility that will allow you to generate the password. If you need an installation refresher, see Chapter 6, "Installing Linux Software")

2. Stop the snmpd process.

[root@bigboy tmp]# service snmpd stop
Stopping snmpd: [ OK ]
[root@bigboy tmp]#

3. Automatically create the /etc/snmp/snmpd.conf and /var/net-snmp/snmpd.conf username and password entries using the net-snmp-config command. In this example the authentication password of "rootsrockreggae" for the read only (-ro) username "username4snmpv3" is encrypted using the MD5 algorithm. The data received will not be encrypted.

[root@bigboy tmp]# net-snmp-config --create-snmpv3-user -ro \
-a MD5 -A rootsrockreggae username4snmpv3

adding the following line to /var/net-snmp/snmpd.conf:
 createUser username4snmpv3 MD5 "rootsrockreggae" DES
adding the following line to /etc/snmp/snmpd.conf:
 rouser username4snmpv3
[root@bigboy tmp]# service snmpd start
Starting snmpd: [ OK ]
[root@bigboy tmp]#

4. To encrypt the data received we use the net-snmp-config command again to create a username just for this purpose. A new read only username "securev3user" and authentication password "mandeville" are used, but this time the data will be encrypted using the DES algorithm with the privacy password of "savlamar".

[root@bigboy tmp]# net-snmp-config --create-snmpv3-user -ro \
-a MD5 -A mandeville -x DES -X savlamar securev3user

adding the following line to /var/net-snmp/snmpd.conf:
 createUser securev3user MD5 "mandeville" DES savlamar
adding the following line to /etc/snmp/snmpd.conf:
 rouser securev3user
[root@bigboy tmp]#

5. Start the snmpd process.

[root@bigboy tmp]# service snmpd start
Starting snmpd: [ OK ]
[root@bigboy tmp]#

6. First we'll do a query from remote host smallfry. We specify the authentication password and authentication encryption method, and we also use the -l flag to indicate that authentication will be used, but that data privacy will be disabled (the authNoPriv option).

[root@smallfry ~]# snmpget -v 3 -u username4snmpv3 -l authNoPriv \
-a MD5 -A rootsrockreggae 192.168.2.200 SNMPv2-MIB::sysORDescr.8

SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Security Model.
[root@smallfry ~]#

The query returns an easy to read string, "The management information definitions for the SNMP User-based Security Model". This unencrypted string can also be seen in the tshark packet capture of the server's interface.

[root@bigboy tmp]# tshark -n -i eth1 -x port 161
Capturing on eth1
...
...
...

 0.005889 192.168.1.100 -> 192.168.1.50 SNMP get-response

0000 00 c0 4f 46 0c 2e 00 b0 d0 46 32 71 08 00 45 00 ..OF.....F2q..E.
0010 00 f0 00 00 40 00 40 11 b3 b2 c0 a8 02 c8 c0 a8 ....@.@.........
0020 02 32 00 a1 80 0a 00 dc 87 38 30 81 d1 02 01 03 .2.......80.....
0030 30 11 02 04 45 a2 23 54 02 03 00 ff e3 04 01 01 0...E.#T........
0040 02 01 03 04 38 30 36 04 0d 80 00 1f 88 80 71 11 ....806.......q.
0050 68 72 0e b1 e7 45 02 01 12 02 01 39 04 0f 75 73 hr...E.....9..us
0060 65 72 6e 61 6d 65 34 73 6e 6d 70 76 33 04 0c 46 ername4snmpv3..F
0070 6c 74 26 51 4d aa 65 61 59 06 1a 04 00 30 7f 04 lt&QM.eaY....0..
0080 0d 80 00 1f 88 80 71 11 68 72 0e b1 e7 45 04 00 ......q.hr...E..
0090 a2 6c 02 04 43 4e da d7 02 01 00 02 01 00 30 5e .l..CN........0^
00a0 30 5c 06 0a 2b 06 01 02 01 01 09 01 03 08 04 4e 0\..+..........N
00b0 54 68 65 20 6d 61 6e 61 67 65 6d 65 6e 74 20 69 The management i
00c0 6e 66 6f 72 6d 61 74 69 6f 6e 20 64 65 66 69 6e nformation defin
00d0 69 74 69 6f 6e 73 20 66 6f 72 20 74 68 65 20 53 itions for the S
00e0 4e 4d 50 20 55 73 65 72 2d 62 61 73 65 64 20 53 NMP User-based S
00f0 65 63 75 72 69 74 79 20 4d 6f 64 65 6c 2e ecurity Model.

4 packets captured
[root@bigboy tmp]#

7. Next we'll do a query that will return a response over an encrypted data channel while crossing the network (the authPriv option).

[root@smallfry ~]# snmpget -v 3 -u securev3user -l authPriv \
-a MD5 -A mandeville -x DES -X savlamar 192.168.2.200 \

SNMPv2-MIB::sysORDescr.8
SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Security Model.
[root@smallfry ~]# 

The query returns the same string, but the tshark packet capture only sees encrypted data, with only the username being visible.

[root@bigboy tmp] # tshark -n -i eth1 -x port 161
Capturing on eth1
...
...
...
 0.003675 192.168.1.200 -> 192.168.1.50 SNMP Source port: 161 Destination port: 32778 [UDP CHECKSUM INCORRECT]

0000 00 c0 4f 46 0c 2e 00 b0 d0 46 32 71 08 00 45 00 ..OF.....F2q..E.
0010 01 00 00 00 40 00 40 11 b3 a2 c0 a8 02 c8 c0 a8 ....@.@.........
0020 02 32 00 a1 80 0a 00 ec 87 48 30 81 e1 02 01 03 .2.......H0.....
0030 30 11 02 04 17 52 82 96 02 03 00 ff e3 04 01 03 0....R..........
0040 02 01 03 04 3e 30 3c 04 0d 80 00 1f 88 80 71 11 ....>0<.......q.
0050 68 72 0e b1 e7 45 02 01 11 02 02 00 8e 04 0c 73 hr...E.........s
0060 65 63 75 72 65 76 33 75 73 65 72 04 0c 01 b2 00 ecurev3user.....
0070 6e 23 07 83 dc a2 b6 d6 3d 04 08 00 00 00 11 4e n#......=......N
0080 df 19 a3 04 81 88 36 dd e0 ce e0 52 19 ff 58 7e ......6....R..X~
0090 be fa d1 96 20 2b 28 65 59 30 e8 d4 cb 18 9f 8f .... +(eY0......
00a0 1e 5b a3 d6 ae f7 4a 86 bd ed 2a 4b a8 df 52 fb .[....J...*K..R.
00b0 00 b4 a8 37 3d 74 9e 6d 1d 56 9a ba f2 13 fa 72 ...7=t.m.V.....r
00c0 4d 47 fb 88 7b d3 54 e1 9d b3 66 f0 29 ab 8a 55 MG..{.T...f.)..U
00d0 6f 77 65 40 87 ab 0c 51 d9 0e bf 33 7f 9a cb ea [email protected]....
00e0 37 50 3c 8e 65 dd 8f 3c 49 71 96 59 f9 d3 a8 23 7P<.e..<Iq.Y...#
00f0 81 c6 1b b2 c2 d0 57 9b 98 1b 89 1e ca 77 3d 84 ......W......w=.
0100 6f af b6 9b 86 3a 2f 66 44 1a 41 51 03 bc o....:/fD.AQ..

4 packets captured
[root@bigboy tmp] #

8. Your password and privilege information are stored in /var/net-snmp/snmpd.conf using the format displayed when you used the net-snmp-config command. here is an example.

# File: /var/net-snmp/snmpd.conf before SNMP starts

createUser securev3user MD5 "mandeville" DES savlamar
createUser username4snmpv3 MD5 "rootsrockreggae" DES

The snmpd daemon will completely encrypt the SNMP password data in this file when it restarts which helps to further increase security. We can see an example of this configuration here.

# File: /var/net-snmp/snmpd.conf after SNMP starts

usmUser 1 3 0x80001f88780711168720eb1e745
0x73656375626576337573657200 
0x73656375726576337573657200 
NULL .1.3.6.1.6.3.10.1.1.2 0xd951
ac1d95033f4afgf31243eb6907df .1.3.6.1.6.3.10.1.2.2
0xf1f4bb00452211d27b50c273c09031ac 0x00
usmUser 1 3 0x80001f8880711168720eb1e745 
0x757365726e61657534736e6d70763300 
0x757365726e616d6534736e6d70763300 
NULL .1.3.6.1.6.3.10.
1.1.2 0x5e35c9f5352519aa4f53eded09bbdddd 
.1.3.6.1.6.3.10.1.2.2 0x5e35c9f5122519aa4f53eded09bbdddd ""
setserialno 1464593474

Practice using the net-snmp-config command so that you can become familiar with the syntax it uses to edit the SNMP configuration files. When in doubt, you can get a full syntax listing of the command if you use it without any arguments like this:

[root@bigboy tmp]# net-snmp-config 
...
...
 SNMP Setup commands:

 --create-snmpv3-user [-ro] [-A authpass] [-X privpass]
 [-a MD5|SHA] [-x DES|AES] [username]
...
...
[root@bigboy tmp]#

With experience, you should become confident enough to edit the configuration files by yourself.

As you can see, SNMPv3 is more secure than previous versions and should be your first SNMP choice whenever possible.

Simple SNMP Troubleshooting

If your SNMP queries fail, then verify that:

  • You restarted your snmp.conf file so the configuration settings become active. Remember, the snmpd.conf file is only read by the snmpd daemon when it starts up.
  • You are using the correct community string.
  • Firewalls aren't preventing SNMP queries from the SNMP client to the SNMP target.
  • Your SNMP security policy allows the query from your network.
  • Any TCP wrappers configuration on your SNMP target machine allows SNMP queries from your SNMP client. Generally speaking in a home environment protected by NAT your TCP wrappers files (/etc/hosts.allow) and (/etc/hosts.deny) should be blank.
  • Network routing between the client and target devices is correct. A simple ping or traceroute test should be sufficient.
  • The snmpd daemon is running on the SNMP client.
  • You are querying using the correct SNMP version.
  • Your /var/log/messages file does not contain errors that may have occurred while starting snmpd.

Troubleshooting to get functioning SNMP queries is important as many other supporting applications, such as MRTG which I'll discuss next, rely on them in order to work correctly.