This document explains how to prepare systems for graphing with the SSH-based scripts, which use only standard SSH and Unix commands to gather data from servers. The example server we will graph is 192.168.1.107.
The high-level process is as follows:
After importing the desired template, which is covered in the template-specific documentation, the next thing to do is set up SSH keys for the poller process to use. To do this, you need to know what user the Cacti poller runs as. You can look in the cron job that runs the poller:
debian:~# grep -r cacti /etc/cron* /etc/cron.d/cacti:*/5 * * * * www-data php /usr/share/cacti/site/poller.php >/dev/null 2>/var/log/cacti/poller-error.log
Another way is to simply look at who owns the log files:
debian:~# ls -l /var/log/cacti/ total 68 -rw-r----- 1 www-data www-data 53816 2009-10-27 17:55 cacti.log -rw-r----- 1 www-data www-data 7120 2009-10-25 06:20 cacti.log.1.gz -rw-r--r-- 1 www-data www-data 0 2009-10-27 17:55 poller-error.log -rw-r----- 1 www-data www-data 0 2009-10-19 18:57 rrd.log
In both cases, you can see that it runs as www-data. You’ll need to keep this in mind as you set things up further.
Now you will create an SSH key pair without a passphrase. When ssh-keygen asks you where to save the key, you will specify a convenient location. This example is using a Debian server, and Debian keeps the Cacti configuration in /etc/cacti, which seems like a better place than /var/www (the www-data user’s default home directory):
debian:~# ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): /etc/cacti/id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /etc/cacti/id_rsa. Your public key has been saved in /etc/cacti/id_rsa.pub.
The key has been created with permissions that will not let the www-data user access it, and you need to fix that:
debian:~# chown www-data /etc/cacti/id_rsa* debian:~# ls -l /etc/cacti/ total 16 -rw-r--r-- 1 root root 539 2008-08-08 21:43 apache.conf -rw-r----- 1 root www-data 575 2009-10-20 16:23 debian.php -rw------- 1 www-data root 1675 2009-10-27 18:07 id_rsa -rw-r--r-- 1 www-data root 393 2009-10-27 18:07 id_rsa.pub
That should work fine.
Now create the user on the server you want to graph. For this example, we’ll call this user “cacti”. Remember, the server you to graph is 192.168.1.107.
This example shows how to create the user manually and give it a suitable password, but you can create the user however you please:
debian:~# ssh 192.168.1.107 adduser cacti Adding user `cacti' ... ...
Once the user is created, you’re ready to copy the SSH key into its home directory:
debian:~# ssh-copy-id -i /etc/cacti/id_rsa.pub email@example.com firstname.lastname@example.org's password: Now try logging into the machine, with "ssh 'email@example.com'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting. debian:~# ssh -i /etc/cacti/id_rsa firstname.lastname@example.org echo "it works" it works
Notice that you copied the public key (id_rsa.pub) and then logged in with the private key (id_rsa).
You should now be ready to use the PHP script to connect to this server over SSH. All you need to do is copy ss_get_by_ssh.php to the Cacti script directory and set the proper configuration variables. This example shows how to do it with an external configuration file, but you can do it any way you please:
debian:~# cp scripts/ss_get_by_ssh.php /usr/share/cacti/site/scripts/ debian:~# cat > /etc/cacti/ss_get_by_ssh.php.cnf <?php $ssh_user = 'cacti'; $ssh_iden = '-i /etc/cacti/id_rsa'; CTRL-D
If you need a more complex configuration setup, such as connecting to a different SSH port on different servers, follow the instructions to customize the data templates and accept input in each data source.
You can also place .cnf file in the same directory as the PHP script file (just to keep the backward compatibility) but this is a security risk as scripts/ folder falls under the web directory. So /etc/cacti/ is the recommended location for .cnf file. In any case, ensure that any files under scripts/ are not accessible from Web. Check out Hardening Cacti setup guide.
Finally, you’ll test the script to see if it can connect and retrieve values. It is important to do this as the same user the crontab runs under, with an empty environment, just as the crontab does. Otherwise the results will not necessarily whether Cacti’s polling will succeed or fail! The sample call to the script that follows is a good example. Make sure you specify the correct username; the example uses www-data. If the resource you’re graphing runs on a non-standard port, use the --port2 option:
debian:~# su - www-data -c 'env -i php /usr/share/cacti/site/scripts/ss_get_by_ssh.php --type memory --host 192.168.1.107 --items gu,gv' gu:30842880 gv:2244608 debian:~#
In the example above, the script did not print a newline after its output, so the prompt is likely to be mangled afterwards, but the output is “gu:30842880 gv:2244608”, followed by the command prompt, “debian:~# ”.
Everything looks fine, so the graphing should be working! Continue with the template-specific documentation.